NIS2 Onboarding

NIS2 — pragmatic, documented, in 12 weeks.

The NIS2 directive has been in force since October 2024. Our onboarding programme takes you from gap analysis to first report — structured and documented.

Who is affected?

Essential and important entities.

NIS2 distinguishes between essential and important entities. Obligations are similar; supervisory intensity differs. If in doubt: if you have more than 50 employees or operate in a critical sector, you are likely in scope.

Essential entities

Energy, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, transport, public administration.

Important entities

Manufacturers (medical, pharma, chemical, food), postal/courier, waste management, research institutions, digital service providers.

12-week roadmap

From gap to report.

Each milestone delivers a concrete document or activated measure.

  1. Week 1

    Scoping

    Which systems, processes, and entities fall under NIS2? Scope document as output.

  2. Week 2–3

    Asset inventory

    Documentation of critical assets and dependencies. Basis for the risk assessment.

  3. Week 4–6

    Risk assessment

    Evaluation of threats and vulnerabilities per NIS2 Art. 21. Risk matrix as output.

  4. Week 7–9

    Measure implementation

    Implementation of prioritised technical and organisational measures — including awareness programme.

  5. Week 10–11

    Activate awareness programme

    Start phishing simulation and training. Measure and document baseline click rate.

  6. Week 12

    Reporting & handover

    First compliance report. Handover to internal CISO or ISB for ongoing operation.

What we deliver

Four deliverables, one programme.

Workshop

Scoping workshop

Half-day workshop to determine the NIS2 scope — remote or on-site.

Documents

Report templates

Ready-made templates for the quarterly report, measures evidence, and incident log per NIS2 requirements.

Programme

Awareness programme

Configured phishing simulation and training plan for 12 months — compliant with NIS2 Art. 21 (2) g.

Review

Quarterly review

Quarterly review of the programme, trend analysis, and adjustment of the training plan.

FAQ NIS2

Frequently asked questions about NIS2.

When does NIS2 apply in Germany?

The NIS2 directive has been in force across the EU since October 2024. Germany implemented national requirements via the NIS2UmsuCG. Companies in affected sectors must already comply.

What happens in case of non-compliance?

Fines of up to €10 million or 2% of global annual turnover for essential entities, up to €7 million or 1.4% for important entities. Personal liability of management is also possible.

Is annual training enough for NIS2?

No. NIS2 Art. 21 (2) g requires continuous measures — not an annual mandatory event. Our programme is explicitly designed for this requirement: monthly modules, simulation cycle, quarterly report.

Do small companies need to comply with NIS2?

NIS2 generally applies to medium and large companies (50+ employees or €10M+ turnover) in critical sectors. Smaller companies may be in scope as important entities if they provide critical services.

Ready to take awareness seriously?

30-minute demo. We'll show you a real phishing campaign, a quarterly report, and the NIS2 mapping — for your industry.

NIS2 Onboarding — Awareness-as-a-Service