NIS2 and ISMS: What Your Existing System Doesn't Cover | NIS2Compass
9 min read | NIS2Compass Team
ISMS tools manage controls and audits -- but they don't provide a NIS2 implementation path. Why ISMS vendors upsell consulting, where the guidance gap lies, and how NIS2Compass fills it.
ISMS tools manage controls, documents, and audits, but they deliver neither a NIS2-specific implementation path nor the concrete measures required by Section 30 BSIG. That is why most vendors sell NIS2 consulting as a paid add-on. NIS2Compass closes exactly this gap: structured NIS2 expertise, ready-made templates, and an 8-chapter guide that complements your existing system.
This article shows where ISMS tools reach their limits, why combining them with a NIS2-specific guide makes sense, and how the integration works in practice.
An ISMS tool organizes your security management: controls, policies, audit trails, and evidence in one place. But NIS2 introduces specific requirements that go beyond pure administration, including the ten areas of measures under Section 30 BSIG, BSI registration, and the German reporting obligations. A NIS2Compass analysis shows that the platform alone does not answer the question "What exactly do I need to do?"
The problem begins where NIS2-specific expertise is required. Four gaps appear particularly often:
No NIS2-specific content: Tools provide structure, but no expertise on Section 30 BSIG, reporting obligations, or executive liability.
No German legal specifics: International tools map the EU Directive, not the NIS2UmsuCG with its specific penalty frameworks and BSI requirements.
No implementation guidance: A control point labelled "Conduct risk analysis" does not tell you how to carry it out for NIS2 specifically.
Templates are missing or generic: No German-language risk register, no Section 30-compliant information security policy.
The numbers confirm this gap. According to a study by G DATA, only 12.1% of affected companies have fully implemented NIS2 -- even though many of them already have ISMS tools in place. The problem is not administration; it is the missing content.
Put differently: An ISMS tool is the bookshelf, but the books are missing. It organizes your security documentation reliably. It just does not tell you which documents you actually need for NIS2 and how to create them. For details on the consequences of failing to implement the Section 30 measures, see the article NIS2 Fines: What Penalties Can You Expect?.
ISMS vendors know that their platform alone is not sufficient for NIS2. That is why most offer additional NIS2 consulting packages, from gap analyses and action planning to BSI registration support. At daily rates of EUR 1,000 to 2,000, this can significantly increase total costs for SMEs with limited budgets.
Typical NIS2 consulting project for SMEs: EUR 50,000--150,000 initial (CCVOSSEL)
ISMS tool licence on top: EUR 10,000--50,000 per year
Total cost in the first year: easily six figures, for a company that already has an ISMS tool
More than half of all companies still spend less than 20% of their IT budget on security, the share recommended by the BSI and Bitkom (Bitkom Wirtschaftsschutz 2025). Additional five-figure consulting costs only make this problem worse.
The key question is: What does the consultant deliver that cannot also be conveyed in a structured way? The answer: the expertise, the guiding thread, and the concrete templates. These are exactly the three elements a specialized NIS2 compliance platform can provide. Without a daily rate.
"Most ISMS tools are excellent administration platforms. But NIS2 compliance does not come from administration; it comes from the structured implementation of concrete measures. That is exactly what requires a guide, not just a dashboard." -- Dr. Markus Hartmann, Senior Compliance Consultant
ISMS tools present controls as a flat list or matrix, without prioritization, without sequence, and without a clear answer to the question "Where do I start?" According to ADVISORI, a lack of prioritization is one of the ten most expensive mistakes in NIS2 implementation for mid-sized companies. NIS2Compass solves this with a structured 8-chapter implementation path.
Business Continuity -- BIA, BCP, backup strategy, testing
Awareness and Training -- build a programme, mandatory training, phishing simulations, security culture
Each individual step answers the question: "What do I need to do?" Progress is measurable: a step is either completed or open. No room for interpretation, no guessing.
According to HvS-Consulting, without a clear methodology companies end up with "extensive risk registers with limited added value." ISMS implementations typically take 6 to 12 months. Companies that are only starting now will not be fully NIS2-compliant until the end of 2026 at the earliest. A focused implementation path significantly shortens this timeline.
"Treating NIS2 as an IT project is a recipe for failure. NIS2 requires a comprehensive integration of security measures, governance, workforce development, reporting, and supply chain management." -- Security Insider, 2026
The combination follows a clear principle: NIS2Compass delivers the expertise, the implementation path, and the templates. Your ISMS tool manages the results. According to ISMS.online, ISO 27001 provides an excellent foundation, but the requirements of the NIS2UmsuCG go further. NIS2Compass closes this gap: tool-agnostic and without requiring a system change.
Universal formats: All templates are available in Word and Excel, importable into any ISMS tool.
No technical integration required: No API connection, no vendor lock-in, no configuration.
Complement, not replacement: NIS2Compass fills your ISMS tool with NIS2 content instead of replacing it.
NIS2Compass covers all ten Section 30 areas of measures with over 40 expert articles, 20+ templates, and a 124-step guide. This matches the content scope of a typical NIS2 consulting project, for EUR 29 per month instead of five-figure consulting fees.
A mechanical engineering company with 130 employees has been using an ISMS tool for two years. When the NIS2UmsuCG enters into force, the IT manager realizes that the tool shows the ISO 27001 status but not what is specifically missing for NIS2. The vendor offers a consulting package for EUR 45,000. With the NIS2Compass Guide, the same work can be done for EUR 29 per month.
Mechanical engineering, 130 employees, EUR 22 million annual revenue, classified as an "important entity"
ISMS tool in use since 2024, ISO 27001 controls partially implemented
IT team of 5, no dedicated information security officer
The ISMS vendor offers a "NIS2 Readiness Package": gap analysis, consulting, and training for EUR 45,000
Problem:
The ISMS tool shows 114 ISO 27001 controls but does not indicate which ones are NIS2-relevant. There is no Section 30 mapping and no guidance for BSI registration. An incident response plan covering the 24-hour (early warning), 72-hour (incident notification), and 1-month (final report) reporting deadlines is completely missing. The managing director does not know that he is personally liable under Section 38 BSIG. For details on what that means, see the article NIS2 Fines: What Penalties Can You Expect?.
Solution with NIS2Compass (EUR 29/month):
Pre-Check completed: it immediately reveals that the IR plan, BSI registration, and supplier inventory are missing
Guide Chapter 1: BSI registration completed step by step
Guide Chapter 4: IR plan created using a ready-made template, reporting deadlines set up
Guide Chapter 5: Executive duties documented, training scheduled
Guide Chapter 6: Supplier inventory created using a template
All documents imported into the ISMS tool -- controls updated, evidence added
Result:
The NIS2 gaps were closed in 8 weeks. Total cost: EUR 232 for 8 months of subscription (8 x EUR 29) instead of EUR 45,000 for the consulting package. The ISMS tool remains the central platform, now filled with NIS2-compliant content.
This scenario is anonymized and serves illustrative purposes.
No. NIS2Compass is not an ISMS tool and does not replace one. It complements your existing system with what is missing for NIS2: structured expertise across all ten Section 30 areas of measures, a concrete implementation path, and over 20 ready-made templates. Documentation and administration remain in your ISMS tool.
Yes, it is fully tool-agnostic. All templates are available in Word and Excel format, universally importable into any platform. There is no technical dependency and no API integration. NIS2Compass works as a standalone guide alongside any ISMS platform.
In most cases, no. ISO 27001 provides an excellent foundation, but according to G DATA, only 12.1% of affected companies have fully implemented NIS2. The NIS2UmsuCG goes beyond standard ISMS frameworks, particularly regarding reporting obligations, BSI registration, and executive liability under Section 38 BSIG.
EUR 29 per month, cancellable monthly. For comparison: a typical NIS2 consulting project for SMEs costs between EUR 50,000 and 150,000 according to CCVOSSEL. The ISMS tool licence is an additional expense in either case. NIS2Compass delivers the same content scope, without daily rates.
For most SMEs, no. NIS2Compass covers all ten Section 30 areas of measures with its 124-step guide, over 40 expert articles in the Knowledge Hub, and 20+ templates. This matches the scope of a NIS2 readiness project. For special cases such as KRITIS operators or complex group structures, targeted consulting may still be advisable.