NIS2Compass

Your Navigator Through NIS2 Compliance


Contact

kontakt@nis2compass.de

NIS2Compass provides information and guidance on NIS2 compliance. The content does not constitute legal advice within the meaning of the German Legal Services Act (Rechtsdienstleistungsgesetz, RDG) and does not replace individual legal or professional advice.

© Copyright 2026 NIS2Compass. All Rights Reserved.

🇩🇪 Made in Germany

FAQ

Common questions about NIS2 compliance and NIS2Compass

What is the NIS2 Directive?

NIS2 (Network and Information Security Directive 2) is an EU directive that sets cybersecurity requirements for organizations in critical sectors. In Germany, it has been in force since December 6, 2025 as the NIS2UmsuCG, affecting over 29,000 companies. NIS2Compass guides you through all requirements as a structured companion.

Is my organization affected by NIS2?

NIS2 applies to medium and large organizations with 50+ employees or €10M+ annual revenue in 18 critical sectors. The NIS2Compass Vor-Check helps you determine in under 5 minutes whether your organization is affected and which obligations apply.

What are the penalties for non-compliance?

Essential entities face fines of up to €10 million or 2% of global annual turnover. Important entities can be fined up to €7 million or 1.4%. Additionally, management can be held personally liable. The NIS2Compass Knowledge Hub explains all penalty provisions in detail.

How long does NIS2 implementation take?

Implementation timelines vary by organization size and current security maturity, but typically range from 6 to 18 months. NIS2Compass provides a clear roadmap with prioritized actions to help you reduce the time to compliance.

What is the NIS2UmsuCG?

The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is the German transposition of the EU NIS2 Directive. It was passed by the German Parliament on November 13, 2025 and entered into force on December 6, 2025, without any transition period.

What is the difference between NIS2 and ISO 27001?

ISO 27001 is a voluntary international standard for information security management systems. NIS2 is a legal obligation with specific reporting duties and penalties. An ISO 27001 certification covers approximately 60–70% of NIS2 requirements; the NIS2Compass Guide shows you exactly which gaps remain.

What are the reporting obligations under NIS2?

For significant security incidents, affected companies must submit an initial notification to the BSI within 24 hours, followed by a full report within 72 hours. The NIS2Compass Knowledge Hub explains the reporting process step by step.

Who is liable for NIS2 violations: the company or management?

Both. Companies face fines of up to €10 million. Additionally, management can be held personally liable if they neglect their supervisory duties. Under § 38 BSIG, executives must actively oversee the implementation of cybersecurity measures.

Do I need to register with the BSI?

Yes, all companies affected by NIS2 must register with the BSI. The BSI portal has been available since January 6, 2026, and the registration deadline expired on March 6, 2026. Companies that missed the deadline should register immediately.

Do I need an ISMS for NIS2?

NIS2 does not mandate a formal ISMS, but requires measures across 10 areas (from risk management to incident handling to supply chain security) that effectively correspond to one. NIS2Compass guides you through all required measures as a structured companion, even without an existing ISMS.

What technical measures does NIS2 require?

NIS2 requires access control, encryption, network security, vulnerability management, and multi-factor authentication, among others. The NIS2Compass Template Library contains over 20 templates for policies and documentation of these measures.

What does NIS2 compliance cost?

External NIS2 consultants typically charge €700–1,200 per day; a full project ranges from €10,000 to €30,000. NIS2Compass offers the Pro plan at €29/month as a structured alternative with all articles, templates, and the NIS2 Guide.

What is the NIS2Compass Vor-Check?

The Vor-Check is a free gap analysis that assesses your current compliance status in under 5 minutes. Based on 16 questions about your existing security measures, it shows you which NIS2 requirements are already met and where action is needed.

Can I cancel my subscription at any time?

Yes, you can cancel your subscription at any time from your account settings. You will retain access until the end of your current billing period.

Does NIS2Compass support smaller organizations?

Yes. NIS2Compass was designed specifically for SMBs with 30–250 employees, as a structured alternative to expensive consultants and complex enterprise tools. The Pro plan at €29/month provides everything you need for NIS2 compliance.

Still have questions? Contact us