How to Comply with the NIS-2 Directive in Germany: A 90-Day Operational Plan
Around 29,500 German entities fall within the scope of NIS-2. Compliance comes from disciplined operational execution: scoping, risk management, a named information security officer, a working 24/72 reporting path, and management training. This guide is a 90-day plan for entities still building the foundation.
Around 29,500 German entities fall within the scope of Directive (EU) 2022/2555 (NIS-2), implemented in Germany through the NIS-2 Implementation Act (NIS2UmsuCG) and the amended BSI Act. The German legislator was late in transposition, but supervisory enforcement by the Federal Office for Information Security (BSI) is ramping up through 2026, with mandatory registration windows and first audits for essential entities in regulated sectors already on the calendar. Penalties under section 60 BSI Act reach up to 10 million euro or 2 percent of worldwide annual turnover, whichever is higher, for essential entities (7 million euro or 1.4 percent for important entities), with personal liability of management under section 38 BSI Act, including a prohibition on indemnifying management for fines arising from breaches of that duty.
This article moves past the primer (covered in the CIVAC news brief on the German implementation) and into operational territory: a 90-day plan for entities still building the foundation. The audience is the future or recently appointed information security officer, the CISO without an officer mandate, and the legal counsel translating directive text into procurement decisions. Appointment letter: signed, filed, verifiable. CIVAC delivers a compliance platform and Officer-as-a-Service combination, with workspace licensing for internal officers or appointed officers under a two-business-day SLA.
At a glance
- NIS-2 compliance is operational, not paperwork: a named information security officer, documented risk management under section 30 BSI Act, and a functioning 24/72 reporting path are the load-bearing artefacts.
- Management bears personal liability under section 38 BSI Act and must complete mandatory training on cyber risk; this duty cannot be delegated.
- A realistic foundation programme takes 90 days for a mid-cap, including scoping confirmation, appointment of the information security officer, a top-10 risk register, a supplier review, and a tested 24/72 reporting drill.
Days 1 to 10: Confirm Scoping and Register with the BSI
The first task is to confirm whether your entity is in scope and, if so, in which class. Annex I (sectors of high criticality) and Annex II (other critical sectors) of the directive together list eighteen sectors; whether an entity is essential or important follows from its sector and its size. The German Implementation Act applies, with minor adjustments, the same sector list. An entity in a listed sector is important if it has at least 50 employees or more than 10 million euro in both annual turnover and balance sheet total, and essential if it operates in an Annex I sector and has at least 250 employees or more than 50 million euro turnover and more than 43 million euro balance sheet total. Below these thresholds, certain entities (qualified trust service providers, DNS service providers, top-level domain name registries, public administration above municipal level) are in scope regardless of size.
Scoping involves three parallel reviews. First, the sector classification by NACE code and core service. Second, the size criteria across the legal entity and group structure. Third, exemptions and overlapping regimes (KRITIS, financial sector under DORA, telecommunications under TKG). Document the scoping decision with named decision-maker, date, and supporting evidence; this is the first artefact a BSI inspector requests. Once scope is confirmed, register the entity through the BSI portal within the statutory window (currently three months after the entity first falls in scope; check for sector-specific windows). CIVAC ships a scoping wizard in the workspace that produces a signed scoping memorandum, suitable for board submission and audit retention, and a registration pre-fill that reduces the BSI portal submission to a fifteen-minute task rather than a half-day puzzle. The scoping memorandum carries a version history and a board signature block, which the BSI inspector expects to see during the first audit and which most mid-caps assemble retroactively under time pressure.
Days 11 to 25: Appoint the Information Security Officer
The NIS-2 directive does not literally require a named officer, but section 30 BSI Act demands a documented governance structure that names accountable persons for the security measures. In practice, supervisory authorities expect a designated information security officer with an appointment letter, scope of mandate, reporting line to top management, and documented qualifications. The role consolidates duties that, in many mid-caps, are scattered across a part-time CISO, a head of IT, and a compliance officer who is unsure where her mandate ends.
Internal versus external appointment is the first decision. An internal information security officer offers institutional knowledge but often suffers from role conflicts, especially if the candidate also operates IT systems. An external information security officer provides independence, broader exposure to incidents, and a reliable substitute during illness or vacation, but requires structured onboarding. CIVAC supports both models through the dual frame: license the workspace for your internal officers, or have our officers appointed. Both paths produce a signed appointment letter, a documented mandate, and a reporting line that supports the management oversight duty under section 38 BSI Act. The CIVAC SLA for officer appointment is two business days from contract signature, compared to two to six weeks in classical recruiting. The officer takes ownership of the 90-day programme described in the remaining sections and reports to top management on a documented cadence with a defined escalation path. The mandate explicitly excludes operational system administration to preserve independence, a distinction supervisory authorities now actively check during interviews with appointed officers, especially in mid-caps with smaller IT teams.
Days 26 to 45: Build the Risk Management System under Section 30 BSI Act
Section 30 BSI Act lists ten mandatory categories of security measures: risk analysis and information security policies; incident handling; business continuity and crisis management; supply chain security; security in acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the risk management measures; cyber hygiene and training; cryptography and, where appropriate, encryption; personnel security, access control and asset management; and multi-factor authentication and secured communications. These categories are not aspirational; they are the minimum scope of the risk management system that the BSI audits against. Neither the directive nor the BSI Act mandates a particular framework or certification, but ISO/IEC 27001:2022 with all 93 Annex A controls in scope is the de facto evidence path; alternative frameworks (BSI IT-Grundschutz, NIST CSF) are accepted if equivalence is documented.
The first deliverable is a top-10 risk register, mapping each section 30 category to identified risks, residual risk after treatment, named risk owner, and treatment plan. The second is a control catalogue, linking each ISO 27001 Annex A control to evidence (policy document, technical control configuration, training record). The third is a tested incident response plan, with playbooks for the most likely scenarios (ransomware, supply chain compromise, data exfiltration). The CIVAC workspace ships a pre-populated risk register template, a control catalogue mapped to the 93 ISO/IEC 27001:2022 controls and to the section 30 categories, and incident response playbooks aligned with the BSI Cyber-Sicherheitswarnungen. The information security officer completes and adapts these artefacts rather than building from blank pages, which compresses the foundation work from twelve weeks to three to four weeks. Others run compliance like a filing cabinet. We run it like software.
Days 46 to 60: Train Management on Their Personal Liability
Section 38 BSI Act imposes a personal duty on management bodies of essential and important entities. They must approve the cybersecurity risk management measures, supervise their implementation, and undergo regular training to acquire sufficient knowledge to identify risks and assess management practices. Crucially, the duty cannot be delegated, and the entity cannot indemnify members of the management body for fines arising from breaches of this duty. This is a sharp departure from the soft posture of NIS-1 and a deliberate alignment with general management duties under section 93 AktG and section 43 GmbHG.
The training requirement is substantive. A generic 60-minute video does not satisfy section 38; supervisory authorities expect a curriculum covering the current threat landscape, the entity's risk register, incident scenarios with management decision points, the regulatory framework, and the management's specific supervisory obligations. Document attendance, content, assessment, and refresher cadence (annually is the minimum recommended frequency). For board-level audiences, CIVAC offers a structured curriculum delivered as a 4-hour facilitated workshop or a 6-hour self-paced module, with attendance log, assessment, and a signed acknowledgment that satisfies the section 38 evidence requirement. The information security officer reports on training completion to the supervisory board annually, with named individuals, completion dates, and exception handling for absences. Audit-proof, documented, section 38 BSI Act-proof. Without this training record, a section 60 BSI Act fine becomes far more difficult to contest in the appeal proceeding. The training record is also the artefact most often requested by D&O insurance underwriters renewing cyber policies, so the operational investment yields a second commercial benefit beyond regulatory defence.
Days 61 to 75: Operationalise the 24/72 Reporting Path
Article 23 of the NIS-2 directive, transposed via section 32 BSI Act, requires entities to submit an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise available, and a final report within one month of the 72-hour notification covering impact, mitigation, and root cause or threat type. A significant incident is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The deadline runs from awareness. The 24-hour clock starts at the moment of awareness, not at the moment of confirmation, and the early warning is deliberately lightweight: it need only state whether the incident is suspected to stem from unlawful or malicious acts and whether it could have cross-border impact. Waiting for a confirmed root cause before filing the early warning is the most common way to miss the window.
Operationalising this path requires four artefacts. First, an awareness threshold definition that translates the legal standard into operational triggers (e.g. confirmed ransomware encryption on a production system, or data exfiltration confirmed by SIEM correlation). Second, a reporting template aligned with the BSI online portal, pre-filled with entity identifiers, contact details, and the categorical fields the portal requires. Third, a designated reporter and a deputy with portal access and current credentials, verified before an incident rather than during one. Fourth, a quarterly drill that exercises the path end-to-end, including the deputy. CIVAC ships the reporting templates pre-aligned with the BSI portal, the awareness threshold guidance, and a drill scenario library covering the most common incident classes. The auditor calls, the evidence is ready, and the 24-hour clock does not catch you searching for the BSI portal URL or the right contact name.
Days 76 to 85: Review the Supply Chain under Section 30(2) BSI Act
Supply chain security is one of the ten section 30 categories and frequently the weakest link in mid-cap NIS-2 programmes. The duty covers direct suppliers, service providers, and any third party with access to networks or data. The information security officer must document a risk-based assessment of suppliers, with deeper diligence for suppliers in critical paths (cloud infrastructure, security services, managed IT services, business-critical SaaS). Contract clauses must include cybersecurity obligations, breach notification, audit rights, and termination triggers tied to security posture.
The practical workflow is a tiered supplier inventory. Tier 1 (high criticality, direct system access) requires annual security questionnaires, evidence of ISO/IEC 27001 or equivalent certification, breach history review, and contract clauses aligned with section 30(2). Tier 2 (moderate criticality) requires biennial questionnaires and basic contract clauses. Tier 3 (low criticality) requires baseline due diligence and standard contract clauses. The CIVAC workspace provides the tiering rubric, the questionnaire templates, and a tracker that records questionnaire status, evidence links, and renewal dates per supplier. For mid-caps with 100 to 500 suppliers, the workspace cuts the inventory build from three months of manual interview work to two to three weeks of structured intake, with the officer reviewing exceptions rather than completing every form. The output is a documented supplier risk register that the BSI inspector can review without requesting additional artefacts, with renewal reminders, named owners per supplier, and a one-click export ready for sharing with the supervisory authority on request.
Days 86 to 90: Internal Audit and Management Briefing
The last five days of the 90-day programme close the loop with an internal audit and a management briefing. The internal audit covers the section 30 categories against ISO/IEC 27001:2022 Annex A controls and against the section 32 reporting path. The audit should be conducted by a qualified internal auditor or external party, distinct from the information security officer (independence). Findings are categorised as major, minor, or observation, with remediation owner and due date for each. A finding-free audit is suspicious; expect 5 to 15 findings in a first audit, most of which are minor.
The management briefing translates the audit into a board-ready summary: scope confirmation, risk posture, top-5 risks, top-5 findings, supplier risk summary, incident readiness, and a 12-month roadmap. The briefing is the artefact that satisfies the management oversight duty under section 38 BSI Act and that produces the documented management approval of the cybersecurity risk management measures. CIVAC's reporting module produces this briefing as a one-click PDF with editable narrative sections, pre-populated KPI tables, and a signature block for the board approval. The information security officer presents, the board approves and signs, and the artefact is filed in the workspace with a hash-anchored timestamp. Turn reading into a mandate: the 90 days end with a defensible posture and a working operating rhythm rather than a stack of half-finished documents. The next quarter then focuses on continuous improvement: lessons-learned reviews from the drill, supplier questionnaire renewals, and the first scheduled refresher of the management curriculum.
Common Pitfalls and How to Avoid Them
Three pitfalls undermine most 90-day programmes. The first is scoping ambiguity. Mid-caps often have group structures with subsidiaries operating different services. Each legal entity must be scoped separately; a pure holding company is typically not in scope, but operating subsidiaries are. Treating the group as one entity leads to under-registration and under-reporting and is a common finding in early BSI audits. Address this by completing the scoping memorandum at legal-entity level, even when control is shared at group level.
The second pitfall is treating the information security officer as a part-time addition to an existing CISO role without mandate clarity. The supervisory authority distinguishes the operational CISO from the appointed officer, who carries the legal mandate and the reporting duty. The appointment letter must articulate the mandate scope, the reporting line, and the resource entitlement. The third pitfall is delaying management training. Management training appears late on most project plans and is often deprioritised when other items overrun. This is precisely the artefact that section 38 BSI Act makes non-delegable, and its absence is what auditors flag first because it is the easiest gap to identify in a document review. The 90-day plan front-loads management training to days 46 to 60 deliberately, so that even a budget cut or staff turnover does not derail the most legally sensitive milestone of the programme. The CIVAC workspace tracks completion at named-individual granularity and escalates automatically when a board member misses the annual refresher window.
From Reading to Engagement
A 90-day NIS-2 foundation programme is feasible for a German mid-cap with discipline and the right tooling. The load-bearing artefacts are a named information security officer with mandate and reporting line, a documented risk management system under section 30 BSI Act, a tested 24/72 reporting path, a tiered supplier risk register, and a board-approved security posture refreshed annually. The directive's intent is operational resilience, not paperwork accumulation; auditors read posture, not page counts. A well-instrumented platform with 93 ISO 27001:2022 controls in scope, 490 audit-ready templates, EU data residency, and an integrated reporting path is the multiplier that turns 90 days into a credible foundation rather than a documentation backlog.
CIVAC operates as a compliance platform and Officer-as-a-Service for German entities under NIS-2. License the workspace for your internal officers, or have our officers appointed, with appointment letter, reporting line, and annual report under a two-business-day SLA. For a primer on the German NIS-2 timeline, see the CIVAC news brief on NIS-2 implementation in Germany; for the ISMS context, see the ISO 27001:2022 transition overview. Turn reading into a mandate: write to info@civac.de or use the contact form on civac.de, and you will receive within one business day a tailored 90-day plan with named milestones, effort estimates, and a recommendation on internal versus appointed officer. The plan includes a target architecture for the 24/72 reporting path, a supplier tiering proposal, and an indicative timeline that aligns with your fiscal-year planning cycle and any sector-specific BSI registration windows.
FAQ
Is our entity in scope of NIS-2, and how do we confirm it formally?
Confirm scope through a three-step review: sector classification by NACE code and core service; size criteria (at least 50 employees, or more than 10 million euro in both turnover and balance sheet total, for important entities; at least 250 employees, or more than 50 million euro turnover and more than 43 million euro balance sheet total, for essential entities in Annex I sectors); and exemptions or overlapping regimes. Document the scoping decision in a signed memorandum with named decision-maker and supporting evidence. Register with the BSI within the statutory window if confirmed in scope.
Do we need to appoint a dedicated information security officer under German NIS-2?
The directive does not literally require a named officer, but section 30 BSI Act demands a documented governance structure. In practice, supervisory authorities expect a designated information security officer with appointment letter, mandate scope, reporting line, and documented qualifications. CIVAC supports internal appointment via workspace licensing or external appointment through Officer-as-a-Service under a two-business-day SLA.
What does management training under section 38 BSI Act look like in practice?
Management training is substantive, annual, and non-delegable. A board-level curriculum covers current threat landscape, the entity's risk register, incident scenarios with decision points, regulatory framework, and supervisory obligations. CIVAC delivers this as a 4-hour facilitated workshop or 6-hour self-paced module, with attendance log, assessment, and signed acknowledgment satisfying the section 38 evidence requirement.
How do we operationalise the 24-hour early warning and 72-hour follow-up?
Operationalise the path with four artefacts: an awareness threshold definition translating the legal standard into operational triggers, a reporting template aligned with the BSI portal, a designated reporter and deputy with current portal credentials, and a quarterly drill exercising the path end-to-end. Keep the 24-hour early warning minimal (suspected malicious cause, possible cross-border impact) and reserve the detailed assessment for the 72-hour notification. CIVAC ships pre-aligned templates, awareness guidance, and drill scenario libraries covering the most common incident classes.
What happens if we miss the 24-hour reporting window?
A missed window is a breach of section 32 BSI Act and exposes the entity to fines under section 60. The supervisory authority weighs whether awareness was reasonably established earlier and whether the entity had a tested reporting process. A documented quarterly drill, named reporter and deputy, and a defensible awareness threshold materially mitigate the penalty assessment, especially for first-time procedural failures within enforcement discretion.
Can CIVAC support both English and German operations for NIS-2 compliance?
Yes. The CIVAC workspace operates bilingually with German as the primary legal idiom and English mirrors for international subsidiaries, board members, and external auditors. The 93 ISO 27001:2022 controls, 37 audit templates, and the 24/72 reporting path are available in both languages. The dual-model frame (workspace plus appointable officer) functions across language environments without separate setup.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.