NIS 2 Compliance in Germany: Operational Playbook for the Information Security Officer
The German NIS 2 transposition will apply to roughly 29,500 organisations. This is the operational playbook for the Information Security Officer: registration, governance training, incident reporting, supplier risk, and the BSI evidence cycle.
The German transposition of the NIS 2 Directive (EU) 2022/2555, implemented through the NIS 2 Umsetzungsgesetz amending the BSI Act, applies to roughly 29,500 organisations across 18 sectors. Essential entities (above 250 employees or EUR 50 million turnover) face fines up to EUR 10 million or 2 percent of global group revenue. Important entities (above 50 employees or EUR 10 million turnover) face fines up to EUR 7 million or 1.4 percent. Personal liability sits with the Geschäftsführung, and management training under § 38 BSIG-new is a statutory requirement. Reading the directive is the easy part; running the operational cycle is what audits ultimately measure.
This article is not another primer on what NIS 2 says. It is the operational playbook for the appointed Information Security Officer (ISB) in Germany. It covers the BSI registration window, the personal liability regime for managing directors, the 24-hour early warning and 72-hour follow-up reporting timeline under § 32 BSIG, the supplier risk assessment under § 31 BSIG, the obligatory management training under § 38 BSIG, and the evidence cycle the BSI expects when it audits. CIVAC operates a compliance platform and Officer-as-a-Service that consolidates each of these obligations into one workspace, with ISO/IEC 27001:2022 controls and EU data residency. Appointed, signed, filed, evidenced.
At a glance
- Roughly 29,500 German entities fall in scope of the NIS 2 transposition (BSIG-new), with fines up to EUR 10 million or 2 percent of global revenue for essential entities.
- The reporting timeline under § 32 BSIG is 24 hours for early warning, 72 hours for incident notification, with a final report within one month; the Information Security Officer carries operational responsibility.
- CIVAC provides a BSI-aligned workspace with appointment letter, supplier risk register, incident workflow and management training module, plus the Officer-as-a-Service option with a two-business-day SLA.
Scope, thresholds, and the 29,500-entity universe
Article 2 of the NIS 2 Directive defines two categories of regulated entities. Essential entities cover energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Important entities cover postal and courier services, waste management, manufacture and distribution of chemicals, manufacture and distribution of food, manufacture of medical devices, computers, electrical equipment, machinery, motor vehicles, digital providers, and research. Across 18 sectors, the German transposition (BSIG-new) is expected to bring approximately 29,500 organisations into scope.
The size thresholds are: essential entities have 250 or more employees, or EUR 50 million turnover, or EUR 43 million balance sheet. Important entities have 50 or more employees, or EUR 10 million turnover. Specific sub-sectors (energy, banking, digital infrastructure, public administration) are in scope regardless of size. Subsidiaries within a group are assessed individually for sector and size, but the Geschäftsführung at parent level is co-responsible for group-wide compliance under § 38 BSIG. The first task of the Information Security Officer is to confirm the entity's classification, document the rationale, and register with the BSI within the registration window (currently three months from the law's entry into force). The CIVAC ISB role ships with a classification worksheet that maps the company's sector codes and size metrics to the BSIG categories, producing the registration packet automatically. The registration itself is filed through the BSI portal with the named contact, alternates and incident channel pre-populated. Mistakes at the classification stage are expensive: misclassifying an essential entity as important not only shifts the fine ceiling by EUR 3 million but also changes the supervisory regime, the audit cadence and the management training intensity.
Registration with the BSI: deadlines and content
Registration is the entry point. Once the BSIG-new is in force, entities must register with the Bundesamt für Sicherheit in der Informationstechnik within the deadline set by § 33 BSIG (currently three months from the law's entry into force, subject to final wording). The registration covers: the legal name and entity registration number, the operating sector, the size category, the points of contact for incident reporting, the alternates, the IT contact, the responsible board member for cybersecurity (as required by § 38 BSIG), and the territory of operation in Germany.
Registration is not a one-time event. § 33 BSIG requires updates within two weeks for material changes, for example a change of the responsible board member, a merger, a divestment, a sector reclassification, or a change in the responsible officer. The ISB owns this registration data and maintains the change log. CIVAC carries the registration data as a first-class object in the workspace, with change tracking, alert thresholds when contacts leave the company, and an export endpoint for the BSI portal, so the registration is current when the supervisor calls. The registration record is also linked to the incident reporting workflow, so the named contacts are notified automatically when an incident is created. The deadline runs from the moment of knowledge (Frist läuft ab Kenntnis): the system timestamps each material change and tracks the two-week update deadline. Failure to update is itself a breach of § 33 BSIG and can trigger separate fines and supervisory measures. The registration data is also the basis for the BSI's view of the company's cyber posture, so inconsistent or outdated entries can trigger additional supervisory attention even in the absence of an incident.
The 24/72 reporting timeline: § 32 BSIG operationalised
The most operationally demanding NIS 2 obligation is the incident reporting timeline under § 32 BSIG. Three reports are required for any significant incident. T+24 hours: early warning to the BSI, indicating whether the incident is caused by unlawful or malicious acts and could have cross-border impact. T+72 hours: incident notification with initial assessment of severity, impact, indicators of compromise, and known causes. T+1 month: final report with detailed description, root cause analysis, mitigation measures and lessons learned. Intermediate progress reports may be requested by the BSI.
Operationalising this timeline is not trivial. The ISB needs a workflow that captures the first internal indicator, classifies severity, determines whether the threshold for a significant incident is met, drafts and submits the early warning, and escalates internally to the Geschäftsführung and externally to legal, insurance and (where relevant) data protection (Art. 33 GDPR has its own 72-hour timeline, which sometimes overlaps). CIVAC implements the workflow as a state machine: detection, classification, internal escalation, T+24 draft, T+24 submission, T+72 draft, T+72 submission, monthly draft, monthly submission, closure. Each transition is timestamped, the responsible officer is named, and a notification log is created for management. The deadline runs from the moment of knowledge (Frist läuft ab Kenntnis), and the evidence is ready when the supervisor calls. The system also reconciles the NIS 2 timeline with the parallel Art. 33 GDPR 72-hour timeline, preventing the common defect of contradictory severity classifications in the two notifications. The audit trail captures every draft, every approval and every submission, with a hash-anchored timeline that defends against later allegations of late or incomplete reporting.
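As an added illustration of the 24/72/one-month reporting workflow and the hash-anchored audit trail described above (example code written for this article, not code from CIVAC's platform): the state names, the 30-day approximation of the one-month deadline, the SHA-256 chaining scheme and the sample incident INC-0001 are all assumptions. It checks that transitions follow the state machine in order, computes the statutory due times from the moment of knowledge, flags late submissions and severity contradictions between reports, and detects any later edit to the log.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Transition order as the article lists it; each step is only reachable from its predecessor.
STATES = ["detection", "classification", "internal_escalation", "t24_draft", "t24_submission",
          "t72_draft", "t72_submission", "monthly_draft", "monthly_submission", "closure"]
# Statutory deadlines run from the moment of knowledge (Frist läuft ab Kenntnis).
# Assumption: the one-month final report is approximated as 30 days.
DEADLINES = {"t24_submission": timedelta(hours=24), "t72_submission": timedelta(hours=72),
             "monthly_submission": timedelta(days=30)}
GDPR_ART33 = timedelta(hours=72)  # parallel Art. 33 GDPR deadline when personal data is affected


def _digest(body):  # canonical JSON so the same entry always hashes the same way
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentTimeline:  # hash-chained transition log for one significant incident
    def __init__(self, incident_id, known_at, personal_data_affected=False):
        self.incident_id, self.known_at = incident_id, known_at
        self.personal_data_affected = personal_data_affected
        self.entries = []
        self._append("detection", known_at, "system", None)

    def _append(self, state, at, officer, severity):  # each entry commits to its predecessor
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"incident": self.incident_id, "state": state, "at": at.isoformat(),
                "officer": officer, "severity": severity, "prev_hash": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def transition(self, state, at, officer, severity=None):  # exactly one step forward
        last = self.entries[-1]
        nxt = STATES.index(last["state"]) + 1
        if nxt == len(STATES) or state != STATES[nxt]:
            raise ValueError(f"illegal transition {last['state']} -> {state}")
        self._append(state, at, officer, severity)

    def deadlines(self):  # absolute due times for the BSI reports (and GDPR where relevant)
        due = {k: self.known_at + v for k, v in DEADLINES.items()}
        if self.personal_data_affected:
            due["gdpr_art33"] = self.known_at + GDPR_ART33
        return due

    def late_submissions(self):  # submissions whose logged time exceeds the statutory deadline
        due = self.deadlines()
        return [e["state"] for e in self.entries
                if e["state"] in due and datetime.fromisoformat(e["at"]) > due[e["state"]]]

    def severity_conflicts(self):  # submissions that contradict the recorded classification
        cls = next((e["severity"] for e in self.entries if e["state"] == "classification"), None)
        return [e["state"] for e in self.entries
                if e["state"].endswith("_submission") and e["severity"] != cls]

    def verify_chain(self):  # recompute every hash; an edited or removed entry breaks the chain
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def sample_timeline():  # constructed sample: T+24 on time, T+72 late and with contradictory severity
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    tl = IncidentTimeline("INC-0001", t0, personal_data_affected=True)
    for state, hours, sev in [("classification", 2, "significant"), ("internal_escalation", 3, None),
                              ("t24_draft", 10, "significant"), ("t24_submission", 20, "significant"),
                              ("t72_draft", 60, "significant"), ("t72_submission", 80, "major")]:
        tl.transition(state, t0 + timedelta(hours=hours), "isb", sev)
    return tl
```

Running `sample_timeline()` and then `late_submissions()` and `severity_conflicts()` reports the T+72 notification as both late and inconsistent with the classification, while `verify_chain()` fails as soon as any logged entry is altered after the fact.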
Personal liability under § 38 BSIG: management training and accountability
NIS 2 introduces a personal accountability regime for management. § 38 BSIG-new requires the management body of essential and important entities to approve the cybersecurity risk management measures, oversee implementation, and undergo regular cybersecurity training. Failure to comply gives the supervisor the power to impose personal fines and, in extreme cases, suspend the managing director from office. Delegation does not relieve liability. The supervisor will look first for evidence that the Geschäftsführung has approved the risk measures, attended training, and reviewed incident response and supplier risk.
The training requirement is substantive. It cannot be discharged through a one-hour annual e-learning module without documented learning objectives, assessment, and refresher cycle. The Bundesamt für Sicherheit in der Informationstechnik has indicated that training records will be reviewed in audits. CIVAC ships a management training module aligned to BSI guidance, with documented curriculum, attendance records and assessment results stored in the workspace. The ISB workspace includes a separate management training tab where the appointed officer can monitor completion, schedule refreshers, and produce evidence on demand. Appointed, signed, filed, evidenced. Audit-resistant, documented, § 130 OWiG-tight. Refresher cycles default to annual and are escalated automatically when the deadline approaches, preventing the silent lapse that supervisors find most often in initial audits. Board minutes that approve the cybersecurity risk measures are attached to the same workspace, so the named board member's approval is provable from a single artifact rather than reconstructed from email threads. The reporting pack for the management body is generated automatically each quarter, capturing the cybersecurity risk position in language and depth suited to a non-technical board audience.
Supplier and supply chain risk under § 31 BSIG
The supply chain dimension of NIS 2 is one of the most labour-intensive obligations. § 31 BSIG-new requires entities to take cybersecurity risk management measures across their supply chain, including assessment of the security practices of direct suppliers, contractual obligations, and ongoing monitoring. The ISB must produce a supplier register, classify suppliers by criticality, conduct due diligence on critical suppliers, embed cybersecurity clauses in contracts, and monitor supplier incidents. The ENISA Guidelines on Cyber Risk Management Measures provide further detail on what is expected.
CIVAC includes a supplier risk register as a native object in the workspace. Suppliers are classified by criticality (essential, important, peripheral), the due diligence depth is set per tier, the contractual cybersecurity clauses are templated, and incident reporting obligations flow back to the supplier register. Monitoring is continuous: suppliers in the essential tier are reviewed annually or upon material change, with the review evidence stored alongside the supplier record. When a supplier reports an incident, the workflow is wired to the ISB and Geschäftsleitung. The supplier register integrates with procurement systems through API, so new suppliers are added with the right risk classification from the start. License the workspace for your internal officers, or have our officers appointed externally. In either model, the supplier risk register is the single source of truth, replacing the multiple shadow spreadsheets that most German companies still rely on for vendor risk management. The register is also the foundation for downstream automation, including contract clause generation, supplier questionnaires and the integration with security ratings providers where companies use them.
Technical and organisational measures under § 30 BSIG
§ 30 BSIG-new mandates a set of technical and organisational measures: risk analysis and information security policies, incident handling, business continuity (including backup management and disaster recovery), supply chain security, security in network and information systems acquisition, development and maintenance (including vulnerability handling and disclosure), policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic cyber hygiene practices and training, cryptography policies, human resources security, access control, asset management, multi-factor authentication, secure voice/video/text communications, and secure emergency communications. The catalogue maps closely to ISO/IEC 27001:2022 Annex A.
CIVAC's ISB workspace inherits the 93 controls of ISO/IEC 27001:2022 mapped to the § 30 BSIG measures. The ISMS is built into the platform, with policy templates, control objectives, evidence collection, and an internal audit cycle. For companies pursuing ISO 27001 certification in parallel, the workspace acts as the documentation backbone: control implementation, internal audit, management review and corrective actions are all tracked in one system. The mapping between ISO controls and BSIG measures is pre-built, so a single piece of evidence satisfies both regimes. The supervisor calls, the evidence is ready. The platform also exposes maturity metrics, so the ISB can report to management how far the company is from full coverage and where the gaps sit, enabling targeted investment rather than across-the-board spending. The maturity assessment is benchmarked against sector peers anonymously, so management can see where their cybersecurity posture sits relative to the comparable cohort and where the BSI is likely to focus its attention.
The BSI audit: what supervisors will actually request
BSI audits will follow a recognisable pattern. Supervisors will request: the BSI registration record (current and historical), the appointment letter of the ISB (with task catalogue and reporting line), the management approval of cybersecurity risk measures (board minutes or equivalent), the management training records (curriculum, attendance, assessment), the supplier register (with classification and due diligence evidence), the incident log (with the three reports for each significant incident), the technical and organisational measures catalogue, the internal audit reports, the management review minutes, and the corrective action register.
The audit will compare what the ISB reports with what the system shows. Fragmented documentation across spreadsheets and PDF folders typically produces inconsistencies that supervisors interpret as poor controls. A unified workspace produces a coherent evidence trail. CIVAC organises all of the above as first-class objects with timestamp, named officer and version control. The export bundle includes the BSI registration, the appointment letters, the management training records, the supplier register, the incident logs, the TOM catalogue, the audit reports and the corrective actions, all in one structured archive. Companies that operate the platform for two or more quarters typically pass the first BSI inspection without material findings, with the audit time reduced by 40 to 60 percent compared to multi-tool baselines. The audit is no longer an emergency; it is a routine review of an already-current record. Companies that operate the workspace continuously can prepare for the BSI inspection in days rather than months, with the export bundle reflecting the live state of the system rather than a retrospective reconstruction.
Internal officer or Officer-as-a-Service: choosing the model
Companies face a choice between appointing an internal ISB and engaging an external one through Officer-as-a-Service. The internal model fits companies with existing cybersecurity teams and a candidate for the ISB role with the requisite seniority and independence. § 30 BSIG-new requires the ISB to have direct reporting access to management, sufficient resources, and protection against detrimental treatment for performing the role. The external model fits companies without internal capacity, or companies that want to combine the ISB function with broader information security advisory.
CIVAC supports both. The licensed workspace gives the internal ISB the full toolset: appointment letter, BSI registration, supplier register, incident workflow, ISO 27001:2022 control framework, management training module. The Officer-as-a-Service model has a CIVAC ISB appointed within two business days, with the same workspace operated by an experienced external officer. Companies often start with Officer-as-a-Service for the first 12 to 18 months while building internal capability, then transition to the licensed workspace with knowledge transfer through the platform. License the workspace for your internal officers, or have our officers appointed externally. The dual model also supports hybrid setups where group entities differ in their internal capacity: one subsidiary may have a strong internal team while another relies on external coverage, both operating in the same workspace under group-level reporting. Knowledge transfer between external and internal officers is built into the platform: every artifact, every supplier review, every incident response is documented in a form that any successor officer can pick up without information loss.
From directive to operations: starting NIS 2 compliance with CIVAC
NIS 2 compliance in Germany is operationally substantive. Reading the directive takes hours; running the operational cycle (BSI registration, management training, incident workflow, supplier risk, technical measures, internal audit) takes the better part of a year. The 24-hour and 72-hour reporting timelines are not negotiable, the supplier risk register requires sustained effort, and the management training is subject to audit. Doing this on spreadsheets and ad-hoc workflows is increasingly indefensible at the audit stage.
CIVAC offers a starting point in two business days. License the workspace for your internal officers, or have our officers appointed externally. In either model the BSI registration is prepared, the appointment letter is drafted, the supplier register is initialised, the incident workflow is configured, the management training module is rolled out, and the ISO 27001:2022 control framework is activated. The workspace runs on EU data residency under an ISO/IEC 27001:2022-certified ISMS. The first BSI audit becomes a routine review. Turn reading into a mandate. Write to info@civac.de or use the contact form at civac.de. The next step is a 30-minute introductory call to map your sector classification, identify your scope category (essential or important), and choose the delivery model. Within two business days, the workspace can be provisioned and the appointed ISB can be registered. Appointed, signed, filed, evidenced: audit-resistant, documented, § 130 OWiG-tight, with the evidence ready when the supervisor calls. Companies that postpone the start until close to the deadline lose the cushion the platform's two-business-day SLA provides, so beginning the conversation early is materially less stressful.
FAQ
Does NIS 2 apply to subsidiaries of non-EU groups operating in Germany?
Yes. Any entity that meets the sector and size thresholds and operates in Germany falls under the German BSIG-new, regardless of where the parent is incorporated. Non-EU groups with German operations should appoint a German-based ISB and ensure that the BSI registration is filed under the German entity. CIVAC supports multi-jurisdiction setups with the German subsidiary as the registered entity and group reporting overlays.
What counts as a significant incident under § 32 BSIG?
A significant incident is one that causes, or is capable of causing, severe operational disruption or financial loss, or affects other natural or legal persons by causing considerable material or non-material damage. The classification is the responsibility of the ISB. CIVAC's incident workflow includes a classification helper that maps the incident facts to the § 32 BSIG criteria and documents the rationale for the decision in the workspace.
How does NIS 2 interact with ISO/IEC 27001:2022 certification?
ISO 27001:2022 is not a substitute for NIS 2 compliance, but it is a substantial enabler. The § 30 BSIG measures map closely to Annex A of ISO 27001:2022. Companies with a current ISO 27001:2022 certificate have most of the technical and organisational evidence already in place. CIVAC pre-maps the controls and uses one evidence object to satisfy both regimes where they overlap.
Can the ISB and the data protection officer be the same person?
In small entities, yes, but there are independence concerns. Data protection and information security overlap but are not identical, and combining the roles can create conflicts of interest, especially where incident handling involves both NIS 2 and Art. 33 GDPR. In larger entities the roles are usually separated. CIVAC supports both configurations in the workspace, with separate appointment letters and reporting lines where the roles are split.
What are the fines for non-compliance with the German NIS 2 transposition?
For essential entities the fine ceiling is EUR 10 million or 2 percent of global group revenue, whichever is higher. For important entities the ceiling is EUR 7 million or 1.4 percent. In addition, personal fines and suspension orders against managing directors are possible under § 38 BSIG-new. The cost of non-compliance therefore extends beyond corporate fines into personal liability for the Geschäftsführung.
How fast can CIVAC have an ISB appointed and registered?
Officer-as-a-Service appointment is delivered within two business days. The BSI registration packet is prepared within the same window. The full workspace, including supplier register, incident workflow, management training module and ISO 27001:2022 control framework, is provisioned in parallel. Conventional onboarding through external counsel typically takes four to six weeks. The two-business-day SLA replaces the conventional timeline.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.