CIVAC · IT-Sicherheit & NIS-2 · 6 June 2026 · 13 min read

Virtual CISO Germany: NIS-2, ISO 27001 and the case for a fractional model

By Lena Vogt

German mid-sized companies face NIS-2, ISO 27001:2022 transition and EU AI Act obligations without a full-time CISO on payroll. A virtual CISO model provides accountable security leadership with documented mandates, board reporting and audit-ready evidence in the workspace.

Germany's regulatory landscape for information security has shifted significantly since the NIS-2 transposition deadline on 17 October 2024 and the ISO/IEC 27001:2022 transition deadline on 31 October 2025. Roughly 29,500 entities in Germany now fall under the scope of the NIS-2 implementation act, with fines reaching 10 million euros or 2 percent of global group turnover for essential entities under § 60 NIS2UmsuCG. Management board members carry personal liability under § 38 NIS2UmsuCG. Yet most affected mid-sized companies do not employ a full-time chief information security officer and would struggle to justify the salary band of 180,000 to 280,000 euros that experienced CISOs command on the open market.

This article explains how a virtual CISO model addresses that gap, what scope of services Germany-based companies should expect, and how to anchor the mandate so it survives an audit. CIVAC operates as a compliance platform and officer-as-a-service with a workspace, audit templates, appointment certificates, EU data residency and dedicated capacity for NIS-2 reporting paths. License the workspace for your internal officers or have our officers appointed. You will learn what a virtual CISO actually does in a German legal context, how to scope the engagement, what red flags to avoid and how the role connects to data protection, compliance and the information security management system.

At a glance

  • A virtual CISO is a fractional security executive who owns the ISMS, reports to the board and signs the appointment documentation that German auditors expect.
  • Under the German NIS-2 implementation act, management remains personally liable; the virtual CISO supports the board but does not transfer liability away from it.
  • Typical engagement scope ranges from 4 to 16 days per month at 1,400 to 1,950 euros per day, depending on company size and ISO 27001 certification ambition.

What a virtual CISO actually delivers in a German context

A virtual CISO is a fractional information security executive who holds a documented appointment from management and delivers the same governance outcomes as a full-time chief information security officer at a fraction of the headcount cost. The mandate in Germany typically covers the design and operation of an information security management system aligned with ISO/IEC 27001:2022, the implementation of NIS-2 measures under §§ 30 and 31 NIS2UmsuCG, the bridge to GDPR security obligations under Art. 32 GDPR, and the reporting line to the management board. The role is not statutory in the sense that NIS-2 itself does not require a CISO title, yet § 38 NIS2UmsuCG demands that management approve, oversee and train on security measures, which in practice requires a competent executive lead.

The virtual CISO is therefore the person who translates management responsibility into operational reality. Concretely this means owning the risk register, the statement of applicability, the asset inventory and the supplier security programme. In addition the role coordinates the 24-hour early warning and 72-hour follow-up notification path under § 32 NIS2UmsuCG with the Federal Office for Information Security (BSI). CIVAC supports the role via its information security officer profile in the workspace, with German legal references retained throughout because the workspace is configured for the German regulatory environment.

The fractional nature of the engagement is its strength, not its limitation. Where a full-time CISO carries operational overhead and rapidly runs out of strategic bandwidth in a 250-person company, a virtual CISO scales precisely to the strategic need. The day rate model with documented deliverables avoids the trap of paying for presence without output, which is a common failure mode in classic consultancy mandates.

NIS-2 in Germany: scope, deadlines and the management liability angle

The German NIS-2 implementation act distinguishes essential entities and important entities by sector and size. Essential entities are large companies in 11 highly critical sectors including energy, transport, banking, health, water, digital infrastructure and public administration. Important entities are medium-sized companies in those sectors plus seven other critical sectors. The size thresholds follow Commission Recommendation 2003/361/EC: medium-sized means 50 to 249 employees and up to 50 million euros turnover; large means 250 employees and above or more than 50 million euros turnover. Approximately 29,500 entities in Germany fall under the new regime, compared with roughly 4,500 under the previous KRITIS framework.

The act has been politically delayed several times but is on track for entry into force in 2026. Once in force the obligations include risk management measures under § 30, a 24-hour early warning, a 72-hour follow-up notification and a final report under § 32, supply chain security, business continuity and management approval under § 38. Crucially, § 38 NIS2UmsuCG establishes personal liability of management members for the supervision of security measures, with fines for the entity reaching 10 million euros or 2 percent of global group turnover for essential entities. For important entities the ceiling is 7 million euros or 1.4 percent.

A virtual CISO supports management in discharging these duties. The role does not absorb the personal liability of board members; that liability rests with management under § 38. What the virtual CISO provides is the documented evidence that management has acted with the required diligence: risk assessments, decisions captured in board minutes, mandatory training, supplier reviews, incident drills and a working 24/72h reporting path. Without this evidence the diligence defence under § 130 OWiG is significantly weaker, and personal liability becomes a realistic outcome.

Scope of a virtual CISO mandate: what is included and what is extra

A robust virtual CISO mandate in Germany covers eight core areas. First, the information security management system aligned with ISO/IEC 27001:2022, including the 93 controls grouped into four themes. Second, the gap analysis against NIS-2 obligations and the resulting roadmap with named owners. Third, the supplier security programme with contracts, questionnaires and risk-tiered review cycles. Fourth, the incident response framework including the 24/72-hour reporting path under § 32 NIS2UmsuCG and the connection to Art. 33 GDPR. Fifth, business continuity and disaster recovery planning with documented recovery time and recovery point objectives.

Sixth, the awareness and training programme tailored to roles and risk exposure. Seventh, the board reporting line with a quarterly cadence and ad-hoc escalations on significant incidents. Eighth, the audit programme covering internal audits, external assessments and certification readiness if the company pursues ISO/IEC 27001 certification. Items that typically sit outside the base mandate are forensic investigations, hands-on incident response during major breaches, penetration testing execution and software engineering work. These are scoped as separate projects to avoid hidden cost inflation.

The CIVAC workspace consolidates the deliverables across all eight core areas, so the virtual CISO does not create silos with personal templates. The 490 audit templates and the 93-control catalogue are the operating layer. Appointment letter, signed, filed, evidence at hand. The model works because the workspace persists across CISO rotations: if the contracted individual changes, the next virtual CISO inherits a complete, versioned operating environment rather than a stack of personal spreadsheets that need to be rebuilt from scratch.

Cost model: day rates, retainers and the buy versus rent question

The German market for virtual CISO services has matured significantly since 2022. Day rates range from 1,400 to 1,950 euros net for experienced practitioners, depending on industry vertical, certification ambition and incident response readiness. A typical mid-sized company in the 100 to 500 employee range engages a virtual CISO for 4 to 16 days per month, with the high end usually associated with active ISO/IEC 27001 certification projects and the low end with steady-state operation of an existing ISMS. The annual budget therefore sits between roughly 67,000 and 374,000 euros depending on intensity.

Compared to a full-time hire, the saving comes from three sources. First, salary differential: a full-time CISO in Germany commands 180,000 to 280,000 euros plus bonus, plus the employer side social security and operational overhead of roughly 25 percent. Second, ramp-up time: a senior hire typically needs six to nine months to reach productive output, while a virtual CISO arrives with templates and methodology. Third, optionality: a fractional engagement scales up during certification phases and down during steady state, while a permanent hire does not.

The buy-versus-rent decision typically tips towards in-house when the company reaches 500 to 800 employees in regulated industries or 1,000-plus in less regulated ones. Below that threshold the virtual model usually wins on total cost of ownership and on resilience, because the supplier carries the substitution risk if the named individual is unavailable. CIVAC offers both: license the workspace for your internal officers when the company is ready to internalise, or have our officers appointed when the strategic moment is not yet there. Both paths share the same operating layer.

ISO/IEC 27001:2022 certification: what the virtual CISO drives

ISO/IEC 27001:2022 became the only valid version of the standard on 31 October 2025, with all 2013 certificates expiring on that date. The transition affected the structure of Annex A controls, which were reduced from 114 to 93 and grouped into four themes: organisational, people, physical and technological. The new version also introduced eleven entirely new controls including A.5.7 threat intelligence, A.5.23 cloud services and A.8.28 secure coding. A virtual CISO is the natural owner of the certification project because the standard requires a defined ISMS with clear responsibilities and management commitment.

The certification pathway in Germany follows three stages. Stage one is the documentation review by an accredited certification body, typically conducted as a one-day off-site assessment. Stage two is the on-site assessment of the ISMS in operation, usually two to four days depending on company size. The surveillance audits in years two and three are shorter and confirm continued conformity. A typical certification project takes nine to fourteen months from kickoff to certificate issuance, with the heaviest workload in months four to nine when controls are operationalised and evidence is built.

CIVAC pre-populates the workspace with the full 93-control catalogue, the statement of applicability template and the risk treatment plan in a format that accredited auditors recognise. Audit-ready, documented, ISO 27001:2022-ready. The virtual CISO uses these templates as a starting point and adapts them to the company's risk profile, rather than building from a blank sheet. This reduces the certification timeline by roughly two to four months in practice and removes the most common audit findings related to inconsistent control documentation. For companies pursuing the certification primarily as a sales enabler, the time saving converts directly into revenue.

Incident response: the 24-hour and 72-hour reporting path under NIS-2

The reporting obligations under § 32 NIS2UmsuCG are among the strictest in the German regulatory landscape. Affected entities must submit an early warning to the Federal Office for Information Security within 24 hours of becoming aware of a significant incident, a follow-up notification with an initial assessment within 72 hours and a final report within one month. The definition of significant incident hinges on operational disruption, financial loss and impact on natural or legal persons. The 24-hour clock starts at awareness, not at confirmation, which is a subtle but consequential distinction that mirrors the Art. 33 GDPR construction.

A virtual CISO designs and tests the reporting path before an incident occurs. This includes the internal escalation chain from operations to the security function to management, the templates for the BSI notification, the coordination with the data protection officer for parallel Art. 33 GDPR notifications and the external communications plan. CIVAC ships pre-formatted BSI notification templates in the workspace, indexed against the German federal state competence map and the BSI single point of contact. The phone rings, the evidence is ready.

The most common operational failure in 2025 was not the absence of templates but the absence of practice. Tabletop exercises every six months with IT, legal, communications, HR and the management board build the muscle memory that an incident demands. A virtual CISO who has not run at least one tabletop in the engagement has not yet delivered on the incident readiness component of the mandate, regardless of how complete the paper documentation looks. Drills also expose technical gaps such as missing log retention or unclear escalation phone numbers that no document review would catch.

How to select a virtual CISO: credentials, references, German market fit

Selecting a virtual CISO is more than checking a CV. Five criteria matter in the German market. First, formal credentials such as CISSP, CISM, ISO 27001 Lead Auditor or Lead Implementer, and demonstrable familiarity with the BSI IT-Grundschutz catalogue. Second, evidence of completed ISO/IEC 27001:2022 transitions, ideally with named clients available for reference. Third, demonstrable handling of a notifiable incident in the past 24 months, because incident composure is learned, not taught. Fourth, a German legal working knowledge covering NIS-2, GDPR, EU AI Act and the German Federal Data Protection Act.

Fifth, the cultural and language fit with the management board and the IT organisation. A virtual CISO who cannot communicate clearly with a German Geschäftsführung in board minutes and budget meetings will not move the agenda forward. This is often underweighted in selection by procurement-led processes that focus on day rates and certifications without testing communication style. Ask for a written board briefing from the candidate as part of the selection process, on a real scenario relevant to your company. The quality of that briefing is the best predictor of engagement success.

CIVAC selects its officer pool against all five criteria and matches assignments to industry vertical and regulatory exposure. The mandate is anchored with a written appointment letter, a documented reporting line and a formal handover protocol if the assigned officer changes. Where appropriate, CIVAC pairs the data protection officer role with the virtual CISO assignment to avoid coordination gaps between Art. 32 GDPR and NIS-2 measures. The result is a single accountability point for the security and privacy domains, with consolidated reporting into the management board.

Connecting virtual CISO, DPO and compliance: avoiding silos

The German regulatory environment increasingly demands an integrated view of information security, data protection and broader compliance. NIS-2 obligations under §§ 30 and 31 overlap substantially with Art. 32 GDPR security requirements. The EU AI Act since 2 August 2026 imposes additional documentation obligations on high-risk AI systems that intersect with both. Treating these as separate workstreams creates duplicated documentation, inconsistent risk classifications and gaps that auditors find within the first day of fieldwork.

A mature operating model integrates the virtual CISO, the data protection officer, the compliance officer and, where relevant, an internal audit function into a single governance layer. The CIVAC workspace is built for this integration. Controls map to multiple frameworks simultaneously, so an encryption measure for personal data also satisfies the relevant ISO 27001 control and the NIS-2 expectation. Evidence is captured once and reused across reports. Others run compliance like a filing cabinet. We run it like software.

This integration also matters for management board oversight. A board that receives separate reports from CISO, DPO and compliance has a harder time forming a consolidated risk view than a board that receives one quarterly governance brief with three sub-sections and a unified action list. The virtual CISO contributes the security and ISMS section and aligns it with the DPO and compliance contributions before the brief reaches the board. This single-pane reporting is one of the most underestimated benefits of the model, because it materially reduces the cognitive load on non-executive directors.

Making the move: from interest to a working virtual CISO engagement

The decision to engage a virtual CISO typically follows one of three triggers. First, an upcoming ISO/IEC 27001 certification driven by customer or tender requirements. Second, NIS-2 scope confirmation that the entity is essential or important and management needs documented diligence. Third, an incident in the previous 12 months that exposed the gap between IT operations and governance. In each case the early decisions about scope, day rate, reporting cadence and substitution arrangements shape whether the engagement delivers or stalls.

CIVAC operates as a compliance platform and officer-as-a-service with a workspace, 490 audit templates, the 93-control ISO 27001:2022 catalogue, appointment letters, EU data residency and a 2-business-day SLA that replaces the classic 2 to 6 week response window. License the workspace for your internal officers or have our officers appointed. Both paths use the same operating layer, so a future internalisation does not mean a platform migration. The engagement model is transparent and the deliverables are scoped before the first invoice.

If your company faces a NIS-2 deadline, an ISO 27001 certification ambition or a board mandate to formalise information security governance, we can scope a virtual CISO engagement in a structured first meeting. Turn reading into a mandate. Write to info@civac.de or use the contact form for an initial assessment of your current information security posture. You will receive a concrete gap list with delivery dates per mandatory artefact and an indicative day-rate envelope tied to your specific scope, so the next budget cycle has a defensible number.

FAQ

Is a virtual CISO recognised under German law?

There is no statutory CISO title in Germany. NIS-2 § 38 requires management to approve, oversee and train on security measures, which in practice requires competent leadership. A virtual CISO discharges that function under a written appointment letter. The role is recognised by auditors, certification bodies and the Federal Office for Information Security when the mandate is documented properly.

Does a virtual CISO take over management liability under NIS-2?

No. Personal liability of management under § 38 NIS2UmsuCG cannot be transferred. The virtual CISO supports management in discharging its duties and produces the evidence that management has acted with diligence. This evidence underpins the diligence defence under § 130 OWiG. Without it, personal liability for board members becomes a realistic risk in the event of a notifiable incident.

How many days per month does a virtual CISO engagement typically require?

Between 4 and 16 days per month depending on company size and certification activity. Steady-state operation of an existing ISMS in a 100 to 250 employee company usually fits within 4 to 8 days. Active ISO/IEC 27001:2022 certification or major NIS-2 implementation typically requires 12 to 16 days during the most intensive phase, then tapers back to steady state.

What credentials should a virtual CISO have in Germany?

Look for CISSP, CISM, ISO 27001 Lead Auditor or Lead Implementer, plus demonstrable familiarity with BSI IT-Grundschutz and the German NIS-2 implementation act. Reference projects with named clients matter more than the certification list alone. German legal working knowledge across NIS-2, GDPR and the Federal Data Protection Act is essential for board-level communication and audit defence.

How does a virtual CISO connect to our data protection officer?

The roles share substantial overlap on Art. 32 GDPR security measures and incident notification timelines. CIVAC frequently bundles both roles in a single workspace to avoid duplicated documentation and inconsistent risk classifications. The 72-hour GDPR clock and the 24/72-hour NIS-2 clock run in parallel for the same event, so a unified incident workflow is operationally essential and reduces response time.

What is the typical engagement timeline before first deliverables?

CIVAC starts engagements within 2 business days under its SLA. The first 30 days deliver the gap analysis against ISO/IEC 27001:2022 and NIS-2, the initial risk register and an appointment letter signed by management. The first board briefing follows within 60 days. ISO certification readiness, where in scope, is typically achieved within 9 to 14 months from kickoff with disciplined execution.
