CIVAC
IT Security & NIS-2 | 27 May 2026 | 13 min read

NIS-2 Implementation Consulting for the Mid-Market: A Twelve-Week Operational Roadmap

By Lena Vogt

Around 29,500 companies in Germany fall under NIS-2. Mid-market firms with 50 to 5,000 employees rarely need another gap analysis. They need an appointed information security officer, an ISMS that produces audit-grade evidence and a tested 24-hour incident path.

The German transposition of the NIS-2 Directive (EU 2022/2555) is in force. Around 29,500 companies in Germany fall under the regime as essential or important entities, including manufacturing, energy, healthcare, transport, digital infrastructure, suppliers to public administration and food production, once they exceed the defined size thresholds. Managing directors are personally liable for compliance failures; sanctions reach 10 million euros or 2 percent of group turnover for essential entities and 7 million euros or 1.4 percent for important entities.

Mid-market companies arrive at this regime with limited internal security capacity. The standard consulting offering, a gap analysis followed by a recommendation deck, leaves the operational problem unsolved: there is still no appointed officer, no tested reporting path, no live ISMS. This article describes what NIS-2 implementation consulting for the mid-market must deliver to produce an operational state, not a document set. The reference timeline is twelve weeks.

At a glance

  • NIS-2 obligations include risk management measures under § 30 BSIG, a 24-hour early warning plus 72-hour follow-up incident report, and management liability under § 38 BSIG.
  • Effective consulting for the mid-market produces an appointed information security officer, a working ISMS aligned with ISO/IEC 27001:2022 and a tested notification path, not just a gap analysis.
  • A twelve-week roadmap with defined deliverables per week is realistic; longer engagements typically defer the operational state rather than improve quality.

What NIS-2 Actually Requires of the Mid-Market

The German transposition concretises NIS-2 in the BSIG (Federal Office for Information Security Act). § 30 BSIG sets the risk management obligations, which include policies on information security, incident handling, business continuity, supply chain security, security in network and information systems acquisition, cryptography, human resources security, asset management, access control and physical security. § 32 BSIG sets the reporting obligations on the 24-hour, 72-hour and one-month timeline. § 38 BSIG sets the liability of management.

For mid-market companies, the operational consequence is concrete. They need a formally appointed information security officer with a signed appointment letter, a defined reporting line to management, a ring-fenced budget and the authority to escalate. They need a documented ISMS that covers the BSIG control areas, in practice usually aligned with ISO/IEC 27001:2022. And they need a tested incident response process that can deliver the 24-hour early warning to the BSI without a multi-hour internal escalation.

The BSI registration is the entry point. Essential and important entities must register within three months of falling under the regime, naming the entity, the contact persons and the relevant services. Late registration is itself a sanctionable offence. Mid-market consulting that does not start with a registration sprint in the first two weeks leaves the legal exposure open while the engagement runs.

What Goes Wrong in Standard NIS-2 Consulting Engagements

Three failure patterns are common in mid-market NIS-2 engagements. The first is the deliverable inflation pattern. The engagement produces a 200-page gap analysis, a 50-page recommendations report and a roadmap with 60 work packages. After six months and a six-figure fee, the company has documents but no appointed officer, no live controls and no tested reporting path. The auditor calls, the evidence does not exist.

The second is the framework substitution pattern. The consultant introduces a proprietary framework that is not aligned with ISO/IEC 27001:2022 or the BSIG control set. The internal team must then re-map the framework to the actual statutory requirements during the audit, which doubles the documentation burden and erodes consultant value. The third is the staffing void pattern. The engagement assumes that the company will hire an information security officer in parallel; when the hire does not happen, the implementation stalls and the consultant disengages.

The pattern shared by all three failures is the absence of an operational handover. A useful engagement ends in a state that the company can run, with a named officer, a working workspace and a documented routine. Anything else leaves the regulatory exposure open. The auditor calls, the evidence is ready, or it is not. There is no middle ground.

Weeks 1 to 2: Registration, Scoping and Officer Appointment

The first two weeks establish three artefacts. First, the BSI registration is filed. The registration form requires the entity identification, the relevant sectors and services under the BSIG annexes, the contact persons for incident reporting and the management representative. This is not a future deliverable; it is a statutory deadline that runs from the moment the company falls under the regime.

Second, the information security officer is formally appointed. The appointment letter names the person, the scope, the reporting line to the managing director, the budget authority and the right to escalate. In the CIVAC Officer-as-a-Service model, the standard SLA from contract signature to a signed appointment letter is two working days. Appointment letter: signed, filed, provable. The internal alternative requires an existing qualified candidate; in many mid-market companies, that candidate is not yet hired.

Third, the scope is fixed: which legal entities, which sites, which services fall under NIS-2; which controls are inherited from a group ISMS; which are local. The scoping document is short, typically five to ten pages, but it is the reference for every subsequent decision. CIVAC operates this phase as a structured sprint with audit templates for the registration, the appointment letter and the scoping document, supported by a workspace under EU data residency.

Weeks 3 to 6: ISMS Rollout Aligned with ISO/IEC 27001:2022

The ISMS rollout covers the four weeks after the appointment. The reference is the 93 controls in Annex A of ISO/IEC 27001:2022, structured in four themes: organisational (37 controls), people (8 controls), physical (14 controls) and technological (34 controls). For mid-market companies, a pragmatic rollout covers all 93 controls but operates them at the proportionality level appropriate to the company size and risk profile.

The rollout sequence starts with policies (information security policy, acceptable use, access control, cryptography, supplier security, incident management, business continuity), then risk assessment (asset inventory, threat catalogue, risk register with treatment decisions), then implementation of the technical controls with the largest gaps (typically logging, vulnerability management, backup verification, supplier security), then evidence collection. The evidence is collected in the workspace under each control, not in a separate audit folder, to avoid the duplicate documentation pattern.

By the end of week 6, the ISMS is at minimum viable state: every control has a documented owner, an evidence type and a review cycle. The Statement of Applicability is drafted. The internal audit programme is scheduled. This is not yet certifiable state, but it is the substrate for the six-month operational run that certification requires. The October 2025 deadline for transition from the 2013 to the 2022 version of the standard has passed; new mid-market ISMS implementations are baselined on 2022 from day one.

Weeks 7 to 8: Building the 24/72-Hour Notification Path

The reporting obligations under § 32 BSIG are the most distinctive operational feature of NIS-2. An early warning is due within 24 hours of becoming aware of a significant incident. A formal notification follows within 72 hours, with an interim update if the BSI requests one. A final report is due within one month. The 24-hour clock starts at awareness, not at confirmation. The deadline runs from the moment of awareness.

The implementation in weeks 7 and 8 produces four artefacts. A triage decision tree that classifies an incident as significant or not, with documented criteria including disruption of service, financial loss, data breach scale and supply chain impact. A notification template pre-filled with company master data, the BSI contact channel and the field structure required by the BSI form. An escalation list with named contacts, deputy contacts and on-call coverage for evenings, weekends and holidays. A documented dry run of the 24-hour notification, including a recorded internal table-top exercise.

The dry run is the most important artefact. A notification path that has never been tested is a presumption, not a control. The dry run typically reveals the same three weaknesses: an unclear definition of awareness (when does the clock start), a missing deputy chain for the appointed officer, and a notification form that requires data the company does not collect. Each weakness is closed before the engagement moves to week 9.
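The triage decision and the deadline arithmetic described above are the part of the notification path that is easiest to get wrong in a live incident: the clock is started from the management briefing or the forensic confirmation instead of from the first awareness anywhere in the company. The following Python module is an added example, not code from the article or from CIVAC. The statutory timeline (24 hours, 72 hours, one month, all counted from awareness) is taken from the text; the numeric thresholds in CRITERIA, the reading of "one month" as a calendar month, and the sample timestamps are assumptions made for the example.

```python
"""Incident triage and deadline tracking for the § 32 BSIG notification path.

Added example, not code from the article or from CIVAC. The statutory
timeline (24-hour early warning, 72-hour notification, final report after
one month, clock starting at awareness) follows the text; the thresholds in
CRITERIA are hypothetical placeholders that a company would replace with its
own documented triage criteria.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class Incident:
    occurred_at: datetime                    # when the incident happened
    aware_at: datetime                       # earliest awareness by any staff member
    confirmed_at: Optional[datetime] = None  # forensic confirmation; does not start the clock
    service_outage_hours: float = 0.0
    financial_loss_eur: float = 0.0
    affected_data_subjects: int = 0
    supplier_impact: bool = False


# Hypothetical triage criteria (assumption, not statutory values). Each entry is
# a label, kept for the audit trail, and a predicate over the incident.
CRITERIA: list[tuple[str, Callable[[Incident], bool]]] = [
    ("service disruption of 4 hours or more", lambda i: i.service_outage_hours >= 4),
    ("financial loss of 100,000 EUR or more", lambda i: i.financial_loss_eur >= 100_000),
    ("personal data of 1,000 or more data subjects", lambda i: i.affected_data_subjects >= 1_000),
    ("impact on a tier-1 or tier-2 supplier relationship", lambda i: i.supplier_impact),
]


def awareness_time(*timestamps: Optional[datetime]) -> datetime:
    """The clock starts at the earliest awareness anywhere in the company,
    e.g. the helpdesk ticket, not the moment management is informed."""
    known = [t for t in timestamps if t is not None]
    if not known:
        raise ValueError("at least one awareness timestamp is required")
    if any(t.tzinfo is None for t in known):
        raise ValueError("use timezone-aware datetimes for deadline calculation")
    return min(known)


def is_significant(incident: Incident) -> tuple[bool, list[str]]:
    """Classify the incident; returns the decision and the criteria that fired."""
    reasons = [label for label, test in CRITERIA if test(incident)]
    return bool(reasons), reasons


def _plus_one_month(t: datetime) -> datetime:
    """Calendar month, clamped to the last day of the target month (assumption:
    'one month' in § 32 BSIG is read as a calendar month here)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def deadlines(incident: Incident) -> dict[str, datetime]:
    """All three deadlines run from aware_at, never from occurred_at or confirmed_at."""
    start = incident.aware_at
    return {
        "early_warning": start + timedelta(hours=24),
        "notification": start + timedelta(hours=72),
        "final_report": _plus_one_month(start),
    }


def remaining(incident: Incident, now: datetime) -> dict[str, timedelta]:
    """Time left per deadline; negative values mean the deadline has passed."""
    return {name: due - now for name, due in deadlines(incident).items()}


def triage(incident: Incident, now: datetime) -> dict:
    """One record for the incident log: decision, reasons, deadlines, overdue items."""
    significant, reasons = is_significant(incident)
    left = remaining(incident, now) if significant else {}
    return {
        "significant": significant,
        "reasons": reasons,
        "deadlines": deadlines(incident) if significant else {},
        "overdue": sorted(name for name, delta in left.items() if delta < timedelta(0)),
    }


if __name__ == "__main__":
    # Constructed sample: outage noticed by the night shift at 02:10 UTC,
    # management informed at 09:00, forensics confirmed the cause at 15:00.
    shift_ticket = datetime(2026, 5, 27, 2, 10, tzinfo=timezone.utc)
    mgmt_notice = datetime(2026, 5, 27, 9, 0, tzinfo=timezone.utc)
    aware = awareness_time(mgmt_notice, shift_ticket)   # 02:10, not 09:00
    inc = Incident(occurred_at=aware - timedelta(hours=1), aware_at=aware,
                   confirmed_at=datetime(2026, 5, 27, 15, 0, tzinfo=timezone.utc),
                   service_outage_hours=6)
    for key, value in triage(inc, now=mgmt_notice).items():
        print(f"{key}: {value}")
```

In the constructed sample the early warning is due at 02:10 the next day, almost seven hours earlier than a team that starts the clock at the management briefing would assume. The criteria labels are returned with the decision so that the reason for classifying an incident as significant, or not, lands in the incident log rather than in someone's memory.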

Weeks 9 to 10: Supply Chain and Third-Party Security

Supply chain security under NIS-2 (§ 30 (2) Nr. 4 BSIG) requires policies and procedures to assess and address risks arising from suppliers and service providers. For mid-market companies, this is often the largest gap because supplier inventories are incomplete and contractual security clauses are inconsistent.

Weeks 9 and 10 produce three deliverables. A supplier inventory segmented by criticality, with tier-1 suppliers (direct production or data access), tier-2 suppliers (significant operational dependency) and tier-3 suppliers (low criticality). A security questionnaire for tier-1 and tier-2 suppliers, typically a 50-item assessment derived from ISO/IEC 27036 and the relevant ISO 27001 controls. A contractual addendum with security obligations including incident notification within 24 hours, audit rights, sub-processor approval and exit data return.

The implementation is incremental. New supplier contracts include the addendum from week 11 onwards. Existing tier-1 contracts are addressed in the first contract renewal window. Existing tier-2 contracts are addressed within twelve months. The mid-market often overestimates the achievable speed of supplier remediation; setting the twelve-month horizon explicitly avoids audit findings on a non-achievable target. The supplier inventory and risk decisions are documented in the workspace, linked to the relevant ISO 27001 controls (A.5.19 to A.5.23), so the audit trail is direct.

Weeks 11 to 12: Operational Handover and First Management Report

The final two weeks transition the company from project state to operational state. Three handovers occur. The information security officer, whether internal or under Officer-as-a-Service, takes over the workspace as the system of record. The first quarterly management report is prepared and presented to the managing director. The internal audit programme begins with the first control sample, typically access control and logging.

The first management report is short, typically eight to twelve pages. It covers the ISMS status with a control completion percentage, the open risks above the defined threshold, the incidents and near-misses of the period, the supplier security status and the upcoming deadlines (next surveillance audit, next risk assessment, next NIS-2 BSI submission window). The format is reused quarterly; consistency is more valuable than completeness in any single report.

From week 13 onwards, the company runs the ISMS in steady state. The CIVAC SLA model for external officers continues with monthly status, quarterly management reports and an annual full review. License the workspace for your internal officers, or have our officers appointed. The dual model allows companies to transition from external to internal staffing as their security function matures, without losing the documentation continuity. CIVAC is a compliance platform and Officer-as-a-Service provider; the workspace and the officer mandate run in the same system.

Cost Structure of NIS-2 Implementation Consulting

A twelve-week NIS-2 implementation for a mid-market company typically falls into a defined cost range. The consulting and officer-appointment component runs between 60,000 and 180,000 euros depending on company size, scope and existing maturity. A 200-employee company at a single site with limited supplier complexity is at the lower end; a 2,000-employee company with multiple sites, regulated customers and a complex supplier base is at the upper end.

The workspace license is a separate cost component, typically in the low five-figure range per year for the full ISMS scope including the 37 audit templates and the 93 ISO/IEC 27001:2022 control structures. The ongoing external information security officer mandate, where chosen, runs typically between 36,000 and 120,000 euros per year, scaled to the time commitment and the on-call coverage. Internal hire alternatives carry total cost between 80,000 and 160,000 euros per year for a qualified senior officer, plus recruitment lead time of three to six months.

The cost variable most often underestimated is the internal staff effort during the twelve weeks. Realistic effort for a 500-employee company is 0.5 to 1.0 full-time equivalents distributed across IT, HR, legal and the business units. Engagements that promise to minimise internal effort to near-zero usually compensate by producing documents the company cannot operate. The auditor will detect the gap within the first surveillance audit. Others run compliance like a filing cabinet. We run it like software.

Turn Reading into a Mandate

NIS-2 implementation consulting for the mid-market is a defined operational programme, not an analytical exercise. The deliverables are concrete: a BSI registration, an appointed information security officer with a signed letter, an ISMS with 93 controls baselined against ISO/IEC 27001:2022, a tested 24/72 notification path, a supplier security programme and a first management report. The realistic timeline is twelve weeks. Anything longer typically reflects engagement structure, not technical necessity.

CIVAC is a compliance platform and Officer-as-a-Service provider. The workspace holds the 37 audit templates, the 93 ISO/IEC 27001:2022 controls and the BSIG notification structures. The Officer-as-a-Service mandate appoints an external information security officer within two working days under a signed appointment letter, with the reporting line to your managing director. License the workspace for your internal officers, or have our officers appointed. EU data residency is the default, not an upgrade.

Turn reading into a mandate. Write to info@civac.de or use the contact form. In a first conversation, we determine whether your situation calls for a workspace-only setup with internal staffing, a full Officer-as-a-Service engagement for the ISB role or a hybrid model with selected roles externally appointed. The outcome of that conversation is a concrete twelve-week plan with named deliverables and a defined budget.

FAQ

Does NIS-2 apply to my mid-market company?

If the company operates in one of the BSIG sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, postal and courier, waste management, chemicals, food, manufacturing of critical products, digital providers, research) and meets the size thresholds (as a rule, at least 50 employees or more than 10 million euros annual turnover for medium enterprises, and at least 250 employees or more than 50 million euros turnover and 43 million euros balance sheet total for large enterprises), the company falls under NIS-2 as an important or essential entity. Certain digital infrastructure providers are covered regardless of size.

What is the difference between essential and important entities?

Essential entities face higher supervisory intensity (proactive inspections) and higher sanction ceilings (10 million euros or 2 percent of group turnover). Important entities face reactive supervision and lower ceilings (7 million euros or 1.4 percent). The classification depends on the sector and the company size; the BSIG annexes provide the mapping.

Can the information security officer role be outsourced?

Yes. The German transposition does not require an internal employee. An externally appointed officer with a written appointment letter, a defined reporting line to management and operational authority is equally valid. The mid-market frequently uses Officer-as-a-Service to fill the role within two working days rather than waiting three to six months for an internal hire.

Does ISO/IEC 27001:2022 certification satisfy NIS-2 risk management requirements?

Substantially yes. The ISO/IEC 27001:2022 control set covers the BSIG § 30 areas with significant overlap. A certified ISMS is the most efficient route to demonstrating risk management compliance under NIS-2. Some additional BSIG-specific elements, particularly the notification process and the BSI interface, require complementary procedures beyond the standard certification scope.

How is the 24-hour notification timeline counted?

The 24 hours start at the moment the company becomes aware of a significant incident, not at incident occurrence or at confirmation. Awareness includes information available to staff in operational roles, not only management. The notification path must therefore include the on-call coverage to ensure that awareness in operations can trigger the management notification within hours, not days.

What happens if a NIS-2 audit finds gaps?

The BSI can impose corrective measures, fines and, for repeated breaches, personal sanctions against management. The supervisory regime is more interventionist than under the first NIS Directive. Documentation of the deficiency, the corrective plan and the implementation evidence is essential. A workspace that holds the audit trail end-to-end significantly improves the position in supervisory dialogue.
