Decision guide · Compliance
How to reach NIS2 readiness as a mid-market or enterprise operator
NIS2 readiness is not one decision; it is ten overlapping ones. The ten cybersecurity risk-management measures in Art. 21 each translate into a buying or governance decision (identity, logging, incident response, supply chain, training, crypto, backup, vulnerability management, access control, physical). The right structure treats each as its own weighted, auditable case and links them to the Art. 20 board accountability file.
TL;DR
NIS2 readiness is ten decisions. Run each one in a structured way and link all of them to board sign-off.
Who owns this decision
CISO as programme owner, management body as accountable party, IT Operations, Legal, Data Protection and Procurement as active stakeholders.
Key criteria to weight
Scope determination
Essential vs important entity, size thresholds, sector mapping. Get this wrong and everything downstream is wrong.
Art. 20 management accountability
Board training, sign-off, documented oversight of each risk-management measure.
Art. 21 measure coverage
Ten named measures, each with its own evidence trail.
Incident reporting capability
The 24-hour / 72-hour / 30-day reporting cascade. Tested end to end, not only written down as a procedure.
Supply-chain risk
Third-party ICT suppliers. Explicit register with assessments.
Evidence quality
Decision memos, not policy PDFs. Auditors ask what was decided, by whom and why.
Step-by-step decision flow
1. Confirm scope: in scope or out, essential or important. Put the legal analysis on file.
2. Map Art. 21 measures: list each of the ten measures and the current control state.
3. Prioritise the gaps: rank by exposure, not by ease. Identity and logging usually come out on top.
4. Run each gap as a decision: each gap becomes its own decision case with trigger, options, scoring and memo.
5. Link to the Art. 20 file: each memo feeds a board-level master file showing management oversight.
6. Rehearse the incident cascade: 24 hours, 72 hours, 30 days. Tabletop first, then live. Keep the evidence.
Anonymised memo excerpt
Energy utility, 600 employees, above the mid-tier KRITIS threshold
Readiness score
76
- Trigger
- The NIS2-Umsetzungsgesetz for energy utilities plus the IT-Sicherheitskatalog under §11 EnWG create a dual obligation. Management must be able to demonstrate Art. 20 oversight.
- Top criteria (weights)
- Art. 21 measure coverage (25%)
- Art. 20 management oversight and reporting (20%)
- Incident reporting cascade tested (15%)
- Supply-chain register and risk assessment (15%)
- Mapping to IT-Sicherheitskatalog §11 EnWG (15%)
- Monitoring of effectiveness (10%)
- Shortlist
- Own decision-memo structure in DecisionOS
- ServiceNow IRM with a DACH implementation partner
- Consulting-driven programme with a Big-4 partner
- Decision
- DecisionOS for material individual decisions, ServiceNow IRM as the ongoing risk register, Big-4 for the initial gap analysis.
- Rationale
- A pure consulting programme delivers no repeatable decision audit trail. A pure tool programme delivers no initial programme structure. The three-component solution combines one-off programme initiation with a permanent decision store and an ongoing risk register.
- Residual risks
- The interface between ServiceNow IRM and DecisionOS memos needs a connector
- TLPT equivalent for NIS2 (resilience tests) only in phase 2
Compliance note
NIS2 applies from October 2024. National implementations continue to land across EU member states. The DecisionOS structure is deliberately aligned to Art. 20 management-body expectations.
Common pitfalls
- Running NIS2 as a policy-writing exercise instead of a decision programme.
- Treating the management body as a rubber stamp rather than the accountable party.
- No end-to-end incident cascade rehearsal.
- Third-party register missing half the critical suppliers.
FAQ
Who is in scope for NIS2?
Essential and important entities in 18 sectors, usually at 50+ employees or 10M EUR turnover, with specific exceptions. The in-scope test itself is often a dealbreaker up front: if you are in scope, certain decisions (identity, logging, incident reporting) become non-negotiable.
What does NIS2 Art. 20 require from management bodies?
Management bodies must approve cybersecurity risk-management measures and oversee their implementation; they are personally accountable. Practically, this means board-ready documentation of each material security decision, which is where a DecisionOS memo is designed to fit.
How do I get to NIS2 readiness in a structured way?
Start with scope, then map the 10 cybersecurity risk-management measures, then run each underlying decision as a separate, auditable case. The bottleneck is documentation quality, not technical capability.
Related comparisons
DecisionOS vs ServiceNow GRC
ServiceNow runs your GRC programme. DecisionOS runs the decisions inside it.
DecisionOS vs Vanta
Vanta automates compliance. DecisionOS documents decisions.
DecisionOS vs Drata
Drata maintains compliance posture. DecisionOS records the decisions behind it.
DecisionOS vs Excel and slide decks
Spreadsheets work until the second stakeholder shows up.
DecisionOS vs RFP tools
RFP tools automate Q&A. DecisionOS runs the decision.
Relevant industries
Banks and financial service providers
Banks decide under DORA, MaRisk and BAIT at the same time. DecisionOS delivers the memo that all three auditors accept.
Insurers
Insurers decide under DORA, Solvency II and VAIT at the same time. One memo format for all three.
Healthcare
Healthcare: KRITIS + NIS2 + B3S + DSGVO Art. 9. DecisionOS makes the memo auditable.
Energy utilities
Energy utilities: KRITIS + IT-SiG 2.0 + NIS2 + sector-specific security. The memo must hold up before the BSI and the BNetzA.
Telecommunications
Telcos decide under NIS2 + TKG §165 + BSI-Sicherheitskatalog at the same time. One memo that all auditors accept.
Water and wastewater supply
Water utilities under KRITIS + NIS2 + B3S Wasser. Decisions must separate IT and OT cleanly and hold up before the BSI.
Transport and logistics
Logistics decides under NIS2 + KRITIS Transport + sector-specific standards. One memo that covers operational safety and compliance at the same time.
