Microsoft Cloud · Compliance

Compliance & NIS2 — pragmatic implementation on the Microsoft stack.

The German NIS2 implementing law (NIS2UmsuCG) has been in force since December 6, 2025. About 29,500 German companies are subject to the duties for the first time. We bring mid-market and KRITIS companies into a sound compliance framework — on Microsoft Purview, Microsoft Entra ID, and Microsoft Defender. Pragmatic, not overblown.

In force since 2025-12-06 (NIS2UmsuCG)
~29,500 companies affected for the first time
Penalties up to €10 million or 2% of annual turnover
Personal management liability

NIS2 is here

What has changed since December 2025 — and what management must know.

The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is the German implementation of EU Directive 2022/2555. It entered into force on December 6, 2025, and drastically expands the set of companies subject to the duty. About 29,500 German companies fall under NIS2 for the first time — many of them mid-sized machinery manufacturers, food producers, IT service providers, regional energy suppliers.

The central novelty versus the first NIS directive: NIS2 no longer covers only classic KRITIS sectors but also essential and important sectors broadly — from food production through manufacturers of certain machines to providers of managed IT services. Anyone running a mid-sized company with at least 50 employees and €10 million revenue in one of the 18 NIS2 sectors is very likely affected.

Three consequences are especially impactful: first, an incident-reporting duty within 24 hours to the BSI (German Federal Office for Information Security). Second, a documented risk-management system with clear technical and organizational measures. Third — often overlooked — direct personal liability of management. Anyone who delegates the topic and then demonstrably fails to supervise has a personal problem under NIS2.

Four compliance building blocks

Which Microsoft tools we use to implement NIS2.

In the past three years Microsoft has built a coherent compliance stack. Four tools form the foundation — they mesh together but are each their own licensing and configuration matter.

01

NIS2 readiness

Assessment, gap analysis, roadmap. We check your current posture against NIS2 requirements, identify the largest gaps, and prioritize measures by risk and effort. Result: a clearly formulated implementation program that management and IT carry together.

02

Microsoft Purview

Data classification, Data Loss Prevention (DLP), insider-risk management, audit. Microsoft Purview addresses the question: what is our critical data, who sees it, and who is allowed to do what with it. Central for GDPR and NIS2 alike.

03

Microsoft Entra ID

Identity and access management. Multi-factor authentication, Conditional Access, Privileged Identity Management, Identity Protection. To become NIS2-compliant, you first need to get identities under control — the highest lever with the lowest risk.

04

Microsoft Defender

Endpoint security, email security, cloud security, identity security. Microsoft Defender XDR unifies the individual Defender products into a telemetry platform. The NIS2 incident-reporting duty becomes operationally fulfillable — provided the stack is configured cleanly and the team knows how to use it.

Our approach

Four steps from the status quo to documented NIS2 conformity.

NIS2 isn't a 4-week project. But it isn't a 24-month program either. We work with our clients in four clearly separated phases — each phase delivers an independent result that has value even if the next phase is deferred.

01

Assessment

Four weeks. We check your applicability (sector, size, KRITIS classification), inventory critical assets, and capture the current state in Microsoft 365, Entra ID, and Defender. Result: a clear picture of the starting point, without sugarcoating.

02

Gap analysis

Three to four weeks. A gap rating per NIS2 requirement and per Microsoft tool: what is met today, what only partially, what not at all. For each gap, a measure, an effort estimate, and a risk contribution. Result: a prioritized measures catalog.

03

Implementation roadmap

4 to 9 months. Implementation of the prioritized measures — quick wins (MFA, Conditional Access, baseline DLP rules) first, then the structural topics (insider risk, SIEM, incident response). In waves, with clear milestones.

04

Continuous monitoring

Ongoing. NIS2 isn't a project end state but an ongoing discipline. Quarterly compliance review, annual audit, continuous tuning of Defender rules. Optionally as part of our Application Care contracts.

Implementation cost — the honest number

€50,000 to €150,000 for mid-sized companies.

We're often asked: "What does NIS2 cost us?" An honest answer has two sides. On the advisory and implementation side, for mid-sized companies with 50 to 500 staff, we budget a program whose exact cost we narrow down together in the initial conversation. This range covers assessment, gap analysis, rollout of the quick wins, configuration of Microsoft Purview/Entra ID/Defender, and setting up the incident-response processes.

On the license side, Microsoft license upgrades come on top — typically from Microsoft 365 E3 to E5 or supplemental Defender and Purview packages. We calculate that transparently via our License Cost Calculator. Per staff member this means an additional monthly cost between €8 and €25 — the range depends strongly on the starting point.

What the costs don't include: hardware refresh (e.g., for endpoint hardening), external audits by certified auditors, legal support for the declaration of conformity. We can optionally include these items in an overall budget, but typically we refer to specialized partners.

Honest carve-out

Where our competence ends.

We do NIS2 compliance on the Microsoft stack. Three areas where we deliberately involve partners:

OT security (operational technology). Machine controllers, SCADA systems, industrial sensors — this is a discipline of its own with its own tools (Claroty, Nozomi, Microsoft Defender for IoT as a bridge). For manufacturing clients we bring in specialized OT partners.

Physical security. Access control, UPS, fire safety, redundant sites — NIS2 requires it, we don't deliver it. Here we refer to facility-management partners.

Conformity audits. The legal stamp on the conformity declaration is set by a certified testing body, not by us. We prepare the audit, document the measures, and accompany you through the assessment — the stamp comes from a third party.

FAQ

What management wants to know before the initial conversation.

What is NIS2 and since when does it apply?

NIS2 (EU Directive 2022/2555) is the second iteration of the Network and Information Security Directive. In Germany it was implemented via the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which entered into force on December 6, 2025. About 29,500 German companies are subject to the duties for the first time.

Are we affected by NIS2?

Three criteria trigger the duty: sector (18 NIS2 sectors such as energy, transport, banking, health, IT services, manufacturers of certain products), size (mid-sized companies from 50 employees and €10 million revenue), and criticality (KRITIS classification). We check applicability in the first hour of the initial conversation.

How high are the penalties?

NIS2 provides penalties for particularly important entities of up to €10 million or 2% of global annual turnover. For important entities, up to €7 million or 1.4% of turnover. Plus direct personal liability for management — the board stands personally accountable, not only IT.

What does NIS2 implementation cost?

For mid-sized companies we realistically budget an implementation between €50,000 and €150,000. This covers assessment, gap analysis, configuration of the Microsoft tools (Purview, Entra ID, Defender), training, and establishing the reporting duties. Ongoing costs are added via licenses and continuous monitoring.

Is the Microsoft stack enough for NIS2 compliance?

For most requirements, yes. Microsoft Purview, Microsoft Entra ID, Microsoft Defender, and Microsoft Sentinel cover the bulk of the NIS2 requirements. Gaps remain in OT security (operational technology, machine control), specific industry requirements, and physical protection. We address those gaps via partners.

How long does a NIS2 implementation take?

Realistically 6 to 12 months for mid-sized companies — from initial assessment to productive operation of the compliance tools. Quick wins (multi-factor authentication, Conditional Access, basic DLP rules) can be implemented in 4 to 8 weeks. Full maturity including incident-response processes takes longer.

What's the difference from GDPR?

GDPR protects personal data. NIS2 protects the availability and integrity of critical services — i.e., cybersecurity in a wider sense, with clear duties on risk management, incident reporting (24-hour deadline!), and management liability. Both regulations interlock but cover different protected assets.

30-min initial conversation or 45-min architecture call

Where does your NIS2 posture stand today?

We check applicability, maturity level, and largest gaps in a first conversation. For complex setups with multiple sites, OT components, or group structures, go straight to our 45-min architecture call.

Accompanying services

What typically runs alongside this engineering work.

Engineering projects rarely stand alone — license logic, architecture clarification, quality gates, knowledge transfer, and follow-on operations usually run in parallel. Here are the most common accompanying services we add to Discovery Spikes, sprint fixed-price engagements, or Application Care contracts.

Up front · architecture

Advisory & Architecture

Before implementation: tenant structure, data model, security concept, integration mapping. The result is an architecture document any engineering team can pick up — including one other than us.


Up front · CSP

License Advisory & CSP

Which license bundles for which users, which add-on SKUs are needed, where you are over- or under-licensed. Procured via a Microsoft Licensing Partner — with the option to use CSP purely as a control mechanism without margin maximization.


During · quality gate

Project Assurance

Independent second opinion during a running implementation project — whether we are delivering it or another partner. CMMI-based quality gates, risk reviews, fixed price per gate.

During · adoption

Training & learning program

Not the classic two-day workshop that's forgotten after a week — but a dynamic learning program over 4–6 weeks with kickoff training, application phases, and advanced sessions. Training matrix for roles and topics.


After · operations

Application Care

After go-live: a predictable Application Care contract with monthly flat rate, SLA-based. Includes releases, hotfixes, extensions, tenant hardening — and continuous support instead of merely reacting to tickets.


After · knowledge

Knowledge Recovery

When the original developers are gone, the previous partner is no longer reachable, or the documentation is outdated — reverse engineering of the existing solution with a documented result: code map, data model, customization inventory.
