
Compliance & NIS2 — pragmatic implementation on the Microsoft stack.

The German NIS2 Implementation Act has been in force since December 6, 2025. About 29,500 German companies fall under the obligation for the first time. We bring mid-market and KRITIS organizations into a workable compliance framework — on Microsoft Purview, Microsoft Entra ID, and Microsoft Defender. Pragmatic, not overstated.

In force since Dec 6, 2025 (NIS2UmsuCG)
~29,500 companies newly in scope
Fines up to €10 million or 2% of annual revenue
Managing-Director liability, personally

For Managing Directors · risk reduction in euros

NIS2 fines up to €10 million or 2% of annual revenue — plus personal liability. What does a non-compliant year cost you?

We translate NIS2 into euros: fine exposure, Managing-Director liability exposure, insurance impact, cost of action vs. cost of inaction. Fixed-price NIS2 Readiness with a documented gap analysis and prioritized action plan — defensible to shareholders, supervisory board, and in BSI audits. You know what you can put up against liability — in writing.

Start audit conversation

For Department Heads · NIS2 audit defense

A documented action plan — audit-ready, defensible internally.

We deliver a documented outcome report: NIS2 gap analysis against Annex II of EU Directive 2022/2555, prioritized action plan with effort and risk assessment, audit defense file with evidence structures for BSI inquiries. Discovery Spike as the typical first engagement, with a business-case skeleton for CFO and procurement — ready for the next steering committee and the annual security report.

Request Discovery Spike

For IT Leadership · Defender XDR, Purview, Entra

NIS2 Annex II mapped onto the Microsoft compliance stack — directly with the architect.

Concrete configuration, not theory: Microsoft Defender XDR (endpoint, email, cloud, identity) with incident reporting pipeline for the 24-hour reporting obligation, Microsoft Purview (data classification, DLP, insider risk, audit), Entra ID Conditional Access and Privileged Identity Management, Sentinel SIEM integration. NIS2 Annex II mapping per measure. You talk directly to the architect who also implements the stack.

45-min architecture conversation

NIS2 is here

What changed since December 2025 — and what management needs to know.

The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) is the German implementation of EU Directive 2022/2555. It came into force on December 6, 2025, and dramatically expands the circle of obligated companies. About 29,500 German organizations fall under NIS2 for the first time — many of them mid-market machine builders, food producers, IT service providers, regional energy suppliers.

The central change versus the first NIS directive: NIS2 no longer covers only the classic KRITIS sectors but also essential and important sectors more broadly — from food production to manufacturers of certain machines to managed IT service providers. If you run a medium-sized company with 50+ employees and €10 million in revenue in one of the 18 NIS2 sectors, you're highly likely affected.

Three consequences are particularly impactful: first, an incident reporting obligation within 24 hours to the German Federal Office for Information Security (BSI). Second, a documented risk management system with clear technical and organizational measures. Third — and this is often overlooked — direct personal liability of Managing Directors. Anyone who delegates the topic and then demonstrably fails to oversee it has a personal problem under NIS2.

Four compliance building blocks

Which Microsoft tools we use to implement NIS2.

Microsoft has built a coherent compliance stack over the past three years. Four tools form the foundation — they interlock but are each their own license and configuration object.

01

NIS2 Readiness

Assessment, gap analysis, roadmap. We check your current state against NIS2 requirements, identify the biggest gaps, and prioritize actions by risk and effort. Result: a clearly formulated implementation program that management and IT carry together.

02

Microsoft Purview

Data classification, Data Loss Prevention (DLP), insider risk management, audit. Microsoft Purview addresses the question: what are our critical data, who sees them, and who can do what with them. Central for GDPR and NIS2 alike.

03

Microsoft Entra ID

Identity and access management. Multi-factor authentication, Conditional Access, Privileged Identity Management, Identity Protection. Anyone wanting NIS2 compliance must first get identities under control — the highest-leverage action with the lowest risk.

04

Microsoft Defender

Endpoint security, email security, cloud security, identity security. Microsoft Defender XDR unites the individual Defender products into one telemetry platform. The NIS2 incident reporting obligation becomes operationally fulfillable — provided the stack is configured cleanly and the team knows how to use it.

Our approach

Four steps from status quo to documented NIS2 compliance.

NIS2 is not a 4-week project. But it's also not a 24-month program. We work with our clients in four clearly separated phases — each phase delivers an independent result that has value even when the next phase is delayed.

01

Assessment

Four weeks. We check your applicability (sector, size, KRITIS classification), inventory critical assets, and capture the current state in Microsoft 365, Entra ID, and Defender. Result: a clear picture of the starting position, without glossing over.

02

Gap analysis

Three to four weeks. A gap assessment per NIS2 requirement and per Microsoft tool: what is currently met, what is partially met, and what is not met at all. For each gap, a measure, an effort estimate, and a risk contribution. Result: a prioritized action catalog.

03

Implementation roadmap

4 to 9 months. Implementation of the prioritized measures — quick wins (MFA, Conditional Access, DLP base rules) first, then the structural topics (insider risk, SIEM, incident response). In waves, with clear milestones.

04

Continuous monitoring

Ongoing. NIS2 isn't a project end state but an ongoing discipline. Quarterly compliance review, annual audit, continuous tuning of Defender rules. Optionally within our Application Care contracts.
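The identity quick win from step 03 (multi-factor authentication via Conditional Access) and the recurring review from step 04, shown as an added example that is not the page's or the consultancy's own code: it creates a tenant-wide MFA policy in report-only mode with the Microsoft Graph PowerShell SDK, then lists every Conditional Access policy that is not yet enforced as evidence for the quarterly compliance review. The cmdlet names, permission scope, and policy property names are Microsoft Graph's own; the break-glass group id is a placeholder you must replace with your tenant's emergency-access group.

```powershell
# Added example, not code from the page or the consultancy it describes.
# Assumes the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns)
# and an administrator who can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Placeholder: object id of the group holding your emergency-access ("break-glass") accounts.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# Quick win: require MFA for all users against all cloud apps.
# Start in report-only mode so sign-in logs show who would be blocked before anything is enforced.
$policy = @{
    displayName = "NIS2 quick win - Require MFA for all users (report-only)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)       # emergency-access accounts must never be locked out
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Continuous monitoring: evidence for the quarterly review.
# Any policy still in report-only or disabled state is a gap that needs an owner and a date.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne "enabled" } |
    Select-Object DisplayName, State, Id |
    Format-Table -AutoSize
```

The report-only stage is the safe path: a tenant-wide MFA requirement switched straight to enforced can lock out service accounts, shared mailboxes, or the administrators themselves, which is why the example excludes the break-glass group and why the review query flags policies that never left report-only mode.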

Implementation costs — the honest number

Individually calculated for medium-sized companies — prices on request.

We often hear the question: "What will NIS2 cost us?" An honest answer needs two sides. On the advisory and implementation side, for medium-sized companies with 50 to 500 employees, we scope a program whose cost we settle together in the initial conversation. This scope covers assessment, gap analysis, rollout of the quick wins, configuration of Microsoft Purview/Entra ID/Defender, and setup of the incident response processes.

On the license side, Microsoft license upgrades come on top — typically from Microsoft 365 E3 to E5 or supplementary Defender and Purview packages. We calculate this transparently via our License Cost Calculator. This translates into a monthly additional cost per employee — the range depends heavily on the starting position.

What the costs don't cover: hardware renewals (e.g., for endpoint hardening), external audits by certified auditors, legal support for the conformity declaration. We optionally include these items in an overall budget but typically refer to specialized partners.

Honest scope

Where our competence ends.

We do NIS2 compliance on the Microsoft stack. Three areas where we deliberately bring in partners:

OT security (operational technology). Machine controls, SCADA systems, industrial sensors — that's its own discipline with its own tools (Claroty, Nozomi, Microsoft Defender for IoT as a bridge). For manufacturing clients we bring in specialized OT partners.

Physical security. Access control, UPS, fire protection, redundant sites — NIS2 demands it, we don't deliver it. We refer to facility management partners here.

Conformity audits. The legal stamp on the conformity declaration is placed by a certified auditing firm, not us. We prepare the audit, document the measures, and walk you through the assessment — the stamp comes from a third party.

Frequently asked questions

What management wants to know before the initial conversation.

What is NIS2 and since when does it apply?

NIS2 (EU Directive 2022/2555) is the second edition of the Network and Information Security Directive. In Germany it was implemented via the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which came into force on December 6, 2025. About 29,500 German companies fall under the obligation for the first time.

Are we affected by NIS2?

Three criteria trigger the obligation: sector (18 sectors named in NIS2 such as energy, transport, banking, health, IT services, manufacturers of certain products), size (medium-sized companies from 50 employees and €10 million revenue), and criticality (KRITIS classification). We check applicability in the first hour of the initial conversation.

How high are the fines?

NIS2 provides for fines of up to €10 million or 2% of global annual revenue for essential entities. For important entities up to €7 million or 1.4% of revenue. Add to that direct Managing-Director liability — the management is personally on the hook, not just IT.

What does NIS2 implementation cost?

For medium-sized companies the implementation budget is calculated individually. It covers assessment, gap analysis, configuration of the Microsoft tools (Purview, Entra ID, Defender), training, and the buildout of reporting obligations. Ongoing costs come from licenses and continuous monitoring. Prices on request.

Is the Microsoft stack enough for NIS2 compliance?

For most requirements, yes. Microsoft Purview, Microsoft Entra ID, Microsoft Defender, and Microsoft Sentinel cover the majority of NIS2 requirements. Gaps remain in OT security (operational technology, machine control), specific sector requirements, and physical protection. We address these gaps via partners.

How long does NIS2 implementation take?

Realistically 6 to 12 months for medium-sized companies — from the first assessment to productive operation of the compliance tools. Quick wins (multi-factor authentication, Conditional Access, basic DLP rules) are achievable in 4 to 8 weeks. Full maturity including incident response processes takes longer.

What's the difference from GDPR?

GDPR protects personal data. NIS2 protects the availability and integrity of critical services — cybersecurity in a broader sense, with clear obligations on risk management, incident reporting (24-hour deadline!), and Managing-Director liability. Both regulations interlock but cover different protection goals.

To take with you · two materials

Factsheet and whitepaper.

Two depths for different reading needs. The factsheet is a quick reference (3–5 min) and immediately downloadable. The whitepaper is market education with methodology and comparison data (15–30 min) — you get it by email after a short request.

Factsheet · 2 pages

Compliance & NIS2 factsheet

3–5 min read · direct download · no form

Concise overview: scope, key figures, pricing model, process — ideal to forward to CFO, procurement, or the business line.

Download factsheet (PDF)

Whitepaper · 12 pages

Compliance & NIS2 — deep dive

15–30 min read · by email on request

Methodology, comparison data, recommendation framework — material for internal argumentation with stakeholders.

Related services

Compliance doesn't stand alone — these topics belong together.

30-min initial conversation or 45-min architecture

Where does your NIS2 situation stand today?

We check applicability, maturity, and biggest gaps in a first conversation. For complex setups with multiple sites, OT shares, or group structures, head straight into our 45-min architecture call.

To take with you

Compliance & NIS2 factsheet.

Two-page quick reference with package structure, delivery areas, and three reasons for arades — immediately downloadable, no form. Ideal to forward to CFO, procurement, or IT lead.


Download factsheet (PDF, 5 KB)