This document is under active development and has not been finalized.

Compliance Matrix

Complete mapping of all NIS2 requirements to documentation, implementation and synergies.

§30 BSIG – Risk Management Measures

No.	Measure	Documentation	Status
1	Risk analysis and IT security concepts	Risk Management	✅ Implemented
2	Incident handling	Incident Management	✅ Implemented
3	Business continuity / BCM	Business Continuity	✅ Implemented
4	Supply chain security	Supply Chain Security	✅ Implemented
5	Secure acquisition, development, maintenance	Vulnerability Management	✅ Implemented
6	Effectiveness review	Effectiveness Review	✅ Implemented
7	Training & awareness	Training & Awareness	✅ Implemented
8	Cryptography	Cryptography	✅ Implemented
9	Access control & personnel security	Access Control	✅ Implemented
10	MFA & secure communication	Access Control	✅ Implemented

Additional BSIG Obligations

Section	Obligation	Documentation	Status
§32	Reporting obligations	Incident Management	✅ Implemented
§33	Registration obligation	Organizationally implemented	✅ Implemented
§38	Management duties	Governance	✅ Implemented

CRA Synergies

NIS2 Measure	CRA Documentation	Synergy
No. 2 – Incidents	CRA Incident Response	Product incidents via CRA, operational incidents via NIS2
No. 4 – Supply chain	CRA Supply Chain	Software supply chain via CRA, service providers via NIS2
No. 5 – Vulnerabilities	CRA Vulnerability Management	Product CVEs via CRA, infra CVEs via NIS2
No. 5 – SBOM	CRA SBOM & Signing	SBOM generation and signing via CRA

AI Act Synergies

NIS2 Measure	AI Act Reference	Synergy
No. 1 – Risk management	Art. 9 AI Act (risk management)	NIS2 ISMS as foundation for AI risk management
No. 8 – Cryptography	Art. 15 AI Act (cybersecurity)	Cryptography standards also apply to AI systems
No. 9 – Access control	Art. 14 AI Act (human oversight)	Access control as foundation for AI oversight