# Compliance Matrix

Complete mapping of all NIS2 requirements to documentation, implementation and synergies.
## Effectiveness Review

The Last Effectiveness Review column documents the evidence required under §30(2) No. 6 BSIG. Measures without a documented review in the current year are considered not effectively reviewed. The next scheduled effectiveness review is due 12 months after the last documented review.
## §30 BSIG – Risk Management Measures

| No. | Measure | Documentation | Status | Last Effectiveness Review | Next Review |
|---|---|---|---|---|---|
| 1 | Risk analysis and IT security concepts | Risk Management | ✅ Implemented | 2026-03 | 2027-03 |
| 2 | Incident handling | Incident Management | ✅ Implemented | 2026-03 | 2027-03 |
| 3 | Business continuity / BCM | Business Continuity | ✅ Implemented | 2026-03 | 2027-03 |
| 4 | Supply chain security | Supply Chain Security | ✅ Implemented | 2026-03 | 2027-03 |
| 5 | Secure acquisition, development, maintenance | Vulnerability Management | ✅ Implemented | 2026-03 | 2027-03 |
| 6 | Effectiveness review | Effectiveness Review | ✅ Implemented | 2026-03 | 2027-03 |
| 7 | Training & awareness | Training & Awareness | ✅ Implemented | 2026-03 | 2027-03 |
| 8 | Cryptography | Cryptography | ✅ Implemented | 2026-03 | 2027-03 |
| 9 | Access control & personnel security | Access Control | ✅ Implemented | 2026-03 | 2027-03 |
| 10 | MFA & secure communication | Access Control | ✅ Implemented | 2026-03 | 2027-03 |
## Additional BSIG Obligations

| Section | Obligation | Documentation | Status | Last Effectiveness Review | Next Review |
|---|---|---|---|---|---|
| §32 | Reporting obligations | Incident Management | ✅ Implemented | 2026-03 | 2027-03 |
| §33 | Registration obligation | Organizationally implemented | ✅ Implemented | 2026-03 | 2027-03 |
| §38 | Management duties | Governance | ✅ Implemented | 2026-03 | 2027-03 |
## Status Legend

| Symbol | Meaning |
|---|---|
| ✅ Implemented | Measure documented, deployed and last effectiveness review successful |
| 🟡 In progress | Measure adopted, rollout ongoing, effectiveness review pending |
| 🔴 Open | Measure required but not yet deployed |
| ⏸️ Excluded | Measure not applicable (justification documented) |
## CRA Synergies

| NIS2 Measure | CRA Documentation | Synergy |
|---|---|---|
| No. 2 – Incidents | CRA Incident Response | Product incidents via CRA, operational incidents via NIS2 |
| No. 4 – Supply chain | CRA Supply Chain | Software supply chain via CRA, service providers via NIS2 |
| No. 5 – Vulnerabilities | CRA Vulnerability Management | Product CVEs via CRA, infra CVEs via NIS2 |
| No. 5 – SBOM | CRA SBOM & Signing | SBOM generation and signing via CRA |
## AI Act Synergies

| NIS2 Measure | AI Act Reference | Synergy |
|---|---|---|
| No. 1 – Risk management | Art. 9 AI Act (risk management) | NIS2 ISMS as foundation for AI risk management |
| No. 8 – Cryptography | Art. 15 AI Act (cybersecurity) | Cryptography standards also apply to AI systems |
| No. 9 – Access control | Art. 14 AI Act (human oversight) | Access control as foundation for AI oversight |