NIS2Compass provides information and guidance on NIS2 compliance. The content does not constitute legal advice within the meaning of the German Legal Services Act (Rechtsdienstleistungsgesetz, RDG) and does not replace individual legal or professional advice.

© Copyright 2026 NIS2Compass. All rights reserved.

Developed in Germany
Guide

Do I Need an ISMS for NIS2? Mandatory or Optional

Authored by NIS2Compass Experts, NIS2 Compliance Expert
Last updated: June 15, 2026 · 9 min read
[Image: stylized compass with three branching paths in dark blue and teal, symbolising the three routes to NIS2 compliance: ISMS with ISO 27001, ISMS tool, or structured guide]

NIS2 does not require an ISMS or ISO 27001 certification. What the BSI actually demands, which structures §30 BSIG requires, and what SMEs need to know.

No, NIS2 does not mandate a formal ISMS or ISO 27001 certification, and the BSI explicitly confirms this freedom of methodology. However, the ten measures set out in §30 BSIG effectively require ISMS-typical structures; for the roughly 29,500 affected companies, the question is rarely "whether" but "how extensive" (comparison with ISO 27001). NIS2Compass shows you where you stand through the Pre-Check.

What does §30 BSIG actually say about ISMS obligations?

§30 Paragraph 1 BSIG requires "appropriate, proportionate and effective technical and organisational measures", not a specific management system. The BSI states clearly: "The BSI does not prescribe any specific standard." (translated from the German original). What is mandatory, therefore, is the implementation of the ten areas of measures from Paragraph 2, not a certified ISMS or an ISO certification.

The wording of §30 Para. 1 BSIG is deliberately open. The legislator thereby opens the path for different forms of implementation, from ISO 27001 through BSI IT-Grundschutz to tailored solutions. This openness is by design, not a regulatory gap.

The BSI has clarified its position on its official information page ISO/IEC 27001 im Kontext NIS-2/BSIG: entities are fundamentally free to choose how they implement the statutory requirements. Freedom of methodology is thus firmly anchored. For a deeper dive into this comparison, see the article NIS2 vs. ISO 27001: Was ist der Unterschied?.

What is mandatory is the result, not the path. The ten areas of measures must be implemented; how this is done is up to each company. Those looking for a structured path will find one in the NIS2 Guide based on the §30 BSIG structure.

Freedom of methodology, however, is not a licence for arbitrariness. The terms "appropriate, proportionate and effective" demand documentation and verifiability towards the BSI: entities must be able to present evidence at the request of the supervisory authority, including risk analyses, policies and effectiveness assessments, and §38 BSIG places the duty to implement and monitor these measures on management personally. Whoever chooses the method freely must justify that choice and demonstrate its suitability for the specific risk context.

For around 29,500 companies in Germany, of which roughly 8,250 are essential entities and 21,600 are important entities, this obligation to provide proof of compliance has applied since December 2025, when the NIS2UmsuCG entered into force (source: OpenKRITIS). For most of these companies, the existing security level is the most important factor, not the choice of standard.

Which §30 BSIG requirements effectively demand ISMS structures?

At least four of the ten minimum security measures under §30 BSIG cannot be sensibly implemented without ISMS-typical structures: risk analysis, effectiveness assessment, training and documentation. An ISO 27001 certification alone is not enough for NIS2, because it does not cover central §30 obligations. But the ISMS methodology (Plan-Do-Check-Act, risk register, effectiveness measurement) is hard to avoid as an approach.

A look at §30 BSIG shows where management system structures become unavoidable. Four requirements deserve particular attention:

  • §30 Para. 2 No. 1 (risk analysis): the provision requires a systematic risk management process. Without a risk register, documented assessment methodology and fixed update cycle, the requirement cannot be evidenced to the BSI.
  • §30 Para. 2 No. 6 (effectiveness assessment): the effectiveness of measures must be reviewed regularly. This is a classic ISMS component and typically includes internal audits as well as management reviews.
  • §30 Para. 2 No. 7 (training): training planning, attendance records and structured awareness programmes are part of the standard repertoire of an ISMS. Isolated measures without a programme concept are not enough.
  • §30 Para. 1 (documentation): compliance must be documented. This requires policies, procedures and evidence. The resulting document architecture is essentially identical to that of an ISMS.

To be fair, this does not apply to all ten points. No. 8 (cryptography), No. 9 (access control and asset management) and No. 10 (MFA and secure communication) are primarily technical measures. They are, in theory, implementable without an ISMS. For proof of effectiveness and regular updates, however, you again need structures that resemble a management system.

It is not the certificate that is mandatory, but the underlying methodology. Whoever implements §30 BSIG properly will in effect build ISMS-typical elements, even without ISO 27001 certification. This insight is decisive for the question of which implementation path is economically reasonable.

The scale is shown by the NIS2 mapping by OpenKRITIS: an ISMS in accordance with ISO 27001 covers roughly 70 to 80 percent of NIS2 requirements. The remaining 20 to 30 percent are precisely the NIS2-specific obligations such as reporting and registration. Which structures you already have and where the pragmatic entry point lies can be determined in the Pre-Check. A deeper analysis of what an existing management system does not cover is offered by the article NIS2 und ISMS: Was Ihr bestehendes System nicht abdeckt.

What options do SMEs actually have?

Three paths lead to NIS2 compliance: a full ISMS with ISO 27001 certification, an ISMS tool without certification intent, or a structured guide plus template library. Which path fits depends above all on customer requirements, IT security maturity and available budget. For SMEs without certification pressure, the pragmatic path is usually the most economical.

Option A — Full ISMS with ISO 27001 certification: you build a formal management system, go through an audit cycle and obtain an external certificate. Costs typically range from EUR 35,000 to 50,000 for the initial certification of an SME with 10 to 50 employees. Internal resources amount to 0.5 to 1.5 full-time equivalents over 6 to 12 months (source: secjur — ISO 27001 Kosten 2026). This path makes sense if external proof of compliance is a business requirement.

Option B — ISMS tool without certification intent: you use a software platform for structure and audit readiness, but forgo the external certificate. Typical categories include open-source solutions and commercial SaaS platforms. SaaS annual fees vary significantly and often range from EUR 5,000 to 30,000, depending on user count and modules. This option suits companies that want to maintain several frameworks in parallel.

Option C — Structured guide plus template library: you follow a step-by-step path through the ten §30 BSIG measures, use ready-made policy templates and document effectiveness evidence as Word and Excel files. Suitable for SMEs without certification pressure. Example: NIS2Compass combines the NIS2 Guide, the Knowledge Hub and the Template Library into a guided implementation path.

The choice depends on four decision factors. First, customer requirements: if tenders require an ISO 27001 certificate, there is no way around Option A. Second, maturity: those who already have policies, a backup concept and a risk register documented can realistically start with Option C. Third, industry: machine-builders supplying the automotive sector often have additional TISAX requirements, which point towards Option A or B. Fourth, framework variety: when ISO 27001, GDPR and NIS2 run in parallel, Option A or B is more economical.

The numbers put certification pressure into perspective. In 2023 there were only 1,563 valid ISO 27001 certificates in Germany (source: Statista, ISO Survey 2023). Even among the roughly 29,500 NIS2-affected companies, ISO certification is therefore the minority. The article Reicht ISO 27001 für NIS2-Compliance aus? offers a deeper certification perspective. What a pragmatic path looks like in practice is shown by the Template Library with its ready-made policy sets.

"Many SMEs reflexively jump into the ISO 27001 debate and overlook that for the NIS2 obligation, evidencing the §30 measures is initially sufficient. If no tender demands a certificate, building a guide-based set of measures within four to six months is realistic. A full ISO certification takes twice as long and costs many times more."

— Dr. Markus Hartmann, Senior Compliance Consultant at NIS2Compass

When is a guide enough, when do you need a full ISMS?

For SMEs without ISO certification pressure, a structured guide with documented policies and effectiveness evidence is often enough to fulfil §30 BSIG. A full ISMS pays off when major customers require certification, when several compliance frameworks run in parallel, or when the company is an essential entity. Three criteria help the decision.

When is a structured guide enough?

A guide approach with ready-made templates and documented effectiveness evidence is viable if the following conditions apply:

  • No customer requirement for ISO 27001 or TISAX in tenders or supplier contracts.
  • Classification as an important entity (not an essential entity under §28 BSIG).
  • Manageable IT landscape with clear company structure and unambiguous responsibilities.
  • Existing baseline documents such as a backup concept, access controls or contingency plan as a starting point.

The NIS2 Guide from NIS2Compass walks you step by step through the ten §30 BSIG areas of measures and provides Word and Excel templates for every mandatory area. A full overview of the ready-to-use Word and Excel templates is available on the NIS2 templates page.

When does a full ISMS make sense?

In the following constellations, there is no way around building an ISMS:

  • Tenders explicitly require a valid ISO 27001 certificate.
  • Several compliance frameworks run in parallel, such as GDPR, ISO 27001, TISAX and NIS2.
  • Complex group or site structure with distributed responsibilities.
  • Industry-specific pressure in the energy, finance or healthcare sectors.

What is the pragmatic transition path?

Many SMEs start with the guide path and migrate to a certified ISMS later if needed. The §30 documentation structure is very good preparation for a later ISO certification. The detail in NIS2 vs. ISO 27001 shows which elements can be transferred directly.

The guide path is not an "ISMS light". The obligations under §30 BSIG are identical; only the level of detail of the management system structures differs. The explanatory memorandum of the NIS2UmsuCG notes that only 17 percent of NIS2-affected companies have in principle taken sufficient measures (explanatory memorandum NIS2UmsuCG, cited from OpenKRITIS). Those who start pragmatically are therefore already part of the small minority that is actually taking action.

Practical case: how a machine-builder with 150 employees starts NIS2 without building an ISMS

A southern German machine-builder with 150 employees fell under NIS2 as an important entity from December 2025 onwards. Instead of setting up a full ISMS, the company documented the ten §30 measures using structured Word and Excel templates. Within four months, BSI registration, risk register and policy package were in place, at a fraction of the cost of building an ISMS.

Starting position

The company employs 150 people and supplies the automotive industry as a Tier-1 partner. A TISAX label was in place but did not cover the NIS2-specific requirements. There was no ISO 27001 certification. The IT department comprised five people. Management only became aware of NIS2 as a real obligation in summer 2025, after a major customer requested a corresponding self-declaration.

Decision: no twelve-month ISMS build, but a pragmatic four-month path along the §30 BSIG measures.

Approach over four months

  • Month 1: BSI registration under §33 BSIG completed. Pre-Check carried out to determine maturity, identifying existing structures from TISAX as a starting point.
  • Month 2: risk register created on the basis of an Excel template, with documented top-15 risks. Policy set for access control, backup, incident response and acceptable use policy adapted from the Template Library and approved by management.
  • Month 3: MFA rolled out for privileged accounts. IR plan with reporting cascade under §32 BSIG adopted. Awareness training started for all employees.
  • Month 4: supplier assessment introduced as a NIS2 gate for Tier-1 suppliers. Effectiveness measurement defined with quarterly reviews. Documentation prepared for a potential BSI evidence request.
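The four requirements discussed earlier (risk register with a fixed update cycle, regular effectiveness assessment, documented evidence) and the month-2 to month-4 steps above are easy to state and easy to let slide. The following Python self-check is an added example written for this article; it is not a NIS2Compass template, not BSI material and not a real customer register. It reads a constructed risk register, flags entries with no owner, entries whose last review exceeds the review cycle (90 days, matching the quarterly reviews defined in month 4), accepted risks whose score is high enough that "appropriate and proportionate" needs an explicit justification, and the §30 Para. 2 areas that no register entry addresses. The column layout, the 90-day cycle, the acceptance threshold and all sample rows are assumptions.

```python
"""
Self-check for a §30 BSIG risk register and measure-area coverage.

Added example for this article; not part of the NIS2Compass product, of any
BSI guidance or of a real customer. Register layout, the 90-day review cycle,
the acceptance threshold and the sample rows are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# The ten areas of measures in §30 para. 2 BSIG, keyed by their number.
# Short working labels; the statutory wording is authoritative.
MEASURE_AREAS = {
    1: "risk analysis and security concepts",
    2: "incident handling",
    3: "business continuity and backup",
    4: "supply chain security",
    5: "secure acquisition, development and maintenance",
    6: "effectiveness assessment",
    7: "cyber hygiene and training",
    8: "cryptography",
    9: "personnel security, access control, asset management",
    10: "MFA and secure communication",
}

# Constructed sample register (not real data). measure_areas lists the
# §30 para. 2 numbers that the risk's treatment addresses.
SAMPLE_REGISTER = """\
id,title,owner,likelihood,impact,treatment,last_review,measure_areas
R01,Ransomware via phishing,IT lead,4,5,mitigate,2026-05-02,2;3;7
R02,Unpatched remote-access gateway,IT lead,3,5,mitigate,2026-01-10,5;10
R03,Loss of sole backup site,,2,5,mitigate,2026-04-20,3
R04,Compromised Tier-1 supplier account,Purchasing,3,4,accept,2026-05-15,4
R05,Legacy PLC without encryption,OT lead,2,3,accept,2026-05-30,8
"""


@dataclass
class Risk:
    id: str
    title: str
    owner: str
    likelihood: int          # 1..5, assumed scale
    impact: int              # 1..5, assumed scale
    treatment: str           # mitigate / accept / transfer / avoid
    last_review: date
    measure_areas: set[int]  # §30 para. 2 numbers addressed

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def parse_register(text: str) -> list[Risk]:
    """Parse the CSV register into Risk objects (owner may be empty)."""
    risks = []
    for r in csv.DictReader(io.StringIO(text)):
        risks.append(Risk(
            id=r["id"],
            title=r["title"],
            owner=r["owner"].strip(),
            likelihood=int(r["likelihood"]),
            impact=int(r["impact"]),
            treatment=r["treatment"].strip().lower(),
            last_review=date.fromisoformat(r["last_review"]),
            measure_areas={int(n) for n in r["measure_areas"].split(";") if n},
        ))
    return risks


def check_register(risks: list[Risk], today: date,
                   review_cycle_days: int = 90,
                   accept_threshold: int = 12) -> list[str]:
    """Return human-readable findings; an empty list means no gaps found."""
    findings = []
    for r in risks:
        if not r.owner:
            findings.append(f"{r.id}: no owner assigned")
        age = (today - r.last_review).days
        if age > review_cycle_days:
            findings.append(f"{r.id}: review overdue by {age - review_cycle_days} days")
        if r.treatment == "accept" and r.score >= accept_threshold:
            findings.append(f"{r.id}: score {r.score} accepted without mitigation; "
                            "justify against 'appropriate and proportionate'")
    covered = set().union(*(r.measure_areas for r in risks))
    for n in sorted(set(MEASURE_AREAS) - covered):
        findings.append(f"area {n} ({MEASURE_AREAS[n]}): no register entry "
                        "addresses this area; check for separate evidence")
    return findings


def sample_findings(today: date = date(2026, 6, 15)) -> list[str]:
    """Run the check over the constructed register as of the given date."""
    return check_register(parse_register(SAMPLE_REGISTER), today)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run against the sample as of 15 June 2026, the check reports one overdue review (R02), one missing owner (R03), one accepted high-scoring risk (R04) and three areas with no entry (1, 6 and 9). The last group is the useful part for a BSI evidence request: it tells you which of the ten areas your documentation has to prove some other way.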

Result and cost comparison

§30 compliance is documentable and can be evidenced to the BSI. The TISAX audit continues separately. ISO 27001 certification was not pursued, but remains open as an option for any future tender requirement. The company was able to build on the documented structures from the NIS2 Guide.

  • Option A (full ISMS plus ISO 27001): estimated EUR 45,000 and 1.2 full-time equivalents over nine months.
  • Chosen path (guide plus templates): estimated EUR 5,000 and 0.5 full-time equivalents over four months.

The pragmatic path significantly reduces both capital expenditure and the internal commitment of IT resources. This is consistent with the market picture: only twelve percent of surveyed companies have so far fully implemented NIS2, according to the G DATA / Statista study "Cybersecurity in Numbers" 2025.

Note: industry and size details are anonymised. The scenario summarises typical patterns from practice and does not represent a specific customer story.

What does the BSI recommend for companies without ISMS experience?

The BSI recommends a step-by-step, risk-based implementation with clear documentation, without prescribing a specific framework. Those who do not yet have an ISMS should start with risk analysis, BSI registration and MFA, and systematically build up documentation. With its #nis2know information packages, the BSI provides free guidance.

The official BSI position is consistent across several sources. On the information page ISO/IEC 27001 im Kontext NIS-2/BSIG, the BSI explicitly affirms freedom of methodology. Existing management systems can serve as a basis but must be reconciled with §30 BSIG. The approach is deliberately holistic and all-hazard: digital, physical and environmental security belong together.

For companies without ISMS experience, the BSI suggests a pragmatic sequence:

  1. BSI registration under §33 BSIG as the formal entry point.
  2. Risk analysis as the foundation under §30 Para. 2 No. 1.
  3. Immediate measures such as MFA, backup and basic incident response.
  4. Policy package built up (asset management, access control, suppliers).
  5. Effectiveness measurement and continuous improvement established.

An important BSI clarification, often underestimated by companies, is this: even an ISO 27001 certification is not an automatic proof of NIS2 compliance. The BSI names three structural gaps:

  • Scope: the ISMS scope may be restricted. §30 BSIG, however, requires implementation across the entire relevant operation.
  • Risk acceptance: ISO 27001 permits risk acceptance and transfer. §30 requires the mandatory implementation of appropriate measures.
  • Statutory obligations: reporting obligations under §32 BSIG, registration under §33 BSIG and management liability under §38 BSIG are not part of an ISMS.

One figure sets the picture in context: in 2023 there were only 1,563 valid ISO 27001 certificates in Germany, compared with around 29,500 NIS2-affected companies. The majority will therefore have to take the pragmatic route. NIS2Compass supports this route: the Pre-Check determines the maturity level as a concrete starting point, and the article NIS2 und ISMS-Integration goes deeper into the integration with existing structures.

Frequently Asked Questions

Does §30 BSIG require an ISMS?

No. §30 BSIG demands "appropriate, proportionate and effective technical and organisational measures", but does not define a specific management system. The BSI officially clarifies: "The BSI does not prescribe any specific standard." (translated from the German original). An ISMS is one possible form of implementation, not the only one required.

Is ISO 27001 certification a prerequisite for NIS2 compliance?

No. ISO 27001 certification can be a strong foundation, but it does not replace proof of NIS2 compliance. The BSI names three areas where ISO 27001 falls short: scope definition, risk acceptance options, and statutory obligations such as reporting and registration. More details: Reicht ISO 27001 für NIS2-Compliance aus?

Are individual policies and documents enough without a formal ISMS?

Yes, provided they cover the ten §30 areas of measures and are documented in a verifiable way. What is mandatory is not the management system, but the evidence of implemented measures. Structured templates, regular effectiveness measurements and a clear framework of responsibilities are sufficient, as long as they are maintained consistently and kept up to date.

What does building a full ISMS cost for an SME?

For an SME with 10–50 employees, the costs for initial ISO 27001 certification typically range from EUR 35,000 to 50,000 in the first year, including consulting and external audit. On top of that come 0.5 to 1.5 internal full-time equivalents over six to twelve months for build-up and documentation.

When should I build a full ISMS?

When customers or tenders require ISO 27001, when several compliance frameworks run in parallel (GDPR, NIS2, TISAX), or when the company is classified as an essential entity. Without these triggers, a structured guide with documented measures is sufficient for many SMEs.

Implement NIS2 step by step

NIS2Compass guides you step by step through implementation – with guide, templates and knowledge hub.

Get started

Related Articles

guide

NIS2 BSI Registration: Missed the Deadline — What Now?

The statutory NIS2 registration deadline has expired, but the BSI is granting an extended deadline until 31 July 2026. How to complete your registration in the BSI portal step by step.

9 min read

guide

NIS2 Checklist as an Excel Template: the 10 §30 Obligations

Turn the 10 minimum measures from §30 BSIG into an Excel checklist: a 6-step build, ISO 27001 mapping, and common mistakes. With the free NIS2Compass Pre-Check.

8 min read

guide

Implementing NIS2 Without a Consultant: A Guide for SMEs

Implementing NIS2 without a consultant: SMEs handle around 80% of the §30 BSIG duties on their own. The five phases, the realistic effort, and when external help is genuinely needed.

8 min read

Back to Blog