Cybersecurity is now the law. We get you ready.
The NIS2 Directive, transposed into the BSIG (NIS2UmsuCG), has been in force since 06.12.2025 with no transition period. Roughly 29,500 German entities are newly in scope. At awedit, experts in regulated IT audits review your scope, class and §30 measures against a real control catalog, accelerated by highly specialized AI tooling. There is no NIS2 certificate, so we arm you to self-declare and survive BSI supervision.
Orientation, not evidence. Not legal advice.
The clock is already running.
NIS2UmsuCG in force, no transition period. The §30 risk-management measures apply now.
BSI registration deadline passed. Many entities are still unregistered and already non-compliant on this administrative duty.
For besonders wichtige Einrichtungen, the BSI can order a §39 Nachweis: an audit, examination or certification of the measures.
Experts lead the review. AI accelerates it. You sign on solid ground.
There is no NIS2 certificate. Our job is defensibility: a documented §30 file your personally-liable management can approve, and that survives a BSI supervisory audit.
- STEP · 01Scope
Sector plus size decides whether you are in scope and in which class. Some entities are in scope regardless of size.
- STEP · 02Scan
Your §30 measures are assessed against a real control catalog, cross-referenced to C5:2026 and ISO 27001. Experts review every finding.
- STEP · 03Arm
You get a prioritized gap report and a §38 management-approval pack, ready for self-declaration and for a §39 audit or ISO route later.
Experts lead the review, highly specialized AI tooling accelerates it, you sign on solid ground. No tool alone achieves compliance, and there is no such thing as a NIS2 certificate. One provider to manage, your signature on solid ground.
What NIS2 actually asks of you.
A plain-English read of the parts most teams get wrong on the first pass.
Scope: automatic by sector and size
NIS2 covers 18 sectors. Absent a special rule, you are in scope at medium size: at least 50 staff, or over €10M turnover and balance-sheet total. Some entities, such as trust service and DNS providers, are in scope regardless of size.
Two classes
Besonders wichtige Einrichtungen face proactive BSI supervision and a §39 Nachweis duty. Wichtige Einrichtungen face reactive supervision. Both must implement the same ten §30 measures.
The ten §30 measures
Risk analysis, incident handling, business continuity and backup, supply-chain security, secure development and vulnerability handling, effectiveness review, cyber hygiene and training, cryptography, access control and asset management, and multi-factor and secured communications.
Reporting: 24h, 72h, one month
A significant incident triggers an early warning within 24 hours, a notification within 72 hours, and a final report within one month.
Management liability
Under §38, leadership must approve and oversee the measures and undergo training. Liability is personal and cannot be fully delegated away.
No certificate, watch the claims
There is no NIS2 certificate. Nobody can sell you 'NIS2-zertifiziert'. A self-check is orientation, not evidence and not a Nachweis.
From scope to steady: four steps.
- 01Self-Check
Free, instant. Buys you clarity: which duties apply, how urgent, where the first gaps are.
- 02Scanner + Report
Buys you the map: an expert-reviewed scan of your real product, a prioritized report the next step can use as-is.
- 03Remediation
Buys you the shortest path: we close the gaps with you until handover or signature holds.
- 04Annual cycle
Buys you steadiness: the NIS2UmsVO is coming, BSI guidance keeps growing, and from 2028 the §39 Nachweis looms. The cycle keeps your §30 file current before supervision asks.
Two minutes to see where you stand.
Check your scope and class, then run the §30 readiness pass. No account, no sales call. The self-check also detects whether you operate a critical facility (KRITIS) and what that adds.
A self-check result is orientation, not evidence, and does not by itself demonstrate NIS2 compliance.