NIS2 Costs 2026: Consulting vs. Software
What NIS2 compliance really costs: 70,000 EUR government average per Bundestag proceeding. Transparent comparison: consulting 20K-200K EUR one-time vs. Kopexa software from 249 EUR/month.
What NIS2 Compliance Really Costs
NIS2 compliance is not free. The German government estimated in its legislative impact assessment (Bundestag proceedings 20/9171, page 165 ff.) an average of 70,000 EUR in one-time implementation costs per affected entity. In practice, costs range from 15,000 to over 250,000 EUR depending on company size and approach. This article compares the three most common paths and shows you exactly what each one costs.
The Government Average: 70,000 EUR in Context
The German government published concrete figures in its legislative reasoning for the NIS2 Implementation Act: 70,000 EUR in one-time setup costs plus 30,000 EUR in annual operating costs per affected entity. These figures are based on a regulatory impact assessment and represent an average across all company segments.
This is a mean value. Large corporations with complex IT landscapes and hundreds of suppliers land significantly higher. A lean SME with a clear IT structure using software tooling can stay significantly below this figure. Source: Bundestag proceedings 20/9171, page 165 ff., published by the German Federal Ministry of the Interior.
The 5 Cost Drivers of NIS2
Regardless of the approach you choose, five areas account for the majority of NIS2 costs:
1. ISMS setup (risk analysis, policies, controls): Building an information security management system forms the foundation of all NIS2 measures. Without a structured ISMS, the requirements of Art. 21 NIS2 cannot be met on an ongoing basis.
2. Gap analysis and implementation project: The gap analysis identifies the distance between your current security level and the NIS2 requirements. Depending on your starting point, the implementation project is either a small improvement effort or a multi-year transformation.
3. Technical measures (SIEM, EDR, MFA, backup): Logging, monitoring, endpoint protection, multi-factor authentication, and resilient backups are non-negotiable. Those who build this infrastructure from scratch face significant one-time costs.
4. Ongoing evidence collection and audits: NIS2 requires continuous risk management (§ 30 NIS2 Implementation Act), not a one-time snapshot. Evidence archiving, regular internal audits, and BSI reporting processes generate ongoing operating costs.
5. Training and management awareness: Security awareness training is mandatory under NIS2, including for executive management. Training records are among the first items audited by supervisory authorities.
Path 1: Traditional Consulting
External consultants bring experience from many NIS2 projects and can build structures quickly. Day rates for information security specialists typically range from 800 to 2,500 EUR, depending on specialization and experience.
Typical project sizes in practice:
- Small SME (approx. 50 employees, up to 15M EUR revenue): 15 to 25 project days plus 10 to 15 days of follow-up work, approximately 20,000 to 50,000 EUR one-time. Ongoing support: 15,000 to 25,000 EUR per year.
- Mid-sized company (approx. 150 employees): 30 to 50 project days plus 20 days of follow-up work, approximately 50,000 to 150,000 EUR one-time. Ongoing: 30,000 to 50,000 EUR per year.
- Large enterprise (500 or more employees): 80 to 150 project days, one-time costs of 150,000 to 500,000 EUR. Ongoing need: 80,000 EUR or more per year.
Advantages of consulting: External expertise, high speed in setup, clear accountability through a consulting contract. Consulting has its place, especially for the initial build and for complex architectures.
Disadvantages: Once the project concludes, the consulting mandate ends and the ISMS must be maintained internally. Without appropriate software, the consulting deliverables quickly degrade into a collection of outdated spreadsheets. The result is strong dependency on the consultant and poor scalability.
Path 2: Internal CISO or DPO
A dedicated Chief Information Security Officer brings continuity, deep company knowledge, and long-term commitment. Realistic annual salaries for experienced CISOs: 80,000 to 150,000 EUR gross, depending on region and experience. Add tooling budgets, training costs, and potentially a small security team.
For companies with approximately 200 or more employees, an internal CISO can pay off in the long run, especially when multiple frameworks are managed in parallel (NIS2, ISO 27001, GDPR). For small SMEs, this option is rarely economical: qualified candidates are hard to find, expensive, and a departure creates a single point of failure for the entire compliance program.
Advantages: Strong internal continuity, deep company knowledge, no external information leakage.
Disadvantages: High recruitment costs (headhunters charge 20 to 30% of annual salary), long onboarding period, single point of failure when someone leaves. Economically viable only from approximately 200 employees upward.
Path 3: GRC Software with Self-Service or Partner
Modern GRC software makes it possible to build a structured ISMS without full dependency on consultants or an expensive internal CISO. Kopexa offers two options:
- Self-service: From 249 EUR/month, no setup fee, flexible contract terms, 14-day trial without a credit card. One responsible internal employee leads the implementation, supported by pre-structured frameworks, policy templates, and the integrated NIS2 requirements catalog.
- Software with certified partner: A Kopexa partner handles the onboarding and initial configuration, typically for 5,000 to 15,000 EUR one-time. Afterward, the ISMS runs independently in the platform. The partner remains available as an optional complement, but you are not permanently dependent on them.
Advantages: Transparent, predictable costs. Scalable with the company. The ISMS stays alive in the platform, not buried in a folder. Management dashboard for demonstrating compliance to supervisory authorities and auditors.
Disadvantages: One responsible internal employee is needed, even with self-service. Without at least partial capacity freed up internally, even the best software will not deliver results.
Cost Comparison: Example Calculation for 100 Employees
The table below shows a realistic orientation calculation for a mid-sized company with around 100 employees that currently has no structured ISMS:
| Path | One-time | Annual | After 3 Years | Flexibility |
|---|---|---|---|---|
| Consulting | 40,000 EUR | 20,000 EUR | 100,000 EUR | Low |
| Internal CISO | 5,000 EUR setup | 120,000 EUR | 365,000 EUR | High |
| Kopexa Self-Service | 0 EUR | 2,988 EUR | 8,964 EUR | High |
| Kopexa + Partner | 10,000 EUR | 7,988 EUR | 34,000 EUR | High |
Kopexa Self-Service: 249 EUR/month x 12 = 2,988 EUR/year. Kopexa + Partner: 2,988 EUR/year software plus a 5,000 EUR optional annual partner retainer, 7,988 EUR/year in total. These figures are orientation values, not fixed prices; your individual requirements determine the final cost.
What GRC Software Actually Delivers
GRC software is not an end in itself. What a platform like Kopexa concretely takes off your plate in an NIS2 implementation:
- Risk catalog: Structured risk capture and assessment using recognized methodologies. No more spreadsheets.
- Policy templates: Pre-structured information security policies aligned to NIS2 and ISO 27001, ready to be adapted to your company and approved.
- Audit workflow: Scheduled audits with tasks, deadlines, and owners. Results are automatically archived.
- Evidence archiving: Store, version, and make evidence for controls and measures centrally available for BSI audits and supervisory reviews.
- Incident tracking with deadline timers: Prepare the 24-hour early warning, 72-hour initial report, and 30-day final report for the BSI directly from the platform.
- ISO 27001 and NIS2 framework mapping: Map NIS2 requirements to ISO 27001 Annex A controls and leverage synergies. See the NIS2 and ISO 27001 mapping for details.
A full platform overview is available at kopexa.com/platform.
When Each Path Makes Sense
There is no universally correct answer. The decision depends on company size, starting point, internal capacity, and budget:
- One-time implementation, no ongoing ISMS planned: Traditional consulting can make sense. The risk: without a living system, the continuously required evidence collection is hard to fulfill efficiently.
- Large enterprise with a dedicated risk team: Internal CISO combined with GRC software. The software scales to enterprise size; the CISO uses it as an operational tool.
- SMEs and mid-sized companies focused on efficiency: GRC software with self-service or a certified partner. Predictable costs, no ongoing consulting contract, internal ownership of the ISMS.
Common Budget Planning Mistakes
Four false assumptions that repeatedly lead to incorrect budget calculations:
1. "We don't need ongoing costs": Wrong. § 30 of the NIS2 Implementation Act requires continuous risk management. A one-time consulting project does not permanently fulfill this obligation.
2. "One consulting project is enough": The evidence obligation is permanent. BSI audits can come at any time. Without an ongoing system, you lack current proof of compliance.
3. "We need ISO certification": § 30 of the NIS2 Implementation Act requires technical and organizational measures (TOMs), not a specific certification. ISO 27001 is helpful and creates synergies, but it is not a legal requirement.
4. "We only budget for year one": The audit cycle is multi-year. BSI inspections, internal audits, training cycles, and supplier assessments generate ongoing effort.
First: Am I Even Affected?
Before calculating a budget, check whether you are actually subject to NIS2. Companies that do not fall under NIS2 save 100% of the costs listed above. Our sector calculator shows you in a few minutes whether and in which category your company is affected. Only then does a detailed budget calculation make sense.
Related pages:
- NIS2 sector calculator: Check applicability before budgeting
- NIS2 implementation: Practical 12-month roadmap
- NIS2 penalties and sanctions: Why the cost of compliance is lower than the cost of non-compliance
- NIS2 requirements in detail: All ten measures under Art. 21
Want to know what NIS2 compliance concretely costs for your company?
Start free with Kopexa and see how much structure is possible from 249 EUR/month. No contract, no credit card required.