NIS2 Roadmap: The 5 Phases from Applicability to Audit
Structured 5-phase plan for your NIS2 compliance journey: applicability, BSI registration, risk management, reporting process, evidence collection. Each phase linked to a Kopexa tool.
NIS2 compliance is not a one-time project you tick off after three months. It is a structured 5-phase cycle that starts with the first applicability check and ends with ongoing evidence collection. This article walks you through the entire journey from Phase 1 (Am I even affected?) to Phase 5 (How do I continuously prove compliance to the BSI?) with concrete decision points and the matching Kopexa tool for each step. Once you understand the five phases, you can start at the right point immediately rather than wasting time on work you do not yet need.
Phase 1: Check Applicability
Before you invest a single euro in NIS2 compliance, you need clarity: are you actually in scope? This sounds obvious, but it is the most common entry mistake. Many organisations jump straight to Phase 3 and later discover that their scope was incorrectly defined. NIS2 applies in Germany to entities in 18 sectors that meet specific thresholds for number of employees or annual turnover.
Our NIS2 applicability calculator covers all 17 main sectors and guides you to a result in under 15 minutes. You receive a traffic-light status (in scope / borderline / out of scope) and a PDF report you can hand directly to senior management. The calculator also includes the KRITIS check under § 28 BSIG.
Decision point after Phase 1: Are you an important or particularly important entity under § 28 BSIG? Particularly important entities are subject to proactive BSI supervision and the higher fine ceiling (up to EUR 10 million). Important entities are supervised reactively (up to EUR 7 million). The distinction determines your prioritisation in Phase 3.
If your company falls in the borderline range, also review the NIS2 thresholds by sector. Some sectors have deviating thresholds that resolve borderline cases definitively.
- Time required: 15 minutes
- Outputs: Traffic-light status, PDF report, entity category (important or essential)
- Kopexa tool: Applicability calculator
Phase 2: Register with the BSI
If Phase 1 confirmed that you are in scope, the next step is BSI registration under § 33 BSIG. The registration deadline expired on 06 March 2026. Missing the deadline exposes you to a fine of up to EUR 100,000 under § 65 para. 1 no. 1 BSIG. Registering promptly now demonstrates cooperative behaviour and can reduce the sanction.
The technical process involves three steps: apply for the ELSTER Organisation Certificate, set up Mein Unternehmenskonto (MUK), and register in the BSI portal. The full step-by-step guide is on our NIS2 BSI registration page.
Plan at least 6 working days for the entire process: 5 working days for the ELSTER activation letter to arrive by post, plus 1 hour of actual form-filling time in the BSI portal. Prepare all mandatory details in advance: IP address ranges in CIDR notation, DNS domains, sector classification under Annex I or II, and the name and mobile number of your 24/7 contact point.
- Time required: 6 working days total (5 days ELSTER + 1 hour portal)
- Outputs: Registration number, confirmed 24/7 contact point, sector classification documented
- Deadline note: 06 March 2026 expired; prompt registration reduces fine risk
- Kopexa tool: Registration guide
Phase 3: Build Risk Management
Phase 3 is the most work-intensive phase. § 30 BSIG requires affected entities to implement appropriate risk management measures. This covers risk analysis, incident handling, business continuity, supply chain security, cryptography, access control, MFA, training obligations, and network segmentation. The complete list of obligations is on our NIS2 requirements under Art. 21 page.
How long Phase 3 takes depends heavily on your existing maturity level. An organisation with no ISMS at all should plan for 4 to 6 months. An organisation already certified to ISO 27001 can complete Phase 3 in 4 to 8 weeks, since ISO 27001 already covers around 85% of NIS2 obligations. Details on the overlap are in our NIS2 and ISO 27001 mapping.
The outputs from Phase 3 form the foundation for everything that follows: ISMS documentation, a risk register, and technical and organisational measures (TOMs) are not just regulatory requirements but also the primary subjects of future BSI audits.
- Time required: 3 to 6 months depending on maturity
- Outputs: ISMS documentation, risk register, technical and organisational measures
- ISO tip: ISO 27001 covers 85% of NIS2 obligations and significantly shortens Phase 3
- Kopexa modules: Risks, Policies, IT Assets, Vendors
Phase 4: Set Up the Reporting Process
§ 32 BSIG requires affected entities to report significant security incidents to the BSI in a three-stage chain: an early warning within 24 hours, an initial notification within 72 hours, and a final report within 30 days. Each missed deadline can be sanctioned separately under § 65 para. 1 no. 3 BSIG with up to EUR 500,000.
Phase 4 requires three concrete steps. First, define roles (24/7 contact point, person responsible for reporting, escalation path to senior management). Second, create report templates for all three stages. Third, run a test report via the BSI portal before a real incident occurs. A process that is executed for the first time during a real incident almost always fails.
The Kopexa incident management module supports the entire reporting chain: structured incident capture, escalation workflows, and timestamp documentation that serves as evidence during a BSI audit.
- Time required: 2 to 4 weeks
- Outputs: Reporting process documented, team trained, templates ready, test run completed
- Legal reporting chain: 24h early warning, 72h initial notification, 30d final report
- Kopexa module: Incident management (Incidents)
Phase 5: Evidence Collection and Continuous Audit
Phase 5 is not a closed phase but an ongoing operational mode. § 30 BSIG explicitly requires a continuous risk assessment. The BSI can request evidence at any time. Particularly important entities can be subject to an external audit every two years. If you cannot produce your evidence on demand, the work done in the previous four phases will ultimately count for nothing.
The annually required activities include: updating the risk assessment, reviewing audit logs, renewing training records, and documenting the senior management training obligation under § 38 BSIG. This is supplemented by regular internal audits and, for particularly important entities, preparation for the biennial review by the BSI or an accredited auditor.
The Kopexa evidence archiving module and audit workflow centralise all evidence: risk assessments, policy versions, training records, and audit reports are all in one place and can be exported with a single click during a BSI inspection. This saves weeks of assembly from scattered emails, SharePoints, and network drives.
- Time required: Continuous, annual cycle
- Outputs: Audit-ready documentation, compliance report for senior management, complete evidence trail
- External audit: Every 2 years by BSI for essential entities
- Kopexa modules: Evidence, Audits
Timeline Overview: All 5 Phases at a Glance
The table below summarises the typical effort per phase and the corresponding Kopexa tool.
| Phase | Effort | Kopexa Tool |
|---|---|---|
| 1 Applicability | 15 minutes | Applicability calculator |
| 2 Registration | 6 working days | Registration guide |
| 3 Risk management | 3 to 6 months | Risks, Policies, Assets, Vendors |
| 4 Reporting process | 2 to 4 weeks | Incidents |
| 5 Audit | Continuous | Evidence, Audits |
Common Roadmap Mistakes
From working with organisations across various sectors, we know the typical roadmap mistakes. Here are the five most common ones:
1. "We start with Phase 3": Without a completed applicability check, the scope is unclear. You may build measures for systems that are not in scope under NIS2 while missing those that are. Always start with Phase 1.
2. "We do not need Phase 4, we have no SIEM": The reporting obligation under § 32 BSIG applies entirely independently of the tools you use. Even without a SIEM you are required to report significant incidents. A missing reporting process is its own fine position.
3. "Phase 5 is optional": § 30 BSIG explicitly requires continuous assessment of risk management measures. Stopping documentation after initial implementation causes you to lose your compliance status again.
4. "One phase per quarter is enough": At one quarter per phase, full implementation takes over a year. Given the already expired registration deadline and the immediate applicability of fines, this is too slow. Plan Phases 1 and 2 in parallel; run Phase 3 on two tracks.
5. "External consultants handle it completely": Consultants can help with analysis, documentation, and implementation. But internal accountability remains with the organisation and its senior management. § 38 BSIG explicitly anchors personal liability regardless of who you engage. Whether you use Kopexa self-service or work with a partner, the responsibility is yours.
What Kopexa Delivers for the NIS2 Roadmap
Kopexa is an OSCAL-based GRC platform that maps all five phases of the NIS2 roadmap in a single system. Instead of spreadsheets, scattered email documentation, and manual evidence assembly, you get a central platform for the entire compliance lifecycle.
- Risk management: Risk register, ISO 27005 assessments, measure tracking
- Policy management: Policy templates, approval workflows, versioning
- IT asset management: Asset inventory, classification, risk assignment
- Vendor management: Supplier assessments, risk classification, supply chain tracking
- Incident management: Structured incident capture, 24h/72h/30d workflow, BSI reporting templates
- Evidence and audits: Central evidence archive, audit trail, compliance reports
Kopexa is hosted in Germany, available from EUR 249 per month, and can be tested free for 14 days. No sales call required. Full pricing and feature details are on the pricing page. If you prefer working with a certified partner who accompanies you through all five phases, see our partner programme.
Next Step: Start with Phase 1 Now
The easiest entry point into the NIS2 roadmap is the applicability calculator. In 15 minutes you know whether and in which category your organisation is affected. The result gives you the foundation for all subsequent phases and a PDF report you can share directly with senior management.
If you already know you are in scope and prefer to start with the Kopexa platform: try it free for 14 days, no contract, no call required. Or start with partner support through our partner network.