
Implement NIS2 Practically

No Paper Tigers: Evidence is Automatically Generated from Your Workflows

Annual audits and manual documentation were built for a slower world. We implement NIS2 (and CRA on request) so that requirements become technical controls and evidence is continuously generated from your pipeline and operations.

  • Automated evidence instead of Excel: Evidence comes from CI/CD, IaC and Runtime
  • Vendor-agnostic: we integrate into your toolchain, not the other way around
  • Engineering-compatible: Warn vs Block, Ownership, clear workflows

In 20 minutes we clarify scope, toolchain and evidence strategy. Afterwards you receive a brief recommendation (1 page) with the next steps.

Who Is This For

This page is for companies that build and operate software and therefore cannot or do not want to handle NIS2 as a pure documentation project.

Great fit if

  • You develop a SaaS, platform or cloud product (releases are routine)
  • Your company is active in the German market and likely falls within the scope of NIS2
  • You want actual security improvement and audit-ready evidence
  • You have CI/CD, IaC, containers or plan to expand automation as part of NIS2 implementation

Not ideal if

  • You don't build your own software (standard IT, mostly legacy)
  • It's primarily about on-prem Windows landscapes without automation
  • You're mainly looking for an audit package without noticeable security improvement

The Problem: NIS2 Often Clashes with Modern Software Delivery

  • 17.10.2025: NIS2 implementation deadline (deadline has passed)
  • €10 million or 2% of annual turnover: maximum fine for violations
  • 72h after detection: reporting deadline for incidents

NIS2 is broadly designed to cover many IT realities. In practice, this often leads companies to resort to traditional implementation: writing policies, maintaining documents, filling audit folders.

The problem: This approach has always been inefficient, but for modern software organizations it barely scales.

The result: Effort escalates, evidence is hard to substantiate, and real security impact falls short of expectations.

Why Paper Mode Fails

Dynamic Systems

The truth lies in code, configuration and logs - not in Word documents.

Snapshots

An audit package can appear complete while the actual security situation differs.

Reporting Obligations

During incidents, manual gathering becomes double stress.

Key Message

When NIS2 becomes a documentation exercise, a lot of effort is created with little resilience. The decision is made in architecture, automation and operational processes.

Our Approach: Requirements Become Controls, Controls Generate Evidence

Even though the notion persists that compliance is only possible with manual documentation, NIS2 (and CRA) deliberately leave room in how the requirements are met. What's required are effective measures, clear processes and traceable evidence.

We use exactly this freedom: We don't treat NIS2 as a document project, but as a control-and-evidence chain.

Control-and-Evidence Chain

Requirements (NIS2 / CRA, Scope) → Controls (CI/CD · IaC · Runtime, Policies as Code, Vuln Workflow) → Evidence (audit-ready · versioned, Exports / Repository)

Three Principles

Declarative Technology

instead of retroactive description

IaC, CI/CD and Policies become a traceable, revision-proof change and release process.

Evidence by Default

from running systems

Evidence comes from systems that are already running: Git, CI/CD, IaC, Monitoring, Ticketing.

Lean Processes

without paper wars

Roles, playbooks, escalation and reporting are defined - but efficient and effective.

How Implementation Works


Identity & Access

  • Define roles and permissions as code
  • Automatically enforce Least Privilege
  • Audit trail for all access changes

Evidence

Git Merge Request + Pipeline Log = Audit evidence


Vulnerability Management

  • Consolidate findings from SCA/SAST/DAST
  • Enrich SBOM + exposure
  • Automate ownership + ticketing

Evidence

Central vulnerability view with prioritization


Monitoring & Incidents

  • Version detection rules as code
  • Automatic alert correlation
  • Runbook triggers for critical events

Evidence

Signal → Rule → Alert → Ticket → Postmortem


Reporting Processes

  • Structured incident capture
  • Automatic deadline monitoring
  • Report templates for authority notifications

Reporting deadlines: 24h · 72h · 30 days

Implementation Phases

From analysis to ongoing operations: structured and traceable.

Phase 1: Scope and Control Design

  • Definition of relevant scope (products, systems, supply chain)
  • Risk and measure mapping to your product
  • Definition of evidence: What must be where and when?

Result: Clarity on priorities, controls and evidence paths.

Phase 2: Automation in CI/CD and Operations

  • Integrate controls in pipeline and IaC
  • Workflow: Warn vs Block, Ownership, SLAs
  • Automate evidence generation and storage

Result: Controls run daily, evidence is generated automatically.

Phase 3: Operations and Continuous Evidence

  • Make vulnerability and incident processes operational
  • Generate evidence and reports regularly
  • Effectiveness check: Improve controls, reduce false positives

Result: NIS2 becomes routine instead of audit marathon.

What You End Up With

Not a list of tool features, but what you can actually deliver, present and operate.

1. Lean, Audit-Ready Process Documentation

  • Policies and responsibilities (who, what, when, why)
  • Incident Response Playbook incl. reporting and communication path
  • Exception and risk acceptance process (versioned)

2. Auditable Evidence System

  • Defined evidence sources (Git, CI/CD, IaC, Monitoring)
  • Versioned evidence (change logs, approvals, reports)
  • Export and audit readiness without project mode

3. Effective Vulnerability Management

  • Central view of vulnerabilities from code and supply chain
  • Context-based prioritization (exposure, criticality, SBOM)
  • Workflow: Triage, Fix, Verification, Exceptions, Reporting

Optional: CRA Readiness

If CRA is relevant for your product, we build the system to also support additional requirements for product lifecycle, technical documentation and vulnerability handling.

Target Outcomes

Real Security Gain

Less unplanned work, better prioritization, fewer blind spots

Lower Personnel Effort

Less manual evidence creation, more automation

Delivery Stays Manageable

Security measures without a negative impact on DORA (DevOps Research and Assessment) delivery metrics

Documentation Remains Mandatory - Manual Work Does Not

Yes, NIS2 requires documentation. The difference is how it's created.

What Must Be Documented

  • Roles, policies, processes, exceptions, decisions
  • Effectiveness and regular execution
  • Incident handling and reporting paths

What We Automate

  • Evidence from pipeline, IaC, runtime and tickets
  • Revision-proof history: who, what, when, why
  • Regular evidence exports or evidence repository

Goal: Less manual personnel effort with simultaneously better auditability and real security impact.

No Vendor Lock-in: We Integrate Into Your Toolchain

You don't need to buy a compliance platform to demonstrably implement NIS2. We work with what you have.

Typical Integration Points

CI/CD

GitHub, GitLab, Azure DevOps

Cloud/IaC

AWS, Azure, GCP, Terraform

Runtime

Kubernetes, Container, traditional deployments

Security Tools

SAST/SCA/Secrets/IaC Scanner

Ticketing

Jira, ServiceNow, Linear

Tool selection follows the goal: effective controls and audit-ready evidence.

What This Means for Engineering and Security

For CTOs and VP Engineering

  • Compliance without blocking delivery (Warn vs Block, gradual rollout)
  • Less rework through clear ownership workflows
  • Keep delivery performance stable, make security work plannable

For CISOs and Security Leads

  • Controls with effectiveness evidence, not just policies
  • Clean incident and vulnerability processes for daily operations
  • Evidence that can be presented in audit-ready format

Experience from Regulated Environments

We come from engineering, cloud automation and regulated customer environments. Our focus: NIS2 as a technical and organizational transformation that holds up in operations.


20-Minute NIS2 Fit Check

In 20 minutes we clarify:

Your Scope

Products, systems, supply chain

Your Delivery

CI/CD, IaC, Runtime, Ownership

Your Target

Controls, Evidence, Audit Workflow

Afterwards you receive a brief, concrete recommendation with the next step.


NEXODE CONSULTING GmbH, Oberwallstraße 6, 10117 Berlin