NIS2 Obligations & Evidence

Your obligations don’t end at your firewall.

NIS2 is in force.
Your supply chain is the blind spot.
Management is personally liable.

Since 6 December 2025, Germany’s NIS2 Implementation Act has been in force — with no transition period. Securing your supply chain is one of ten mandatory measures required by law (§ 30 BSIG). It is the only one not fully in your own hands: you carry responsibility for the security of your supply chain — including companies you don’t own — and you must be able to demonstrate, at any time, what you are doing about it.

NIS2 obligations under the BSIG

§ 30(2) — Risk management
01  Risk analysis & security policies (§ 30(2) no. 1)
02  Incident handling (§ 30(2) no. 2)
03  Business continuity & crisis management (§ 30(2) no. 3)
04  Supply chain security (§ 30(2) no. 4) · EUSEC
05  Secure procurement, development & vulnerabilities (§ 30(2) no. 5)
06  Assessing the effectiveness of measures (§ 30(2) no. 6)
07  Cyber hygiene & training (§ 30(2) no. 7)
08  Cryptography & encryption (§ 30(2) no. 8)
09  Access control & asset management (§ 30(2) no. 9)
10  Multi-factor authentication & secured communications (§ 30(2) no. 10)

Further NIS2 obligations
11  Registration with the BSI (§ 33)
12  Reporting · 24h / 72h / 1 month (§ 32)
13  Management: approval, oversight & liability (§ 38 (1),(2)) · personal liability
14  Management: training duty (§ 38 (3))
15  Evidence & supervision (authority) (§§ 39 / 61 / 62)

Mandatory since 06 Dec 2025 · no transition period
Exhibit 01 — The Obligation

NIS2 is live. No grace period.

Around 29,500 entities across 18 sectors fall under the new BSIG. Three duties apply immediately: register with the BSI, report significant incidents (24h / 72h / 1 month, § 32), and implement and document risk-management measures (§ 30). Top management is personally liable for this.

06.12.2025 — in force: the new BSIG applies immediately, with no transition period for the ten measures under § 30

0 days of grace — the BSI registration deadline (6 March 2026) has already passed

€10M or 2% of worldwide annual turnover — maximum fine for essential entities (§ 65)

§ 38 — you, personally: management must approve and oversee the measures, and is liable
The full obligation set

§ 30 is only one part. NIS2 obligates you across five further areas.

Beyond the ten risk-management measures of § 30 BSIG, there are five further obligation areas: registration, reporting, management approval and oversight, management training, and evidence and supervision. Most of these you meet with internal processes and clear governance — the structural exception is the supply chain (§ 30(2) no. 4). The EUSEC Inside Rating covers all of these areas as a structured self-assessment.

§ 33 BSIG · Art. 27 / 3(4) NIS2
Registration with the BSI
Entry in the BSI portal with current master data and contact points; changes must be reported.

§ 32 BSIG · Art. 23 NIS2
Reporting obligations
Report significant incidents — early warning 24h, follow-up 72h, final report 1 month.

§ 38 (1),(2) BSIG · Art. 20(1) NIS2
Approval & oversight
Management must approve the risk-management measures and oversee their implementation — and is personally liable for this.

§ 38 (3) BSIG · Art. 20(2) NIS2
Training duty
Management must take part in regular training on cybersecurity risks.

§§ 39 / 61 / 62 BSIG · Art. 31–34 NIS2
Evidence & supervision
Periodic evidence obligation (KRITIS, § 39) plus the BSI’s information, audit and enforcement powers (§§ 61/62).

All of these obligations you can drive in-house — with one structural exception: the security of your supply chain. That is exactly where EUSEC fits.

Exhibit 02 — The Problem

Nine you handle in-house. The tenth lies outside your control.

Risk analysis, MFA, training, encryption — these you implement within your own four walls. Supply chain security (§ 30(2) no. 4 BSIG) is different: it requires you to assess and manage the security posture of suppliers whose systems you have no access to. That is exactly where the biggest incidents originate — and exactly where most companies are blind.

Liability without control

You bear personal responsibility (§ 38 BSIG) for the cybersecurity of companies you do not control. An incident at a supplier becomes your incident.

The scaling problem

Hundreds, often thousands of suppliers. Questionnaires and email chains do not scale. By the time the answers come back, the risk picture has long since changed.

Self-disclosures deceive

A questionnaire measures what a supplier says about itself — not what is visible from the outside. That produces a false sense of security, not solid evidence.

Risk is dynamic

A snapshot is out of date the moment it is taken. The supplier that was “green” yesterday can have an open, exploitable vulnerability today.

You don’t know WHEN you will be checked

For essential entities, the BSI can demand evidence at any time and without cause. If you only start documenting once the request arrives, you are too late.

No documentation, no evidence

When the incident or the supervisory request comes, only what you can substantiate counts. No documentation of your supply chain measures means: no evidence of your due diligence.

The edge

Without a system, your third-party risk is incalculable — and your NIS2 evidence is empty. This is not a nice-to-have. This is the edge where personal liability begins.

Exhibit 03 — The Evidence

There is no fixed audit date. So you have to be audit-ready every day.

Unlike critical-infrastructure operators, most NIS2 entities have no automatic evidence cycle. That is not reassuring — it is the opposite: the request can come at any time, and then only what is already documented counts.

Critical-infrastructure operators · KRITIS
Every 3 years — automatically

Proactive, periodic obligation to provide evidence to the BSI.

Basis: § 39 BSIG
Essential entities
Any time — on request

No fixed cycle, but the BSI can order evidence and audits proactively and without cause.

Basis: §§ 61/62 BSIG — supervisory powers
Important entities
Cause-based — reactive

Typically inspected after an incident or on specific suspicion.

Basis: §§ 61/62 BSIG — supervisory powers
The consequence

Evidence cannot be assembled on demand. Maintain the documentation of your supply chain measures continuously and you are audit-ready every single day — delivering instantly when the BSI asks, instead of spending weeks reconstructing it from email chains.

Exhibit 04 — The Solution

Track NIS2 Compliance — your supply chain, continuously rated and audit-ready documented.

EUSEC supports you in meeting the supply chain security requirement under § 30(2) no. 4 BSIG / Art. 21(2)(d) NIS2 — and provides the evidence and documentation you need for this obligation. Each of the six hurdles gets a concrete answer:

01

100% coverage from day one

The non-intrusive Outside Rating assesses every supplier from the outside — without their involvement, in hours instead of months. Even suppliers that never respond are covered.

02

All NIS2 obligation areas

The Inside Rating adds a structured self-assessment across all NIS2 obligation areas — the ten § 30 BSIG measures plus registration, reporting, governance and supervisory readiness — with audit-ready documentation.

03

Discrepancy detection

We place the self-disclosure next to the external observation and flag every gap between claim and reality. No more false security.

04

Continuous monitoring & alerting

Ratings are not a single cut-off date but a live picture. If a critical supplier’s posture deteriorates, you are alerted — before it becomes your problem.

05

Risk-based, by ABC tiers

Assessment depth follows criticality: Outside for the long tail, + Inside for relevant, + Audit for critical suppliers — proportionate, as § 30 BSIG requires.

06

Audit-ready & exportable

Every assessment, every measure, every change — logged and exportable. The evidence of the measures you have taken, ready for your supervisory meetings.

Track NIS2 Compliance
Your supply chain — rated, ranked, documented.

Live updates · Portfolio coverage: 100% · Suppliers rated: 1.284 · Discrepancies flagged: 37 · Negative outlook: 12

Company              Criticality   Outside   Inside   Overall   Outlook
Logistics Partner A  Critical      AAA       AAA      AAA       Stable
SaaS Provider B      Relevant      B         AA       B         Negative
Cloud Provider C     Relevant      AA        AA       AA        Stable
SaaS Provider D      Long-tail     C         –        C         Negative

Illustrative dashboard · audit-ready · exportable. Company names are fictitious. “AAA–C” denotes the EUSEC Rating, not an official determination of conformity. Long-tail suppliers receive the Outside Rating only, so the Inside column is empty for them.
Exhibit 05 — The Math

With or without EUSEC — the difference is your ability to provide evidence.

Without EUSEC
Supplier risk invisible and incalculable
Questionnaires: a false sense of security, months of lead time
No discrepancy detection — blind spots remain
Snapshots that are obsolete the moment they are taken
On a BSI request: frantic reconstruction, patchy records
Personal liability without documented due diligence

With EUSEC
100% portfolio coverage from week one
Outside Rating in hours, no supplier involvement
Every gap between claim and reality flagged
Continuous monitoring with alerting
Audit-ready at any time — evidence of your measures at the push of a button
Documented due diligence — solid evidence of what you did
Exhibit 06 — Plain Talk

What we don’t do — and why that is exactly what makes us credible.

We provide the evidence and the tools. Responsibility for compliance stays with you — and that is precisely why our assessment holds up where “NIS2-certified” promises fall apart.

EUSEC does not certify NIS2 conformity — no private party can; that is for the authority alone to judge. The law provides for no “NIS2 certificate.” What we deliver is the independent, continuous assessment and the audit-ready documentation of your supply chain security — evidence of what you do, not an empty seal.

EUSEC — European Cyber Rating Agency
Scalable. Solid.

10 company ratings — free. Start today.

No credit card. No account required. No commitment.
Results straight to your inbox.