From lawvable-awesome-legal-skills
Guides NIS2 compliance assessments including scope classification, Art. 21 gap analysis with maturity scoring, and compliance roadmap for EU Directive 2022/2555 with German BSIG-neu coverage.
How this skill is triggered — by the user, by Claude, or both
Slash command
/lawvable-awesome-legal-skills:nis2-navigator-oliver-schmidt-prietzThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Guide users through a full NIS2 compliance assessment: scope determination, Art. 21 gap analysis across 10 risk management measures, and prioritized compliance roadmap. Covers EU Directive 2022/2555 with deep German national transposition (BSIG-neu) and high-level profiles for Italy, France, Netherlands, Austria, and Spain.
Guide users through a full NIS2 compliance assessment: scope determination, Art. 21 gap analysis across 10 risk management measures, and prioritized compliance roadmap. Covers EU Directive 2022/2555 with deep German national transposition (BSIG-neu) and high-level profiles for Italy, France, Netherlands, Austria, and Spain.
IMPORTANT NOTICE This tool provides structured compliance guidance based on EU Directive 2022/2555 (NIS2) and national transposition laws. It does not constitute legal advice. Final compliance decisions should involve:
- Your organization's CISO / Information Security Officer
- Qualified legal counsel experienced in cybersecurity regulation
Do you acknowledge this and wish to proceed?
Wait for acknowledgment before proceeding.
Search for current regulatory developments before starting — NIS2 transposition is still evolving in many Member States, and enforcement practice is developing rapidly:
NIS2 enforcement updates [current year]
NIS2 implementing regulation EU Commission [current year]
For the full catalog of official EU and BSI sources, load references/regulatory-sources.md when you need to cite specific guidance or direct the user to official resources.
"Will this assessment focus on (a) EU-level NIS2 Directive obligations, (b) a specific Member State's national law, or (c) both?"
Determine whether the organization falls under NIS2 and classify as essential or important. This is the most common first question any entity has, and getting the classification right is foundational — it determines enforcement intensity, fine levels, and reporting obligations.
For German entities, mention the BSI's free Betroffenheitsprüfung (betroffenheitspruefung-nis-2.bsi.de) as a complementary first step. Note it only covers scope — our assessment goes further into compliance maturity and roadmap.
Ask questions ONE AT A TIME in this order:
| # | Category | Question |
|---|---|---|
| 1 | Sector | "What sector(s) does your organization operate in?" Offer Annex I/II categories as reference. |
| 2 | Services | "What specific services do you provide within that sector?" (needed for precise Annex mapping) |
| 3 | Size | "How many employees does your organization have, and what is your annual turnover and balance sheet total?" |
| 4 | Group structure | "Is your organization part of a corporate group? If so, are the NIS2-relevant activities at group or entity level?" |
| 5 | Special status | "Do any of these apply: DNS provider, TLD registry, trust service provider, public electronic communications network, sole provider of a critical service in a Member State?" |
Load references/sector-classification.md for the full Annex I/II sector mapping and size thresholds.
Decision tree:
Group structure: Apply the size test at the level where the NIS2-relevant service operates. Consolidated figures apply with operational integration. Independent entities within a group: assess separately.
SCOPE DETERMINATION
- Sector: [Annex I/II sector and sub-sector]
- Size classification: [Small / Medium / Large]
- Entity category: [Essential / Important / Out of Scope]
- Basis: [Directive Art. / national law reference]
- Special flags: [DORA exclusion / CIR applies / Regardless-of-size / None]
If Germany: BSI registration [required/not required], status [completed / overdue]
Example: A German managed IT services provider with 120 employees and €25M turnover in the ICT service management sector (Annex I) → Annex I, medium enterprise, essential entity (MSPs are essential regardless of size). BSI registration required (overdue since 6 March 2026). CIR 2024/2690 applies. This entity faces both proactive BSI supervision and the additional CIR technical requirements — communicate this clearly because it significantly increases the compliance scope compared to a typical important entity.
If Out of Scope → inform user, suggest voluntary adoption (supply chain pressure from in-scope customers is increasingly common), and end assessment. Otherwise proceed to Phase 2.
Walk through the 10 risk management measures from Art. 21(2)(a)–(j) / § 30 BSIG-neu. The purpose is rapid maturity scoring — enough to identify critical gaps and prioritize, not a full audit. This keeps the assessment accessible for entities encountering NIS2 for the first time while still producing actionable output.
Load references/art21-measures.md for measure descriptions, scoring criteria, and ISO 27001 references.
For each measure, ask ONE targeted question, then score on a 0–4 scale:
| Score | Level | Description |
|---|---|---|
| 0 | Non-existent | No awareness, no measures |
| 1 | Ad hoc | Informal, reactive, person-dependent |
| 2 | Defined | Documented but inconsistently applied |
| 3 | Managed | Consistently implemented, monitored, reviewed |
| 4 | Optimized | Continuously improved, measured, integrated into enterprise risk management |
For each measure, include a brief reference to relevant ISO 27001:2022 Annex A controls. Many organizations approaching NIS2 already have ISO 27001, so this mapping creates immediate practical value — "you already satisfy Art. 21(2)(a) through your A.5.1 and A.5.2 controls" is the kind of output that saves hours of consultant time.
Walk through each measure sequentially. For each:
Detailed measures, questions, and scoring criteria are in references/art21-measures.md.
After scoring all 10 measures, present a summary table:
## NIS2 Gap Analysis Summary
| # | Measure (Art. 21(2)) | Maturity (0-4) | Status |
|---|---------------------|----------------|--------|
| a | Risk analysis & IS policies | [score] | [🔴/🟡/🟢] |
| b | Incident handling | [score] | [🔴/🟡/🟢] |
| c | Business continuity & crisis mgmt | [score] | [🔴/🟡/🟢] |
| d | Supply chain security | [score] | [🔴/🟡/🟢] |
| e | Network & IS acquisition/dev/maint | [score] | [🔴/🟡/🟢] |
| f | Effectiveness assessment | [score] | [🔴/🟡/🟢] |
| g | Cyber hygiene & training | [score] | [🔴/🟡/🟢] |
| h | Cryptography & encryption | [score] | [🔴/🟡/🟢] |
| i | HR security & access control | [score] | [🔴/🟡/🟢] |
| j | MFA & secure communications | [score] | [🔴/🟡/🟢] |
**Overall Score: [X] / 40**
**Overall Rating: [🔴 Critical / 🟡 Needs Improvement / 🟢 On Track]**
Traffic light: 🔴 = 0–1, 🟡 = 2, 🟢 = 3–4. Overall: 🔴 ≤ 15, 🟡 16–29, 🟢 ≥ 30.
Example: A mid-sized logistics company (important entity) might score: (a) Risk analysis 2 🟡 — policy exists but last reviewed 18 months ago; (d) Supply chain 1 🔴 — ad hoc checks only, no contractual clauses; (j) MFA 3 🟢 — enforced for all remote and privileged access. Overall 19/40, 🟡 Needs Improvement. Top priorities: supply chain security and incident handling.
Generate a prioritized remediation roadmap based on the gap analysis.
For German entities, align with the BSI's 6-phase #nis2know Roadmap and reference BSI-Standards 200-2/200-3 as implementation resources — this gives the roadmap additional authority when presented to German management.
Essential entities face proactive supervision, so their gaps are more urgent at every maturity level:
| Maturity 0 | Maturity 1 | Maturity 2 | |
|---|---|---|---|
| Essential entity | P1 — Immediate | P1 — Immediate | P2 — Short-term |
| Important entity | P1 — Immediate | P2 — Short-term | P3 — Medium-term |
Measures at maturity 3–4 → maintenance mode (not in roadmap).
For each gap: (1) Measure, (2) Current state, (3) Target state, (4) 2–3 key actions, (5) Effort (S/M/L/XL), (6) Priority with timeline.
If jurisdiction includes Germany, load references/germany-nis2umsucg.md and add: BSI registration status, § 38 management body obligations, Nachweispflicht deadline (Dec 2028), § 32 incident reporting readiness, KRITIS-Dachgesetz interaction if applicable.
Include a management body section in every roadmap. NIS2 Art. 20 explicitly creates management body engagement requirements, and Germany's § 38(2) BSIG adds personal liability. This section is often the most persuasive part of the assessment — it transforms the abstract compliance obligation into something personal for the individuals in the room:
Management Body Obligations
- Approve risk management measures (Art. 20(1) / § 38(1) BSIG)
- Undergo regular cybersecurity training (Art. 20(2) / § 38(3) BSIG) — not delegable
- Oversee implementation — execution can be delegated to CISO, oversight cannot
- Germany: Personal liability for damages from non-compliance (§ 38(2) BSIG)
Combine all three phases using the template in references/templates.md.
Report structure:
The non-obvious pitfalls that trip up real assessments:
npx claudepluginhub lawve-ai/awesome-legal-skillsEvaluates projects for EU regulatory compliance with RGPD (data protection), NIS2 (cybersecurity infrastructure), and CRA (digital product security). Generates checklists, gap reports, and remediation actions.
Provides expert guidance on NYDFS 23 NYCRR 500 cybersecurity regulations for financial services, covering all 23 sections, annual certifications, CISO requirements, penetration testing, incident notification, and third-party risk management.
Maps EU AI Act obligations based on role and risk tier into a compliance matrix with RACI assignments. Generates checklists for provider and deployer duties.