Runs a full NIS2 compliance assessment under EU Directive 2022/2555. Scope determination, essential-vs-important classification, Art. 21 gap analysis, 0–4 maturity scoring, prioritized roadmap, and management body briefing — with deep German BSIG-neu coverage.
Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.
Eleven structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.
Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.
nis2-navigator/ ├── evals # Test cases + assertions │ └── evals.json # 4 cases, 32 assertions ├── references # Reference corpus │ ├── art21-measures.md │ ├── eu-jurisdiction-profiles.md │ ├── germany-nis2umsucg.md │ ├── regulatory-sources.md │ ├── sector-classification.md │ └── templates.md ├── CHANGELOG.md # Version history ├── README.md # Deployment guide └── SKILL.md # Main skill instructions
Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.
nis2-navigator/ foldercp -r nis2-navigator/ \ ~/.claude/skills/user/
Every output is documented, version-pinned, and traceable to its source citation.
Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.
Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.
The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.
See CHANGELOG.md for version history.
NIS2 Compliance Navigator — scope classification, Art. 21 gap analysis, and compliance roadmap under EU Directive 2022/2555:
nis2-navigator/
├── SKILL.md # Main skill instructions (deploy this)
├── CHANGELOG.md # Version history
└── references/
├── sector-classification.md # Annex I / II sector taxonomy + entity-size rules
├── art21-measures.md # The 10 risk-management measures (Art. 21(2)(a)-(j))
├── germany-nis2umsucg.md # § 30 BSIG, NIS2UmsuCG, BSI registration
├── eu-jurisdiction-profiles.md # IT, FR, NL, AT, ES — entity taxonomy + SA contacts
├── regulatory-sources.md # Official EU + Member State source catalog
└── templates.md # Output templates (gap analysis, roadmap, briefing)
nis2-navigator/ folder structurenis2-navigator/ folder to your skills directory:
bash
cp -r nis2-navigator/ /path/to/your/skills/user/nis2-navigator/Describe your organisation:
"We're a German cloud-services provider with 80 employees and €15M turnover. Do we fall under NIS2? If yes, give me a gap analysis against Art. 21 and a 12-month roadmap."
The skill will classify scope, run the gap analysis, and produce a phased roadmap.
| Phase | Description |
|---|---|
| Session Init | Disclaimer, web search for recent developments, jurisdiction focus selection |
| Phase 1: Scope & Classification | Annex I/II routing, essential vs. important, jurisdiction-specific overlays (~5 min) |
| Phase 2: Art. 21 Gap Analysis | 0–4 maturity scoring across the 10 measures with ISO 27001 anchors (~15 min) |
| Phase 3: Compliance Roadmap | Prioritisation framework + Germany-specific items + Art. 20 / § 38 BSIG management briefing |
| Output | Final Assessment Report consolidating scope, gaps, and roadmap |
| Feature | Description |
|---|---|
| Scope Classification | Annex I/II + essential/important + jurisdiction-specific overlays |
| Art. 21 Gap Analysis | 0–4 maturity scoring across all 10 measures |
| ISO 27001 Crossref | Each measure mapped to ISO 27001 controls |
| Roadmap Prioritisation | Legal-exposure-aware sequencing with quick-win identification |
| Germany Deep Coverage | § 30 BSIG, NIS2UmsuCG, BSI registration workflow |
| EU Profiles | IT, FR, NL, AT, ES — entity taxonomy + SA contacts |
| Management Briefing | Art. 20 / § 38 BSIG board-level liability briefing template |
| Final Report | Audit-ready assessment report consolidating all phases |
| Document | Reference |
|---|---|
| NIS2 Directive | EU Directive 2022/2555 |
| Art. 21 | 10 risk-management measures |
| Art. 23 | Incident reporting obligations |
| Art. 20 | Management body responsibilities |
| Annex I / II | Sector and entity-type taxonomy |
| BSIG-neu (DE) | German NIS2UmsuCG transposition, § 30, § 38 |
| ISO 27001 | Risk-management measure crossref |
This skill provides structured NIS2 compliance guidance based on EU Directive 2022/2555 and national transposition laws. It is not legal advice. Final compliance decisions should involve your organisation's CISO / Information Security Officer and qualified legal counsel experienced in cybersecurity regulation.
Licensed under AGPL-3.0 — see LICENSE at the repo root.
Created by Oliver Schmidt-Prietz — OneZero Legal