LIVE · v1.2 STABLE
BUILD 2026.05.27
DIRECTIVE 2022/2555
AGPL-3.0 · 4 EVAL CASES · 32 ASSERTIONS

CYBERSECURITY
SCOPE
to ROADMAP.

Runs a full NIS2 compliance assessment under EU Directive 2022/2555. Scope determination, essential-vs-important classification, Art. 21 gap analysis, 0–4 maturity scoring, prioritized roadmap, and management body briefing — with deep German BSIG-neu coverage.

DIRECTIVE 2022/2555   ·   ART. 20   ·   ART. 21   ·   ART. 23   ·   ANNEX I   ·   ANNEX II   ·   BSIG-NEU   ·   § 30 BSIG   ·   § 38 BSIG   ·   NIS2UMSUCG   ·   CIR 2024/2690   ·   ISO 27001:2022   ·   BSI   ·   DORA   ·   DIRECTIVE 2022/2555   ·   ART. 20   ·   ART. 21   ·   ART. 23   ·   ANNEX I   ·   ANNEX II   ·   BSIG-NEU   ·   § 30 BSIG   ·   § 38 BSIG   ·   NIS2UMSUCG   ·   CIR 2024/2690   ·   ISO 27001:2022   ·   BSI   ·   DORA
§ 01 · CAPABILITIES

SIX PRIMITIVES.
One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
SCOPE & CLASSIFICATION
Maps the entity to Annex I or Annex II, applies the size test, and returns essential / important / out-of-scope. Flags DORA carve-out, CIR 2024/2690, and regardless-of-size categories.
02
ART. 21 GAP ANALYSIS
Walks the 10 risk-management measures of Art. 21(2)(a)–(j) / § 30 BSIG-neu. One targeted question per measure, scored 0–4 with explained reasoning.
03
ISO 27001 CROSSREF
Each measure mapped to ISO 27001:2022 Annex A controls, so existing certification work is credited instead of re-audited.
04
COMPLIANCE ROADMAP
P1/P2/P3 prioritization keyed to entity category and maturity. Essential entities escalate faster under proactive supervision.
05
GERMAN DEEP COVERAGE
BSIG-neu / NIS2UmsuCG: BSI registration, § 32 incident reporting, § 38 management liability, Nachweispflicht, BSI #nis2know roadmap.
06
EU JURISDICTION PROFILES
National profiles for Italy, France, Netherlands, Austria, and Spain — entity taxonomies and supervisory authorities, with transposition status flagged for web verification.
§ 02 · WORKFLOW

FROM INPUT
to ARTEFACT.

Eleven structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Disclaimer & web search
Non-blocking disclaimer. Search for current NIS2 enforcement and implementing-regulation developments before starting.
02
Jurisdiction focus
EU-level only, a specific Member State, or both. Loads the matching reference profile (Germany, or IT/FR/NL/AT/ES).
03
Scope intake
Five questions one at a time: sector, services, size, group structure, special status (DNS, TLD, trust service, public comms, sole provider).
04
Classification
Annex mapping + size test → essential / important / out of scope. Check DORA exclusion and CIR 2024/2690.
05
Scope output
Sector, size class, entity category, legal basis, special flags. For Germany: BSI registration status.
06
Art. 21 walkthrough
For each of the 10 measures: explain the requirement, ask one question, score 0–4, note gaps where score ≤ 2.
07
Gap summary
Maturity table across all 10 measures with traffic lights. Overall score out of 40 and overall rating.
08
Roadmap prioritization
Map each gap to P1 (0–3 mo) / P2 (3–6 mo) / P3 (6–12 mo) by entity category and maturity. Maturity 3–4 → maintenance.
09
Germany-specific items
BSI registration, § 38 management obligations, Nachweispflicht deadline (Dec 2028), § 32 incident reporting, KRITIS-Dachgesetz interaction.
10
Management briefing
Art. 20 / § 38 BSIG board obligations: approve measures, undergo training (non-delegable), oversee implementation, personal liability (DE).
11
Final report
Consolidate scope, gaps, roadmap, management obligations, and jurisdiction specifics into one assessment report.
§ 03 · ANATOMY

WHAT'S
IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.

nis2-navigator/
├── evals  # Test cases + assertions
│   └── evals.json  # 4 cases, 32 assertions
├── references  # Reference corpus
│   ├── art21-measures.md
│   ├── eu-jurisdiction-profiles.md
│   ├── germany-nis2umsucg.md
│   ├── regulatory-sources.md
│   ├── sector-classification.md
│   └── templates.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 04 · DEPLOYMENT

INSTALL
and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire nis2-navigator/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r nis2-navigator/ \
   ~/.claude/skills/user/
§ 05 · OUTPUTS

WHAT YOU
get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Scope determination
Sector, size classification, entity category (essential / important / out of scope), legal basis, and special flags (DORA, CIR, regardless-of-size).
Gap analysis table
Maturity 0–4 across all 10 Art. 21 measures with traffic lights, overall score out of 40, and overall rating.
Compliance roadmap
Per-gap current state, target state, 2–3 key actions, effort (S/M/L/XL), and priority with timeline.
Management briefing
Art. 20 / § 38 BSIG board-level obligations and, for Germany, personal liability under § 38(2).
Jurisdiction overlay
Germany BSIG-neu items, or a country profile for IT / FR / NL / AT / ES with supervisory authority and transposition caveats.
Final assessment report
Executive summary, scope detail, scoring table, prioritized roadmap, management obligations, jurisdiction requirements, next steps.
§ 06 · EVALS

TESTED
before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

04
Test Cases
32
Assertions
100%
Coverage Required
01
We're a German cloud-hosting provider, 80 employees, €15M turnover, balance shee...
8 ASSERTS
02
Run an Art
8 ASSERTS
03
Draft me a management briefing for our German board on NIS2 management body obli...
8 ASSERTS
04
How do we register with the BSI under BSIG-neu? We're a German important entity,...
8 ASSERTS
§ 07 · REGULATORY BASIS

WHAT IT
cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

EU Directive 2022/2555
The NIS2 Directive — scope, classification, and obligations.
Art. 21
The 10 cybersecurity risk-management measures, (2)(a)–(j).
Art. 20 / Art. 23
Management body responsibilities and incident reporting obligations.
BSIG-neu (NIS2UmsuCG)
German transposition: § 30 measures, § 32 reporting, § 38 management liability, BSI registration.
CIR 2024/2690
Binding technical requirements for digital infrastructure / provider entities beyond Art. 21.
ISO 27001:2022
Annex A control mapping for each risk-management measure.
§ 08 · TRUST

EVERY STEP,
auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

§
Source-anchored output.
Every classification, maturity score, and roadmap priority traces to a Directive article, BSIG-neu §, or ISO 27001 control.
VERIFIED
Reproducible decisions.
Pin a build; recreate the scope verdict and gap scoring years later for audit or supervisory defence.
IMMUTABLE
Explained scoring.
Each 0–4 maturity score states its reasoning so the entity can challenge it before it reaches the roadmap.
ENFORCED
**
EU-native.
Built around Annex I/II, BSI registration, and Member State transpositions — Germany deep, IT/FR/NL/AT/ES profiled. Not retrofitted.
NATIVE

NIS2 Compliance Navigator — Deployment Guide

📄 View the interactive skill page →

See CHANGELOG.md for version history.

Overview

NIS2 Compliance Navigator — scope classification, Art. 21 gap analysis, and compliance roadmap under EU Directive 2022/2555:

  • Scope & classification — Annex I / Annex II + essential vs. important entity determination
  • Art. 21 gap analysis with 0–4 maturity scoring across the 10 risk-management measures
  • ISO 27001 cross-references for each measure to leverage existing certification work
  • Compliance roadmap with prioritisation framework (legal exposure, dependency, quick wins)
  • Deep German BSIG-neu coverage — § 30 BSIG registration, NIS2UmsuCG specifics
  • Profiles for IT, FR, NL, AT, ES — country-specific entity-type taxonomies and supervisory authorities
  • Management briefing template (Art. 20 / § 38 BSIG) for board-level liability
  • Incident reporting framework with timelines and escalation paths
  • Supply chain security considerations integrated throughout
  • Final assessment report consolidating scope, gaps, and roadmap

File Structure

nis2-navigator/
├── SKILL.md                              # Main skill instructions (deploy this)
├── CHANGELOG.md                          # Version history
└── references/
    ├── sector-classification.md          # Annex I / II sector taxonomy + entity-size rules
    ├── art21-measures.md                 # The 10 risk-management measures (Art. 21(2)(a)-(j))
    ├── germany-nis2umsucg.md             # § 30 BSIG, NIS2UmsuCG, BSI registration
    ├── eu-jurisdiction-profiles.md       # IT, FR, NL, AT, ES — entity taxonomy + SA contacts
    ├── regulatory-sources.md             # Official EU + Member State source catalog
    └── templates.md                      # Output templates (gap analysis, roadmap, briefing)

Deployment

Claude.ai (User Skills)

  1. Go to Settings → Profile → Custom Skills (or equivalent)
  2. Upload the entire nis2-navigator/ folder structure
  3. The skill will auto-trigger on "NIS2", "BSIG", "BSIG-neu", "NIS2UmsuCG", "Annex I/II", "essential entity", or "Art. 21 gap analysis"

Claude Code / Custom MCP Setup

  1. Copy the nis2-navigator/ folder to your skills directory: bash cp -r nis2-navigator/ /path/to/your/skills/user/nis2-navigator/
  2. Ensure the skill is registered in your configuration

Usage

Quick Start

Describe your organisation:

"We're a German cloud-services provider with 80 employees and €15M turnover. Do we fall under NIS2? If yes, give me a gap analysis against Art. 21 and a 12-month roadmap."

The skill will classify scope, run the gap analysis, and produce a phased roadmap.

Trigger Phrases

  • "NIS2" / "NIS-2" / "BSIG" / "BSIG-neu" / "NIS2UmsuCG"
  • "Essential entity" / "Important entity" / "Annex I/II"
  • "Art. 21 gap analysis" / "NIS2 readiness" / "Cybersecurity compliance assessment"
  • "BSI registration" / "§ 30 BSIG"
  • "Cyberbeveiligingswet" / "Loi Résilience" / "decreto legislativo 138"

Workflow

Phase Description
Session Init Disclaimer, web search for recent developments, jurisdiction focus selection
Phase 1: Scope & Classification Annex I/II routing, essential vs. important, jurisdiction-specific overlays (~5 min)
Phase 2: Art. 21 Gap Analysis 0–4 maturity scoring across the 10 measures with ISO 27001 anchors (~15 min)
Phase 3: Compliance Roadmap Prioritisation framework + Germany-specific items + Art. 20 / § 38 BSIG management briefing
Output Final Assessment Report consolidating scope, gaps, and roadmap

Capabilities Summary

Feature Description
Scope Classification Annex I/II + essential/important + jurisdiction-specific overlays
Art. 21 Gap Analysis 0–4 maturity scoring across all 10 measures
ISO 27001 Crossref Each measure mapped to ISO 27001 controls
Roadmap Prioritisation Legal-exposure-aware sequencing with quick-win identification
Germany Deep Coverage § 30 BSIG, NIS2UmsuCG, BSI registration workflow
EU Profiles IT, FR, NL, AT, ES — entity taxonomy + SA contacts
Management Briefing Art. 20 / § 38 BSIG board-level liability briefing template
Final Report Audit-ready assessment report consolidating all phases

Regulatory Basis

Document Reference
NIS2 Directive EU Directive 2022/2555
Art. 21 10 risk-management measures
Art. 23 Incident reporting obligations
Art. 20 Management body responsibilities
Annex I / II Sector and entity-type taxonomy
BSIG-neu (DE) German NIS2UmsuCG transposition, § 30, § 38
ISO 27001 Risk-management measure crossref

License & Disclaimer

This skill provides structured NIS2 compliance guidance based on EU Directive 2022/2555 and national transposition laws. It is not legal advice. Final compliance decisions should involve your organisation's CISO / Information Security Officer and qualified legal counsel experienced in cybersecurity regulation.

Licensed under AGPL-3.0 — see LICENSE at the repo root.


Created by Oliver Schmidt-Prietz — OneZero Legal