NIS2 Assessment
Review of NIS2 applicability for CONPORT Services GmbH and implementation in the Aldric platform
Version 1.0 — As of: March 2026
The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023 and must be transposed into national law by 17 October 2024. In Germany, this is implemented through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). This assessment examines whether CONPORT Services GmbH, as the provider of the SaaS platform "Aldric", falls within the scope of NIS2, what obligations may result, and how the platform supports customers with their own NIS2 compliance.
This assessment serves internal review purposes and does not constitute legal advice. Final classification should be confirmed by a specialized IT security consultant or IT law attorney. Managing directors are personally liable (Section 38 NIS2UmsuCG).
This is an English translation of the German original. In case of discrepancies, the German version shall prevail.
Part A: Applicability Analysis for CONPORT Services GmbH
Section 1 — Company Profile
| Criterion | CONPORT Services GmbH |
|---|---|
| Legal Form | GmbH (registered in Dortmund, Germany) |
| Activity | SaaS platform for compliance management (Aldric) |
| Sector | ICT services / Digital infrastructure |
| Employees | < 50 (micro/small enterprise) |
| Annual Turnover | < EUR 10 million |
| Balance Sheet Total | < EUR 10 million |
| Customers | B2B (enterprises, authorities, consulting firms) |
| Data Processing | Personal data, compliance documentation, risk assessments |
Section 2 — NIS2 Sector Classification
The NIS2 Directive distinguishes between sectors of high criticality (Annex I) and other critical sectors (Annex II). ICT service management (B2B) falls under Annex II No. 6: Digital Providers, subcategory "Managed ICT Service Providers" (Managed Service Provider).
| Sector (NIS2) | Classification | Result |
|---|---|---|
| Annex I No. 8: Digital Infrastructure | Cloud computing services, data centers | Not directly — CONPORT uses cloud providers, does not operate own data center |
| Annex II No. 6: Digital Providers | Managed Service Provider (MSP) | Potentially applicable — SaaS with compliance data |
| Annex I No. 8: ICT Service Management | Managed Security Service Provider (MSSP) | Not applicable — no SOC/SIEM service |
Section 3 — Threshold Review
NIS2 generally applies the EU SME definition (Recommendation 2003/361/EC). Entities fall within scope if they are:
- Medium-sized enterprise: ≥ 50 employees, OR (> EUR 10 million annual turnover AND > EUR 10 million balance sheet total)
- Large enterprise: ≥ 250 employees OR > EUR 50 million turnover
Threshold Result:
CONPORT Services GmbH currently falls below the thresholds (< 50 employees, < EUR 10 million turnover). A direct NIS2 obligation does not currently exist.
Section 4 — Exceptions and Special Cases
Even below the thresholds, applicability may exist if:
- The entity is the sole provider of a service in a Member State (Art. 2(2)(b))
- A disruption would have significant impact on public order, safety, or health (Art. 2(2)(d))
- The entity provides services to essential or important entities and a failure would significantly impair their operations (supply chain risk)
- A national authority individually designates the entity
Risk Assessment:
If CONPORT serves customers from NIS2-regulated sectors (e.g., energy providers, financial institutions, healthcare), these customers may demand NIS2-compliant measures from CONPORT as part of their supply chain security. This represents an indirect compliance driver that effectively requires NIS2-level measures.
Section 5 — Applicability Summary
| Criterion | Status | Assessment |
|---|---|---|
| Sector classification | Annex II No. 6 (Digital Provider / MSP) | Applicable |
| Employee threshold | < 50 | Below threshold |
| Turnover threshold | < EUR 10 million | Below threshold |
| Direct NIS2 obligation | — | No (currently) |
| Indirect obligation (supply chain) | Customers from regulated sectors | Likely |
| Recommendation | — | Voluntary implementation at NIS2 level |
Part B: NIS2 Requirements and Implementation Status
Even without a direct obligation, CONPORT Services GmbH proactively implements security measures at NIS2 level. The following table shows the ten core areas pursuant to Art. 21 NIS2 and the current implementation status.
Section 6 — Risk Management (Art. 21(2)(a))
| Measure | Status | Details |
|---|---|---|
| IT systems risk analysis | Implemented | Regular assessment of all system components, documented in the Aldric platform |
| Risk assessment methodology | Implemented | Systematic methodology using likelihood × impact scoring |
| Risk mitigation plan | Implemented | Action plan with responsibilities and deadlines |
| Regular review | Planned | Quarterly reviews (formalized with ISO 27001 certification) |
Section 7 — Incident Handling (Art. 21(2)(b))
| Measure | Status | Details |
|---|---|---|
| Incident response plan | Implemented | Documented at /en/legal/incident-response/ |
| 24h early warning | Prepared | Reporting process to BSI defined (24h early warning, 72h report, 1 month final report) |
| Incident classification | Implemented | Severity levels (Critical/High/Medium/Low) with defined escalation paths |
| Forensic preservation | Planned | Audit log retention and forensic analysis capabilities |
Section 8 — Business Continuity (Art. 21(2)(c))
| Measure | Status | Details |
|---|---|---|
| Backup strategy | Implemented | Daily backups, encrypted, separate storage locations |
| Recovery plan | Implemented | RPO < 24h, RTO < 4h (see SLA) |
| Crisis management | Implemented | Defined roles and communication chains |
| Disaster recovery tests | Planned | Semi-annual DR tests at production launch |
Section 9 — Supply Chain Security (Art. 21(2)(d))
| Measure | Status | Details |
|---|---|---|
| Supplier assessment | Implemented | Cloud providers, open-source dependencies, sub-processors assessed (see Sub-Processors) |
| Contractual security requirements | Implemented | DPA with all sub-processors, security clauses in contracts |
| Software supply chain | Partial | Dependency scanning via CI/CD, SBOM in preparation |
| Supply chain due diligence | Implemented | Documented at /en/legal/supply-chain-act/ |
Section 10 — Security in Development and Maintenance (Art. 21(2)(e))
| Measure | Status | Details |
|---|---|---|
| Secure development lifecycle | Implemented | Code reviews, automated tests, CI/CD pipeline with security checks |
| Vulnerability management | Implemented | Automatic dependency updates, CVE monitoring |
| Patch management | Implemented | Critical patches within 48h, regular updates on 2-week cycle |
| Penetration testing | Planned | Annual external pentest at production launch |
Section 11 — Effectiveness Assessment (Art. 21(2)(f))
| Measure | Status | Details |
|---|---|---|
| Security audits | Planned | Internal audits quarterly, external audits annually (ISO 27001 target) |
| KPI measurement | Partial | Uptime monitoring, incident metrics, MTTR tracking |
| Management review | Planned | Quarterly security report to management |
Section 12 — Cyber Hygiene and Training (Art. 21(2)(g))
| Measure | Status | Details |
|---|---|---|
| Security policies | Implemented | Documented at /en/legal/security-policy/ |
| Employee training | Implemented | Onboarding training, annual refresher, phishing awareness |
| Management training | Planned | NIS2 explicitly requires training for management bodies (Art. 20(2)) |
| Password policy | Implemented | MFA for all systems, password manager mandatory |
Section 13 — Cryptography and Encryption (Art. 21(2)(h))
| Measure | Status | Details |
|---|---|---|
| Encryption in transit | Implemented | TLS 1.2+ for all connections, HSTS enabled |
| Encryption at rest | Implemented | AES-256 for database and object storage |
| Key management | Implemented | Separate keys per tenant, regular rotation |
| Cryptography policy | Implemented | Minimum standards defined (no deprecated algorithms) |
Section 14 — Access Control and Asset Management (Art. 21(2)(i))
| Measure | Status | Details |
|---|---|---|
| RBAC / Access control | Implemented | Role-based access control at module/function/record level |
| Multi-factor authentication | Implemented | MFA via Keycloak (TOTP, WebAuthn) |
| Tenant isolation | Implemented | PostgreSQL Row-Level Security (RLS) on all tables |
| Asset inventory | Partial | IT asset register in preparation |
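The tenant isolation row above claims row-level security on all tables. The following SQL is an added illustration for this assessment and is not taken from the Aldric code base: it shows the PostgreSQL RLS pattern the claim implies, and a catalog query that verifies the claim against a live database. Table name `risks`, column `tenant_id`, schema `public` and the session setting `app.tenant_id` are assumptions for the example.

```sql
-- Added example (not the platform's own schema). Assumed: table "risks"
-- in schema "public" with a uuid column "tenant_id"; the application sets
-- the per-session parameter app.tenant_id after authenticating the user.

ALTER TABLE public.risks ENABLE ROW LEVEL SECURITY;
-- FORCE also binds the table owner; without it the owning role bypasses
-- the policy. Superusers and roles with BYPASSRLS are never restricted,
-- so the application role must be neither.
ALTER TABLE public.risks FORCE ROW LEVEL SECURITY;

-- Reads and writes are both limited to the caller's tenant. When
-- app.tenant_id is unset, current_setting(..., true) returns NULL, the
-- comparison is NULL, and no rows are visible: the policy fails closed.
CREATE POLICY tenant_isolation ON public.risks
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Verification query: every ordinary or partitioned table in the
-- application schema that has RLS disabled or not forced. An empty
-- result supports the "RLS on all tables" statement; any row listed
-- is a gap to close.
SELECT n.nspname            AS schema_name,
       c.relname            AS table_name,
       c.relrowsecurity     AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'p')        -- tables and partitioned tables
  AND  n.nspname = 'public'           -- assumption: application schema
  AND  (NOT c.relrowsecurity OR NOT c.relforcerowsecurity)
ORDER  BY c.relname;
```

Running the verification query as part of a CI check or the quarterly review turns the "Implemented" status into evidence that can be produced on request; a table that is created later without a policy shows up immediately rather than at the next audit.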
Section 15 — Secure Communication (Art. 21(2)(j))
| Measure | Status | Details |
|---|---|---|
| Secure authentication | Implemented | OAuth 2.0 / OpenID Connect via Keycloak, JWT-based |
| Network segmentation | Implemented | Kubernetes network policies, separate namespaces |
| Emergency communication | Prepared | Redundant communication channels defined for crisis situations |
Part C: Reporting Obligations
Section 16 — NIS2 Reporting Obligations to BSI
Should CONPORT become directly subject to NIS2 in the future (e.g., through growth or official designation), the following reporting obligations apply pursuant to Art. 23 NIS2 / Section 32 NIS2UmsuCG:
| Deadline | Report | Content |
|---|---|---|
| 24 hours | Early warning | Initial notification to BSI about significant security incident (suspicion suffices) |
| 72 hours | Incident notification | Assessment of incident, severity, impact, indicators of compromise |
| 1 month | Final report | Detailed description, root cause analysis, remediation measures, cross-border impacts |
Even without a direct obligation, CONPORT prepares these processes as regulated customers may contractually require equivalent reporting timelines.
Section 17 — Registration Obligation
Essential and important entities must register with BSI (Section 33 NIS2UmsuCG). Currently, CONPORT has no registration obligation. If thresholds are exceeded or upon official designation, registration will be completed immediately.
Part D: Management Liability
Section 18 — Personal Liability under NIS2
A key element of the NIS2 Directive is the personal liability of management (Art. 20 NIS2, Section 38 NIS2UmsuCG):
- Management bodies must approve risk management measures and oversee their implementation
- Management bodies must attend cybersecurity training
- In case of violations, management bodies can be held personally liable
- Fines: up to EUR 10 million or 2% of worldwide annual turnover (essential entities) or EUR 7 million or 1.4% (important entities)
Action Required for Management:
Even though CONPORT is not currently directly obligated, management should voluntarily fulfill the NIS2 training requirement and formally approve security measures. If the company grows beyond the thresholds, liability applies immediately.
Part E: The Aldric Platform as a NIS2 Tool
Section 19 — NIS2 Compliance for Customers
The Aldric platform supports customers who are themselves subject to NIS2 in fulfilling their obligations:
| NIS2 Requirement | Aldric Module | Function |
|---|---|---|
| Risk management (Art. 21(a)) | Risk Module | Risk analysis, assessment, measure tracking |
| Incident response (Art. 21(b)) | Incident Module | Incident capture, escalation, BSI reporting deadline tracking |
| Business continuity (Art. 21(c)) | TOM Module | Documentation of technical and organizational measures |
| Supply chain security (Art. 21(d)) | Supplier Module | Supplier assessment, risk scoring, contract monitoring |
| Vulnerability management (Art. 21(e)) | Audit Module | Audit trail, change logging |
| Effectiveness assessment (Art. 21(f)) | Dashboard | Compliance score, KPI overview, trend analysis |
| Training evidence (Art. 21(g)) | Training Module | Training management, attendance confirmation, expiry reminders |
| Documentation (Art. 21 general) | Document Module | Versioning, approval workflows, retention periods |
Section 20 — NIS2 Report Templates
Aldric provides pre-configured report templates aligned with NIS2 reporting obligations:
- Early warning (24h): Structured form with all mandatory fields per Art. 23(4)(a)
- Incident notification (72h): Extended assessment with severity classification and indicators
- Final report (1 month): Complete report with root cause analysis and measures
- NIS2 compliance report: Overview of all implemented measures per Art. 21
Recommendations
Section 21 — Immediate Actions (0-3 Months)
- Management training: Conduct cybersecurity training for management
- Formal approval: Management formally approves security strategy and risk management
- Gap analysis: Detailed review of all 10 NIS2 areas against current status
- Threshold monitoring: Establish process to monitor employee count and turnover
Section 22 — Mid-Term Actions (3-12 Months)
- ISO 27001: Start certification (covers many NIS2 requirements)
- SBOM: Create and maintain Software Bill of Materials
- Penetration testing: Commission first external penetration test
- DR tests: Conduct and document disaster recovery tests
- BSI reporting process: Formalize and test reporting process
Final Provisions
This assessment is updated annually or upon material changes (growth, new regulations, security incidents). The next review is planned for Q3 2026.
Provider:
CONPORT Services GmbH
Alte Benninghofer Str. 24
44263 Dortmund, Germany
Managing Director: Benjamin Schowe
Email: info@conport.de
Phone: +49 (0) 2304 6070060
References: NIS2 Directive (EU) 2022/2555 | BSI on NIS2 | Information Security | Incident Response Plan