ISMS Copilot for critical infrastructure compliance
NIS 2 essential-entity status, national CI regimes like Germany's KRITIS and Australia's SOCI, and the incident-reporting clocks that come with them.
Essential-entity status: what changes legally
Being designated a critical infrastructure operator is a legal status change, not a maturity tier. Under NIS 2, essential entities — energy, water, transport, banking, health, digital infrastructure above the size thresholds — sit in the heaviest regime: proactive, ex-ante supervision (regulators can audit without suspecting a breach), strict incident-reporting clocks (an early warning typically within 24 hours and a fuller notification within 72), and personal liability for management bodies who can be barred from leadership roles for governance failures.
National CI regimes stack on top: Germany's KRITIS regulation under the BSI-Gesetz with sector-specific thresholds and B3S industry standards, Australia's Security of Critical Infrastructure (SOCI) Act with its risk-management programme and mandatory cyber-incident reporting. The obligations are non-negotiable and the clocks are short, so the work is operational readiness, not paperwork.
ISMS Copilot drafts the NIS 2 essential-entity documentation, maps the applicable national CI regime onto it, builds the tiered incident-reporting workflow against the regulatory deadlines, and reconciles all of it with an ISO 27001 ISMS.
The critical-infrastructure regulatory stack ISMS Copilot covers
- NIS 2 essential-entity scope assessment, risk-management measures, and management-accountability framework
- Tiered incident-reporting workflow (early warning ~24h, notification ~72h, final report) against regulatory clocks
- National CI regime mapping — Germany's KRITIS / BSI-Gesetz thresholds and B3S, Australia's SOCI risk-management programme
- Supply-chain and ICT third-party security assessment for critical-service dependencies
- NIS 2-to-ISO 27001 cross-mapping so the ISMS underpins the directive
- Business-continuity and crisis-management documentation for essential services
Built for the critical-infrastructure security lead
NIS 2 essential-entity vs important-entity determination and obligation mapping
Incident-classification thresholds and the multi-stage reporting timeline
KRITIS / BSI-Gesetz sector-threshold and B3S industry-standard guidance
SOCI risk-management programme and mandatory-reporting workflow drafting
ISO 27001 ISMS reconciled with the applicable national CI regime
Board-level accountability and crisis-management runbook templates
Free first-pass NIS 2 scope checker for CI operators
Most critical-infrastructure operators in Annex I sectors fall into the essential-entity tier, but size, sector definition and member-state transposition determine the actual classification. The free NIS 2 Applicability Checker walks the Article 2/3 essential-versus-important test (with national-transposition data) as a structured first pass — a defensible starting point for the heavier-regime work above, not a final legal determination.
Frequently Asked Questions
What legally changes when we are an essential entity under NIS 2?
The regime gets heavier: proactive ex-ante supervision (audits without prior suspicion), strict incident-reporting clocks (early warning ~24h, notification ~72h), and personal liability for management bodies. ISMS Copilot helps you document the obligations and build the reporting workflow. See /frameworks/nis-2.
Does ISMS Copilot cover national regimes like KRITIS or SOCI?
Yes. It maps Germany's KRITIS obligations under the BSI-Gesetz (sector thresholds, B3S industry standards) and Australia's SOCI Act risk-management programme and mandatory cyber-incident reporting onto your NIS 2 and ISO 27001 documentation so the national regime is not a separate binder.
How fast are the incident-reporting deadlines?
Short. NIS 2 expects an early warning typically within 24 hours of awareness and a fuller incident notification within 72 hours, with a final report later. ISMS Copilot drafts the tiered workflow and classification thresholds so the timeline is operationalised before an incident, not improvised during one.
