ISMS Copilot for public-sector compliance
National security baselines — Spain's ENS, the Netherlands' BIO, Germany's BSI IT-Grundschutz — plus NIS 2 essential-entity obligations.
Why public-sector compliance is baseline-driven, not risk-driven
Private-sector security lets you justify a control by risk appetite. Public-sector security usually does not. Most member states impose a mandatory national baseline on public bodies and the suppliers selling to them: Spain's Esquema Nacional de Seguridad (ENS) under Royal Decree 311/2022 with its Básica/Media/Alta categorisation, the Netherlands' Baseline Informatiebeveiliging Overheid (BIO), and Germany's BSI IT-Grundschutz with its building-block catalogue. These are prescriptive: the control set is largely fixed by the baseline and your category, not negotiated down by a risk assessment. On top of the baseline, NIS 2 frequently classifies public administration as essential entities — the heavier regime, with proactive supervision, stricter incident-reporting deadlines, and personal management liability. ISMS Copilot drafts documentation against the specific national baseline, maps it to an ISO 27001 ISMS so the international standard and the national baseline coexist, and layers NIS 2 essential-entity obligations on top.
NIS 2 framework details
The public-sector regulatory stack ISMS Copilot covers
- ENS documentation aligned to Royal Decree 311/2022 and the Básica/Media/Alta categorisation
- BIO (Baseline Informatiebeveiliging Overheid) control drafting for Dutch public bodies and suppliers
- BSI IT-Grundschutz building-block and module mapping for German public-sector work
- NIS 2 essential-entity scope assessment, risk-management measures, and incident reporting
- National-baseline-to-ISO 27001 cross-mapping so the ISMS and the baseline coexist
- Supplier conformity documentation for public-procurement security clauses
Built for public-sector and govtech compliance leads
- ENS categorisation walkthrough (Básica / Media / Alta) and control selection
- BIO control-to-ISO 27001 mapping for Dutch government suppliers
- BSI IT-Grundschutz methodology and modernised module guidance
- NIS 2 essential-entity accountability and stricter incident-reporting timelines
- ISO 27001 SoA generator reconciled against the applicable national baseline
- Public-procurement security-clause and conformity-statement drafting
Frequently Asked Questions
Which national baseline does ISMS Copilot support?
It drafts documentation for the major mandatory baselines — Spain's ENS (Royal Decree 311/2022), the Netherlands' BIO, and Germany's BSI IT-Grundschutz — and maps each onto an ISO 27001 ISMS so the international standard and the national baseline coexist rather than duplicate.
Is public administration an essential entity under NIS 2?
Frequently, yes — NIS 2 commonly classifies public administration entities as essential, which means the heavier regime: proactive supervision, stricter incident-reporting deadlines, and personal management liability. ISMS Copilot helps you run the scope assessment and document the obligations. See /frameworks/nis-2.
We sell to government, not run it — does this apply to us?
Yes. Suppliers selling into the public sector are usually contractually bound to the relevant baseline (ENS conformity, BIO, IT-Grundschutz). ISMS Copilot drafts the supplier conformity documentation and procurement security-clause responses that public buyers require.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.
