
NIS 2 Scope

The Scope defines which parts of your organisation are considered within the context of NIS 2. Functionally, it corresponds to the information domain in IT-Grundschutz as well as the scopes in ISO 27001 and BCM. See: IT-Grundschutz – Information Domain.

Only objects that you link to a NIS 2 scope will appear in:

  • NIS 2 Risk Management and
  • NIS 2 Audit Management

Typical NIS 2 Scopes

Examples of scopes in the NIS 2 context:

  • "NIS2 – Critical IT Services for Customers"
  • "NIS2 – Data Centre Operations Site X"
  • "NIS2 – Central Platform Services (e.g. Identity & Access, Network, Storage)"
  • "NIS2 – Production IT"

For each scope you can document in the description, for example:

  • which entity (essential / important) is being considered,
  • which sites are included,
  • which regulatory requirements are relevant here.

Creating a Scope

  1. Open the NIS 2 module.
  2. Select the Scope tile.
  3. Click Create Scope (plus icon or three-dot menu).
  4. Enter:
       • Name (e.g. "NIS2 – Security 2025"),
       • Description (brief textual delineation),
       • optionally a formal delineation (e.g. sites, systems),
       • Subject-matter relevance (NIS 2 – and optionally also ISO 27001, IT-Grundschutz, BCM).

Via the subject-matter relevance you can reuse the same scope in other modules without having to create it again.


Linking Processes and Assets to the Scope

After creation, the scope is initially empty. Now you link the objects from your organisation that should be considered in the NIS 2 context:

  • Processes
  • Infrastructure
  • Hardware
  • Software / Applications
  • Service Providers
  • Personnel
  • Data / Information Domains

Procedure (example: Processes):

  1. Open the desired scope.
  2. Navigate to the Processes section.
  3. Click Link Processes.
  4. The list shows all processes that are not yet linked to this scope.
  5. Select one or more processes and confirm the selection.

Follow the same procedure for infrastructure, hardware, software, service providers and data.

Multiple Links

A process or asset can exist in multiple scopes simultaneously, e.g. in an ISO 27001 scope and a NIS 2 scope. This allows meaningful mapping of overlaps between standards.


Using Dependencies

If you have already maintained dependencies between processes, assets and service providers in the inventory, you benefit from this in the NIS 2 scope:

  • You can see which resources are required for a NIS-2-critical process.
  • You can identify potential single points of failure.
  • Later in risk management, you can focus risks and actions specifically on critical dependencies.

These dependencies are also used in IT-Grundschutz and BCM; NIS 2 builds on them.


Impact on Risk Management and Audits

The defined scope controls:

  • which assets and processes are assessed in the NIS 2 risk analysis,
  • which objects the actions and findings relate to,
  • which elements are available as audit subjects in NIS 2 audits.

If you later want to include new processes or systems in the NIS 2 scope, you simply need to:

  1. create them in Organisation / Inventory and
  2. link them to the corresponding NIS 2 scope.

Everything else (risk, actions, audits) builds on this automatically.