NIS2, ISO 27001, NIST CSF 2.0 and IT-Grundschutz: four levels, one security model

When people hear “NIS2,” they think of compliance. When they hear “ISO 27001,” they think of certification. And IT-Grundschutz? It sounds like thick file folders.

In the discussions we have with IT managers, executives, and CISOs, the same uncertainty keeps coming up: “Which framework is right for us?” Behind this question often lies the assumption that NIS2, ISO 27001, NIST CSF 2.0, and BSI IT-Grundschutz are in competition with one another—as if one had to choose. The opposite is true. Those who take cybersecurity seriously combine them. Because each of these four frameworks answers a different question, and does so at a different level. In this article, we organize the four frameworks into a practical level model that aids in consulting, provides clarity for management, and reduces friction during implementation.

A Level Model Instead of a Comparison

Instead of placing the four standards side by side and comparing checklists, it’s worth stacking them on top of one another. Each framework has a clear role:

Level 1 – NIS2: The regulatory level

Question: Why and what must be fulfilled?

The NIS2 Directive is an external obligation. It is not a toolkit or a best-practice catalog, but European law transposed into the national laws of member states. It defines who falls under its scope, which minimum requirements must be met, and what consequences organizations face if they fail.

However, NIS2 does not specify how security should be organized. It simply states that it must be done.

Level 2 – ISO 27001: The ISMS and Management Level

Question: How is security organized?

This is where ISO 27001 comes into play. The international standard provides the Information Security Management System (ISMS)—that is, the organizational framework used to manage information security on an ongoing basis. Roles, responsibilities, processes, risk assessment, audits, continuous improvement.

ISO 27001 turns “security” into a management system. This is precisely why it aligns so well with NIS2: Those with an actively implemented ISMS automatically meet a large portion of the NIS2 requirements—not because an auditor demands it, but because the system works.

Level 3 – NIST CSF 2.0: The governance and risk management level

Question: How are cyber risks managed?

The NIST Cybersecurity Framework 2.0 structures cybersecurity into six functions:

  • Govern – Establish governance and accountability
  • Identify – Understand risks, assets, and dependencies
  • Protect – Implement appropriate protective measures
  • Detect – Detect incidents
  • Respond – Respond to incidents
  • Recover – Recover from incidents

With version 2.0, NIST added the “Govern” function—a clear signal that cybersecurity cannot survive without governance. The CSF is ideal for measuring an organization’s maturity level across these functions, identifying gaps, and prioritizing investment roadmaps. It is the governance framework that translates risks into functional areas.

Level 4 – IT-Grundschutz: The Implementation and Measures Level

Question: How is it implemented in practice?

If the top three levels provide the strategy, then BSI IT-Grundschutz provides the tools. With its modules—ranging from personnel management and Active Directory to specific cloud services—it describes concrete measures that can actually be implemented in IT and business practice. IT-Grundschutz is the answer to the famous question, “That’s all well and good, but how exactly do we do this now?” Anyone who works through a module knows: what the requirements are, how they are implemented, and what evidence they must provide.

How the levels interlock

If you stack the four frameworks in this order, a logical flow emerges from regulation all the way to the power outlet:

  1. NIS2 sets requirements – the legal obligation is in place.
  2. ISO 27001 structures and controls – an ISMS ensures that the obligation is systematically fulfilled.
  3. NIST CSF 2.0 specifies and operationalizes – risks are managed along clear functions.
  4. IT-Grundschutz implements – concrete building blocks and measures are implemented in IT.

The levels do not contradict each other; they complement each other. And they lose their value when viewed in isolation:

  • NIS2 without an ISMS becomes a compliance charade that collapses at the first real incident.
  • ISO 27001 without a risk model becomes a documentation exercise with no control effect.
  • NIST CSF without concrete measures remains a pretty heat map on the wall.
  • IT-Grundschutz without a management level becomes a graveyard of measures with no connection to business reality.

A quick reference for the next board meeting

If you need a brief explanation—for example, for senior management, an audit committee, or an interdisciplinary project meeting—this image works reliably:

  • NIS2 = External requirement
  • ISO 27001 = Management system
  • NIST CSF 2.0 = Governance framework
  • IT-Grundschutz = Practical implementation

Four sentences. Four levels. One model.

What this means in practice

Many organizations we work with ultimately combine all four frameworks—not out of pride in certification, but out of necessity:

  • NIS2 as a regulatory target and scope.
  • ISO 27001 as an ISMS framework that makes security a management responsibility.
  • NIST CSF 2.0 as a governance and maturity model for cyber risks.
  • IT-Grundschutz as a catalog of measures for operational implementation.

This combination is not overkill, but rather a division of labor. Each framework does what it was designed to do—and leaves the rest to the others, which are better suited for those tasks.

What is the concrete approach?

Based on our consulting experience, a pragmatic approach has proven effective:

1. Clarify the scope (NIS2 perspective). Are you affected? If so, in which category? What specific requirements arise from the national implementing legislation?

2. Establish or mature an ISMS (ISO 27001). Roles, risk methodology, scope, steering committee. Without this overarching framework, every measure remains piecemeal.

3. Measure maturity level (NIST CSF 2.0). Where do you stand across the six functions? Where are the biggest gaps between current status and target?

4. Derive measures (IT-Grundschutz). Which building blocks specifically address the gaps? What do you build first, and what later?

Those who follow this path will not end up with a pile of frameworks—but rather a security architecture that is regulatory-compliant, organizationally embedded, risk-oriented, and operationally implementable.

Conclusion

Cybersecurity today is too complex to rely on a single framework—and too strategic to get lost in detailed standards. The multi-level model comprising NIS2, ISO 27001, NIST CSF 2.0, and IT-Grundschutz is not a theoretical construct. It is a practical tool for clarifying responsibilities, prioritizing investments, and ultimately reaching where security truly matters: in your organization’s day-to-day operations. Those who understand the four levels stop pitting frameworks against one another and start making them work together.

Would you like to know where your organization stands on these four levels?

Get in touch – we’ll guide you every step of the way, from the NIS2 analysis right through to the specific IT-Grundschutz module.

Get in touch