Compliance is a leadership responsibility.
    Since December 2025, it's the law.

    NIS2, EU AI Act, DORA, CRA, ISO 27001. The regulatory environment for mid-market companies is shifting faster than in the past decade. We help you maintain oversight and take the right steps at the right time.

    REGULATORY CHECK

    Which obligations apply to you?

    As of March 2026. Continuously updated.

    Regulatory check by Convios. Current status, not legal advice.

Approx. 29,850 companies in Germany subject to NIS2 (BSI estimate, December 2025; official figure: 29,850 affected companies).

11,500 of approx. 29,850 companies registered with BSI on time by March 2026 (BSI portal, March 7, 2026).

Fines of up to €10M or 2% of global annual revenue, whichever is higher (§30 para. 2 BSIG, essential entities).

    NIS2 applicability unclear

    You're not certain whether your company falls under NIS2. The BSI registration deadline has passed.

    Cyber insurance at risk

    Your cyber insurance requires documentation you can't provide yet.

    AI without governance

    EU AI Act high-risk obligations apply from August 2026. Your company already uses AI tools without documented governance.

    Three regulations, one framework

    You need a governance framework covering NIS2, AI Act, and ISO 27001, without running three separate projects.

    Three packages. From assessment to ongoing advisory.

    BAFA-ELIGIBLE

    PACKAGE 1

    Compliance Check

    Determines applicability, identifies gaps, delivers a roadmap.

    2 days (remote or on-site)

    from €3,500

    WHAT YOU RECEIVE

    Applicability analysis for NIS2, EU AI Act, and DORA where relevant. Gap analysis against the ten security domains of §30 BSIG. Prioritized 12-month implementation roadmap. Assessment of your cyber insurance situation, including obligations under §28 VVG. Board-ready results document, usable as evidence of compliance activity.

    FOR WHOM

    Managing directors who need clarity: are we affected, where do we stand, what takes priority?

    WITHOUT COMPLIANCE

    Missing NIS2 compliance can render your cyber insurance worthless (§28 VVG). BSI audits begin mid-2026. Fines up to €10M or 2% of annual revenue.

    PACKAGE 2

    Compliance Sprint

    Build governance framework. Establish reporting processes. Audit-ready in four to eight weeks.

    4 to 8 weeks, project-based

    from €12,000

    WHAT YOU RECEIVE

    ISMS foundation per ISO 27001, BSI-recommended as NIS2 backbone. Incident response process with 24-hour initial notification per §32 BSIG. Supply chain security assessment per §30 para. 2 no. 4 BSIG. Management training with §38 para. 3 BSIG certification, a direct liability protection measure. Multi-regulation scan: NIS2, EU AI Act, and DORA in one project. Audit preparation for BSI spot checks starting mid-2026.

    FOR WHOM

    Companies that are affected and need to be audit-ready within two months.

    WITHOUT COMPLIANCE

    §38 para. 3 BSIG requires documented management training. Without this, you carry personal liability. Combining NIS2 + AI Act + DORA in one project saves up to 40% implementation effort (ADVISORI reference). Three separate projects cost more and take longer.

    RECOMMENDED

    PACKAGE 3

    Compliance Advisory

    Regulations change quarterly. Your governance framework needs to keep up.

    Quarterly or monthly retainer

    from €2,500/month

    WHAT YOU RECEIVE

    Quarterly compliance review covering new requirements, updated interpretations, and BSI updates. Preparation for regulatory milestones: KRITIS Act July 2026, CRA September 2026, EU AI Act high-risk August 2026. Point of contact for ad-hoc questions on audit requirements or security incidents. Annual governance framework update. Management sparring on regulatory decisions.

    FOR WHOM

    Managing directors who want to resolve this permanently without building an internal compliance function.

    WITHOUT COMPLIANCE

    2026 brings four regulatory milestones in eight months: KRITIS Act (July), EU AI Act high-risk (August), CRA (September), BSI audits (ongoing). Keeping governance current avoids restarting at each milestone.

    Many services are BAFA-eligible. We advise you in the initial consultation.

    Dr. Oliver Gausmann

    Managing Director, Convios

    WHAT MANY OVERLOOK

    Since NIS2 took effect, statutory requirements have automatically become contractual obligations in your cyber insurance policy. Non-compliance can lead to your insurer refusing coverage entirely in the event of a claim. This follows from §28 VVG. Most managing directors I speak with haven't connected these dots yet.

    §28 VVG, German Insurance Contract Act

    01

    30 minutes, free

    Initial consultation

    Determine applicability, identify regulations, prioritize action.

    02

    2 days

    Compliance check

    Gap analysis, roadmap, board-ready results document.

    03

    4 to 8 weeks

    Implementation

    Governance framework, reporting processes, team training. Audit-ready.

    04

    Ongoing, quarterly

    Ongoing advisory

    Keep governance current, prepare milestones, management sparring.

    20 years in regulated environments

    Convios has advised mid-market companies on regulation and governance since 2006. BaFin, FINMA, EASA. Over 40 companies across eight industries.

    Results, then move on

    Compliance slows you down and feels like it creates no value. We handle it quickly and cleanly so you can get back to running your business. Two days for the check, eight weeks to audit-ready.

    AI-supported, autonomous, efficient

    Structured frameworks, AI-supported documentation, proven processes. That reduces coordination rounds and cost. You get results.

    Connected to those who audit

    Governance frameworks aligned with Big 4, DAkkS auditor, and regulatory expectations. Built from experience in BaFin-, FINMA-, and EASA-regulated environments.

    Founder of Ethenios, a GRC platform for predictive compliance intelligence. Regulation is our core business.

    Your next step: a 30-minute initial conversation.

    We'll determine which regulations apply to your company and where you stand.