§30 BSIG

NIS2 Requirements Checklist

All 10 mandatory cybersecurity measures under §30 BSIG – what each requires, what evidence the BSI expects, and the practical priority order for implementation.

§30 BSIG defines 10 mandatory cybersecurity measures that every NIS2-affected company in Germany must implement. These measures are not optional and not negotiable – they apply to all besonders wichtige Einrichtungen (bwE) and wichtige Einrichtungen (wE) regardless of size or sector. The CIR 2024/2690 adds technical detail to each measure.

Use this checklist to assess your current state against each measure, identify gaps, and plan your implementation. For each measure, we list the key requirements and the evidence the BSI would expect in an audit. Work through them in the priority order at the bottom – they build on each other, so sequence matters.

How to Use This Checklist
  • Work through each measure in order – they build on each other
  • For each requirement, document your current state and identify gaps
  • Focus on evidence: for every requirement, ask 'how would we prove this to the BSI?'

10 Mandatory Measures (§30 BSIG)

Each measure below maps to §30(2) BSIG and is further specified by CIR 2024/2690. The effort rating reflects a typical 100-person company starting from scratch.

1. Risk Analysis & Information Security Policies
§30(2)(1) BSIG – Establish risk analysis processes and information security policies. This is the foundation: without a risk assessment, you cannot justify any other measure. The BSI expects a methodical approach (BSI-200-3 recommended), not ad-hoc risk lists.

Key Requirements

  • Establish an information security management framework
  • Conduct regular risk assessments covering all critical assets
  • Define risk acceptance criteria and treatment procedures
  • Maintain and review security policies at least annually

Evidence Needed

  • Documented risk assessment with asset inventory
  • Information security policy signed by management
  • Risk treatment plan with assigned owners
Effort: High – foundational, do this first

2. Incident Handling
§30(2)(2) BSIG – Establish processes for detecting, managing, and reporting security incidents. §32 BSIG defines strict reporting timelines: initial notification to BSI within 24 hours, follow-up within 72 hours, final report within one month. You need processes that can meet these deadlines at 2 AM on a Sunday.

Key Requirements

  • Define incident detection, classification, and escalation procedures
  • Establish the 24-hour / 72-hour / 1-month reporting cascade to the BSI per §32 BSIG
  • Assign incident response roles and contact chains
  • Implement post-incident review and lessons-learned process

Evidence Needed

  • Incident response plan with defined roles and responsibilities
  • BSI reporting templates and communication procedures
  • Incident log with classification, timeline, and resolution records
Effort: High – critical, and requires tested processes, not just documentation

3. Business Continuity & Crisis Management
§30(2)(3) BSIG – Ensure continuity of critical services during and after security incidents. This covers backup management, disaster recovery, and crisis management. The CIR requires documented recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems.

Key Requirements

  • Identify critical business processes and their IT dependencies
  • Define RTO and RPO for critical systems
  • Implement and test backup procedures
  • Establish crisis management and communication procedures

Evidence Needed

  • Business continuity plan with RTO/RPO per critical system
  • Backup procedures with documented test results
  • Crisis communication plan with emergency contacts
Effort: Medium – leverages your existing backup infrastructure

4. Supply Chain Security
§30(2)(4) BSIG – Assess and manage cybersecurity risks in the supply chain. NIS2 recognizes that your security is only as strong as your weakest supplier. You must assess suppliers who have access to your systems, data, or network – and include security requirements in contracts.

Key Requirements

  • Inventory all suppliers with access to systems, data, or network
  • Assess cybersecurity posture of critical suppliers
  • Include cybersecurity requirements in supplier contracts
  • Monitor supplier security posture on an ongoing basis

Evidence Needed

  • Supplier inventory with risk categorization
  • Supplier assessment questionnaires or audit results
  • Contract clauses referencing cybersecurity requirements
Effort: Medium – time-consuming to gather supplier data initially

5. Security in Network & System Procurement
§30(2)(5) BSIG – Include security considerations in procurement, development, and maintenance of IT systems. This means security requirements in procurement specs, vulnerability handling procedures, and secure configuration baselines for new systems.

Key Requirements

  • Define security requirements for IT procurement
  • Establish vulnerability handling and disclosure procedures
  • Implement secure configuration baselines for new systems
  • Include security reviews in system acceptance testing

Evidence Needed

  • Procurement guidelines with security requirements
  • Vulnerability management process documentation
  • Secure configuration standards per system type
Effort: Medium – mostly documentation if you already have procurement processes

6. Effectiveness Assessment
§30(2)(6) BSIG – Evaluate the effectiveness of cybersecurity risk management measures. This is the audit loop: you must regularly check whether your measures actually work, not just whether they exist. KPIs, internal audits, and corrective action processes are required.

Key Requirements

  • Define metrics and KPIs for cybersecurity effectiveness
  • Conduct regular internal audits or assessments
  • Implement corrective action procedures for identified gaps
  • Report effectiveness results to management

Evidence Needed

  • Effectiveness assessment reports with KPI measurements
  • Internal audit plan and completed audit reports
  • Corrective action log with resolution tracking
Effort: Medium – requires the other measures to be in place first

7. Cybersecurity Training & Awareness
§30(2)(7) BSIG – Implement cybersecurity training and awareness programs. This covers all employees (annual awareness training), IT staff (role-specific technical training), and management (§38 BSIG obligation). The scope is broader than most companies expect.

Key Requirements

  • Provide annual cybersecurity awareness training for all employees
  • Deliver role-specific training for IT and security staff
  • Ensure management completes §38 BSIG cybersecurity training
  • Track training completion and maintain records

Evidence Needed

  • Training plan with target groups and frequencies
  • Training completion records with dates and attendee lists
  • Management training certificates per §38 BSIG
Effort: Low – many providers offer off-the-shelf training packages

8. Cryptography & Encryption
§30(2)(8) BSIG – Implement appropriate cryptography and encryption measures. Document what encryption you use, where, and why. The CIR requires encryption for data at rest and in transit where appropriate, plus key management procedures.

Key Requirements

  • Inventory encryption usage across systems and data flows
  • Implement encryption for data at rest and in transit
  • Establish key management procedures (generation, storage, rotation, revocation)
  • Define cryptographic algorithm standards aligned with BSI TR-02102

Evidence Needed

  • Cryptography policy with algorithm standards
  • Encryption inventory: what's encrypted, where, with what
  • Key management procedures documentation
Effort: Low to Medium – mostly documenting what you already use

9. Access Control & Asset Management
§30(2)(9) BSIG – Implement access control, identity management, and asset management measures. This combines who can access what (least privilege, role-based access) with what you have (asset inventory). The asset inventory from measure 1 feeds directly into this.

Key Requirements

  • Implement role-based access control with least privilege principle
  • Establish onboarding/offboarding procedures for access provisioning
  • Maintain asset inventory covering hardware, software, and data
  • Implement privileged access management for administrative accounts

Evidence Needed

  • Access control policy with role definitions
  • Onboarding/offboarding checklists with access review records
  • Asset inventory with assigned owners and classification
Effort: High – requires operational process changes, not just documentation

10. Multi-Factor Authentication & Secure Communication
§30(2)(10) BSIG – Implement multi-factor authentication and secure communication measures. MFA is required for remote access, administrative access, and access to critical systems. Secure communication means encrypted email, messaging, and voice where confidential information is exchanged.

Key Requirements

  • Implement MFA for remote access, VPN, and administrative accounts
  • Deploy MFA for access to critical business applications
  • Establish secure communication channels for confidential information
  • Implement emergency access procedures when MFA is unavailable

Evidence Needed

  • MFA deployment documentation with covered systems list
  • Secure communication policy and tool inventory
  • Emergency access procedures with break-glass documentation
Effort: Medium – technical implementation required if MFA is not yet deployed

Priority Order
Not all measures are equally urgent. This priority order reflects dependencies – later measures build on earlier ones – and enforcement risk. Start with what the BSI will ask for first.
Tier 1 – Start immediately
Measures 1 (risk analysis), 2 (incident handling), 9 (access control & assets). These are foundational – everything else builds on them.

Tier 2 – Weeks 3–6
Measures 3 (continuity), 4 (supply chain), 7 (training). These require the asset inventory from measure 1.

Tier 3 – Weeks 7–12
Measures 5 (procurement), 6 (effectiveness), 8 (crypto), 10 (MFA). These build on the controls established in tier 2.

Track Your Progress
The platform breaks each of these 10 measures into structured requirements with evidence uploads, management sign-offs, and progress tracking – so you always know exactly where you stand and what's left to do.