NIS2 Terminology Glossary
Every term you will encounter during NIS2 compliance, explained in plain language. No jargon, no legalese – just what each term means and why it matters for your company.
NIS2 compliance comes with its own vocabulary – a mix of EU legal terminology, German administrative law, and cybersecurity jargon. This glossary explains each term the way you need to understand it: what it means in practice, not just what the letters stand for. Where a term has a commonly used German equivalent from the BSIG, we include it.
Essential Entity
Besonders wichtige Einrichtung
Companies in high-criticality sectors (Annex I of NIS2) that qualify as large enterprises: at least 250 employees, or more than €50 million annual turnover together with a balance sheet above €43 million. A few types count as essential regardless of size, notably KRITIS operators, TLD name registries, DNS service providers and qualified trust service providers. In Germany, essential entities face the strictest requirements and highest penalties under §28 BSIG. Think: energy, transport, banking, health, water, digital infrastructure. They are subject to proactive BSI supervision: the BSI can audit you without a specific trigger.
§28(1) BSIG, NIS2 Directive Art. 3(1)
Important Entity
Wichtige Einrichtung
Medium-sized or large companies in the other in-scope sectors (Annex II of NIS2), plus medium-sized companies in Annex I sectors that fall below the large-enterprise threshold. Medium-sized means at least 50 employees, or more than €10 million in both annual turnover and balance sheet. Same core obligations as essential entities, but lower maximum penalties and reactive rather than proactive supervision: the BSI investigates when there is evidence of a problem, not on a routine schedule. Think: waste, food, manufacturing, postal, chemicals, research.
§28(2) BSIG, NIS2 Directive Art. 3(2)
BSIG (BSI-Gesetz)
Gesetz über das Bundesamt für Sicherheit in der Informationstechnik
The German federal law governing the BSI (Federal Office for Information Security) and cybersecurity obligations. The NIS2UmsuCG amended the BSIG to include all NIS2 requirements. When someone says 'NIS2 compliance in Germany,' they mean compliance with the amended BSIG. This is the law that applies to you – not the NIS2 Directive itself.
BSIG as amended by NIS2UmsuCG
NIS2 Directive
The EU-level legislation (Directive 2022/2555) that required all member states to implement cybersecurity regulation for essential and important entities. It sets the minimum requirements, and each country then transposed it into national law. In Germany, this became the amended BSIG. You do not comply with the Directive directly; you comply with the BSIG.
Directive (EU) 2022/2555
CIR 2024/2690
The EU Implementing Regulation that spells out technical and methodological requirements for the risk management measures and sets concrete thresholds for significant incidents. Unlike the Directive, it applies directly without national transposition, but only to the entity types it names: DNS service providers, TLD name registries, cloud computing, data centre, content delivery network, managed service and managed security service providers, online marketplaces, online search engines, social networking platforms, and trust service providers. For all other entities it is not binding, but it is the most detailed official statement of what 'appropriate cybersecurity measures' means in practice, and auditors use it as a benchmark.
Commission Implementing Regulation (EU) 2024/2690
BSI Registration
BSI-Registrierung
The mandatory registration of in-scope entities with the BSI via its online portal. Required by §33 BSIG with its own penalty provision. You provide your company details, sector classification, a cybersecurity contact person, and IP address ranges. This is a standalone legal obligation – completing it does not satisfy your other NIS2 requirements, but not completing it is its own violation.
§33 BSIG
Significant Incident
Erheblicher Sicherheitsvorfall
A cybersecurity event that actually disrupts your service, causes financial loss, or causes considerable damage to other persons or organisations. Not every phishing email: only events that cross the severity threshold trigger the mandatory BSI reporting cascade. For most entities the test is the general definition from Art. 23(3) of the Directive as transposed into the BSIG (severe operational disruption or financial loss for the entity, or considerable material or non-material damage to others). For the digital-service entity types it covers, CIR 2024/2690 Art. 3 sets concrete thresholds: direct financial loss above €500,000 or 5% of annual turnover, whichever is lower; exfiltration of trade secrets; the death of a person or considerable damage to a person's health; or successful, presumably malicious access capable of causing severe operational disruption.
§32 BSIG, NIS2 Directive Art. 23(3), CIR 2024/2690 Art. 3
Risk Management Measures
Risikomanagementmaßnahmen
The ten categories of cybersecurity measures that all NIS2 entities must implement under §30 BSIG. These range from risk assessment and incident handling to supply chain security and cryptography. They must be 'appropriate and proportionate' to your size and risk profile – a 50-person waste company is not expected to implement the same controls as Deutsche Telekom.
§30(2) BSIG
Supply Chain Security
Sicherheit der Lieferkette
The requirement to assess and manage cybersecurity risks in your supply chain – especially IT service providers, cloud providers, and any supplier with access to your systems or data. You must include security requirements in contracts, assess supplier practices, and monitor them over time. This is new compared to the old KRITIS regime.
§30(2)(4) BSIG
Management Liability
Leitungsverantwortung
The personal liability of company management (Geschäftsführung) for NIS2 compliance under §38 BSIG. Management must approve cybersecurity measures, ensure their implementation, undergo cybersecurity training, and can be held personally liable for resulting damages. This liability cannot be waived – not even by shareholder resolution. This is the provision that moves cybersecurity from the IT department to the boardroom.
§38 BSIG
IT-Grundschutz
IT-Grundschutz
The BSI's own cybersecurity methodology – a comprehensive framework of security modules (Bausteine) with step-by-step implementation guidance. §44(2) BSIG explicitly recognizes Grundschutz implementation as proof of NIS2 compliance. Since the BSI both publishes Grundschutz and enforces NIS2, using their methodology means you are audited against a standard the auditor knows inside out.
§44(2) BSIG, BSI-Standards 200-1 through 200-4
Audit Trail
A chronological record of who did what, when, and why in your compliance process. NIS2 requires evidence that measures are not just documented but actually implemented and maintained. An audit trail shows the BSI auditor that your policies are living documents, not shelf-ware – who approved a measure, when it was last reviewed, what changed.
Multi-Factor Authentication (MFA)
Authentication that requires two or more verification factors, typically something you know (a password) and something you have (a phone, a hardware key). §30(2)(10) BSIG, mirroring Art. 21(2)(j) of the Directive, requires the use of multi-factor or continuous authentication 'where appropriate'; the law does not enumerate specific systems. In practice, remote access (VPN), administrative accounts and e-mail are the obvious places to start, and a password-only admin or VPN login is hard to defend as 'appropriate'. If you are not already using MFA there, this is one of the most concrete technical requirements to implement.
§30(2)(10) BSIG
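What a minimal two-factor check looks like in code, as an added example (not code from the glossary, the BSIG or the BSI): the password is the 'something you know' factor, and a TOTP code from an authenticator app is the 'something you have' factor. The one-time-code arithmetic follows RFC 4226 and RFC 6238 and is checked against the RFC 6238 test vectors; the user record, salt, password and timestamps are constructed for the demo, and the TOTP secret is the RFC's test key. In production this logic normally lives in your identity provider rather than in application code, but the two points the example makes apply either way: tolerate a little clock drift, and never accept the same code twice.

```python
"""Two-factor login check (added example). Factor 1, something you know: a
password verified against a salted PBKDF2 hash. Factor 2, something you have:
a TOTP code (RFC 6238) as produced by an authenticator app. The demo user,
salt and timestamps are constructed; the TOTP secret is the RFC 6238 test key
so the codes can be compared with the RFC's published table."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Second-factor check with clock-drift tolerance and replay protection.

    A submitted code is compared against the current time step and `window`
    steps either side. Once a step has been accepted, that step and every
    earlier one are refused, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def match(self, code: str, unix_time: int) -> Optional[int]:
        """Return the time step whose code matches, or None. Does not consume
        the step; call accept() once the other factor has passed as well."""
        if len(code) != self.digits or not code.isdigit():
            return None
        current = unix_time // self.step
        matched = None
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # replay, or older than a code already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                matched = candidate  # keep looping: same work on every path
        return matched

    def accept(self, step: int) -> None:
        self.last_accepted_step = max(self.last_accepted_step, step)


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed demo data (assumptions for the example, not from the page).
RFC6238_TEST_SECRET = b"12345678901234567890"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_SALT = b"constructed-demo-salt-16"


def make_demo_user() -> dict:
    return {
        "salt": DEMO_SALT,
        "password_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
        "totp": TotpVerifier(RFC6238_TEST_SECRET),
    }


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated, so response time does not reveal
    which one failed, and the TOTP step is consumed only when both pass (a
    mistyped password does not burn the user's current code)."""
    password_ok = check_password(password, user["salt"], user["password_hash"])
    step = user["totp"].match(code, unix_time)
    if not (password_ok and step is not None):
        return False
    user["totp"].accept(step)
    return True


if __name__ == "__main__":
    user = make_demo_user()
    # RFC 6238 vector: at t=1111111111 the SHA-1 code is 14050471 -> "050471".
    print(login(user, DEMO_PASSWORD, "050471", 1111111111))  # True
    print(login(user, DEMO_PASSWORD, "050471", 1111111111))  # False: replay
```

The window of one step either side (90 seconds in total) is what most authenticator apps and servers tolerate; a wider window makes brute-forcing the six-digit space easier, so pair it with rate limiting. Storing `last_accepted_step` per user is the cheap part that many home-grown implementations forget and that lets a phished code be reused within its validity period.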
§30 BSIG – Cybersecurity Measures
The central provision of NIS2 in German law. Lists ten categories of cybersecurity risk management measures that all in-scope entities must implement. Covers risk assessment, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, training, cryptography, access control, and multi-factor authentication. The measures must be 'appropriate and proportionate' – not gold-plated, but genuine.
§30 BSIG
§32 BSIG – Incident Reporting
Meldepflichten
The mandatory three-stage incident reporting cascade. When a significant incident occurs: early warning to the BSI within 24 hours, detailed incident notification within 72 hours, final report within one month. Each stage has specific content requirements. Late or missing reports are separate violations with their own penalty provisions.
§32 BSIG
§33 BSIG – Registration Obligation
Registrierungspflicht
The legal obligation for all in-scope entities to register with the BSI. You provide entity information, sector classification, cybersecurity contact details, and IP address ranges. Non-registration is a standalone violation punishable by fines up to €500,000 – separate from any penalties for failing to implement actual security measures.
§33 BSIG
§38 BSIG – Management Responsibility
Billigung von Risikomanagementmaßnahmen
The provision that makes company management personally liable for NIS2 compliance. The Geschäftsführung must approve risk management measures, oversee their implementation, and complete cybersecurity training. Failure creates personal liability for damages – and this liability cannot be waived by shareholders. This is the paragraph that gets CEOs' attention.
§38 BSIG
NIS2 Annex I – High-Criticality Sectors
The list of sectors whose entities are classified as 'essential' (besonders wichtige Einrichtungen) when they meet the size threshold. Includes: energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
NIS2 Directive Annex I, §28(1) BSIG
NIS2 Annex II – Other Critical Sectors
The list of sectors whose entities are classified as 'important' (wichtige Einrichtungen) when they meet the size threshold. Includes: postal and courier services, waste management, chemical manufacturing and distribution, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), and research organizations.
NIS2 Directive Annex II, §28(2) BSIG
CSIRT (Computer Security Incident Response Team)
Computer-Notfallteam
The national team responsible for receiving and responding to cybersecurity incident reports. In Germany, the BSI serves as the national CSIRT. When you report a significant incident under §32 BSIG, the BSI-CSIRT receives and processes your report. They can also provide technical assistance during incident response – they are not just a mailbox, but an operational resource.
NIS2 Directive Art. 10, §32 BSIG