NIS2 and IT-Grundschutz
§44(2) BSIG provides a legal shortcut: implementing IT-Grundschutz is recognized as sufficient proof of NIS2 compliance in Germany.
The Legal Chain
German companies have a unique advantage over their European peers when it comes to NIS2 compliance. While companies in France, Italy, or the Netherlands must work directly from the NIS2 Directive and the EU Implementing Regulation, German companies can leverage IT-Grundschutz – a well-established, BSI-maintained methodology that has been the standard for information security in Germany for over 25 years.
§44(2) BSIG provides the legal shortcut: companies that implement IT-Grundschutz can use this as evidence of NIS2 compliance. This is not informal guidance – it is codified in the Federal Cybersecurity Act. The BSI itself develops and maintains both the Grundschutz framework and the NIS2 enforcement regime, ensuring alignment by design.
This page maps the entire legal chain from the EU NIS2 Directive through German transposition to the practical implementation methodology. Understanding this chain is essential for any compliance lead: it tells you exactly which requirements come from where, why they exist, and how to satisfy them with documented evidence.
NIS2 Directive: EU Directive 2022/2555 – the EU-wide cybersecurity framework
BSIG: German Federal Cybersecurity Act – transposes NIS2 into German law
CIR 2024/2690: EU Implementing Regulation – defines the technical minimum measures
IT-Grundschutz: BSI methodology – the established German framework for implementing these measures
§44(2) BSIG states that compliance with the requirements of §30 BSIG can be demonstrated through implementation of recognized standards – and explicitly references IT-Grundschutz as such a standard. This means that if you implement Grundschutz according to the BSI-Standard 200-1 through 200-4 methodology, you have a legally recognized basis for claiming NIS2 compliance. This is not a 'get out of jail free' card – you still need evidence – but it gives you a clear, BSI-approved methodology to follow.
In practice, this means you don't need to interpret the NIS2 Directive or CIR 2024/2690 from scratch. The Grundschutz Kompendium already maps the technical requirements to specific Bausteine (modules) and Anforderungen (requirements). When the BSI audits your NIS2 compliance, they are auditing against a methodology they themselves created – not against an abstract EU directive. This alignment eliminates the interpretation gap that plagues companies in other EU member states.
For BSI auditors, Grundschutz implementation is familiar territory. They have been auditing Grundschutz for decades. This means audit efficiency: the auditors know exactly what evidence to expect, the terminology is standardized, and the methodology is documented in German. Compare this to defending an ad-hoc compliance approach against the English-language CIR – the practical advantage is significant.
CIR 2024/2690 (Commission Implementing Regulation) was published on October 17, 2024 and establishes the technical and methodological requirements for NIS2 compliance across the EU. It applies directly – no transposition needed – and defines the minimum measures that all essential and important entities must implement. This is the floor, not the ceiling.
The CIR specifically covers DNS service providers, TLD name registries, cloud computing services, data center providers, content delivery networks, managed services, managed security services, online marketplaces, online search engines, social networking platforms, and trust service providers. However, the BSIG extends these technical requirements to all NIS2-covered sectors in Germany, making the CIR's technical measures the de facto standard for everyone.
The Grundschutz Kompendium covers every requirement in the CIR and goes further. Where the CIR says 'implement access control,' Grundschutz specifies exactly how – through modules like ORP.4 (Identity and Access Management) with step-by-step implementation guidance. This is why §44(2) BSIG recognizes Grundschutz: it is a superset of CIR requirements, not just an equivalent.
BSI Recognition
IT-Grundschutz is explicitly referenced in §44(2) BSIG as a recognized standard for demonstrating NIS2 compliance. ISO 27001 certification may support your case, but it is not specifically named in the law. When the BSI is both the framework author and the enforcement authority, alignment matters.
Requirements Coverage
Grundschutz covers 100% of CIR 2024/2690 requirements through its Kompendium modules. ISO 27001 covers information security management broadly but does not specifically address all BSIG §30 measures – particularly the NIS2-specific incident reporting timelines, supply chain requirements, and management liability obligations. You would need ISO 27001 plus additional gap-filling.
Language & Methodology
Grundschutz is developed in German, by the BSI, for German organizations. The terminology matches the BSIG exactly. ISO 27001 is an international standard published in English, with different terminology and a less prescriptive methodology. For a 100-person German Mittelstand company, Grundschutz's concrete, German-language implementation guidance is significantly more practical than ISO 27001's abstract control objectives.
Audit Advantage
When the BSI audits your NIS2 compliance, presenting Grundschutz-structured evidence means the auditor speaks your language. The methodology, documentation structure, and evidence expectations are standardized. This translates to faster audits, fewer misunderstandings, and clearer outcomes.
BSI Alignment
The BSI publishes the Grundschutz Kompendium, enforces NIS2 compliance, and audits your implementation. Using their own methodology ensures that your interpretation of requirements matches theirs. There is no interpretation gap – the same organization that defines the rules also provides the playbook.
Legal Certainty
§44(2) BSIG gives Grundschutz implementation explicit legal standing as proof of compliance. This is the strongest legal position available: you are following the methodology recognized by the law itself. If challenged, you can point to a specific statutory provision that validates your approach – not just industry best practice or consultant opinion.