§ 30 BSIG / Art. 21

NIS2 Requirements

What affected entities must implement: 10 mandatory cybersecurity measures, a strict incident reporting cascade, and evidence-based compliance.

10 Mandatory Risk Management Measures (Section 30 BSIG / Article 21)

All essential and important entities must implement these measures. There is no transition period - these obligations have applied since 6 December 2025 in Germany.

1. Risk analysis and information security policies
   Establish and maintain policies for risk analysis and information systems security. Conduct regular risk assessments covering all critical systems and processes.

2. Incident handling
   Implement procedures for preventing, detecting, identifying, containing, mitigating, and responding to security incidents.

3. Business continuity and crisis management
   Backup management, disaster recovery planning, and crisis management procedures to ensure operational resilience.

4. Supply chain security
   Security measures for relationships with direct suppliers and service providers. Includes assessment of all suppliers' cybersecurity practices and contractual security requirements.

5. Security in acquisition, development, and maintenance
   Security in network and information system acquisition, development, and maintenance. Includes vulnerability handling and disclosure procedures.

6. Effectiveness assessment
   Policies and procedures for assessing the effectiveness of cybersecurity risk management measures. Regular testing and evaluation of security controls.

7. Cybersecurity training and cyber hygiene
   Basic cybersecurity training practices for all employees. Awareness programs covering phishing, social engineering, password management, and safe computing practices.

8. Cryptography and encryption
   Policies and procedures on the use of cryptography and, where appropriate, encryption. Covers data at rest, data in transit, and key management.

9. Personnel security, access control, and asset management
   Human resources security policies, access control mechanisms, and asset management procedures. Includes onboarding/offboarding, least-privilege access, and asset inventories.

10. Multi-factor authentication and secured communications
   Use of MFA or continuous authentication solutions. Secured voice, video, and text communications. Secured emergency communication systems within the entity.

Incident Reporting Cascade

All essential and important entities must report significant security incidents to the BSI using a three-stage cascade.

Within 24 hours: Early warning (Frühwarnung)
   Report whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact.

Within 72 hours: Updated notification (Aktualisierte Meldung)
   Severity assessment, impact assessment, indicators of compromise, and initial root cause analysis if available.

Within 1 month: Final report (Abschlussmeldung)
   Detailed description of the incident, confirmed root cause, mitigation measures taken, preventive steps implemented, and cross-border impact assessment.

What counts as a "significant" incident?

A security incident qualifies as significant when it has caused or is capable of causing severe operational disruption or financial losses for the entity.

It also qualifies when it has affected or is capable of affecting other natural or legal persons by causing considerable material or immaterial damage.

Audit and Evidence Requirements

KRITIS Operators

Must demonstrate compliance through audits, inspections, or certifications every 3 years. Must include attack detection systems in their measures. Initial evidence deadline set by BSI at registration (~2028).

Essential entities (besonders wichtige Einrichtungen, non-KRITIS)

No regular mandatory audit cycle, but must maintain comprehensive documentation. BSI may conduct proactive spot checks and order evidence at any time using risk-based selection.

Important entities (wichtige Einrichtungen)

Must document implementation of all required measures. BSI inspections are reactive only - triggered by incidents or justified suspicion of non-compliance.

Acceptable Evidence
  • Internal or external audit reports
  • Certifications (ISO 27001, BSI IT-Grundschutz, etc.)
  • Comprehensive documentation of risk assessments, implemented measures, and effectiveness reviews

ISO 27001 or IT-Grundschutz certification supports but does not guarantee NIS2 compliance - the BSIG requirements may go beyond standard certification scope.

Supply Chain Security
NIS2 introduces mandatory supply chain security obligations. Entities must:
  • Assess the cybersecurity practices of all direct suppliers and service providers
  • Include cybersecurity requirements in supplier contracts
  • Monitor and review supplier security posture on an ongoing basis
  • Coordinate vulnerability disclosure with suppliers
  • Consider the overall quality of products and practices of suppliers, including their secure development procedures