BSI IT-Grundschutz and NIS2: Which Modules Help?

BSI IT-Grundschutz covers about 80% of §30 BSIG requirements — from the same institution. But registration, reporting and §38 liability remain open.
Yes, BSI IT-Grundschutz directly supports NIS2 compliance because both the methodology and the supervisory authority come from the same institution. The roughly 110 modules of the 2023 Edition cover about 80 percent of the ten §30 BSIG measure areas, from ISMS.1 to CON.3. However, the purely statutory NIS2 obligations such as BSI registration, the §32 BSIG reporting cascade and §38 BSIG management liability remain open even with IT-Grundschutz in place.
NIS2Compass shows in the Pre-Check which IT-Grundschutz modules you already have and which NIS2 obligations apply on top.
What is BSI IT-Grundschutz and how does it relate to NIS2?
BSI IT-Grundschutz is the ISMS methodology developed by the German Federal Office for Information Security (BSI). It consists of four BSI Standards (200-1 through 200-4) and the Compendium with around 110 modules organised into ten layers. The constellation is unique: the same BSI that publishes IT-Grundschutz has also been the NIS2 supervisory authority under BSIG since December 2025.
IT-Grundschutz is a methodology for building and operating an information security management system (ISMS). The BSI IT-Grundschutz overview describes three approaches: Basic Protection as the entry-level approach, Standard Protection for full implementation and Core Protection focused on an organisation's crown jewels.
The four BSI Standards form the methodological foundation:
- BSI Standard 200-1: Information security management systems, compatible with ISO 27001
- BSI Standard 200-2: IT-Grundschutz methodology with the three protection paths
- BSI Standard 200-3: Risk analysis based on IT-Grundschutz
- BSI Standard 200-4: Business continuity management (May 2023, compatible with ISO 22301)
The IT-Grundschutz Compendium complements these standards. The 2023 Edition contains around 110 modules across ten layers: process layers (ISMS, ORP, CON, OPS, DER) and system layers (APP, SYS, IND, NET, INF). A module is a thematically coherent collection of security requirements; a layer groups related modules.
The NIS2 connection is structurally unique. BSI has been developing IT-Grundschutz since 1994 and, since December 2025, supervises the approximately 29,500 NIS2-affected companies in Germany under §61 BSIG. Those who use IT-Grundschutz speak the same language as their supervisor during an audit, unlike ISO 27001, which is internationally standardised and audited via DIN/DAkkS-accredited auditors.
Despite this proximity, BSIG does not prescribe a specific standard. §30 BSIG requires "appropriate, proportionate and effective technical and organisational measures". Anyone choosing ISO 27001 or a custom approach is not at a disadvantage. For more on methodological freedom, see the article Do I need an ISMS for NIS2?.
The NIS2Compass Pre-Check explicitly asks about existing IT-Grundschutz implementation and maps the IT-Grundschutz modules to the roughly 124 NIS2 implementation steps.
Which §30 BSIG requirements does IT-Grundschutz cover directly?
IT-Grundschutz structurally covers all ten measure areas from §30 (2) BSIG, from ISMS.1 (security management) to DER.2.1 (incident response). The official BSI mapping table "ISO/IEC 27001 to IT-Grundschutz" (2023 Edition) makes the bridging logic verifiable. About 80 percent of §30 requirements can be implemented directly via IT-Grundschutz modules.
The following mapping names the central module codes from the 2023 Edition Compendium for each of the ten items in §30 (2) BSIG. It is intended as an entry point, not a complete audit proof.
- §30 (2) No. 1 (Risk analysis and IT security concepts): ISMS.1 (security management), ORP.1 (organisation) and BSI Standard 200-3 (risk analysis). Supplemented by the elementary threats G0.1–G0.47, which structure every risk analysis.
- §30 (2) No. 2 (Incident management): DER.2.1 (handling security incidents), DER.2.2 (IT forensics readiness) and DER.2.3 (remediation of widespread security incidents). These three modules cover the complete incident lifecycle.
- §30 (2) No. 3 (Business continuity / backup): CON.3 (data backup concept), DER.4 (emergency management) and BSI Standard 200-4 BCM. CON.3.A4 explicitly requires regular restore tests, exactly as §30 demands.
- §30 (2) No. 4 (Supply chain security): OPS.2.3 (use of outsourcing), OPS.2.2 (cloud usage) and OPS.3 (vendors and manufacturers). This covers both supplier selection and ongoing governance.
- §30 (2) No. 5 (Secure procurement, development, maintenance): CON.8 (software development), OPS.1.1.5 (logging), OPS.1.1.6 (software testing and approvals) and OPS.1.1.3 (patch and change management). These modules form the core of secure SDLC in IT-Grundschutz.
- §30 (2) No. 6 (Effectiveness assessment): DER.1 (detection of security-relevant events), DER.3.1 (audits and reviews) and DER.3.2 (reviews based on the IS-Revision guideline). This methodically anchors continuous effectiveness review.
- §30 (2) No. 7 (Training / awareness): ORP.3 (awareness and information security training). This module is central because §38 (3) BSIG additionally obliges management to undergo named training.
- §30 (2) No. 8 (Cryptography): CON.1 (cryptographic concept), including certificate and key management via CON.1.A4, CON.1.A10 and CON.1.A11. This fully covers the §30 requirement for documented cryptography.
- §30 (2) No. 9 (Personnel security, access control, asset management): ORP.2 (personnel), ORP.4 (identity and authorisation management) and CON.2 (data protection), supplemented by the system layer (SYS, APP). The mix of process and system modules is mandatory here.
- §30 (2) No. 10 (MFA, secure communications): NET.1.1 (network architecture and design), NET.3.3 (VPN), ORP.4.A22 (multi-factor authentication), NET.4 (telephony) and the APP modules for secure voice, video and text communication.
The official BSI mapping table "ISO/IEC 27001 to IT-Grundschutz" (2023 Edition) makes this bridging logic reliable for ISO users. The original states: "The ISMS built this way meets the requirements of ISO/IEC 27001 and has an equivalent to the implementation guidance of ISO/IEC 27002." Anyone with IT-Grundschutz in place is therefore ISO-equivalent, and to the same degree NIS2-relevant in coverage. An independent estimate from openKRITIS NIS2 mapping combined with the BSI table results in roughly 80 percent §30 coverage via IT-Grundschutz modules. The full ISO 27001 mapping table can be found in the article NIS2 vs. ISO 27001.
"Anyone who has consistently implemented IT-Grundschutz typically saves several months on NIS2 implementation. The mapping logic exists, the methodology is BSI-recognised, and the modules address the §30 topics in great detail. What remains is the NIS2-specific layer: registration, reporting obligation, management liability." — Dr. Markus Hartmann, Senior Compliance Consultant at NIS2Compass
Which NIS2 obligations does IT-Grundschutz NOT cover?
Even a complete IT-Grundschutz implementation does not replace four purely statutory NIS2 obligations: BSI registration under §33 BSIG, the three-stage reporting cascade under §32 BSIG (24h/72h/1 month), personal management liability under §38 BSIG, and the management training obligation under §38 (3) BSIG. These requirements are organisational and legal, not technical, and therefore not the subject of a security standard.
These four gaps stem from the NIS2UmsuCG, which has been in force since December 2025. They are not a flaw in the IT-Grundschutz Compendium but reflect a simple fact: statutory obligations belong in legislation, not in a security standard.
- BSI registration obligation (§33 BSIG). Affected companies had to register via the BSI portal by 6 March 2026. IT-Grundschutz does not address this, no module requires an external notification to an authority. Those who missed the deadline must register late and risk fines of up to EUR 10 million or 2% of global annual turnover (§60 BSIG).
- Reporting obligations under §32 BSIG. Three fixed deadlines that appear in no IT-Grundschutz module: 24 hours early warning, 72 hours initial report with assessment, 1 month final report. DER.2.1 (handling security incidents) is methodologically excellent but knows no statutory reporting deadlines to a supervisory authority. For details on the reporting cascade: NIS2 reporting obligations: when, what, to whom?.
- Personal management liability (§38 BSIG). The legal wording is unambiguous: "Management bodies that violate their obligations under paragraph 1 shall be liable to their institution for damages caused through fault." IT-Grundschutz requires the "assumption of overall responsibility for information security by management" in ISMS.1.A1, but knows no civil personal liability of management with damages exposure.
- Management training obligation (§38 (3) BSIG). The wording is again precise: "Management bodies of essential and important entities must regularly attend training to acquire sufficient knowledge for identifying and assessing risks and risk management practices." ORP.3 (awareness and training) covers general employee awareness, but not the named board or management training with proof obligation towards BSI.
These four gaps are not content deficiencies of IT-Grundschutz but structural limits. An information security standard cannot prescribe statutory reporting deadlines, civil liability rules or regulatory registration, that belongs in legislation, here the BSIG. Anyone using IT-Grundschutz has an excellent foundation for the §30 requirements and supplements the NIS2-specific obligations through additional documentation and processes. For details on the possible fine amounts, see the article NIS2 fines: What penalties apply for violations?.
Do I need an ISO 27001 certification based on IT-Grundschutz for NIS2?
No. Neither BSIG nor the NIS2UmsuCG prescribes certification, neither ISO 27001 nor ISO 27001 based on IT-Grundschutz nor IT-Grundschutz attestation. The obligation is to implement the measures under §30 BSIG, not to provide proof via a certificate. However, certification helps with substantiation towards BSI, insurers and business partners.
Methodological freedom is legally anchored. §30 (1) BSIG requires "appropriate, proportionate and effective technical and organisational measures" and deliberately names no specific standard. BSI explicitly confirms this methodological freedom on its page on ISO/IEC 27001 in the NIS-2 context. What matters for NIS2 compliance is the outcome, not the certificate.
Three certification options for context:
- ISO 27001: International certification via DIN/DAkkS-accredited auditors. The most established variant and most frequently required in B2B contracts.
- ISO 27001 based on IT-Grundschutz: Combined certification in which BSI IT-Grundschutz methodology is explicitly considered in the audit. Suitable when an organisation already uses IT-Grundschutz and additionally wants an internationally recognised certificate.
- IT-Grundschutz attestation: Pure IT-Grundschutz confirmation without ISO reference. More widespread in the public-sector environment.
When certification makes sense:
- Customer or contract requirements, especially in upper B2B
- Better terms or simply being able to take out cyber insurance
- Structured external pressure as discipline for internal processes
- Reliable substantiation towards BSI in an audit
When certification does not make sense:
- Purely meeting NIS2 obligations without external requirements
- Smaller SMEs just above the NIS2 threshold with limited resources
- When the effort for a fully certified ISMS is disproportionate to company size
For a detailed answer to the sufficiency question, see Is ISO 27001 enough for NIS-2 compliance?. The core message applies analogously to IT-Grundschutz attestations: a certificate is foundation but not automatic compliance proof. For an overview of methodological freedom, the SME options can be found in Do I need an ISMS for NIS2?.
On distribution: Around 16,000 valid ISO 27001 certificates exist in Germany (ISO Survey 2024). The number of pure IT-Grundschutz attestations and combined ISO 27001 on IT-Grundschutz certificates is significantly lower and can be viewed via the public BSI list of IT-Grundschutz certificates. Both paths meet NIS2 equivalently in substance, the choice depends on the market environment, not on the law.
How do I use existing IT-Grundschutz for the NIS2 entry?
Anyone who has already implemented IT-Grundschutz starts NIS2 introduction in three steps: first, check the scope against the NIS2 entity definition, because IT-Grundschutz allows free scope selection, BSIG does not. Second, take the existing mapping as a basis and add the NIS2 gaps. Third, prepare the documentation for BSI audit readiness.
Step 1: Scope review (1 week). IT-Grundschutz allows free scope selection at group, site or single business unit level. §30 BSIG requires implementation for the entire relevant entity operation. With multiple sites or plants, a scope extension is therefore almost always necessary before the existing ISMS can serve as a basis.
Step 2: Gap analysis modules vs. §30 (1–2 weeks). Systematically work through the ten §30 measure areas and evaluate the covering modules per area (ISMS.1, ORP.3, CON.3, DER.2.1, etc.). Particular attention goes to the four NIS2 gaps from the previous section. The NIS2Compass Pre-Check has condensed this mapping into 18 questions: the answers automatically yield a list of NIS2 implementation steps already covered.
Step 3: Implement the NIS2 delta (2–4 weeks). This concerns the four purely statutory obligations: BSI registration under §33 BSIG, three-stage reporting cascade under §32 BSIG, management training plan under §38 (3) BSIG, and §38 responsibility documentation. These four building blocks are available in the NIS2Compass Template Library as ready Word and Excel templates.
Step 4: BSI audit readiness (1 week). Store documentation centrally, ensure versioning and write a bridging document: which §30 requirement is covered by which IT-Grundschutz module, and what additional NIS2-specific measures apply? BSI may request this bridging documentation in the context of an audit.
Typical effort: 4–8 weeks for the NIS2 delta with existing IT-Grundschutz, compared to 4–8 months for building a completely new ISMS (NIS2Compass benchmark). Further guidance is provided by the BSI implementation notes for the IT-Grundschutz Compendium and the complete BSIG overview at gesetze-im-internet.de. The Implementation Guide takes the four steps into a concrete implementation path with substeps and templates.
Practical example: Municipal utility with IT-Grundschutz Basic Protection — what is missing for NIS2?
A municipal utility with 150 employees has implemented IT-Grundschutz Basic Protection since 2022 and qualifies as an essential entity in the NIS2 Energy sector. The IT-Grundschutz Basic Protection broadly covers the §30 requirements, but registration, reporting process and management training obligation were not part of the project. Four additional building blocks close the gaps in four to six weeks.
Starting position (anonymised): 150 employees, municipal energy supplier for electricity, gas and water. Energy sector (Annex I of the NIS2 Directive, highly critical), classified as an essential entity under §28 BSIG. IT-Grundschutz Basic Protection implemented since 2022 without attestation.
What IT-Grundschutz already provides: Established security management with a named ISO (ISMS.1), an operational patch management process (OPS.1.1.3), a documented backup concept with annual restore tests (CON.3.A4), an awareness programme for all employees (ORP.3), an incident handling process (DER.2.1) and basic network segmentation (NET.1.1).
What is still missing — four NIS2-specific gaps: BSI registration under §33 BSIG was due in March 2026 and is not part of IT-Grundschutz. The §32 reporting cascade with 24h/72h/1-month deadlines is not known to the existing DER.2.1 process. The management training obligation under §38 (3) BSIG goes beyond ORP.3 because it explicitly addresses the management body. The §38 responsibility documentation (approval and oversight) requires its own track beyond ISMS.1.A1.
The aha-moment: During review of the existing DER.2.1 process, it became clear that internal escalation worked smoothly, but an external BSI notification within 24 hours was not provided for anywhere. No one knew who fills in the reporting form, who approves it and through which channel it reaches BSI. This gap only became visible in the NIS2 delta and has since been added as a fixed escalation stage in the incident process.
Resolution in 4–6 weeks: BSI portal registration (1–2 days), extension of the DER.2.1 process by the §32 reporting cascade as a separate chapter (1 week), set up training plan for management and book external training (2 weeks lead time), draft §38 bridging document mapping modules to §30 obligations and adding the NIS2-specific documentation (1 week).
Context: The NIS2 Energy sector is among the highly critical sectors with the strictest requirements; municipal utilities serving roughly 30,000 inhabitants or more generally fall under essential entities per §28 BSIG. The BSI affectedness check provides the official sector classification.
The NIS2Compass Pre-Check explicitly asks about existing IT-Grundschutz implementation and automatically maps to the implementation steps already met. The Implementation Guide takes the remaining delta through eight chapters with concrete substeps, and the Template Library covers the reporting process, management training plan and §38 bridging document as ready templates.
Frequently Asked Questions
Is BSI IT-Grundschutz mandatory for NIS2?
No. Neither §30 BSIG nor the NIS2UmsuCG prescribes a specific standard. BSI explicitly confirms this on its page on ISO/IEC 27001 in the NIS-2 context: "BSI does not prescribe a specific norm." The obligation is to implement the ten §30 measure areas appropriately, effectively and proportionately. The path is freely selectable.
Is IT-Grundschutz Basic Protection enough for NIS2?
Partially. Basic Protection structurally covers the ten §30 measure areas and is a good entry point for SMEs. The purely statutory NIS2 obligations remain open, however: registration under §33 BSIG, the reporting cascade under §32 BSIG, and personal management liability under §38 BSIG. These points must be documented separately.
What is the difference between BSI IT-Grundschutz and the BSI Standards 200-x?
The BSI Standards 200-1 to 200-4 are the methodological foundation. 200-1 describes ISMS setup, 200-2 the IT-Grundschutz methodology with Basic, Standard and Core Protection, 200-3 the risk analysis, and 200-4 business continuity management. The IT-Grundschutz Compendium provides the concrete modules, around 110 in the 2023 Edition.
Do I have to switch from ISO 27001 to IT-Grundschutz for NIS2?
No. Both standards cover the §30 requirements to around 80 percent. A switch because of NIS2 is not required. Anyone who has ISO 27001 in place should stick with it and only build the NIS2-specific gaps on top: registration, reporting cascade and §38 obligations. The effort of switching standards almost always exceeds the benefit.
Where are the biggest gaps of IT-Grundschutz regarding NIS2?
In the purely statutory obligations that no technical standard can map: BSI registration under §33 BSIG, the three-stage reporting cascade under §32 BSIG with 24-hour, 72-hour and 1-month deadlines, personal management liability under §38 BSIG and the named management training obligation under §38 (3) BSIG. These gaps are closed through additional documentation and processes.
Implement NIS2 step by step
NIS2Compass guides you step by step through implementation – with guide, templates and knowledge hub.
Get startedÄhnliche Artikel
The KRITIS Umbrella Act and NIS2: What Applies to Whom?
Since July 2026, around 2,000 KRITIS operators must register in addition to NIS2. Who needs to comply with NIS2, the KRITIS Umbrella Act, or both — sectors, deadlines, and fines explained.
7 Min. Lesezeit
NIS2 ISO 27001 Mapping: Excel Checklist Download
ISO 27001 covers approximately 70% of NIS2 requirements. The mapping Excel shows at a glance what is already covered — and where the regulatory gap remains.
6 Min. Lesezeit
NIS2 BSI Registration: Missed the Deadline — What Now?
The statutory NIS2 registration deadline has expired, but the BSI is granting an extended deadline until 31 July 2026. How to complete your registration in the BSI portal step by step.
9 Min. Lesezeit