§44 BSIG

NIS2 and IT-Grundschutz

§44(2) BSIG provides a legal shortcut: implementing IT-Grundschutz is recognized in German law as a way to demonstrate NIS2 compliance.

Cory Hisey · Continuously reviewed

The Legal Chain

German companies have an advantage over their European peers when it comes to NIS2 compliance. While companies in France, Italy, or the Netherlands must work from their national transposition of the NIS2 Directive and the EU Implementing Regulation without a nationally recognized implementation methodology, German companies can leverage IT-Grundschutz, a well-established, BSI-maintained methodology that has been the standard for information security in the German public sector and industry for over 25 years.

§44(2) BSIG provides the legal shortcut: companies that implement IT-Grundschutz can use this as evidence of NIS2 compliance. This is not informal guidance. It is codified in the BSI Act (BSI-Gesetz, BSIG), the law that transposes NIS2 in Germany. The BSI itself develops and maintains the Grundschutz framework and is at the same time the supervisory authority under the BSIG, which keeps the two aligned by design.

This page maps the entire legal chain from the EU NIS2 Directive through German transposition to the practical implementation methodology. Understanding this chain is essential for any compliance lead: it tells you exactly which requirements come from where, why they exist, and how to satisfy them with documented evidence.

From EU Directive to German Practice
NIS2 compliance in Germany follows a four-layer legal chain. Each layer adds specificity, from high-level objectives down to concrete implementation guidance.

1. NIS2 Directive: EU Directive 2022/2555, the EU-wide cybersecurity framework
2. BSIG: the German BSI Act (Act on the Federal Office for Information Security), which transposes NIS2 into German law
3. CIR 2024/2690: EU Implementing Regulation, which defines the technical minimum measures
4. IT-Grundschutz: BSI methodology, the established German framework for implementing these measures

§44(2) BSIG: Grundschutz as Recognized Evidence of Compliance
The legal shortcut most companies don't know about.

§44(2) BSIG states that compliance with the risk-management requirements of §30 BSIG can be demonstrated through implementation of recognized standards, and explicitly names IT-Grundschutz as such a standard. If you implement Grundschutz according to the BSI Standards 200-1 to 200-4, you therefore have a statutory basis for your NIS2 compliance claim. This is not a 'get out of jail free' card: the obligation to produce evidence remains, and the evidence has to show that the relevant Anforderungen are actually implemented. What it gives you is a clear, BSI-approved methodology to follow.

In practice, this means you do not need to interpret the NIS2 Directive or CIR 2024/2690 from scratch. The IT-Grundschutz-Kompendium already maps the technical requirements to specific Bausteine (modules) and Anforderungen (requirements). When the BSI reviews your NIS2 compliance, it is reviewing against a methodology it created itself, not against the abstract wording of an EU directive. This narrows the interpretation gap that companies in other member states have to close on their own.

For BSI auditors, Grundschutz implementation is familiar territory: the BSI has been auditing and certifying against Grundschutz for decades. That means audit efficiency: auditors know what evidence to expect, the terminology is standardized, and the methodology is documented in German. Compare this to defending an ad-hoc compliance approach that maps your controls directly to the CIR's articles, where every interpretation of what an article requires is your own. The practical advantage is significant.

CIR 2024/2690: The EU Technical Baseline
The Commission Implementing Regulation that defines the technical minimum every EU member state must enforce.

CIR 2024/2690 (Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024) lays down the technical and methodological requirements for the NIS2 risk-management measures for the digital entity types within its scope. As a regulation it applies directly, without national transposition, and defines the minimum measures those entities must implement. This is the floor, not the ceiling.

The CIR directly binds only 11 specific digital entity types: DNS service providers, TLD name registries, cloud computing services, data centre providers, content delivery networks, managed services, managed security services, online marketplaces, online search engines, social networking platforms, and trust service providers. However, §30 BSIG independently imposes the same ten measure areas (Art. 21(2) NIS2) on all NIS2-covered sectors in Germany, so the CIR's technical detail becomes the de facto reference even outside its direct scope.

The Grundschutz Kompendium covers every measure area in the CIR and goes further through its Bausteine. Where the CIR states an objective in a few sentences, for example that access control policies must be in place, Grundschutz specifies how, through modules such as ORP.4 (Identity and Access Management) with concrete, numbered requirements. This is consistent with the recognition in §44(2) BSIG: Grundschutz covers the CIR measure areas and adds implementation detail, rather than merely matching them.

IT-Grundschutz vs ISO 27001 for NIS2
Both are recognized information security frameworks, but for NIS2 compliance in Germany, they are not equivalent.

BSI Recognition

IT-Grundschutz is explicitly referenced in §44(2) BSIG as a recognized standard for demonstrating NIS2 compliance. ISO 27001 certification may support your case, but it is not specifically named in the law. When the BSI is both the framework author and the enforcement authority, alignment matters.

Requirements Coverage

Grundschutz covers every CIR 2024/2690 measure area through its Kompendium Bausteine and goes prescriptively further. ISO 27001 covers information security management broadly but does not specifically address all §30 BSIG measures, particularly the NIS2-specific incident reporting timelines (§32 BSIG), supply chain requirements (§30(2)(4) BSIG), and management body obligations (§38 BSIG). You would need ISO 27001 plus additional gap-filling.

Language & Methodology

Grundschutz is developed in German, by the BSI, for German organizations. The terminology matches the BSIG. ISO/IEC 27001 is an international standard written in English (a German-language DIN EN ISO/IEC 27001 edition exists), with its own terminology and a less prescriptive, management-system-oriented methodology. For a 100-person German Mittelstand company, Grundschutz's concrete, German-language implementation guidance is significantly more practical than ISO 27001's abstract control objectives.

Why This Matters for Your Company
For mid-market German companies, the Grundschutz pathway offers three concrete advantages over alternative compliance approaches.

Audit Advantage

When the BSI audits your NIS2 compliance, presenting Grundschutz-structured evidence means the auditor speaks your language. The methodology, documentation structure, and evidence expectations are standardized. This translates to faster audits, fewer misunderstandings, and clearer outcomes.

BSI Alignment

The BSI publishes the Grundschutz Kompendium, supervises NIS2 compliance, and can inspect your implementation under its supervisory powers (§61 BSIG); formal certification is carried out by BSI-accredited auditors. Using the BSI's own methodology keeps your interpretation of the requirements aligned with the regulator's. The interpretation gap is minimal: the same organization that supervises the rules also provides the playbook.

Legal Certainty

§44(2) BSIG gives Grundschutz implementation explicit legal standing as proof of compliance. This is the strongest legal position available: you are following the methodology recognized by the law itself. If challenged, you can point to a specific statutory provision that validates your approach, not just industry best practice or consultant opinion.

Built on the Grundschutz Framework
The platform structures the NIS2 requirements (twelve categories, 49 concrete controls) according to IT-Grundschutz methodology, with evidence templates and audit-ready documentation that follows the BSI's own structure.