§1 BSIG + Art. 8 NIS 2

What is the BSI?

Federal higher authority under the Federal Ministry of the Interior, established under §1 BSIG. Under NIS 2 it is the competent authority, the single notification point and the operator of the national CSIRT.

Simon OrzelSimon Orzel·

What it is

Anyone thinking about NIS 2 in Germany for the first time ends up at the BSI. The Federal Office for Information Security sits in Bonn, has existed since 1991, and under §1 BSIG it is the federal cybersecurity authority. In practice this means: whatever you have to report, register or evidence under NIS 2 eventually runs through the BSI.

What confuses many first-time readers: under NIS 2 the BSI does not have one role but four. It is the competent authority under Art. 8 NIS 2, the single point you notify significant incidents to under §32 BSIG, the body you register with under §33 BSIG, and the operator of the national CSIRT (CERT-Bund) within the meaning of Art. 10 NIS 2. Four interfaces, one authority.

In practice you meet the BSI at three touchpoints: registration, incident notification, and supervision. What the BSI does not do: case-specific legal advice, ISO 27001 certification, or implementation consultancy. The implementation work stays with you, in-house or with external help.

Legal basis
The establishment and tasks of the BSI are set out in the BSIG. Its competences under NIS 2 are structured by the NIS-2 Implementation and Cybersecurity Strengthening Act.

§1 BSIG (establishment)

The Federation maintains, as a federal higher authority within the portfolio of the Federal Ministry of the Interior, Building and Community, the Federal Office for Information Security.

Independent federal higher authority means the BSI is organisationally separate but subject to specialist and service supervision by the Federal Ministry of the Interior. It does not act as a ministry or a court.

§3 BSIG (tasks)

The Federal Office promotes information security. To that end it carries out the following tasks: defending against threats to the security of federal information technology, collecting and assessing information on security risks, advising and warning, setting minimum standards.

The catalogue in §3 BSIG is broad. For NIS 2 the most relevant tasks are advising and warning, setting minimum standards, and supporting competent authorities in investigating security incidents.

Art. 8 NIS 2 (competent authorities) + §32, §33 BSIG

Member States shall designate one or more competent authorities responsible for cybersecurity. They shall ensure that those competent authorities monitor the application of this Directive at national level.

Germany has designated the BSI as the competent authority under Art. 8 NIS 2. Notifications run through §32 BSIG and registrations through §33 BSIG.

What the BSI does under NIS 2 in concrete terms
Five roles that touch every entity directly or indirectly.

Registration authority

You register via the BSI portal under §33 BSIG. Three months from the moment you first fall in scope of NIS 2. Mandatory data: master data, sector, contact person, scope of activity, size class.

Single notification point

You notify significant incidents under §32 BSIG via the BSI single notification point. Early warning within 24 hours, follow-up notification within 72 hours, final report within one month. Both clocks start at the moment you become aware.

National CSIRT (CERT-Bund)

CERT-Bund is Germany's national CSIRT within the meaning of Art. 10 NIS 2. It receives incident notifications, coordinates response and exchanges information with the other Member States in the EU CSIRTs network.

Supervision

Supervision of NIS 2 entities is anchored in the BSIG. The BSI may request information, order audits and issue directives. Fines are imposed under §65 BSIG.

Information and warning hub

Situational reports, security warnings, technical minimum standards: the BSI publishes continuously. The Alliance for Cybersecurity and UP KRITIS add practical guidance on top.

What the BSI is not
Three common misunderstandings on first contact.

Not a source of individual legal advice

General guidance and minimum standards: yes. Legal assessment of your specific facts: no. For that you need a lawyer.

Not an ISO 27001 certification body

The BSI does not issue ISO 27001 certificates. What the BSI runs are its own certification schemes, for instance IT-Grundschutz and Common Criteria. They are independent of ISO.

Not an implementation consultant

The BSI inspects and supervises, it does not implement on your behalf. The operational NIS 2 work happens inside your entity, with your people or with external consultancy.

Practitioner note

In conversations with management teams approaching NIS 2 for the first time, two questions come up: what do I have to report, what do I have to register. The answers are in §32 and §33 BSIG. Both run through the BSI portal, both need an ELSTER organisation certificate as the access credential.

The central information hub remains bsi.bund.de. The actual reporting portal has its own address and is linked from there. First-time readers tend to mix the two up.

Sources
  • Act on the Federal Office for Information Security (BSIG), in particular §§1, 3, 32, 33, 65, www.gesetze-im-internet.de
  • Directive (EU) 2022/2555 (NIS 2), Art. 8, 10, 23, 27, www.eur-lex.europa.eu
  • BSI website: www.bsi.bund.de
  • NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)

This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, BSI publications). It does not constitute legal advice within the meaning of §2 RDG. For specific cases consult an admitted lawyer. As at 2026-06-04.

Are you an essential or important entity?
The free applicability check clarifies in minutes whether NIS 2 applies to you and what obligations you owe the BSI.