Receiving a BSI request under §64 BSIG
Article 32 NIS 2 gives competent authorities supervisory powers. §64 BSIG is the German transposition. This page describes the procedural framework, not how a specific request should be handled.
Overview
Article 32 of the NIS 2 Directive empowers competent authorities to supervise essential entities. The catalogue of powers includes on-site inspections, off-site supervision, targeted security audits, ad hoc audits, security scans, requests for information, and requests for evidence that cybersecurity risk management measures have been implemented.
In Germany, §64 BSIG transposes this catalogue and assigns the supervisory role to the Bundesamt für Sicherheit in der Informationstechnik (BSI). A §64 BSIG request typically arrives in writing, identifies the legal basis, names a deadline, and lists the information or documents required. The request itself sets the procedural clock.
Entities served with such a request are subject to a cooperation duty (Mitwirkungspflicht). The duty is not unlimited: it is bounded by what was asked, by the deadline set in the request, and by general legal protections that apply in administrative proceedings. The Verwaltungsverfahrensgesetz (VwVfG) governs the administrative procedure framework around the request.
Directive 2022/2555 (NIS 2), Article 32(2)
Competent authorities shall have the power to subject essential entities to on-site inspections and off-site supervision, including random checks; targeted security audits; ad hoc audits; security scans; requests for information; and requests to provide evidence of implementation of cybersecurity policies.
Article 32(2) lists the supervisory measures available to competent authorities for essential entities. Article 33 sets a comparable, lighter regime for important entities. The Directive does not set deadlines; those are set by the national authority in each individual request.
Implementing Regulation (EU) 2024/2690
The Implementing Regulation specifies the technical and methodological requirements that essential and important entities in the digital sectors must meet. It does not regulate the procedural form of supervisory requests.
The Implementing Regulation is relevant to the content of what authorities may ask about (the measures listed in its Annex). The procedural side of how a request is served and answered remains national law.
§64 BSIG (German transposition)
The BSI may request information and documents from regulated entities, conduct on-site inspections, and require technical examinations to verify compliance with the obligations under the BSIG. The entity, its representatives and its employees are under a duty to cooperate.
§64 BSIG operationalises Article 32 NIS 2 in Germany. §65 BSIG provides the enforcement layer (administrative fines) if the cooperation duty under §64 is breached. The Verwaltungsverfahrensgesetz (VwVfG), in particular §28 on the right to be heard, applies in parallel.
The legal basis and scope
A §64 BSIG request cites its legal basis (typically §64 BSIG, sometimes in combination with the specific obligation under §30 or §32 BSIG that triggered the inquiry). It names the recipient entity, the matter under examination, and the categories of information or documents required. An entity served with such a request can establish the perimeter of cooperation by reading the legal basis and the question catalogue carefully.
The deadline and the evidence asked for
The request sets a deadline (Frist), commonly between two and four weeks for document requests, shorter for incident-related inquiries. The evidence asked for is usually documentary: policies, risk register entries, incident reports, supplier contracts, training records. Entities typically log the deadline, the question catalogue, and the responsible internal owner before producing material.
Written response, written record
Responses to a §64 BSIG request are typically made in writing, even when initial contact happens by phone. A written response creates a verifiable record of what was disclosed, on what date, under what legal basis. Entities that document the cover letter, the index of attachments, and the date of dispatch retain a clear evidentiary trail in any later proceeding.
Cooperation duty under §64 BSIG (Mitwirkungspflicht)
§64 BSIG places an active cooperation duty on the regulated entity, its legal representatives, and its employees. The duty covers the production of information and documents the BSI requests, the granting of access for on-site inspections, and the toleration of technical examinations within the scope identified. Non-cooperation may trigger enforcement under §65 BSIG, which provides for administrative fines.
Boundary of the cooperation duty
The cooperation duty is bounded by what was actually requested, by the deadline set, and by general legal protections that apply in administrative proceedings. Communications with external counsel are protected by professional confidentiality (§43a BRAO, §203 StGB). The right to be heard under §28 VwVfG applies before adverse administrative acts are issued. These boundaries are procedural; their concrete application to a specific document set is a matter for regulatory counsel.
Bundesamt für Sicherheit in der Informationstechnik (BSI)
The BSI is the competent authority for cybersecurity supervision under the BSIG. It issues §64 BSIG requests, conducts inspections, and proposes enforcement measures. The BSI is a federal authority (Bundesoberbehörde) under the Federal Ministry of the Interior.
Verwaltungsverfahrensgesetz (VwVfG)
The VwVfG is the general administrative procedure act. It governs how administrative acts are issued, how the right to be heard (§28 VwVfG) operates, how appeals work, and how deadlines are calculated. A §64 BSIG request sits within this framework.
Regulatory counsel and professional confidentiality
External legal counsel is bound by professional confidentiality under §43a BRAO and §203 StGB. Communications produced for the purpose of legal advice are protected. The protection is narrower than the attorney-client privilege concept used in some other jurisdictions; the precise scope is matter-specific.
Ignoring or quietly delaying the request
Missing a §64 BSIG deadline without a written extension request is itself a breach of the cooperation duty. §65 BSIG provides for administrative fines for non-cooperation, independently of any underlying compliance gap. Entities served with a request typically acknowledge receipt in writing and request an extension if the deadline cannot be met.
Sending everything in scope plus extras
Producing material that was not asked for expands the evidentiary record and may reveal unrelated gaps. The cooperation duty under §64 BSIG covers what was requested. Entities typically scope their response to the question catalogue and log what was produced.
Answering by phone without a written record
Phone calls leave no shared written record of what was disclosed, when, and under what scope. Entities typically follow up any phone exchange with a written summary, both to confirm understanding and to maintain a clear evidentiary trail for any later proceeding.
A §64 BSIG request is not a fine, an enforcement order, or an audit finding. It is a procedural step in which the competent authority exercises a supervisory power conferred by Article 32 NIS 2. The procedural framework is set: written request, named legal basis, defined deadline, written response. The substantive evaluation comes later, in a separate administrative act, with the right to be heard under §28 VwVfG.
This page describes the procedural framework only. Concrete handling of a BSI request, including the scope of documents to disclose, the wording of the response, and the interaction with §65 BSIG enforcement, requires regulatory counsel. The platform documents the underlying compliance state (policies, risk register, incident records, supplier contracts) so that, if a request arrives, the evidentiary base is already in order.
The platform maintains the underlying record that a §64 BSIG question catalogue typically targets: the obligation register, the risk register, incident records with timestamps, supplier records with §30 BSIG due diligence, training records under §38 BSIG, and the audit trail of who signed off on what and when. Each item is timestamped and exportable.
The platform does not draft responses to supervisory requests and does not replace regulatory counsel. It maintains the evidentiary base so that the production of documents under §64 BSIG is a question of export, not of reconstruction.
- Directive (EU) 2022/2555 (NIS 2), Article 32 (supervisory and enforcement measures regarding essential entities) and Article 33 (important entities). EUR-Lex.
- Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 on technical and methodological requirements. EUR-Lex.
- BSIG (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) §64 (supervisory powers and cooperation duty) and §65 (administrative fines). gesetze-im-internet.de.
- Verwaltungsverfahrensgesetz (VwVfG) §28 (Anhörung Beteiligter, hearing of the parties). gesetze-im-internet.de.
- Bundesrechtsanwaltsordnung (BRAO) §43a (Berufspflichten, professional duties) and Strafgesetzbuch (StGB) §203 (Verletzung von Privatgeheimnissen, violation of private secrets). gesetze-im-internet.de.