Section 30 BSIG: the Ten Cybersecurity Measures

Short answer: Section 30 of the German BSIG is the national transposition of Article 21 NIS 2. Essential and important entities must implement ten risk management measures, from risk analysis to supply chain security to multi-factor authentication. Implementation must be proportionate to size, risk exposure, and state of the art.

Simon Orzel · Continuously reviewed

What Section 30 BSIG requires

Section 30 BSIG sits at the centre of Germany's NIS 2 implementation. It obliges essential and important entities to take appropriate, proportionate, and effective technical and organisational measures to manage risks to the security of their information systems, components, and processes.

The provision transposes Article 21(2) of the NIS 2 Directive (Directive (EU) 2022/2555) into German law. The substance is EU-wide and identical in every Member State. The wording was adjusted to the German legislative style, but the ten measures in Section 30(2) Nos. 1 to 10 BSIG map one to one onto Article 21(2)(a) to (j) NIS 2.

The duties apply from the date the NIS2UmsuCG took effect. The Act provides no transition period. Whoever falls within scope owes the measures from the day they enter scope.

The ten measures under Section 30(2) BSIG
The ten mandatory measures, each cross-referenced to the corresponding letter in Article 21(2) NIS 2.

No. 1: Policies on risk analysis and information system security

Policies on risk analysis and information system security. Maps to Article 21(2)(a) NIS 2. For the digital sectors, operationalised in Section 2 of the annex to CIR (EU) 2024/2690.

No. 2: Incident handling

Detection, response, containment, recovery, and post-incident review. Maps to Article 21(2)(b) NIS 2. Interlocks with the reporting duty under Section 32 BSIG.

No. 3: Business continuity

Backup management, disaster recovery, and crisis management. Maps to Article 21(2)(c) NIS 2. A cloud outage at your provider is covered here.

No. 4: Supply chain security

Supply chain security including security-related aspects of relationships with direct suppliers and service providers. Maps to Article 21(2)(d) NIS 2. This obligation cascades contractually to every direct supplier.

No. 5: Security in acquisition, development, and maintenance

Security measures in the acquisition, development, and maintenance of information systems, components, and processes, including vulnerability handling and disclosure. Maps to Article 21(2)(e) NIS 2. Overlaps with Cyber Resilience Act obligations for products with digital elements.

No. 6: Effectiveness assessment

Policies and procedures to assess the effectiveness of risk management measures. Maps to Article 21(2)(f) NIS 2. This is the feedback loop: measures are not only introduced but checked for whether they actually work.

No. 7: Cyber hygiene and training

Basic cyber hygiene practices and cybersecurity training. Maps to Article 21(2)(g) NIS 2. Applies to all staff, with role-specific training for IT roles. Management body training is regulated separately under Section 38(3) BSIG.

No. 8: Cryptography and encryption

Policies and procedures for the use of cryptography and, where appropriate, encryption. Maps to Article 21(2)(h) NIS 2. 'Where appropriate' permits risk-based differentiation but rules out a blanket exemption.

No. 9: Human resources security, access control, asset management

Human resources security, access control policies, and asset management. Maps to Article 21(2)(i) NIS 2. Covers onboarding and offboarding, need-to-know access provisioning, and an asset inventory.

No. 10: Multi-factor authentication and secured communications

Multi-factor or continuous authentication solutions, secured voice, video, and text communications, and, where appropriate, secured emergency communication systems within the entity. Maps to Article 21(2)(j) NIS 2.

Proportionality under Section 30(1) sentence 2 BSIG

Section 30(1) sentence 2 BSIG requires that measures be chosen taking into account the state of the art, relevant European and international standards, and the cost of implementation. Size, risk exposure, and the probability of incidents are factored in.

Proportionality is not a licence to skip a measure. The BSI made clear in its guidance on Section 38(3) BSIG that a blanket transfer of risk to cyber insurance or service providers is ruled out. Proportionate means: not every measure at maximum depth, but each measure adapted to the specific situation and documented in writing.

Relationship to Article 21 NIS 2 and CIR (EU) 2024/2690
EU law, German transposition, and technical implementing regulation in one line.

Article 21(2) NIS 2 is the EU-level basis. The ten letters (a) to (j) are binding. The wording was kept open so Member States could fit it into national supervisory structures. Section 30 BSIG adopts the ten measures as Nos. 1 to 10 without substantive deviation.

For DNS providers, TLD registries, cloud providers, data centres, content delivery networks, managed service providers, managed security service providers, online marketplaces, online search engines, social networking platforms, and trust service providers, the EU Commission Implementing Regulation 2024/2690 operationalises the ten measures in its annex. The Regulation applies directly, without national transposition. For these sectors, Section 30 BSIG and the CIR therefore apply side by side.

Who falls under Section 30 BSIG

Section 30 BSIG applies to essential entities under Section 28(6) BSIG and important entities under Section 28(7) BSIG. The sectors are listed in Annex 1 and Annex 2 of the NIS 2 Directive. The size threshold is at least 50 employees or 10 million euros annual turnover, with special rules for KRITIS and for sectors that apply regardless of size.

If you are unsure, start with the applicability test under Article 2 NIS 2. Suppliers to regulated entities also come into contact with Section 30 via No. 4 (supply chain): the obligations cascade contractually to direct suppliers.

What happens if you breach Section 30

Breaches of the measures duty under Section 30 BSIG carry administrative fines under Section 65 BSIG. For essential entities, the maximum is 10 million euros or 2 percent of global prior-year turnover, whichever is higher. For important entities, the maximum is 7 million euros or 1.4 percent.

Section 38 BSIG adds personal liability of the management body for breach of the duty to approve the Section 30 measures and monitor their implementation. The liability does not depend on actual harm having occurred.

Frequently asked questions on Section 30 BSIG

Is Section 30 BSIG the same as Article 21 NIS 2?

In substance, yes. Section 30 BSIG is the German transposition of Article 21 NIS 2. The ten measures in Section 30(2) Nos. 1 to 10 BSIG map one to one onto Article 21(2)(a) to (j) NIS 2. For EU-wide work, cite Article 21 NIS 2 as the primary source and reference Section 30 BSIG as the German transposition.

Do I have to implement all ten measures?

Yes. The ten measures are not optional. Choice happens within each measure through proportionality. Skipping an entire measure is not permitted. Depth of implementation may be adapted to size, risk exposure, and state of the art, but dropping a whole number is not.

What does proportionality mean in practice?

Proportionality under Section 30(1) sentence 2 BSIG means: measures align with size, risk exposure, the probability and severity of incidents, and the cost of implementation. The decision must be documented in writing. A blanket transfer of risk to cyber insurance or a service provider is not accepted by the BSI as proportionate implementation.

How do I evidence implementation to the BSI?

Through documentation. For each of the ten measures, record the chosen implementation, the rationale for the depth, and the effectiveness assessment in writing. A BSI audit under Section 61 or Section 62 BSIG examines these records, not oral explanation. A structured self-assessment across all ten measures is the fastest starting point.

What is the difference between Section 30 BSIG and IT-Grundschutz?

Section 30 BSIG is the duty. IT-Grundschutz is one concrete methodology that satisfies the duty. Section 44(2) BSIG names IT-Grundschutz as sufficient implementation. Other standards such as ISO 27001 are equally possible, but evidence remains tied to the ten measures under Section 30 BSIG, not to the structure of the chosen standard.

Self-assessment across all ten measures
The free gap assessment walks through all ten measures in Section 30(2) BSIG: 116 questions across 15 domains, with a board-ready report. Open source, no lock-in.