How to prepare for a BSI audit under §64 and §65 BSIG
Article 32 NIS 2 gives every supervisory authority a fixed toolkit. §64 BSIG copies it into German law. This page walks the four-step evidence ladder the BSI uses, plus what an essential entity, an important entity and a KRITIS operator each have to be ready for.
The short version
A BSI audit is not one event. Article 32 NIS 2 lists a fixed set of supervisory powers for essential entities: on-site inspections, targeted security audits by an independent body, ad hoc audits where there is a justified reason, security scans, and written requests for information and documents. The BSI escalates up that ladder.
§64 BSIG transposes those powers into German law as Auskunfts- und Unterlagenanforderung, Vor-Ort-Prüfung and technische Untersuchung. §61 BSIG sets the surrounding supervisory powers. §65 BSIG is where the penalties live. Penalties run to ten million euro or two percent of group turnover for essential entities and seven million or one point four percent for important entities, mirroring Article 34 NIS 2.
Most audits never reach the on-site step. Clean documentation, a management body that can answer for it, and a written treatment plan for known gaps end the audit at step one or two. This page walks the ladder, the legal text behind it, and the three traps that turn a paper audit into a site visit.
Article 32 NIS 2 Directive (2022/2555)
Member States shall ensure that the supervisory measures imposed on essential entities for the purpose of this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case. When exercising their supervisory powers in respect of essential entities, the competent authorities shall have the power to subject those entities to: (a) on-site inspections and off-site supervision, including random checks, conducted by trained professionals; (b) regular and targeted security audits carried out by an independent body or a competent authority; (c) ad hoc audits, including where justified on the grounds of a significant incident or infringement of this Directive by the essential entity; (d) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned; (e) requests for information necessary to assess the cybersecurity risk management measures adopted by the entity concerned.
Article 32 sets the ex-ante toolkit for essential entities. Article 33 mirrors it for important entities but as ex-post supervision, meaning the BSI may only act when it has indications of non-compliance. Article 34 sets the penalty ceilings the BSIG copies.
Commission Implementing Regulation (EU) 2024/2690, Annex
For the purposes of Article 21(2) of Directive (EU) 2022/2555, the relevant entities shall establish, implement and apply a network and information security policy [...] and the risk management framework [...] addressing the risks to the security of network and information systems.
The CIR Annex is what an auditor actually checks against. It spells out what risk management, supply chain security, incident handling, business continuity, training, cryptography, access control and the other Article 21(2) measures have to contain. The directive gives the BSI the right to look. The CIR Annex sets the bar.
§64 BSIG (Germany)
The Federal Office may process the information, including personal data, required to perform its tasks. In particular, it may demand information and the submission of documents, enter and inspect the rooms, premises and installations of particularly important and important entities during normal business hours, and carry out examinations, including technical investigations.
§64 BSIG gives the BSI three operational powers: ask for documents, walk into your offices during business hours, run a technical inspection. §61 BSIG sets the broader supervisory remit. §65 BSIG sets the penalties, with the Article 34 ceilings carried through directly. KRITIS operators carry an additional three-year evidence duty under §29 BSIG.
Documentation request and walkthrough
Step one is a written §64 BSIG Auskunfts- und Unterlagenanforderung. The BSI asks for your risk management framework, your asset list, your incident handling policy, your training records, your supply chain measures and the §38 BSIG management training evidence. Step two is a walkthrough call: the BSI asks the responsible roles to explain what is on paper. A management body member is usually expected on this call. Most audits close here.
On-site inspection
If documentation is missing or the walkthrough exposes gaps the BSI cannot reconcile, §64 BSIG lets them enter your premises during business hours and inspect. They will ask to see how policies translate into practice: backups actually running, access control actually enforced, incident playbooks actually known. Article 32(2)(c) lets them escalate ad hoc after a significant incident, without warning. The fix is not to perform well on the day. It is to have nothing the walkthrough could not already show.
Targeted security audit and technical inspection
Article 32(2)(b) lets the BSI order a regular or targeted security audit by an independent body, at your cost. §64 BSIG adds the technische Untersuchung: scans, configuration reviews, log analysis. Article 32(2)(d) lets them run security scans on your perimeter under objective and non-discriminatory criteria. This step is rare for important entities, structurally available for essential entities, and the standard route for KRITIS operators under §29 BSIG (three-year Nachweis cycle).
Dated and signed beats comprehensive
An auditor does not want a perfect policy. They want a policy that is dated, signed by a named owner, last reviewed in the last twelve months, and traceable to a version. A six-page policy with a sign-off from the managing director two months ago is worth more than a forty-page policy nobody owns. Known gaps with a written treatment plan and a target date are fine. Unknown gaps and undocumented decisions are not.
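The bar described above (dated, signed by a named owner, reviewed within twelve months, traceable to a version, known gaps with a written plan and a target date) is mechanical enough to check before the audit letter arrives. The following is an added example, not code from the page, the BSI or any audit tool: it walks a constructed policy register and returns the findings a step-one documentation request would surface. The register format, the field names and the 365-day reading of "twelve months" are assumptions made here.

```python
"""Evidence-readiness check for the "dated and signed" bar.

Added example (not from the page or any BSI tool). Flags every policy in a
constructed register that would not survive a step-one documentation request
as the article describes it. The register layout, field names and the
365-day review window are assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

REVIEW_WINDOW_DAYS = 365  # "last reviewed in the last twelve months", read as 365 days (assumed)


@dataclass
class Gap:
    description: str
    treatment_plan: str = ""          # written plan; empty string means undocumented
    target_date: Optional[date] = None


@dataclass
class Policy:
    name: str
    version: str = ""                 # traceable version label
    owner: str = ""                   # named owner who signed the document
    signed_on: Optional[date] = None  # date of the sign-off
    last_review: Optional[date] = None
    gaps: list = field(default_factory=list)


def check_policy(policy: Policy, today: date) -> list:
    """Return the findings an auditor would raise against one policy.

    An empty list means the policy clears the documentation bar: it is
    versioned, owned, dated, recently reviewed, and every known gap carries a
    written treatment plan with a target date that has not yet passed.
    """
    findings = []
    if not policy.version.strip():
        findings.append("no traceable version")
    if not policy.owner.strip():
        findings.append("no named owner")
    if policy.signed_on is None:
        findings.append("not dated/signed")
    elif policy.signed_on > today:
        findings.append("sign-off date lies in the future")
    if policy.last_review is None:
        findings.append("never reviewed")
    elif (today - policy.last_review).days > REVIEW_WINDOW_DAYS:
        findings.append(f"last review older than twelve months ({policy.last_review})")
    for gap in policy.gaps:
        # Known gaps are acceptable only with a written plan and a target date.
        if not gap.treatment_plan.strip():
            findings.append(f"gap without treatment plan: {gap.description}")
        if gap.target_date is None:
            findings.append(f"gap without target date: {gap.description}")
        elif gap.target_date < today:
            findings.append(f"gap past its target date: {gap.description}")
    return findings


def readiness_report(register: list, today: date) -> dict:
    """Map each policy name to its findings; only policies with findings appear."""
    report = {}
    for policy in register:
        findings = check_policy(policy, today)
        if findings:
            report[policy.name] = findings
    return report


# Constructed sample register and reference date (not real company data).
TODAY = date(2026, 3, 1)
SAMPLE_REGISTER = [
    Policy("Incident handling", version="2.3", owner="J. Doe (MD)",
           signed_on=date(2026, 1, 10), last_review=date(2026, 1, 10),
           gaps=[Gap("no tabletop exercise in the last year",
                     treatment_plan="run tabletop with on-call team",
                     target_date=date(2026, 6, 30))]),
    Policy("Supply chain security", version="1.0", owner="",
           signed_on=date(2024, 11, 2), last_review=date(2024, 11, 2)),
    Policy("Business continuity", version="", owner="A. Smith",
           signed_on=date(2026, 2, 1), last_review=date(2026, 2, 1),
           gaps=[Gap("backup restore never tested")]),
]

if __name__ == "__main__":
    for name, findings in readiness_report(SAMPLE_REGISTER, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the sample report lists only the two policies with findings: the supply chain policy (no named owner, review older than twelve months) and the business continuity policy (no version, a gap with neither plan nor date). The incident handling policy passes even though it has a known gap, which is the point of the passage: a documented gap with a plan and a date is not a finding.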
The management body has to be in the room
Article 20 NIS 2 puts the management body on the hook for approving the cybersecurity risk management measures and overseeing implementation. §38 BSIG transposes this with personal liability. A BSI walkthrough where the managing director cannot answer for the risk picture is a finding by itself. The fix is not a script. It is a quarterly review the managing director actually attends.
BSI standard audit + §29 KRITIS Nachweis
For essential and important entities, the BSI operates the §64 BSIG ladder from documentation request upward. For KRITIS operators (critical infrastructure under §28 BSIG), §29 BSIG adds a three-year Nachweis duty: every three years, the operator submits evidence (typically an external audit report) that shows the §30 BSIG measures are in place. The §29 Nachweis is calendar-driven and does not depend on the BSI starting an audit.
ENISA + NIS Cooperation Group
ENISA, the EU Cybersecurity Agency, publishes the Technical Implementation Guidance (TIG) that maps Article 21 NIS 2 onto established standards like ISO/IEC 27001:2022 and NIST CSF 2.0. The NIS Cooperation Group under Article 14 NIS 2 coordinates audit practice across member states. If you operate in several countries, the substance the auditors check is the same. The mechanics (forms, channels, deadlines) differ.
Sector competent authorities
For some sectors (energy, finance, telecoms) supervision sits partly with the sector regulator (BNetzA, BaFin) instead of or alongside the BSI. The directive permits this and §61 BSIG names the divisions of competence. The Article 32 powers themselves do not change. Which authority shows up at the door does.
If our policies are written, we are ready.
Written policies are step one. The walkthrough at step two is where the audit actually gets decided. The auditor asks the responsible role to explain how the policy works in practice. If the role cannot explain it, the policy is paper and the audit moves on-site under §64 BSIG. The treatment is not better policies. It is the responsible person actually using them and the management body actually reviewing them.
We will get the documentation in order once the audit letter arrives.
The BSI typically gives a deadline of two to four weeks for the §64 documentation request. Building a risk register, an asset inventory and an incident handling policy from scratch in that window is not realistic. It also produces the worst possible artefact for an auditor: a fresh document with no version history, no prior sign-offs and no traceable use. Documents need to be operated, not produced for the letter.
We are only responsible for what we run ourselves, not for our suppliers.
Article 21(2)(d) NIS 2 and §30(2)(4) BSIG put supply chain security on the entity, not the supplier. A black box answer like 'our managed service provider handles that' is a finding. The auditor will ask for the contract clauses, the supplier risk assessment and the evidence you check the supplier. KRITIS operators face this more sharply: the §29 Nachweis covers managed services too. You can outsource the operation, not the accountability.
A regional energy supplier we work with sits in scope as a KRITIS operator under §28 BSIG. Their last §29 Nachweis was eighteen months ago, the next one is due in eighteen. They run the prep on a rolling basis: every quarter, the CISO walks one §30 BSIG measure with the managing director, captures the evidence (policy version, sign-off, last review, open treatment items) and closes any gap before the next quarter. By the time the auditor knocks, nothing is produced for the visit. Everything is dated.
The §29 Nachweis itself runs through an external auditor commissioned by the operator. The BSI does not run the audit directly: it accepts the external report. The audit report flags gaps as 'erhebliche Mängel' (significant defects), 'sonstige Mängel' (other defects) or none. Significant defects trigger follow-up duties. Other defects come with a treatment plan and a target date. The energy supplier closes around eighty percent of audit findings before the report goes to the BSI, by treating the gap list as the standing agenda for the next two quarters.
Every NIS 2 requirement on the platform produces three things by default: a policy with a version and a sign-off, a recurring review with a deadline, and an audit trail that records who did what and when. A §64 BSIG Auskunfts- und Unterlagenanforderung becomes an export, not a writing project. You hand over a packaged evidence bundle (policies, sign-offs, asset list, risk register, incident log, training records, supplier list) instead of trawling for files.
For KRITIS operators the §29 Nachweis runs on the same data. The external auditor gets a read-only view of the same artefacts the company already operates. There is no second tool, no parallel spreadsheet pile, and no audit-week scramble. The point is structural: when the audit-letter day comes, you are not preparing. You are exporting.
- Directive (EU) 2022/2555 (NIS 2), Articles 32, 33, 34 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- BSI Act (BSIG), §29 (KRITIS Nachweis), §61 (Aufsichtsbefugnisse), §64 (Auskunfts- und Untersuchungsbefugnisse), §65 (Bußgeldvorschriften)
- BSI Infopakete 'NIS 2 Pflichten' — bsi.bund.de/dok/nis-2-infopakete
- ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 (as of May 2026)
- NIS Cooperation Group reference documents on supervision practice — digital-strategy.ec.europa.eu