Art. 21(2)(i) NIS 2 + CIR §10

NIS 2 personnel security under Article 21(2)(i)

People are part of the security boundary. Article 21(2)(i) NIS 2 names personnel security, access control and asset management in one breath. CIR (EU) 2024/2690 §10 spells out the four personnel pieces. In Germany, §30(2)(9) BSIG carries the same duty.

Simon Orzel

The short version

Most breaches start with a person. Article 21(2)(i) puts personnel security on the list of ten cybersecurity duties. The text bundles three things together: personnel security, access control, and asset management. They are linked because a role decides what access a person needs and which assets they can touch.

CIR (EU) 2024/2690 §10 takes the personnel half and splits it into four pieces. Make sure people understand their role (§10.1). Check reliability where it makes sense (§10.2). Handle departures and role changes cleanly (§10.3). Have a disciplinary procedure for breaches (§10.4). Not soft HR. Operational security.

Germany transposes the whole of Article 21(2)(i) via §30(2)(9) BSIG, which lists personnel security, access control and asset management together. The same wording. The same duty. This page walks the directive, the EU follow-up regulation, and the German transposition in that order.

The legal source

Three layers. The directive (binding on every EU country). The implementing regulation (directly applicable EU law for the sectors named in the Annex). The national transposition (in Germany: BSIG).

Article 21(2)(i) NIS 2 Directive (2022/2555)

Human resources security, access control policies and asset management.

Point (i) on the list of ten cybersecurity measures every essential and important entity has to put in place. Three duties packed into one paragraph, because they only work together.

CIR (EU) 2024/2690, Annex §10

Human resources security (Article 21(2)(i) of Directive (EU) 2022/2555).

CIR §10 splits the personnel half into four subsections. §10.1 roles and recruitment, §10.2 reliability checks, §10.3 termination and role changes, §10.4 disciplinary procedure. Directly binding EU law for DNS providers, cloud and data centre providers, MSPs, trust service providers and the other sectors named in the Annex.

§30(2)(9) BSIG (Germany)

Human resources security, concepts for access control and asset management.

Germany copies the EU text. The duty is the same. The BSI points to IT-Grundschutz, in particular module ORP.2 'Personnel', as the practical route to implementation.

The four things CIR §10 actually requires

CIR 2024/2690 §10 has four subsections. We group them into three blocks: roles and recruitment, reliability checks, and the joiners-movers-leavers loop plus discipline. You need all four.

§10.1

Roles, awareness and recruitment

Make sure people know what their cybersecurity responsibilities are. Staff in general, users with admin or privileged access, and the management body in particular. Recruit deliberately for cybersecurity-relevant roles: reference checks, validation of qualifications, written tests where appropriate.

§10.2

Reliability checks where appropriate

Background checks on staff and direct providers where 'feasible and applicable' and the role requires it. Write down which roles can only be filled by people whose reliability has been verified. It is role-dependent, not universal. Admin and privileged-access roles are typical candidates.

§10.3 + §10.4

Termination, role change and discipline

When someone leaves or changes role, the security duties that outlive employment have to be fixed in writing in the contract and actually enforced. Confidentiality clauses run beyond the end of employment. And there must be a disciplinary procedure for breaches of the security policies.

Two rules that shape everything else

Two principles cut across the four subsections. Read §10 with them in mind, or you will over-build in one direction and under-build in another.

Reliability checks are role-dependent, not universal

§10.2 says background checks 'where feasible and applicable' and only on roles that require it. You do not screen every cashier. You do screen the person who holds domain admin. The criteria for which roles need a reliability check belong in writing, before you hire, not after.

Confidentiality survives the employment relationship

§10.3 wants the security duties that have to hold after someone leaves fixed contractually. Confidentiality is the obvious one. Non-disclosure of incident details, customer data, system architecture. The clause goes in the contract on day one, not on the leaver's last day.

How national regulators actually run this

The EU sets the rule. Each country transposes it. The substance is the same. The local mechanics differ a little.

Germany

BSI / IT-Grundschutz ORP.2

The BSI's IT-Grundschutz baseline covers personnel security in module ORP.2 'Personnel'. ORP.2 walks through recruitment, awareness, training, departure procedures and supplier personnel. In Germany you also have to coordinate with HR law: AGG limits on screening criteria, BetrVG works council co-determination on background checks. Do the policy with the works council in the room, not against it.

EU-wide

ENISA Technical Implementation Guidance

ENISA's TIG for CIR (EU) 2024/2690 maps §10 onto ISO/IEC 27001:2022 Annex A controls A.6.1 to A.6.6 (screening, terms and conditions of employment, awareness, disciplinary process, termination, confidentiality). If you already run ISO 27001, most of §10 is in place. The TIG names the evidence auditors expect.

Other member states

National transposition laws

Every member state has its own transposition (Netherlands: Cyberbeveiligingswet, Austria: NISG, Belgium: NIS2-Wet). The duty under Article 21(2)(i) is the same. What differs locally: labour-law constraints on background screening, which mirror Germany's AGG and BetrVG in form if not in detail.

Three traps we see all the time

Three assumptions that turn up in almost every audit-prep call. All three leave gaps an auditor will find.
  • We do not do background checks. Data protection forbids it.

    Over-broad. §10.2 limits reliability checks to roles where they are 'feasible and applicable'. For admin or privileged-access users a documented reliability check is usually fine under the GDPR if you have a clear legal basis, a defined scope, and the works council on board. The job is not 'screen nobody'. The job is 'write down which roles need it and run it for those roles'.

  • When someone leaves, we take their badge and disable their account. Done.

    Good for the physical and IT access piece. Not enough for §10.3. The directive wants the duties that survive employment fixed in writing in the contract. Confidentiality, non-disclosure, return of assets, ongoing reporting obligations for incidents the person knows about. A leaver checklist with no contractual anchor is half the job.

  • We do not have a disciplinary procedure for IT security breaches.

    Yes you do; you just have not written it down for IT specifically. §10.4 wants a disciplinary procedure for breaches of the security policies. It does not have to be a separate process. Plug it into your general HR disciplinary procedure: name the trigger ('breach of the information security policy'), reference the policy, document the escalation path.

How real Mittelstand operators actually do this

Most Mittelstand companies already do half of §10 without calling it NIS 2. HR runs reference checks at hiring. There is a leaver checklist. Confidentiality clauses are in the standard employment contract. Awareness training happens once a year. That covers the bulk of §10.1 and a slice of §10.3.

The §10 gaps we see are narrower than people think. One: contractual confidentiality clauses that explicitly cover IT-related obligations and survive the end of employment, not just generic NDA language. Two: a written list of roles where a reliability check is mandatory before hiring, with the criteria spelled out. Three: an explicit disciplinary procedure for IT security breaches, even if it is one paragraph cross-referenced from the general HR procedure. Close those three, and §10 is done.

How we handle this on the platform

The platform captures the §10 evidence in the HR and ACC modules. Role assignments live in one place with the person, the role, the reliability check status, and the date of the last awareness training. The leaver checklist is a workflow with sign-off, not a Word document.

The disciplinary log sits in the audit trail. When a policy breach is recorded, the procedure that fires is documented, the steps taken are signed off, and the closure is visible. No spreadsheet. No second tool. The same evidence base your auditor will look at.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 21(2)(i) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex §10 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
  • BSI Act (BSIG), §30(2)(9) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
  • BSI IT-Grundschutz, module ORP.2 'Personnel' — bsi.bund.de/grundschutz
  • ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 (as of May 2026)