§64 BSIG

Receiving a BSI request under §64 BSIG

Article 32 NIS 2 gives competent authorities supervisory powers. §64 BSIG is the German transposition. This page describes the procedural framework, not how a specific request should be handled.

Simon Orzel

Overview

Article 32 of the NIS 2 Directive empowers competent authorities to supervise essential entities. The catalogue of powers includes on-site inspections, off-site supervision, targeted security audits, ad hoc audits, security scans, requests for information, and requests for evidence that cybersecurity risk management measures have been implemented.

In Germany, §64 BSIG transposes this catalogue and assigns the supervisory role to the Bundesamt für Sicherheit in der Informationstechnik (BSI). A §64 BSIG request typically arrives in writing, identifies the legal basis, names a deadline, and lists the information or documents required. The request itself sets the procedural clock.

Entities served with such a request are subject to a cooperation duty (Mitwirkungspflicht). The duty is not unlimited: it is bounded by what was asked, by the deadline set in the request, and by general legal protections that apply in administrative proceedings. The Verwaltungsverfahrensgesetz (VwVfG) governs the administrative procedure framework around the request.

Legal anchor
The EU layer establishes the supervisory powers. BSIG transposes them into national law. VwVfG provides the general procedural framework.

Directive 2022/2555 (NIS 2), Article 32(2)

Competent authorities shall have the power to subject essential entities to on-site inspections and off-site supervision, including random checks; targeted security audits; ad hoc audits; security scans; requests for information; and requests to provide evidence of implementation of cybersecurity policies.

Article 32(2) lists the supervisory measures available to competent authorities for essential entities. Article 33 sets a comparable, lighter regime for important entities. The Directive does not set deadlines; those are set by the national authority in each individual request.

Implementing Regulation (EU) 2024/2690

The Implementing Regulation specifies the technical and methodological requirements that essential and important entities in the digital sectors must meet. It does not regulate the procedural form of supervisory requests.

The Implementing Regulation is relevant to the content of what authorities may ask about (the measures listed in its Annex). The procedural side of how a request is served and answered remains national law.

§64 BSIG (German transposition)

The BSI may request information and documents from regulated entities, conduct on-site inspections, and require technical examinations to verify compliance with the obligations under the BSIG. The entity, its representatives and its employees are under a duty to cooperate.

§64 BSIG operationalises Article 32 NIS 2 in Germany. §65 BSIG provides the enforcement layer (administrative fines) if the cooperation duty under §64 is breached. The Verwaltungsverfahrensgesetz (VwVfG), in particular §28 on the right to be heard, applies in parallel.

What a §64 BSIG request typically contains
Requests are written, structured, and time-bound. The format does not vary much across cases.
Step 1

The legal basis and scope

A §64 BSIG request cites its legal basis (typically §64 BSIG, sometimes in combination with the specific obligation under §30 or §32 BSIG that triggered the inquiry). It names the recipient entity, the matter under examination, and the categories of information or documents required. An entity served with such a request can establish the perimeter of cooperation by reading the legal basis and the question catalogue carefully.

Step 2

The deadline and the evidence asked for

The request sets a deadline (Frist), commonly between two and four weeks for document requests, shorter for incident-related inquiries. The evidence asked for is usually documentary: policies, risk register entries, incident reports, supplier contracts, training records. Entities typically log the deadline, the question catalogue, and the responsible internal owner before producing material.

Step 3

Written response, written record

Responses to a §64 BSIG request are typically made in writing, even when initial contact happens by phone. A written response creates a verifiable record of what was disclosed, on what date, under what legal basis. Entities that document the cover letter, the index of attachments, and the date of dispatch retain a clear evidentiary trail in any later proceeding.

Two principles that shape any response
The cooperation duty is real, but it has a boundary. Both sides matter.

Cooperation duty under §64 BSIG (Mitwirkungspflicht)

§64 BSIG places an active cooperation duty on the regulated entity, its legal representatives, and its employees. The duty covers the production of information and documents the BSI requests, the granting of access for on-site inspections, and the toleration of technical examinations within the scope identified. Non-cooperation may trigger enforcement under §65 BSIG, which provides for administrative fines.

Boundary of the cooperation duty

The cooperation duty is bounded by what was actually requested, by the deadline set, and by general legal protections that apply in administrative proceedings. Communications with external counsel are protected by professional confidentiality (§43a BRAO, §203 StGB). The right to be heard under §28 VwVfG applies before adverse administrative acts are issued. These boundaries are procedural; their concrete application to a specific document set is a matter for regulatory counsel.

National authorities and procedural framework
The supervisory authority and the procedural framework differ by member state. In Germany, the picture is structured.

Bundesamt für Sicherheit in der Informationstechnik (BSI)

The BSI is the competent authority for cybersecurity supervision under the BSIG. It issues §64 BSIG requests, conducts inspections, and proposes enforcement measures. The BSI is a federal authority (Bundesoberbehörde) under the Federal Ministry of the Interior.

Verwaltungsverfahrensgesetz (VwVfG)

The VwVfG is the general administrative procedure act. It governs how administrative acts are issued, how the right to be heard (§28 VwVfG) operates, how appeals work, and how deadlines are calculated. A §64 BSIG request sits within this framework.

Regulatory counsel and professional confidentiality

External legal counsel is bound by professional confidentiality under §43a BRAO and §203 StGB. Communications produced for the purpose of legal advice are protected. The protection is narrower than the attorney-client privilege concept used in some other jurisdictions; the precise scope is matter-specific.

Three pitfalls seen in practice
Each pitfall has been observed in published enforcement narratives across comparable supervisory frameworks (DSGVO, BaFin, KRITIS).
  • Ignoring or quietly delaying the request

    Missing a §64 BSIG deadline without a written extension request is itself a breach of the cooperation duty. §65 BSIG provides for administrative fines for non-cooperation, independently of any underlying compliance gap. Entities served with a request typically acknowledge receipt in writing and request an extension if the deadline cannot be met.

  • Sending everything in scope plus extras

    Producing material that was not asked for expands the evidentiary record and may reveal unrelated gaps. The cooperation duty under §64 BSIG covers what was requested. Entities typically scope their response to the question catalogue and log what was produced.

  • Answering by phone without a written record

    Phone calls leave no shared written record of what was disclosed, when, and under what scope. Entities typically follow up any phone exchange with a written summary, both to confirm understanding and to maintain a clear evidentiary trail for any later proceeding.

Practitioner view

A §64 BSIG request is not a fine, an enforcement order, or an audit finding. It is a procedural step in which the competent authority exercises a supervisory power conferred by Article 32 NIS 2. The procedural framework is set: written request, named legal basis, defined deadline, written response. The substantive evaluation comes later, in a separate administrative act, with the right to be heard under §28 VwVfG.

This page describes the procedural framework only. Concrete handling of a BSI request, including the scope of documents to disclose, the wording of the response, and the interaction with §65 BSIG enforcement, requires regulatory counsel. The platform documents the underlying compliance state (policies, risk register, incident records, supplier contracts) so that, if a request arrives, the evidentiary base is already in order.

What the platform documents

The platform maintains the underlying record that a §64 BSIG question catalogue typically targets: the obligation register, the risk register, incident records with timestamps, supplier records with §30 BSIG due diligence, training records under §38 BSIG, and the audit trail of who signed off on what and when. Each item is timestamped and exportable.

The platform does not draft responses to supervisory requests and does not replace regulatory counsel. It maintains the evidentiary base so that the production of documents under §64 BSIG is a question of export, not of reconstruction.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 32 (supervisory and enforcement measures regarding essential entities) and Article 33 (important entities). EUR-Lex.
  • Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 on technical and methodological requirements. EUR-Lex.
  • BSIG (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) §64 (supervisory powers and cooperation duty) and §65 (administrative fines). gesetze-im-internet.de.
  • Verwaltungsverfahrensgesetz (VwVfG) §28 (Anhörung Beteiligter). gesetze-im-internet.de.
  • Bundesrechtsanwaltsordnung (BRAO) §43a (Berufspflichten) and Strafgesetzbuch (StGB) §203 (Verletzung von Privatgeheimnissen). gesetze-im-internet.de.
Check applicability first
Whether §64 BSIG applies at all depends on whether the entity is in scope of the BSIG. The applicability check covers sector, size, and the regardless-of-size overrides.