Section 30 BSIG
10 mandatory measure areas for NIS2 risk management
TL;DR
Section 30 BSIG (the German BSI Act, Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, as amended by the NIS2 Implementation Act NIS2UmsuCG and in force in this form since 6 December 2025) obliges particularly important entities (besonders wichtige Einrichtungen, the German term for NIS2's essential entities) and important entities (wichtige Einrichtungen) to take appropriate, proportionate and effective technical and organisational measures to manage the risks to the availability, integrity and confidentiality of the IT systems, components and processes they use to provide their services. Proportionality is judged against the entity's risk exposure, its size, the cost of implementation and the likelihood and severity of security incidents. Section 30(2) BSIG names 10 measure areas that every such measure set must cover at a minimum.
What is Section 30 BSIG?
Section 30(2) BSIG requires the measures to cover at least the following 10 areas (they mirror Article 21(2) of the NIS2 Directive):
- Policies on risk analysis and on the security of information technology
- Handling of security incidents
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including security-related aspects of the relationship between the entity and its direct suppliers and service providers
- Security in the acquisition, development and maintenance of IT systems, components and processes, including vulnerability handling and disclosure
- Policies and procedures for assessing the effectiveness of the risk management measures
- Basic cyber hygiene practices and information security training
- Policies and procedures on the use of cryptography and encryption
- Personnel security, access control policies and asset management
- Use of multi-factor or continuous authentication, secured voice, video and text communications and, where appropriate, secured emergency communication systems within the entity
Practical example
A mechanical engineering company (350 employees, classified as an important entity (wichtige Einrichtung) under Section 28 BSIG) implements Section 30 as follows (excerpt, numbered by the measure areas above):
- Area 1: ISMS policy plus a risk analysis methodology based on ISO 27005, reviewed annually
- Area 2: incident response policy plus templates for the notifications required by Section 32 BSIG (early warning within 24 hours, incident notification within 72 hours, final report within one month)
- Area 3: business continuity plan, backup concept, disaster recovery plan, crisis management
- Area 4: supplier security questionnaire plus cybersecurity clauses in supplier contracts
- Area 7: annual cyber hygiene training, quarterly phishing simulations
- Area 10: MFA for all administrator access, S/MIME for e-mail as the secured text communication channel