NIS2 Section 30 BSIG: All 10 Obligations in One Overview
TL;DR
- All 10 areas are mandatory; depth scales with risk
- ISO 27001 covers 9 of 10; supply-chain security needs additional structure
- Designed for board briefings: one page, plain language
- Section 30 BSIG (German Cybersecurity Act) is the operational hinge of NIS2 in Germany
- Companion deadlines: the 24 h / 72 h / 30-day incident-reporting timeline (24/72/30) is in Section 32 BSIG
1. Risk-management system
Documented methodology (e.g., ISO 27005), annual update cycle, risk treatment plan with owners and target dates, and management approval.
2. Incident response
Incident-response plan, named crisis team, tabletop exercises, and the 24 h / 72 h / 30-day BSI reporting workflow (24/72/30) ready to execute.
3. Business continuity and disaster recovery
Business Impact Analysis, RTO/RPO targets per critical process, emergency plan, and annual DR tests with restore evidence.
4. Supply-chain security
Supplier inventory with criticality scoring, audit rights and data processing agreement (DPA) clauses, audits of the top 20 suppliers, and exit plans for critical providers.
5. Secure system acquisition and maintenance
Patch management with documented SLAs, vulnerability scans, hardening standards (CIS Benchmarks, BSI baseline).
6. Effectiveness assessment of cybersecurity controls
Internal audits, external penetration tests, optional ISO 27001 audit, and corrective and preventive action (CAPA) tracking on findings.
7. Training and awareness
Annual cybersecurity training for all staff, plus quarterly phishing simulations. Records retained as audit evidence.
8. Cryptography and access management
MFA on all administrative access, conditional access policies, IAM lifecycle, and PAM for privileged accounts.
9. Asset management
Inventory of hardware, software, data, and cloud services; classification scheme; BYOD policy; end-of-life management.
10. Secure authentication and communication
FIDO2 / passkeys, encrypted communication channels, zero-trust architecture for network access.
Summary
Section 30 BSIG is a checklist disguised as a law. Treat it as a coverage matrix: every area must be addressed; ISO 27001 covers most; the gap is supply chain and visible board engagement. The NIS2 Kit ships templates for each of the 10 areas.
Frequently Asked Questions
Are all 10 obligations mandatory?
Is ISO 27001 sufficient?
Sources
- BSIG 2025, Section 30 (cybersecurity measures) (As of: 2026-05-02)
- Directive (EU) 2022/2555 — NIS2 (As of: 2026-05-02)
- BSI — NIS-2 FAQ (As of: ongoing)