Who is affected by § 30 BSIG?

Essential entities: 50+ employees + €10M revenue + 1 of 11 sectors (energy, banks, health, cloud, etc.). Important entities: 50+ employees + €10M + 1 of 7 sectors (transport, etc.). Plus KRITIS regardless of size.

Is ISO 27001 sufficient?

ISO 27001 covers 9 of 10 areas. Supply chain security (Annex A.15) needs additional structure. ISO 27001 strongly recommended but not mandatory.

What about D&O insurance?

D&O typically covers defense costs + civil claims. NOT covered: willful intent, gross negligence, fines. Compliance documentation is the better protection.

Reporting via email or portal?

BSI portal mandatory: bsi.bund.de/meldungen. Email only as emergency backup. 24/7 hotline available.

Cost-effective implementation?

SME 50-100 employees: 8-15k EUR (Microsoft 365 E5 + Veeam Backup + Compliance-Kit NIS2 Kit + 5 person-days external consulting).

KRITIS entities (regardless of size, e.g., large hospitals) have stricter audit obligations + biennial mandatory audits.

Section 30 BSIG: 10 NIS2 Mandatory Measures for Companies Explained

Published: 26 April 2026 · Last updated: 02 May 2026 · Category: NIS2 · Cybersecurity

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding advice, please consult a licensed attorney.

TL;DR

10 mandatory measure areas under Section 30 (2) BSIG (in force since 06 December 2025)
Risk-based + proportionate — no rigid minimum list, but each area must be addressed
ISO 27001 covers 70-80% — but mapping gaps must be closed systematically
Most frequent audit findings 2026: supply chain, effectiveness assessment, cyber hygiene
Fines up to EUR 10 million / 2% of turnover — plus personal managing director liability under Section 38 (5)

1. Overview: What Section 30 BSIG Requires

Section 30 BSIG (German IT Security Act, in force since 06 December 2025 through the NIS2UmsuCG) obliges essential and important entities to implement appropriate and proportionate technical, operational, and organizational measures for managing cyber risks.

"The measures shall, taking into account the particularities of the essential or important entity, reflect the state of the art and comply with the relevant European and international standards." — Section 30 (1) sentence 2 BSIG

The regulation lists 10 measure areas that every affected entity must address — the depth of implementation scales with the risk.

If you don't want to draft the 22 templates for all 10 areas yourself, you'll find a complete measures package including ISO 27001 mapping and BSI Baseline Protection crosswalk in the NIS2 Kit.

2. Areas 1 + 2: Risk Analysis + Incidents

Area	Obligation	Templates
1. Risk analysis + security concepts	Methodology (e.g. ISO 27005), risk register, risk treatment plan	ISMS policy, risk register, RMP
2. Handling of security incidents	Incident response policy, 24h/72h/30d notification templates, playbooks	IR policy, IR playbook, notification templates

Practitioner note: The 24h early warning is mandatory within 24 hours of becoming aware — not from the start of the incident. 24/7 availability must be ensured.

3. Area 3: Business Continuity

"Maintenance of operations (backup management and recovery after an emergency, crisis management)" — Section 30 (2) no. 3 BSIG.

Business Continuity Plan (BCP) with RTO/RPO per business process
Backup strategy (3-2-1 principle or equivalent)
Disaster Recovery Plan with tested recovery routine
Crisis management plan + internal/external communication

4. Areas 4 + 5: Supply Chain + Secure Development

The most frequent audit finding in 2026 is Area 4. Mandatory contents:

Supplier evaluation with risk classification
Cybersecurity clauses in standard contracts
Right-to-audit for critical suppliers
Incident notification from suppliers to you as the principal (max. 24h)

Area 5: secure software development — typically OWASP-oriented + vulnerability management following the CVD process (Coordinated Vulnerability Disclosure).

5. Area 6: Effectiveness Assessment

Obligation to implement "concepts for assessing the effectiveness of the measures". In practice:

KPIs per area (e.g. patch compliance rate, phishing click rate, recovery time)
Quarterly reporting to management
Annual penetration test (BSI recommendation)
Internal audit + external audit every 2 years

6. Area 7: Cyber Hygiene

"Concepts and procedures in the area of cyber hygiene and training in the area of cybersecurity" — Section 30 (2) no. 7 BSIG.

Quarterly phishing simulation with click-rate monitoring
Annual training for all employees (with quiz)
Onboarding training for new employees (mandatory within the first 4 weeks)
Sector-specific deep dives (e.g. SCADA training in industry)

7. Area 8: Cryptography

Application	Standard
Data in transit	TLS 1.3 (BSI TR-02102), HTTPS everywhere
Data at rest	AES-256 for storage media and backups
Email security	S/MIME or PGP for sensitive communication
Key management	HSM or equivalent Key Management System
Quantum cryptography	Post-Quantum preparation (NIST Standards 2024)

8. Areas 9 + 10: Personnel Security + Authentication

Area	Obligation
9. Personnel security + access control	Authorization concept, need-to-know, regular review, onboarding/offboarding workflow, security screening where applicable
10. MFA + secure communication	MFA for all admin and external access, secure voice/video/text communication, emergency communication

9. ISO 27001 Mapping

Section 30 Area	ISO 27001 Annex A	Gap probability
1. Risk analysis	A.5, A.8	low
2. Incidents	A.16	medium (NIS2 notification obligations 24/72/30 missing)
3. BCP	A.17	low
4. Supply chain	A.15	high (cybersecurity clauses often missing)
5. Secure development	A.14	low
6. Effectiveness	A.18	medium (KPI reporting to managing director missing)
7. Cyber hygiene	A.7	medium
8. Cryptography	A.10	low
9. Personnel security	A.7, A.9	low
10. MFA	A.9	medium

10. Practitioner Checklist: 22 Templates for the 10 Areas

ISMS policy
Risk analysis methodology
Risk register
Risk treatment plan
Incident response policy
Incident playbook
24h/72h/30d notification templates (3 pieces)
Business Continuity Plan
Backup & recovery concept
Disaster Recovery Plan
Crisis management plan
Supplier questionnaire
Cybersecurity contract clauses
Vulnerability management process
Vulnerability Disclosure Policy
Cyber hygiene training
Phishing simulation concept
Cryptography policy
Authorization concept
MFA policy
Asset inventory
Audit checklist + effectiveness measurement

Sources

As of: 02 May 2026

BSIG 2025 (consolidated version) — Sections 28–60 (as of: 02 May 2026)
NIS2 Implementation Act — Federal Law Gazette 2025 I No. 301 (as of: 02 May 2026; in force 06 December 2025)
Directive (EU) 2022/2555 (NIS2) — Art. 21 (EUR-Lex DE) (as of: 02 May 2026)
BSI — NIS2 FAQ regulated companies

Sources

BSIG 2025 (Section 30 cybersecurity measures) (As of: 2026-05-02)
Directive (EU) 2022/2555 — NIS2 (As of: 2026-05-02)
BSI — NIS-2 FAQ (as of: ongoing)

Section 30 BSIG: 10 NIS2 Mandatory Measures for Companies Explained

TL;DR

1. Overview: What Section 30 BSIG Requires

2. Areas 1 + 2: Risk Analysis + Incidents

3. Area 3: Business Continuity

4. Areas 4 + 5: Supply Chain + Secure Development

5. Area 6: Effectiveness Assessment

6. Area 7: Cyber Hygiene

7. Area 8: Cryptography

8. Areas 9 + 10: Personnel Security + Authentication

9. ISO 27001 Mapping

10. Practitioner Checklist: 22 Templates for the 10 Areas

Sources

Sources

Related Reading