BSI Opens NIS2 Enforcement: What German Entities Must Do Before the Audit

BSI has begun NIS2 enforcement audits. Essential entities in Germany face up to €10M fines. Here is what your audit readiness checklist looks like for 2026.

The Bundesamt für Sicherheit in der Informationstechnik (BSI) has initiated its first formal NIS2 enforcement actions under the German IT-Sicherheitsgesetz 3.0 framework, marking a decisive shift from guidance and transitional support to active supervisory enforcement. Supervisory authorities across EU member states are activating audit rights with increasing frequency — this is not a German phenomenon operating in isolation. The compliance clock for essential and important entities is no longer theoretical. It is running.

The Enforcement Shift — From Guidance to Audit

BSI published its formal audit criteria in late 2025, establishing the methodological foundation for risk-based supervision of in-scope entities operating in Germany (BSI, 2025). The publication of those criteria was the signal: the transition period was ending. What follows is the enforcement phase.

This pattern is not unique to Germany. France’s ANSSI issued its first NIS2 formal notice procedures in Q3 2025, referencing the same Article 21 risk management framework that BSI now audits against (ANSSI, 2025). Spain’s INCIBE has conducted on-site inspections of critical energy sector entities since early 2025 (INCIBE, 2025). The European Commission’s own NIS2 implementation report, published January 2026, confirmed that 19 of 27 member states have now activated active supervision mechanisms — up from just six in 2024 (European Commission, 2026).

This is coordinated, EU-wide activation. German entities that assumed BSI would move slowly should recalibrate. The enforcement infrastructure is operational.

What BSI’s Audit Scope Covers

BSI’s audit framework is anchored to Article 21 of NIS2 Directive (EU) 2022/2555, which defines the risk management measures that essential and important entities must implement. In practice, an audit will typically examine five domains:

1. Risk Management Measures (Article 21): Policies on risk analysis, security of network and information systems, incident handling, business continuity, supply chain security, security in the acquisition, development and maintenance of systems, cyber hygiene, cryptographic controls, and human resource security. Auditors will request documentation — not presentations.

2. Asset Inventory: Article 21(1) requires a complete inventory of assets. BSI TR-02102 provides guidance on cryptographic standards, but the inventory obligation extends to physical hardware, software, data flows, and operational technology (OT). Entities must demonstrate the inventory is maintained, not merely that it existed at a point in time.

3. Incident Response Procedures: Documentation must show a defined procedure for detecting, analysing, and reporting incidents. The 24-hour early warning obligation under Article 23 is within scope. BSI will look for evidence that the procedure has been tested.

4. Board-Level Governance Documentation: NIS2 introduces explicit accountability for management bodies. Article 20(1) requires that management bodies approve and oversee the entity’s cybersecurity risk management measures. Board minutes, resolutions, and delegation structures are primary evidence. The absence of this documentation is a finding, not an observation.

5. Supply Chain Assessments: Article 21(2) requires entities to assess the security of their supply chain — specifically ICT third-party relationships. Critical suppliers must be identified, and assessments documented. BSI’s interpretation aligns with ENISA’s guidance on ICT supply chain security (ENISA, 2024).

Audit Readiness — The Minimum Standard

An entity does not pass a NIS2 audit by having good intentions. It passes by having the evidence. The following five-point readiness checklist represents the minimum standard:

  1. Governance Documentation: Board-approved cybersecurity policy. Board minutes reflecting active oversight of ICT risk. Named security officer or DPO with documented reporting line to management body.

  2. Risk Assessment: Current, documented risk assessment (within 12 months). Must cover all NIS2-relevant assets and threat scenarios. Board-reviewed and signed.

  3. Asset Inventory: Complete, maintained inventory of hardware, software, network components, and OT/IoT devices. Last update date recorded. Linked to risk assessment.

  4. Incident Response Plan and Test History: Incident response plan documented. Tabletop test completed within 24 months. Last test date, participants, and post-action improvements recorded.

  5. Supply Chain Register: ICT third-party register complete. Critical suppliers identified. At minimum, security assessments or certifications on file for critical vendors.

If any of these five items lacks a dated document, the entity has an open finding before the auditor arrives.

How Brokers Can Use This With Clients

For brokers placing cyber coverage for German clients, the enforcement signal changes the conversation. A client who previously deferred NIS2 compliance as a regulatory nuisance now faces a concrete audit risk with six-figure penalty exposure.

The right questions to ask at next renewal:

  • Has your board formally approved a cybersecurity risk management policy in the past 12 months?
  • Do you have documented evidence of a tabletop incident response test within the last 24 months?
  • Is your ICT supply chain register complete and current?

If the answer to any of these is “we’re working on it,” recommend remediation before binding. Coverage placed for a client mid-remediation creates a non-disclosed material change risk that can void coverage post-incident. Refer to the NIS2 Underwriting Questions guide for the full question set to use with clients.

BSI’s activation should concentrate minds. The €10M ceiling for essential entities is not abstract. Supervisory authorities now have the mandate, the methodology, and the staff to use it.

