NIS2 → BSI IT-Grundschutz Mapping

Cross-reference mapping between NIS2 Directive requirements and BSI IT-Grundschutz building blocks.

This page maps NIS2 Directive (EU 2022/2555) requirements to BSI IT-Grundschutz building blocks. NIS2 establishes cybersecurity risk-management measures and reporting obligations for essential and important entities across the EU.

Art. 20(1) Governance — management body approval and oversight

ISMS.1 ISMS.1 Security Management ORP.1 ORP.1 Organisation

Art. 21(2)(a) Policies on risk analysis and information system security

CON.11.1 CON.11.1 Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD) IND.1 IND.1 Process Control and Automation Technology INF.1 INF.1 General Building INF.2 INF.2 Data Center and Server Room INF.5 INF.5 Room and Cabinet for Technical Infrastructure ISMS.1 ISMS.1 Security Management OPS.1.1.1 OPS.1.1.1 General IT Operations OPS.1.1.6 OPS.1.1.6 Software Testing and Approvals ORP.1 ORP.1 Organisation ORP.5 ORP.5 Compliance Management (Requirements Management)

Art. 21(2)(b) Incident handling

DER.1 DER.1 Detection of Security-Relevant Events DER.2.1 DER.2.1 Security Incident Handling DER.2.2 DER.2.2 Precautions for IT Forensics DER.2.3 DER.2.3 Remediation of Extensive Security Incidents DER.4 DER.4 Emergency Management NET.3.4 NET.3.4 Network Access Control OPS.1.1.3 OPS.1.1.3 Patch and Change Management OPS.1.1.5 OPS.1.1.5 Logging

Art. 21(2)(c) Business continuity, backup management and disaster recovery

CON.10 CON.10 Development of Web Applications CON.3 CON.3 Data Backup Concept DER.4 DER.4 Emergency Management IND.3.2 IND.3.2 Remote Maintenance in Industrial Environments INF.14 INF.14 Building Automation SYS.1.8 SYS.1.8 Storage Solutions

Art. 21(2)(d) Supply chain security

APP.4.6 APP.4.6 SAP ABAP Programming CON.9 CON.9 Information Exchange OPS.1.2.2 OPS.1.2.2 Archiving OPS.1.2.5 OPS.1.2.5 Remote Maintenance OPS.2.2 OPS.2.2 Cloud Use OPS.2.3 OPS.2.3 Use of Outsourcing OPS.3.2 OPS.3.2 Providing Outsourcing

Art. 21(2)(e) Security in network and information systems acquisition, development and maintenance

APP.1.1 APP.1.1 Office Products APP.1.2 APP.1.2 Web Browsers APP.1.4 APP.1.4 Mobile Applications (Apps) APP.3.1 APP.3.1 Web Applications and Web Services APP.3.2 APP.3.2 Web Servers APP.3.3 APP.3.3 File Servers APP.3.6 APP.3.6 DNS Server APP.4.2 APP.4.2 SAP ERP System APP.4.3 APP.4.3 Relational Databases APP.4.4 APP.4.4 Kubernetes APP.4.6 APP.4.6 SAP ABAP Programming APP.5.2 APP.5.2 Microsoft Exchange and Outlook APP.5.3 APP.5.3 General Email Client and Server APP.5.4 APP.5.4 Unified Communications and Collaboration (UCC) APP.6 APP.6 General Software APP.7 APP.7 Development of Custom Software CON.8 CON.8 Software Development IND.2.1 IND.2.1 General ICS Component IND.2.2 IND.2.2 Programmable Logic Controller (PLC) IND.2.3 IND.2.3 Sensors and Actuators IND.2.4 IND.2.4 Machine IND.2.7 IND.2.7 Safety Instrumented Systems NET.1.1 NET.1.1 Network Architecture and Design NET.1.2 NET.1.2 Network Management NET.2.1 NET.2.1 WLAN Operation NET.3.1 NET.3.1 Routers and Switches NET.3.2 NET.3.2 Firewall NET.4.1 NET.4.1 PBX Systems NET.4.2 NET.4.2 VoIP OPS.1.1.2 OPS.1.1.2 Proper IT Administration OPS.1.1.4 OPS.1.1.4 Protection Against Malware OPS.1.2.6 OPS.1.2.6 NTP Time Synchronization SYS.1.1 SYS.1.1 General Server SYS.1.2.2 SYS.1.2.2 Windows Server 2012 SYS.1.2.3 SYS.1.2.3 Windows Server SYS.1.3 SYS.1.3 Servers Running Linux and Unix SYS.1.5 SYS.1.5 Virtualization SYS.1.6 SYS.1.6 Containerization SYS.1.7 SYS.1.7 IBM Z SYS.1.9 SYS.1.9 Terminal Server SYS.2.1 SYS.2.1 General Client SYS.2.2.3 SYS.2.2.3 Clients Running Windows SYS.2.3 SYS.2.3 Clients Running Linux and Unix SYS.2.4 SYS.2.4 Clients Running macOS SYS.2.5 SYS.2.5 Client Virtualization SYS.2.6 SYS.2.6 Virtual Desktop Infrastructure SYS.3.1 SYS.3.1 Laptops SYS.3.2.1 SYS.3.2.1 General Smartphones and Tablets SYS.3.2.2 SYS.3.2.2 Mobile Device Management (MDM) SYS.3.2.3 SYS.3.2.3 iOS (for Enterprise) SYS.3.2.4 SYS.3.2.4 Android SYS.3.3 SYS.3.3 Mobile Phone SYS.4.1 SYS.4.1 Printers, Copiers, and Multifunction Devices SYS.4.3 SYS.4.3 Embedded Systems SYS.4.4 SYS.4.4 General IoT Device SYS.4.5 SYS.4.5 Removable Storage Media

Art. 21(2)(f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

DER.3.1 DER.3.1 Audits and Revisions DER.3.2 DER.3.2 Revisions Based on the IS Revision Guide ISMS.1 ISMS.1 Security Management OPS.1.1.7 OPS.1.1.7 System Management

Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity training

ORP.3 ORP.3 Information Security Awareness and Training

Art. 21(2)(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption

APP.3.4 APP.3.4 Samba CON.1 CON.1 Cryptographic Concept CON.6 CON.6 Deletion and Destruction CON.7 CON.7 Information Security during International Travel NET.2.2 NET.2.2 WLAN Use NET.3.3 NET.3.3 VPN NET.4.3 NET.4.3 Fax Machines and Fax Servers

Art. 21(2)(i) Human resources security, access control policies and asset management

APP.2.1 APP.2.1 General Directory Service APP.2.2 APP.2.2 Active Directory Domain Services APP.2.3 APP.2.3 OpenLDAP CON.2 CON.2 Data Protection OPS.1.2.4 OPS.1.2.4 Telework ORP.2 ORP.2 Personnel ORP.4 ORP.4 Identity and Access Management

Art. 21(2)(j) Use of multi-factor authentication or continuous authentication solutions

APP.2.1 APP.2.1 General Directory Service APP.2.2 APP.2.2 Active Directory Domain Services APP.2.3 APP.2.3 OpenLDAP ORP.4 ORP.4 Identity and Access Management

Art. 23(1) Reporting obligations — significant incident notification

DER.2.1 DER.2.1 Security Incident Handling

These mappings are provided for reference and do not replace a professional compliance assessment.