NIS2 for public administration.
Bund and certain state administrations are named essential entities under NIS2 — with BSI IT-Grundschutz as the de-facto implementation baseline. Matproof bridges BSI-Grundschutz, NIS2 Art. 21, and cross-border cooperation flows.
Why this matters now
The German NIS2-Umsetzungsgesetz explicitly extends NIS2 obligations to federal and selected state/municipal public bodies. Many public administrations already operate under BSI IT-Grundschutz — mapping to NIS2 is additive, not redundant.
- The BSI IT-Grundschutz catalog is comprehensive but doesn't explicitly cover all NIS2 Art. 21 measures (supply chain, training depth)
- Budget and procurement cycles make rapid remediation hard
- Cross-authority information sharing requirements
- Executive accountability extends to elected officials and senior civil servants
How Matproof covers NIS2 for Public Sector & Government
BSI IT-Grundschutz to NIS2 mapping
Matproof maps IT-Grundschutz module controls (ORP, ISMS, CON, NET, SYS etc.) to NIS2 Art. 21 measures — showing coverage and gaps per organization.
Incident reporting via BSI
Public-sector incidents are reported through the BSI Lagezentrum. Matproof uses the same 24h/72h/1 month structure with sector-specific classifications.
Training records for elected officials and senior staff
§ 38 BSIG-neu requires cyber-training for leadership. Matproof tracks completion and provides role-specific curricula for political leadership, senior civil servants, and operational staff.
Public-procurement alignment
Vendor management under NIS2 Art. 21(2)(d) must align with Vergaberecht. Matproof's vendor register flags preferred/permissible suppliers per EVB-IT and procurement rules.
In scope
- Federal ministries and Bund authorities
- State authorities (Landesbehörden) designated by Landesrecht
- Municipalities providing essential services (water, waste, registry)
- Agencies providing digital identity, e-government, or public digital services
Frequently asked questions
Are all German municipalities subject to NIS2?
Not all — the NIS2UmsuCG designates specific categories based on services provided (water supply, waste management, civil registry) and criticality thresholds. Small municipalities providing only internal services typically aren't in scope, but those operating essential services to citizens usually are. State law implementations vary.
Does BSI IT-Grundschutz satisfy NIS2 automatically?
Mostly but not fully. IT-Grundschutz's security modules cover ~75% of NIS2 Art. 21 measures directly. Gaps: formalized supply-chain management (NIS2 Art. 21(2)(d)), board-level accountability (§ 38 BSIG-neu), and incident-notification timelines. IT-Grundschutz-certified organizations still need a NIS2 gap analysis.
How are elected officials affected by § 38 BSIG-neu?
The personal accountability provisions apply to 'Leitung' (leadership). For public-sector bodies, this includes the political head (minister, mayor) and senior administrative leadership. They bear oversight responsibility and must be trained, and they are personally liable for gross negligence.