What the BSI IT-Baseline Check evaluates
For public authorities, the BSI IT-Baseline Check evaluates your information security at the level applicable to public administration. For municipalities, the check includes a note on § 28(4) BSIG (NIS2 exemption for smaller municipalities).
Legal foundations
BSI Standards 200-1/2/3; BSIG; § 28(4) BSIG (municipal exemption under NIS2); state IT security acts (e.g., ISG-NW).
How the check works
1. Choose authority type and size class
2. For municipalities: pick the federal state for state-specific IT security law
3. Questions on ISMS, baseline protection, crisis management
4. Assessment with NIS2 cross-reference
Your benefits
• Free and without registration
• § 28(4) BSIG taken into account for small municipalities
• Cross-reference to state IT security acts
• Legal status: April 2026
Frequently asked questions
- Does BSI Baseline apply to municipalities as well?
- BSI Baseline measures are binding for federal authorities. State and municipal authorities follow their state IT security acts; BSI Baseline is largely recommended or required there.
- What does § 28(4) BSIG say for municipalities?
- Municipalities below certain thresholds are excluded from the NIS2 scope; the exemption is meant to avoid overburdening small municipalities. The check evaluates this threshold.
- Are public enterprises treated like authorities?
- It depends on the legal form: public-law enterprises → public body; private-law (GmbH) → usually a private-sector entity. The check differentiates automatically.
This initial assessment is not legal advice and does not replace consultation with a qualified lawyer. Legal status: April 2026.
