What the NIS2 Coverage Check evaluates
The NIS2 Coverage Check for authorities evaluates your classification per § 28 BSIG. Important: § 28(4) BSIG contains an exemption for small municipalities (short-circuit); for federal and state authorities, NIS2 coverage generally applies to critical services.
Legal foundations
NIS2UmsuCG 2026; BSIG § 28(1)–(4) (especially para. 4 municipal exemption); state IT security acts; BSI registration.
How the check works
1. Choose authority type (federal, state, municipality, public enterprise, public-law institution, corporation)
2. For municipalities: size short-circuit per § 28(4) BSIG
3. Evaluate criticality and core services
4. Assessment with guidance on BSI registration
Your benefits
• Free and without registration
• § 28(4) BSIG municipal exemption shown prominently
• Follow-up question for public enterprises included
• Legal status: April 2026
Frequently asked questions
- Does NIS2 apply to municipalities?
- In principle yes, but § 28(4) BSIG provides an exemption for small municipalities below certain thresholds. The check evaluates your threshold and shows the legal consequence.
- Are public enterprises to be reported separately?
- Private-law public enterprises (GmbH) are treated as independent entities and evaluate their NIS2 coverage themselves. Public-law enterprises follow the parent authority.
- How do I report a security incident?
- Affected entities register with the BSI and report incidents via the BSI reporting portal: 24 h initial report, 72 h follow-up assessment, 1 month final report.
This initial assessment is not legal advice and does not replace consultation with a qualified lawyer. Legal status: April 2026.
