What Management Must Document Under NIS2
A scenario from a BSI audit: Executive management got a lot right. It approved the budget, appointed a CISO, prioritized measures, and kept track of progress. The only issue: none of that is on paper. When the auditor asks how the management is exercising its oversight duty, there are verbal assurances and no minutes. The work was done; the evidence is missing. This is precisely the point at which it is decided whether a good security organization also passes as such in the audit. A formal resolution is not required for that-a traceable management trail is.
Key Points at a Glance
- No formal resolution prescribed: Section 38 BSIG requires implementing the measures and monitoring their implementation. The word “approve” from the NIS2 Directive does not appear in the German law.
- Documentation is explicitly mandatory: Section 30(1) sentence 3 requires documenting compliance with the measures. A violation is subject to fines under Section 65.
- Six items belong in the record: from the measures documentation through monitoring evidence and management decisions to effectiveness assessment, training records, and the reporting chain.
- Fines hit the entity, liability hits the management: The caps of up to 10 million euros apply to the entity. The personal responsibility of the management is governed by civil law under Section 38(2).
Related:Five KPIs the Supervisory Board Actually Understands / Which Decision Rights of the CISO Must Be Regulated in Writing
What Must Management Document Under NIS2?
What documentation does the BSIG require from management? The BSIG 2025 requires the entity to document compliance with its risk management measures. Management must monitor their implementation. From both follows the practice of recording the security decisions taken, their monitoring, and training participation in such a way that they can be evidenced in a BSI audit or a liability review.
The most common misconception is that the law requires a formal management resolution regarding the security measures. That is the European formulation, not the German one. Anyone building their governance on this misunderstanding is documenting beside the law. The actual obligation is more narrowly defined and more practically manageable if you know the wording.
Implement and monitor, not approve
A look at the statutory text is worthwhile. Section 38(1) BSIG obliges the management of particularly important and important entities to implement the risk management measures to be taken pursuant to Section 30 and to monitor their implementation. There is no mention of approval or a resolution.
The confusion originates from the superior NIS2 Directive. Its Article 20 requires that management bodies approve the measures, monitor their implementation, and can be held accountable for violations. When transposing it, the German legislator replaced the word “approve” with “implement”, kept “monitor”, and anchored management’s responsibility in Section 38(2). For practice this means: No statutory obligation for a formal resolution can be derived from the BSIG. This does not, however, relieve the management, because monitoring without a documented trail can hardly be evidenced in an audit.
This is where the actual documentation obligation applies. Section 30(1) sentence 3 BSIG explicitly requires that the entity’s compliance with the obligation to take the measures is documented. This obligation applies to the entity and is directly punishable by a fine. Section 65 names missing, incorrect, or incomplete documentation as a separate administrative offense. Alongside this is the management duty under Section 38(1) to monitor implementation in a verifiable manner. This is not itself a finable offense but in practice requires the same documented trail. Together, the two provisions are the statutory anchor for every protocol checklist.
Six items that belong in the record
The following overview translates the statutory anchors into concrete documents. The law does not prescribe any format. What counts, therefore, are traceable trails in the right places, verifiable and kept current.
| Documentation Item | What Is Recorded | Legal Basis |
|---|---|---|
| Measures Documentation | All measures pursuant to Section 30, including the proportionality assessment according to size, risk, and cost | Section 30(1) sentence 3 (the only directly finable documentation obligation) |
| Monitoring Evidence | Regular status reports to management, open deficiencies, progress, cyber risk as an agenda item | Section 38(1) (monitor implementation) |
| Management Control Trail | Objectives, budget, roles, accepted residual risks, prioritization of measure packages, recorded as a management trail without any obligation to pass a resolution | Section 38(1) and Section 30(1) sentence 1 |
| Effectiveness Assessment | Concepts and procedures plus the periodic results from audits, tests, and exercises | Section 30(2) no. 6 |
| Training Records | Proof of attendance, contents, date, and participating members of management | Section 38(3) |
| Incident and Crisis Documentation | Evidence of the reporting chain for significant incidents and of management’s information and steering in a crisis | Section 32 and Section 30(2) nos. 2 and 3 |
Two of these items carry the greatest weight. The measures documentation under Section 30(1) sentence 3 is the only point whose absence immediately satisfies the elements of a finable offense. The monitoring evidence under Section 38(1) is the proof that management itself has steered and has not simply passed responsibility downward. This proof is decisive in the event of liability.
The same practical minimum applies to all six items: a clear filing location, a designated responsible person, a version status, and a fixed update rhythm. Without this document control, even a substantively good collection loses value in the audit because currency and responsibility cannot be evidenced.
What the BSI wants to see and who the sanctions affect
The law grants the BSI extensive supervisory powers. Section 61 allows, for particularly important entities, the ordering of audits and examinations, the demand for evidence, and the submission of records, documents, and other materials. For important entities, this supervision under Section 62 only applies upon justified suspicion. The management training obligation under Section 38(3) is also explicitly reviewable. The law does not name a fixed audit scheme or a prescribed protocol format. What is examined is the material fulfillment of the obligations under Sections 30 and 32 together with management’s implementation and monitoring obligations under Section 38(1) and (3).
When it comes to sanctions, a clean separation is useful-one that blurs in many accounts. The often-cited fine ranges from Section 65 apply to the entity, not personally to the management. For particularly important entities the range is up to 10 million euros or, with total turnover above 500 million euros, up to 2 percent of worldwide annual turnover. For important entities it is up to 7 million euros or up to 1.4 percent. These amounts are maximum caps for the individual case, subject to the principle of proportionality, not standard rates. They attach to violations of the measure and reporting obligations, for example the documentation obligation under Section 30(1) sentence 3.
Management’s personal responsibility follows a different path. Section 38(2) attaches internal liability of management toward the entity under corporate law rules to a culpable breach of duty. In serious cases, for particularly important entities the competent supervisory authority may, on notification from the BSI pursuant to Section 61(9), order a temporary prohibition on performing management duties if an order is not followed despite a deadline. For practice this means: Management that documents how it monitored and steered makes its own organization audit-capable. The records are the instrument by which the active exercise of the duty can later be proven, in the BSI audit as well as in a liability review.
Frequently Asked Questions
Each question is collapsed. Tap to reveal the answer.
Must management formally resolve on NIS2 measures?
No. Section 38 BSIG requires implementing the measures and monitoring their implementation, not approving or resolving on them. No formal resolution obligation follows from the statutory text. Records are a governance instrument for providing evidence, not a statutorily designated approval act.
Which documentation is explicitly mandatory under the BSIG?
Section 30(1) sentence 3 requires documenting compliance with the risk management measures. This is the only explicit documentation obligation with its own finable offense under Section 65. Complementarily, the effectiveness assessment under Section 30(2) number 6 and the monitoring under Section 38(1) require written trails.
How high are the fines under the BSIG?
Under Section 65 the ranges for particularly important entities are up to 10 million euros or up to 2 percent of worldwide annual turnover; for important entities up to 7 million euros or up to 1.4 percent. The turnover threshold kicks in from total turnover exceeding 500 million euros. The fines apply to the entity. Management’s personal responsibility runs through internal liability under corporate law pursuant to Section 38(2).
Must management personally participate in training?
The statutory text in Section 38(3) requires that management regularly participates in training. The words “personally” or “non-delegable” do not appear there. The obligation is addressed to the members of management as natural persons. For the audit, attendance, content, and regularity should be provable.
Editor’s Picks
Editor’s PickPart-Time CISO: What Can Be Outsourced and What Must Stay In-HouseEditor’s PickNIS2 after the deadline: Now the BSI supervision begins
More from the MBF Media Network
Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform
Image source: AI-generated (July 2026)




