
BSI IT-Grundschutz: Complete Guide 2026 (Grundschutz++, Certification, Requirements)
BSI IT-Grundschutz explained: 111 building blocks, BSI Standards 200-1 to 200-4, Grundschutz++ reform from January 2026, certification process, NIS2 link, and costs for German authorities and companies.
If you operate a German federal authority, run a critical infrastructure (KRITIS) organization, or fall under the new NIS2 Implementation Act as an important or essential entity, BSI IT-Grundschutz is no longer just a best-practice recommendation — it is the reference framework many German organizations will be measured against. With the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) entering into force on 6 December 2025, IT-Grundschutz has taken on greater legal and operational significance across the German public sector.
At the same time, the BSI is fundamentally reforming IT-Grundschutz. Grundschutz++ is being phased in from 2026 with a multi-year transition period. This guide explains everything authorities, companies, and compliance professionals need to know in 2026: the Compendium's structure, the four BSI standards, the certification process, the Grundschutz++ reform, costs, the NIS2 link, and practical implementation steps.
What Is BSI IT-Grundschutz?
BSI IT-Grundschutz is the information security framework developed by Germany's Federal Office for Information Security (BSI — Bundesamt für Sicherheit in der Informationstechnik) for the systematic construction and operation of information security in authorities and companies. Its goal is to build an Information Security Management System (ISMS) that provides concrete protective measures for typical IT systems, business processes, and infrastructures.
Continuously developed since the 1990s, IT-Grundschutz is today:
- The main reference framework for German federal authorities under the post-December 2025 regime
- A recognized methodology for operationalizing NIS2-related risk management expectations (§30 BSIG)
- The foundation for an ISO 27001 certification based on IT-Grundschutz (combined certificate)
- A proven tool for German SMEs (SME-friendly baseline protection)
The current IT-Grundschutz Compendium Edition 2023 includes 111 building blocks across ten thematic layers and remains the certification-relevant foundation until Grundschutz++ is fully introduced.
The IT-Grundschutz Compendium: 111 Building Blocks in 10 Layers
The Compendium structures security requirements into modular building blocks (Bausteine) applied to specific system types, processes, and infrastructure components. The ten layers are:
| Layer | Code | Content |
|---|---|---|
| Security Management | ISMS | Building and operating the ISMS |
| Organization and Personnel | ORP | Organizational structure, roles, awareness |
| Concepts and Approaches | CON | Data backup, cryptography, data protection |
| Operations | OPS | Patch management, logging, incident response |
| Detection and Response | DER | Monitoring, vulnerability management, forensics |
| Networks and Communication | NET | Network architecture, segmentation, WLAN |
| Infrastructure | INF | Data centers, server rooms, office spaces |
| IT Systems | SYS | Servers, clients, mobile devices, IoT |
| Industrial IT | IND | SCADA, OT/ICS, industrial controls |
| Applications | APP | Web applications, Office, email, databases |
Each building block contains:
- Threat landscape (typical threats for this component type)
- Requirements (BASIC, STANDARD, HIGH PROTECTION NEEDS)
- Implementation guidance (practical step-by-step instructions)
- Cross-references to ISO 27001, GDPR, and other standards
The Four BSI Standards 200-1 to 200-4
The framework relies on four interconnected BSI standards:
| Standard | Title | Content |
|---|---|---|
| BSI Standard 200-1 | Information Security Management | Building and operating an ISMS aligned with ISO 27001 |
| BSI Standard 200-2 | IT-Grundschutz Methodology | Approach for protection needs analysis and modelling |
| BSI Standard 200-3 | Risk Analysis | Supplementary risk analysis for high protection needs |
| BSI Standard 200-4 | Business Continuity Management | BCM processes, contingency planning, crisis management |
These standards define how IT-Grundschutz is implemented — the Compendium defines what must be implemented.
Three Implementation Approaches: Baseline, Standard, and Core Protection
BSI IT-Grundschutz offers three scalable implementation approaches for different organizational sizes and risk profiles:
1. Baseline Protection (Basisabsicherung)
Baseline protection addresses fundamental security measures with minimal effort. Suitable for:
- SMEs and startups with limited resources
- Organizations building their first structured security framework
- A stepping stone before full standard protection
Scope: Only BASIC requirements of all relevant building blocks. No full IT-Grundschutz certification is possible, but the BSI issues an attestation (Testat).
2. Standard Protection (Standardabsicherung)
Standard protection is the complete IT-Grundschutz implementation and the basis for an ISO 27001 certification based on IT-Grundschutz. It includes:
- BASIC and STANDARD requirements of all relevant building blocks
- Full protection needs analysis
- Modelling of the information domain
Suitable for: Medium and large organizations, federal authorities, KRITIS operators.
3. Core Protection (Kernabsicherung)
Core protection focuses on the organization's crown jewels, its most business-critical assets and processes, and secures them at the highest level. Suitable for:
- Highly sensitive areas (classified data, critical infrastructure)
- Organizations with high protection needs per BSI Standard 200-3
Grundschutz++: The Reform from January 2026
The BSI has fundamentally reformed IT-Grundschutz. Under the name Grundschutz++, the previous PDF-based Compendium is being replaced by a fully machine-readable, process-oriented ruleset.
Key Changes
| Feature | Current Compendium | Grundschutz++ |
|---|---|---|
| Format | PDF documents | Machine-readable JSON |
| Requirements scope | ~1,000 requirements | Significantly reduced (BSI target: up to 80% fewer requirements) |
| Structure | Building blocks by IT component | Process-oriented |
| Automation | Limited | Fully automatable |
| Measurability | Manual | CIA-triad scores per requirement |
| Availability | Static documents | GitHub repository (since 29 Sept 2025) |
Timeline
- September/October 2025: Publication of Grundschutz++ preview as "state-of-the-art library" on GitHub (BSI GitHub: BSI-Bund/Stand-der-Technik-Bibliothek)
- 1 January 2026: Official Grundschutz++ launch
- Until 2029: Transition period — old Compendium and Grundschutz++ can be used in parallel
- From 2029: Full replacement of the current Compendium (planned)
What Does This Mean for Ongoing Projects?
For ongoing certifications and authorities currently building standard protection: Compendium Edition 2023 remains fully valid and certification-relevant until 2029. You do not need to switch to Grundschutz++ immediately.
For new projects from 2026: It is advisable to evaluate Grundschutz++ in parallel and plan migration early to use the transition period efficiently.
IT-Grundschutz Certification: Step by Step
A full IT-Grundschutz certification (ISO 27001 certificate based on IT-Grundschutz) runs through seven main phases:
Step 1: Initiation and Structural Analysis
Define the information domain (Informationsverbund): which business processes, IT systems, rooms, and communication connections are in scope. Appoint the Information Security Officer (ISB — Informationssicherheitsbeauftragter).
Step 2: Protection Needs Analysis
Assess the protection needs of each component in the information domain with regard to confidentiality, integrity, and availability (CIA triad). The result determines which building blocks and requirement levels apply.
Step 3: Modelling the Information Domain
Assign the relevant IT-Grundschutz building blocks to each target object. This is the IT-Grundschutz modelling — it defines which of the 111 building blocks apply to your organization.
Step 4: IT-Grundschutz Check (Gap Analysis)
For each applied building block, verify whether requirements are met. Unmet requirements are documented as deficiencies (Mängel).
Step 5: Risk Analysis (for High Protection Needs)
If certain target objects have high protection needs, a supplementary risk analysis is conducted per BSI Standard 200-3.
Step 6: Implementation of Security Measures
Remediate all documented deficiencies. Prioritize by risk and available resources. Document implementation for the audit.
Step 7: Certification Audit by BSI-Approved Auditor
A BSI-approved external auditor (certification body) verifies full implementation. The ISO 27001 certificate based on IT-Grundschutz is issued after a successful audit and is valid for three years. Annual surveillance audits are required.
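As an added illustration of steps 2 to 5 above (not BSI material or code from this guide): a small Python model that derives an object's overall protection need from its CIA ratings, applies the requirement levels of the chosen approach, lists deficiencies, and flags where a BSI Standard 200-3 risk analysis is triggered. DER.2.1 and OPS.2.3 are real block codes named in this guide; the requirement ids, their levels, and the two target objects are constructed placeholders, not the Compendium's actual content.

```python
# Added example (not BSI material): a toy model of steps 2 to 5 above. Block
# codes are from the guide; requirement ids and levels are constructed placeholders.
from dataclasses import dataclass, field

RANK = {"normal": 0, "high": 1, "very high": 2}
LEVELS = {"baseline": {"BASIC"}, "standard": {"BASIC", "STANDARD"},
          "core": {"BASIC", "STANDARD", "HIGH"}}
# Constructed mini-ruleset: building block -> [(requirement id, level)]
RULESET = {
    "DER.2.1": [("DER.2.1.A1", "BASIC"), ("DER.2.1.A5", "STANDARD"),
                ("DER.2.1.A9", "HIGH")],
    "OPS.2.3": [("OPS.2.3.A1", "BASIC"), ("OPS.2.3.A4", "STANDARD")],
}

@dataclass
class TargetObject:
    name: str
    cia: dict        # step 2: {"C": need, "I": need, "A": need}
    blocks: list     # step 3: modelled building blocks
    met: set = field(default_factory=set)  # requirements already implemented

def protection_need(obj):
    """Step 2: the object's overall need is the highest of C, I and A."""
    return max(obj.cia.values(), key=RANK.__getitem__)

def needs_risk_analysis(obj):
    """Step 5 trigger: high or very high need calls for BSI Standard 200-3."""
    return RANK[protection_need(obj)] >= RANK["high"]

def applicable(obj, approach):
    """Steps 3/4: requirement ids that apply under the chosen approach.
    Simplification: standard protection adds HIGH requirements only for
    objects with elevated protection needs; core protection always does."""
    levels = set(LEVELS[approach])
    if approach == "standard" and needs_risk_analysis(obj):
        levels.add("HIGH")
    return sorted(r for b in obj.blocks for r, lvl in RULESET[b] if lvl in levels)

def grundschutz_check(obj, approach):
    """Step 4: applicable but unmet requirements are deficiencies (Mängel)."""
    return [r for r in applicable(obj, approach) if r not in obj.met]

def report(objects, approach):
    return {o.name: {"need": protection_need(o), "risk_analysis": needs_risk_analysis(o),
                     "deficiencies": grundschutz_check(o, approach)} for o in objects}

# Constructed information domain: a SIEM and an outsourced MSP service
DOMAIN = [TargetObject("SIEM", {"C": "high", "I": "normal", "A": "normal"},
                       ["DER.2.1"], {"DER.2.1.A1", "DER.2.1.A5"}),
          TargetObject("MSP service", {"C": "normal", "I": "normal", "A": "normal"},
                       ["OPS.2.3"], {"OPS.2.3.A1"})]
```

Running `report(DOMAIN, "standard")` shows the SIEM owing its HIGH requirement and needing a 200-3 risk analysis, while the MSP service only owes its STANDARD requirement; the same domain under "baseline" reports no deficiencies at all.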
BSI IT-Grundschutz vs. ISO 27001: Differences and Similarities
| Dimension | BSI IT-Grundschutz | ISO 27001:2022 |
|---|---|---|
| Origin | German BSI | International (ISO/IEC) |
| Approach | Catalogue-based (building blocks) | Risk-based (Annex A) |
| Detail level | Very high (concrete measures) | Medium (principles, risk-oriented) |
| Certification | ISO 27001 + IT-Grundschutz attestation | ISO 27001 |
| Authority mandate (DE) | Yes (federal administration) | No |
| Geographic scope | Primarily Germany | Worldwide |
| Automation | From 2026 (Grundschutz++) | Limited |
| Control overlap | >80% with ISO 27001 | — |
Recommendation for German companies: Organizations already certified under ISO 27001 can obtain the combined IT-Grundschutz certificate with manageable additional effort. The modelling and IT-Grundschutz check add concrete German requirements to existing ISMS structures — a clear advantage for SMEs and authorities compared to a purely risk-based ISO approach.
BSI IT-Grundschutz and NIS2: Direct Connection
With the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which entered into force on 6 December 2025, BSI IT-Grundschutz has gained new legal significance:
Obligations for Federal Authorities
- All federal administrative bodies must implement risk management measures based on IT-Grundschutz (not just ministries as before)
- Introduction of the CISO Bund as a cross-departmental leadership role
- Compliance with BSI minimum standards is mandatory
KRITIS Registration
KRITIS operators automatically qualify as essential entities and were required to register with the BSI by 6 March 2026 (BSI portal activated on 6 January 2026).
NIS2 Penalties
For essential entities: up to €10 million or 2% of global annual turnover (whichever is higher). IT-Grundschutz implementation can provide strong evidence that your organization has implemented the kinds of technical and organizational measures expected under §30 BSIG.
Incident Reporting Obligations
The NIS2UmsuCG requires incident reporting: an initial notification within 24 hours, followed by a detailed follow-up report within 72 hours. IT-Grundschutz building block DER.2.1 (Security Incident Handling) supports the response processes organizations need for that reporting model.
Costs and Timeline: Realistic Estimates
| Approach | Organization size | Typical costs | Timeline |
|---|---|---|---|
| Baseline protection | Small (< 50 employees) | €10,000–€30,000 | 3–6 months |
| Standard protection | Medium (50–500 employees) | €50,000–€150,000 | 12–18 months |
| Core protection (critical assets) | Large (> 500 employees) | €100,000–€300,000 | 18–24 months |
| ISO 27001 + IT-Grundschutz (parallel) | Medium | €60,000–€200,000 | 12–24 months |
Savings with existing ISO 27001: 20–40% reduction in preparation costs by leveraging existing ISMS documentation, policies, and evidence.
Ongoing costs: Annual surveillance audits (approx. €5,000–€20,000), internal effort for monitoring, training, and documentation maintenance.
How Orbiq Supports IT-Grundschutz Implementation
IT-Grundschutz is documentation-intensive — from the protection needs analysis and modelling through to the IT-Grundschutz check. Orbiq simplifies this process:
Continuous monitoring. Orbiq automatically collects technical evidence from your systems — access logs, patch status, configuration baselines — eliminating manual evidence gathering for the IT-Grundschutz check and NIS2 reporting obligations.
Vendor risk management. AI-powered questionnaire automation supports IT-Grundschutz requirements from building block OPS.2.3 (Outsourcing Use) and NIS2 Article 21 directly.
Trust Center for authorities and partners. The Trust Center Platform allows you to share IT-Grundschutz status and security evidence in a structured way with contracting authorities and auditors.
EU data residency. Orbiq processes all data exclusively in European infrastructure — no CLOUD Act exposure for your compliance documentation.
Practical IT-Grundschutz Checklist 2026
- Appoint ISB — Information Security Officer with sufficient resources and a direct reporting line to senior management
- Define information domain — Set scope: business processes, IT systems, infrastructure, communication connections
- Protection needs analysis — CIA assessment for all components in the information domain
- Modelling — Assign building blocks from the Compendium
- IT-Grundschutz check — Target/actual comparison, document deficiencies
- Risk analysis (BSI Standard 200-3) — Conduct supplementary risk analysis for high protection needs
- Remediation plan — Prioritized implementation of missing requirements
- NIS2 registration check — KRITIS operators and important/essential entities must be registered with the BSI
- Set up incident reporting system — 24h initial notification, 72h follow-up report per NIS2UmsuCG
- Plan Grundschutz++ migration — Prepare transition to new framework ahead of 2029 deadline
- Initiate certification audit — Contact BSI-approved certification body (TÜV, DQS, etc.)
Related Reading
- EU Compliance Software: Complete Buyer's Guide
- ISO 27001 Certification Guide
- What Is an ISMS?
- NIS2 Compliance Guide
- TISAX Compliance Guide
- DORA Compliance Guide