SaaSFort
BSI deadline passed 6 March 2026

Got a BSI audit letter? Here is what to send back.

17,500 German companies missed the NIS2 registration deadline. If yours is one of them and a BSI letter just landed, you have days, not weeks. Free response template + 60-second posture scan to put dated, structured evidence in your reply.

EN template first. German version follows. Operational template, not legal advice.

Free download

BSI Audit Letter Response Template

PDF + DOCX. Structured around NIS2 Article 21 measures.

What is in the pack

  • Acknowledge receipt in writing

    A short, factual confirmation that you received the letter. Buys you the rest of the response window without admitting anything operational.

  • Run an external posture scan

    BSI auditors look at what attackers see from outside first. A timestamped grade + control mapping is the single fastest piece of credible evidence you can produce.

  • Attach a NIS2/ISO 27001 control mapping

    The response template is built around the same Article 21 measures the BSI letter references. Mapped, not narrative.

  • Document demonstrable progress

    BSI has said it expects "demonstrable implementation progress", not perfection. Show what is fixed, what is in flight, and the dated next step.

One email, no marketing list. The pack lands in your inbox in under a minute.

Step 2: produce the dated evidence for Annex A

The template asks you to attach evidence of your external posture. A SaaSFort scan delivers that in 60 seconds: A-F grade, NIS2 Article 21 control mapping, downloadable PDF you attach directly.

Run the free posture scan

No account. No card. Result in 60 seconds.

A first-week plan

If the letter landed this morning, this is the minimum credible response on the timeline BSI expects.

  1. Acknowledge the letter (Day 1)

    Use the response template as a starting point. Confirm receipt; commit to a detailed response by the BSI-stated deadline.

  2. Run the SaaSFort scan (Day 1-2)

    60 seconds, free, no card. Generates a posture grade + NIS2 Article 21 control mapping you can attach as Annex A.

  3. Draft the response (Day 3-5)

    Fill the template against your actual posture: what is compliant, what is partial, what is a gap, what is in remediation with a date.

  4. Send + keep the file (Day 5-7)

    Submit. Keep the dated evidence pack (scan PDF + control mapping + response letter) in the same folder. This becomes your §38 BSIG oversight evidence.

Common questions

Is this legal advice?
No. This is an operational response template based on the structure of NIS2 Article 21 + BSI guidance. Heavy disclaimer in the template. For a definitive legal answer, talk to your Datenschutzbeauftragter or a specialised lawyer; the template is meant to get you to a credible first draft fast.
Who is this for?
German entities that received (or expect to receive) a BSI letter referencing NIS2 registration, Article 21 measures, or §8a/§8b BSIG. Geschäftsführer, CISO, Compliance Officer, IT lead -- anyone who needs to send something credible back this week.
What does the SaaSFort scan add?
A timestamped, deterministic external-posture grade (A-F), NIS2 Article 21 control mapping, and a downloadable PDF you attach to your response as Annex A. Auditors prefer dated machine-generated evidence over narrative attestation.
Will BSI accept this?
The template mirrors the structure BSI guidance asks for (state of measures + evidence + roadmap). It is not a substitute for actually having the measures. It is a structured way to communicate what you have, what is a gap, and what is in progress -- which BSI has publicly said it expects.

Need to talk this through? Contact us. Looking for ongoing posture monitoring? See plans (from EUR9/mo).