
BSI Audit Letter Received? Your First 72-Hour Response Plan

BSI just sent a §29 BSIG inspection notice. Here's what to do in the first 72 hours — what to send, what to refuse, and what auditors actually look for.

SaaSFort Team
· 8 min read

A BSI letter arrives by registered post on a Tuesday morning. The header references §29 BSIG. The deadline for the first response is 14 working days. Most management boards have never seen one — and the first 72 hours determine how the rest of the inspection unfolds.

Two months after the March 6 registration deadline, BSI is no longer warning. It is inspecting. If the envelope on your desk references Auskunftsersuchen or Prüfung nach §29 BSIG, this is the playbook for the first three days.

This article assumes you received the letter today. Skip what doesn’t apply.

Hour 0 to 24: Do These Five Things, In Order

The first 24 hours are about controlling the response — not answering it. A premature reply locks you into positions you may not be able to defend later.

  1. Photograph the envelope and letter, then store the originals. The date stamp on the envelope establishes the response clock. The signed receipt of the registered post is your evidence of the start date. Keep both — auditors and lawyers will ask.
  2. Lock down internal email about the letter. No forwarding, no Slack channels named #bsi-audit. Restrict to a named distribution list: CEO/Geschäftsführer, CTO/CISO, General Counsel or external NIS2 counsel, designated NIS2 contact. Anyone else gets briefed verbally on a need-to-know basis.
  3. Engage external counsel on day one. §29 BSIG inspections are administrative law procedures with appeal rights, refusal grounds, and deadlines that interact with §32 BSIG enforcement powers. Internal legal teams without German cybersecurity-regulatory experience are not enough. Budget €5K–€15K for the first-response phase.
  4. Identify the §38 BSIG decision-maker. That is the managing director or board member who carries personal liability for the response. They need to be briefed today, not next week. The duty to approve and supervise cybersecurity measures is non-delegable — the response strategy is theirs to own. See our §38 BSIG personal-liability guide for what this actually means in practice.
  5. Do not call the listed BSI contact yet. Calls without a documented strategy create unrecorded exposures. A short written acknowledgement of receipt, sent on day 2 or 3, is the correct first contact.

What not to do in the first 24 hours: do not start preparing the substantive response, do not initiate panic remediation, do not send any document to BSI. You are organizing the response, not delivering it.

Hour 24 to 48: Decode What BSI Is Actually Asking

§29 BSIG inspection letters fall into three categories, each with different stakes and response strategies. The header and the cited authorities tell you which one you have.

Letter type                  | Cited authority                                   | What BSI wants                                                | Typical risk
-----------------------------|---------------------------------------------------|---------------------------------------------------------------|------------------------------------
Registration enforcement     | §33 BSIG (registration obligation)                | Confirmation of in-scope status + retroactive registration    | Up to €500K
Article 21 evidence request  | §29 BSIG + §30 BSIG (risk-management measures)    | Documented evidence of the 10 measures                        | Up to €10M / 2% turnover
Incident-related inspection  | §29 BSIG + §32 BSIG (enforcement)                 | Investigation of a notified or suspected incident             | Same + Art. 32(6) management ban

The category determines everything else. A registration enforcement letter usually closes within 30 days if you register and submit the requested confirmation. An Article 21 evidence request is a 60- to 120-day process. An incident-related inspection can run six months and triggers the most aggressive enforcement options.

Read the deadline language carefully

German administrative letters distinguish between Frist (binding deadline) and Bitte um Rückäußerung bis (requested response by). The first is enforceable. The second is negotiable in writing. Mixing them up is the most common first-response mistake.

If the deadline looks unreasonable, your counsel can request a Fristverlängerung — typically granted once for up to 14 days if the request is filed before the original deadline expires. A second extension is rare. Asking after the deadline has passed is no longer an extension request; it is a default.

Hour 48 to 72: Build the Evidence Inventory Now

What auditors ask for in §29 BSIG inspections is not surprising. It is the same evidence base across nearly every NIS2 audit. The advantage of starting at hour 48 is that you have time to inventory what exists before BSI reads your delivered version.

The seven evidence domains BSI consistently requests:

  1. Registration confirmation (BSI portal screenshot, registration ID, designated contact)
  2. Risk analysis under Article 21(2)(a) — methodology, scope, last update date
  3. Incident-handling procedures under Article 21(2)(b) — including the 24h/72h/1-month notification workflow. If you don’t have these documented, our free 24-hour incident notification template is the fastest place to start.
  4. Business continuity & backup under Article 21(2)(c) — RTO, RPO, last-tested date
  5. Supply chain security under Article 21(2)(d) — vendor inventory, critical-vendor risk assessments
  6. Vulnerability handling and external posture under Article 21(2)(e/f) — scan results, patch SLAs, disclosure policy
  7. Cryptography, MFA, and access control under Article 21(2)(h/i/j) — TLS configuration, MFA coverage, privileged-access reviews

The fastest way to assess where you actually stand on items 6 and 7 is an external scan. Both are externally verifiable: TLS, headers, DMARC, exposed admin panels, JavaScript CVEs. Auditors will pull this data themselves — knowing it before they do shapes your response strategy.
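As an added illustration (not part of the original article and not the SaaSFort scanner's code), the following Python snippet shows the shape of such an externally verifiable baseline for items 6 and 7: it parses a DMARC TXT record and a set of HTTP response headers and tags each finding with the evidence-inventory item it feeds. The sample inputs are constructed, and the mapping of DMARC/CSP to item 6 (Article 21(2)(e/f)) and HSTS to item 7 (Article 21(2)(h)) is an assumption made for the example.

```python
import re
from dataclasses import dataclass
# Constructed sample inputs (not real data): one DMARC TXT record and the response headers of a hypothetical web front end.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid; pct=100"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}

@dataclass
class Finding:
    check: str    # what was tested
    item: str     # evidence-inventory item / Article 21(2) letter it feeds (assumed mapping)
    passed: bool
    detail: str

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; {} if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def check_dmarc(txt):
    """Pass only with an enforcing policy (quarantine/reject) and aggregate reporting (rua)."""
    tags = parse_dmarc(txt)
    if not tags:
        return Finding("DMARC", "item 6 / 21(2)(e,f)", False, "no valid DMARC record")
    policy, has_rua = tags.get("p", "none").lower(), "rua" in tags
    ok = policy in ("quarantine", "reject") and has_rua
    return Finding("DMARC", "item 6 / 21(2)(e,f)", ok, f"p={policy}, rua={'yes' if has_rua else 'no'}")

def check_headers(headers):
    """HSTS feeds the TLS evidence (item 7); CSP feeds external posture (item 6)."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts, csp = h.get("strict-transport-security", ""), h.get("content-security-policy", "")
    m = re.search(r"max-age=(\d+)", hsts)
    hsts_ok = bool(m) and int(m.group(1)) >= 31536000   # at least one year
    return [
        Finding("HSTS", "item 7 / 21(2)(h)", hsts_ok, hsts or "missing"),
        Finding("CSP", "item 6 / 21(2)(e,f)", bool(csp), csp or "missing"),
    ]

def evidence_baseline(dmarc_txt, headers):
    """All findings plus the inventory items that currently have at least one gap."""
    findings = [check_dmarc(dmarc_txt)] + check_headers(headers)
    gaps = sorted({f.item for f in findings if not f.passed})
    return findings, gaps
```

With the constructed sample, the p=none DMARC policy is the only gap, so item 6 is flagged while the HSTS and CSP findings pass.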

Run a free SaaSFort scan — 66 deterministic checks across 25 categories, no signup required. The output maps directly to Article 21(2) measures and exports as a downloadable NIS2 PDF.

For a structured walkthrough of all seven evidence domains, see our NIS2 audit preparation evidence guide. For a fillable inventory format, the NIS2 Article 21 self-audit Excel template covers all 10 measures with status, priority, owner, and deadline columns.

What BSI Cannot Compel

§29 BSIG grants BSI broad inspection rights. It does not grant unlimited access. Three boundaries matter:

  • Attorney-client privilege on legal advice obtained for the inspection itself is preserved. Internal legal memos analyzing the letter are protected.
  • Operational-data exfiltration beyond what is necessary to verify Article 21 compliance is contestable. BSI can request evidence of measures, not bulk customer data.
  • Self-incrimination on incidents not yet notified under Article 23 has limits. If the inspection surfaces an unreported significant incident, the company gains a 24-hour window from the moment of awareness — typically counted from BSI raising it, with counsel argument.

Refusal grounds must be invoked in writing, with citation. “We won’t share that” without legal basis converts a routine inspection into an enforcement procedure under §32 BSIG. Use refusal sparingly and with counsel sign-off.

What to Send in the First Written Response

Day 3 to day 7 is when the first written response leaves your office. The content depends on letter type, but the structure should match BSI’s bureaucratic expectations:

  • Acknowledgement of receipt with date and reference number
  • Confirmation of designated contact (name, role, direct contact)
  • Status of registration obligation (already registered → cite registration ID; not yet registered → cite remediation date and BSI portal confirmation)
  • Statement on Article 21 readiness — generally framed as “implementation in progress per §30 BSIG with expected completion by [date]” rather than absolute claims
  • Request for procedural clarifications if the letter is ambiguous — written questions force BSI to commit to scope in writing

The one thing not to do: never claim full Article 21 compliance unless the evidence base is already audit-ready, with sourced documents, dated signatures, and external validation. False claims in §29 BSIG correspondence are a separate offense under §32 BSIG.

What to Do This Week

Pulling the threads together, the seven concrete actions for the first week:

  1. Lock down the response group and engage external counsel (Day 1).
  2. Categorize the letter type and its cited authorities (Day 2).
  3. Inventory existing Article 21 evidence — what you have, what’s missing (Day 2–3).
  4. Run an external scan to baseline externally verifiable measures (free scan, Day 3).
  5. Draft the first written response with counsel review (Day 4–5).
  6. Confirm registration status (if not registered, register the same week — see our registration enforcement guide).
  7. Brief management under §38 BSIG with documented meeting record (Day 5–7).

If the letter cites incident-related authorities (§32 BSIG, Article 32 NIS2), the timeline compresses. Our NIS2 incident reporting setup guide covers the full 24h/72h/1-month notification workflow that auditors will benchmark your response against.

FAQ

Can I just register now and the letter goes away?

Sometimes. Registration enforcement letters often close once you complete registration and submit confirmation. Article 21 evidence requests do not — they are independent of registration status and continue regardless.

How much does a §29 BSIG inspection typically cost the company?

External counsel for a routine Article 21 inspection runs €15K–€60K over 60–120 days. Add €10K–€40K for external scanning, evidence consolidation, and any required remediation work. Incident-related inspections typically run 2–3× higher.

Should the CEO respond directly to BSI?

No. The designated NIS2 contact responds. The CEO/Geschäftsführer is the §38 BSIG accountable party but not the operational respondent. Direct CEO correspondence with BSI without counsel is a frequent escalation trigger.

Does receiving a §29 BSIG letter mean fines are coming?

Not automatically. §29 BSIG is an inspection authority, not a fine notice. Fines under §32 BSIG follow only if the inspection identifies non-compliance with measures or registration. A clean inspection closes with no fine.

What if my company is a sub-50-person SaaS vendor and BSI sent the letter to my enterprise customer, who is now demanding evidence from us?

This is the supply-chain cascade. You are not the directly inspected entity, but your customer’s Article 21(2)(d) obligation pulls evidence from you. Treat the customer’s request as a soft inspection — the NIS2 supply chain compliance guide covers the standard evidence package.

Is there a difference between a Prüfung and an Auskunftsersuchen?

Yes. Auskunftsersuchen is a request for information — typically the registration enforcement category. Prüfung is a full inspection — typically Article 21 evidence or incident-related. The header word changes the scope and the response strategy. Verify which one you have on day one.


The fastest baseline you can give your counsel and your management board on day one is an external scan. Run a free SaaSFort scan — 66 checks across SSL, DNS, headers, OWASP, and email authentication, mapped to Article 21(2) measures. NIS2 PDF export included. New accounts get a 14-day Growth trial automatically. For internal preparation, the NIS2 Article 21 self-audit template walks all 10 measures in a single spreadsheet. Download our free SaaS Security Playbook 2026 for the complete framework.
