SaaSFort

BSI IT-Grundschutz Bausteine for SaaS Vendors

The BSI IT-Grundschutz Kompendium contains ~100 Bausteine. These are the five that map directly to a SaaS vendor's external posture and to NIS2 Article 21 — the ones a BSI auditor will check first when your Geschäftsführer is on the hook under §38 BSIG.

The five Bausteine every SaaS vendor should know

Each card explains the Baustein, its NIS2 Article 21 anchor, and the BSI auditor's first check, and links to the canonical SaaSFort guide that already covers that ground in depth.

APP.3.1 -- Webanwendungen und Webservices

Applications

Covers the web application itself: input validation, session handling, authentication, secure deployment. The Baustein every public-facing SaaS lives under and the first thing a BSI auditor probes externally.

NIS2 anchor: Art. 21.2(e) -- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.

→ Canonical guide for APP.3.1 on saasfort.com

CON.10 -- Entwicklung von Webanwendungen

Concepts & Approaches

The secure SDLC requirement: threat modelling, secure coding standards, dependency hygiene, code review. Maps directly to what AppSec teams already do; the Baustein turns those into a BSI-auditor-acceptable artefact.

NIS2 anchor: Art. 21.2(e) -- secure development, vulnerability handling and disclosure across the application lifecycle.

→ Canonical guide for CON.10 on saasfort.com

ORP.3 -- Sensibilisierung und Schulung

Organisation & Personnel

Documented, recurring security awareness training for every employee with system access. NIS2 makes this a management-body liability (§38 BSIG); the Baustein defines what evidence the auditor expects.

NIS2 anchor: Art. 21.2(g) -- basic cyber hygiene practices and cybersecurity training.

→ Canonical guide for ORP.3 on saasfort.com

ORP.4 -- Identitäts- und Berechtigungsmanagement

Organisation & Personnel

IAM: least-privilege, joiner/mover/leaver, MFA, privileged-access management. For SaaS this is both internal (employees) and external (customer-side admins). One of the highest-leverage Bausteine for both posture and audit readiness.

NIS2 anchor: Art. 21.2(i) -- human resources security, access control policies and asset management; plus Art. 21.2(j) on multi-factor authentication.

→ Canonical guide for ORP.4 on saasfort.com

OPS.1.1.5 -- Protokollierung

Operations

Centralised, tamper-resistant logging across application, infrastructure and access. This is the detection and response capability that the NIS2 incident-reporting timelines (Art. 23) rely on; without it, the 24h early-warning deadline cannot credibly be met.

NIS2 anchor: Art. 21.2(b) + Art. 23 -- incident handling, detection, and the 24h/72h/1-month notification chain.

→ Canonical guide for OPS.1.1.5 on saasfort.com

Translate Bausteine into evidence in 60 seconds

Reading a Baustein is one thing; proving it to a BSI auditor is another. SaaSFort runs 60 external checks across 21 categories and maps every finding to NIS2 Art. 21, ISO 27001 Annex A and the relevant Bausteine above.

