SaaSFort
NIS2, BSI & ISO 27001 -- Plain-Language Glossary

30 terms every SaaS vendor selling into the EU should be able to define. Sourced from the directive texts, BSI publications and ISO/IEC 27001:2022. Updated 2026-05-17.

NIS2 Directive -- Core Terms

The NIS2 Directive (EU 2022/2555) raised cybersecurity baseline obligations for ~160,000 EU entities. These are the terms a SaaS vendor cannot ignore.

NIS2 Directive (NIS2)
EU Directive 2022/2555 on measures for a high common level of cybersecurity, replacing NIS1. Sets minimum security and incident-reporting requirements across 18 sectors (11 in Annex I, 7 in Annex II). Member-state transposition was due 17 October 2024; Germany transposed it via the NIS-2-Umsetzungsgesetz (BSIG amendment), in force since December 2025, which is why the German registration deadline fell on 6 March 2026.
Essential entity
A NIS2-scoped organisation in a high-criticality (Annex I) sector (energy, transport, banking, health, digital infrastructure, etc.) that is a large enterprise: ≥250 employees, or >€50M turnover and >€43M balance-sheet total. Subject to proactive (ex-ante) supervision, on-site audits and fines up to €10M or 2% of global annual turnover, whichever is higher. → How to prepare for a NIS2 audit
Important entity
A NIS2-scoped organisation in an Annex I or Annex II sector that does not qualify as essential -- typically medium-sized (50-249 employees, or €10-50M turnover), plus large enterprises in the Annex II "other critical" sectors. Subject to reactive (ex-post) supervision and fines up to €7M or 1.4% of global annual turnover, whichever is higher.
NIS2 Article 21 (Art. 21)
The ten cybersecurity risk-management measures in Art. 21(2) that every in-scope entity must implement: (a) risk analysis and information-system security policies, (b) incident handling, (c) business continuity (backups, disaster recovery, crisis management), (d) supply-chain security, (e) security in acquisition, development and maintenance of systems, including vulnerability handling and disclosure, (f) policies to assess the effectiveness of the measures, (g) basic cyber hygiene and training, (h) cryptography and encryption, (i) HR security, access control and asset management, (j) MFA or continuous authentication plus secured communications. → Art. 21 self-audit
NIS2 Article 23 (Art. 23)
The incident-reporting obligation: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification was submitted (intermediate reports on request; a progress report instead if the incident is still ongoing) -- to the national CSIRT or competent authority. → 24h notification template
Significant incident
Under NIS2 Art. 23(3), an incident is "significant" when it has caused (or is capable of causing) severe operational disruption of services or financial loss for the entity, or has affected (or is capable of affecting) other natural or legal persons by causing considerable material or non-material damage. Triggers the 24h/72h/one-month reporting chain.
Supply-chain security (Art. 21(2)(d))
The NIS2 obligation to assess and manage risks from direct suppliers and service providers, including software providers. Enterprise buyers translate this into vendor security questionnaires sent to SaaS providers. → Supply-chain vendor compliance
Management body liability (Art. 20)
NIS2 requires the management body of in-scope entities to approve the risk-management measures, oversee their implementation and undergo regular training; it can be held liable for infringements. As an enforcement measure of last resort against essential entities, authorities can request a temporary ban on natural persons with CEO- or legal-representative-level responsibilities (Art. 32(5)(b)). → §38 BSIG personal liability
CSIRT
Computer Security Incident Response Team -- the national body designated under NIS2 Art. 10 to receive incident notifications. In Germany, the BSI operates the national CSIRT for in-scope entities.
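The Art. 23 and "significant incident" entries above describe a chain of deadlines whose clocks do not all start at the same moment: the 24h and 72h clocks run from the time the entity becomes aware, but the one-month final-report clock runs from the time the 72h notification is actually submitted, and an incident still ongoing at that point turns the final report into a progress report with a fresh one-month clock after handling (Art. 23(4)(e)). The following is an added example, not SaaSFort's code, showing that chain as a small planner. It assumes timezone-aware UTC timestamps and reads "one month" as the same calendar day in the following month, clamped to that month's last day; the directive does not define "month" more precisely, so confirm the convention with your competent authority.

```python
"""NIS2 Art. 23(4) reporting-deadline planner (added example, not SaaSFort's code).

Assumptions (not from the directive text):
  * all timestamps are timezone-aware UTC datetimes;
  * "one month" = same day next month, clamped to the last day of that month.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def add_one_month(t: datetime) -> datetime:
    """Same day-of-month one month later, clamped to the month's length
    (31 Jan -> 28 Feb in a non-leap year)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime            # Art. 23(4)(a): 24 h from awareness
    incident_notification: datetime    # Art. 23(4)(b): 72 h from awareness
    notification_late: bool            # notification submitted after the 72 h deadline
    progress_report: datetime | None   # Art. 23(4)(e): only if incident still ongoing
    final_report: datetime             # Art. 23(4)(d)/(e): one month after notification/handling


def deadlines(
    aware_at: datetime,
    notification_submitted_at: datetime | None = None,
    incident_handled_at: datetime | None = None,
) -> ReportingDeadlines:
    """Compute the reporting chain for one significant incident.

    notification_submitted_at: when the 72 h notification was (or will be) sent;
        defaults to the deadline itself, i.e. the latest compliant moment.
    incident_handled_at: when the incident was brought under control, if known.
        If that is after the planned final-report date, the directive requires a
        progress report at that date and a final report one month after handling.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    submitted = notification_submitted_at or notification
    # The one-month clock starts when the notification is submitted, not at awareness.
    final_report = add_one_month(submitted)
    progress_report = None
    if incident_handled_at is not None and incident_handled_at > final_report:
        progress_report = final_report
        final_report = add_one_month(incident_handled_at)
    return ReportingDeadlines(
        early_warning=early_warning,
        incident_notification=notification,
        notification_late=submitted > notification,
        progress_report=progress_report,
        final_report=final_report,
    )


if __name__ == "__main__":
    # Constructed scenario: awareness on 30 Jan, notification sent early on 31 Jan,
    # incident only handled mid-March, so the final report shifts to mid-April.
    aware = datetime(2026, 1, 30, 0, 0, tzinfo=timezone.utc)
    plan = deadlines(
        aware,
        notification_submitted_at=datetime(2026, 1, 31, 12, 0, tzinfo=timezone.utc),
        incident_handled_at=datetime(2026, 3, 15, 9, 0, tzinfo=timezone.utc),
    )
    for name, value in vars(plan).items():
        print(f"{name:22s} {value}")
```

Two details worth noticing in the output: submitting the notification early moves the final-report date earlier too (31 Jan plus one month clamps to 28 Feb 2026), and a notification sent after the 72h mark is flagged rather than rejected, because a late notification still starts the one-month clock.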

German BSI & IT-Grundschutz Terms

Germany layers its own concepts on top of NIS2: §38 BSIG personal liability, IT-Grundschutz methodology, BSI registration. These terms matter for any SaaS vendor selling into the DACH market.

BSI
Bundesamt für Sicherheit in der Informationstechnik -- Germany's federal cybersecurity authority. Operates the NIS2 registration portal, the national CSIRT, and publishes the IT-Grundschutz catalogues. The BSI is the supervisory authority for NIS2 in Germany.
§38 BSIG
The section of the amended BSI-Gesetz codifying the duties and personal liability of the management (Geschäftsleitung) of NIS2 in-scope entities: they must approve and oversee the risk-management measures and complete regular training, and the duty cannot be fully delegated, so documented training records and approval decisions are the evidence auditors look for. The entity faces fines up to €10M / 2% of global turnover, and enforcement can include temporary management bans. → CEO liability deep-dive
BSI IT-Grundschutz
BSI's structured methodology for information-security management. Combines a standardised process (BSI Standards 200-1/2/3) with a catalogue of "Bausteine" (modules) covering technical, organisational and physical controls. Often used as the German implementation path to ISO 27001 + NIS2 Art. 21. → IT-Grundschutz for SaaS
Baustein
A module in the BSI IT-Grundschutz catalogue (Kompendium) covering one topic (e.g. APP.3.1 Web Applications and Web Services, NET.1.1 Network Architecture and Design). Each Baustein lists threats and concrete requirements at three levels: Basis (basic), Standard, and requirements for elevated protection needs (erhöhter Schutzbedarf).
BSI Meldepflicht
The German mandatory registration and incident-notification regime under the amended BSIG (strictly, registration is the Registrierungspflicht and incident reporting the Meldepflicht; the two are commonly lumped together). NIS2-scoped entities must register with the BSI via the Meldeportal and notify significant incidents on the Art. 23 timelines. The registration window closed 6 March 2026 -- ~17,500 of 29,500 expected entities missed the deadline. → Registration deadline missed
BSI Prüfungsanordnung
A formal audit order issued by the BSI to a NIS2-supervised entity. Triggers a 72-hour clock to assemble evidence: security posture documentation, incident logs, training records, supply-chain risk assessments. → 72-hour response plan
KRITIS
Kritische Infrastrukturen -- the German sectoral framework for critical infrastructure operators (energy, water, finance, health, etc.). Predates NIS2 and is now overlaid with the NIS2 essential-entity tier. KRITIS thresholds are defined in the BSI-Kritisverordnung.

ISO 27001 & Annex A Terms

ISO/IEC 27001:2022 is the international information-security management standard most enterprise buyers expect from their SaaS vendors. These terms appear in every Annex A audit.

ISO/IEC 27001:2022
The international standard for an Information Security Management System (ISMS). The 2022 revision restructured Annex A from 114 controls (across 14 clauses) into 93 controls organised in 4 themes: organisational, people, physical, technological. → ISO 27001 cert guide
ISMS
Information Security Management System -- the documented set of policies, procedures, controls and risk-management processes a certified organisation operates to manage information security. ISO 27001 specifies its requirements.
Annex A (ISO 27001:2022)
The reference control set of ISO 27001 -- 93 controls grouped into 4 themes (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological). The Statement of Applicability declares which controls apply and how they are implemented.
Statement of Applicability (SoA)
A mandatory ISO 27001 document listing every Annex A control, whether it applies, its justification, and its implementation status. Auditors review the SoA on every certification and surveillance audit.
Risk treatment plan
The ISO 27001 deliverable mapping each identified risk to a treatment decision (mitigate / accept / transfer / avoid) and to the specific Annex A controls implemented. Required evidence for certification.
Surveillance audit
Annual external audit performed by the certification body between ISO 27001 recertification cycles (full recertification every 3 years). Verifies the ISMS continues to operate effectively.

SaaS Vendor Compliance & Posture Terms

The cross-cutting terms that show up in vendor security questionnaires, procurement reviews and trust pages.

External Attack Surface Management (EASM)
The discipline of continuously discovering, inventorying and monitoring an organisation's internet-facing assets (domains, certificates, headers, exposed services) from an outside-in perspective. Distinct from internal SAST/SCA -- EASM is what attackers and external auditors see first. → EASM for SaaS
Security posture score
A single, defensible metric summarising an entity's external security state -- for SaaSFort, the A-F grade computed as (passed_checks / 60) × 100. Used in trust pages, vendor questionnaires and board-level reporting. → Get your grade
Vendor security questionnaire
A standardised set of security-control questions (SIG, CAIQ, custom buyer questionnaire) sent by enterprise buyers to SaaS vendors during procurement. ~67% of B2B deals require one; answering well can shorten sales cycles by weeks. → Questionnaire response guide
SIG questionnaire
Standardized Information Gathering -- the Shared Assessments programme's vendor-risk questionnaire (SIG Core, SIG Lite). Widely used in financial services and enterprise procurement. → SIG response guide
CAIQ v4
Consensus Assessment Initiative Questionnaire (CSA STAR) -- the cloud-specific vendor security self-assessment maintained by the Cloud Security Alliance, aligned to the Cloud Controls Matrix. → CAIQ self-assessment
Trust page / trust centre
A vendor-published page surfacing security posture, certifications, sub-processors and incident history. Increasingly expected as a procurement entry point; pairs well with a public security grade or badge. → Trust badge playbook
DORA
EU Digital Operational Resilience Act (Regulation 2022/2554) -- financial-sector regulation applicable since 17 January 2025, focused on ICT risk management, incident reporting, digital operational resilience testing and oversight of third-party ICT providers. Overlaps with NIS2 for financial entities (DORA takes precedence as lex specialis); supervised in Germany by BaFin. → DORA vs NIS2
SOC 2 Type II
An AICPA attestation report covering the design and operating effectiveness of a service organisation's controls against the Trust Services Criteria (Security, plus optionally Availability, Processing Integrity, Confidentiality, Privacy) over an observation period (typically 6-12 months, minimum 3). The de facto US enterprise-procurement baseline. → SOC 2 Type II guide

From definition to evidence in 60 seconds

Reading about NIS2 Art. 21 controls is one thing -- proving you implement them to an auditor or enterprise buyer is another. SaaSFort runs 60 external checks across 21 categories and maps every finding to NIS2 + ISO 27001 + BSI IT-Grundschutz.