NIS2 Article 32 — supervisory measures for essential entities
Article 32 is the enforcement-power article for essential entities. Supervisory authorities (in Germany, the BSI) can request information, order on-site inspections, demand security audits performed by qualified auditors, run targeted security scans, and — for repeated or severe non-compliance — temporarily suspend a manager from their management functions until the issue is remediated.
Who Article 32 applies to
Essential entities only. Important entities are covered under Art. 33, which provides for reactive (post-incident) supervision rather than proactive supervision.
What Article 32 obliges you to do
- Respond to BSI / supervisory-authority information requests within the deadline set in the request
- Allow on-site inspections without prior notice for essential entities
- Submit to security audits ordered under Art. 32(2)(b)
- Permit targeted security scans (Art. 32(2)(c)) — internal or external, as ordered
- Comply with binding instructions to remediate identified failings
- Accept enforcement measures including fines (Art. 34) and management bans (Art. 32(6)) where issued
Common misconception
"The BSI can't come on-site without notice."
False for essential entities. Art. 32(2)(a) explicitly allows on-site inspections WITHOUT prior notice when justified. The "Prüfungsanordnung" (audit order) often arrives with a 72-hour evidence-assembly clock — pre-staged external-posture evidence is the difference between an organised response and a scramble.
Get the external-posture evidence in 60 seconds
An auditor reviewing Article 32 compliance will ask for evidence. SaaSFort produces the externally-observable portion (TLS, headers, DNS, certs, exposed surfaces) in 60 seconds — mapped to Art. 21 sub-clauses and ISO 27001 Annex A.
Frequently asked questions
How fast must I respond to a BSI Prüfungsanordnung?
The order itself sets the deadline; in practice, common windows are 24-72 hours for evidence requests and 5-15 business days for full audit cooperation. Have the external-posture PDF, training records, and Art. 21 evidence pre-staged before the order arrives.
Under what conditions does a management ban (Art. 32(6)) trigger?
Repeated or severe non-compliance after prior enforcement action. It is the supervisor's tool of last resort but it is a real power — not symbolic. The ban remains in force until the remediation is verified.