BSI Update: Grundschutz++ Will Become Mandatory in 2028 – Why You Should Take Action Now

The wait is over: The BSI has published the first guidelines for Grundschutz++. What at first glance looks like additional bureaucratic red tape is, in reality, the new “state of the art” for NIS2.

The Federal Office for Information Security (BSI) has delivered. Just in time for the NIS2 Implementing Regulation, the guidelines on the methodology of Grundschutz++ (GSpp) have been published. This makes it clear: The shift from static PDF modules to a dynamic, machine-readable security management system is irreversible.

But be careful: Those who rush headlong into the migration will waste valuable resources. We’ll show you what the new standard means for you and why it’s the perfect springboard for true IT hardening.

Compliance pressures clash with outdated methods

Until now, IT-Grundschutz compliance has often involved a lot of tedious work in Excel and Word. With NIS2, the requirements are becoming much stricter. If your organization is classified as “important” or “particularly important,” you must demonstrate a security status that reflects the current state of the art.

The crux of the matter: Many companies still use architectures that offer little protection against modern attack vectors (such as ransomware or identity theft). While the current Grundschutz Edition 2023 remains valid until the end of 2028, if you’re setting up a new ISMS today, you can no longer avoid the GSpp.

Grundschutz++ as a Technical Guide

The new Grundschutz++ is radically different. It is based on the OSCAL standard (NIST), which means that security requirements become machine-readable. This saves you time in the long run when it comes to audits and administration. But the real highlight lies in the contents of the user catalog.

Here, the BSI defines precise requirements that go far beyond simply “ticking boxes.” For us at TEAL, it’s clear: GSpp is the regulatory confirmation of what we’ve been advocating for years.

Our theory: GSpp is the turbo boost for your tiering and PAW

Grundschutz++ consistently focuses on securing the “core”—that is, your most critical infrastructure components. We are convinced that a successful GSpp audit will not be possible without a strict tiering model, the use of Privileged Access Workstations (PAW), and consistent system hardening.

Why is that?

    • System hardening: GSpp requires specific measures for host systems. Without automated hardening, you’ll simply lose track of things in the new user catalog.
    • Tiering & PAW: When “state-of-the-art” security is required, there is absolutely no alternative to separating administrative levels (tiering) and protecting your admin identities via hardened endpoints (PAW).

“What I find interesting is that, with its ‘Grundschutz++’ framework, the BSI is fulfilling its obligation under the NIS2 Implementing Regulation to define a binding ‘state of the art.’ This is no longer just a non-binding guideline; for critical organizations, it is now the legal benchmark. Any organization that wants to meet these requirements must have done its homework when it comes to identity protection and infrastructure hardening.” – Fabian Böhm, Security Architect and Managing Director at TEAL

Bottom line: Prepare instead of rushing

The guide is currently intended specifically for pilot projects. The BSI will use the time until 2028 to refine the audit framework. This is your chance to get ready without time pressure.

Our recommendation for you:

      1. Assess the status quo: Does your current architecture (Active Directory, cloud identities) already align with a modern tiering model?
      2. Pilot: Use the OSCAL catalogs to model initial information domains (Informationsverbünde) according to the GSpp methodology.
      3. Accelerate hardening: Start introducing privileged access workstations now and harden your systems to be prepared for upcoming audits.
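To make the "machine-readable requirements" point concrete (OSCAL in the Technical Guide section, and the pilot step above), here is an added Python example that is not part of the original post and not TEAL's or the BSI's code. It flattens an OSCAL-shaped catalog into a checklist and joins it with an implementation-status map. The catalog embedded in the script follows the generic OSCAL catalog JSON layout (catalog, groups, controls, props, parts), but every identifier, title, requirement text and the "level" property is a constructed placeholder; none of it is taken from the real Grundschutz++ catalog.

```python
"""Flatten an OSCAL-shaped catalog into an auditable checklist.

Added example. The catalog below uses the generic OSCAL catalog JSON shape
(catalog -> groups -> controls -> parts/props); its ids, titles, prose and
the 'level' property are constructed placeholders, not BSI content.
"""
import json

# Constructed sample catalog (placeholder uuid and content).
SAMPLE_CATALOG = json.dumps({
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",  # placeholder
        "metadata": {"title": "Example hardening catalog", "version": "0.1"},
        "groups": [
            {"id": "sys", "title": "Host systems (constructed)",
             "controls": [
                 {"id": "sys-1", "title": "Baseline hardening",
                  "props": [{"name": "level", "value": "basic"}],
                  "parts": [{"name": "statement",
                             "prose": "Apply a documented hardening baseline to every host."}]},
                 {"id": "sys-2", "title": "Configuration drift",
                  "props": [{"name": "level", "value": "standard"}],
                  "parts": [{"name": "statement",
                             "prose": "Detect deviations from the baseline automatically."}]}]},
            {"id": "idm", "title": "Administrative identities (constructed)",
             "controls": [
                 {"id": "idm-1", "title": "Tiered administration",
                  "props": [{"name": "level", "value": "standard"}],
                  "parts": [{"name": "statement",
                             "prose": "Separate administrative accounts by tier."}],
                  # OSCAL allows a control to nest sub-controls.
                  "controls": [
                      {"id": "idm-1.1", "title": "Privileged access workstations",
                       "props": [{"name": "level", "value": "standard"}],
                       "parts": [{"name": "statement",
                                  "prose": "Administer tier-0 systems only from dedicated hardened workstations."}]}]}]},
        ],
    }
})


def iter_controls(controls, group_title):
    """Yield (control, group_title) depth-first, following nested controls."""
    for ctrl in controls:
        yield ctrl, group_title
        yield from iter_controls(ctrl.get("controls", []), group_title)


def flatten_catalog(catalog_json):
    """Return one row per control: id, group, title, level and statement prose."""
    doc = json.loads(catalog_json)["catalog"]
    rows = []
    for group in doc.get("groups", []):
        for ctrl, gtitle in iter_controls(group.get("controls", []), group["title"]):
            statement = next((p["prose"] for p in ctrl.get("parts", [])
                              if p.get("name") == "statement"), "")
            props = {p["name"]: p["value"] for p in ctrl.get("props", [])}
            rows.append({"id": ctrl["id"], "group": gtitle, "title": ctrl["title"],
                         "level": props.get("level", ""), "statement": statement})
    return rows


def build_checklist(catalog_json, implemented):
    """Join controls with a status map {control_id: status}; unknown ids are 'open'."""
    return [dict(row, status=implemented.get(row["id"], "open"))
            for row in flatten_catalog(catalog_json)]


def open_controls(checklist, level=None):
    """Ids of controls not yet 'implemented', optionally filtered by level."""
    return [r["id"] for r in checklist
            if r["status"] != "implemented" and (level is None or r["level"] == level)]


if __name__ == "__main__":
    # Constructed status map, as an assessor might record it.
    status = {"sys-1": "implemented", "idm-1": "partial"}
    for row in build_checklist(SAMPLE_CATALOG, status):
        print(f"{row['id']:<8} {row['level']:<9} {row['status']:<12} {row['title']}")
    print("open:", open_controls(build_checklist(SAMPLE_CATALOG, status)))
```

The same flattening works for any catalog that keeps the OSCAL group/control nesting, and the status map is the piece an ISMS tool would replace with its own records; keeping the two separate is what lets an audit query ("which standard-level controls are still open?") be answered from data rather than from a Word table.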

In summary, Grundschutz++ represents the necessary digital leap forward for German IT security. It puts an end to paper-based compliance and forces us all to finally take system hardening and identity isolation seriously.

Want to know if your IT infrastructure is already “Grundschutz++ ready”? Let us take a look. We’ll help you with the architecture review!

If you’d like to learn more about this blog post and discuss it with a TEAL expert, book a consultation here!
