What is Grundschutz++? And what does the 2026 modernisation mean for you?

The BSI introduced Grundschutz++ on 1 January 2026 and released the Methodikleitfaden on 1 April 2026. This page explains what actually changes, where the transition stands today, and what the modernisation means for organisations with an existing IT-Grundschutz footprint as well as those entering compliance through NIS2 for the first time.

Same methodology · new catalogue shape. Compendium 2023: 111 Bausteine, ~6,567 requirements, PDF. Grundschutz++ 2026: 19 Praktiken, ~985 requirements, OSCAL · JSON (−85% requirements).
Sources · bsi.bund.de/grundschutz · github.com/BSI-Bund/Stand-der-Technik-Bibliothek

02 / The short version

A machine-readable rewrite of IT-Grundschutz, published in stages through 2026.

Grundschutz++ is the BSI's modernisation of IT-Grundschutz. The starting point is the same methodology that compliance teams have used for two decades: identify the information domain, establish protection requirements, select suitable measures, document what you run, evidence what you claim. What changes is the form in which the standard is published and the shape of the controls catalogue it sits on.

The old Compendium was a PDF, maintained on an annual cadence and cross-referenced by hand. Grundschutz++ is a structured, machine-readable catalogue in the OSCAL format, published openly through the BSI's GitHub organisation and versioned continuously. The regulatory intent has not changed. The artefact that expresses it has.

Put plainly: the regulatory intent has not changed, the methodology has not changed, the roles and responsibilities have not changed. What has changed is that the catalogue now lives as structured data instead of a PDF, and that the structure carries built-in cross-references to ISO 27001 and NIS2.

03 / The concrete changes

The catalogue is rebuilt. The methodology is not.

Grundschutz++ is not a new ISMS philosophy. The BSI kept the Plan-Do-Check-Act backbone, the obligation to establish Schutzbedarf, and the primacy of the IT-Sicherheitsbeauftragte. Inside that frame, the catalogue itself changes in concrete ways.

Catalogue primitive

The 111 Bausteine become 19 Praktiken.

The 2023 Compendium groups controls into 111 Bausteine across ten layers. Grundschutz++ consolidates the catalogue into 19 process-oriented Praktiken, grouped along the PDCA cycle. Work that used to live inside a Baustein now lives inside a Praktik; the selection logic changes from which Bausteine apply to a target object to which Praktiken apply, and at what depth.

Scope

An 85% reduction in requirements.

The 2023 Compendium carries roughly 6,567 individual requirements across its Bausteine. The Grundschutz++ Praktiken contain approximately 985. The reduction is not a lowering of the bar: redundant phrasings have been consolidated, inheritance along a target-object hierarchy is now explicit, and organisation-wide requirements no longer repeat per target object. The net effect is fewer boxes to tick, better alignment between boxes, and less duplicated documentation.

Schutzbedarf

Protection requirements simplified: normal and erhöht.

The historical three-tier scale (normal, hoch, sehr hoch) collapses into two levels in Grundschutz++: normal for the general state of the art, erhöht for elevated protection. Anything that previously would have landed at sehr hoch now enters the Risikoanalyse track directly. This removes the grey zone between hoch and sehr hoch that most practitioners found unhelpful.

Format

From PDF catalogue to OSCAL/JSON.

Grundschutz++ is published as OSCAL, the open compliance-document schema maintained by NIST. The BSI makes both JSON and XML serialisations available through the public BSI-Bund/Stand-der-Technik-Bibliothek GitHub repository. Catalogue updates arrive as commits, not as annual PDF releases. ISMS tools that speak OSCAL can ingest the catalogue directly and run target-actual comparisons against live system data.
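An added example (not BSI or OrbisGraph code) of what "ingesting the catalogue directly" means in practice: walking the OSCAL catalog JSON structure (groups holding controls, controls nesting further controls, each carrying props and links), counting requirements per Praktik, filtering by Schutzbedarf, and pulling out the ISO 27001 / NIS2 cross-references. The catalogue is a constructed sample; its ids, link targets and the "schutzbedarf" property name are assumptions, not BSI identifiers.

```python
# Added example (not BSI or OrbisGraph code): walk an OSCAL catalog document and
# derive the views an ISMS tool needs for Grundschutz++. The catalogue below is a
# constructed sample; its ids and the "schutzbedarf" prop are hypothetical placeholders.
import json

SAMPLE_CATALOG = json.dumps({"catalog": {
    "metadata": {"title": "Constructed sample", "oscal-version": "1.1.2"},
    "groups": [{"id": "pr-plan", "title": "Example Praktik (Plan)", "controls": [
        {"id": "pr-plan-1", "title": "Inventory target objects",
         "props": [{"name": "schutzbedarf", "value": "normal"}],
         "links": [{"href": "#iso27001-A.5.9", "rel": "related"}],
         "controls": [  # OSCAL controls nest, so the walk must recurse
             {"id": "pr-plan-1.1", "title": "Record owners",
              "props": [{"name": "schutzbedarf", "value": "erhöht"}],
              "links": [{"href": "#nis2-art21-2a", "rel": "related"}]}]},
        {"id": "pr-plan-2", "title": "Establish protection requirements",
         "props": [{"name": "schutzbedarf", "value": "normal"}],
         "links": [{"href": "#iso27001-A.5.12", "rel": "related"},
                   {"href": "#nis2-art21-2a", "rel": "related"}]}]}]}})

def iter_controls(node):
    """Yield every control under a group or control, nested ones included."""
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)

def load_catalog(text):
    """Parse an OSCAL catalog and return {praktik id: [all its controls]}."""
    catalog = json.loads(text)["catalog"]
    return {g["id"]: list(iter_controls(g)) for g in catalog.get("groups", [])}

def count_requirements(text):
    """Requirements (controls at any depth) per Praktik."""
    return {gid: len(cs) for gid, cs in load_catalog(text).items()}

def requirements_at(text, level):
    """Ids of requirements whose 'schutzbedarf' prop equals the given level."""
    return sorted(c["id"] for cs in load_catalog(text).values() for c in cs
                  if any(p["name"] == "schutzbedarf" and p["value"] == level
                         for p in c.get("props", [])))

def crosswalk(text, prefix):
    """{control id: [referenced ids]} for 'related' links whose fragment starts with prefix."""
    out = {}
    for c in (c for cs in load_catalog(text).values() for c in cs):
        refs = [l["href"].lstrip("#") for l in c.get("links", [])
                if l.get("rel") == "related" and l["href"].lstrip("#").startswith(prefix)]
        if refs:
            out[c["id"]] = refs
    return out
```

The same walk applied to a real catalogue from the BSI repository is the check behind the "does the product ingest OSCAL natively" question: a tool that cannot recurse into nested controls will under-count requirements and miss cross-references on the nested ones.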

Reuse pattern

Blaupausen replace the old IT-Grundschutz profiles.

The old IT-Grundschutz profiles, pre-configured Sicherheitskonzept templates for archetypes like e-file, 5G, or municipal utilities, become Blaupausen in Grundschutz++. Structurally similar, procedurally different: Blaupausen are machine-readable configurations that a tool can apply automatically to a target object, not document templates that consultants adapt by hand.

Interoperability

Native mappings to ISO 27001 and NIS2.

Grundschutz++ ships with OSCAL cross-references to ISO 27001:2022 Annex A controls and to NIS2 requirements. Organisations running a combined BSI/ISO scope no longer maintain the mapping in a separate spreadsheet. For multinational scopes, Grundschutz++ starts to look like a viable primary catalogue where previously only ISO could serve that role.

04 / The transition

Parallel validity runs through late 2028. Start planning, do not rush.

Grundschutz++ is live, but the 2023 Compendium remains valid for audits and certifications during the transition. Where you sit on the timeline should drive the pace of your move, not the reverse.

  1. October 2025 · First public version of the Stand-der-Technik-Bibliothek on GitHub.
  2. January 2026 · Grundschutz++ officially introduced. Certifications against Grundschutz++ become possible.
  3. April 2026 · Methodikleitfaden published.
  4. Late 2028 / Early 2029 · End of parallel validity. Grundschutz++ becomes the only live standard.

Until the end of 2028, an organisation can run an ISMS on either the 2023 Compendium or on Grundschutz++ and be audited accordingly. The BSI has been deliberate in calling this a multi-year transition rather than a cut-over: inventories, Sicherheitskonzepte, evidence portfolios, and auditor workflows all need time to move. Existing certifications remain valid to the end of their term under the standard they were issued against. Re-certifications later in the transition window will increasingly land on Grundschutz++.

Caveat · Some implementation aids, including sector-specific Blaupausen, profile mappings, and procurement templates, are still being published incrementally through the BSI GitHub repository. This page will update as they arrive.

05 / Your position

The destination is the same. The starting point differs.

Fork A · Existing footprint

For organisations with an existing Sicherheitskonzept.

You already have a Strukturanalyse, a Schutzbedarfsfeststellung, a modelled set of Bausteine, and a Grundschutz-Check on record. The transition is not a rewrite. It is a rebinding: the same target objects map against the 19 Praktiken, the same evidence files attach to the same controls, the same sign-offs remain in place. What changes is where the catalogue lives and how the mapping is expressed.

The decisive question is tooling. ISMS tools built on the 2023 Compendium's PDF-plus-spreadsheets paradigm need to add OSCAL ingestion, a Praktiken model, and machine-readable evidence linking. The longer your existing tool takes to get there, the more manual effort the transition costs your team. The earlier you evaluate tools that are OSCAL-native today, the smaller the re-work bill later.

Fork B · NIS2 entrants

For organisations entering compliance through NIS2 or the KRITIS-Dachgesetz.

If your organisation has been brought into scope by NIS2 or the KRITIS-Dachgesetz, the arithmetic is different. You do not have a Sicherheitskonzept today. Starting on the 2023 Compendium would mean producing a 2023-era artefact and then migrating it before the end of 2028. Starting on Grundschutz++ means producing the artefact on the catalogue that will still be valid after the transition ends.

Both paths are legitimate; auditors will accept either during the transition. The practical question is whether your tooling, your auditor, and your timeline support Grundschutz++ from day one. Where they do, starting on Grundschutz++ avoids a second project in three years. Where they do not, the 2023 Compendium remains a defensible path, with a migration budget pencilled in for 2027 to 2028.


06 / Practical next steps

Preparation that holds regardless of which tool you eventually choose.

Guidance that stands on its own, independent of vendor. The substance of this section does not change whether you ultimately run OrbisGraph or any other ISMS tool. It is the groundwork every organisation in scope will benefit from.

  1. Read the BSI's own materials first.

    The Methodikleitfaden published on 1 April 2026 is the single best starting point. The Stand-der-Technik-Bibliothek GitHub repository is the canonical source for catalogues and updates. Everything else, including this page, is commentary.

  2. Inventory your current state against the 19 Praktiken.

    Independent of tooling, the exercise of mapping your existing Bausteine and measures to the 19 practices surfaces which parts of your ISMS are already practice-oriented and which will need restructuring. Many organisations discover that their documented reality was already closer to the new model than to the old.

  3. Decide the starting catalogue for new work now, not later.

    Any project that enters scope between now and the end of 2028 is going to face a transition question. Deciding the starting catalogue once, per project type, is cheaper than deciding it case by case and discovering inconsistency at audit.

  4. Pressure-test your tooling on OSCAL.

    Ask your ISMS tool vendor three questions in writing: does the product ingest the BSI's OSCAL catalogues natively, does it represent Praktiken as first-class objects, and does it support the BSI's own cross-references to ISO 27001 and NIS2. If any answer is on the roadmap, ask for a date.

  5. Talk to your auditor early.

    Auditors working through the transition have a view on which certifications they will continue to issue under the 2023 Compendium and when they expect clients to move. Their calendar matters more than yours for audit planning.

  6. Treat the transition as a multi-year programme, not a project.

    The BSI has set the end of parallel validity at late 2028 / early 2029 on purpose. Organisations that plan to that horizon carry less risk than those trying to compress the move into a single year.

07 / How OrbisGraph fits in

OrbisGraph is built on a knowledge graph. That is what makes it OSCAL-native.

OrbisGraph is Pinnipedia's compliance platform. Under the hood, its catalogue layer is implemented as a knowledge graph: Praktiken, requirements, target objects, measures, evidence, sign-off states and cross-framework references held as typed nodes and edges. OrbisGraph does not hold a copy of the Compendium as a PDF and parse it for queries. OSCAL documents map into the underlying graph directly, because OSCAL itself is a graph-shaped schema underneath the JSON.

That has two consequences during the Grundschutz++ transition. First, the move from Bausteine to Praktiken is a re-mapping of nodes, not a rewrite of tooling. The same engagement data, the same evidence, the same sign-off states survive the change and re-attach to the new catalogue. Second, catalogue updates from the BSI GitHub repository arrive as incremental graph changes, not as new product versions. Updates that would require a quarterly release cycle in a document-based tool land in days here.

Beyond the transition itself, the cross-references built into Grundschutz++ (to ISO 27001:2022 and NIS2) become walkable edges inside the same graph. Organisations running a combined scope can query evidence coverage across frameworks in one place, rather than maintaining three spreadsheets.

OrbisGraph remains a tool, not an auditor or a certification body. Certification is issued by accredited auditors, not by the platform. Pinnipedia is not in a contractual relationship with the BSI and does not claim BSI approval. What we can claim, because the architecture supports it, is that the move to Grundschutz++ is a serialisation task inside OrbisGraph, not a rebuild.

08 / FAQ

Questions we hear most often.

What is the difference between IT-Grundschutz and Grundschutz++?

IT-Grundschutz in its 2023 edition is a PDF Compendium of 111 Bausteine and roughly 6,567 requirements. Grundschutz++ is the same methodology rebuilt around 19 process-oriented Praktiken, roughly 985 requirements, two Schutzbedarf levels instead of three, and an OSCAL/JSON catalogue published on GitHub. Methodology intent is preserved; catalogue form and level of detail are modernised.

Do I have to rewrite my existing Sicherheitskonzept?

No. During the transition period, which runs through late 2028 / early 2029, a Sicherheitskonzept based on the 2023 Compendium remains valid for audit. When you do migrate, the exercise is a re-mapping from Bausteine to Praktiken, not a clean-sheet rewrite. Target objects, evidence, and approvals carry across; the catalogue reference they attach to changes.

When does Grundschutz++ become mandatory?

It is already in force as of 1 January 2026, running in parallel with the 2023 Compendium. The end of parallel validity is communicated as late 2028 / early 2029. After that point, Grundschutz++ will be the standing catalogue; 2023-Compendium certifications will remain valid until their renewal date and then re-issue under Grundschutz++.

What is OSCAL and why did the BSI adopt it?

OSCAL (Open Security Controls Assessment Language) is an open standard maintained by NIST for representing security catalogues, profiles, system security plans, and assessment results as machine-readable documents in JSON or XML. The BSI adopted it because it gives Grundschutz++ a format that ISMS tools can ingest directly, supports automated target-actual comparisons against live system data, and enables interoperable cross-references to other frameworks (ISO 27001, NIS2).

Does Grundschutz++ affect existing BSI certifications?

Existing certifications issued under the 2023 Compendium remain valid until the end of their term. Audits during the transition can be conducted against either standard. Re-certifications and new certifications late in the transition window will increasingly be conducted against Grundschutz++. Accredited auditors are the authoritative source on what they will and will not certify; talk to yours early.

Which tools are already prepared for Grundschutz++?

Tool readiness varies. The meaningful question is not whether the tool mentions Grundschutz++ but whether the tool ingests OSCAL catalogues natively, represents Praktiken as first-class objects, and speaks the BSI's cross-references to ISO 27001 and NIS2. Those are the three concrete questions worth asking any vendor in writing.

What happens to the old IT-Grundschutz profiles?

They are being rebuilt as Blaupausen inside Grundschutz++. Structurally analogous to the old profiles, procedurally different: Blaupausen are machine-readable configurations that tools apply to target objects, rather than document templates that teams adapt by hand. Early Blaupausen cover sectors already published by the BSI, including e-file, 5G infrastructure, and municipal utilities; more arrive incrementally in the Stand-der-Technik-Bibliothek.

Where is the authoritative Grundschutz++ source?

The BSI's own publications are authoritative. The two primary surfaces are the Grundschutz++ pages on bsi.bund.de and the public GitHub repository BSI-Bund/Stand-der-Technik-Bibliothek. The Methodikleitfaden, published on 1 April 2026, is the single best orientation document for teams starting from zero.

Show us your use case. We'll show you the knowledge graph.

Thirty minutes. We run the product on your transition scenario, walk through how the catalogue layer ingests OSCAL, and answer the questions your team will ask first.