
BSI v2.0 “Logging and Detection”: What It Changes for Your Logs and SIEM

In April 2026, BSI released v2.0 of its minimum standard “Protokollierung und Detektion.” Here’s how to align logging, detection, and investigation with NIS 2 and DORA, and meet ILR/CSSF expectations.

Summary — In April 2026, BSI released version 2.0 of its minimum standard “Protokollierung und Detektion.” This v2.0 sharpens the technical logging requirements, the end‑to‑end detection process up to escalation, and the integrity and traceability of logs for investigation and evidence. Source: BSI — Mindeststandard Protokollierung und Detektion v2.0 (April 2026). ENISA’s NIS360 (28 May 2026) also highlights persistent weaknesses in detection and investigation. Source: ENISA — NIS360, 28 May 2026.

The applicable legal framework

  • NIS 2 — Article 21(2)(d), (h), (j): risk management policies and procedures, incident handling/notification, and access control — in practice, comprehensive logging, correlation, and continuous detection. In Luxembourg, ILR is the competent authority and centralizes NIS 2 resources (SERIMA, FAQ). Sources: ILR — Cybersecurity (NISS), ILR — Incident notification.
  • Finance (DORA) — CSSF has supervised DORA since 17 January 2025 and expects detection, monitoring, and investigation capabilities to notify and document major ICT incidents. Source: CSSF — ICT and cyber risk for DORA entities.
  • Governance/forensics — CSSF circulars (12/552, 17/655) require effective controls and traceability enabling control/audit functions to reconstruct events. Sources: CSSF 17/655, CSSF 12/552.

The combined effect of NIS 2/DORA obligations and ILR/CSSF expectations mandates usable, tamper‑evident logging, continuous detection, and a fast, well‑documented investigation capability. The BSI v2.0 guide offers a recognized technical blueprint to demonstrate “appropriate” and “state of the art” controls. For a local view, see NIS 2 expectations in Luxembourg.

The technical solution to deploy

Objective: operate an end‑to‑end “log → detect → investigate → prove” chain aligned with BSI v2.0, NIS 2, and DORA.

  • Collection and normalization of key logs: authentication (AD/Entra, SSO), endpoints/EDR, firewalls/VPN, proxies, critical SaaS, databases, IAM/PAM, cloud (CSPM/CloudTrail/Activity Logs), business apps. BSI v2.0 references IT‑Grundschutz OPS.1.1.5 (Protokollierung) and DER.1 (Detektion). Source: BSI — Mindeststandard v2.0.
  • Integrity and retention: trusted timestamps, immutability (WORM/locked S3 objects), custody chain, role separation — prerequisites for evidentiary value (GDPR, NIS 2).
  • Correlation and detection: codified use cases (Detection‑as‑Code), MITRE ATT&CK mapping, risk‑based thresholds and allow/deny lists. ENISA NIS360 notes frequent issues from incomplete log scope and insufficient tuning — address via continuous detection engineering. Source: ENISA — NIS360 (28 May 2026).
  • Forensic investigation: preservation of volatile artifacts, timeline reconstruction, pivots on identities/endpoints/network, signed evidence export, and escalation playbooks.
  • Reference frameworks: ISO/IEC 27001:2022 Annex A (A.8.15, A.5.10, A.8.16), NIST CSF 2.0 (DE.CM, DE.AE, RS.AN), CIS Controls v8 (8, 6, 17).
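The “integrity and retention” and “signed evidence export” points above come down to one mechanism: each exported record commits to the previous one and the whole chain is sealed with a key that the log writer does not hold. The following is an added illustration written for this article, not BSI or Luxgap code; the sample events, the chain id and the demo key are constructed, and a production export would additionally obtain a trusted (RFC 3161) timestamp and keep the sealing key in an HSM/KMS.

```python
import hashlib
import hmac
import json

# Constructed, already-normalized sample events (not taken from the article).
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T08:00:00Z", "src": "entra", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2026-06-01T08:02:10Z", "src": "edr", "host": "wks-042", "action": "process", "cmd": "powershell.exe"},
    {"ts": "2026-06-01T08:05:33Z", "src": "fw", "action": "deny", "dst": "203.0.113.7", "port": 4444},
]

def canonical(obj: dict) -> bytes:
    # Deterministic serialization: stable key order and separators, otherwise the
    # same record would hash differently when re-exported for an auditor.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def seal_events(events, sealing_key: bytes, chain_id: str = "export-0001"):
    """Build a hash-chained, HMAC-sealed export. Every entry commits to the
    previous entry's digest, so editing, deleting or reordering any record
    invalidates that entry and everything after it."""
    sealed = []
    prev = hashlib.sha256(chain_id.encode()).hexdigest()  # genesis anchor
    for seq, ev in enumerate(events):
        body = {"seq": seq, "prev": prev, "event": ev}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        tag = hmac.new(sealing_key, digest.encode(), hashlib.sha256).hexdigest()
        sealed.append({**body, "hash": digest, "hmac": tag})
        prev = digest
    return sealed

def verify_chain(sealed, sealing_key: bytes, chain_id: str = "export-0001"):
    """Return (True, None) if the export is intact, else (False, seq of the
    first entry that fails: wrong order, broken link, edited body or bad seal)."""
    prev = hashlib.sha256(chain_id.encode()).hexdigest()
    for expected_seq, entry in enumerate(sealed):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        tag = hmac.new(sealing_key, digest.encode(), hashlib.sha256).hexdigest()
        if (entry["seq"] != expected_seq or entry["prev"] != prev
                or entry["hash"] != digest
                or not hmac.compare_digest(entry["hmac"], tag)):
            return False, expected_seq
        prev = digest
    return True, None

if __name__ == "__main__":
    key = b"demo-sealing-key"  # placeholder; the real key never leaves the HSM/KMS
    export = seal_events(SAMPLE_EVENTS, key)
    print("intact:", verify_chain(export, key))
    export[1]["event"]["cmd"] = "notepad.exe"  # simulate an edit after export
    print("after edit:", verify_chain(export, key))
```

Separating the verifier's key from the SIEM operators is what gives the export its custody-chain value: the people who can write logs cannot also re-seal them.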

Typical tools

  • A modern SIEM (cloud/hybrid) for ingestion, correlation, detection, and search — a managed SOC service can accelerate deployment.
  • EDR/XDR for host telemetry and rapid investigations.
  • Immutable, signed evidence storage (WORM, sealing key).
  • SOAR playbooks for response orchestration and automated evidence collection.

How Luxgap implements this

  • Managed SOC: industrialized BSI v2.0 chain with a “minimum log baseline” per asset type, MITRE‑correlated rules, coverage dashboards, 24/7 on‑call, prioritized alerts, and weekly tuning reviews.
  • ISO 27001 governance: logging policy (scope, retention, integrity, roles) aligned to ISO/IEC 27001 Annex A and BSI v2.0, with a reusable “requirements → controls → evidence” matrix for ILR/CSSF audits.
  • Audit‑ready logging and forensics: playbooks, evidence sealing procedures, reporting kits for notifications (NIS 2/DORA) and post‑mortems.

Method: 1) scope risks and obligations (NIS 2/DORA/sector), 2) gap analysis vs BSI v2.0 and ISO 27001, 3) deploy SIEM/EDR baseline and integrate sources, 4) tuning and priority use cases, 5) investigation exercises and reportability, 6) quarterly evidence and KPIs.

Real‑world case (Luxembourg/EU)

An investment management firm (DORA) aligned logging and detection in 8 weeks: 32 log sources integrated (IAM, firewalls, EDR, cloud, fund application), 22 critical MITRE use cases, object‑store immutability with lock, and sealing procedures. Results: first qualified alert in 6 minutes during a test (simulated SaaS account exfiltration), timeline rebuilt in 90 minutes, and incident report ready in ILR/CSSF format.

First concrete steps

  • In 5 days, map your “systems of record” (identities, endpoints, network, critical SaaS, databases) and verify log completeness/timestamps.
  • Define a logging and integrity policy (who collects what, how long, where — immutable storage, who accesses), aligned with ISO 27001 A.8.15 and BSI v2.0.
  • Define 10 priority MITRE‑mapped use cases (AitM on SSO, dormant admin creation, volumetric SaaS exfiltration, out‑of‑perimeter authentication, unauthorized encrypted tunnel).
  • Set up an “investigation kit”: artifact collection procedures, timeline template, signed evidence export, NIS 2/DORA report checklist.
  • Plan a tabletop investigation within a month: realistic scenario, evidence collection, mock report, lessons learned, and SIEM corrections.
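Two of the priority use cases listed above, out‑of‑perimeter authentication and volumetric SaaS exfiltration, expressed as Detection‑as‑Code rules with their MITRE ATT&CK mapping and a risk‑based threshold, run over constructed sample events. This is an added example for this article, not a rule from any SIEM product or from Luxgap; the perimeter allow list, the 1 GB / 10 minute threshold and the event schema are assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, normalized SSO and SaaS events (not taken from the article).
EVENTS = [
    {"ts": "2026-06-01T09:00:00Z", "type": "sso_login", "user": "bob", "src_ip": "10.20.1.15", "result": "ok"},
    {"ts": "2026-06-01T09:01:00Z", "type": "sso_login", "user": "bob", "src_ip": "198.51.100.9", "result": "ok"},
    {"ts": "2026-06-01T09:05:00Z", "type": "saas_download", "user": "bob", "bytes": 400_000_000},
    {"ts": "2026-06-01T09:09:00Z", "type": "saas_download", "user": "bob", "bytes": 700_000_000},
    {"ts": "2026-06-01T09:30:00Z", "type": "saas_download", "user": "carol", "bytes": 50_000_000},
]

# Assumed corporate perimeter (office LAN and documentation range used as VPN egress).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

@dataclass
class Alert:
    rule: str
    technique: str  # MITRE ATT&CK technique id
    user: str
    detail: str

def rule_out_of_perimeter_auth(events):
    """Successful SSO login whose source IP is outside the allow list (T1078 Valid Accounts)."""
    alerts = []
    for ev in events:
        if ev["type"] != "sso_login" or ev["result"] != "ok":
            continue
        ip = ipaddress.ip_address(ev["src_ip"])
        if not any(ip in net for net in ALLOWED_NETS):
            alerts.append(Alert("out_of_perimeter_auth", "T1078", ev["user"], f"login from {ip} at {ev['ts']}"))
    return alerts

def rule_volumetric_saas_exfil(events, threshold_bytes=1_000_000_000, window=timedelta(minutes=10)):
    """Per-user bytes downloaded within a sliding window exceed the risk threshold (T1567)."""
    alerts, history = [], defaultdict(list)
    for ev in sorted((e for e in events if e["type"] == "saas_download"), key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        hist = history[ev["user"]]
        hist.append((now, ev["bytes"]))
        hist[:] = [(t, b) for t, b in hist if now - t <= window]  # drop events outside the window
        total = sum(b for _, b in hist)
        if total > threshold_bytes:
            alerts.append(Alert("volumetric_saas_exfil", "T1567", ev["user"], f"{total} bytes within {window}"))
            hist.clear()  # one alert per burst instead of one per subsequent download
    return alerts

def run_rules(events):
    return rule_out_of_perimeter_auth(events) + rule_volumetric_saas_exfil(events)
```

Tuning, as the article recommends weekly, is then a change to `ALLOWED_NETS` or `threshold_bytes` under version control rather than an undocumented edit in a SIEM console.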

Official sources

With BSI v2.0, you now have a precise blueprint for logging, detection, and investigation. Implementing a managed SOC, aligned with BSI v2.0 and ISO 27001, helps you meet NIS 2/ILR expectations and the DORA framework.
