Why must protection-need categories be individualized per organization, and which damage scenarios are used for this?
Because "considerable damage" means something completely different for a corner shop than for a bank — each organization defines the categories using six typical damage scenarios.
A fixed money threshold (say, €100k) would be existential for a small business and a rounding error for a multinational. So each organization defines what normal/high/very high means for itself — e.g. a company might set "normal" as: financial damage below €50,000, no noticeable disruption beyond 24 hours, minor legal consequences, no lasting reputational harm.
The six typical damage scenarios used to anchor the definitions:
- Violations of laws, regulations, or contracts
- Impairment of informational self-determination (privacy rights of individuals)
- Impairment of personal integrity (physical harm to persons)
- Impairment of task fulfilment (business/mission disruption)
- Negative external effects (reputation/image damage)
- Financial consequences
For each scenario and category you describe the expected impact — these descriptions later make every individual assessment justifiable and comparable.
Go deeper:
Lektion 4: Schutzbedarfsfeststellung (BSI Online-Kurs) — Wie Schadensszenarien zur individuellen Definition der Schutzbedarfskategorien dienen.