In their Technical Guideline TR-02102-2, "Cryptographic Mechanisms: Recommendations and Key Lengths", the BSI is giving minimal key lengths for, e.g., the TLS handshake protocol. All of these are not integers that are a power of two. I always thought that it was the norm to give key lengths as powers of two. Is it not?
1 Answer
12
My guess is that it is stated as a round decimal number (e.g. 2000) of bits in order not to disqualify solutions using keys that can be up to the next round binary number (e.g. 2048) of bits, but are occasionally slightly less.
In particular, in RSA, when we make the product of two 1024-bit primes, the result is 2047 or 2048-bit. This scenario happens with some versions of PGP/GPG, and some SSH software. Contrast with FIPS 186-4, which wants 2048-bit moduli to be exactly 2048-bit, and towards that goal generates 1024-bit primes at least $2^{1023.5}$. TR-02102-2 is slightly more lenient, in a way that does not practically compromise security.
fgrieu
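The effect described in the answer, as an added example that is not part of the original post: two 1024-bit primes from the bottom of the range give a 2047-bit modulus, while primes above the FIPS 186-4 floor of $2^{1023.5}$ always give 2048 bits. All function names are hypothetical, the 2000-bit threshold is the answer's own example figure, and the fixed-base Miller-Rabin test is a simplification chosen for this demo.

```python
from math import isqrt

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: fine for this demo, not for key generation."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    """Smallest odd probable prime >= n."""
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n

def fips_prime_floor(nlen):
    """Smallest integer above sqrt(2) * 2**(nlen/2 - 1) = sqrt(2**(nlen - 1))."""
    return isqrt(1 << (nlen - 1)) + 1

def modulus_from(start):
    """Product of the first two probable primes at or above `start`."""
    p = next_prime(start)
    return p * next_prime(p + 2)

def policy_verdicts(n, minimum=2000, exact=2048):
    """(passes an 'at least `minimum` bits' rule, passes an 'exactly `exact` bits' rule)."""
    return n.bit_length() >= minimum, n.bit_length() == exact

if __name__ == "__main__":
    for label, start in (("bottom of 1024-bit range", 1 << 1023),
                         ("FIPS 186-4 floor", fips_prime_floor(2048))):
        n = modulus_from(start)
        print(label, n.bit_length(), policy_verdicts(n))
```

The 2047-bit modulus passes a minimum-length rule but fails an exact-length rule, which is the leniency the answer attributes to a round decimal threshold.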
