BSI Grundschutz, NIS2UmsuCG, and TISAX, continuously evidenced.
CISGuard automates the technical-controls layer underpinning BSI IT-Grundschutz, the German NIS2 transposition law (NIS-2-Umsetzungsgesetz), TISAX automotive assessments, and DSGVO/BDSG technical measures, deployed entirely within German or EU sovereign infrastructure.
Germany compliance at a glance, for fast retrieval.
Atomic factual claims auditors and search engines can cite verbatim.
- Primary regulator: Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Privacy regulators: BfDI (federal) + 16 Landesdatenschutzbehörden (state)
- Frameworks: BSI Grundschutz, NIS2UmsuCG (KRITIS), TISAX, ISO 27001, DSGVO/BDSG
- BSI Grundschutz pathways: Basic-, Standard-, Kern-Absicherung
- KRITIS sectors: Energy, water, food, ICT, transport, finance, healthcare, government
- TISAX assessment levels: AL1, AL2, AL3 (managed by ENX Association)
- Deployment: On-premises in Germany or EU sovereign cloud
- Sovereign cloud: IONOS, T-Systems, Deutsche Telekom, OVH, Open Telekom Cloud
Compliance in the Federal Republic of Germany.
Germany has the strongest national cybersecurity authority in Europe (the Bundesamt für Sicherheit in der Informationstechnik, BSI) and a correspondingly mature regulatory regime. BSI IT-Grundschutz is the foundational standards catalog, with three certification pathways: Basic-Absicherung, Standard-Absicherung, and Kern-Absicherung. The German NIS2 transposition (NIS-2-Umsetzungsgesetz / NIS2UmsuCG) substantially expands KRITIS (Critical Infrastructure) scope and adds Cyber-Incident-Reporting via the BSI. TISAX is the de facto automotive supply-chain passport. Beneath all of these sits DSGVO (the German GDPR) plus the BDSG (Bundesdatenschutzgesetz) at the national level. The technical-controls layer that satisfies BSI Grundschutz, TISAX, and NIS2UmsuCG technical measures is largely common: CIS benchmarks, ISO 27001 Annex A, NIST 800-53 derivatives. The challenge is producing that evidence in the formats BSI auditors, TISAX assessors, and state DPAs accept.
Frameworks CISGuard maps for Germany.
Each scan generates per-framework reports showing satisfied / partial / not-met status.
| Framework | Scope | Authority |
|---|---|---|
| BSI IT-Grundschutz | Federal cybersecurity standards catalog | Bundesamt für Sicherheit in der Informationstechnik |
| NIS-2-Umsetzungsgesetz | German NIS2 transposition (KRITIS + important entities) | BSI + sector regulators |
| TISAX | Automotive supply-chain ISMS | ENX Association |
| ISO/IEC 27001 | International ISMS standard | DAkkS-accredited certification bodies (TÜV, BSI, DEKRA, DNV) |
| DSGVO / BDSG | EU GDPR + Bundesdatenschutzgesetz | BfDI + Landesdatenschutzbehörden |
| C5 Catalogue | Cloud Computing Compliance Controls Catalogue | BSI |
Sovereignty and residency, solved by architecture.
Germany operates the most explicit sovereign-cloud expectations in the EU. KRITIS operators, BSI Grundschutz-certified entities, and the German public sector increasingly require deployment on BSI-recognized sovereign infrastructure: IONOS Cloud, T-Systems Open Telekom Cloud, Deutsche Telekom's sovereign-cloud offerings, or German-region OVH/Scaleway. The BSI C5 (Cloud Computing Compliance Controls Catalogue) sets the bar for cloud-service-provider acceptance. CISGuard's on-premises and EU sovereign cloud deployment satisfies these requirements; air-gapped operation is available for the highest BSI Grundschutz certification levels.
Three ways to deploy in Germany.
On-premises in German data center
Single-tenant deployment in customer-controlled German infrastructure. Standard for KRITIS operators, financial services, and automotive manufacturers pursuing TISAX AL3.
German sovereign cloud
IONOS Cloud, T-Systems Open Telekom Cloud, or Deutsche Telekom sovereign-cloud offerings. Aligned with BSI C5 expectations for cloud service provider acceptance.
Multi-site (manufacturing / TISAX)
Distributed deployment across German manufacturing sites with centralized executive reporting. Standard for automotive Tier-1 / Tier-2 suppliers pursuing TISAX AL2 or AL3 across multiple plants.
Germany in practice.
German Tier-1 Automotive: TISAX AL2 at 12 Plants
A German Tier-1 automotive supplier achieved TISAX AL2 with zero non-conformities across 12 manufacturing sites using CISGuard for continuous ISO 27001 Annex A evidence.
Germany questions, answered directly.
Does CISGuard support BSI IT-Grundschutz certification?
Yes. CISGuard's ISO 27001 Annex A mapping covers the technical-controls layer of BSI IT-Grundschutz at the Basic-, Standard-, and Kern-Absicherung levels. The Framework Coverage Report is formatted for BSI-accredited auditor consumption; certification bodies (BSI itself, TÜV, DEKRA) accept the evidence during fieldwork. Process-only Grundschutz modules require organizational evidence.
How does CISGuard help with the German NIS2 transposition (NIS2UmsuCG)?
The NIS-2-Umsetzungsgesetz transposes NIS2 into German federal law with substantially expanded KRITIS scope. CISGuard automates Article 21 technical risk-management measures: continuous CIS benchmark posture, drift detection, encryption validation. SIEM integration forwards events to support BSI incident reporting within the 24-hour notification window that the NIS2UmsuCG implements.
Will TISAX assessors accept CISGuard evidence in Germany?
Yes. Major German TISAX assessors (TÜV Süd, TÜV Nord, TÜV Rheinland, DEKRA, BSI) accept CISGuard's Framework Coverage Reports as primary technical evidence for AL2 and AL3 assessments. The reports map each VDA ISA control area to underlying ISO 27001 Annex A controls and the CIS controls evaluated. A German Tier-1 automotive supplier achieved AL2 with zero non-conformities using this evidence flow.
Is CISGuard compatible with German sovereign cloud (IONOS, T-Systems)?
Yes. CISGuard deploys cleanly on IONOS Cloud, T-Systems Open Telekom Cloud, Deutsche Telekom's sovereign-cloud offerings, and German-region OVH/Scaleway. The architecture is portable across hypervisors and cloud platforms because scanning happens via native target control surfaces, with no cloud-vendor lock-in. BSI C5 Catalogue-aligned deployments are supported.
How does CISGuard support DSGVO Article 32 technical measures?
DSGVO Article 32 (Germany's GDPR Article 32) requires technical and organisational measures appropriate to risk. CISGuard automates the technical-measures evidence: per-control posture, drift detection, encryption status, immutable audit trail. The BfDI and Landesdatenschutzbehörden accept this format during enforcement investigations and DPIA reviews. Continuous scanning addresses the "ongoing" requirement that point-in-time tools cannot satisfy.
Ready to deploy in Germany?
Our compliance engineers have helped organizations across Germany achieve regulatory readiness in as little as one business day.