1. What does IT compliance mean? #

IT compliance means adhering to all legal, regulatory, and organizational requirements that apply to operating IT systems and processing data. The term covers three equally important dimensions:

Dimension 1: Legal compliance #

The legal dimension covers all requirements arising from laws, regulations, and official directives:

  • Data protection law: The GDPR and national implementing legislation regulate which personal data may be processed, how it is stored, for how long, and what data subject rights apply.
  • Tax and commercial law: The German Commercial Code (HGB), the German Fiscal Code (AO), and the GoBD (German bookkeeping principles) prescribe which business documents must be retained, for how long, and in what form. These apply to organizations subject to German or EU recordkeeping requirements.
  • IT security law: The NIS2 Directive (transposed into German law in December 2025), the KRITIS umbrella law, and the IT Security Act 2.0 define minimum standards for IT security in specific types of organizations.
  • Sector-specific law: DORA (Digital Operational Resilience Act) for financial entities, national radiation protection regulations for healthcare, and requirements under banking, anti-money-laundering, and other sector laws.

Dimension 2: Technical compliance #

The technical dimension describes specific IT requirements derived from legal obligations:

  • Data storage: Tamper-proof archiving, protection, defined retention periods, and secure deletion after expiry
  • Access control: Role-based access management, multi-factor authentication, logging of all access events
  • Encryption: Protection of data in transit and at rest (AES-256 or equivalent)
  • Audit trail: Complete, tamper-proof recording of all security-relevant events
  • Incident response: Technical capability to detect, analyze, and report security incidents

Dimension 3: Organizational compliance #

The organizational dimension covers processes, responsibilities, and documentation:

  • Policies and process documentation: Written documentation of all relevant processes — from data storage and access control to incident response
  • Responsibilities: Designation of named owners (data protection officer, CISO, IT security officer)
  • Training: Regular training of all staff on data protection and security-relevant topics
  • Audits: Regular internal and external review of compliance measures

IT compliance vs. audit-proof archiving: the difference #

Compliance and audit-proof archiving are frequently conflated — they are not the same. Audit-proof archiving is a specific subset of IT compliance, focused on the legally compliant storage of business documents (German GoBD, HGB, AO — applicable to organizations subject to German or EU recordkeeping requirements). IT compliance is the broader concept: it includes audit-proof archiving but extends far beyond it — to IT security requirements, data protection, and personal liability.

| Topic | Audit-proof archiving | IT compliance |
|---|---|---|
| Tamper-proof archiving of business documents | Core topic | Included |
| Data protection under GDPR | Partial | Fully covered |
| IT security under NIS2 Directive / BSI | Not addressed | Core topic |
| Personal liability of directors | Limited (tax) | Full (NIS2, DORA, GDPR) |
| Incident reporting | Not required | Mandatory (NIS2, DORA) |
| Sector-specific requirements (DORA, BAIT) | Not addressed | Core topic |

2. The regulatory landscape 2026 #

The regulatory environment for IT compliance has become considerably more complex in recent years. The table below provides an overview of the key frameworks, the organizations they affect, and their core requirements.

Overview: Frameworks, affected organizations, and core requirements #

| Framework | Since / Status | Affected organizations | Core requirements |
|---|---|---|---|
| GDPR | 25.05.2018 | All organizations processing personal data | Lawful basis for processing, data subject rights, 72h breach notification, technical and organizational measures, processor contracts |
| German GoBD | 01.01.2015 (updated 2019) | All organizations subject to German bookkeeping obligations | Tamper-proof archiving of tax-relevant documents, process documentation, digital audit access |
| NIS2 Directive / BSIG amendment | December 2025 | Medium and large organizations in 18 critical sectors | Risk management, incident reporting (24h/72h), supply chain security, personal liability of management |
| DORA (Digital Operational Resilience Act) | 17.01.2025 | Financial entities and critical ICT third-party providers | Digital resilience, ICT risk management, incident reporting, TLPT (Threat-Led Penetration Testing) |
| KRITIS umbrella law | Phased from 2026 | Operators of critical facilities in 11 sectors | Physical and digital resilience, registration, incident reporting |
| BSI IT-Grundschutz | Continuously updated | Public authorities (mandatory), organizations (de-facto standard) | Structural analysis, protection requirements assessment, baseline/standard/core security controls |
| ISO 27001 | Current version: 2022 | All organizations (voluntary, but de-facto market requirement) | ISMS (Information Security Management System), risk treatment, continuous improvement |

NIS2 Directive: The most far-reaching new regulation in years #

The NIS2 Directive was transposed into German law through the BSIG amendment (December 2025). It is the most significant new IT security obligation for organizations since the original IT Security Act.

Organizations affected: NIS2 applies to medium-sized organizations (50+ employees or EUR 10m+ annual revenue) and large organizations in 18 critical sectors — from energy, water, and healthcare through digital infrastructure to manufacturing and postal services. The NIS2 scope is broader than the previous KRITIS framework.

Core obligations:

  • Implementation of an IT security risk management system
  • Reporting of significant security incidents: initial report within 24 hours, full report within 72 hours
  • Supply chain security: assessment of IT service providers and suppliers
  • Personal liability of management (§38 BSIG-new)

Fines: Up to EUR 10m or 2% of global annual revenue (essential entities); up to EUR 7m or 1.4% (important entities).

DORA (Digital Operational Resilience Act): The financial sector obligation #

DORA has been mandatory since 17 January 2025. It applies to banks, insurance companies, investment firms, payment service providers, and critical ICT third-party providers.

Core obligations:

  • ICT risk management with a written framework
  • Classification and reporting of ICT security incidents
  • Testing of digital operational resilience (TLPT for significant institutions)
  • Management of ICT third-party risks — including cloud providers and software vendors

German GoBD: The tax-law foundation #

The GoBD (German bookkeeping principles, BMF circular of 28.11.2019) apply to all organizations subject to German bookkeeping obligations. The GoBD is not a statute but an authoritative administrative directive with binding character for tax audits. Organizations subject to German or EU recordkeeping requirements must comply.

Core obligations: Tamper-proof archiving of tax-relevant documents, process documentation, completeness, traceability, and digitally auditable access for tax authorities.


3. Sector-specific compliance requirements #

On top of general requirements from the GDPR, GoBD, and NIS2, sector-specific frameworks add further layers. For organizations in regulated sectors, the result is a multi-layered set of obligations.

Overview: Compliance requirements by sector #

| Sector | General obligations | Sector-specific obligations | Notes |
|---|---|---|---|
| Financial sector (banks, insurers) | GDPR, GoBD, NIS2 | DORA, BAIT, MaRisk, KWG, GwG | DORA mandatory since 17.01.2025; BaFin inspections; 5-year retention for WpHG records |
| Healthcare | GDPR, GoBD, NIS2 | §630f BGB, §28 RöV, §14 TFG, patient data protection law | Radiation therapy records: 30 years; criminal law protection under §203 StGB |
| Public administration | GDPR, GoBD | BSI IT-Grundschutz (mandatory), e-government laws, file retention rules, KRITIS (federal agencies) | Statutory file retention under federal and state law; classified document requirements in some cases |
| Industry / critical infrastructure operators | GDPR, GoBD, NIS2 | KRITIS umbrella law, IT Security Act 2.0, sector-specific security standards (B3S) | OT security; production data backup separate from IT; physical resilience |
| All other organizations (SMEs, mid-market) | GDPR, GoBD | NIS2 (from 50 employees in covered sectors), German Commercial Code §257, German Fiscal Code §147 | GoBD process documentation frequently missing; checked in tax audits |

Financial sector: The densest regulatory framework #

Financial entities face the most heavily regulated environment. The obligation set includes:

DORA (since 17.01.2025): DORA is mandatory for all EU-supervised financial entities. The ICT risk management framework must be documented in writing, tested regularly, and approved by management. All critical ICT third-party providers — including cloud providers and backup software vendors — must be registered and assessed. For serious incidents: mandatory reporting to the competent authority within 4 hours (initial notification) and 24 hours (detailed notification).

BAIT (German supervisory requirements for IT in banking): The German Federal Financial Supervisory Authority (BaFin) BAIT guidelines specify IT requirements for credit institutions under §25a KWG. Key topics: IT strategy, IT governance, information risk management, outsourcing (including cloud), business continuity.

MaRisk (Minimum requirements for risk management): MaRisk applies to credit and financial services institutions. Relevant for IT compliance: requirements for data backup, backup recovery, and business continuity.


Healthcare: Long retention periods, high liability risk #

Healthcare combines strict data protection requirements with some of the longest retention periods in any sector:

Retention periods overview:

| Document type | Period | Legal basis |
|---|---|---|
| Patient records (general) | 10 years after last treatment | §630f BGB |
| Patient records (minors) | Until age 28 | §630f BGB |
| Diagnostic X-ray images | 10 years | §28 RöV |
| Radiation therapy records | 30 years | §28 RöV |
| Blood product documentation | 30 years | §14 TFG |

Criminal law risk: Patient data is protected under §203 StGB (breach of professional secrecy). Disclosure to cloud providers is only permitted under narrow conditions. On-premises storage is the safe path for patient data.


Public administration: Mandatory BSI and critical infrastructure #

Public authorities are subject to BSI IT-Grundschutz as a mandatory standard. This means:

  • Structured security analysis following the IT-Grundschutz methodology
  • Protection requirements assessment for all IT systems and data
  • Implementation of IT-Grundschutz building blocks (CON.3 for data backup is particularly relevant)
  • For federal agencies: registration and reporting obligations under NIS2

Digital file management: E‑government legislation at federal and state level mandates electronic file management for public authorities. Audit-proof storage is a prerequisite, not an option.


Industry and critical infrastructure: OT security meets IT compliance #

Industrial organizations, especially in energy, water, food, and manufacturing sectors, face a particular challenge: the boundary between IT (Information Technology) and OT (Operational Technology) is blurring. Cyberattacks on production systems are a documented reality.

Specific requirements:

  • NIS2 applies to manufacturers in critical supply chains (Section II, Annex II)
  • The KRITIS umbrella law requires physical and digital resilience for critical facility operators from 2026
  • Sector-specific security standards (B3S) for critical infrastructure operators in energy, water, food, and healthcare

4. Data storage as the compliance foundation #

Nearly every compliance framework imposes requirements on data storage. Retention periods, immutability, findability, and secure deletion are not IT details — they are the technical foundation of legal compliance.

Retention periods: What must be kept and for how long #

| Document type | Retention period | Legal basis |
|---|---|---|
| Commercial books, inventories, annual financial statements | 10 years | German HGB §257 |
| Accounting vouchers | 10 years | German HGB §257, AO §147 |
| Incoming and outgoing invoices | 10 years | German UStG §14b |
| Received and sent commercial correspondence | 6 years | German HGB §257 |
| Payroll records (social insurance-relevant) | 5 years after end of employment | German SGB IV §28f |
| Security-relevant log files (NIS2) | At least 1 year (BSI recommendation) | §30 BSIG-new |

Periods begin at the end of the calendar year in which the document was created or the transaction was completed. An invoice dated March 2026 must therefore be retained until 31 December 2036.

Audit-proof archiving: The core technical requirement #

The German GoBD and HGB require that documents subject to retention obligations are stored in a tamper-proof manner. Technically this means: once archived, data must not be altered or deleted — neither by administrators nor by attackers.

This requirement is met by WORM storage (Write Once, Read Many). WORM is not all the same:

  • Hardware WORM (Silent Cubes): WORM enforced at firmware level — independent of software, operating system, and user permissions. No software configuration can modify or delete written data.
  • Software WORM: WORM enforced by software policies — dependent on correct configuration and access controls. Can in principle be bypassed with sufficient administrator rights.

For tax purposes, German tax authorities accept both approaches — but hardware WORM provides the more defensible position in a tax audit or compliance inspection.


GDPR conflict: Retention obligation vs. deletion obligation #

A common misunderstanding: retention obligations (GoBD, HGB) and deletion obligations (GDPR Art. 17) appear to conflict. The resolution is clear: as long as a statutory retention obligation exists, it takes precedence over the deletion right. After the retention period expires, the deletion obligation applies.

This requires an archiving system that manages retention periods and can selectively delete records after expiry — including on WORM storage. Silent Cubes supports retention management: retention periods are defined per document category; after expiry, the document is released for deletion.
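The end-of-calendar-year counting rule and the precedence of retention over deletion can be made concrete in code. The following Python example is added here; it is not code from the original page or from FAST LTA's products. The category keys, the `RetentionManager` class and the sample records are constructed for the example, while the periods are those in the retention table of this section.

```python
from dataclasses import dataclass, field
from datetime import date

# Retention periods in years for the tax-law document types in the table above
# (HGB §257, AO §147, UStG §14b, SGB IV §28f). The category keys are constructed
# for this example.
RETENTION_YEARS = {
    "commercial_book": 10,      # HGB §257
    "accounting_voucher": 10,   # HGB §257, AO §147
    "invoice": 10,              # UStG §14b
    "commercial_letter": 6,     # HGB §257
    "payroll_record": 5,        # SGB IV §28f, counted from the end of employment
}


def retention_end(trigger: date, category: str) -> date:
    """Last day of the statutory retention period.

    The period starts at the end of the calendar year in which the document was
    created, the transaction completed or (for payroll) the employment ended, so
    an invoice dated March 2026 is retained until 31 December 2036.
    """
    return date(trigger.year + RETENTION_YEARS[category], 12, 31)


@dataclass
class Record:
    record_id: str
    category: str
    trigger: date          # creation date or end of transaction/employment


@dataclass
class RetentionManager:
    """Retention management for a WORM-style archive: a record cannot be deleted
    while its statutory retention obligation is in force, even on a GDPR Art. 17
    erasure request; once the period has expired it is released and the deletion
    obligation applies."""
    records: dict = field(default_factory=dict)
    deleted: list = field(default_factory=list)

    def archive(self, rec: Record) -> None:
        self.records[rec.record_id] = rec

    def request_deletion(self, record_id: str, today: date) -> str:
        """Outcome of an erasure request made on `today`."""
        rec = self.records[record_id]
        end = retention_end(rec.trigger, rec.category)
        if today <= end:
            # The retention obligation takes precedence over the deletion right.
            return f"refused: statutory retention until {end.isoformat()}"
        self.deleted.append(record_id)
        del self.records[record_id]
        return "deleted"

    def due_for_deletion(self, today: date) -> list:
        """Records whose retention period has expired and that must now be
        deleted (assuming no other lawful basis for keeping them remains)."""
        return sorted(rid for rid, rec in self.records.items()
                      if today > retention_end(rec.trigger, rec.category))
```

The manager refuses an erasure request for an invoice from March 2026 until the end of 2036 and lists the document as due for deletion from 1 January 2037; the same logic, run daily, is what "released for deletion" means in practice.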

5. Technical compliance requirements #

Compliance is not a purely legal problem — it must be implemented technically. The following technical requirements stem from various frameworks but must be implemented in practice as a unified package.

Encryption #

What is required: GDPR Art. 32 requires appropriate encryption as a technical protection measure. NIS2 (§30 BSIG-new) requires encryption as part of IT risk management. ISO 27001 (Control A.8.24) requires the use of cryptography.

What this means in practice:

  • Data in transit: TLS 1.2 or higher for all network connections
  • Data at rest: AES-256 for storage systems, backups, and archives
  • Key management: Own control over encryption keys — no provider-managed-key-only arrangements

Silent Cubes and the Silent Brick System support AES-256 encryption at rest. Keys remain under the operator’s control.

Access logging and audit trail #

What is required: The German GoBD (paragraph 74) requires a complete audit trail for all archived documents. NIS2 (§30 BSIG-new) requires logging of security-relevant events. GDPR Art. 5(2) requires demonstrable compliance (accountability principle). ISO 27001 (Control A.8.15) requires logging.

What this means in practice:

  • Complete recording of all access to business-critical data: who accessed which document and when
  • Logging of all administrative actions: configuration changes, access rights grants, export operations
  • Logs themselves must be tamper-proof — a log that can be altered retroactively is not a compliance log
  • Log retention: at least 1 year (BSI recommendation for NIS2-relevant logs)
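One way to make a log tamper-evident, so that a retroactive edit is detectable rather than merely forbidden, is to hash-chain its entries. The Python example below is added here and is not code from the original page or from FAST LTA; the accounts, actions and timestamps are constructed. It also shows the one gap a chain alone leaves: a cut-off tail still verifies, which is why the latest hash must be anchored on separate, immutable storage.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash value that anchors the first entry


def entry_hash(body: dict) -> str:
    """SHA-256 over the canonical JSON of an entry body. The body includes
    prev_hash, so every hash commits to the whole chain before it."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit trail.

    Each entry records who did what to which object and when, plus the hash of
    the previous entry. Editing an entry after the fact breaks the chain and is
    detected by verify(); truncating the tail is detected by comparing head()
    with a hash anchored outside the log (e.g. on WORM storage).
    """

    def __init__(self):
        self.entries = []

    def append(self, timestamp: str, actor: str, action: str, target: str) -> str:
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "actor": actor,
            "action": action,
            "target": target,
            "prev_hash": self.head(),
        }
        self.entries.append({**body, "hash": entry_hash(body)})
        return self.entries[-1]["hash"]

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Recompute every hash and check the linkage.
        Returns (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def demo():
    """Constructed sample events, then a retroactive edit and a truncation."""
    log = AuditLog()
    log.append("2026-03-01T08:00:00Z", "admin.meier", "grant_role", "user.schulz:archive-reader")
    log.append("2026-03-01T08:05:12Z", "user.schulz", "read", "invoice/2026/0001.pdf")
    log.append("2026-03-01T08:06:40Z", "user.schulz", "export", "invoice/2026/*")
    anchor = log.head()            # value to store on WORM / a second system
    intact = log.verify()          # (True, None)

    log.entries[1]["actor"] = "user.weber"   # retroactive edit of an existing entry
    tampered = log.verify()        # (False, 1): chain broken at entry 1

    log.entries[1]["actor"] = "user.schulz"  # restore the original value
    log.entries.pop()              # drop the export event
    chain_ok = log.verify()[0]     # True: the chain alone cannot see a cut tail
    anchor_ok = log.head() == anchor   # False: the external anchor catches it
    return intact, tampered, chain_ok, anchor_ok
```

Writing `head()` periodically to the WORM archive (or to a second, independently administered system) turns the chain into a compliance log in the sense of the list above: an administrator can still overwrite the log file, but not without leaving evidence.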

Access control and identity management #

What is required: NIS2 (§30 BSIG-new) requires access management as part of the risk management system. DORA (Art. 9) requires identity and access management. GDPR Art. 32 lists access control as a technical protection measure. BSI IT-Grundschutz building block ORP.4 covers identity and access management.

What this means in practice:

  • Role-based access control (RBAC): each user receives only the rights needed for their role
  • Multi-factor authentication (MFA) for all privileged access
  • Regular review and revocation of access rights no longer needed
  • Separate administrator accounts: production access and administrator access must be separated
  • No shared accounts: each person has their own, identifiable credential

Air gap for critical data #

What is required: NIS2 (§30 BSIG-new) requires the ability to recover after a security incident. BSI (German Federal Office for Information Security) recommendations on ransomware protection explicitly name offline or air-gapped backups. ISO 27001 (Control A.8.13) requires data backup and recoverability.

What this means in practice: A backup permanently connected to the network provides no protection against ransomware. Attackers moving laterally through a network also reach and encrypt online backups — often within minutes. Compliance requires a backup that is unreachable during an attack.

The Silent Brick System provides two variants of the air gap:

  • Silent Brick Pro: Physically removable from the slot of Controller X. The storage module is removed from the controller after the backup — full physical air gap, reactivation always manual. No attacker, no ransomware process can access a removed module.
  • Silent Brick Max Air: Galvanic isolation of the built-in storage media — no physical removal needed. The isolation is released either manually via a button on the device, or automatically in air-gap mode (automatic reconnection after a defined time, e.g. for media rotation during regular backup windows).


Incident reporting and notification obligations #

What is required: NIS2 (§30 BSIG-new) requires reporting of significant security incidents: initial report to BSI (German Federal Office for Information Security) within 24 hours, full report within 72 hours. GDPR Art. 33 requires notification of data breaches to the competent supervisory authority within 72 hours. DORA (Art. 19) requires reporting of serious ICT incidents within 4 hours (initial notification).

What this means in practice: Without technical detection capability, timely reporting is not possible. The NIS2 24-hour deadline requires that a security incident can be detected, classified, and assessed within hours. This requires:

  • SIEM or at least central log management
  • Defined classification criteria (what constitutes a “significant” incident?)
  • A written incident response plan with clear responsibilities and escalation paths

6. Compliance and personal liability #

The era when IT compliance was purely an IT matter is over. NIS2, DORA, and GDPR enforcement make managing directors and board members personally liable. This is not a theoretical risk — these are enforceable rules.

NIS2 Directive: Personal liability of management #

§38 BSIG-new (NIS2 transposition law) is unambiguous: the management of essential and important entities is personally responsible for implementing risk management measures. Specifically:

  • Approval: Management must approve and actively monitor the organization’s cybersecurity measures
  • Training: Managing directors and board members are required to participate in cybersecurity risk training
  • Personal liability: In the event of culpable breach of supervisory duty, management is personally liable — not just the organization
  • No delegation: Assigning responsibility to the IT department or an external provider does not release management from liability

Fines for the organization: Up to EUR 10m or 2% of global annual revenue (essential entities); up to EUR 7m or 1.4% (important entities).

DORA (Digital Operational Resilience Act): Board-level responsibility #

DORA (Art. 5) sets clear requirements for the responsibility of the management body of financial entities. The management body must:

  • Approve and regularly review the ICT risk strategy
  • Bear responsibility for implementing the ICT risk framework
  • Provide sufficient resources for ICT risk management
  • Receive regular reports on ICT risks

Sanctions: The competent supervisory authority (BaFin in Germany) can take action against individuals in addition to imposing fines on the organization.

GDPR: Fines and organizational responsibility #

The GDPR provides for fines of up to EUR 20m or 4% of global annual revenue (Art. 83(5) GDPR). In practice, fines are imposed — including against mid-sized organizations.

Practically relevant scenarios:

  • A data breach not reported within 72 hours: fine under Art. 83 GDPR
  • Data storage without adequate legal basis: fine plus deletion order
  • Processing of sensitive data without adequate technical and organizational measures: fine plus processing ban

For managing directors: the GDPR is addressed to the controller — i.e. the organization. But directors can be held personally liable under §130 OWiG for intentional or grossly negligent breach of their supervisory duty.

Criminal law risks #

Beyond civil and regulatory liability, criminal law risks exist:

  • §202a StGB (unauthorized access to data): Intentionally circumventing security measures or tolerating this
  • §203 StGB (breach of professional secrecy): Unauthorized disclosure of professional confidences — particularly relevant in healthcare and for lawyers
  • §266 StGB (breach of fiduciary duty): Managing directors who grossly neglect IT compliance obligations and thereby cause harm to the organization
  • §370 AO (tax evasion): In cases of intentionally incorrect or manipulated bookkeeping


7. Compliance architecture: reference model #

A compliance-capable IT architecture is not a collection of individual measures — it is a structured system built on four layers.

The four layers of the compliance architecture #

┌────────────────────────────────────────────────────────────────────┐
│  Layer 1: Data storage and archiving                               │
│  ├── Audit-proof long-term archiving (Silent Cubes)                │
│  │    Hardware WORM at firmware level, 10+ years operation         │
│  │    GoBD-compliant: tamper-proof, findable, auditable            │
│  ├── WORM protection for tax-relevant documents                    │
│  ├── Retention management: automated period management             │
│  └── Digitally auditable access for tax authorities and auditors  │
├────────────────────────────────────────────────────────────────────┤
│  Layer 2: Backup and recovery                                      │
│  ├── Primary on-premises backup (Silent Brick System)              │
│  │    Fast recovery (RTO < 1h), full control                       │
│  ├── Air-gap layer for ransomware resilience                       │
│  │    Silent Brick Pro: physical removal → physical air gap        │
│  │    Silent Brick Max Air: galvanic isolation, automatable        │
│  ├── 3-2-1-1 strategy: 3 copies, 2 media types, 1 offline          │
│  └── Immutable backup copies                                       │
├────────────────────────────────────────────────────────────────────┤
│  Layer 3: Access security and logging                              │
│  ├── Role-based access control (RBAC)                              │
│  ├── Multi-factor authentication for privileged access             │
│  ├── AES-256 encryption at rest and in transit (TLS 1.2+)          │
│  ├── Tamper-proof audit trail (access events, admin actions)       │
│  └── Log retention of at least 1 year                              │
├────────────────────────────────────────────────────────────────────┤
│  Layer 4: Governance, documentation, and incident response         │
│  ├── Written process documentation (GoBD paragraphs 151-155)       │
│  ├── IT security policy and ISMS (ISO 27001 / BSI IT-Grundschutz)  │
│  ├── Incident response plan with defined escalation paths          │
│  ├── Reporting process for NIS2 (24h BSI) and GDPR (72h DPA)       │
│  └── Regular audits, training, management reviews                  │
└────────────────────────────────────────────────────────────────────┘
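The Layer 2 rules in the diagram (3-2-1-1, an air-gapped copy, immutable copies) and the air-gap discussion in section 5 can be checked mechanically against a backup inventory. The Python example below is an addition, not code from the original page or from FAST LTA; the `BackupCopy` fields and the two sample inventories are constructed, and counting the primary data as one of the three copies is this example's assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str            # e.g. "disk", "tape", "silent-brick", "object-storage"
    air_gapped: bool      # physically removed or galvanically isolated at check time
    immutable: bool       # WORM / immutability set for this copy


def check_3_2_1_1(copies: list) -> list:
    """Check an inventory against the Layer 2 rules: 3 copies, 2 media types,
    1 offline (air-gapped) copy, and at least one immutable copy.
    Returns the list of violations; an empty list means the rules are met.
    The primary data counts as one of the three copies (example assumption)."""
    violations = []
    if len(copies) < 3:
        violations.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        violations.append(f"only {len(media)} media type(s), need 2")
    if not any(c.air_gapped for c in copies):
        violations.append("no air-gapped (offline) copy")
    if not any(c.immutable for c in copies):
        violations.append("no immutable copy")
    return violations


def reachable_by_ransomware(copies: list) -> list:
    """Copies that a ransomware process with network access and admin rights
    could encrypt or delete: online and not immutable. A module that is
    reconnected for its backup window counts as online until it is isolated
    again, which is why the check takes the state at check time."""
    return [c for c in copies if not c.air_gapped and not c.immutable]


# Constructed inventories for the example
ONLINE_ONLY = [
    BackupCopy("primary", "disk", air_gapped=False, immutable=False),
    BackupCopy("nightly-nas", "disk", air_gapped=False, immutable=False),
    BackupCopy("cloud-sync", "object-storage", air_gapped=False, immutable=False),
]
WITH_AIR_GAP = ONLINE_ONLY[:2] + [
    BackupCopy("silent-brick-pro", "silent-brick", air_gapped=True, immutable=True),
]
```

The first inventory passes the "3 copies, 2 media types" part of the rule and still fails: every copy is online and mutable, which is exactly the situation described in section 5. Adding one removed (or galvanically isolated) and immutable module clears both remaining violations.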

FAST LTA products in the compliance architecture #

Silent Cubes — Layer 1: Audit-proof archiving

Silent Cubes is FAST LTA’s hardware system for long-term archiving. Core compliance features:

  • Hardware WORM at firmware level: Once data is written, it is physically immutable. No administrator, no root access, and no software update can alter written data. This is the decisive difference from software WORM.
  • Long-term operation: Energy-efficient idle mode (3 watts in standby). Designed for retention periods of 10 to 30 years without hardware replacement — relevant for radiation therapy records (30 years, §28 RöV), blood product documentation (30 years, §14 TFG), and tax documents (10 years, German HGB §257).
  • Integration: Standard interfaces (CIFS/SMB, NFS) for all common DMS/ECM systems.
  • Data integrity: Automatic integrity verification (self-healing) — corrupted data blocks are repaired from the mirror copy.


Silent Brick System — Layer 2: Air-gap backup

The Silent Brick System combines fast backup access with a physically secured air gap:

  • Silent Brick Pro: Located in the slot of Controller X and physically removable. After the backup, the module is removed from the controller — no network access, no ransomware attack can reach a removed module. Reactivation is always manual.
  • Silent Brick Max Air: External device with galvanic isolation of the built-in storage media. Isolation is released either manually via a button on the device, or automatically in air-gap mode after a defined time (e.g. daily for a 2‑hour backup window, then galvanically isolated again).
  • Immutability: The Silent Brick System additionally provides software-independent immutability — backups can be set as immutable even without a physical air gap.


Why on-premises storage for compliance-critical data #

Cloud solutions can meet individual technical compliance requirements — but they create new compliance risks:

  • US CLOUD Act: US cloud providers can be compelled to hand over data, even if the servers are located in the EU. This can conflict with GDPR requirements.
  • Schrems II implications: Legal uncertainty around EU-US data transfers is not definitively resolved.
  • Access control: With cloud object storage, software-based immutability depends on IAM configuration — a privileged attacker can change policies.
  • Offline availability: In a crisis (network outage, DDoS against a cloud provider), a cloud backup is unreachable.

On-premises archiving and backup under your own roof eliminates these risks: no third-country legal framework, physical control, offline availability in a crisis.

8. Common mistakes #

Mistake 1: “Compliance is an IT task” #

The most common and consequential mistake: compliance is delegated to the IT department and not actively overseen by management. §38 BSIG-new makes managing directors personally liable — delegating to IT changes nothing. Compliance is a leadership task that requires IT expertise. Not the other way around.

What this means: Managing directors must approve risk management measures, monitor their implementation, and participate in training. Failing to do so is legally negligent under the statute.

Mistake 2: No process documentation #

The German GoBD requires written process documentation for the entire archiving process (paragraphs 151-155). Without it, no electronic archiving is audit-proof — regardless of the technology used. In practice, process documentation is missing in the majority of organizations subject to a tax audit. The tax authority can then reject the regularity of the bookkeeping.

What this means: The process documentation must describe which documents are archived, how they are captured and indexed, on which system they are stored, how immutability is ensured, and who is responsible. A qualified third party must be able to follow the process.

Mistake 3: Cloud data without a GDPR check #

Many organizations use US cloud services for storing business documents without having assessed compliance. The US CLOUD Act authorizes US authorities to demand data from US companies — even if the servers are located in Germany. For personal data, this is a risk that must be documented and assessed.

What this means: For every cloud provider holding personal or business-critical data, a risk assessment must be documented. If the risk is unacceptable: migrate data to your own sovereign infrastructure.

Mistake 4: Backup without air gap #

A backup permanently connected to the network provides no protection against ransomware. Attackers moving laterally through the network reach and encrypt online backups too — in many cases within minutes. NIS2 (§30 BSIG-new) requires the ability to recover after a security incident. Without an air gap, this ability does not exist after a successful ransomware attack.

What this means: At least one backup copy must be physically separated from the network or offline. Silent Brick Pro (physical removal) and Silent Brick Max Air (galvanic isolation) provide this capability — without complex additional systems.

Mistake 5: Lack of awareness of German GoBD requirements in mid-market organizations #

The GoBD applies to all organizations subject to German bookkeeping obligations — that is millions of organizations. Yet GoBD compliance is frequently incomplete in mid-sized organizations: emails are not archived, scanner workflows are undocumented, the tax advisor stores data on their own system, and process documentation does not exist. These gaps become visible in a tax audit.

What this means: GoBD compliance starts with a straightforward check: are all tax-relevant documents archived in a tamper-proof manner? Does process documentation exist? Can an auditor obtain digital audit access? If not, action is needed.

Mistake 6: No written incident response plan #

NIS2 requires reporting of significant security incidents within 24 hours. This deadline is only achievable if the reporting process was defined and practiced before an incident occurs. In practice, many organizations lack a written incident response plan — or it exists but has not been updated in years and is unknown to most staff.

What this means: An incident response plan must be documented in writing, name responsibilities, define escalation paths, and describe the reporting process to BSI (German Federal Office for Information Security) and, where applicable, the data protection authority. It must be exercised regularly and updated after incidents.

9. Step-by-step to compliance #

The following plan guides IT managers and executives through implementation in a structured way. Every step is auditable — each completed step increases compliance maturity.

| Step | Measure | Timeframe | Goal / Success criterion |
|---|---|---|---|
| 1 | Inventory: Which data sits where? Which frameworks apply? Check NIS2 applicability (sector, size class). | 1 – 2 weeks | Complete list of applicable frameworks and data categories |
| 2 | Gap analysis: Assess current state against requirements from GDPR, GoBD, NIS2, DORA (if applicable), and sector-specific requirements. | 2 – 3 weeks | Documented compliance gaps with prioritization |
| 3 | Immediate measures: Close critical gaps — e.g. missing MFA for privileged access, unencrypted storage systems, missing data protection officer appointment. | 2 – 4 weeks | Critical risks addressed |
| 4 | Create process documentation: GoBD-compliant description of the archiving process. In parallel: IT security policy meeting NIS2 requirements. | 3 – 6 weeks | Written, auditable documentation in place |
| 5 | Build technical infrastructure: Hardware WORM for archives (Silent Cubes), air-gap backup (Silent Brick System), access logging, encryption. | 4 – 10 weeks | Compliance-capable storage and backup architecture in operation |
| 6 | Create incident response plan: Define reporting paths for NIS2 (BSI) and GDPR (data protection authority). Assign responsibilities. Schedule initial exercise. | 3 – 4 weeks | Written, tested incident response plan |
| 7 | Conduct training: Train all relevant staff on data protection, IT security, and reporting obligations. Brief management on NIS2 liability. | Ongoing | Training records in place; attendance documented |
| 8 | Operations and continuous improvement: Regular audits (internal and external), update all documents after incidents or regulatory changes, management reviews at least annually. | Ongoing | Compliance anchored as a continuous process |

Prioritization: What to do first #

When resources are limited, the following order applies:

  1. Backup with air gap: Protection against data loss from ransomware delivers the largest immediate risk reduction.
  2. GoBD process documentation: Missing in almost every organization; its absence is immediately visible in a tax audit.
  3. MFA for privileged access: One of the most effective controls against attackers using stolen credentials, and quick to implement.
  4. Incident response plan: NIS2 requires it; the 24-hour deadline is unachievable without a plan.
  5. Tamper-proof (WORM) archiving: For organizations with 10-year or longer retention obligations.


NIS2 applies to medium-sized and larger organizations (50+ employees or EUR 10m+ annual revenue) in 18 critical sectors. These include: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital service providers, and research. Organizations that are unsure should consult BSI (German Federal Office for Information Security) or a compliance advisor. The self-registration obligation with BSI applies from the entry into force of the implementing regulation.

NIS2 is a horizontal framework for all critical sectors: it sets minimum standards for IT security and resilience. DORA is sector-specific for the financial sector and goes beyond NIS2 in many areas: stricter ICT risk management requirements, shorter reporting deadlines (initial notification within 4 hours of classifying an incident as major), mandatory threat-led penetration testing (TLPT), and detailed requirements for managing ICT third-party risk. Financial entities must comply with both frameworks; where they conflict, DORA applies as lex specialis.

Software-based WORM retention is formally acceptable, provided that the organizational measures are fully documented and consistently enforced: separate administrator accounts, dual-control principle for policy changes, complete access logging. Hardware WORM provides the more defensible position because immutability is technically enforced and does not depend on software configuration or access controls. In a tax audit or compliance inspection, hardware WORM is easier to demonstrate: the system physically cannot alter data, so retention does not rest on permissions or policies.

GDPR provides two fine tiers: up to EUR 10m or 2% of global annual revenue for less serious violations (e.g. missing data protection impact assessment, inadequate processor contracts), and up to EUR 20m or 4% of global annual revenue for serious violations (e.g. unlawful data processing, violation of data subject rights). In each tier, whichever amount is higher applies. In practice, supervisory authorities impose substantial fines, including against mid-sized organizations.

First: assess whether your organization falls within the scope of NIS2. Second: approve and actively monitor the organization's risk management measures; this cannot be fully delegated to IT. Third: participate in cybersecurity risk training (NIS2 makes this mandatory for management). Fourth: ensure an incident response plan exists and reporting paths to BSI are defined. Checking these four boxes covers the core requirements of the personal liability provision in §38 BSIG-new.

It depends on the provider. European cloud providers operating exclusively in the EU and not affiliated with US parent companies can be GDPR-compliant, provided a data processing agreement under Art. 28 GDPR is in place and data does not leave the EU. US cloud providers (AWS, Azure, GCP) are problematic because of the US CLOUD Act: it authorizes US authorities to demand data from US providers even when the servers are located in the EU. This conflicts with the GDPR and must be documented and risk-assessed. For personal data with a high protection requirement, such as patient data, employee data, and financial data, on-premises storage under your own control is recommended.

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.