---
title: Compliance
date: 2026-04-27T16:13:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/blog/compliance"
section: Pillar Pages
---
1. [What does IT compliance mean?](#1-what-does-it-compliance-mean)
2. [The regulatory landscape 2026](#2-the-regulatory-landscape-2026)
3. [Sector-specific compliance requirements](#3-sector-specific-compliance-requirements)
4. [Data storage as the compliance foundation](#4-data-storage-as-the-compliance-foundation)
5. [Technical compliance requirements](#5-technical-compliance-requirements)
6. [Compliance and personal liability](#6-compliance-and-personal-liability)
7. [Compliance architecture: reference model](#7-compliance-architecture-reference-model)
8. [Common mistakes](#8-common-mistakes)
9. [Step-by-step to compliance](#9-step-by-step-to-compliance)
10. [Frequently asked questions (FAQ)](#10-h%C3%A4ufige-fragen-faq)
### 1. What does IT compliance mean? [\#](#1-what-does-it-compliance-mean "1. What does IT compliance mean?")

IT compliance means adhering to all legal, regulatory, and organizational requirements that apply to operating IT systems and processing data. The term covers three equally important dimensions:

#### Dimension 1: Legal compliance [\#](#dimension-1-legal-compliance "Dimension 1: Legal compliance")

The legal dimension covers all requirements arising from laws, regulations, and official directives:

- **Data protection law:** GDPR and national implementing legislation regulate which personal data may be processed, how it is stored, for how long, and what data subject rights apply.
- **Tax and commercial law:** The German Commercial Code (HGB), the German Fiscal Code (AO), and the GoBD (German bookkeeping principles) prescribe which business documents must be retained, for how long, and in what form. These apply to organizations subject to German or EU recordkeeping requirements.
- **IT security law:** The NIS2 Directive (transposed into German law in December 2025), the KRITIS umbrella law, and the IT Security Act 2.0 define minimum standards for IT security in specific types of organizations.
- **Sector-specific law:** DORA (Digital Operational Resilience Act) for financial entities, national radiation protection regulations for healthcare, and requirements under banking, anti-money-laundering, and other sector laws.

#### Dimension 2: Technical compliance [\#](#dimension-2-technical-compliance "Dimension 2: Technical compliance")

The technical dimension describes specific IT requirements derived from legal obligations:

- **Data storage:** Tamper-proof archiving, WORM protection, defined retention periods, and secure deletion after expiry
- **Access control:** Role-based access management, multi-factor authentication, logging of all access events
- **Encryption:** Protection of data in transit and at rest (AES-256 or equivalent)
- **Audit trail:** Complete, tamper-proof recording of all security-relevant events
- **Incident response:** Technical capability to detect, analyze, and report security incidents

#### Dimension 3: Organizational compliance [\#](#dimension-3-organizational-compliance "Dimension 3: Organizational compliance")

The organizational dimension covers processes, responsibilities, and documentation:

- **Policies and process documentation:** Written documentation of all relevant processes — from data storage and access control to incident response
- **Responsibilities:** Designation of named owners (data protection officer, CISO, IT security officer)
- **Training:** Regular training of all staff on data protection and security-relevant topics
- **Audits:** Regular internal and external review of compliance measures

#### IT compliance vs. audit-proof archiving: the difference [\#](#it-compliance-vs-audit-proof-archiving-the-difference "IT compliance vs. audit-proof archiving: the difference")

Compliance and audit-proof archiving are frequently conflated — they are not the same. Audit-proof archiving is a specific subset of IT compliance, focused on the legally compliant storage of business documents (German GoBD, HGB, AO — applicable to organizations subject to German or EU recordkeeping requirements). IT compliance is the broader concept: it includes audit-proof archiving but extends far beyond it — to IT security requirements, data protection, personal liability, and operational resilience.

| Topic | Audit-proof archiving | IT compliance |
|---|---|---|
| Tamper-proof archiving of business documents | Core topic | Included |
| Data protection under GDPR | Partial | Fully covered |
| IT security under NIS2 Directive / BSI | Not addressed | Core topic |
| Personal liability of directors | Limited (tax) | Full (NIS2, DORA, GDPR) |
| Incident reporting | Not required | Mandatory (NIS2, DORA) |
| Sector-specific requirements (DORA, BAIT) | Not addressed | Core topic |

### IT Resilience

IT resilience is the ability of an IT infrastructure to remain functional under adverse conditions — from cyber attacks through hardware failures to natural disasters — or to restore functionality within a defined timeframe so that critical business processes are maintained.

[Learn more →](https://www.fast-lta.de//en/glossary/it-resilience)

### GoBD

The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.

[Learn more →](https://www.fast-lta.de//en/glossary/gobd)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)


### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)


### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

Related posts:

- [NIS2 Explained: Who Is Affected and What Do You Need to Do?](https://www.fast-lta.de//en/blog/nis2-einfach-erkl%C3%A4rt-wer-ist-betroffen-und-was-muss-ich-tun) (Blog Post, 1/7/2026): NIS2 is here. Directive (EU) 2022/2555 on network and information security applies across the European Union. Member states had to transpose it into national law by 17 October 2024. Many did so on time, some later: Germany, for example, brought its implementation act (NIS2UmsuCG) into force on 6 December 2025, without a general transition period. The result across the EU: tens of thousands of organisations must implement concrete IT security measures. Those that do not risk fines of up to EUR 10 million or 2% of global annual turnover. This article explains who is affected, what the directive requires, and what you need to do now.
- [Audit-Proof Archiving and GDPR: Retention vs. Right to Erasure](https://www.fast-lta.de//en/blog/revisionssicherheit-und-dsgvo-aufbewahrung-vs-l%C3%B6schpflicht) (Blog Post, 4/16/2026): Two legal obligations appear to collide. Retention law says: keep business records, unaltered, for years. The GDPR says: erase personal data when it is no longer needed (Art. 17). Companies that archive invoices, contracts, and correspondence hold personal data in both categories at once. So which rule wins, and how do you build an archive that satisfies both?

### 2. The regulatory landscape 2026 [\#](#2-the-regulatory-landscape-2026 "2. The regulatory landscape 2026")

The regulatory environment for IT compliance has become considerably more complex in recent years. The table below provides an overview of the key frameworks, the organizations they affect, and their core requirements.

#### Overview: Frameworks, affected organizations, and core requirements [\#](#overview-frameworks-affected-organizations-and-core-requirements "Overview: Frameworks, affected organizations, and core requirements")

| Framework | Since / Status | Affected organizations | Core requirements |
|---|---|---|---|
| **GDPR** | 25.05.2018 | All organizations processing personal data | Lawful basis for processing, data subject rights, 72h breach notification, technical and organizational measures, processor contracts |
| **German GoBD** | 01.01.2015 (updated 2019) | All organizations subject to German bookkeeping obligations | Tamper-proof archiving of tax-relevant documents, process documentation, digital audit access |
| **NIS2 Directive / BSIG amendment** | December 2025 | Medium and large organizations in 18 critical sectors | Risk management, incident reporting (24h/72h), supply chain security, personal liability of management |
| **DORA (Digital Operational Resilience Act)** | 17.01.2025 | Financial entities and critical ICT third-party providers | Digital resilience, ICT risk management, incident reporting, TLPT (Threat-Led Penetration Testing) |
| **KRITIS umbrella law** | Phased from 2026 | Operators of critical facilities in 11 sectors | Physical and digital resilience, registration, incident reporting |
| **BSI IT-Grundschutz** | Continuously updated | Public authorities (mandatory), organizations (de-facto standard) | Structural analysis, protection requirements assessment, baseline/standard/core security controls |
| **ISO 27001** | Current version: 2022 | All organizations (voluntary, but de-facto market requirement) | ISMS (Information Security Management System), risk treatment, continuous improvement |

#### NIS2 Directive: The most far-reaching new regulation in years [\#](#nis2-directive-the-most-far-reaching-new-regulation-in-years "NIS2 Directive: The most far-reaching new regulation in years")

The NIS2 Directive was transposed into German law through the BSIG amendment (December 2025). It is the most significant new IT security obligation for organizations since the original IT Security Act.

**Organizations affected:** NIS2 applies to medium-sized organizations (50+ employees or EUR 10m+ annual revenue) and large organizations in 18 critical sectors — from energy, water, and healthcare through digital infrastructure to manufacturing and postal services. The NIS2 scope is broader than the previous KRITIS framework.

**Core obligations:**

- Implementation of an IT security risk management system
- Reporting of significant security incidents: initial report within 24 hours, full report within 72 hours
- Supply chain security: assessment of IT service providers and suppliers
- Personal liability of management (§38 BSIG-new)

**Fines:** Up to EUR 10m or 2% of global annual revenue (essential entities); up to EUR 7m or 1.4% (important entities).

#### DORA (Digital Operational Resilience Act): The financial sector obligation [\#](#dora-digital-operational-resilience-act-the-financial-sector-obligation "DORA (Digital Operational Resilience Act): The financial sector obligation")

DORA has been mandatory since 17 January 2025. It applies to banks, insurance companies, investment firms, payment service providers, and critical ICT third-party providers.

**Core obligations:**

- ICT risk management with a written framework
- Classification and reporting of ICT security incidents
- Testing of digital resilience (TLPT for significant institutions)
- Management of ICT third-party risks — including cloud providers and software vendors

#### German GoBD: The tax-law foundation [\#](#german-gobd-the-tax-law-foundation "German GoBD: The tax-law foundation")

The GoBD (German bookkeeping principles, BMF circular of 28.11.2019) apply to all organizations subject to German bookkeeping obligations. GoBD is not a statute but an authoritative administrative directive with binding character for tax audits. Organizations subject to German or EU recordkeeping requirements must comply.

**Core obligations:** Tamper-proof archiving of tax-relevant documents, process documentation, completeness, traceability, and digitally auditable access for tax authorities.


Related posts:

- [NIS2 Implementation Deadlines: Timeline and Fines](https://www.fast-lta.de//en/blog/nis2-umsetzungsfristen-zeitplan-und-bu%C3%9Fgelder) (Blog Post, 6/2/2026): The NIS2 Directive (EU 2022/2555) had to be transposed into national law by 17 October 2024. Deadlines and details vary by EU member state, so always check the national law applicable to your organisation. Germany completed transposition with the NIS2 Implementation Act (NIS2UmsuCG), in force since 6 December 2025. The examples below refer to the German implementation. The key point: there is no general transition period. The obligations apply since the law took effect.
- [ISO 27001 and Data Backup: What Control 8.13 Concretely Demands](https://www.fast-lta.de//en/blog/iso-27001-backup-anforderungen-was-control-8-13-konkret-fordert-fast-lta) (Blog Post, 2/13/2026, last updated April 2026): ISO/IEC 27001 is the central benchmark for structured information security management. Organisations seeking or maintaining certification must demonstrate that backup processes not only exist but also function, are documented, and are controlled. For IT managers, CISOs, and compliance officers, a practically relevant question arises: what does the standard specifically require, what do auditors actually check, and how can this be implemented efficiently? This article answers these questions based on the current version ISO/IEC 27001:2022.

### NIS2

The NIS2 Directive (EU 2022/2555) is an EU regulation that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.

[Learn more →](https://www.fast-lta.de//en/glossary/nis2)


### 3. Sector-specific compliance requirements [\#](#3-sector-specific-compliance-requirements "3. Sector-specific compliance requirements")

On top of general requirements from GDPR, GoBD, and NIS2, sector-specific frameworks add further layers. For organizations in regulated sectors, the result is a multi-layered set of obligations.

#### Overview: Compliance requirements by sector [\#](#overview-compliance-requirements-by-sector "Overview: Compliance requirements by sector")

| Sector | General obligations | Sector-specific obligations | Notes |
|---|---|---|---|
| **Financial sector (banks, insurers)** | GDPR, GoBD, NIS2 | DORA, BAIT, MaRisk, KWG, GwG | DORA mandatory since 17.01.2025; BaFin inspections; 5-year retention for WpHG records |
| **Healthcare** | GDPR, GoBD, NIS2 | §630f BGB, §28 RöV, §14 TFG, patient data protection law | Radiation therapy records: 30 years; criminal law protection under §203 StGB |
| **Public administration** | GDPR, GoBD | BSI IT-Grundschutz (mandatory), e-government laws, file retention rules, KRITIS (federal agencies) | Statutory file retention under federal and state law; classified document requirements in some cases |
| **Industry / critical infrastructure operators** | GDPR, GoBD, NIS2 | KRITIS umbrella law, IT Security Act 2.0, sector-specific security standards (B3S) | OT security; production data backup separate from IT; physical resilience |
| **All other organizations (SMEs, mid-market)** | GDPR, GoBD | NIS2 (from 50 employees in covered sectors), German Commercial Code §257, German Fiscal Code §147 | GoBD process documentation frequently missing; checked in tax audits |

#### Financial sector: The densest regulatory framework [\#](#financial-sector-the-densest-regulatory-framework "Financial sector: The densest regulatory framework")

Financial entities face the most heavily regulated environment. The obligation set includes:

**DORA (since 17.01.2025):** DORA is mandatory for all EU-supervised financial entities. The ICT risk management framework must be documented in writing, tested regularly, and approved by management. All critical ICT third-party providers — including cloud providers and backup software vendors — must be registered and assessed. For serious incidents: mandatory reporting to the competent authority within 4 hours (initial notification) and 24 hours (detailed notification).

**BAIT (German supervisory requirements for IT in banking):** The German Federal Financial Supervisory Authority (BaFin) BAIT guidelines specify IT requirements for credit institutions under §25a KWG. Key topics: IT strategy, IT governance, information risk management, outsourcing (including cloud), business continuity.

**MaRisk (Minimum requirements for risk management):** MaRisk applies to credit and financial services institutions. Relevant for IT compliance: requirements for data backup, backup recovery, and business continuity.

→ [Industry solution: Financial services](/en/verticals/financial-services/)


Related post:

- [DORA: Requirements for Digital Operational Resilience in the Financial Sector](https://www.fast-lta.de//en/blog/dora-anforderungen-an-die-digitale-betriebsresilienz-im-finanzsektor) (Blog Post, 2/18/2026)

#### Healthcare: Long retention periods, high liability risk [\#](#healthcare-long-retention-periods-high-liability-risk "Healthcare: Long retention periods, high liability risk")

Healthcare combines strict data protection requirements with some of the longest retention periods in any sector:

**Retention periods overview:**

| Document type | Period | Legal basis |
|---|---|---|
| Patient records (general) | 10 years after last treatment | §630f BGB |
| Patient records (minors) | Until age 28 | §630f BGB |
| Diagnostic X-ray images | 10 years | §28 RöV |
| Radiation therapy records | 30 years | §28 RöV |
| Blood product documentation | 30 years | §14 TFG |

**Criminal law risk:** Patient data is protected under §203 StGB (breach of professional secrecy). Disclosure to cloud providers is only permitted under narrow conditions. On-premises storage is the safe path for patient data.

→ [Industry solution: Healthcare](/en/verticals/healthcare/)

  

#### Public administration: Mandatory BSI and critical infrastructure [\#](#public-administration-mandatory-bsi-and-critical-infrastructure "Public administration: Mandatory BSI and critical infrastructure")

Public authorities are subject to BSI IT-Grundschutz as a mandatory standard. This means:

- Structured security analysis following IT-Grundschutz methodology
- Protection requirements assessment for all IT systems and data
- Implementation of IT-Grundschutz building blocks (CON.3 for data backup is particularly relevant)
- For federal agencies: registration and reporting obligations under NIS2

**Digital file management:** E‑government legislation at federal and state level mandates electronic file management for public authorities. Audit-proof storage is a prerequisite, not an option.

→ [Industry solution: Public administration](/en/verticals/public-sector/)

### BSI IT-Grundschutz

The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.

[Learn more →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz)

#### Industry and critical infrastructure: OT security meets IT compliance [\#](#industry-and-critical-infrastructure-ot-security-meets-it-compliance "Industry and critical infrastructure: OT security meets IT compliance")

Industrial organizations, especially critical infrastructure operators in energy, water, food, and manufacturing sectors, face a particular challenge: the boundary between IT (Information Technology) and OT (Operational Technology) is blurring. Cyberattacks on production systems are a documented reality.

**Specific requirements:**

- NIS2 applies to manufacturers in critical supply chains (Section II, Annex II)
- The KRITIS umbrella law requires physical and digital resilience for critical facility operators from 2026
- Sector-specific security standards (B3S) for critical infrastructure operators in energy, water, food, and healthcare

### KRITIS (Critical Infrastructure)

KRITIS refers to organizations and facilities whose failure or impairment would cause significant supply shortages or threats to public safety — KRITIS operators are subject to heightened IT security requirements under §8a of the German BSI Act and must demonstrate compliance to the BSI every two years.

[Learn more →](https://www.fast-lta.de//en/glossary/kritis-critical-infrastructure)

### 4. Data storage as the compliance foundation [\#](#4-data-storage-as-the-compliance-foundation "4. Data storage as the compliance foundation")

Nearly every compliance framework imposes requirements on data storage. Retention periods, immutability, findability, and secure deletion are not IT details — they are the technical foundation of legal compliance.

#### Retention periods: What must be kept and for how long [\#](#retention-periods-what-must-be-kept-and-for-how-long "Retention periods: What must be kept and for how long")

| Document type | Retention period | Legal basis |
|---|---|---|
| Commercial books, inventories, annual financial statements | 10 years | German HGB §257 |
| Accounting vouchers | 10 years | German HGB §257, AO §147 |
| Incoming and outgoing invoices | 10 years | German UStG §14b |
| Received and sent commercial correspondence | 6 years | German HGB §257 |
| Payroll records (social insurance-relevant) | 5 years after end of employment | German SGB IV §28f |
| Security-relevant log files (NIS2) | At least 1 year (BSI recommendation) | §30 BSIG-new |

Periods begin at the end of the calendar year in which the document was created or the transaction was completed. An invoice dated March 2026 must therefore be retained until 31 December 2036.

#### Audit-proof archiving: The core technical requirement [\#](#audit-proof-archiving-the-core-technical-requirement "Audit-proof archiving: The core technical requirement")

The German GoBD and HGB require that documents subject to retention obligations are stored in a **tamper-proof** manner. This means technically: once archived, data must not be altered or deleted — neither by administrators nor by attackers.

This requirement is met by WORM storage (Write Once, Read Many). WORM is not all the same:

- **Hardware WORM (Silent Cubes):** Immutability at firmware level — independent of software, operating system, and user permissions. No software configuration can modify or delete written data.
- **Software WORM (Object Lock, Immutable Storage):** Immutability enforced by software policies — dependent on correct configuration and access controls. Can in principle be bypassed with sufficient administrator rights.

For tax purposes, German tax authorities accept both approaches — but hardware WORM provides the more defensible position in a tax audit or compliance inspection.

→ [Silent Cubes: Hardware WORM for compliant archiving](/en/products/silent-cubes/)
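The dependency described above for software WORM, that immutability holds only if the policy is configured correctly, is something an auditor can check mechanically. The following Python is an added example written for this page, not code from FAST LTA or from any storage vendor. It audits a bucket-level Object Lock configuration in the dictionary layout of the AWS S3 GetObjectLockConfiguration response; the two sample configurations and the `required_years` parameter are constructed for the illustration.

```python
# Added example: audit an S3-style Object Lock configuration for the weakness the
# page describes in software WORM, namely that immutability depends on
# configuration. The dict layout follows the AWS S3 GetObjectLockConfiguration
# response; all values below are constructed samples, not from a real bucket.


def object_lock_findings(cfg: dict, required_years: int) -> list[str]:
    """Return findings for a bucket-level Object Lock configuration.

    An empty list means: lock enabled, default retention in COMPLIANCE mode, and
    the default period covers the statutory retention the bucket is used for.
    Even then the lock is enforced by the storage service's software, which is
    the residual dependency the page contrasts with hardware WORM.
    """
    findings: list[str] = []
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock disabled: objects can be overwritten or deleted"]

    retention = lock.get("Rule", {}).get("DefaultRetention")
    if retention is None:
        return ["no default retention: objects uploaded without an explicit "
                "retain-until date are mutable"]

    if retention.get("Mode") == "GOVERNANCE":
        findings.append("GOVERNANCE mode: a principal holding "
                        "s3:BypassGovernanceRetention can shorten or lift the lock")
    elif retention.get("Mode") != "COMPLIANCE":
        findings.append(f"unknown retention mode {retention.get('Mode')!r}")

    # Default retention is expressed either in Days or in Years, never both.
    days = retention.get("Days", 0) + retention.get("Years", 0) * 365
    if days < required_years * 365:
        findings.append(f"default retention of {days} days is shorter than the "
                        f"required {required_years} years")
    return findings


# Constructed sample: the weak setting beside the corrected one.
WEAK_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}},
    }
}

HARDENED_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 10}},
    }
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, object_lock_findings(cfg, required_years=10) or ["ok"])
```

The weak configuration produces two findings (bypassable mode, and a one-year default that falls short of a ten-year statutory period); the hardened one produces none. Run against a real bucket, the same function would take the output of the provider's configuration API, but the check itself stays a policy review: it cannot make software WORM independent of the administrator who can change that policy.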

#### GDPR conflict: Retention obligation vs. deletion obligation [\#](#gdpr-conflict-retention-obligation-vs-deletion-obligation "GDPR conflict: Retention obligation vs. deletion obligation")

A common misunderstanding: retention obligations (GoBD, HGB) and deletion obligations (GDPR Art. 17) appear to conflict. The resolution is clear: as long as a statutory retention obligation exists, it takes precedence over the GDPR deletion right. After the retention period expires, the GDPR deletion obligation applies.

This requires an archiving system that manages retention periods and can selectively delete records after expiry — including on WORM storage. Silent Cubes supports retention management: retention periods are defined per document category; after expiry, the document is released for deletion.
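The retention calculation from the table above (periods start at the end of the calendar year) and the precedence rule just described, statutory retention first and GDPR deletion after expiry, fit together in a small retention manager. The following Python is an added example written for this page; it is not Silent Cubes code or any product API. The category names, the `RetentionManager` class and the audit-log line format are assumptions made for the illustration, and the records are constructed samples.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods from the page's table, in years. Each period starts at the
# end of the calendar year in which the document was created (or, for payroll
# records, the employment ended), so the expiry date is always a 31 December.
RETENTION_YEARS = {
    "commercial_books": 10,          # HGB §257
    "accounting_voucher": 10,        # HGB §257, AO §147
    "invoice": 10,                   # UStG §14b
    "commercial_correspondence": 6,  # HGB §257
    "payroll": 5,                    # SGB IV §28f
}


def retention_expiry(trigger: date, category: str) -> date:
    """Last day of the statutory retention period for a document."""
    return date(trigger.year + RETENTION_YEARS[category], 12, 31)


@dataclass
class ArchivedRecord:
    record_id: str
    category: str
    trigger: date                    # creation date / end of employment
    personal_data: bool              # record contains GDPR-relevant data
    erasure_requested: bool = False  # Art. 17 request received and deferred

    @property
    def expiry(self) -> date:
        return retention_expiry(self.trigger, self.category)


class RetentionManager:
    """Hypothetical retention manager (not a product API). While a statutory
    retention period runs, the record is locked and an erasure request is only
    noted; once the period has expired, the GDPR deletion obligation applies
    and the record is released for deletion."""

    def __init__(self) -> None:
        self.records: dict[str, ArchivedRecord] = {}
        self.audit_log: list[str] = []

    def archive(self, rec: ArchivedRecord) -> None:
        self.records[rec.record_id] = rec
        self.audit_log.append(f"ARCHIVE {rec.record_id} retain_until={rec.expiry}")

    def is_locked(self, record_id: str, today: date) -> bool:
        return today <= self.records[record_id].expiry

    def request_erasure(self, record_id: str, today: date) -> str:
        """Handle an Art. 17 request: 'deferred' while retention runs,
        'deleted' once it has expired."""
        rec = self.records[record_id]
        if self.is_locked(record_id, today):
            rec.erasure_requested = True
            self.audit_log.append(f"ERASURE-DEFERRED {record_id} until={rec.expiry}")
            return "deferred"
        self._delete(record_id, today, reason="art17")
        return "deleted"

    def delete(self, record_id: str, today: date) -> bool:
        """Administrative deletion; refused while the retention lock is active."""
        if self.is_locked(record_id, today):
            self.audit_log.append(f"DELETE-REFUSED {record_id} on={today}")
            return False
        self._delete(record_id, today, reason="admin")
        return True

    def sweep(self, today: date) -> list[str]:
        """Release every expired record that holds personal data or has a
        deferred erasure request. Returns the deleted record ids."""
        due = [r.record_id for r in self.records.values()
               if not self.is_locked(r.record_id, today)
               and (r.personal_data or r.erasure_requested)]
        for rid in due:
            self._delete(rid, today, reason="expiry")
        return due

    def _delete(self, record_id: str, today: date, reason: str) -> None:
        del self.records[record_id]
        self.audit_log.append(f"DELETE {record_id} on={today} reason={reason}")


if __name__ == "__main__":
    mgr = RetentionManager()
    # Constructed sample: the page's March 2026 invoice, which contains a
    # customer's personal data.
    inv = ArchivedRecord("INV-2026-0042", "invoice", date(2026, 3, 15), personal_data=True)
    mgr.archive(inv)
    print(inv.expiry)                                               # 2036-12-31
    print(mgr.request_erasure("INV-2026-0042", date(2030, 6, 1)))   # deferred
    print(mgr.delete("INV-2026-0042", date(2036, 12, 31)))          # False
    print(mgr.sweep(date(2037, 1, 1)))                              # ['INV-2026-0042']
    print("\n".join(mgr.audit_log))
```

The audit log is the part an auditor will ask for: every refused deletion and every deferred erasure request is recorded with the date on which the lock ends, so the archive can show both that it did not delete too early and that it did not keep personal data after the obligation lapsed. On hardware WORM the `is_locked` decision would be taken by the storage controller rather than by this class, which is the page's point about the two approaches.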

### GoBD

The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.

[Learn more →](https://www.fast-lta.de//en/glossary/gobd)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)


### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)


### Immutable Storage

Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).

[Learn more →](https://www.fast-lta.de//en/glossary/immutable-storage)


###### Blog Post | 2/11/2026

**[Compliance with WORM Storage: What External Financial Auditors Expect](https://www.fast-lta.de//en/blog/compliance-mit-worm-speicher-was-wirtschaftspr%C3%BCfer-erwarten)**

Every year, external financial auditors examine the annual accounts of companies across the EU. The statutory audit, harmonised by the EU Audit Directive (2006/43/EC, as amended), is conducted under International Standards on Auditing (ISA). One part of that audit regularly catches IT departments off guard: the auditor's assessment of the systems that store accounting records. If archived records can be altered or deleted, the auditor cannot rely on them as evidence. This article explains what auditors actually check in your archiving systems, why WORM storage (Write Once Read Many) has become the reference answer, and what documentation you should have ready before the audit team arrives.

### 5. Technical compliance requirements [\#](#5-technical-compliance-requirements "5. Technical compliance requirements")

Compliance is not a purely legal problem — it must be implemented technically. The following technical requirements stem from various frameworks but must be implemented in practice as a unified package.

#### Encryption [\#](#encryption "Encryption")

**What is required:** GDPR Art. 32 requires appropriate encryption as a technical protection measure. NIS2 (§30 BSIG-new) requires encryption as part of IT risk management. ISO 27001 (Control A.8.24) requires the use of cryptography.

**What this means in practice:**

- Data in transit: TLS 1.2 or higher for all network connections
- Data at rest: AES-256 for storage systems, backups, and archives
- Key management: Own control over encryption keys — no provider-managed-key-only arrangements

Silent Cubes and the Silent Brick System support AES-256 encryption at rest. Keys remain under the operator’s control.

#### Access logging and audit trail [\#](#access-logging-and-audit-trail "Access logging and audit trail")

**What is required:** German GoBD (paragraph 74) requires a complete audit trail for all archived documents. NIS2 (§30 BSIG-new) requires logging of security-relevant events. GDPR Art. 5(2) requires demonstrable compliance (accountability principle). ISO 27001 (Control A.8.15) requires logging.

**What this means in practice:**

- Complete recording of all access to business-critical data: who accessed which document and when
- Logging of all administrative actions: configuration changes, access rights grants, export operations
- Logs themselves must be tamper-proof — a log that can be altered retroactively is not a compliance log
- Log retention: at least 1 year (BSI recommendation for NIS2-relevant logs)
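What a tamper-proof log looks like in practice: the added example below (not FAST LTA code) chains each audit entry to its predecessor with an HMAC, so a retroactive edit, a removed entry, or a forged MAC fails verification. It also shows why the newest MAC must be anchored outside the log host (on WORM storage, for instance), because a chain alone cannot detect that its tail was cut off. The sealing key, actor names, and events are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Assumption: the sealing key lives outside the logging host (HSM/KMS), so an
# attacker with root on the log server cannot re-seal entries after editing them.
SEAL_KEY = b"example-sealing-key-stored-in-kms"
GENESIS = "0" * 64


def _canonical(entry: dict) -> bytes:
    """Deterministic encoding so the MAC does not depend on field order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _seal(prev_mac: str, entry: dict) -> str:
    """MAC over the previous MAC and this entry: links the chain."""
    return hmac.new(SEAL_KEY, prev_mac.encode() + _canonical(entry),
                    hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; each entry is chained to its predecessor's MAC."""

    def __init__(self):
        self.entries: List[dict] = []

    def append(self, ts: str, actor: str, action: str, obj: str) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "object": obj, "prev": prev}
        entry["mac"] = _seal(prev, entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest MAC; anchor it externally (e.g. on WORM) to catch truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify(entries: List[dict], anchored_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact.
    Passing the externally anchored head also detects silently dropped tail entries."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "mac"}
        if (body.get("seq") != i or body.get("prev") != prev
                or not hmac.compare_digest(_seal(prev, body), e.get("mac", ""))):
            return False, i
        prev = e["mac"]
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return False, len(entries)  # tail truncated or replaced after anchoring
    return True, -1


def tampered(entries: List[dict], seq: int, field: str, value) -> List[dict]:
    """Deep copy with one field rewritten: what a retroactive edit looks like."""
    clone = json.loads(json.dumps(entries))
    clone[seq][field] = value
    return clone


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data): a read, an access grant,
    an export, and the revocation, which is the sequence an auditor asks about."""
    log = AuditLog()
    log.append("2026-04-27T08:01:12Z", "m.mueller", "READ", "invoice-2019-0042")
    log.append("2026-04-27T08:05:40Z", "admin-jk", "GRANT", "role:archive-export->t.weber")
    log.append("2026-04-27T08:06:03Z", "t.weber", "EXPORT", "invoice-2019-0042")
    log.append("2026-04-27T09:30:00Z", "admin-jk", "REVOKE", "role:archive-export->t.weber")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log.entries, log.head()))                          # (True, -1)
    print(verify(tampered(log.entries, 1, "actor", "nobody")))      # (False, 1)
    print(verify(log.entries[:3], log.head()))                      # (False, 3)
```

Two design points matter for a compliance log. First, the MAC key must not be readable by the administrators whose actions the log records; otherwise they can edit and re-seal. Second, periodically write the head MAC to a medium the log host cannot change, because a chain that is simply cut after the last honest entry verifies fine on its own.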

#### Access control and identity management [\#](#access-control-and-identity-management "Access control and identity management")

**What is required:** NIS2 (§30 BSIG-new) requires access management as part of the risk management system. DORA (Art. 9) requires Identity Access Management. GDPR Art. 32 lists access control as a technical protection measure. BSI IT-Grundschutz ORP.4.

**What this means in practice:**

- Role-based access control (RBAC): each user receives only the rights needed for their role
- Multi-factor authentication (MFA) for all privileged access
- Regular review and revocation of access rights no longer needed
- Separate administrator accounts: production access and administrator access must be separated
- No shared accounts: each person has their own, identifiable credential

#### Air gap for critical data [\#](#air-gap-for-critical-data "Air gap for critical data")

**What is required:** NIS2 (§30 BSIG-new) requires the ability to recover after a security incident. BSI (German Federal Office for Information Security) recommendations on ransomware protection explicitly name offline or air-gapped backups. ISO 27001 (Control A.8.13) requires data backup and recoverability.

**What this means in practice:** A backup permanently connected to the network provides no protection against ransomware. Attackers moving laterally through a network also reach and encrypt online backups — often within minutes. Compliance requires a backup that is unreachable during an attack.

The Silent Brick System provides two variants of the air gap:

- **Silent Brick Pro:** Physically removable from the slot of Controller X. The storage module is removed from the controller after the backup — full physical air gap, reactivation always manual. No attacker, no ransomware process can access a removed module.
- **Silent Brick Max Air:** Galvanic isolation of the built-in storage media — no physical removal needed. The isolation is released either manually via a button on the device, or automatically in air-gap mode (automatic reconnection after a defined time, e.g. for media rotation during regular backup windows).

→ [Silent Brick System: Air-gap backup explained](/en/products/silent-brick-system/)

#### Incident reporting and notification obligations [\#](#incident-reporting-and-notification-obligations "Incident reporting and notification obligations")

**What is required:** NIS2 (§30 BSIG-new) requires reporting of significant security incidents to the BSI (German Federal Office for Information Security) in stages: early warning within 24 hours, incident notification with an initial assessment within 72 hours, and a final report within one month. GDPR Art. 33 requires notification of personal data breaches to the competent supervisory authority within 72 hours of becoming aware of them. DORA (Art. 19) requires reporting of major ICT-related incidents: initial notification within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it.

**What this means in practice:** Without technical detection capability, timely reporting is not possible. The NIS2 24-hour deadline requires that a security incident can be detected, classified, and assessed within hours. This requires:

- SIEM or at least central log management
- Defined classification criteria (what constitutes a ​“significant” incident?)
- A written incident response plan with clear responsibilities and escalation paths


### BSI IT-Grundschutz

The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.

[Learn more →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz)


### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)


###### Blog Post | 3/3/2026

**[Creating an Incident Response Plan: Template and Guide](https://www.fast-lta.de//en/blog/incident-response-plan-erstellen-vorlage-und-anleitung)**

An incident response plan (IRP) is the backbone of resilience. It is the document that prepares your organization for a cyberattack before it happens. A well-structured IRP significantly reduces response time and minimizes the extent of damage. Yet many organizations have none, or only an outdated concept that nobody has tested. Under the NIS2 Directive (Directive (EU) 2022/2555), incident handling is an explicit risk management requirement for essential and important entities. Here is a concrete template with 8 required sections that every IR plan must have.

###### Blog Post | 4/10/2026

**[Why Software WORM Is Not the Same as Hardware WORM](https://www.fast-lta.de//en/blog/warum-software-worm-nicht-gleich-hardware-worm-ist)**

Both are marketed as "immutable storage." Both promise that data cannot be changed after writing. But the two approaches enforce that promise at very different levels, and the difference decides whether your archive survives an attacker with admin rights, or an audit ten years from now.

### 6. Compliance and personal liability [\#](#6-compliance-and-personal-liability "6. Compliance and personal liability")

The era when IT compliance was purely an IT matter is over. NIS2, DORA, and GDPR enforcement make managing directors and board members personally liable. This is not a theoretical risk — these are enforceable rules.

#### NIS2 Directive: Personal liability of management [\#](#nis2-directive-personal-liability-of-management "NIS2 Directive: Personal liability of management")

§38 BSIG-new (NIS2 transposition law) is unambiguous: the management of essential and important entities is personally responsible for implementing risk management measures. Specifically:

- **Approval:** Management must approve and actively monitor the organization’s cybersecurity measures
- **Training:** Managing directors and board members are required to participate in cybersecurity risk training
- **Personal liability:** In the event of culpable breach of supervisory duty, management is personally liable — not just the organization
- **No delegation:** Assigning responsibility to the IT department or an external provider does not release management from liability

**Fines for the organization:** Up to EUR 10m or 2% of global annual revenue (essential entities); up to EUR 7m or 1.4% (important entities).

#### DORA (Digital Operational Resilience Act): Board-level responsibility [\#](#dora-digital-operational-resilience-act-board-level-responsibility "DORA (Digital Operational Resilience Act): Board-level responsibility")

DORA (Art. 5) sets clear requirements for the responsibility of the management body of financial entities. The management body must:

- Approve and regularly review the ICT risk strategy
- Bear responsibility for implementing the ICT risk framework
- Provide sufficient resources for digital resilience
- Receive regular reports on ICT risks

Sanctions: The competent supervisory authority (BaFin in Germany) can take action against individuals in addition to imposing fines on the organization.

#### GDPR: Fines and organizational responsibility [\#](#gdpr-fines-and-organizational-responsibility "GDPR: Fines and organizational responsibility")

GDPR provides for fines of up to EUR 20m or 4% of global annual revenue (Art. 83(5) GDPR). In practice, fines are imposed — including against mid-sized organizations.

**Practically relevant scenarios:**

- A data breach not reported within 72 hours: fine under Art. 83 GDPR
- Data storage without adequate legal basis: fine plus deletion order
- Processing of sensitive data without adequate technical and organizational measures: fine plus processing ban

For managing directors: GDPR is addressed to the controller — i.e. the organization. But directors can be held personally liable under §130 OWiG for intentional or grossly negligent breach of their supervisory duty.

#### Criminal law risks [\#](#criminal-law-risks "Criminal law risks")

Beyond civil and regulatory liability, criminal law risks exist:

- **§202a StGB (unauthorized access to data):** Intentionally circumventing security measures or tolerating this
- **§203 StGB (breach of professional secrecy):** Unauthorized disclosure of professional confidences — particularly relevant in healthcare and for lawyers
- **§266 StGB (breach of fiduciary duty):** Managing directors who grossly neglect IT compliance obligations and thereby cause harm to the organization
- **§370 AO (tax evasion):** In cases of intentionally incorrect or manipulated bookkeeping


### IT Resilience

IT resilience is the ability of an IT infrastructure to remain functional under adverse conditions — from cyber attacks through hardware failures to natural disasters — or to restore functionality within a defined timeframe so that critical business processes are maintained.

[Learn more →](https://www.fast-lta.de//en/glossary/it-resilience)


###### Blog Post | 1/21/2026

**[Personal Liability Under NIS2: What Executives Need to Know](https://www.fast-lta.de//en/blog/personal-liability-under-nis2)**

This is uncomfortable but important: under NIS2, cybersecurity is explicitly a management duty, and breaching it can cost executives personally. Article 20 of Directive (EU) 2022/2555 requires the management body to approve the cybersecurity risk management measures, oversee their implementation, and attend training. Member states must ensure that management can be held liable for infringements of these duties. National implementation acts spell this out; in Germany, for example, the amended BSIG makes executives liable towards their own company for culpable breaches of these duties, and that claim targets personal assets. This article explains how the liability works across the EU and what executives can do to minimise it.

###### Blog Post | 2/5/2026

**[What Does Non-Compliance Really Cost?](https://www.fast-lta.de//en/blog/was-kostet-non-compliance-wirklich-bu%C3%9Fgelder-sch%C3%A4den-haftung)**

Compliance costs money, time, and management attention. That is undisputed. What many decision-makers systematically underestimate: non-compliance costs significantly more. Not someday, but at the first serious incident. This article lays out the complete bill: fines, operational disruption, reputational damage, personal liability. And it shows how to use this to build a solid business case for your compliance investments. **Reading time:** approx. 10 minutes | **Updated:** April 2026


### 7. Compliance architecture: reference model [\#](#7-compliance-architecture-reference-model "7. Compliance architecture: reference model")

A compliance-capable IT architecture is not a collection of individual measures — it is a structured system built on four layers.

#### The four layers of the compliance architecture [\#](#the-four-layers-of-the-compliance-architecture "The four layers of the compliance architecture")

```
┌────────────────────────────────────────────────────────────────────┐
│  Layer 1: Data storage and archiving                               │
│  ├── Audit-proof long-term archiving (Silent Cubes)                │
│  │    Hardware WORM at firmware level, 10+ years operation         │
│  │    GoBD-compliant: tamper-proof, findable, auditable            │
│  ├── WORM protection for tax-relevant documents                    │
│  ├── Retention management: automated period management             │
│  └── Digitally auditable access for tax authorities and auditors   │
├────────────────────────────────────────────────────────────────────┤
│  Layer 2: Backup and recovery                                      │
│  ├── Primary on-premises backup (Silent Brick System)              │
│  │    Fast recovery (RTO < 1h), full control                       │
│  ├── Air-gap layer for ransomware resilience                       │
│  │    Silent Brick Pro: physical removal → physical air gap        │
│  │    Silent Brick Max Air: galvanic isolation, automatable        │
│  ├── 3-2-1-1 strategy: 3 copies, 2 media, 1 offsite, 1 offline     │
│  └── Immutable backup copies                                       │
├────────────────────────────────────────────────────────────────────┤
│  Layer 3: Access security and logging                              │
│  ├── Role-based access control (RBAC)                              │
│  ├── Multi-factor authentication for privileged access             │
│  ├── AES-256 encryption at rest and in transit (TLS 1.2+)          │
│  ├── Tamper-proof audit trail (access events, admin actions)       │
│  └── Log retention of at least 1 year                              │
├────────────────────────────────────────────────────────────────────┤
│  Layer 4: Governance, documentation, and incident response         │
│  ├── Written process documentation (GoBD paragraphs 151-155)       │
│  ├── IT security policy and ISMS (ISO 27001 / BSI IT-Grundschutz)  │
│  ├── Incident response plan with defined escalation paths          │
│  ├── Reporting process for NIS2 (24h BSI) and GDPR (72h DPA)       │
│  └── Regular audits, training, management reviews                  │
└────────────────────────────────────────────────────────────────────┘
```

#### FAST LTA products in the compliance architecture [\#](#fast-lta-products-in-the-compliance-architecture "FAST LTA products in the compliance architecture")

**Silent Cubes — Layer 1: Audit-proof archiving**

Silent Cubes is FAST LTA’s hardware WORM system for long-term archiving. Core compliance features:

- **Hardware WORM at firmware level:** Once data is written, it is physically immutable. No administrator, no root access, and no software update can alter written data. This is the decisive difference from software WORM.
- **Long-term operation:** Energy-efficient idle mode (3 watts in standby). Designed for retention periods of 10 to 30 years without hardware replacement, relevant for radiation therapy records (30 years under German radiation protection law; formerly §28 RöV, now governed by the StrlSchG/StrlSchV), blood product documentation (30 years, §14 TFG), and tax documents (10 years, §257 HGB).
- **Integration:** Standard interfaces (CIFS/SMB, NFS) for all common DMS/ECM systems.
- **Data integrity:** Automatic integrity verification (self-healing) — corrupted data blocks are repaired from the mirror copy.

→ [Silent Cubes: Technical details](/en/products/silent-cubes/)

**Silent Brick System — Layer 2: Air-gap backup**

The Silent Brick System combines fast backup access with a physically secured air gap:

- **Silent Brick Pro:** Located in the slot of Controller X and physically removable. After the backup, the module is removed from the controller — no network access, no ransomware attack can reach a removed module. Reactivation is always manual.
- **Silent Brick Max Air:** External device with galvanic isolation of the built-in storage media. Isolation is released either manually via a button on the device, or automatically in air-gap mode after a defined time (e.g. daily for a 2‑hour backup window, then galvanically isolated again).
- **Immutability:** The Silent Brick System additionally provides software-independent immutability — backups can be set as immutable even without a physical air gap.

→ [Silent Brick System: Technical details](/en/products/silent-brick-system/)

#### Why on-premises storage for compliance-critical data [\#](#why-on-premises-storage-for-compliance-critical-data "Why on-premises storage for compliance-critical data")

Cloud solutions can meet individual technical compliance requirements — but they create new compliance risks:

- **US CLOUD Act:** US cloud providers can be compelled to hand over data, even if the servers are located in the EU. This can conflict with GDPR requirements.
- **Schrems II implications:** Legal uncertainty around EU-US data transfers is not definitively resolved.
- **Access control:** With cloud WORM, software immutability depends on IAM configuration — a privileged attacker can change policies.
- **Offline availability:** In a crisis (network outage, DDoS against a cloud provider), a cloud backup is unreachable.

On-premises archiving and backup under your own roof avoids these risks: no third-country legal framework, physical control over the media, and offline availability in a crisis. It does not remove the need for the other layers (access control, logging, patching), which apply to on-premises systems just as they do to cloud services.

### BSI IT-Grundschutz

The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.

[Learn more →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### NIS2

The NIS2 Directive (EU 2022/2555) is an EU regulation that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.

[Learn more →](https://www.fast-lta.de//en/glossary/nis2)

### GoBD

The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.

[Learn more →](https://www.fast-lta.de//en/glossary/gobd)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### Immutable Storage

Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).

[Learn more →](https://www.fast-lta.de//en/glossary/immutable-storage)

###### Blog Post | 12/2/2025

[GDPR and Cloud Storage: Legally Compliant Handling of Personal Data](https://www.fast-lta.de//en/blog/dsgvo-und-cloud-speicherung-rechtskonformer-umgang-mit-personenbezogenen-daten)

The GDPR permits cloud storage, but under strict conditions. Third-country transfers (to the US, China and other non-EU countries) are particularly complex. Many organisations do not realise that their current setup falls short of the requirements. This article explains the GDPR requirements for cloud storage and where the legal risks sit.

###### Blog Post | 1/20/2026

[EU Data Act: What Changes for Cloud Users](https://www.fast-lta.de//en/blog/eu-data-act-was-sich-f%C3%BCr-cloud-nutzer-%C3%A4ndert)

The EU Data Act (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and has applied since 12 September 2025. It obliges cloud providers to make customer data portable and to remove the barriers that keep customers locked in. The practical implications are highly relevant for IT decision-makers, but many are still unaware of the regulation.

### 8. Common mistakes [\#](#8-common-mistakes "8. Common mistakes")

#### Mistake 1: “Compliance is an IT task” [\#](#mistake-1-compliance-is-an-it-task "Mistake 1: “Compliance is an IT task”")

The most common and consequential mistake: compliance is delegated to the IT department and not actively overseen by management. NIS2 §38 BSIG-new makes managing directors personally liable — delegating to IT changes nothing. Compliance is a leadership task that requires IT expertise. Not the other way around.

**What this means:** Managing directors must approve risk management measures, monitor their implementation, and participate in training. Failing to do so is legally negligent under the statute.

#### Mistake 2: No process documentation [\#](#mistake-2-no-process-documentation "Mistake 2: No process documentation")

German GoBD requires written process documentation for the entire archiving process (paragraphs 151-155). Without it, no electronic archiving is audit-proof — regardless of the technology used. In practice, process documentation is missing in the majority of organizations subject to a tax audit. The tax authority can then reject the regularity of the bookkeeping.

**What this means:** The process documentation must describe which documents are archived, how they are captured and indexed, on which system they are stored, how immutability is ensured, and who is responsible. A qualified third party must be able to follow the process.

#### Mistake 3: Cloud data without a GDPR check [\#](#mistake-3-cloud-data-without-a-gdpr-check "Mistake 3: Cloud data without a GDPR check")

Many organizations use US cloud services for storing business documents without having assessed GDPR compliance. The US CLOUD Act authorizes US authorities to demand data from US companies — even if the servers are located in Germany. For personal data, this is a GDPR risk that must be documented and assessed.

**What this means:** For every cloud provider holding personal or business-critical data, a risk assessment must be documented. If the risk is unacceptable: migrate data to your own sovereign infrastructure.

#### Mistake 4: Backup without air gap [\#](#mistake-4-backup-without-air-gap "Mistake 4: Backup without air gap")

A backup permanently connected to the network provides no protection against ransomware. Attackers moving laterally through the network reach and encrypt online backups too — in many cases within minutes. NIS2 requires the ability to recover after a security incident. Without an air gap, this ability does not exist after a successful ransomware attack.

**What this means:** At least one backup copy must be physically separated from the network or offline. Silent Brick Pro (physical removal) and Silent Brick Max Air (galvanic isolation) provide this capability — without complex additional systems.

#### Mistake 5: Lack of awareness of German GoBD requirements in mid-market organizations [\#](#mistake-5-lack-of-awareness-of-german-gobd-requirements-in-mid-market-organizations "Mistake 5: Lack of awareness of German GoBD requirements in mid-market organizations")

The GoBD applies to all organizations subject to German bookkeeping obligations — that is millions of organizations. Yet GoBD compliance is frequently incomplete in mid-sized organizations: emails are not archived, scanner workflows are undocumented, the tax advisor stores data on their own system, and process documentation does not exist. These gaps become visible in a tax audit.

**What this means:** GoBD compliance starts with a straightforward check: are all tax-relevant documents archived in a tamper-proof manner? Does process documentation exist? Can an auditor obtain digital audit access? If not, action is needed.

#### Mistake 6: No written incident response plan [\#](#mistake-6-no-written-incident-response-plan "Mistake 6: No written incident response plan")

NIS2 requires reporting of significant security incidents within 24 hours. This deadline is only achievable if the reporting process was defined and practiced before an incident occurs. In practice, many organizations lack a written incident response plan — or it exists but has not been updated in years and is unknown to most staff.

**What this means:** An incident response plan must be documented in writing, name responsibilities, define escalation paths, and describe the reporting process to BSI (German Federal Office for Information Security) and, where applicable, the data protection authority. It must be exercised regularly and updated after incidents.

### US CLOUD Act

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU.

[Learn more →](https://www.fast-lta.de//en/glossary/us-cloud-act)

###### Blog Post | 3/3/2026

[Creating an Incident Response Plan: Template and Guide](https://www.fast-lta.de//en/blog/incident-response-plan-erstellen-vorlage-und-anleitung)

An incident response plan (IRP) is the backbone of resilience. It is the document that prepares your organization for a cyberattack before it happens. A well-structured IRP significantly reduces response time and minimizes the extent of damage. Yet many organizations have none, or only an outdated concept that nobody has tested. Under the NIS2 Directive (Directive (EU) 2022/2555), incident handling is an explicit risk management requirement for essential and important entities. Here is a concrete template with 8 required sections that every IR plan must have.

###### Blog Post | 2/5/2026

[What Does Non-Compliance Really Cost?](https://www.fast-lta.de//en/blog/was-kostet-non-compliance-wirklich-bu%C3%9Fgelder-sch%C3%A4den-haftung)

Compliance costs money, time, and management attention. That is undisputed. What many decision-makers systematically underestimate: non-compliance costs significantly more. Not someday, but at the first serious incident. This article lays out the complete bill: fines, operational disruption, reputational damage, personal liability. And it shows how to use this to build a solid business case for your compliance investments.

**Reading time:** approx. 10 minutes | **Updated:** April 2026

### 9. Step-by-step to compliance [\#](#9-step-by-step-to-compliance "9. Step-by-step to compliance")

The following plan guides IT managers and executives through implementation in a structured way. Every step is auditable — each completed step increases compliance maturity.

| Step | Measure | Timeframe | Goal / Success criterion |
|---|---|---|---|
| **1** | **Inventory:** Which data sits where? Which frameworks apply? Check NIS2 applicability (sector, size class). | 1 – 2 weeks | Complete list of applicable frameworks and data categories |
| **2** | **Gap analysis:** Assess current state against requirements from GDPR, GoBD, NIS2, DORA (if applicable), and sector-specific requirements. | 2 – 3 weeks | Documented compliance gaps with prioritization |
| **3** | **Immediate measures:** Close critical gaps — e.g. missing MFA for privileged access, unencrypted storage systems, missing data protection officer appointment. | 2 – 4 weeks | Critical risks addressed |
| **4** | **Create process documentation:** GoBD-compliant description of the archiving process. In parallel: IT security policy meeting NIS2 requirements. | 3 – 6 weeks | Written, auditable documentation in place |
| **5** | **Build technical infrastructure:** Hardware WORM for archives (Silent Cubes), air-gap backup (Silent Brick System), access logging, encryption. | 4 – 10 weeks | Compliance-capable storage and backup architecture in operation |
| **6** | **Create incident response plan:** Define reporting paths for NIS2 (BSI) and GDPR (data protection authority). Assign responsibilities. Schedule initial exercise. | 3 – 4 weeks | Written, tested incident response plan |
| **7** | **Conduct training:** Train all relevant staff on data protection, IT security, and reporting obligations. Brief management on NIS2 liability. | Ongoing | Training records in place; attendance documented |
| **8** | **Operations and continuous improvement:** Regular audits (internal and external), update all documents after incidents or regulatory changes, management reviews at least annually. | Ongoing | Compliance anchored as a continuous process |

#### Prioritization: What to do first [\#](#prioritization-what-to-do-first "Prioritization: What to do first")

When resources are limited, the following order applies:

1. **Backup with air gap:** Protection against data loss from ransomware is the immediately highest risk reduction.
2. **GoBD process documentation:** Missing in almost every organization; immediately visible in a tax audit.
3. **MFA for privileged access:** One of the most effective controls against attackers using stolen credentials — quick to implement.
4. **Incident response plan:** NIS2 requires it; the 24-hour deadline is unachievable without a plan.
5. **WORM archiving:** For organizations with 10-year or longer retention obligations.

→ [Request a free consultation](/en/contact/) → [Explore Silent Cubes and Silent Brick System](/en/products/)

### 10. Frequently asked questions (FAQ) [\#](#10-h%C3%A4ufige-fragen-faq "10. Häufige Fragen (FAQ)")

#### Does NIS2 apply to my organization?

NIS2 applies to medium-sized organizations (50+ employees or EUR 10m+ annual revenue) in 18 critical sectors. These include: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital service providers, and research. Organizations that are unsure should consult BSI (German Federal Office for Information Security) or a compliance advisor. The self-registration obligation with BSI applies from the entry into force of the implementing regulation.

#### What is the difference between NIS2 and DORA?

NIS2 is a horizontal framework for all critical sectors — it sets minimum standards for IT security and resilience. DORA is sector-specific for the financial sector and goes beyond NIS2 in many areas: stricter ICT risk management requirements, shorter reporting deadlines (4-hour initial notification), mandatory digital resilience testing (TLPT), and detailed requirements for managing ICT third-party risks. Financial entities must comply with both frameworks; where there is a conflict, DORA applies as lex specialis.

### IT Resilience

IT resilience is the ability of an IT infrastructure to remain functional under adverse conditions — from cyber attacks through hardware failures to natural disasters — or to restore functionality within a defined timeframe so that critical business processes are maintained.

[Learn more →](https://www.fast-lta.de//en/glossary/it-resilience)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)

#### Is software WORM sufficient for GoBD compliance?

Formally yes — provided that organizational measures are fully documented and consistently enforced: separate administrator accounts, dual-control principle for policy changes, complete access logging. Hardware WORM provides the more defensible position because immutability is technically enforced and does not depend on software configuration or access controls. In a tax audit or compliance inspection, hardware WORM is easier to demonstrate: the system physically cannot alter data — it is not a matter of permissions or policies.

#### How large are the fines for GDPR violations?

GDPR provides two fine tiers: up to EUR 10m or 2% of global annual revenue for less serious violations (e.g. missing data protection impact assessment, inadequate processor contracts). Up to EUR 20m or 4% of global annual revenue for serious violations (e.g. unlawful data processing, violation of data subject rights). The higher amount applies. In practice, supervisory authorities impose substantial fines — including against mid-sized organizations.

#### What must I do as a managing director to be NIS2-compliant?

First: assess whether your organization falls within the NIS2 scope. Second: approve and actively monitor the organization's risk management measures — this cannot be fully delegated to IT. Third: participate in cybersecurity risk training (NIS2 makes this mandatory). Fourth: ensure an incident response plan exists and reporting paths to BSI are defined. Checking these four boxes meets the core requirements of the personal liability provision in §38 BSIG-new.

#### Are backups with cloud providers GDPR-compliant?

It depends on the provider. European cloud providers operating exclusively in the EU and not affiliated with US parent companies can be GDPR-compliant — provided a data processing agreement under GDPR Art. 28 is in place and data does not leave the EU. US cloud providers (AWS, Azure, GCP) are problematic due to the US CLOUD Act: the Act authorizes US authorities to demand data even if servers are located in the EU. This conflicts with GDPR and must be documented and assessed. For personal data with a high protection requirement — patient data, employee data, financial data — on-premises storage under your own roof is recommended.
