IT security for public institutions
Storing data securely and confidently, and making it accessible
Ransomware hits authorities, universities, utilities, and public institutions with particular force: operations cannot simply be paused, citizen data and critical information must not leave the institution, and external cloud services are often ruled out for regulatory reasons. FAST LTA delivers backup and archive infrastructure that is physically unattackable, fully on premises, and demonstrable toward supervisory authorities without gaps.

The problem: public institutions in the crosshairs, and especially vulnerable
Authorities, universities, utilities, courts, and public institutions have become preferred ransomware targets in recent years. The reason is structural: these institutions cannot simply interrupt operations. When citizen services fail, supply networks cannot be controlled, university systems are unreachable, or court proceedings stall, political and public pressure rises, and with it the willingness to pay.
Three factors make public-sector bodies especially vulnerable:
First, network-attached backups are no reliable protection. Anyone who compromises administrator access usually reaches the backup as well. A secured recovery point is only a real recovery point if it is physically separated from the network and demonstrably unaltered.
Second, cloud backup services are off the table for many public institutions, for reasons of data protection, contract law, security requirements, or simply the sensitivity of the data. Citizen data, research data, law-enforcement information, and internal case files must not be transmitted to external services.
Third, the pressure to provide evidence has grown: the NIS2 Directive, recognized IT-security baselines, GDPR, and sector-specific rules demand documentable technical protection measures, not just political commitments.
NIS2: who is in scope, and what every public institution needs
The NIS2 Directive (Directive (EU) 2022/2555) is transposed into national law across the EU; the transposition deadline was 17 October 2024. In Germany it took effect through the NIS2 implementation act (NIS2UmsuCG) on 6 December 2025. National scope varies, but it typically covers a broad group of public institutions:
Directly affected (German transposition as an example):
- Federal and state authorities: fully within the NIS2 requirements
- Public utilities (energy, water, wastewater, waste management): as critical-infrastructure operators
- Public transport operators (rail, local public transport): where classified as important entities
- Public digital infrastructure: data centers and cloud services of public bodies
Explicitly exempted (German transposition):
- Municipal administrations: largely exempted under the German NIS2 act (exception: municipalities acting as critical-infrastructure operators or as processors for federal or state authorities). National scope differs across member states.
Sector-specific requirements:
- Universities and research institutions: their own requirements depending on the funding body (for example national research funders, EU Horizon)
- Public broadcasters: media sector with its own regulatory framework
- Justice and law enforcement: their own classified-information and data-protection requirements
Independent of NIS2, binding standards apply to all public institutions:
- ISO/IEC 27001 and ENISA guidance (in Germany, BSI IT-Grundschutz): as a general security baseline
- GDPR Art. 32: for the protection of personal and citizen data
- Public-archive law: for institutions with statutory retention duties
In short: the NIS2 obligation reaches a growing number of public institutions directly. For all others, recognized security baselines and GDPR are binding minimum standards, with identical technical requirements for backup integrity and data protection.
GDPR
The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).
BSI IT-Grundschutz
The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.
Silent Brick System: air-gap backup for public institutions
The Silent Brick System protects backup data through physical network separation at the hardware level. After a backup job completes, the Silent Brick Max Air severs the network connection entirely: no protocol, no port, no API endpoint stays active. For ransomware attacks, compromised admin accounts, and insider threats, a physically separated medium is simply unreachable.
Two properties matter especially for public institutions:
Evidence toward supervisory authorities: Physical network separation is not a configuration setting; it is a hardware property. The Silent Brick System meets recognized compliant archiving standards (in Germany, BSI TR-03125 / TR-ESOR) and is suitable for essential-entity environments. For reporting duties, audits, and internal reviews, FAST LTA provides full conformity documentation.
Integration without replacement: The Silent Brick System complements existing backup infrastructure. It is compatible with Veeam, Commvault, Acronis, and any backup solution supporting FC, iSCSI, NFS, SMB, or S3. Existing backup processes and software stay unchanged.
NIS2
The NIS2 Directive (EU 2022/2555) is an EU regulation that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.


Silent Cubes: compliant long-term archiving under archive law and statutory retention duties
Public institutions are subject to far-reaching statutory retention duties: public-archive laws, budgetary law, higher-education laws, broadcasting rules, and sector-specific provisions. Many periods run well beyond ten years. The common requirement: immutability, completeness, traceability, and readability at all times across the entire retention period.
Silent Cubes meet these requirements through hardware WORM: write protection is set directly in the storage controller at device level, independent of the operating system, user privileges, or configuration changes. No administrator and no attack can change or prematurely delete an archived record.
Compatibility with DMS and archive systems: Silent Cubes integrate as a storage platform into common document-management and archive systems, whether in administration, higher education, broadcast archives, or libraries. Access and change histories are fully logged, the basis for verifiable evidence toward audit offices and data-protection authorities.
WORM
WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.
Immutable Storage
Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).
Silent AI: on-premises AI knowledge base for public institutions
Staff in public institutions work daily with a complex web of national laws, regional rules, internal directives, administrative regulations, collective agreements, and domain-specific rulebooks. Finding relevant information quickly costs time, and mistakes cost more. Cloud AI services are off the table for most public institutions: citizen data, research data, internal information, and personal data must not be transmitted to external services.
Silent AI runs entirely on premises. There is no cloud connection, no external processing step, no transmission of queries to third parties. Through 15+ preconfigured connectors, Silent AI brings in law and regulation databases, SharePoint stores, internal directives, and archive holdings. Every AI answer cites its source documents, traceable and quotable.
For institutions in scope of the
EU AI Act
The EU AI Act is the world's first comprehensive legislative regulation of AI systems, in force since August 2024. It classifies AI applications by risk level and sets concrete requirements for transparency, control, data protection and human oversight for high-risk systems.

Compliance at a glance
| Regulation | Affected institutions | FAST LTA solution |
|---|---|---|
| NIS2 Directive (EU 2022/2555) (in Germany: NIS2UmsuCG / §30 BSIG) | Federal and state authorities, public utilities, public transport operators | Silent Brick System with physical air gap; conformity documentation for NIS2 evidence |
| ISO/IEC 27001 and ENISA guidance (in Germany: BSI IT-Grundschutz) | All public institutions | Hardware WORM (Silent Cubes) and physical network separation (Silent Brick) meet the requirements without an extra software layer |
| GDPR Art. 32 | All public institutions with personal data | Hardware immutability and air gap secure integrity and access protection; all data kept on premises |
| Public-archive law (national; in Germany BArchG, state archive laws) | Authorities, archives, libraries, universities | Silent Cubes with configurable retention periods; hardware WORM without software dependency |
| EU public procurement (Directive 2014/24/EU) (in Germany: EVB-IT, VgV) | All public contracting authorities | FAST LTA is experienced in public procurement; support for framework agreements and direct award |
| EU AI Act | Institutions deploying high-risk AI | Silent AI: on-premises operation, no third-party processing, full control over data flows and AI outputs |
Frequently asked questions for public-sector buyers
Which public institutions fall under NIS2?
Directly affected are federal and state authorities and public institutions in critical-infrastructure sectors (energy, water, transport, digital infrastructure). Under the German transposition, municipal administrations were largely exempted, with the exception of municipalities that operate critical-infrastructure services or act as processors for federal or state authorities; national scope differs across the EU. Universities, broadcasters, and other public institutions have their own rules depending on their remit. For all public institutions, recognized security baselines (in Germany,
BSI IT-Grundschutz
How do we demonstrate that our backup meets the security baseline?
A compliant backup proof requires that protection of the backup store cannot be bypassed by software configuration. The Silent Brick System meets this through physical network separation at the hardware level, a property of the device, not a policy. FAST LTA provides conformity documentation that can feed directly into evidence processes toward supervisory authorities, audit offices, or data-protection authorities.
Can we procure FAST LTA products through public tendering?
Yes. EU public procurement rules (Directive 2014/24/EU; in Germany implemented via EVB-IT and VgV) govern the public purchase of IT products and services. FAST LTA is experienced as a supplier to public bodies and supports the procurement of Silent Cubes and the Silent Brick System under the applicable tendering procedures, including framework agreements and direct award. Speak with our sales team.
How long can records be kept on Silent Cubes?
Silent Cubes support configurable retention periods, from five- or ten-year standard periods to individual periods under archive law or sector-specific rules. The hardware-WORM
Does sensitive data leave the building if we use Silent AI?
No. Silent AI runs exclusively on premises as an appliance in your own data center. There is no cloud connection and no transmission of queries, documents, or results to external services. Citizen data, research data, internal information, and personal data stay fully under your control. The solution is
GDPR
Would you like a consultation?
Over 2,500 companies and public sector organisations in Germany rely on FAST LTA — including the Federal Archives, as well as numerous government agencies, universities and public utility companies. Developed and manufactured in Munich. Personal advice from FAST LTA engineers — not a sales call, but a technical consultation drawing on experience in the public sector.

Account Executive, Public Sector Clients