Recalibrating IT security: Germany’s guidance on IT security and risk governance

  • Insight Article, 28 October 2025
  • UK & Europe
  • Tech & AI evolution
  • Data Protection & Privacy

In June 2025, TeleTrusT, the German Federal Association for IT Security, published its updated guidance on the state of the art in IT security (the "Guidance"). The Guidance is available in German only.

Although not legally binding, the document is widely recognised as an industry standard and frequently referenced in audits, procurement processes, and supervisory assessments. It serves as a practical orientation for minimum technical and organisational measures ("TOM") under Article 32 GDPR and Section 8a of the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, "BSIG"), and increasingly in the context of the NIS2 Directive and sector-specific regulations.

Importantly, many of the measures outlined in the Guidance are not merely recommendations but reflect obligations already stipulated in legal frameworks. For example, the Digital Operational Resilience Act (DORA) requires financial entities to implement comprehensive business continuity and incident response strategies, while the NIS2 Directive mandates structured risk management and supplier oversight across critical sectors. This convergence of industry standards and regulatory requirements underscores the growing expectation that organisations proactively align their security practices with the evolving definition of “state of the art”.

The Guidance introduces several changes to the catalogue of TOM, reflecting both technological innovation and evolving threat landscapes.

1. Defining the state of the art - A structured catalogue of measures

The Guidance outlines a structured catalogue of measures that define the current state of the art in IT security. It encompasses both technical and organisational controls, reflecting the increasing interdependence between technological safeguards and governance frameworks.

1.1. Technical measures

The Guidance retains core technical measures such as multi-factor authentication, encryption, and endpoint protection, reaffirming their relevance. In response to evolving threat landscapes and regulatory developments (e.g. NIS2 Directive, DORA, AI Act), the Guidance also highlights a shift towards scalable, resilient, and context-aware security architectures. This shift is reflected in the adoption of advanced technologies and models, including:

  • Zero Trust Architecture: A security model that grants no implicit trust to users, devices, or network segments. Every access request is verified against identity, device posture, and context (location, time, resource sensitivity), and that verification is repeated rather than performed once at login; being inside the corporate network is not in itself a reason to allow access;
  • Confidential Computing: Protects data in use, complementing encryption at rest and in transit, by running workloads in hardware-isolated environments (trusted execution environments) so that even the host operating system, hypervisor, or privileged administrators cannot read the processed data;
  • AI-Specific Security Controls: Safeguards against threats such as training-data and model poisoning and prompt injection, with reference to frameworks such as the OWASP AI Top 10 lists;
  • Cloud Native Application Protection Platforms (CNAPP): Integrated security across cloud environments, covering scanning of infrastructure-as-code, runtime workload protection, and management of cloud identity entitlements; and
  • Web Application Firewalls (WAF): Filter web traffic to block common exploits such as SQL injection and cross-site scripting. A WAF is a compensating control at the edge and does not replace secure coding, input validation in the application itself, and timely patching.
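The Zero Trust bullet above describes a decision made on every request from identity, device posture, and context. The following Python is an added illustration of such a policy decision point; it is not from the TeleTrusT Guidance or from Clyde & Co. The posture thresholds, the allowed-country list, the resource-to-role table, and the sample requests are all constructed assumptions for the example.

```python
"""Zero Trust access decision (added illustration, not from the TeleTrusT Guidance).

Each request is checked against identity, device posture and context. The
decision is default-deny and records every failed check for logging/audit.
Network location is known to the evaluator but never used to grant access.
All thresholds and tables below are hypothetical values for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool
    mfa_age_minutes: int        # minutes since the last successful MFA challenge
    roles: frozenset


@dataclass(frozen=True)
class DevicePosture:
    managed: bool               # enrolled in device management / inventory
    disk_encrypted: bool
    patch_age_days: int         # days since the current patch level was reached
    edr_healthy: bool           # endpoint protection agent reporting and current


@dataclass(frozen=True)
class Context:
    on_corporate_network: bool  # recorded, but deliberately not a trust signal
    country: str                # ISO 3166-1 alpha-2 of the source address
    resource: str
    sensitivity: str            # "low" or "high"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple              # empty when allowed; failed checks otherwise


# Assumed policy parameters (hypothetical).
MAX_MFA_AGE_MINUTES = {"low": 12 * 60, "high": 60}   # step-up for sensitive data
MAX_PATCH_AGE_DAYS = 30
ALLOWED_COUNTRIES = frozenset({"DE", "AT", "CH", "FR", "NL", "GB"})
RESOURCE_ROLES = {                                   # least privilege: explicit grants only
    "wiki": frozenset({"staff", "hr", "finance"}),
    "hr-db": frozenset({"hr"}),
}


def evaluate(identity: Identity, device: DevicePosture, ctx: Context) -> Decision:
    """Return an allow/deny Decision; any single failed check denies."""
    reasons = []
    # 1. Identity: who is asking, and how recently was that proven?
    if not identity.mfa_verified:
        reasons.append("identity: MFA not completed")
    elif identity.mfa_age_minutes > MAX_MFA_AGE_MINUTES.get(ctx.sensitivity, 0):
        reasons.append("identity: MFA too old for resource sensitivity")
    required = RESOURCE_ROLES.get(ctx.resource)
    if required is None:
        reasons.append("authz: resource has no access policy")   # unknown => deny
    elif not (identity.roles & required):
        reasons.append("authz: no role grants this resource")
    # 2. Device posture: is the endpoint in an acceptable state right now?
    if not device.managed:
        reasons.append("device: not managed")
    if not device.disk_encrypted:
        reasons.append("device: disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device: patch level too old")
    if not device.edr_healthy:
        reasons.append("device: endpoint protection unhealthy")
    # 3. Context. ctx.on_corporate_network is intentionally never consulted.
    if ctx.country not in ALLOWED_COUNTRIES:
        reasons.append("context: source country not permitted")
    return Decision(allow=not reasons, reasons=tuple(reasons))


# Constructed sample requests (not real data).
SAMPLES = {
    # Managed, patched laptop, fresh MFA, HR role, working from home: allowed.
    "hr_from_home": (Identity("alice", True, 15, frozenset({"hr"})),
                     DevicePosture(True, True, 7, True),
                     Context(False, "DE", "hr-db", "high")),
    # Same person inside the office LAN, but unmanaged, unpatched device and
    # stale MFA: denied. Being on the corporate network does not rescue it.
    "hr_from_office_bad_device": (Identity("alice", True, 240, frozenset({"hr"})),
                                  DevicePosture(False, True, 90, True),
                                  Context(True, "DE", "hr-db", "high")),
    # Healthy device and fresh MFA, but the role does not cover the resource.
    "finance_reads_hr": (Identity("bob", True, 5, frozenset({"finance"})),
                         DevicePosture(True, True, 3, True),
                         Context(True, "DE", "hr-db", "high")),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> Decision."""
    return {name: evaluate(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name}: {'ALLOW' if d.allow else 'DENY'} {list(d.reasons)}")
```

The second sample is the point of the model: the request comes from the corporate network, but the evaluator denies it on device posture and MFA age alone. Collecting every failed check (rather than returning on the first) gives the audit trail that supervisory reviews of TOM typically ask for.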

Taken together, these additions move the catalogue away from perimeter-centred controls towards architectures in which trust is established per request and per workload, and in which security tooling follows the application into the cloud.

1.2. Organisational measures

The Guidance retains core organisational measures such as patch and vulnerability management, information security risk management (ISRM), and audit and certification processes, reaffirming their continued relevance. Building on these foundations, it adds a broader set of organisational measures that reflect evolving regulatory expectations and the growing importance of human and operational resilience, such as:

  • Business Continuity Management (BCM): Ensures the continuity of critical operations during and after disruptive incidents, including cyberattacks;
  • Crisis Management and Emergency Planning: Establishes structured response protocols, communication plans, and escalation procedures for security incidents;
  • Awareness and Secure Behaviour: Promotes a security-conscious culture through training, behavioural nudging, and reinforcement of best practices; and
  • Third-Party and Supplier Risk Management: Assesses and mitigates risks arising from external service providers, including contractual safeguards and audit rights.

The combined emphasis on technology and governance underscores the evolving nature of IT security, where compliance with the state of the art requires both robust systems and resilient organisational structures.

2. Practical takeaways

For organisations, the Guidance presents both a challenge and an opportunity. The broadened understanding of “state of the art” requires a more strategic and anticipatory approach to IT compliance. It is no longer sufficient to deploy technically sound solutions in isolation; these must be embedded within a coherent organisational framework that reflects regulatory expectations and operational realities. This means:

  • Conducting gap analyses to identify where legacy systems or processes fall short of current expectations.
  • Revisiting procurement and vendor management practices, particularly in light of software bills of materials (SBOM) and wider scrutiny of the software supply chain.
  • Integrating Zero Trust principles into network architecture and access control policies.
  • Ensuring cross-functional collaboration between IT, legal, compliance, and risk management teams.
  • Documenting decision-making processes, especially where deviations from best practice are justified by proportionality or resource constraints.
  • Preparing for audits and supervisory engagement, with clear evidence of how technical and organisational measures reflect current standards.

Consistent with the risk-based approach established under Article 32 GDPR and affirmed by the case law of the European Court of Justice, organisations are required to regularly reassess the risks associated with personal data processing and adjust their technical and organisational measures accordingly. Compliance in this context is not a one-off exercise but an ongoing process of risk evaluation, documented justification, and operational implementation.

Because it describes the current status quo in considerable detail, the Guidance is a valuable point of reference for companies operating in Germany. Authorities and courts are likely to rely on such guidance when assessing whether a company has taken appropriate technical and organisational measures under Article 32 GDPR, and non-compliance may give rise to claims for damages or sanctions. In light of the upcoming German implementation law for the NIS2 Directive, the Guidance gains additional importance, as company management can refer to it when selecting the IT security measures intended to meet the NIS2 requirements.
