IT Compliance Checklist for German SMBs: GDPR, NIS2, and BSI Basics
Compliance for German SMBs sits at the intersection of three frameworks that overlap in intent but differ in scope, obligations, and enforcement: GDPR, NIS2, and the BSI IT-Grundschutz baseline. Navigating all three without a dedicated compliance team is possible — but requires understanding what each actually demands at the technical level.
This checklist focuses on the IT controls required by each framework. It is not legal advice, and specific obligations depend on your sector, size, and data processing activities. What it provides is a structured view of the technical baseline that covers the majority of SMB exposure under all three frameworks simultaneously.
Framework overview
| Framework | Who it applies to | Enforcement | Max penalty |
|---|---|---|---|
| GDPR | Any organisation processing personal data of EU residents | Berliner Datenschutzbeauftragte (BlnBDI) | €20M or 4% global turnover |
| NIS2 | Medium/large entities in critical sectors; some supply chain implications for SMBs | BSI (Bundesamt für Sicherheit in der Informationstechnik) | €10M or 2% global turnover for essential entities |
| BSI IT-Grundschutz | Voluntary framework; basis for ISO 27001 and NIS2 compliance evidence | Voluntary (mandatory for federal agencies) | No direct penalties |
NIS2 and SMBs: NIS2 directly applies to medium entities (50+ employees, €10M+ turnover) in sectors including energy, transport, health, digital infrastructure, and ICT service management. Smaller businesses below these thresholds are generally not directly in scope. However, if you supply services to a NIS2-obligated organisation, that customer may impose NIS2-equivalent requirements on you contractually as part of their supply chain security obligations.
GDPR IT controls checklist
GDPR Article 32 requires “appropriate technical and organisational measures” proportionate to the risk. For SMBs, this translates to a concrete set of controls:
Access control
- ☐ MFA enforced for all user accounts accessing systems that process personal data
- ☐ Role-based access control — users access only the data required for their role
- ☐ Privileged access restricted to named administrators with separate admin accounts
- ☐ Access reviews conducted at least annually (and on employee departure)
- ☐ IT offboarding procedure documented and tested — access revoked on day of departure
Encryption
- ☐ Encryption at rest on all devices processing personal data (BitLocker or equivalent)
- ☐ Encryption in transit (TLS 1.2 minimum) for all data transmission
- ☐ Email encryption for sensitive personal data (S/MIME or Microsoft Purview Message Encryption)
- ☐ Encrypted backup storage
Data availability and resilience
- ☐ Backup covering all systems processing personal data — with tested restore procedure
- ☐ Business continuity plan documented
- ☐ Data retention policy defined and enforced — data deleted when retention period expires
Incident response
- ☐ Incident response procedure documented — who does what when a breach is suspected
- ☐ 72-hour breach notification process defined (notification to BlnBDI within 72 hours of becoming aware)
- ☐ Incident log maintained
Vendor / processor management
- ☐ Data Processing Agreements (DPAs) in place with all vendors who process personal data on your behalf (Microsoft, cloud providers, payroll processors, etc.)
- ☐ Vendor list reviewed annually
- ☐ International data transfers documented — Standard Contractual Clauses in place where required
NIS2 cybersecurity measures checklist
For businesses in scope or supplying to in-scope organisations, NIS2 Article 21 mandates a specific set of cybersecurity measures. These map closely to GDPR Article 32 requirements and extend them:
Risk management
- ☐ Cybersecurity risk assessment documented — key assets identified, threats assessed, mitigations in place
- ☐ Risk register maintained and reviewed annually
- ☐ Security policies documented and accessible to staff
Incident handling
- ☐ Incident response plan covers cybersecurity incidents (ransomware, data breach, DDoS)
- ☐ Significant incident reporting process defined — NIS2 requires initial notification to BSI within 24 hours, detailed report within 72 hours
- ☐ Contact details for BSI incident reporting available to IT team
Business continuity
- ☐ Business continuity plan exists and is tested
- ☐ Backup and recovery tested at least annually
- ☐ Crisis communication plan defined
Supply chain security
- ☐ Key vendors assessed for security posture (at minimum: questionnaire or certification review)
- ☐ Contractual security requirements included in vendor agreements
Network and system security
- ☐ Network segmentation implemented — guest Wi-Fi, workstations, servers on separate VLANs
- ☐ Firewall and perimeter security documented and reviewed
- ☐ Patch management process — critical patches applied within defined timeframes
- ☐ Vulnerability scanning conducted at least annually
Awareness and training
- ☐ Security awareness training for all staff — at minimum annually
- ☐ Phishing simulation or equivalent practical exercise conducted
- ☐ Management briefed on NIS2 obligations and cybersecurity risk
BSI IT-Grundschutz baseline
The BSI IT-Grundschutz Kompendium provides detailed technical and organisational controls for IT security. For SMBs, the BSI also publishes a simplified “Basis-Absicherung” (basic protection) profile, which is a practical starting point. Key areas from the basis profile that map directly to the GDPR and NIS2 checklists above:
- SYS.2 (General IT Clients): Endpoint hardening, patch management, local admin restrictions
- NET.1 (Network Architecture): Network segmentation, firewall requirements
- OPS.1 (IT Operations): Change management, patch management, backup procedures
- ORP.4 (Identity and Access Management): User provisioning, access reviews, privilege management
- CON.3 (Data Backup Policy): Backup requirements, restore testing, retention
- DER.2 (Security Incident Management): Incident response procedures, reporting
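Several of the items above (GDPR "encryption at rest" and "encryption in transit", the local-admin restriction under SYS.2, access management under ORP.4 and patch management under OPS.1) can be spot-checked on a Windows endpoint before an auditor asks. The script below is an added example, not part of the original checklist or any BSI or Microsoft tooling. It assumes a domain- or Entra-joined Windows 10/11 client with the built-in BitLocker and LocalAccounts modules, an elevated PowerShell session, and two hypothetical policy thresholds (patch SLA of 30 days, at most two local administrators) that you would replace with your own; it only reads state and changes nothing.

```powershell
# Added example: read-only self-check of a Windows endpoint against a few checklist items.
# Assumed: Windows 10/11, elevated session, BitLocker + Microsoft.PowerShell.LocalAccounts modules.
function Test-EndpointBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays = 30,   # assumed internal patch SLA (OPS.1); adjust to your policy
        [int]$MaxLocalAdmins  = 2     # assumed: built-in Administrator plus one named admin account (ORP.4)
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. Encryption at rest: the OS volume must be BitLocker-protected (GDPR checklist, SYS.2).
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $detail = "ProtectionStatus=$($os.ProtectionStatus); Method=$($os.EncryptionMethod); $($os.EncryptionPercentage)% encrypted"
        Add-Finding 'Encryption at rest (BitLocker on OS volume)' ($os.ProtectionStatus -eq 'On') $detail
    } catch {
        Add-Finding 'Encryption at rest (BitLocker on OS volume)' $false "BitLocker state unavailable: $($_.Exception.Message)"
    }

    # 2. Encryption in transit: TLS 1.0 and 1.1 explicitly disabled in SCHANNEL (TLS 1.2 minimum).
    #    A missing value means the OS default applies; we treat that as a finding so the setting
    #    gets written explicitly and shows up as evidence in an audit.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Server', 'Client') {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\$side"
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            $state = if ($null -eq $enabled) { 'not set (OS default)' } else { "Enabled=$enabled" }
            Add-Finding "Legacy protocol disabled: $proto ($side)" ($enabled -eq 0) $state
        }
    }

    # 3. Privileged access: members of the local Administrators group, looked up by well-known SID
    #    so the check also works on German installs where the group is named "Administratoren".
    try {
        $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
        $names  = ($admins | ForEach-Object { $_.Name }) -join ', '
        Add-Finding "Local Administrators limited to $MaxLocalAdmins" ($admins.Count -le $MaxLocalAdmins) "Members: $names"
    } catch {
        # Get-LocalGroupMember is known to fail on some Entra-joined devices with unresolved SIDs.
        Add-Finding "Local Administrators limited to $MaxLocalAdmins" $false "Group enumeration failed: $($_.Exception.Message)"
    }

    # 4. Patch management: the most recent installed update must fall within the SLA (OPS.1).
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) {
        $ageDays = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        Add-Finding "Update installed within $MaxPatchAgeDays days" ($ageDays -le $MaxPatchAgeDays) "$($latest.HotFixID) installed $($latest.InstalledOn.ToString('yyyy-MM-dd')) ($ageDays days ago)"
    } else {
        Add-Finding "Update installed within $MaxPatchAgeDays days" $false 'No hotfix install dates recorded'
    }

    return $findings
}

# Usage: print the findings and exit non-zero if anything failed, so the script can run as an
# RMM/Intune compliance check and open a ticket instead of silently passing.
$result = Test-EndpointBaseline
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Pass }) { exit 1 }
```

The output is deliberately one row per control with a pass/fail flag and the raw evidence, because that is the shape an auditor or cyber insurer asks for: not "we have BitLocker" but which volume, which method, and when it was last checked. Schedule it (Intune remediation script, RMM task, or a plain scheduled task) and keep the exported results alongside your access-review and patch records.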
BSI IT-Grundschutz certification is not required for most SMBs but provides a recognised framework for demonstrating compliance posture to customers, auditors, and insurers. Cyber insurance policies increasingly ask about IT-Grundschutz alignment or ISO 27001 certification.
The practical starting point
For a Berlin SMB without a dedicated compliance function, the most cost-effective approach is to address GDPR, NIS2-adjacent, and BSI baseline controls simultaneously — because they largely require the same technical controls:
- Get MFA on everything (GDPR + NIS2)
- Implement Intune device compliance (GDPR encryption + NIS2 endpoint security)
- Document backup procedure and test it (GDPR availability + NIS2 continuity)
- Write an incident response procedure (GDPR 72h notification + NIS2 24/72h reporting)
- Get DPAs from your vendors (GDPR processor requirement)
- Segment your network (NIS2 + BSI)
- Conduct annual security awareness training (NIS2 + BSI)
This list is achievable without a dedicated compliance team. The documentation is the harder part — the technical controls are largely already available in Microsoft 365 Business Premium.
Free for Berlin SMBs
Find Out Where Your IT Actually Stands
We review your security posture, Microsoft 365 setup, network resilience, and compliance gaps — and give you a written report at no cost.
Our free IT assessment includes a compliance gap review covering GDPR technical controls, NIS2 relevance check, and basic data handling practices relevant to your business size and sector. The written report tells you specifically what is in place and what is missing.