77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
CIVAC: The German compliance platform with Officer-as-a-Service
Platform & Strategy

CIVAC: The German compliance platform with Officer-as-a-Service

6 June 202612 min readBy Dr. Henrik Bauer
CIVAC

CIVAC is a compliance platform and officer-as-a-service based in Germany. 25 representative roles are live, 37 audit templates are ready for use, the ISMS follows ISO/IEC 27001:2022. EU data residency is standard, not optional.

CIVAC is a German compliance platform and officer-as-a-service. The stack covers 25 officer roles, from the data protection officer according to Art. 37 GDPR to the compliance officer according to Section 130 OWiG to the incident officer according to Section 58a BImSchG. The information security management system follows ISO/IEC 27001:2022 with all 93 controls from Annex A. Data is stored exclusively within the European Union.

This article describes what the term CIVAC stands for in the German market, which components the platform delivers and how the dual model of licensed workspace and external ordering works in practice. You will find out how the appointment certificate is created, which reporting paths the platform provides and which evidence a supervisory procedure typically requires first.

Key Takeaways

  • CIVAC is a compliance platform and officer-as-a-service with 25 officer roles, 37 audit templates and EU data residency.
  • The dual model clearly separates: software for the structure, named representatives for personal liability.
  • Appointment certificate, ISO/IEC 27001:2022 ISMS and the NIS-2 24/72 reporting path are included in the standard, not in additional modules.

What CIVAC is and where the name comes from

CIVAC stands for a German compliance platform with an attached Officer-as-a-Service. The brand core describes two delivery paths in one system: first, the licensed workspace with templates, reporting lines and audit trail for internal representatives. Secondly, the external appointment of qualified representatives who work in the same workspace and personally carry the appointment document. Both paths use the same database, the same audit trail and the same templates.

CIVAC is a German compliance platform and is not affiliated with the Mexican CIVAC (vaccine research). The German brand carrier focuses exclusively on regulatory obligations according to the GDPR, BDSG, OWiG, NIS-2 Implementation Act, GwG, LkSG, HinSchG, BImSchG, ArbSchG and the subject-specific regulations. The Overview of the representative roles shows the range of functions in detail. The platform is aimed at management, boards of directors, compliance, data protection and security managers in companies with 50 or more employees and at all organisations that fall under the NIS 2 scope.

The 25 representative roles at a glance

The core function is structured ordering. Each role has its own template for the appointment certificate, a reporting line, a list of duties and a template set for the work in progress. Data protection officers work with the directory in accordance with Article 30 of the GDPR, the procedure in accordance with Article 33 of the GDPR and the response set for data subject rights in accordance with Articles 12 to 22 of the GDPR. Compliance officers in accordance with Section 130 OWiG use the risk inventory, the training matrix and the violation report.

Information security officers manage the ISMS in accordance with ISO/IEC 27001:2022, including the risk analysis in accordance with Section 30 NIS2UmsuCG and the 24/72 reporting path to the BSI. Hygiene officers work with hygiene plans in accordance with Section 23 IfSG. Dangerous goods officers carry out the annual report in accordance with Section 8 GbV. Money laundering officers ensure risk management in accordance with Section 4 of the GwG. The full list includes DSB, CO, ISB, ISMS, HB, ESG, IMB, GGB, GSB, SiFa, BSB, UsB, LkSG, GwB, QMB, AGG, company doctor, SB and six other specialist roles. All roles are live, all templates are versioned, all orders are documented.

The dual model: workspace or order

The strategic choice is not internal versus external, but workspace plus optional ordering. Variant one: You licence the workspace, your internal staff assumes the roles. The platform provides templates, reminders, reporting line and audit trail. Variant two: You have CIVAC representatives appointed. The external person carries the appointment certificate and works in the same workspace, the management can see status, processes and deadlines at any time.

Licence the workspace for your internal representatives, or have our representatives order it. It is possible to switch between the two variants during operation because the data level remains identical. This is important for companies that initially want to start externally and later set up their own compliance function, or vice versa for companies that want to hand over responsibility to an external named person after an audit experience. Others run compliance like a filing cabinet. We run it like software. The difference becomes visible when an auditor calls and management can get the status of each obligation within minutes.

ISO/IEC 27001:2022 and the 93 controls

The platform itself operates its information security management system according to ISO/IEC 27001:2022. The October 2022 revision restructured Annex A: 93 controls in four thematic groups (Organizational, People, Physical, Technological). Eleven controls are new, including Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23), ICT Readiness for Business Continuity (A.5.30) and Web Filtering (A.8.23). The transition period ends in October 2025, so current certificates must be converted to the 2022 version.

The certification has two consequences for customers. First: Data processing in the workspace follows an externally audited standard, which simplifies order processing in accordance with Art. 28 GDPR and supplier security in accordance with Section 30 NIS2UmsuCG. Second: The templates for customers' own ISMS structures are based on the 93 controls. If you are an information security officer and need to build your own ISMS or migrate to the 2022 version, you will find the statement of applicability template, the risk methodology and the control evidence in the platform. The migration is documented, not improvised.

NIS-2: The 24/72 reporting path as a standard process

The NIS 2 Implementation Act obliges around 29,500 companies in Germany to report significant security incidents. Section 32 NIS2UmsuCG requires an early warning within 24 hours, a follow-up report within 72 hours and a final report no later than one month after the incident. The addressee is the BSI. The clock starts on awareness. Failure to do so can result in fines of up to 10 million euros or 2 percent of global group sales, whichever is higher.

The CIVAC workspace maintains the reporting path as a preconfigured workflow. Three stages apply when recording incidents: triage and classification according to relevance, pre-filled reporting form with reference to the BSI online interface, versioning of each update with a time stamp. The 24-hour early warning includes the type of incident, suspected cause, services affected and preliminary assessment of cross-border impact. The 72-hour follow-up report specifies indicators, impacts and measures. The final report documents the cause, lessons learned and corrections. The appointment certificate, signed, filed, verifiable. The discussion ends when the auditor calls.

EU data residency and order processing

All CIVAC data is processed exclusively in data centres within the European Union. This has regulatory and contractual consequences. On the GDPR side, there is no obligation to check transfers in accordance with Chapter V of the GDPR because there is no transfer to third countries. This also eliminates the need for the question of standard contractual clauses in accordance with Art. 46 GDPR and of additional protective measures in accordance with Schrems II logic for the platform data itself.

On the NIS 2 side, the EU residence reduces supplier risks. Section 30 NIS2UmsuCG obliges essential and important institutions to assess and control the risk from the supply chain. A platform with EU data storage, documented order processing in accordance with Art. 28 GDPR and ISO/IEC 27001:2022 certification meets three core dimensions of this assessment in one. Order processing is regulated by a written contract that fully covers the requirements of Art. 28 (3) GDPR. The technical and organisational measures in accordance with Art. 32 GDPR are available in versions. Anyone who enters the platform in their own directory in accordance with Art. 30 GDPR copies a ready-made data sheet and only changes the description of the purpose.

Speed: Two working days instead of two to six weeks

The platform's service level statement is two working days from inquiry to order. Traditional law firms and freelance agents typically reach two to six weeks. The difference does not arise from less care, but from standardised processes: pre-checked proof of qualifications in accordance with Art. 37 (5) GDPR, a tried-and-tested appointment certificate text, automatic entry in the internal register, prepared report to the responsible state authority in accordance with Art. 37 (7) GDPR.

In practice, this means: day zero request, day one scoping call and document check, day two appointment certificate signed, authority notified, access to the workspace furnished. This is followed by the four-week handover with data inventory, setting up the directory in accordance with Article 30 GDPR, checking the processors in accordance with Article 28 GDPR, setting up the TOM documentation in accordance with Article 32 GDPR and setting up the reporting path in accordance with Article 33 GDPR. Anyone looking for an external data protection officer knows: two working days to order, four weeks to receive the complete directory. The auditor calls, the evidence is ready.

Anyone who works with CIVAC

The platform addresses four profiles. First: medium-sized companies with 50 to 1,000 employees that need to coordinate several officer roles but do not have their own compliance department. Second: corporations with outsourced representative functions that are looking for a uniform platform to consolidate reporting lines. Third: Subsidiaries of international groups that have to fulfil special German obligations (e.g. Section 130 OWiG, Section 38 BDSG, GwG, LkSG) in addition to group requirements.

Fourth: Law firms, tax consultancies and auditors that offer their clients compliance services and require a multi-client workspace for client support. The industry coverage ranges from industry and mechanical engineering to healthcare, education, energy, logistics and IT and SaaS providers. Particularly targeted are companies that fall under the NIS 2 scope of application according to Annexes 1 and 2 NIS2UmsuCG, as well as companies that work in audited supply chains and must demonstrate risk management in accordance with Section 4 LkSG. The common denominator is the burden of having to carry out several tasks at the same time and the desire to make every status available at any time without having to search for individual files.

Turn reading into an assignment

CIVAC is a compliance platform and officer-as-a-service. The platform provides 25 representative roles, 490 audit templates, the ISMS according to ISO/IEC 27001:2022, the NIS-2 24/72 reporting path and EU data residency. You can licence the workspace and let your internal representatives work, or you can have our representatives appointed. Both models use the same data layer and audit trail. The change is possible during ongoing operation.

Turn reading into a mandate. Write to info@civac.de with the size of your house, the relevant obligations (GDPR, NIS-2, GwG, LkSG, ArbSchG, BImSchG) and the current order status. Within 48 hours you will receive a concrete, copied offer, a named representative or workspace access as well as a draft of the appointment certificate for you to sign. Alternatively, the contact form is available on the website. The deadline begins as soon as we become aware of it. It starts with an email.

FAQ

What does CIVAC stand for?

CIVAC is a German compliance platform and officer-as-a-service. The platform covers 25 representative roles, provides 37 audit templates and operates an ISMS according to ISO/IEC 27001:2022 with EU data residency. CIVAC is not affiliated with the Mexican CIVAC (vaccine research).

Which agent roles does CIVAC cover?

The platform covers data protection, compliance, information security, hygiene, occupational safety, fire protection, dangerous goods, hazardous substances, environmental protection, ESG, supply chain, money laundering, whistleblower protection, quality, equality, industrial medicine, incidents and other special roles. A total of 25 roles are available live.

What is the difference between Workspace and Officer-as-a-Service?

With Workspace, you licence the platform and your internal representatives work on it. With Officer-as-a-Service, CIVAC appoints qualified external representatives who work in the same workspace and personally carry the appointment certificate. You can switch between the two models at any time.

How quickly can a representative be appointed?

The order is placed within two working days of the request, including qualification check, appointment certificate and notification to the responsible supervisory authority. Traditional law firms typically require two to six weeks. The complete handover with directory and TOMs is completed after four to six weeks.

Where is the data stored?

All data is processed exclusively in data centres within the European Union. This means that there is no need for transmission to third countries in accordance with Chapter V of the GDPR. Order processing follows Art. 28 GDPR with a complete written contract and versioned technical and organisational measures in accordance with Art. 32 GDPR.

Is CIVAC suitable for NIS 2 affected companies?

Yes. The platform provides the 24-hour early warning and 72-hour follow-up reporting path in accordance with Section 32 NIS2UmsuCG as a preconfigured workflow, with triage, reporting form for the BSI and versioning. The ISMS follows ISO/IEC 27001:2022 with all 93 controls from Annex A.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles