GDPR, NIS-2 and ISO 27001 on One Platform: The German Compliance Stack
Three regulations, one workspace. This briefing explains why GDPR, NIS-2 and ISO/IEC 27001:2022 share 60 percent of their controls, how a unified platform cuts documentation effort by half, and what German enterprises should require before signing any vendor contract.
Since the German NIS-2 Implementation Act (NIS2UmsuCG) entered the consultation phase in 2024 and the ISO/IEC 27001:2022 transition deadline of 31 October 2025 has passed, German enterprises face three overlapping compliance regimes at the same time: the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the NIS-2 Directive (Directive (EU) 2022/2555) and the international information security standard ISO/IEC 27001:2022. Each regime defines its own scope, its own authority and its own deadlines, but the operational controls behind them overlap by roughly 60 percent. Companies that document each regime separately effectively pay three times for the same work.
This briefing explains how a unified platform consolidates GDPR records of processing, NIS-2 risk management and ISO 27001 controls into one workspace, why German data residency matters for sensitive sectors and what enterprise buyers should require from any vendor before signing. You will see the concrete mapping between Article 32 GDPR, Article 21 NIS-2 and Annex A of ISO/IEC 27001:2022, learn which 93 controls cover all three regimes, and understand how CIVAC operates as a compliance platform and officer-as-a-service so that documentation, evidence and certification stay under one roof.
Auf einen Blick
- GDPR Article 32, NIS-2 Article 21 and ISO/IEC 27001:2022 Annex A overlap by roughly 60 percent in their operational control requirements.
- A unified German platform with EU data residency removes the documentation duplication that costs mid-sized enterprises 40 to 60 percent of compliance effort.
- Audit-ready evidence, signed appointment letters and the NIS-2 24-hour and 72-hour reporting paths must live in the same workspace, not in scattered SharePoint folders.
Three Regimes, One Reality: Why GDPR, NIS-2 and ISO 27001 Belong Together
GDPR has been directly applicable across the EU since 25 May 2018. Its Article 32 requires controllers and processors to implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. NIS-2 entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. Its Article 21 sets out ten cybersecurity risk-management measures that essential and important entities must implement. ISO/IEC 27001:2022 was published on 25 October 2022 and consolidates 93 information security controls in Annex A. The previous 2013 edition with 114 controls was withdrawn on 31 October 2025, ending the transition window for certified organisations.
For a German enterprise that processes personal data, runs critical or important services and holds an ISO 27001 certificate, all three regimes apply simultaneously. The GDPR is enforced by 17 supervisory authorities (16 state authorities plus the federal BfDI), NIS-2 by the BSI as the national competent authority, and ISO 27001 by accredited certification bodies. A single security incident can trigger reporting obligations under all three: 72 hours under Article 33 GDPR, 24-hour early warning plus 72-hour follow-up under NIS-2 Article 23, and an immediate internal incident process under ISO 27001 control 5.24. Operating these in three separate systems is technically possible but operationally unsustainable, because the same evidence has to be produced in three different formats for three different audiences. Multiply this by routine recertification cycles every three years for ISO 27001, recurring biennial supervisory inspections under GDPR and annual NIS-2 self-assessments, and the duplication becomes a structural cost driver, not just an inconvenience.
The 60 Percent Overlap: Mapping Article 32 GDPR, Article 21 NIS-2 and ISO 27001 Annex A
The operational overlap between the three regimes is concrete, not theoretical. Article 32 GDPR lists pseudonymisation and encryption, confidentiality, integrity, availability and resilience of systems, the ability to restore availability after an incident, and a process for regular testing. Article 21 NIS-2 lists risk analysis policies, incident handling, business continuity, supply chain security, vulnerability disclosure, cryptography, access control, multi-factor authentication, secure communications and human resources security. ISO/IEC 27001:2022 Annex A covers all of these and more in its 93 controls grouped into organisational (37), people (8), physical (14) and technological (34) themes.
A practical mapping shows that 56 of the 93 ISO controls satisfy at least one Article 32 GDPR TOM, 71 of them satisfy at least one Article 21 NIS-2 measure, and 38 controls satisfy requirements in all three regimes simultaneously. The German Federal Office for Information Security (BSI) has published cross-reference tables that confirm this overlap. The practical consequence is that a company running ISO 27001 with documented controls already covers most of NIS-2 and the technical part of GDPR. The remaining gap is organisational, not technical: appointment letters for the data protection officer and the information security officer, reporting lines, the 72-hour breach notification process and the supply-chain due diligence required by NIS-2 Article 21(2)(d). Read more about the appointment of an information security officer and the external data protection officer roles that close this gap. Audit-ready, documented, paragraph-tested. The mapping is not static: every revision of ISO 27001, every BSI sector guidance update and every European Data Protection Board guideline can shift a single control across multiple regimes, which is why a platform-based mapping is more sustainable than a spreadsheet that has to be re-stitched manually every quarter.
What German Enterprises Actually Need: Data Residency, Officer Bestellung, Audit Trail
For enterprises in Germany, three buyer requirements consistently outrank all others when selecting a compliance platform. First, EU data residency, ideally German data residency, because controllers under GDPR and operators under NIS-2 must be able to demonstrate where their compliance evidence is stored, processed and backed up. A US-hosted SaaS that processes German breach reports is not automatically non-compliant, but it triggers additional safeguards under Chapter V GDPR and complicates BSI conversations. Second, a documented Bestellung (appointment) process for the Datenschutzbeauftragter, the Informationssicherheitsbeauftragter and other statutory officers, with appointment letters, reporting lines and termination protection that meet German legal standards.
Third, an audit trail that withstands the IDW PS 951 service organisation control review and the ISO 27001 surveillance audit. This means versioning every document, timestamping every change, recording every approval and exporting the evidence in a format that auditors accept without further conversion. The phrase appointment letter, signed, filed, provable describes the bar. CIVAC operates as a compliance platform and officer-as-a-service from EU data centres with German-language contracts and a documented audit trail, which closes the three buyer requirements in a single procurement decision. License the workspace for your internal officers or have our officers appointed; both models share the same workspace, the same evidence and the same EU data residency. Procurement teams should also confirm whether the vendor is a subprocessor of any non-EU cloud provider, because cascading subprocessor chains can introduce Chapter V GDPR obligations that defeat the original residency promise, and the platform should document each subprocessor with country, role and a current transfer impact assessment.
Incident Reporting in Practice: 24h, 72h and the GDPR Clock
A single ransomware incident at a German manufacturer with operations in the EU can trigger three reporting clocks at once. The GDPR clock starts when the controller becomes aware that personal data has been breached, with a 72-hour notification deadline to the competent supervisory authority under Article 33 GDPR. The NIS-2 clock starts when an essential or important entity becomes aware of a significant incident, with a 24-hour early warning to the BSI under Article 23(4)(a) NIS-2, followed by a 72-hour incident notification with initial assessment under Article 23(4)(b). The ISO 27001 clock is internal and runs under control 5.24, which requires an incident management plan with defined roles, escalation and learning.
The deadline starts ab Kenntnis, from awareness, not from the technical detection. That distinction matters because a SIEM alert without human triage does not automatically start the clock, but a confirmed compromise does. A unified platform plays four roles in this scenario: it captures the incident with a timestamp, it routes the notification to the right authority through pre-filled templates, it documents the internal investigation and corrective measures, and it links the incident to the affected assets and processes for the next audit. CIVAC ships with a NIS-2 24/72 reporting path, breach notification templates aligned with Article 33 GDPR and a documented incident log that satisfies ISO 27001 control 5.24. Deadline starts on awareness. The phrase is not a slogan, it is the legal trigger that distinguishes a manageable incident from a regulatory penalty.
Officer Roles in a Unified Platform: DPO, ISO, Compliance Officer
German law requires several statutory officers depending on company size, sector and risk profile. A data protection officer (Datenschutzbeauftragter, DPO) is mandatory under Section 38 BDSG for companies that regularly process personal data with at least 20 employees engaged in such processing, plus the cases listed in Article 37 GDPR. An information security officer (Informationssicherheitsbeauftragter, ISB) is not strictly mandatory under federal law but required in practice for entities falling under NIS-2, KRITIS regulations and the BSI sector-specific guidance. A compliance officer (Compliance-Beauftragter) is required de facto for companies above 250 employees or in regulated sectors, following the BGH Neubürger ruling from 2017.
In a unified platform, these three officers share a single workspace but operate in separate role contexts, with permissions that respect confidentiality and independence. The DPO sees the records of processing, data subject requests and breach notifications. The ISB sees the risk register, asset inventory, control implementation status and incident records. The compliance officer sees the obligations register, the audit plan, training records and the management review reports. CIVAC implements these role contexts with auditable access logs and a documented separation of duties. License the workspace for your internal officers or have our officers appointed under our officer-as-a-service model. Both options share the same data layer, the same audit trail and the same EU data residency, and you can move between models without losing history. The platform also tracks substitute coverage for each officer, which matters in long absences such as parental leave or extended sickness, because regulators expect uninterrupted statutory coverage and a documented chain of responsibility, not informal vacation arrangements between colleagues.
Vendor Selection Checklist: What to Require Before Signing
Procurement teams in Germany typically apply a 30-item vendor checklist when selecting a compliance platform. The most important items fall into five categories. First, regulatory coverage: does the platform map controls to GDPR, NIS-2, ISO/IEC 27001:2022, ISO/IEC 27017, ISO/IEC 27018 and at least one sector standard (BAIT, VAIT, KAIT, ZAIT, BSI C5)? Second, data architecture: where is data stored (Germany or EU), how is it encrypted at rest and in transit, what is the key management model, and how is data exported on contract termination? Third, identity and access: does the platform support SAML SSO with Azure Entra ID, Okta or Keycloak, multi-factor authentication, role-based access and granular permissions for officer roles?
Fourth, audit and evidence: does the platform record an immutable audit trail, support versioning of documents, generate auditor-friendly reports (PDF, signed XML, CSV) and provide an evidence locker that exports complete record sets for ISO 27001 surveillance audits and IDW PS 951 reviews? Fifth, operational support: does the vendor provide German-language support, an SLA with response times below two business days, an officer-as-a-service option for companies that prefer external appointment, and a defined exit strategy with structured data export? CIVAC answers all five categories in a single contract, with a service level agreement of two business days for officer-as-a-service inquiries, German contract law and a documented exit clause that returns all evidence in standard formats. A defensible procurement record also requires that each requirement is mapped to a concrete artefact the vendor can hand over before signature, not a marketing claim that surfaces in the next audit as an open finding.
Cost Model: Where Consolidation Saves Documentation Effort
The financial case for a unified platform rests on the cost of documentation, not the cost of software. A mid-sized German enterprise with 800 employees and three regulated activities typically spends between 1,200 and 1,800 working days per year on compliance documentation, audits and officer activities across GDPR, NIS-2 and ISO 27001. Of this effort, 40 to 60 percent is duplication: the same control documented in three different formats, the same evidence collected three times, the same audit interview repeated for three auditors. Consolidating the documentation into one workspace removes the duplication without removing the control rigour.
The savings split across three categories. First, documentation reuse, where one control description, one evidence link and one approval trail serve all three regimes. Second, audit efficiency, where the same auditor walk-through covers multiple scopes and the auditor receives a pre-mapped evidence set. Third, training and onboarding, where new officers learn one platform instead of three, and new auditors receive a consistent evidence package. CIVAC ships with the mapping pre-built across the 93 ISO/IEC 27001:2022 controls, the 10 NIS-2 risk-management measures and the GDPR TOMs catalogue, so consolidation does not start from a blank page. The phrase others manage compliance like a filing cabinet, we manage it like software is not marketing prose; it captures the operational delta that turns 1,800 working days into 900. The same logic applies to certification cost: external auditors quote per-day rates, and a pre-mapped evidence set typically reduces the on-site audit days by 30 to 40 percent, which alone often pays for the platform license in the first certification cycle.
Migration Path: How to Move From Three Systems to One in 90 Days
Most German enterprises arrive at the unified-platform question after running three separate systems for three to five years: a GDPR record-of-processing tool, an ISO 27001 GRC system and an NIS-2 risk register in spreadsheets. Migrating these into a single workspace works best in a four-phase plan over 90 days. Phase one, weeks 1 to 2, is inventory: list all officers, their appointment letters, all current controls, all current evidence and the upcoming audit milestones. Phase two, weeks 3 to 6, is import and mapping: load the existing data into the unified workspace, map controls to the ISO/IEC 27001:2022 Annex A baseline and identify the gaps against NIS-2 and GDPR.
Phase three, weeks 7 to 10, is parallel run: operate the new workspace alongside the existing systems, route new incidents and new evidence into both, and validate that audit reports produce the same conclusions. Phase four, weeks 11 to 13, is cutover: switch officer appointments to the unified workspace, archive the old systems with an export and run the first internal audit entirely from the new platform. CIVAC supports this migration through structured onboarding workshops, German-language documentation templates and a dedicated implementation manager. The result is a single source of truth, where the auditor calls and the evidence is ready, instead of a multi-system search that consumes audit weeks. License the workspace for your internal officers or have our officers appointed; either way, the migration timeline holds. A common pitfall during cutover is incomplete user provisioning, which leaves officers without access to evidence they need on day one; the implementation manager mitigates this by validating SSO and role assignments in week eleven, before the first cutover audit interview.
Turning the Reading Into an Engagement
The case for one platform across GDPR, NIS-2 and ISO/IEC 27001:2022 is operational, not theoretical. Sixty percent of the controls overlap, the reporting clocks share a common trigger of awareness, and the audit evidence needs to live in a German-language, EU-resident workspace with full versioning and timestamping. CIVAC was built as a compliance platform and officer-as-a-service for exactly this purpose: 25 statutory officer roles, 490 ready-to-run audit templates, 93 mapped ISO 27001 controls, the NIS-2 24/72 reporting path, EU data residency, German contract law and a documented exit clause. You decide whether you license the workspace for your internal officers or whether our officers are appointed under the officer-as-a-service model. Both options share the same workspace, the same audit trail and the same evidence base.
From reading to engagement. Reach us at info@civac.de or book a discovery call through the contact form on civac.de. In a 45-minute call we will assess your current state across the three regimes, identify the duplication that is costing you working days and propose a 90-day migration path with clear milestones. You will leave the call with a written summary, a maturity rating per regime and an honest answer to the question whether a workspace license or officer-as-a-service is the better fit for your size, sector and risk profile. Others manage compliance like a filing cabinet. We manage it like software. The auditor calls and the evidence is ready, in German or English, audit-ready and paragraph-tested across all three regimes simultaneously.
FAQ
Why do GDPR, NIS-2 and ISO 27001 overlap so much in practice?
All three regimes target the same operational goal: protecting confidentiality, integrity and availability of information. GDPR focuses on personal data, NIS-2 on critical and important services, and ISO 27001 on information assets generally. Sixty percent of the controls (encryption, access management, incident response, continuity) satisfy requirements in all three regimes simultaneously.
Is EU data residency strictly required for a compliance platform in Germany?
EU data residency is not a strict legal requirement for every dataset, but for sensitive evidence such as breach notifications, officer appointment letters and personal data records, German enterprises strongly prefer EU or German data residency to avoid Chapter V GDPR safeguards. The BSI also recommends EU residency for NIS-2 evidence.
How long does a typical migration from three systems to one take?
A structured migration runs in four phases over 90 days: two weeks inventory, four weeks import and mapping, four weeks parallel run, three weeks cutover. The timeline assumes that existing officer appointments, records of processing and risk registers are documented in some form, even if they are spread across spreadsheets and SharePoint.
What is officer-as-a-service compared to a workspace license?
Under a workspace license, your internal officers operate the platform themselves. Under officer-as-a-service, CIVAC appoints external officers with a signed appointment letter, defined reporting line and substitute coverage. Both models share the same workspace and produce identical audit evidence; you can switch between them without losing history.
How does the platform support the NIS-2 24-hour and 72-hour reporting clocks?
The platform captures incidents with a timestamp, routes the early warning to the BSI within 24 hours and the follow-up notification within 72 hours through pre-filled templates aligned with Article 23 NIS-2, and links the incident to the affected assets and corrective measures. The audit trail records every step for the next ISO 27001 surveillance audit.
Do I need separate appointment letters for the DPO, ISO and compliance officer?
Yes. German law treats the data protection officer, the information security officer and the compliance officer as separate roles with separate appointment letters, reporting lines and protections. The platform generates each appointment letter from a legally reviewed template, files it in the audit trail and tracks substitute coverage for absences.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.