VS-NFD Ongoing Compliance

Ongoing VS-NfD compliance covers all measures a company must continuously implement to handle classified information at the VS-NfD (Nur für den Dienstgebrauch / For Official Use Only) level in a compliant manner. This includes regular employee training per the VS-NfD memorandum, maintaining security clearances (SÜG) for all personnel with access to classified materials, updating IT security concepts per BSI requirements, and preparing for classified information audits by the BMWK. Without ongoing compliance measures, companies risk losing their Geheimschutz status and the ability to participate in classified contracts.

The Verschlusssachenanweisung (VSA) requires companies with access to VS-NfD material to implement comprehensive protective measures. These include physical security (secure storage, access controls, transport regulations), personnel security (security clearances under the SÜG, commitment declarations), classification and management of classified documents, and IT security (encrypted transmission, BSI-approved systems). Since the

2023 VSA revision, stricter requirements apply for digital processing of classified information.

All employees with access to VS-NfD classified information must receive an initial briefing per the VS-NfD memorandum (GHB Annex 4) and sign a commitment declaration before starting work. Regular refresher training is then required, typically at least annually in practice. All training must be documented and archived in an audit-ready manner. ADVISORI supports the design, delivery, and documentation of these training sessions.

During a Geheimschutz audit, the Federal Ministry for Economic Affairs and Climate Action (BMWK) or the responsible security authority examines whether the company fully meets the requirements of the Geheimschutzhandbuch (GHB) and the Verschlusssachenanweisung (VSA). Key audit areas include the organization of classified information protection (Geheimschutzbeauftragter), secure storage of classified materials, IT security measures, currency of security clearances, training records, and documentation of classified document inventory. ADVISORI prepares companies specifically for these audits.

The Federal Office for Information Security (BSI) defines technical requirements for processing VS-NfD information on IT systems. This includes approval of encryption products, specifications for VPN infrastructure, multi-factor authentication requirements, and review of IT security concepts. Companies must use exclusively BSI-approved or BSI-recommended solutions for digital processing of VS-NfD materials and demonstrate this as part of ongoing compliance.

Physical security (materieller Geheimschutz) covers all technical and organizational measures for protecting classified materials: secure storage (e.g., steel cabinets, security rooms), access control systems, transport and destruction procedures, and IT security measures. Personnel security (personeller Geheimschutz) concerns the individuals who receive access to classified information: security clearances under the SÜG, commitment declarations, regular training, and monitoring of access authorizations. Both areas must be continuously maintained as part of ongoing VS-NfD compliance.

Violations of VS-NfD regulations can have severe consequences. At the corporate level, companies face withdrawal of their Geheimschutz status, which means exclusion from classified contracts. For individuals, criminal prosecution under sections

93 ff. of the German Criminal Code (treason, endangering external security) is possible, as even VS-NfD material can constitute a state secret. Additional risks include contractual penalties and reputational damage. Ongoing compliance measures with regular monitoring prevent such violations from occurring.