VS-NFD Define Roles & Responsibilities

The Geheimschutzbeauftragter (classified information officer) is appointed by company management to implement all measures related to material and personnel security for classified information. Key duties include overseeing the classified registry, conducting security briefings, initiating security vetting procedures (SU1, SU2, SU3), monitoring proper storage of classified material, and advising management on all classification matters. The role holds a functional special status comparable to a data protection officer under German law.

The Sicherheitsbevollmaechtigter (security representative) is the senior company member who serves as the primary contact for the Federal Ministry for Economic Affairs (BMWi) on all security classification matters. This person holds classification-related authority within the organization. The Geheimschutzbeauftragter, by contrast, implements day-to-day operational security measures. In smaller companies, both roles may be held by one person. In larger organizations, separation of these roles is recommended for effective governance.

Organizations under security classification oversight must establish at minimum: the security representative as the top-level responsible person, the classified information officer for operational implementation, and the classified registry administrator for document management. A sabotage protection officer may also be required. Organizations processing only VS-NfD material (the lowest classification level) do not require formal security classification oversight but must designate a responsible person to ensure compliance with the VS-NfD guidelines.

A VS-NfD role matrix assigns clear tasks, authorities, and reporting lines to each function in the classified information governance structure. The matrix typically covers five dimensions: role (who), task (what), authority (may), escalation (where to), and deputy (who substitutes). It should be linked to existing compliance governance to avoid duplicate structures. ADVISORI develops these role matrices based on VSA requirements and your specific organizational structure.

For VS-NfD classified information (the lowest level), no formal security vetting of personnel is required. Employees need only be formally obligated to comply with VS-NfD handling guidelines. Starting from VS-Confidential classification, a basic security check (SU1) is required. VS-Secret requires an extended check (SU2), and Top Secret requires an extended check with security investigations (SU3). The classified information officer initiates and monitors these procedures in cooperation with the Federal Office for the Protection of the Constitution.

ADVISORI begins with an organizational analysis to assess existing structures and responsibilities. Based on the findings, we create a VSA-compliant role matrix, define position descriptions for the classified information officer, security representative, and registry administrator, develop training concepts, and implement governance processes. Our consultants have experience with the BMWi security classification procedure and also support preparation for formal security classification oversight proceedings.

Unclear responsibilities in classified information handling can lead to severe consequences: violations of the Verschlusssachenanweisung may result in withdrawal of security classification oversight, meaning the organization can no longer process government classified contracts. Operational risks include uncontrolled access to classified material, missing briefing records during audits, delayed security vetting, and lack of traceability in the classified registry. This can also carry criminal consequences under Section 353b of the German Criminal Code (breach of official secrets).