Norms, Standards & Guidelines
B
BSI C5
Are you a provider of a cloud service and would like to have your current cloud infrastructure objectively assessed? With an audit in accordance with the Cloud Computing Compliance Controls Catalogue, C5 for short, from the German Federal Office for Information Security (BSI), you will receive a transparent assessment.
BSI TR-03109
The smart meter gateway (SMGW) is the functional centrepiece of every intelligent metering system (iMSys). CLS communication adapters are used to ensure a communicative connection of technical devices to the HAN interface of the SMGW. Manufacturers prove that these are really secure and fulfil the state of the art with a test in accordance with TR-03109-5.
BSI TR-03121
Fits in with the ID card law
BSI TR-03148
Routers are considered the centrepiece of modern home networking. For this reason, they are an attractive target for hacker attacks and need to be protected effectively. With the BSI TR-03148 for "Secure Broadband Router", you as a manufacturer can prove that your broadband routers fulfil the security requirements defined by the BSI.
BSI TR-03153
To protect electronic cash register systems from unauthorised tampering, the integrity, authenticity and completeness of the recorded data must be guaranteed. This is made possible by the use of a technical security device (TSE), which protects and stores the data to be recorded. This must be certified in accordance with BSI TR-03153.
BSI TR-03161
Healthcare applications store and process a lot of sensitive and particularly sensitive data. It is therefore particularly important for manufacturers of healthcare applications to consider basic security standards - as defined in the BSI Technical Guideline TR-03161 - from the outset and implement them accordingly.
BSI TR-03174
BSI TR-03174 is aimed at manufacturers, developers, and operators of digital applications in the financial sector. It specifies binding, verifiable security requirements with the aim of ensuring a uniform and high level of security for financial apps, web applications, and backend systems.
BSI TR-03181
Digitisation projects in government, business and society require particularly secure protection and transmission of sensitive data. It is therefore important to implement and utilise the necessary cryptographic processes in accordance with an established standard. This requires a Cryptographic Service Provider (CSP) that is structured in accordance with the technical guideline TR-03181 CSP2.
Business Continuity Management (BCM)
Whether natural disasters, supply chain disruptions or the rapidly increasing number of cyber attacks: without thorough risk prevention, they still hit companies and organisations suddenly and unexpectedly. Companies that want to take precautions in good time to prepare themselves for emergencies are supported by experienced experts from TÜVIT.
C
Cloud Services
Large amounts of data can be stored and processed flexibly and efficiently in the cloud. At the same time, the use of cloud-based systems also harbours risks, such as cyberattacks, data loss, misconfiguration or unauthorised access. To counter these risks, companies should implement comprehensive security measures.
Common Criteria
Common Criteria (CC) is a state-run certification system, which in Germany has the Federal Office for Information Security (BSI) as its certification body. Through the Arrangement on the Recognition of Common Criteria Certificates (CCRA), the certificates are recognised in 31 countries.
Cyber Resilience Act
The Cyber Resilience Act (CRA) adopted by the Council of EU Home Affairs Ministers in 2024 will impose new minimum requirements on manufacturers of networked devices in terms of cybersecurity.
CyberSecurity Certified (CSC)
There are still major security concerns about smart home devices. With the CyberSecurity Certified (CSC) certification mark, manufacturers of smart home devices and consumer IoT products can counter this problem and objectively demonstrate the implementation of security measures.
D
Data Processing
Article 42 of the EU GDPR creates the prerequisites for certification in accordance with the EU General Data Protection Regulation. TÜVIT is currently undergoing the accreditation process for data protection certification.
Data Protection Audit
The GDPR poses major challenges for companies or their service providers as well as developers and operators of websites or online shops: expensive implementation of data protection regulations and the risk of high fines if the legal requirements are not met. This is where TÜVIT can help: with our flexible data protection audits.
Data Protection Management Systems
Data protection management systems (DMS) provide companies with legal protection, minimise risks and create trust among customers and partners. They structure data protection processes, ensure transparency and prevent breaches of the GDPR. TÜVIT certifications prove their effectiveness - turning data protection into a competitive advantage.
Data Protection Organisation (DPO)
Put your operational data protection in the hands of our experts: We will provide you with external, certified data protection officers who will support you with the GDPR-compliant data protection organisation in your company. Our data protection experts will help you with all matters relating to operational data protection and monitor compliance with data protection regulations.
Digital Care Applications (DiPA)
If you want your digital nursing application (DiPA) to be officially included in the DiPA directory and therefore eligible for reimbursement, you must prove that your application fulfils certain IT security, data protection and data security requirements. With the right services, we can support you successfully on the way to obtaining health insurance coverage.
Digital Health Applications (DiGA)
In order for your digital health application to be eligible for reimbursement, you must prove to the Federal Institute for Drugs and Medical Devices (BfArM) that your application fulfils certain IT security, data protection and data security requirements. We accompany you on your way to reimbursable DiGA.
E
EMVCo
Components used in electronic payment transactions must fulfil the EMVCo security standards and those of the German banking industry. TÜVIT's IT security laboratory has been evaluating chips, applications, chip cards or smart cards and the associated operating systems for the banking sector for over twenty years and prepares security reports.
EUDI & eIDAS
Digital identities are becoming increasingly important in everyday life - whether for online banking, accessing government services or proof of age. The EUDI Wallet in combination with the eIDAS Regulation 2.0 is intended to offer users a secure, trustworthy and Europe-wide recognised way to digitally manage their identity data and official documents such as boarding passes and tickets.
F
FIDO
Authenticators and biometric user verifications are designed to make authentication for users on the Internet more secure, faster and easier - provided they fulfil certain security standards themselves. The FIDO Alliance has developed open standards specifically for these authentication solutions, which manufacturers can use to objectively prove their security.
FIPS 140-3
FIPS 140-3 creates the conditions for uniform security standards for cryptographic modules and thus enables international comparability. The standard addresses current threats as well as modern cryptography and security technologies and thus provides a contemporary basis.
Fixed-time cybersecurity certification (BSZ)
With the Fixed-time cybersecurity certification (BSZ), you can prove the security statement of your IT product with an independent certificate. BSZ focusses on the security robustness of your IT product. Through a combination of evaluations and penetration tests, you objectively prove that your product fulfils the specified security performance.
G
GSMA NESAS
The Network Equipment Security Assurance Scheme, NESAS for short, is a cross-industry scheme defined jointly by the 3rd Generation Partnership Project (3GPP) and the GSM Association (GSMA) to strengthen confidence in the IT security of mobile phone components. Network devices are tested by independent testing service providers such as TÜVIT.
H
HSMs and Secure Server
As trusted network computers, hardware security modules protect particularly important and security-relevant information and processes in the infrastructure backend. How? As hardened servers with security management functions and high performance at the same time.
I
IEC 62351
In the energy industry, data and communication protocols are used that do not have their own security mechanisms. This makes it all the more important to protect them appropriately. IEC 62351 is an efficient tool: With the help of the specific standard requirements, process communication between control and telecontrol technology can be secured in the best possible way.
IEC 62443
As an operator, integrator or manufacturer of industrial automation systems, IEC 62443 provides you with the best possible protection against cyber attacks and improves the general security of your processes, products or systems. The standard provides you with effective guidelines in the form of criteria and security requirements.
ISO 22301
With Business Continuity Management (BCM), your company is prepared for emergencies: If emergencies or disruptions threaten to restrict your business activities or even bring them to a standstill, BCM in accordance with ISO 22301 comes into play. It defines the requirements for holistic crisis and emergency management.
ISO 25010
ISO 27001
ISO 27001 certification provides companies with objective proof that they operate an effective information security management system (ISMS) that protects their operational information, data and systems against hacker attacks and data loss in the best possible way.
ISO 27017
The international standard ISO 27017 contains specific requirements for the information security of cloud services. It provides providers and users of cloud-based services with efficient guidelines for implementing effective information security controls.
ISO 27018
ISO 27018 provides cloud computing providers with guidelines that they can use to ensure the secure processing of personal data within the cloud environment. The standard should be seen as a supplement to the ISO 27001, ISO 27002 and ISO 27017 standards and can therefore be easily integrated into an existing information security management system (ISMS).
ISO 27701
With ISO 27701, you can add relevant data protection-specific requirements to your existing information security management system (ISMS) in accordance with ISO 27001. The international standard ISO 27701 can also serve as a systematic basis for successfully integrating the requirements of the GDPR into data protection management.
IT-Grundschutz
With IT-Grundschutz, the German Federal Office for Information Security (BSI) provides companies with a methodology with which they can comprehensively secure their data, systems and information and successfully implement an information security management system (ISMS).
Information Security Management (ISMS)
Cyber attacks and data theft now affect almost everything and everyone. The management of information security plays a decisive role in whether a company can secure its business processes and enjoy trust on the market.
Internet of Everything
The Internet of Everything (IoE) is revolutionising the way in which people, processes, data and things are connected. It increases efficiency, promotes innovation and new business models and creates personalised experiences.
M
Mobile Radio Systems and Components
Integrity, robustness and confidentiality are the fundamental requirements for trustworthy communication. They guarantee the trust of users in technology and operators.
O
Operating and Database Systems
Secure operating and database systems are fundamental for the integrity and protection mechanisms of data and applications against unauthorised access.
P
Post-Quantum Cryptography
Thinking about tomorrow today: Confidential information runs the risk of no longer being protected in the future.
R
Radio Equipment Directive
With the Radio Equipment Directive (RED), the EU Commission has created a regulatory framework for placing radio equipment on the market. On this page you will find everything you need to know about the RED.
S
Secure Chips & Microcontrollers
For effective protection and trustworthiness in the networked world.
Security Qualification (SQ)
With the Security Qualification (SQ), TÜVIT offers a standardised and flexible certification procedure that enables a holistic view of products and networked system solutions in accordance with the cyber security requirements of the EU.
Source Code & Firmware Solutions
Informationally and functionally secure software and firmware is a basic prerequisite for reliable, secure and efficient utilisation of business processes, machines and devices.
T
Trusted Site Privacy
With Trusted Site Privacy (TSP), TÜVIT pursues a holistic approach. As part of this widely respected certificate, IT systems are tested under legal and technical aspects with regard to the responsible handling of customers' personal data.
V
Video Consultation
If you would like to become a certified video service provider and have your service officially listed on the KBV website, you must prove that you fulfil the requirements for confidentiality, integrity and availability of personal data as well as other information technology security requirements.
§
§8a of the BSI-Act
As an operator of critical infrastructures (KRITIS), you must prove every two years that your IT security is state of the art in accordance with Section 8a of the BSI Act. According to the BSI Criticism Ordinance (BSI-KritisV), proof is provided by means of a corresponding audit in accordance with Section 8a of the BSI-Act.