[{"data":1,"prerenderedAt":920},["ShallowReactive",2],{"navigation-docs_en":3,"/en/blog/bsi-it-grundschutz-microsoft-365-posts_en":51,"/en/blog/bsi-it-grundschutz-microsoft-365-surround-posts_en":910},[4],{"title":5,"path":6,"stem":7,"children":8,"page":25},"En","/en","en",[9],{"title":10,"path":11,"stem":12,"children":13,"page":25},"Docs","/en/docs","en/1.docs",[14,26],{"title":15,"path":16,"stem":17,"children":18,"icon":25},"Getting Started","/en/docs/getting-started","en/1.docs/1.getting-started/1.index",[19,21],{"title":20,"path":16,"stem":17,"children":-1},"Introduction",{"title":22,"path":23,"stem":24,"children":-1},"Migration Roadmap","/en/docs/getting-started/migration-fahrplan","en/1.docs/1.getting-started/2.migration-fahrplan",false,{"title":27,"path":28,"stem":29,"children":30,"page":25},"Technologies","/en/docs/technologies","en/1.docs/2.technologies",[31,35,39,43,47],{"title":32,"path":33,"stem":34,"children":-1},"Nextcloud","/en/docs/technologies/nextcloud","en/1.docs/2.technologies/1.nextcloud",{"title":36,"path":37,"stem":38,"children":-1},"Matrix / Element","/en/docs/technologies/matrix","en/1.docs/2.technologies/2.matrix",{"title":40,"path":41,"stem":42,"children":-1},"ONLYOFFICE","/en/docs/technologies/onlyoffice","en/1.docs/2.technologies/3.onlyoffice",{"title":44,"path":45,"stem":46,"children":-1},"Ubuntu Linux","/en/docs/technologies/ubuntu","en/1.docs/2.technologies/4.ubuntu",{"title":48,"path":49,"stem":50,"children":-1},"Keycloak","/en/docs/technologies/keycloak","en/1.docs/2.technologies/5.keycloak",{"id":52,"title":53,"authors":54,"badge":60,"body":62,"date":855,"description":856,"extension":857,"faq":858,"howto":876,"image":902,"meta":904,"navigation":905,"path":906,"seo":907,"stem":908,"__hash__":909},"posts_en/en/3.blog/11.bsi-it-grundschutz-microsoft-365.md","BSI IT-Grundschutz and Microsoft 365 – Why the Combination Cannot Be Compliant",[55],{"name":56,"to":57,"avatar":58},"europioneer Team","https://europioneer.io",{"src":59},"/favicon.svg",{"label":61},"Information Security",{"type":63,"value":64,"toc":816},"minimark",[65,69,86,109,116,121,128,167,178,182,187,205,209,212,230,240,244,251,258,262,279,283,331,335,348,352,356,376,380,383,406,413,417,424,428,501,508,512,520,524,550,554,574,578,598,602,628,632,661,665,668,672,675,679,682,686,689,698,705,714,722,726,729,733,736,752,756,766,782,785,791,794,799],[66,67,53],"h1",{"id":68},"bsi-it-grundschutz-and-microsoft-365-why-the-combination-cannot-be-compliant",[70,71,72,73,77,78,81,82,85],"p",{},"Germany's ",[74,75,76],"strong",{},"Federal Office for Information Security (BSI)"," publishes the ",[74,79,80],{},"IT-Grundschutz Compendium",", the binding information-security methodology for German federal authorities and a de-facto standard for SMEs. With ",[74,83,84],{},"C5"," (Cloud Computing Compliance Criteria Catalogue), the BSI added a cloud-specific catalogue.",[70,87,88,89,96,97,100,101,104,105,108],{},"Anyone subject to ",[90,91,93],"a",{"href":92},"/en/blog/nis2-gdpr-microsoft-paradox",[74,94,95],{},"NIS2",", anyone contracting with the ",[74,98,99],{},"public sector",", anyone seeking ",[74,102,103],{},"cyber insurance"," or sitting in a ",[74,106,107],{},"NIS2 supply chain"," cannot avoid IT-Grundschutz.",[70,110,111,112,115],{},"And here it gets uncomfortable: ",[74,113,114],{},"Microsoft 365 fully meets none of the security-critical Grundschutz modules."," Below, module by module.",[117,118,120],"h2",{"id":119},"what-it-grundschutz-actually-requires","What IT-Grundschutz actually requires",[70,122,123,124,127],{},"IT-Grundschutz is ",[74,125,126],{},"not a marketing seal",", it is a documentation-heavy process:",[129,130,131,138,144,150,156,162],"ol",{},[132,133,134,137],"li",{},[74,135,136],{},"Structural analysis"," of the information network",[132,139,140,143],{},[74,141,142],{},"Protection-needs assessment"," per component",[132,145,146,149],{},[74,147,148],{},"Modelling"," using the modules of the compendium",[132,151,152,155],{},[74,153,154],{},"IT-Grundschutz check"," – are the requirements implemented?",[132,157,158,161],{},[74,159,160],{},"Risk analysis"," per BSI Standard 200-3 for high protection needs",[132,163,164],{},[74,165,166],{},"Implementation and maintenance",[70,168,169,170,173,174,177],{},"Each module defines ",[74,171,172],{},"basic, standard and elevated"," requirements. Certification requires ",[74,175,176],{},"all basic and standard requirements"," to be implemented and proven.",[117,179,181],{"id":180},"the-critical-modules-in-the-microsoft-365-context","The critical modules in the Microsoft 365 context",[183,184,186],"h3",{"id":185},"con3-data-backup-concept","CON.3 – Data backup concept",[70,188,189,192,193,196,197,200,201,204],{},[74,190,191],{},"CON.3.A4: Creation of a backup concept","\nRequires documented, tested backups. Microsoft 365 does ",[74,194,195],{},"not"," back up data in the sense of the BSI. Microsoft's shared-responsibility model explicitly places this on the customer. Without ",[74,198,199],{},"third-party backup"," (e.g. to EU S3 storage), CON.3 in a pure Microsoft setup is ",[74,202,203],{},"not achievable",".",[183,206,208],{"id":207},"ops22-cloud-usage","OPS.2.2 – Cloud usage",[70,210,211],{},"The decisive module for any Microsoft 365 use.",[70,213,214,217,218,221,222,225,226,229],{},[74,215,216],{},"OPS.2.2.A11: Contingency plan for a cloud service","\nMust cover provider failure and data repatriation. With a ",[74,219,220],{},"vendor-lock-in architecture"," like Microsoft 365 (proprietary formats, proprietary APIs, proprietary identity), realistic emergency repatriation is to be measured in ",[74,223,224],{},"months, not hours",". The BSI demands ",[74,227,228],{},"robust documentation"," for this – which in most cases simply does not exist.",[70,231,232,235,236,239],{},[74,233,234],{},"OPS.2.2.A14: Secure migration to another cloud provider / reverse migration","\nWith Microsoft 365's proprietary data formats (Teams channels, OneNote notebooks, SharePoint sites, Power Platform flows) this is ",[74,237,238],{},"practically impossible"," without significant data loss.",[183,241,243],{"id":242},"app52-microsoft-exchange-and-outlook-bsi-explicitly-publishes-this-module","APP.5.2 – Microsoft Exchange and Outlook (BSI explicitly publishes this module!)",[70,245,246,247,250],{},"The BSI-authored module addresses the on-premise variant. ",[74,248,249],{},"For Exchange Online (part of M365) there is no analogous cloud module"," addressing the specific risks. OPS.2.2 only partially fills the gap.",[70,252,253,254,257],{},"In particular APP.5.2.A10 (secure configuration) and A14 (mail encryption) are ",[74,255,256],{},"only partially achievable"," in Exchange Online, because Microsoft holds the keys.",[183,259,261],{"id":260},"con1-crypto-concept","CON.1 – Crypto concept",[70,263,264,267,268,271,272,275,276,204],{},[74,265,266],{},"CON.1.A8: Secure storage of cryptographic keys","\nIn Microsoft 365, ",[74,269,270],{},"Microsoft holds the keys"," for indexing, search, anti-spam, Copilot and – in the worst case – CLOUD Act requests. ",[74,273,274],{},"BYOK changes nothing fundamental",", since the key sits in Microsoft-administered HSMs. A BSI auditor will, in honest assessment, mark this as ",[74,277,278],{},"\"not met\"",[183,280,282],{"id":281},"orp5-compliance-management","ORP.5 – Compliance management",[70,284,285,288,289,292,293,292,296,292,299,302,303,309,310,313,314,317,318,321,322,326,327,330],{},[74,286,287],{},"ORP.5.A2: Observance of legal frameworks","\nIncludes ",[74,290,291],{},"GDPR",", ",[74,294,295],{},"German Trade Secrets Act (GeschGehG)",[74,297,298],{},"TKDSG",[74,300,301],{},"BDSG",", sector-specific laws. Microsoft 365 is subject to the ",[90,304,306],{"href":305},"/en/blog/cloud-act-2026",[74,307,308],{},"US CLOUD Act",", which ",[74,311,312],{},"structurally violates"," ",[74,315,316],{},"GeschGehG §4"," and ",[74,319,320],{},"GDPR Art. 48"," the moment a US authority issues a request. With the upcoming ",[90,323,325],{"href":324},"/en/blog/schrems-iii-cjeu-ruling","Schrems III ruling"," in sight, ORP.5.A2 is ",[74,328,329],{},"structurally not achievable"," with Microsoft 365.",[183,332,334],{"id":333},"net11-network-architecture","NET.1.1 – Network architecture",[70,336,337,340,341,344,345,204],{},[74,338,339],{},"NET.1.1.A14: Protection against unauthorised external access","\nMicrosoft operates a worldwide backbone (Microsoft Global Network) whose access paths are ",[74,342,343],{},"not inspectable"," under IT-Grundschutz. The Midnight Blizzard incident (2024, senior leadership mailboxes compromised) showed these paths ",[74,346,347],{},"are actually exploited",[117,349,351],{"id":350},"common-questions-about-c5-attestation-and-bsi-conformity-of-microsoft-365","Common questions about C5 attestation and BSI conformity of Microsoft 365",[183,353,355],{"id":354},"is-a-c5-attestation-sufficient-proof-of-bsi-compliant-cloud-usage","Is a C5 attestation sufficient proof of BSI-compliant cloud usage?",[70,357,358,359,362,363,366,367,292,370,372,373,204],{},"No. A ",[74,360,361],{},"C5 attestation"," is a ",[74,364,365],{},"self-assessment with auditor confirmation",", not a legal opinion. Microsoft holds a C5 attestation (Type 2) – sounds good, but is misleading. It examines ",[74,368,369],{},"operational security measures",[74,371,195],{}," the ",[74,374,375],{},"third-country access problem",[183,377,379],{"id":378},"which-c5-criteria-are-critical-for-microsoft-365","Which C5 criteria are critical for Microsoft 365?",[70,381,382],{},"In particular:",[384,385,386,391,396,401],"ul",{},[132,387,388],{},[74,389,390],{},"BC-01 (data location)",[132,392,393],{},[74,394,395],{},"BC-02 (sub-processors)",[132,397,398],{},[74,399,400],{},"BC-03 (legal jurisdiction)",[132,402,403],{},[74,404,405],{},"BC-04 (disclosure to state authorities)",[70,407,408,409,412],{},"are declared met by Microsoft by reference to the \"EU Data Boundary\". ",[74,410,411],{},"This self-assessment does not hold under legal scrutiny"," once the CLOUD Act is considered. Microsoft France confirmed this publicly before the French Senate in 2025.",[183,414,416],{"id":415},"does-a-c5-attestation-automatically-imply-gdpr-or-nis2-conformity","Does a C5 attestation automatically imply GDPR or NIS2 conformity?",[70,418,419,420,423],{},"No. ",[74,421,422],{},"C5 attestation ≠ GDPR conformity ≠ NIS2 conformity."," The BSI itself explicitly notes this in the C5 documentation.",[117,425,427],{"id":426},"the-honest-balance","The honest balance",[429,430,431,444],"table",{},[432,433,434],"thead",{},[435,436,437,441],"tr",{},[438,439,440],"th",{},"BSI module / criterion",[438,442,443],{},"Achievable with Microsoft 365?",[445,446,447,456,463,471,479,486,494],"tbody",{},[435,448,449,453],{},[450,451,452],"td",{},"CON.1 crypto concept (key sovereignty)",[450,454,455],{},"❌ No",[435,457,458,461],{},[450,459,460],{},"CON.3 backup (without third-party backup)",[450,462,455],{},[435,464,465,468],{},[450,466,467],{},"OPS.2.2 cloud usage (exit strategy)",[450,469,470],{},"⚠️ Only with massive effort",[435,472,473,476],{},[450,474,475],{},"APP.5.2 Exchange (mail encryption)",[450,477,478],{},"⚠️ Limited",[435,480,481,484],{},[450,482,483],{},"ORP.5 compliance (CLOUD Act vs. GDPR Art. 48)",[450,485,455],{},[435,487,488,491],{},[450,489,490],{},"NET.1.1 network architecture (external access)",[450,492,493],{},"❌ Not verifiable",[435,495,496,499],{},[450,497,498],{},"C5 BC-01 through BC-04 (location & disclosure)",[450,500,455],{},[70,502,503,504,507],{},"This is not \"Microsoft bashing\". This is the ",[74,505,506],{},"module-by-module application of the BSI compendium",". Any honest auditor reaches the same conclusion.",[117,509,511],{"id":510},"what-it-grundschutz-compliant-open-source-infrastructure-delivers","What IT-Grundschutz-compliant open-source infrastructure delivers",[70,513,514,515,519],{},"For each gap, a sovereign solution exists that we implement at ",[90,516,518],{"href":517},"/en/","europioneer",":",[183,521,523],{"id":522},"key-sovereignty-con1","Key sovereignty (CON.1)",[384,525,526,532,538,544],{},[132,527,528,531],{},[74,529,530],{},"Own KMS",": HashiCorp Vault / OpenBao on EU hardware",[132,533,534,537],{},[74,535,536],{},"HSM",": nCipher, Utimaco, Securosys – BSI-certified HSMs available",[132,539,540,543],{},[74,541,542],{},"Mail encryption",": S/MIME or OpenPGP, keys entirely with the customer",[132,545,546,549],{},[74,547,548],{},"Nextcloud E2EE",": client-side encryption with customer-held keys",[183,551,553],{"id":552},"backup-con3","Backup (CON.3)",[384,555,556,562,568],{},[132,557,558,561],{},[74,559,560],{},"Borgbackup / Restic"," to a second EU cloud (Hetzner Storage Box, OVHcloud Cold)",[132,563,564,567],{},[74,565,566],{},"Versioning & 3-2-1 rule"," as standard",[132,569,570,573],{},[74,571,572],{},"Weekly restore tests"," automated and documented",[183,575,577],{"id":576},"cloud-usage-exit-ops22","Cloud usage & exit (OPS.2.2)",[384,579,580,586,592],{},[132,581,582,585],{},[74,583,584],{},"Open formats",": ODF (instead of OOXML), Markdown, ICS, vCard, MBOX",[132,587,588,591],{},[74,589,590],{},"Standard APIs",": CalDAV, CardDAV, IMAP, WebDAV, S3, OIDC",[132,593,594,597],{},[74,595,596],{},"No vendor lock-in"," – every component is replaceable in days, not months",[183,599,601],{"id":600},"compliance-jurisdiction-orp5","Compliance & jurisdiction (ORP.5)",[384,603,604,610,616,622],{},[132,605,606,609],{},[74,607,608],{},"Hosting"," exclusively in the EU (Hetzner DE/FI, OVHcloud FR, Scaleway FR, IONOS DE) or on-premise",[132,611,612,615],{},[74,613,614],{},"Contractual structure"," fully under German law",[132,617,618,621],{},[74,619,620],{},"CLOUD Act risk",": structurally excluded, because no US provider is involved",[132,623,624,627],{},[74,625,626],{},"Source code"," fully inspectable and auditable (true open source, not \"open inspection\")",[183,629,631],{"id":630},"network-architecture-net11","Network architecture (NET.1.1)",[384,633,634,648,655],{},[132,635,636,639,640,643,644,647],{},[74,637,638],{},"Wazuh"," for SIEM, ",[74,641,642],{},"Suricata"," for IDS, ",[74,645,646],{},"CrowdSec"," for IPS",[132,649,650,651,654],{},"Logs sit ",[74,652,653],{},"with you",", not with a US corporation",[132,656,657,660],{},[74,658,659],{},"Zero-trust"," with Keycloak + OPA + Cilium",[117,662,664],{"id":663},"a-realistic-bsi-aligned-migration-path","A realistic BSI-aligned migration path",[70,666,667],{},"We migrate in the order the BSI itself suggests:",[183,669,671],{"id":670},"step-1-structural-analysis-and-protection-needs-assessment-week-12-step-1","Step 1: Structural analysis and protection-needs assessment (week 1–2) {#step-1}",[70,673,674],{},"Capture the information network in full, determine protection needs per component, identify critical modules.",[183,676,678],{"id":677},"step-2-identity-access-orp-keycloak-replaces-entra-id-week-34-step-2","Step 2: Identity & access (ORP) – Keycloak replaces Entra ID (week 3–4) {#step-2}",[70,680,681],{},"Keycloak as central identity platform, MFA and federated authentication, migrate user identities without password reset.",[183,683,685],{"id":684},"step-3-email-app52-mailcow-stalwart-replaces-exchange-online-week-57-step-3","Step 3: Email (APP.5.2) – Mailcow / Stalwart replaces Exchange Online (week 5–7) {#step-3}",[70,687,688],{},"Mail server in EU data centre, S/MIME or OpenPGP for mail encryption, IMAP/JMAP migration of all mailboxes, MX cutover with zero downtime.",[183,690,692,693,697],{"id":691},"step-4-file-collaboration-app4-nextcloud-onlyoffice-replaces-onedrive-sharepoint-and-office-week-811-step-4","Step 4: File & collaboration (APP.4) – ",[90,694,696],{"href":695},"/en/blog/nextcloud-vs-onedrive-sharepoint","Nextcloud + ONLYOFFICE"," replaces OneDrive, SharePoint and Office (week 8–11) {#step-4}",[70,699,700,704],{},[90,701,703],{"href":702},"/en/blog/nextcloud-for-smes","Nextcloud Hub for SMEs"," with ONLYOFFICE or Collabora, migrate files from OneDrive/SharePoint including version history, E2EE for sensitive areas.",[183,706,708,709,713],{"id":707},"step-5-communication-element-matrix-replaces-teams-week-1213-step-5","Step 5: Communication – ",[90,710,712],{"href":711},"/en/blog/microsoft-teams-alternative","Element / Matrix"," replaces Teams (week 12–13) {#step-5}",[70,715,716,717,721],{},"Following the example of the ",[90,718,720],{"href":719},"/en/blog/eu-commission-matrix","EU Commission's own migration",": Matrix homeserver in EU, Element as client, Element Call for video conferencing.",[183,723,725],{"id":724},"step-6-endpoint-hardening-sys2x-week-1416-step-6","Step 6: Endpoint hardening (SYS.2.x) (week 14–16) {#step-6}",[70,727,728],{},"Linux or hardened Windows client with Wazuh agent, disk encryption, MDM profiles, application whitelisting.",[183,730,732],{"id":731},"step-7-continuous-audit-documentation-per-it-grundschutz-methodology-step-7","Step 7: Continuous audit documentation per IT-Grundschutz methodology {#step-7}",[70,734,735],{},"Structural analysis, protection-needs assessment, modelling, IT-Grundschutz check and risk analysis documented module by module — as audit evidence for GDPR, NIS2 and cyber insurance.",[70,737,738,739,742,743,746,747,751],{},"For an SME of 20–100 employees: ",[74,740,741],{},"8–16 weeks",", fixed price, ",[74,744,745],{},"Grundschutz documentation included"," for audit / NIS2 evidence / cyber insurance. The ",[90,748,750],{"href":749},"/en/blog/microsoft-vs-opensource","Microsoft 365 vs. open-source cost comparison"," also shows that the migration makes economic sense — typically paying back within 12 months.",[117,753,755],{"id":754},"conclusion","Conclusion",[70,757,758,759,762,763,204],{},"There is no serious reading of the IT-Grundschutz Compendium in which Microsoft 365 ",[74,760,761],{},"fully meets"," the security-critical modules. Whoever sells a Microsoft 365 setup as \"BSI-compliant\" – internally or as a service provider – has ",[74,764,765],{},"either not read the modules, or is withholding the result",[70,767,768,769,292,772,292,775,778,779,204],{},"EU open-source stack alternatives are today ",[74,770,771],{},"mature",[74,773,774],{},"interoperable",[74,776,777],{},"cheaper in total cost of ownership"," and – most importantly – ",[74,780,781],{},"structurally BSI-compliant",[70,783,784],{},"We turn the compliance risk into a documented, auditable asset.",[70,786,787],{},[90,788,790],{"href":789},"/en/contact?subject=BSI-Grundschutz","Book a BSI-Grundschutz workshop →",[792,793],"hr",{},[70,795,796],{},[74,797,798],{},"Related posts:",[384,800,801,806,811],{},[132,802,803],{},[90,804,805],{"href":92},"NIS2 and GDPR with Microsoft 365 – The Compliance Paradox",[132,807,808],{},[90,809,810],{"href":305},"CLOUD Act 2026 – Why US cloud is no longer legally tenable",[132,812,813],{},[90,814,815],{"href":749},"Microsoft 365 vs. Open Source – Total cost of ownership for SMEs",{"title":817,"searchDepth":818,"depth":818,"links":819},"",2,[820,821,830,835,836,843,854],{"id":119,"depth":818,"text":120},{"id":180,"depth":818,"text":181,"children":822},[823,825,826,827,828,829],{"id":185,"depth":824,"text":186},3,{"id":207,"depth":824,"text":208},{"id":242,"depth":824,"text":243},{"id":260,"depth":824,"text":261},{"id":281,"depth":824,"text":282},{"id":333,"depth":824,"text":334},{"id":350,"depth":818,"text":351,"children":831},[832,833,834],{"id":354,"depth":824,"text":355},{"id":378,"depth":824,"text":379},{"id":415,"depth":824,"text":416},{"id":426,"depth":818,"text":427},{"id":510,"depth":818,"text":511,"children":837},[838,839,840,841,842],{"id":522,"depth":824,"text":523},{"id":552,"depth":824,"text":553},{"id":576,"depth":824,"text":577},{"id":600,"depth":824,"text":601},{"id":630,"depth":824,"text":631},{"id":663,"depth":818,"text":664,"children":844},[845,846,847,848,850,852,853],{"id":670,"depth":824,"text":671},{"id":677,"depth":824,"text":678},{"id":684,"depth":824,"text":685},{"id":691,"depth":824,"text":849},"Step 4: File & collaboration (APP.4) – Nextcloud + ONLYOFFICE replaces OneDrive, SharePoint and Office (week 8–11) {#step-4}",{"id":707,"depth":824,"text":851},"Step 5: Communication – Element / Matrix replaces Teams (week 12–13) {#step-5}",{"id":724,"depth":824,"text":725},{"id":731,"depth":824,"text":732},{"id":754,"depth":818,"text":755},"2026-05-20T00:00:00.000Z","Germany's BSI demands demonstrable control over keys, location and audit in its IT-Grundschutz catalogue. Microsoft 365 fully meets none of the critical modules. We walk through OPS.2.2, APP.5.2, CON.1, CON.3 – and the migration path that does work.","md",[859,861,864,867,870,873],{"q":355,"a":860},"No. A C5 attestation is a self-assessment with auditor confirmation, not a legal opinion. It examines operational security measures, not the third-country access problem. In particular criteria BC-01 to BC-04 (location, sub-processors, jurisdiction, disclosure to state authorities) do not survive legal scrutiny against the CLOUD Act.",{"q":862,"a":863},"Can BYOK (Bring Your Own Key) satisfy BSI requirements?","No. With Microsoft 365, BYOK keys sit in Microsoft-administered HSMs. Microsoft retains access for indexing, search, anti-spam and Copilot. CON.1.A8 (secure key storage) remains unmet — a BSI auditor will honestly mark it \"not met\".",{"q":865,"a":866},"Is there a dedicated BSI module for Exchange Online?","No. The APP.5.2 module addresses on-premise Exchange/Outlook. For Exchange Online (part of M365) only OPS.2.2 partially fills the gap — the specific cloud risks remain unaddressed.",{"q":868,"a":869},"Is an OPS.2.2-compliant exit strategy from Microsoft 365 realistic?","Only with massive effort. Microsoft 365 uses proprietary formats (Teams channels, OneNote notebooks, SharePoint sites, Power Platform flows) and proprietary identity. A realistic repatriation is to be calculated in months, not hours — and entails significant data loss.",{"q":871,"a":872},"Are ORP.5 (compliance management) and Microsoft 365 structurally incompatible?","Yes. ORP.5.A2 requires compliance with GDPR and the German Trade Secrets Act. Both are structurally violated by the CLOUD Act the moment US authorities issue a request — GDPR Art. 48 and GeschGehG §4 cannot coexist with mandatory US disclosure.",{"q":874,"a":875},"Which open-source components fully satisfy the critical BSI modules?","Key sovereignty (CON.1) through HashiCorp Vault / OpenBao + BSI-certified HSMs (nCipher, Utimaco, Securosys). Backup (CON.3) through Borg / Restic to a second EU cloud. Cloud exit (OPS.2.2) through open formats (ODF, Markdown, ICS, vCard, MBOX) and standard APIs (CalDAV, IMAP, S3, OIDC). Hosting in the EU or on-premise structurally rules out the CLOUD Act risk.",{"name":877,"description":878,"totalTime":879,"steps":880},"BSI IT-Grundschutz compliant migration from Microsoft 365 to sovereign open-source infrastructure","Seven-step migration path along BSI methodology — from structural analysis through identity and email replacement to continuous audit documentation.","P16W",[881,884,887,890,893,896,899],{"name":882,"text":883},"Structural analysis and protection-needs assessment","Capture the information network in full, determine protection needs per component, identify critical modules. Weeks 1–2.",{"name":885,"text":886},"Identity & access (ORP) – Keycloak replaces Entra ID","Deploy Keycloak as central identity platform, MFA and federated authentication, migrate user identities without password reset via SCIM/LDIF. Weeks 3–4.",{"name":888,"text":889},"Email (APP.5.2) – Mailcow / Stalwart replaces Exchange Online","Set up mail server in EU data centre, S/MIME or OpenPGP for mail encryption, IMAP/JMAP migration of all mailboxes, MX cutover with zero downtime. Weeks 5–7.",{"name":891,"text":892},"File & collaboration (APP.4) – Nextcloud + ONLYOFFICE replaces OneDrive, SharePoint and Office","Nextcloud Hub with ONLYOFFICE or Collabora as office suite, migrate files from OneDrive/SharePoint including version history, E2EE configuration for sensitive areas. Weeks 8–11.",{"name":894,"text":895},"Communication – Element / Matrix replaces Teams","Matrix homeserver in EU, Element as client, Element Call for video conferencing, room and channel migration by department. Weeks 12–13.",{"name":897,"text":898},"Endpoint hardening (SYS.2.x)","Linux or hardened Windows client with Wazuh agent, disk encryption, MDM profiles, application whitelisting. Weeks 14–16.",{"name":900,"text":901},"Continuous audit documentation per IT-Grundschutz methodology","Structural analysis, protection-needs assessment, modelling, IT-Grundschutz check and risk analysis documented module by module — as audit evidence for GDPR, NIS2 and cyber insurance. Runs parallel to all migration steps.",{"src":903},"https://images.unsplash.com/photo-1518770660439-4636190af475?w=1200&q=80",{},true,"/en/blog/bsi-it-grundschutz-microsoft-365",{"title":53,"description":856},"en/3.blog/11.bsi-it-grundschutz-microsoft-365","3B1ecGHtxbjC8pufrt2dNj1IoIbSi5i3nXbNw8TS4EQ",[911,915],{"title":912,"path":92,"stem":913,"description":914,"children":-1},"NIS2 and GDPR with Microsoft 365 – The Compliance Paradox of European Companies","en/3.blog/10.nis2-gdpr-microsoft-paradox","NIS2, GDPR and BSI demand strict data control. At the same time 90% of companies run on US cloud, wide open through the CLOUD Act. Why the compliance illusion collapses in 2026 – and what to do now.",{"title":916,"path":917,"stem":918,"description":919,"children":-1},"Microsoft 365 Copilot Flex Routing – How the EU Data Boundary is Quietly Being Eroded in 2026","/en/blog/microsoft-copilot-flex-routing","en/3.blog/12.microsoft-copilot-flex-routing","Since April 2026, Copilot AI inference leaves the EU under peak load – by default. Plus Anthropic as a sub-processor outside the EU Data Boundary. What German SMEs must check and disable now.",1779405609812]