Current developments in classified information protection

Growing importance of classified information protection for companies

With growing public sector contracts – for example in the defense, digitization, or infrastructure sectors – more and more companies, including SMEs and start-ups, are being required to handle classified information and implement regulatory requirements (e.g., security vettings on employees and organizational adjustments with regard to the material protection of classified information) in the context of public sector contracts. It poses a challenge for SMEs in particular, but also for complex corporate structures. This is because compliance with the applicable regulations usually requires a variety of measures, both in terms of IT infrastructure and organizational processes.

Legal framework for confidentiality

The legal basis for secrecy protection in Germany can be found primarily in the Handbook of Industrial Security (Geheimschutzhandbuch, GHB) and its annexes, the Security Screening Act (Sicherheitsüberprüfungsgesetz, SÜG) and the Classified Information Directive (VS-Anweisung – VSA). We already published an overview of the key requirements here in 2017.

The legal framework is continuously evaluated in order to identify any need for adjustments, particularly with regard to technical innovations and changes in the security situation.

A new version of the Classified Information Directive (VS-Anweisung – VSA), the central reference point for practical classified information protection, came into force on April 1, 2023. The amendment has resulted in the following key changes in particular:

• Mandatory introduction of continuous risk management, which requires the management of classified information to be continuously adapted to current threat situations.
• Stricter requirements for the use and approval of IT systems when handling classified information, including proof of compliance with BSI standards.
• Stricter and more uniform documentation requirements—especially for the classification, reclassification, and labeling of classified information, including in a digital context.
• The subsequent upgrading of the classification level of simple classified information is generally excluded.
• Regular checks and reporting requirements have been made mandatory.

The VS-NfD information sheet, an important part of the GHB, has also been revised with effect from September 1, 2023, in particular to integrate new digital and IT processes.

Planned amendment to the Security Screening Act (SÜG)

On October 9, 2025, the draft bill presented by the federal government "on the modernization of the Security Screening Act and the amendment of civil service regulations" (October 1, 2025 - 21/1926) was discussed in the Bundestag in its first reading. The bill was then referred to the committees for further consultation. The Interior Committee is in charge.

The most important topics of the draft bill include:

• Introduction of mandatory internet and social media searches for all types of screenings to improve risk detection.
• Stricter reporting requirements and fines for unvetted personnel in security-sensitive positions.
• Expanded obligations to disclose contacts with foreign intelligence services and organizations with extremist tendencies.
• Digital file management and accelerated, risk-oriented processing of security checks.
• Alignment of personnel sabotage protection regulations with secrecy protection standards.

These amendments are intended to strengthen protection against espionage, sabotage, and other threats and significantly improve the efficiency of security screenings.

Outlook

In view of the increasing cooperation between the public and private sector, the classified information protection is becoming a strategic task for the industry. This is because the ability to protect and handle classified information is no longer relevant only to the security and defense industry. The changed security situation is already leading to new collaborations and supply chains, particularly in the areas of IT and infrastructure. Companies that familiarize themselves with the requirements of classified information protection at an early stage and position themselves as "public ready" increase their competitiveness and market opportunities.