Publication 06 Feb 2026 · International

Protecting classified information in Germany: Key requirements for the international arena

For companies in the defence and security sector, protection of classified information is essential because their work routinely involves exchanging highly sensitive government data. It is crucial that companies know how to handle classified information securely, particularly in an international context. Laws and requirements vary depending on the classification level. Failure to comply can result in significant legal and commercial risks.

Legal Foundations

German law distinguishes four levels of classification: “For Official Use Only” (VS‑NfD), “Confidential”, “Secret” and “Top Secret”, each with increasingly stringent personnel, technical and organisational security requirements. Companies involved in sensitive projects are legally required to protect classified information. The central regulatory framework comprises the German Security Clearance Act (Sicherheitsüberprüfungsgesetz – SÜG) and the German Secret Protection Manual (Geheimschutzhandbuch – GHB). Annex 4 of the GHB governs the VS‑NfD Code of Practice.

Protective Measures for Information “For Official Use Only” (VS‑NfD)

Although VS‑NfD is the lowest classification level, companies must still implement robust protective measures. Contractors must enter into a legally binding agreement with the relevant public authority, committing to comply with the VS‑NfD Code of Practice.

A key requirement is the need‑to‑know principle, which limits access to individuals who require the information to perform their tasks. A designated responsible person must instruct staff in accordance with the Code of Practice, obtain their acknowledgement of obligations and document all training. Mandatory physical and technical safeguards include secure storage in locked rooms or containers, use of approved IT systems with strong encryption and strict rules for remote work.

Disclosure of VS‑NfD information to third parties (including in the context of VS‑NfD subcontracts) requires the originator’s explicit consent. Contractors must also ensure that subcontractors are contractually bound to comply with the VS‑NfD Code of Practice (Annex 4 to the GHB). International transfers generally require a bilateral government‑to‑government agreement on the mutual protection of classified information.

Protective Measures for Information Classified “Confidential” or Higher

Handling information classified as “Confidential” or higher involves considerably stricter organisational, personnel and technical measures. Companies must enter into a formal agreement with the Federal Ministry for Economic Affairs and Energy (BMWE) and appoint a dedicated security officer. In many cases, companies must also establish secured work areas (“classified zones”).

Only personnel who have successfully completed the security clearance process under the SÜG and received explicit authorisation may access this information. The security officer oversees personnel‑related and physical security measures, including access control systems and secure IT infrastructure. Any transfer, duplication or destruction of classified information must be fully documented. Cross‑border disclosures are permitted only with the originator’s explicit consent and confirmation that the recipient can guarantee an equivalent level of protection, typically demonstrated by a valid Facility Security Clearance (FSC). Remote work is not permitted.
