ISMS Copilot for German healthcare compliance
KRITIS health thresholds and B3S, NIS-2-DE duties, and BDSG health-data documentation — without putting patient data in chats.
Read this first: ISMS Copilot is for documentation, not patient-data processing
ISMS Copilot does not sign an Auftragsverarbeitungsvertrag (AVV) for patient data and is not a processor for besondere Kategorien personenbezogener Daten under Art. 9 GDPR / § 22 BDSG. Use it to draft your B3S evidence, your § 30 BSIG risk-management measures, your DSFA methodology and staff training — but never paste actual patient data (names, Versichertennummer, diagnoses, treatment notes, patient-provider conversations) into chats. If you need an AI assistant that processes patient data, you need an AVV-bound vendor instead.
The German health compliance stack
- Run the KRITIS health applicability test: sector + threshold against the BSI-KritisV Anlagen and patient/case thresholds
- Prepare branchenspezifische Sicherheitsstandards (B3S) evidence for the health sector under § 8a BSIG
- Map NIS-2-DE / BSIG § 30 risk-management measures for besonders wichtige / wichtige Einrichtungen
- Work the 24-hour / 72-hour / one-month BSI incident-reporting cascade
- Document Art. 9 GDPR + § 22 BDSG legal bases for processing health data
- Cross-map B3S, NIS-2-DE and ISO 27001 so each control is written once
Built for German health compliance leads
B3S health-sector control library mapped to ISO 27001 Annex A
KRITIS registration and BSI notification workflow guidance
NIS-2-DE § 30 measures and senior-management liability documentation
Attack-detection-system (SzA) implementation support for health KRITIS
DSFA (Datenschutz-Folgenabschätzung) methodology for health processing
BDSG § 22 / Art. 9 GDPR safeguards documentation — no patient data required
B3S and KRITIS thresholds for German health providers
German health providers face a two-layer national stack on top of GDPR. Layer one is KRITIS: if your facility exceeds the BSI-KritisV thresholds for the health sector (broadly, hospitals above the defined annual case count), you become a KRITIS operator and must demonstrate § 8a BSIG compliance — the sector route for this is the branchenspezifischer Sicherheitsstandard (B3S) for medical care. Layer two is NIS-2-DE: the NIS2UmsuCG / amended BSIG pulls many health entities in as besonders wichtige or wichtige Einrichtungen with § 30 risk-management duties, BSI registration and the staged incident report. ISMS Copilot maps B3S, § 30 BSIG and ISO 27001 to one control set, and keeps the BDSG / Art. 9 health-data analysis documentation-only — no patient data ever enters a chat.
Frequently Asked Questions
Are we a KRITIS operator?
It depends on the BSI-KritisV thresholds for the health sector — broadly, hospitals above the defined annual fully inpatient (vollstationär) case count, plus other in-scope health facilities. ISMS Copilot runs the applicability test against your facility type and volumes and explains the § 8a BSIG obligations and the B3S health-sector route that follow.
Can we paste patient data into chats to get better answers?
No. ISMS Copilot is not an AVV-bound processor for Art. 9 / § 22 BDSG health data. Keep patient identifiers, diagnoses and treatment notes out of chats entirely. Describe processes, controls and architectures instead — that is what produces the B3S, § 30 BSIG and DSFA documentation you need.
How do KRITIS and NIS-2-DE overlap for a hospital?
A large hospital can be both a KRITIS operator (§ 8a BSIG, B3S route) and a besonders wichtige Einrichtung under NIS-2-DE / BSIG § 30. The duties overlap heavily, so ISMS Copilot generates a combined control matrix across B3S, § 30 BSIG and ISO 27001 rather than three separate ones.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.
