KORTHEXkorthex.flowence.cc

Jurisdictions / Germany

Germany: BSI, NIS2 and Grundschutz

Germany's cryptographic expectations are set by one authority with three faces: BSI TR-02102 defines the algorithm baseline, IT-Grundschutz (building block CON.1) demands the documented Kryptokonzept around it, and the German NIS2 implementation holds critical infrastructure to the state of the art. Korthex covers all three from one scan, with the German enterprise profile activating the BSI channel as its base.

The German regulatory stack

  • BSI TR-02102-1: key-size floors (RSA 3000 bit, ECC 250 bit), approved hashes and modes, hybrid PQC guidance - covered by the 16-rule BSI channel
  • IT-Grundschutz CON.1: the documented Kryptokonzept, with the CBOM as its living inventory annex
  • NIS2 implementation (KRITIS and important entities): state-of-the-art cryptography evidence via the NIS2 tags the BSI channel carries
  • Air-gapped and on-premise operation as the deployment default German federal and KRITIS environments typically require

Recommended configuration

German enterprises activate the BSI channel (plus the Korthex-curated fallback); operators under NIS2 add ANSSI for the second EU authority stance. There is deliberately no separate Germany overlay: BSI is the national authority, so the authority channel IS the jurisdiction mapping, and the Grundschutz deep dive covers the audit-evidence workflow.

Frequently asked questions

Why is there no separate Germany rule overlay?

Because BSI is the German authority: TR-02102 is the national baseline, so the BSI channel carries the jurisdiction. Overlays exist where a region adds rules on top of foreign authorities (UK on NIST, for example).

Does this cover KRITIS obligations?

The cryptography slice, yes: BSI-channel findings carry NIS2 tags, and the recurring CBOM documents the state of the art. Registration, incident reporting and the wider KRITIS duties live outside a scanner.

Is Korthex itself a German product?

Yes. Korthex is built in Germany by Flowence and runs fully on-premise, including air-gapped, so source code never leaves your infrastructure.