Compliance & audit

Compliance is not an acronym salad. It's an audit trail.

Six compliance domains pressing mid-market and regulated sectors across DACH 2025–2027. For each domain we clarify precisely: what the audit checks, which TechCare service delivers what evidence, which documentation arrives automatically with every contract — compliance-officer and CISO-grade, no marketing fluff.

6 compliance domains
8 auto-doc packs per contract
24/72h NIS2/DORA incident reporting
DACH engineer pool with no tier-3 sub
The 6 domains

What the audit checks. What TechCare delivers. What docs arrive automatically.

EU DORA · Digital Operational Resilience Act · Art. 28

Operational resilience for ICT third parties

Banks · Insurance · Financial services
Effective since January 2025
What the audit checks

Hardware maintenance counts as a critical ICT third-party service. Auditors verify that TechCare is contractually integrated, regularly tested and resilient under stress.

Which TechCare service delivers?

Written SLA with documented response times and availability targets, annual TLPT-capable resilience test (threat-led penetration testing), sub-outsourcing register covering all engineer pools.

What documentation arrives automatically

Quarterly resilience report (SLA performance, incident logs, sub-outsourcing mapping), DORA-compliant contract template, audit trail of every hardware intervention.

NIS2 · Network & Information Security Directive · Art. 21

Cybersecurity baseline for essential entities

Energy · Transport · Health · Water · Telecom · Digital
Transposition deadline October 2024 · DACH rollout underway
What the audit checks

Auditors verify the ten mandatory areas from Art. 21: risk management, incident handling, supply-chain security, vulnerability management, crypto, MFA, backup. Hardware patching and firmware updates are hard minimum requirements.

Which TechCare service delivers?

Firmware patch management cross-checked with OEM bulletins, documented incident response within 24h, vulnerability tracking per model, secured supply chain for spare parts (chain of custody).

What documentation arrives automatically

Maintenance log with patch status per system, NIS2-compliant incident reports within 24h/72h, supply-chain mapping for every hardware delivery.

KRITIS · BSI IT-SiG · KRITIS-Verordnung

Minimum standard for critical infrastructure

Energy · Water · Health · Finance · Transport · Telecom
Effective since 2017 · regular BSI evidence audit
What the audit checks

BSI audits the state of the art in security management every two years. Hardware maintenance must be available 24/7, delivered by German-based engineers (no sub-sub-outsourcing risk), with TÜV-certified data erasure on decommissioning.

Which TechCare service delivers?

24/7 hotline with engineer escalation within 2h, German engineer pool without tier-3 subcontractor chain, TÜV-certified data erase per BSI wipe standards, spare parts from EU stock.

What documentation arrives automatically

Quarterly SLA report, engineer-certification register (refreshed annually), data-erase certificate per decommissioning, spare-parts origin proof.

BAIT / MaRisk · Bankaufsichtliche Anforderungen an die IT · BaFin

IT outsourcing with crisis resilience and sub-outsourcing transparency

Banks · Savings banks · Investment firms · BaFin-regulated financial services
Updated 2021 · DORA-complemented 2025
What the audit checks

BaFin audits the outsourcing contract, the sub-outsourcing chain, crisis tests and exit strategy. Hardware maintenance must be contractually embedded, with documented SLA and a verifiable disaster-recovery plan.

Which TechCare service delivers?

BAIT-compliant contract with outsourcing clauses, complete sub-outsourcing register (no hidden tier-3), annual crisis test with switch-over drill, documented exit strategy per contract.

What documentation arrives automatically

BAIT-compliant outsourcing report (template), quarterly SLA performance report, crisis-test protocol with switch-over time, exit-plan update annually.

TISAX · Trusted Information Security Assessment Exchange · VDA-ISA

Information security for automotive supplier chains

Automotive · OEM · Tier-1/tier-2 suppliers
VDA-ISA standard · audit level per protection requirement
What the audit checks

TISAX audits the VDA-ISA catalogue: confidentiality of prototype data, engineer NDAs, secured spare-parts warehousing, hardware disposal with data destruction. Automotive OEMs require level-2 or level-3 audits from maintenance partners.

Which TechCare service delivers?

ISO 27001-certified service provider, NDA for every field engineer per site, secured spare-parts warehouse with access logging, R2v3-certified disposal partner for end-of-life hardware.

What documentation arrives automatically

TISAX mapping sheet (which VDA-ISA controls TechCare covers), engineer NDA and background-check confirmation per site, R2v3 disposal certificate per hardware decommissioning.

ISO/IEC 27001:2022 · Information Security Management System

ISMS anchor for structured security evidence

Cross-sector · prerequisite for many supplier audits
Certification 3-yearly · annual surveillance audit
What the audit checks

External auditors (TÜV, DQS, BSI) verify the 14 Annex A domains of the ISO 27001 catalogue. Relevant for hardware maintenance: A.15 supplier relationships, A.18 compliance, A.5 information security policies, A.8 asset management.

Which TechCare service delivers?

TechCare runs a certifiable ISMS with documented policies, clear asset inventory, contractually secured supplier relationships and controlled compliance tracking.

What documentation arrives automatically

ISO 27001 certificate (on request), SoA mapping (statement of applicability) of relevant Annex A controls, auditor-ready service reports, audit logs of all engineer accesses.

Auto documentation

Eight documentation packs that arrive automatically with every contract.

Compliance officers and CISOs need evidence, not marketing claims. These eight packs sit in the portal quarterly or per intervention — traceable, auditor-grade, no request loops.

Quarterly

SLA performance report

Response times and availability per site, comparison to agreed SLA levels, escalations with root-cause analysis.

On every intervention

Audit trail of all engineer access

Who was on site, when, where and on which system: full logging with engineer ID, ticket reference and site.

Per decommissioning

Data-erase certificate

TÜV/BSI-compliant wipe proof (NIST 800-88, BSI-GS) with serial number, wipe method and verification hash.

Per spare part

Chain-of-custody record

Origin of every spare part: which distributor it came from, which OEM original serial number it carries, and whose hands it passed through before delivery.

Refreshed annually

Engineer certification register

List of all field engineers with current OEM certifications, background-check status (on request), TISAX/NDA signature.

Within 24h/72h mandatory reporting

Incident reports

NIS2/DORA-compliant: initial notification within 24h, deeper report within 72h, final report with lessons learned. Delivery format BSI-compliant on request.

Annually + on changes

Outsourcing & sub-outsourcing report

BAIT/DORA-compliant: TechCare as outsourcing partner, complete sub-outsourcing list (engineer pools, distributors), risk assessment.

Annually

Crisis-test protocol

Switch-over drill with measured response time, documented exit strategy and emergency engineer pool. DORA resilience-test ready.

Audit support

How we support your audit — in three phases.

1. Kickoff & scope

   Which audits are upcoming? Which documents will the auditor request? Which TechCare contracts need referencing? We map your needs against our service modules.

2. Documentation & auditor brief

   You receive an audit pack with all required evidence: SLA reports, engineer lists, certificates, sub-outsourcing mapping, contractual clauses. On request, coordinated directly with your auditor.

3. Audit support & follow-ups

   During the audit itself, our compliance officer and service-delivery manager are on standby. We answer post-audit requests within 48h with traceable evidence from the service trail.

Frequently asked

What compliance officers ask most.

Are you ISO 27001 certified?

We run a certifiable ISMS and supply the current certificate plus SoA mapping (Statement of Applicability) on request. We operate in a DACH-specific audit reality — TÜV, DQS and BSI are the typical certifiers our customers recognise.

How do you specifically support our DORA audit?

DORA Art. 28 requires a written contract with documented SLAs, a full sub-outsourcing register, annual resilience tests and an exit strategy. We deliver the DORA-compliant contract template, the quarterly resilience report and run an annual switch-over drill — verifiable to any TLPT auditor.

What do I receive automatically each quarter?

Standard compliance pack: SLA performance report, audit trail of all engineer access, incident logs, sub-outsourcing status. On agreement we extend with spare-parts chain-of-custody, engineer certification register and crisis-test protocol.

Who has access to our hardware data — and how is that audited?

On-site interventions are handled by a defined engineer pool, each with signed NDA. Every access runs through a ticket with audit trail (who, when, which system, which action). Data carriers never leave the site without documented data erase or sealed security container.

What happens during a security incident — e.g. a defective spare part with potential data remnants?

Immediate escalation to our compliance officer (within 4h). Initial notification to you within 24h, deeper report within 72h — exactly per NIS2/DORA deadline. Defective data carriers are destroyed on-site (BSI-compliant wipe or physical destruction) and never returned without a documented erase certificate.

Can we run a background check on TechCare engineers?

Yes. For TISAX level-3 sites or KRITIS security areas, background checks are standard, performed by certified providers (Bundesdruckerei, Schufa-Wirtschaftsdienst). On request we provide the signed confirmation per assigned engineer.

How does your compliance documentation differ from the OEM standard?

Three points: (1) We have a dedicated compliance officer; OEM maintenance typically runs via international service hubs with no EU compliance focus. (2) We deliver reports in German, audit-ready for DACH auditors. (3) Sub-outsourcing transparency: with OEMs the engineer chain is often three tiers deep (OEM → continental partner → local sub) and opaque; with us it is one to two tiers and contractually documented.

Do I need a separate contract for KRITIS or NIS2?

No. The standard maintenance contract already includes NIS2/KRITIS-relevant clauses (incident-response deadlines, sub-outsourcing transparency, engineer certifications). During onboarding we add the KRITIS-specific appendices (e.g. B3S hospital mapping, BSI wipe standard) at no extra cost.

What sub-outsourcing transparency do you offer?

Complete list of all engineer pools (full-time staff and contractors), spare-parts distributors with locations, plus specialised disposal partners (R2v3-certified). Updated annually plus on every change in the standard appendix. No hidden tier-3 — we name names.

Who is my compliance contact at TechCare?

Per contract you get a dedicated service-delivery manager as operational contact and the compliance officer as escalation instance for audit topics. Direct line, no hotline maze. Both speak German and understand DACH compliance vocabulary (BAIT, MaRisk, BSI, BaFin, NIS2).
