Elementary Threat · BSI IT-Grundschutz

G 0.29 — Violation of Laws or Regulations

Reviewed by: Cenedril Editorial

During the annual audit of a medium-sized company, the auditor identifies serious security deficiencies in the IT-supported accounting. Access rights are not assigned in a traceable way, and changes to booking-relevant data are not logged. The auditor cannot issue a clean opinion — with immediate consequences for the company’s creditworthiness.

Violations of laws or regulations (G 0.29) often arise where information security does not keep pace with legal requirements. BSI lists this threat as one of the broadest in the IT-Grundschutz catalogue.

What’s behind it?

The legal landscape around information security is complex and constantly evolving. Organisations must comply with a multitude of laws, regulations and contractual obligations simultaneously — and correctly assess their relevance to their specific situation.

Regulatory areas

  • Data protection — GDPR, BDSG and the German federal state data protection acts govern the handling of personal data. Violations can lead to fines of up to 20 million euros or 4% of annual turnover.
  • Commercial and tax law — HGB and AO require the proper processing of booking-relevant data, including traceability and audit-proof records.
  • Corporate law — KonTraG, GmbHG and AktG establish due diligence obligations of management in the area of risk management and information security.
  • Industry-specific regulation — Operators of critical infrastructure are subject to the IT Security Act, financial service providers to BAIT/VAIT, healthcare institutions to SGB V.
  • Contractual obligations — In the automotive industry, for example, manufacturers require their suppliers to comply with certain security standards (TISAX). Violations can result in contractual penalties or loss of the business relationship.

Impact

Legal violations cause multi-dimensional damage: fines, contractual penalties, civil damage claims, criminal consequences for responsible persons and reputational loss. The reputational damage can exceed the financial damage in the long term — especially in data protection breaches that become public.

Practical examples

Data protection violation through missing deletion routines. A company stores customer data from contractual relationships that ended more than ten years ago. The data has never been deleted, and no deletion concept exists. During a supervisory audit, the violation of storage limitation (GDPR Art. 5) is identified. A six-figure fine follows.

Supplier loses TISAX approval. An automotive supplier fails to implement the security measures required by its client. In the TISAX assessment, the company fails. The client sets a three-month remediation deadline. If the requirements are not met, termination of the business relationship looms — an existential risk for the supplier.

Missing logging in financial audit. A company’s accounting uses an ERP system in which changes to booking entries are not logged in an audit-proof manner. The auditor cannot confirm the integrity of the financial data and refuses to issue an unqualified opinion. Banks and investors read this as an alarm signal.
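As an added illustration (not code from the page or from Cenedril) of what "audit-proof" logging of booking changes means in practice: a minimal hash-chained change log in Python, where every record links to its predecessor by hash, so a silent in-place edit or a removed record shows up on verification. The record schema and the sample values are constructed for the example.

```python
import hashlib, json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the very first record


@dataclass
class ChangeRecord:
    """One append-only record of a change to a booking entry (hypothetical schema)."""
    seq: int
    booking_id: str
    actor: str
    old_value: Optional[dict]
    new_value: dict
    prev_hash: str
    hash: str = ""


def _digest(rec: ChangeRecord) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    body = {k: v for k, v in rec.__dict__.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: List[ChangeRecord] = []

    def append(self, booking_id: str, actor: str, old_value: Optional[dict], new_value: dict) -> ChangeRecord:
        prev = self.records[-1].hash if self.records else GENESIS
        rec = ChangeRecord(len(self.records), booking_id, actor, old_value, new_value, prev)
        rec.hash = _digest(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the seq of the first record whose content, position or link to its
        predecessor no longer matches, or None if intact. Deleting only the newest
        records is invisible here; anchor the latest hash externally to catch that."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or _digest(rec) != rec.hash:
                return i
            prev = rec.hash
        return None


def tamper_demo() -> Optional[int]:  # constructed sample: two changes, then a silent edit
    log = AuditLog()
    log.append("B-1001", "alice", None, {"amount": 250.0, "account": "4400"})
    log.append("B-1001", "bob", {"amount": 250.0, "account": "4400"}, {"amount": 2500.0, "account": "4400"})
    log.records[1].new_value["amount"] = 25.0  # edited in place, without a new record
    return log.verify()  # -> 1
```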

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 79 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

G 0.29 is linked by the BSI IT-Grundschutz catalogue to the following modules:

  • ORP.5 (Compliance management) — Requirements for systematic compliance with legal and contractual obligations.
  • ORP.2 (Personnel) — Employment law aspects and duties of employees.
  • CON.1 (Cryptographic concept) — Compliance with regulatory requirements for cryptography.
  • DER.3.1 (Audits and inspections) — Internal and external review of compliance.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.3 Segregation of duties
  • A.5.4 Management responsibilities
  • A.5.5 Contact with authorities
  • A.5.6 Contact with special interest groups
  • A.5.7 Threat intelligence
  • A.5.9 Inventory of information and other associated assets
  • A.5.10 Acceptable use of information and other associated assets
  • A.5.11 Return of assets
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.22 Monitoring, review and change management of supplier services
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.31 Legal, statutory, regulatory and contractual requirements
  • A.5.32 Intellectual property rights
  • A.5.34 Privacy and protection of PII
  • A.5.35 Independent review of information security
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.5.37 Documented operating procedures
  • A.6.1 Screening
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.6.4 Disciplinary process
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.6.8 Information security event reporting
  • A.7.1 Physical security perimeters
  • A.7.2 Physical entry
  • A.7.3 Securing offices, rooms and facilities
  • A.7.4 Physical security monitoring
  • A.7.5 Protecting against physical and environmental threats
  • A.7.6 Working in secure areas
  • A.7.7 Clear desk and clear screen
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.11 Supporting utilities
  • A.7.12 Cabling security
  • A.7.13 Equipment maintenance
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.6 Capacity management
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.10 Information deletion
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.30 Outsourced development
  • A.8.31 Separation of development, test and production environments
  • A.8.34 Protection of information systems during audit testing

Frequently asked questions

Which laws are relevant for information security?

This depends on the industry and location. In Germany, typically the GDPR, BDSG, the IT Security Act (for operators of critical infrastructure), the HGB, the AO and industry-specific regulations (e.g. BAIT for financial service providers) are relevant. Companies with international locations must additionally observe the respective national regulations.

Is management personally liable for inadequate information security?

Yes, under certain circumstances. KonTraG, GmbHG and AktG require management to exercise appropriate diligence, which includes information security. In cases of gross negligence, personal liability can arise. A documented, adequate security organisation is therefore indispensable, also for liability reasons.

How do ISO 27001 and legal requirements relate?

ISO 27001 is an international standard, not a law. Implementing an ISMS according to ISO 27001 helps to systematically identify and meet legal requirements. In many industries, ISO 27001 certification is accepted by customers or supervisory authorities as evidence of adequate security measures.