About us — Vision 2045

Europe's leading security company — and a benchmark.

EUSEC® is the European cyber rating agency. We protect the information and supply chains of those who rely on us — government agencies, private companies and partner firms who secure their portfolios through us — so they can focus on what matters most: their business and the people they serve.

We are a young company, and we treat that as a strength. Many established providers charge a premium for their name. We believe there is another way: genuine expertise, transparent and fair advice, and economically sound solutions that don't have to be expensive to be excellent.

EUSEC at a glance
  • Founded: 2022, as Botiguard GmbH
  • 2023: BaySec mbH
  • Since 2025: European brand EUSEC®
  • Jurisdiction: EU & Germany
  • Model: Public Money = Public Code
  • Focus: Ratings · Testing · Supply chain
Exhibit 01 — Our background

From a Bavarian start-up to a European brand.

In 2022 Benjamin Nitzinger founded Botiguard GmbH. In 2023 the company expanded into BaySec — Bayerische Gesellschaft für Cybersicherheit mbH — operating across Europe. Since 2025 we have worked under the European brand EUSEC®.

2022

Botiguard GmbH

Founded by Benjamin Nitzinger. The first public-code projects — "Botiguard" and the "Watzmann Game" — set the tone for affordable, government-tailored cybersecurity.

2023

BaySec mbH

Bayerische Gesellschaft für Cybersicherheit — the company broadened its mandate and began operating throughout Europe.

2025

EUSEC®

A single European brand for the cyber rating agency, with a clear identity: high-quality, fair and pragmatic security for organisations of every size.

Public Money = Public Code

When a public authority commissions us, we make the results available to every other German authority free of charge under a Public Code License v1. Cybersecurity stays affordable while remaining tailored to the needs of government — and the public benefits more than once from work it has already paid for.

Exhibit 02 — Values manifesto

What we stand for.

Four commitments shape how we work — with clients, with each other, and with the public institutions that trust us.

01 — Customer focus

We take ownership of our clients' success.

  • We give constructive support, go the extra mile for clients and three times further for government when needed.
  • Trust matters more than money; we start where you are and listen actively to truly understand.
  • Balanced cost — we never default to the most expensive solution.

02 — Integrity, compliance & truth

We hold to the law in an exemplary way.

  • We keep relationships positive and constructive, and never speak ill of clients, colleagues or the company.
  • In doubt, we act with complete transparency.
  • We own and correct our mistakes — and we never bend the law, relationships or trust.

03 — Performance orientation

Good solutions don't have to be expensive.

  • We are performance- and future-oriented.
  • We stay strictly cost-conscious so we can operate sustainably.
  • We consciously avoid expensive frills and invest where it creates real value.

04 — Loyalty

Our loyalty lies with the EU and Germany.

  • We keep our distance from the governments of unstable states.
  • We work only with parties directly or indirectly aligned with the EU.
  • European sovereignty is a design principle, not an afterthought.

Exhibit 03 — Management

Led by an auditor's discipline.

Benjamin Nitzinger
Managing Partner · Gesellschafter-Geschäftsführer

Beyond his professional work, Benjamin has spent many years in volunteer service. With a local branch of the German Child Protection Association (DKSB) he supported children from difficult family and social circumstances, including supervised contact in sensitive cases. He has tutored and coached primary and secondary students in the Berchtesgaden region, and for years supported an international children's aid organisation — carrying out on-site inspections and internal anti-corruption audits to ensure that aid actually reached the children who needed it, uncovering and following up several cases of misuse.

Academic education
  • Diploma in Business Information Systems — Wismar University of Applied Sciences
  • MSc Advanced Security & Digital Forensics — Edinburgh Napier University

Selected qualifications
  • ISO/IEC 27001:2022 Lead Auditor (CQI & IRCA)
  • Information Security Officer to ISO 27001 (TÜV Saarland)
  • Testing competence for § 8a (3) BSIG (TÜV SÜD)

Certifications
  • Data Protection Auditor · TÜV
  • Data Protection Officer · GDPR & BDSG-neu
  • ISO 27001 ISO · TÜV Saarland
  • § 8a (3) BSIG · TÜV SÜD
  • BSI IT-Grundschutz 200-x · TÜV Nord
  • ISO/IEC 27001:2022 Lead Auditor
  • ISTQB Advanced · Test Manager
  • ISTQB Advanced · Test Analyst
  • ISTQB CTFL

Anonymous compliance reporting

Integrity is non-negotiable.

compliance@eusec.net

Lawful conduct and integrity matter to us above all else, and we tolerate no misconduct. To report a potential violation, write to compliance@eusec.net — anonymously if you prefer. We acknowledge every report and follow up where needed, so please describe the matter as precisely as you can.

Please use the channel responsibly: abusive or knowingly false accusations are not acceptable. As a rule we do not attempt to trace anonymous reports — the only exception being a message that itself contains unlawful content. If you wish to stay anonymous, make sure your email does not reveal your identity; temporary addresses are fine, though further communication may then not be possible.

Exhibit 04 — Our security

We hold ourselves to the standard we measure others against.

Protecting the information entrusted to us is the core of what we do. We operate an information security management system aligned with ISO/IEC 27001:2022, and our policies are reviewed, communicated and approved by management at least once a year.

Security governance

An ISMS aligned with ISO/IEC 27001:2022. Policies are owned by management, reviewed annually, and every role carries clear security responsibilities.

Data protection

Customer data is encrypted at rest and in transit. Personal data is handled in line with the GDPR and the BDSG, under clear privacy notices.

European hosting

Our services run on hardened cloud infrastructure located within the European Union; provider security and compliance are monitored on an ongoing basis.

Identity & access

Unique accounts, enforced multi-factor authentication and least-privilege access, with single sign-on (SAML / OIDC) where configured and access reviewed regularly.

Application security

A documented secure development lifecycle with peer review, automated dependency and image scanning in the build pipeline, and independent penetration testing.

Endpoint security

Access is restricted to managed devices with encrypted drives and endpoint detection & response, continuously checked against a security baseline.

Logging & monitoring

System activity and security events are logged, protected from tampering and monitored, with alerting for unusual usage and defined retention periods.

Subprocessors

Third parties that may process data are risk-assessed before onboarding and reviewed regularly; the current list is available to customers on request.

Resilience

Important data and systems are backed up and tested, with business continuity and disaster recovery plans maintained so we keep calm and carry on.

Responsible disclosure

Found a vulnerability? Tell us.

If you believe you have found a security vulnerability in our service, please report it to security@eusec.net. If you think your account has been compromised or you notice suspicious activity, use the same address. We review every report and act on it promptly.

security@eusec.net
No bug-bounty programme at this time
Exhibit 05 — Infrastructure & certifications

Information security for our cloud infrastructure & IT operations.

The API, dashboard, website and email systems behind EUSEC run on hardened cloud infrastructure operated entirely within the European Union by our infrastructure provider, Hetzner Online GmbH. That infrastructure carries the independently audited certifications and attestations below — so the foundation we build on is held to the same standard we measure others against.

  • ISO/IEC 27001:2022
  • BSI C5 · Type 2
  • KRITIS-V · § 8a BSIG
  • NIS-2
  • PCI DSS v4.0
  • TÜV Rheinland audited

Last modified 07.04.2025 · Created 24.07.2024 · ID: GE-F72E4
01 — Certification

ISO/IEC 27001:2022

The infrastructure is certified to ISO/IEC 27001:2022. With respect to the controls in Annex A of the standard, there are no exclusions.

02 — Attestation

BSI C5 — Type 2 attestation

A BSI C5 Type 2 attestation demonstrates an independently audited, high level of security for the cloud services. C5 — the Cloud Computing Compliance Criteria Catalogue — is published by Germany's Federal Office for Information Security (BSI) and defines minimum requirements for the information security of cloud services. A Type 2 attestation confirms that the criteria are not only appropriately implemented but have also been effectively applied over a defined period. The catalogue is wide-ranging, spanning organisational, technical and operational measures, governance and management structures, transparency obligations and legal frameworks. Its base criteria incorporate all ISO/IEC 27001 criteria and require a management system aligned with that standard.

03 — Regulatory status

KRITIS-V / NIS-2

The provider is classified in Germany by the Federal Office for Information Security (BSI) as an operator of critical services under the national KRITIS regulation, and is certified in accordance with § 8a BSIG.

04 — Certification

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an internationally recognised security standard for companies that process or transmit credit card data. The provider itself does not store credit card information; processing is handled exclusively through its certified German payment service provider, Computop. Card details are entered directly in the provider's customer account, which fully complies with PCI DSS in its current version 4.0, revision 1.0.

Statement of Applicability (SoA)

The SoA is an internal document that is not made available to third parties. There are no exclusions from the Annex A controls of ISO/IEC 27001:2022.

Technical & organisational measures (TOMs)

A wide range of measures safeguards the processing of personal data. An overview of the technical and organisational measures is provided in Annex 2 of the data processing agreement (DPA). The TOMs are reviewed at regular intervals by an external data protection organisation — currently TÜV Rheinland — and the audit report is made available to customers with a DPA directly in their customer account.

Exhibit 06 — Policy

General Information Security Policy.

This policy sets out EUSEC's commitment to protecting the information and IT assets entrusted to it — including computers, mobile devices, network equipment, software and sensitive data — against internal, external, deliberate and accidental threats, and to reducing the risks of theft, loss, misuse, damage or abuse of these systems.

Our commitments

Authorised access only

Information is protected against unauthorised access. Users may reach only the resources they have been explicitly authorised to use; privileges are tightly controlled and reviewed regularly.

Confidentiality

We keep information from being disclosed to unauthorised parties.

Integrity

We keep information from being altered by unauthorised parties.

Availability

We ensure authorised parties can reach the information they need, when business processes require it.

Compliance — and beyond

We meet and, wherever possible, exceed national legal and regulatory requirements, standards and good practice.

Continual improvement

We continuously improve the information security management system through corrective actions that increase its effectiveness.

Business continuity

We build, maintain and test business continuity plans so we stay on course despite the obstacles we may meet — keeping calm and carrying on.

A culture of awareness

Security training is available to everyone. Awareness and targeted training run consistently, security responsibilities are reflected in job descriptions, and compliance is an expected and accepted part of our culture.

No retaliation

No action is taken against anyone who raises a security concern — by reporting it or in direct contact with the Information Security Officer — unless the disclosure clearly evidences, beyond reasonable doubt, an unlawful act, gross negligence, or repeated wilful disregard of rules or procedures.

Breach reporting

All actual or suspected information security breaches are reported to security@eusec.net or through our incident management procedure.

Enforcement, exceptions & complaints

Enforcement

Non-conformance with this policy may lead to disciplinary action — from informal or formal warnings up to termination of contract.

Exceptions

Any exception requires written authorisation by email from the Information Security Officer and is granted as a time-limited policy waiver.

Complaints

Anyone covered by this policy may submit complaints about it at any time. Complaints are filed and answered within 14 days of submission.

Requests for exceptions and complaints are addressed to the Information Security Officer at security@eusec.net.

Exhibit 07 — Trust & controls

Our controls, mapped to ISO/IEC 27001:2022.

The measures below are organised across the four domains of the international standard. Together they describe how EUSEC governs people, processes, premises and technology to keep information safe.

01 — Information security policy

A documented information security policy, approved by leadership and backed by topic-specific policies, sets the direction for the whole programme and is reviewed at planned intervals and after significant change.

02 — Roles & responsibilities

Specific security duties are assigned to named people, so accountability for protecting information and assets — including risk ownership — is always clear.

03 — Management responsibilities

Leadership actively backs the programme: staff are briefed on their obligations, resourced, trained annually and given a confidential channel to raise concerns.

04 — Segregation of duties

Conflicting tasks are deliberately split so no single person holds enough access or authority to act unchecked, reducing the risk of error or fraud.

05 — Documented operating procedures

Up-to-date, easy-to-follow procedures for IT operations live in our internal wiki, so work is carried out consistently and securely.

06 — Inventory of assets

We keep a current register of information and assets together with the people accountable for each, so nothing falls outside management.

07 — Acceptable use of assets

Clear rules govern how company information and equipment may be used and handled, and those expectations are communicated to everyone.

08 — Return of assets

Structured offboarding checklists ensure departing staff and partners hand back every company asset they hold.

09 — Classification of information

A documented scheme rates information by sensitivity and business value so it can be handled with appropriate care.

10 — Labelling of information

Information carries labels that reflect its classification, making the required level of protection obvious to anyone who handles it.

11 — Information transfer

Data moving inside or outside EUSEC follows defined, secure rules that preserve its confidentiality and integrity.

12 — Protection of records

Records are stored securely with least-privilege access and retained per legal requirements, guarding against loss or tampering.

13 — Intellectual property rights

We respect copyright and licensing, use only properly licensed software, and follow defined rules to protect our own and third-party IP.

14 — Access control

A documented policy governs who may reach which systems; network access is limited to authorised people and reviewed regularly.

15 — Identity management

The full lifecycle of accounts is managed so every user is uniquely identifiable and holds only appropriate rights.

16 — Authentication information

Passwords and other credentials are issued, stored and protected carefully so only legitimate users gain access.

17 — Access rights

Permissions are granted, adjusted and revoked in step with people's roles, and reviewed periodically.

18 — Supplier relationships

We maintain a supplier register and work only with partners who meet defined security expectations for handling our data.

19 — Security in supplier agreements

Contracts spell out the security requirements and responsibilities of each party, so risk is managed and data stays protected.

20 — ICT supply-chain security

Security requirements are set for providers of cloud services, connected devices and hosting, and their compliance is monitored across the chain.

21 — Monitoring of supplier services

Supplier security is reviewed on a risk-prioritised basis — higher-risk providers at least annually — with issues addressed promptly.

22 — Security in project management

Security considerations, including vendor due diligence, are built into projects from the outset to ensure secure outcomes.

23 — Security for cloud services

Selecting, using and exiting cloud services follows defined guidance, with clear roles and responsibilities for each service.

24 — Threat intelligence

We collect and analyse information on emerging threats to anticipate them and make better-informed defensive decisions.

25 — Incident planning & preparation

Roles, responsibilities and processes for incidents are defined and documented in advance, so we respond quickly and keep stakeholders informed.

26 — Assessing security events

Events are triaged for severity and prioritised, with decisions and supporting detail recorded for later analysis.

27 — Incident response

Incidents are handled with documented procedures covering containment, evidence handling and clear communication throughout.

28 — Learning from incidents

Insights from past incidents feed back into stronger controls, better response plans and sharper staff awareness.

29 — Collection of evidence

Defined procedures govern how evidence is identified, gathered and preserved, so it stays sound for any legal or disciplinary use.

30 — Contact with authorities

We define when and by whom regulators, supervisory bodies or law enforcement are contacted, and how incidents are reported in good time.

31 — Special interest groups

We take part in security communities and advisories to stay current on threats, good practice and new vulnerabilities.

32 — Security during disruption

Plans set out how security is maintained when normal operations are disrupted, captured in our continuity and recovery documentation.

33 — ICT readiness for continuity

Continuity arrangements for IT are defined and tested so systems and data stay available and protected through unexpected events.

34 — Legal & regulatory compliance

We identify and track our legal, regulatory and contractual obligations — DPAs, NDAs, SLAs and more — to remain consistently compliant.

35 — Independent review of information security

Our security approach and its controls are reviewed independently at planned intervals and after major change — through internal audits and external assessments such as ISO/IEC 27001 — to confirm they remain effective.

36 — Compliance with policies, standards & rules

We check regularly that day-to-day work complies with our own security policies, standards and procedures, and address any gaps so practice stays aligned with the programme.

37 — Privacy & protection of PII

Personal data is handled in line with applicable law and contracts under clear privacy notices, with systems that process it kept under close review.

Controls are described at a summary level and mapped to the four domains of ISO/IEC 27001:2022 (Annex A).

Scalable. Trusted.

Let's secure your supply chain together.

Rate up to 10 companies for free — no credit card, no account, zero obligation.
