TL;DR

Since 6 December 2025, German companies have new, immediate cybersecurity obligations under the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which amends the BSI Act (Reed Smith, January 2026). These obligations explicitly extend to direct suppliers and service providers under §30 II No. 4 of the revised BSI Act (YPOG, February 2026), meaning your software development partner is now part of your regulated supply chain.

Choosing a non-compliant vendor can expose your management to personal liability and fines of up to €10 million or 2% of global annual turnover (Reed Smith, January 2026). This article gives you a 15-point evaluation framework, five criteria each for compliance posture, operational maturity and engineering practices, that you can use to score and compare nearshore vendors against the German NIS2 baseline.

Why vendor selection looks different in 2026

NIS2 turned software supply chain decisions into a regulated process for a much wider population of German companies than the previous KRITIS framework.

Under the German implementation, most entities are in scope if they operate in covered sectors and exceed either 49 employees or €10 million in turnover, with limited carve-outs for “negligible activities” under §28 III BSIG (YPOG, February 2026). The law applied immediately on 6 December 2025 with no grace period, and in-scope entities had to register with the BSI by 6 March 2026 via the BSI portal that launched on 6 January 2026 (Lexology, January 2026; DLA Piper, February 2026).

The shift that matters most for vendor selection is buried in §30 II No. 4 of the revised BSI Act: appropriate technical and organizational measures must now explicitly address “security in connection with direct suppliers and service providers” (YPOG, February 2026). As YPOG’s analysis puts it directly, NIS2 compliance is no longer just a legal hurdle — it is a prerequisite for participating in the premium B2B supply chain, and enterprise clients will increasingly require it from their vendors as part of their own obligations.

Management personal liability adds urgency. Under §38 BSIG, managing directors are personally responsible for approving and overseeing risk management measures and can be held liable for damages caused by breaches under existing general principles of company law (YPOG, February 2026).

The good news, per Reed Smith’s January 2026 analysis: organizations with ISO 27001 already meet roughly 70–80% of the basic IT security requirements under the NIS2 Directive. Evaluating your nearshore partner therefore becomes a tractable exercise, provided you ask the right questions.

How to use this checklist

Score each of the 15 criteria from 0 to 2:

  • 0 = Does not meet
  • 1 = Partially meets, with documented compensating controls
  • 2 = Fully meets, with current third-party evidence

Total possible score: 30 points.

Recommended thresholds:

  • 24–30: NIS2-defensible partner. Proceed to commercial negotiation.
  • 18–23: Conditional. Request a remediation plan with timelines before signing.
  • Below 18: Not a fit for NIS2-regulated workloads. Consider only for isolated, low-risk projects.

These thresholds are guidance, not regulatory mandates. Your legal counsel should make the final call based on your specific risk classification under §28 BSIG.

Section A – Compliance & legal posture (5 criteria)

These directly address NIS2 §30 supply chain obligations. Skipping any of these is high-risk.

1. Current ISO 27001 certification

Why it matters: ISO 27001 maps to roughly 70–80% of NIS2’s baseline IT security requirements, per Reed Smith’s January 2026 analysis. Without it, your vendor cannot evidence systematic information security risk management.

Ascendro holds current ISO 27001 certification, complemented by ISO 9001 for quality management.

2. TISAX certification (mandatory for automotive supply chain work)

Why it matters: TISAX is the automotive industry’s binding information security standard, governed by the ENX Association on behalf of the German automotive industry (VDA). If your nearshore partner touches any code, data, or documentation related to your automotive customers, TISAX is non-negotiable.

Ascendro is TISAX certified, which is one reason we are able to deliver software work for automotive clients including BMW and Audi.

3. EU jurisdiction and GDPR-native operations

Why it matters: NIS2’s risk-management obligations apply to “direct suppliers” regardless of where they sit, but data residency, IP enforceability and incident response coordination are dramatically easier inside the EU. A direct nearshore engagement with EU-resident engineers under a properly structured Data Processing Agreement avoids the non-EU data processing complexity introduced by platforms or vendors headquartered outside the EU (Highcircl, April 2026).

Engagements run through Ascendro PRO GmbH (Germany) for the contracting relationship and Ascendro Pro Development SRL (Timișoara) for delivery, with both Romanian- and German-speaking engineers. Both entities operate inside the EU, with all engineering staff EU-resident.

4. Documented incident response capability (24h / 72h / 1-month)

Why it matters: Under the revised BSIG, significant incidents trigger an initial notice within 24 hours, a detailed report within 72 hours, and a final report within one month (Reed Smith, January 2026; DLA Piper, February 2026). Your vendor must be able to support that timeline. A vendor with weekend voicemail cannot.

Incident response procedures are part of Ascendro’s ISO 27001 and TISAX management systems, with documented runbooks and designated response roles that align with the NIS2 reporting timeline.

5. Demonstrable software supply chain security

Why it matters: §30 II No. 4 cascades. If your vendor uses subcontractors heavily, or pulls in open-source components without scanning, those fourth parties become your concern. Per The Hacker News’ May 2026 analysis, the Shai-Hulud npm supply chain attack of September 2025 compromised over 500 packages. Time-to-exploit for CVEs has fallen to 44 days, and 28.3% of CVEs are exploited within 24 hours of disclosure, per the Mandiant M-Trends 2026 report (also cited in The Hacker News, May 2026).

Dependency scanning, secrets scanning and SBOM generation are part of our standard engineering baseline on client engagements. Subcontracting is the exception rather than the rule; most senior work is delivered by in-house engineers.

Section B – Operational Maturity (5 criteria)

NIS2 is also about governance discipline. These criteria assess whether the vendor can be a long-term partner, not just an order-taker.

6. Track record of continuous operation under stable leadership

Why it matters: NIS2’s documented-evidence requirements span years. A vendor with rotating ownership, frequent rebranding, or unclear corporate continuity cannot demonstrate the audit trail regulators expect.

Ascendro has operated continuously since 2011, with the German GmbH continuity verifiable in the Handelsregister (HRB 8741, Friedberg).

7. Verifiable client references in your sector

Why it matters: Sector experience reduces onboarding risk and demonstrates the vendor understands your regulatory context. Generic “we worked with enterprise clients” claims do not.

Named client engagements include BMW (ASBC SMACC), Audi, Samsung (release management system), Wolf GmbH (multi-country Pimcore implementation across 9 countries, 14 languages, 4 brands), Thinksurance (PHP-to-microservices migration) and TH-OWL Smart Factory. Several of these are documented in third-party Clutch reviews.

8. German-language and time-zone overlap

Why it matters: BSI documentation, regulator communication, internal post-mortems and most procurement audits happen in German. A nearshore partner without German-speaking project managers (not just sales reps) creates friction on every critical communication path.

With a German GmbH headquartered in Hesse and 14 years of DACH delivery, German-speaking project management is part of the standard engagement model.

9. Named senior engineers (not “the team”)

Why it matters: Body-shop nearshore models substitute engineers freely between projects. NIS2’s access-control and accountability obligations require role clarity. You need to know exactly which individuals have access to your systems and data, with personal accountability.

Ascendro provides CVs for senior roles before contract signing, with engineer retention built into the SOW. We’ve published our internal CV Generator methodology, which anonymizes engineer identities externally while preserving named accountability inside the client engagement.

10. Documented onboarding and ramp-time benchmarks

Why it matters: Vendor productivity claims need data. A mature partner has measured time-to-productivity across past engagements and can show how a new engineer ramps on an unfamiliar codebase.

Our internal Skill Matrix and PM Autotools track ramp time across engagements and we can share anonymized benchmark data with prospective clients on request as part of the procurement process.

Section C – Engineering Practices (5 criteria)

This section is where many “compliant on paper” vendors fail in practice.

11. Clean IP and source code handling

Why it matters: NIS2’s supply chain measures presume controllable IP boundaries. If a vendor cannot clearly explain where source code lives, who has access, and how access is logged, your audit trail is broken before an incident even happens.

Standard contract templates assign IP to the client from the first commit. Device-level controls (full-disk encryption, monitored access) are part of the ISO 27001 management system, with access logs retained for the period required by client agreements.

12. Security-aware development lifecycle (SAST/DAST in pipeline)

Why it matters: Under §30 BSIG, technical measures must cover the software lifecycle, not just production hardening (YPOG, February 2026). Static and dynamic application security testing must be built into the CI/CD pipeline, not run ad-hoc before release.

Pipeline security gates are part of our DevOps engagement baseline, with the specific tooling adapted to each client’s existing stack. Our published DevOps Infrastructure Blueprint outlines the default approach.
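To make criteria 5 and 12 concrete, here is an added example of what "security gates in the pipeline" can look like as a GitHub Actions workflow. It is an illustration written for this checklist, not Ascendro's DevOps Infrastructure Blueprint and not code from the article. It assumes a GitHub-hosted repository and uses publicly available actions (gitleaks, GitHub's dependency review and CodeQL actions, Anchore's syft-based SBOM action) pinned to their major versions; the language and severity threshold are placeholders to adapt to the client's stack.

```yaml
# Added example: security gates run on every pull request and on pushes to main.
# Not Ascendro's pipeline; action names/versions are assumed public releases.
name: security-gates

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so secrets committed earlier are also caught
      - name: Secrets scanning with gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fail the PR if it introduces known-vulnerable dependencies
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # placeholder threshold; align with client risk appetite

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Static analysis with CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript    # placeholder; set to the project's languages
      - uses: github/codeql-action/analyze@v3

  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate a CycloneDX SBOM for the build
        uses: anchore/sbom-action@v0
        with:
          format: cyclonedx-json
          output-file: sbom.cdx.json
      - name: Retain the SBOM as an auditable build artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
```

The point of the structure is that each control is a blocking job on the pull request rather than a report someone reads before release, which is the distinction criterion 12 draws. Dynamic testing (DAST) is deliberately absent here: it runs against a deployed staging environment in a later stage, not against source in the PR pipeline, so a vendor claiming "SAST/DAST in pipeline" should be able to show both stages and where the results land.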

13. Cloud partnership status (AWS, Azure, or GCP)

Why it matters: Hyperscaler partner status proves the vendor has trained, certified engineers and access to architectural review programs. For NIS2-relevant workloads, you want partners who can configure cloud workloads against specific compliance baselines such as AWS European Sovereign Cloud or the Microsoft Azure EU Data Boundary.

Ascendro is a member of the AWS Partner Network, with certified engineers on staff. Cloud engagements are scoped to EU-residency baselines by default for German clients.

14. AI-assisted coding governance

Why it matters: AI coding tools (Claude Code, GitHub Copilot, Cursor, Codex) are now in nearly every engineering workflow. Per The Hacker News’ May 2026 analysis of agentic AI security, these tools are already embedded across developer workflows whether formally approved or not, and “what data they can access, how they interact with codebases, and what actions they can take is baseline security knowledge at this point.” NIS2 management liability extends to how your vendor uses AI on your code.

We’ve spent the past year developing and publishing a structured approach to AI-assisted coding, including our Architecture Lock File framework and internal AI governance policy. The framework is designed to keep AI generation inside reviewable, auditable boundaries rather than letting it drift across client code freely.

15. Sustainable scaling path (BOT, dedicated team, or augmentation)

Why it matters: NIS2 expects governance maturity that grows with your engagement. A vendor offering only one engagement model may not be the right partner for a multi-year roadmap, where your needs may shift from augmentation to a dedicated team to an eventual internal hub.

Ascendro supports IT staff augmentation, fully managed dedicated nearshore teams and Build-Operate-Transfer engagements where clients eventually establish their own development hub. All three models operate under the same German-Romanian legal structure, which simplifies governance transitions between them.

Scoring summary

Section                     Criteria   Max points   Focus
A — Compliance & Legal      5          10           NIS2 §30 supply chain anchoring
B — Operational Maturity    5          10           Governance & continuity
C — Engineering Practices   5          10           Day-to-day technical discipline
Total                       15         30


NIS2 isn’t really a new rulebook. It’s a reframing of how German companies are expected to treat their software supply chain: as a regulated extension of their own security perimeter, with personal accountability for the people signing off on it.


The 15 criteria in this checklist won’t, by themselves, make you compliant. They’re a tool for narrowing the field of nearshore partners to the ones who can credibly survive the kind of audit your enterprise customers will increasingly ask you to pass on to your suppliers. That’s the real value of running this exercise early: it turns vendor selection from a cost conversation into a risk conversation, and it gives you defensible documentation that the choice was made on substance, not on price.

The shape of a NIS2-ready partner is recognizable. EU jurisdiction, current certifications, stable leadership, named accountability, governance maturity that scales as your engagement grows. Many vendors will tick some of these boxes. Fewer will tick most. Even fewer were structured around these requirements from the start.

Ascendro was built on the German-Romanian model precisely because the buyers we serve, automotive Tier 1 suppliers, regulated manufacturers, fintech and healthcare companies, have always required this combination of EU jurisdiction, automotive-grade information security and stable long-term partnership. NIS2 has made the requirements explicit. The model behind them is what we’ve been building since 2011.

If you’d like to see how Ascendro evidences each of the 15 criteria, we’re happy to walk through it with you. Contact us at info@ascendro.de.


As a dedicated software development team with expertise in nearshore software development, software development outsourcing, IT staff augmentation and more, we specialize in providing innovative solutions across industries, from custom manufacturing software development to business process optimization, ensuring that our clients remain competitive and efficient in their operations. Check out our software development projects here.
