Skip to main content
Unsere Website gibt es auch auf Deutsch - würden Sie gerne zu dieser Version wechseln?Zur deutschen Version wechseln
MADE & HOSTED IN GERMANY
ISO 27001 CERTIFIED, BSI C5
critical-infrastructure

Stackfield as project management software for critical infrastructure

9 min read  •  July 15, 2026

Critical infrastructure operators have faced significantly stricter regulatory requirements in recent years, especially in Germany. NIS2, Germany's IT Security Act 2.0, and the Critical Infrastructure Protection Act (KRITIS Umbrella Act) all require organizations to demonstrate that the software they use complies with the current state of the art. Many organizations only discover during an audit that their project management solution falls short of these requirements. Choosing the right software is therefore no longer a matter of convenience, but a strategic decision with regulatory consequences.

The essentials at a glance

  • Growing regulatory pressure: NIS2, the IT Security Act 2.0, and the KRITIS Umbrella Act impose concrete compliance obligations on critical infrastructure operators. The software in use must demonstrate compliance with the current state of the art.
  • Data protection is mandatory: Project data within critical infrastructure organizations often contains sensitive infrastructure information. Tools without true end-to-end encryption and hosting in Germany / Europe increase risk instead of reducing it.
  • Stackfield meets these requirements: With BSI C5 attestation, ISO 27001 certification, and hosting in Germany, Stackfield is one of the few project management platforms designed to meet the demands of critical infrastructure audits – without compromising on project management capabilities.
  • Full functionality without compromise: Tasks, Gantt charts, chat, video conferencing, and file management in a single platform. No external integrations, no additional attack surface.
Project management for critical infrastructure that stands up to scrutiny
Stackfield combines comprehensive project management—including tasks, Gantt charts, chat, video conferencing, PERT and file management—with BSI C5 attestation, ISO 27001 certification, and hosting in Germany. No trade-off between security and functionality. Start your free 14-day trial today. Start working KRITIS-compliant

Why do common project management tools fail to meet critical infrastructure requirements?

Most project management tools were not designed for regulated environments. They were built for agencies, startups, and businesses where speed takes priority over security. In critical infrastructure organizations, those priorities are reversed and this is where many tools begin to fall short.

Many widely used platforms are subject to the US CLOUD Act. This means that even if their servers are located in Europe, US authorities may require the provider to disclose data under certain circumstances. For critical infrastructure operators working daily with sensitive infrastructure plans, security concepts, and mission-critical project documentation, this is far from a theoretical concern.

Another common issue is the lack of recognized certifications. Providers without BSI C5 attestation or ISO 27001 certification cannot offer auditors objective proof that their platform meets established security standards. Compliance with the state of the art is demonstrated through certifications, and not through marketing claims.

Additional weaknesses of many project management tools include:

  • No true end-to-end encryption: The provider itself can access customer data. For infrastructure plans and security concepts, this represents a fundamental security risk.
  • No audit-proof documentation: Changes to tasks, decisions, and project activities cannot always be traced in a way that satisfies audit requirements.
  • No on-premises deployment option: Organizations with the highest security requirements cannot maintain full control over their own infrastructure.

This is not a niche issue. It affects every critical infrastructure operator that continues to rely on a project management platform without the certifications and security architecture required for today's regulatory environment.

What makes project management in critical infrastructure organizations unique

Project management in critical infrastructure is about far more than efficiency. A system outage, a data breach, or an undocumented decision can have immediate consequences for society. Energy supply, drinking water, healthcare, transportation—projects in these sectors support services that extend far beyond the organization itself.

At the same time, critical infrastructure operators work within one of Europe's most demanding regulatory environments. The key frameworks include:

  • NIS2 (effective since October 2024): Requires risk management, incident reporting, and demonstrable compliance for regulatory authorities.
  • Germany's IT Security Act 2.0:: Defines minimum technical and organizational security requirements and requires organizations to demonstrate compliance with the current state of the art.
  • The Critical Infrastructure Protection Act (KRITIS Umbrella Act) (adopted in January 2025, implementation by October 2026): Establishes the first unified framework for the physical and digital protection of all critical infrastructure sectors in Germany.

Information security must therefore be embedded into everyday project work: into every task, every decision, and every file attachment.

What must project management software provide for critical infrastructure?

  1. Audit-proof documentation: Changes to tasks, decisions, and documents must be fully traceable through comprehensive audit logs.
  2. Granular access control: Users should only be able to access the information relevant to their role.
  3. True encryption: Not just transport encryption (TLS), but genuine end-to-end encryption for all content.
  4. Hosting in Germany / EU jurisdiction: No exposure to data access requests under the US CLOUD Act.
  5. Recognized certifications: BSI C5 attestation and ISO 27001 certification as verifiable evidence of compliance with the current state of the art.
  6. On-premises deployment option: For organizations operating their own infrastructure or requiring the highest levels of security.
Project management without compromise

Five criteria critical infrastructure operators should consider when evaluating project management software

The technical requirements are well known. But how can you verify during the evaluation process that a vendor truly meets them? Here are the five questions every critical infrastructure operator should ask before making a decision.

  1. Does the vendor provide certifications that auditors recognize? BSI C5 attestation and ISO 27001 certification are not optional—they are essential. Without them, a project management platform is unlikely to satisfy the requirements of a critical infrastructure audit. Ask specifically: Is the attestation available? What is its validity period? Was it issued by an accredited certification body?
  2. Who owns the company behind the software, and which legal jurisdiction applies? A data center in Germany does not eliminate the implications of the US CLOUD Act if the provider is a US company. What matters is the vendor's legal jurisdiction, not the physical location of its servers. Only a provider operating exclusively under German and EU law can offer genuine digital sovereignty.
  3. Can the software support offline operation or emergency scenarios? Critical infrastructure organizations must be able to continue project work during network outages or security incidents. Does the platform offer an on-premises deployment option or local data storage that remains available independently of cloud services?
  4. Can the platform be fully integrated into your ISMS and your roles and permissions model? The software should adapt to your security policies, not the other way around. Granular access control and comprehensive audit logs are not optional features, but rather fundamental requirements.
  5. How many additional tools will you still need? Every external integration represents a potential security risk. A platform that combines task management, communication, file management, and video conferencing without relying on third-party services significantly reduces the overall attack surface.
Expert tip: Plan a trial phase using a real project from your day-to-day operations. Feature lists rarely tell the full story. What matters is whether the platform works with your existing roles and permissions model, documentation requirements, and access control policies.

Stackfield: Project management without compromise for critical infrastructure

Stackfield was not retrofitted to meet the requirements of critical infrastructure operators. Security is not treated as an additional feature—it is the foundation of the platform. At the same time, Stackfield remains a fully featured project management solution.

Compliance at a glance:

  • BSI C5 attestation: a recognized security standard for cloud services in Germany
  • ISO 27001, ISO 27017 and ISO 27018: Internationally recognized information security certifications
  • Hosting in Germany under German and EU law: Not subject to the US CLOUD Act
  • True end-to-end encryption (AES-256 + RSA-2048) with a zero-knowledge architecture: Not even Stackfield can access your content
  • On-premises deployment available for organizations with the highest security requirements

Full-featured project management without limitations:

What sets Stackfield apart from security-focused solutions is that it is first and foremost a comprehensive project management platform. Task management, Kanban boards, Gantt charts, project portfolios, and time tracking are fully integrated.

There is no need for third-party communication tools. Chat, threaded discussions, audio and video conferencing with screen sharing all run directly within Stackfield. Decisions are documented in structured discussion threads and remain fully traceable for audit purposes. You don't have to choose between a secure platform and a productive one.

Stackfield project management interface: Tasks, Kanban board, and team communication for critical infrastructure operators in one platform

Who is already using Stackfield in critical infrastructure sectors?

Critical infrastructure operators already use Stackfield in production environments. The following example from the healthcare sector illustrates how the platform is used in practice.

Bavarian Red Cross Emergency Medical Services (Healthcare sector)
The Bavarian Red Cross (BRK) is one of Bavaria's largest emergency medical service providers and has been using Stackfield since 2016. Its central EMS department coordinates cross-functional IT projects, procurement, and quality management across eight emergency dispatch centers throughout Bavaria. Data protection was the decisive factor in selecting Stackfield. BRK required a platform that enabled cross-team collaboration, complied with German data protection requirements, and provided a structured way to manage a large volume of tasks.

Today, collaboration between internal teams and external partners takes place within a single platform. External participants are invited directly into projects with restricted permissions, eliminating the need to manage accounts across multiple systems.

"We needed a digital system that would allow us to work across teams while meeting Germany's fundamental data protection requirements."
Michael Höhnel, Air and Ground Rescue Team, BRK Medical Services

Which critical infrastructure sectors is Stackfield suitable for?

Sector Typical operators Why it matters
Energy Municipal utilities, grid operators, energy providers BSI C5 is a baseline requirement for cloud services
Healthcare Healthcare Hospitals, emergency medical services, laboratories NIS2 compliance and protection of sensitive patient data/td>
Water Water utilities, wastewater treatment operators High availability requirements, KRITIS Umbrella Act
Transport & Mobility Airports, railway operators, public transportation providers Auditability and compliance requirements
Public Administration Government authorities, municipal organizations BSI minimum standards for cloud services and GDPR compliance
Finance & Insurance Banks, insurance companies DORA requirements, ISO 27001
Food Supply Food retailers and providers of essential food services Supply chain security and documentation requirements
Information Technology & Telecommunications Data centers, network operators, cloud providers Maximum availability requirements and BSI C5
Media & Culture Public broadcasters, news agencies Confidentiality and information security
Waste Management Municipal waste management operators Business continuity and KRITIS Umbrella Act
Space Ground infrastructure operators, satellite service providers NIS2 risk management and high availability and supply chain requirements

Project management software for critical infrastructure: Making the right choice

Regulatory pressure on critical infrastructure operators continues to increase, and choosing the right project management software is no longer a secondary consideration. Organizations that still rely on non-certified tools are likely to discover the consequences during their next audit.

Selecting the right platform is not simply an IT decision, it is a strategic decision that affects the entire organization. Security and productivity do not have to be mutually exclusive. With the right evaluation criteria, you can choose a solution that delivers both.

Stackfield is one of the few project management platforms that fully meets the requirements of critical infrastructure operators: BSI C5 attested, ISO 27001 certified, hosted in Germany, and protected by true end-to-end encryption. Stackfield is not a security product with project management features added on. It is a comprehensive collaboration platform designed from the ground up with data protection and compliance at its core.

Work in a KRITIS-compliant environment

Stackfield is BSI C5 attested, ISO 27001 certified, and hosted exclusively on German servers. Start your free 14-day trial
Stackfield Plattform

FAQ

Does using Stackfield qualify as a technical measure under Germany's IT Security Act?

Yes. Stackfield's BSI C5 attestation and ISO 27001 certification are recognized proof of compliance with the current state of the art and can be presented directly during an audit. However, the platform itself does not replace the documentation required for an Information Security Management System (ISMS).

Why isn't a US-based project management platform with German data centers sufficient for critical infrastructure?

The US CLOUD Act requires US companies to provide data to US authorities upon request, regardless of where that data is stored. Stackfield is a German company operating exclusively under German and EU law. As a result, it is not subject to the US CLOUD Act.

How does Stackfield support NIS2 compliance?

Stackfield provides audit-ready building blocks, including audit logs, tamper-resistant documentation of project decisions, and recognized certifications such as BSI C5 and ISO 27001. Overall ISMS documentation and regulatory reporting obligations remain the responsibility of the organization.

How long does it take to implement Stackfield?

As a SaaS platform, Stackfield can be deployed immediately. For critical infrastructure organizations, a structured onboarding process with dedicated support is recommended. On-premises deployments are planned and implemented on an individual basis.

Can Stackfield be integrated into an existing ISMS?

Yes. Stackfield supports granular roles and permissions as well as comprehensive audit logs that align with existing security policies. The platform integrates seamlessly into an existing ISMS without requiring changes to its established structure.

Rate this article?
2 Reviews / 4.5 Stars
Ready to try Stackfield?Trusted by over 10,000 companies since 2012
Try it free for 14 days
Almost finished...Please click the link in the email and confirm your email adress to complete the subscription process.
Never miss a post. Get awesome insights in your inbox.
Your Email
Subscribe
Christopher Diesing
About the Author:
Christopher Diesing is the COO of Stackfield. He loves all kinds of marketing, product design as well as photography.