nuwacom Covers §203 StGB and DORA - What That Means for Regulated Industries

nuwacom now covers §203 StGB secrecy obligations and DORA compliance for financial institutions - with legal documentation, a sovereign hosting option, and an architecture built for Europe's most regulated industries.

Most AI platforms are built for organizations whose main governance questions are internal by nature: who can access what, how are outputs reviewed, how is data classified? That is a reasonable set of constraints to design around. But it disregards an entire segment of the market where the stakes are materially different: professions and industries where the confidentiality of client and patient data is not a policy decision but a statutory obligation.

Two recent additions to nuwacom’s legal and regulatory framework address this gap directly.

A Supplementary Agreement for Professions with Statutory Secrecy Obligations

§203 of the German Criminal Code (Strafgesetzbuch) establishes criminal liability for the unauthorized disclosure of secrets entrusted to professionals in the course of their work. Lawyers, physicians, tax advisors, auditors, psychotherapists - the list covers a wide range of advisory and care professions. The obligation is strict, and it extends to third-party service providers: since a 2017 amendment, AI and cloud vendors can be engaged as “collaborating persons” under §203, but only if they are contractually bound to confidentiality in writing and explicitly informed of the criminal consequences of a breach.

A standard GDPR data processing agreement does not satisfy this requirement. The legal basis differs, as does the obligation and the professional’s exposure to personal liability.

nuwacom now publishes a supplementary agreement (Zusatzvereinbarung) specifically designed for Berufsgeheimnisträger - professionals with statutory secrecy obligations - available in the nuwacom Trust Center. This agreement provides the contractual foundation that lawyers, physicians, tax advisors, and other regulated professionals need to use nuwacom with client, patient, and advisory data on a legally sound basis.

DORA Compliance for the Financial Sector

The Digital Operational Resilience Act (DORA) has been in force across the EU since January 2025. It mandates that banks, insurance companies, investment firms, and payment service providers meet unified standards for ICT risk management, incident reporting, operational resilience testing, and third-party vendor oversight. Critically, DORA does not stop at the financial institution itself - it extends requirements directly to the technology providers those institutions depend on.

For financial sector organizations evaluating AI platforms, this creates a concrete due diligence obligation. The question is not only whether the AI platform is useful, but whether it can be integrated within the governance structures, contractual arrangements, and third-party risk frameworks that DORA requires.

nuwacom now publishes dedicated DORA compliance documentation at this page, covering the regulatory requirements relevant to banks, insurers, and financial services providers and how nuwacom’s architecture supports them.

Why This Matters Beyond the Documentation

Adding legal documentation to a Trust Center is table stakes. What makes these additions meaningful is the architecture they sit on.

nuwacom is built around a governance layer that upholds access rights inherited from connected applications, maintains granular role and permissions controls, and keeps sensitive data under clearly defined organizational jurisdiction. For organizations operating under §203 StGB or DORA, that architecture is a precondition - not a nice-to-have. A contractual commitment to confidentiality is only as strong as the system it governs.

For organizations that require hosting on German soil - either due to regulatory mandate, internal policy, or client expectations - nuwacom also offers deployment on STACKIT, the sovereign cloud infrastructure of Schwarz Group, operating under German and EU jurisdiction with data residency in Germany. That option, combined with the formal legal documentation now available for these specific regulatory contexts, means nuwacom can meet the full requirement stack for some of the most demanding compliance environments in the European market.

The combination is not common. Many AI platforms address one dimension of enterprise compliance - contractual, architectural, or infrastructure-level - but not all three. nuwacom’s position is to cover all three for the organizations that need it.

What This Means in Practice

For law firms and legal professionals: nuwacom can now be used for mandate data, client communications, and document work with the contractual foundation that §203 StGB requires.

For medical practices, clinics, and healthcare organizations: the same applies to patient data, clinical documentation, and the confidential records that constitute the core of any healthcare professional’s information environment.

For banks, insurance companies, and financial services providers: nuwacom can be evaluated and deployed within the third-party risk and vendor governance frameworks that DORA mandates.

The documentation is available now. For organizations working through vendor due diligence or looking to understand how nuwacom fits within their specific regulatory context, the Trust Center is your starting point.

nuwacom is the AI operating system built for European enterprises. If your organization operates under strict data protection, security, or compliance requirements and you want to see how nuwacom works within those constraints, book a demo.