
An Approach for a Supporting Multi-LLM System for Automated Certification Based on the German IT-Grundschutz

arXiv – CS AI | Lea Roxanne Muth, Marian Margraf

AI Summary

Researchers propose a multi-LLM system with hybrid retrieval-augmented generation to automate German IT-Grundschutz security certifications, addressing NIS2 compliance demands and specialist shortages. The architecture combines large language models with knowledge graphs to streamline certification phases while maintaining security quality standards.

Analysis

This research addresses a significant infrastructure challenge within European cybersecurity governance. The German IT-Grundschutz framework represents one of Europe's most comprehensive security certification standards, but faces bottlenecks as the NIS2 directive expands compliance requirements to critical infrastructure operators across member states. The shortage of qualified certifiers and high implementation costs create market friction that delays organizational compliance timelines.

The proposed multi-LLM system represents a pragmatic response to operational constraints rather than a technological breakthrough. By automating routine certification phases—protection needs assessment, IT-Grundschutz checks, and measure consolidation—the system reduces certifier workload for standardized tasks while preserving human oversight for complex security judgments. The hybrid RAG approach using knowledge graphs suggests the system can maintain contextual understanding of interconnected security controls, critical for certification validity.

For the security consulting and compliance industry, this development creates both opportunities and competitive pressures. Organizations offering certification services may accelerate time-to-compliance for clients, potentially reducing service margins if automation becomes widespread. Enterprise IT departments face improved timelines for NIS2 certification, reducing compliance costs. However, the approach's effectiveness depends heavily on training data quality and knowledge graph comprehensiveness—factors that will determine whether automated certifications meet regulatory scrutiny.

The broader implication concerns regulatory technology infrastructure across the EU. If successful, this framework could model approaches for automating compliance assessment in other directive-mandated frameworks, potentially reshaping how European cybersecurity governance operates at scale. Critical unknowns include regulatory acceptance of AI-assisted certifications and whether the system's recommendations consistently meet BSI standards.

Key Takeaways
  • Multi-LLM architecture with hybrid RAG targets efficiency gains in German IT-Grundschutz certifications amid NIS2 compliance surge
  • System automates routine assessment phases while maintaining human oversight for security judgment preservation
  • Addresses documented specialist shortage constraining organizations' compliance timelines across Europe
  • Success depends on knowledge graph quality and regulatory acceptance of AI-assisted security certifications
  • Model could establish precedent for automating compliance assessment in broader EU regulatory frameworks