TOM Basic Package for SMEs: 12 Minimum Measures

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • 12 minimum TOM (technical and organisational measures) reflect the 2026 state of the art for SMEs with 50-250 employees
  • Direct legal mandate: Art. 32(1) GDPR ("appropriate level of security"); the measures derive from BSI IT-Grundschutz, the ENISA 2024 recommendations and the DSK (German Data Protection Conference) resolutions 2024-2025
  • Microsoft 365 E5 covers ~70% of measures; gaps: backup (Veeam), physical security, supplier audit
  • Realistic implementation cost: EUR 5-15k/year (DIY) up to EUR 15-30k/year (full external service)
  • Review cadence: annual full audit, quarterly spot checks, ad-hoc after incidents or major IT changes

1. MFA Everywhere

Microsoft Authenticator for all users plus phishing-resistant FIDO2 keys for admin accounts. Cost: EUR 0-60 per user. No exceptions for executives.

2. Encryption at Rest and in Transit

BitLocker on every endpoint, TLS 1.3 for all web connections, encrypted email for sensitive data flows.

3. Patch Management

Microsoft Defender for Endpoint or an equivalent tool, monthly patch cycle, critical patches within 72 hours, SLA documented.

4. 3-2-1 Immutable Backup

Veeam with hardened repository, three copies on two media with one offsite, quarterly restore tests with sign-off.

5. Anti-Malware

Microsoft Defender for Endpoint (included in M365 E5), or Bitdefender or Sophos as alternatives. EDR agent on every endpoint, managed from a central console.

6. Firewall and Network Segmentation

Default-deny firewall policy, separate network segments for Office, Production, Backup. Document the segmentation in the network diagram.

7. Access Control (RBAC)

Microsoft Entra ID plus Conditional Access enforcing need-to-know. Quarterly access reviews with sign-off.

8. Logging and Monitoring

Microsoft Sentinel or an ELK stack with 90-day retention. 24/7 alerting on critical events (privileged login, mass deletion, unauthorized export).
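The three alert classes in measure 8 can be written down as concrete detection rules. The Python script below is an added example, not code from this page, from Microsoft Sentinel or from the ELK project: it parses a handful of constructed audit-log lines (hypothetical users, objects and datasets), and raises an alert on a login with a privileged role, on a threshold of deletions by one user inside a sliding time window, and on an export by a user outside an assumed allow-list. The role names, the threshold, the window and the allow-list are assumptions that would be tuned per tenant.

```python
"""Toy alert rules for the critical events named in measure 8: privileged
login, mass deletion, unauthorized export.  Added example over constructed
log lines; not from the original page or from any SIEM vendor."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed tenant policy (not from the page): which roles count as privileged,
# who may export, and what "mass deletion" means in numbers.
PRIVILEGED_ROLES = {"global_admin", "security_admin"}
EXPORT_ALLOWLIST = {"carol"}                 # assumed: only carol may run exports
MASS_DELETE_THRESHOLD = 5                    # assumed: 5 deletes ...
MASS_DELETE_WINDOW = timedelta(minutes=10)   # ... within 10 minutes

# Constructed sample audit events (hypothetical users and objects).
SAMPLE_LOG = """\
2026-03-02T08:01:10Z user=alice action=login role=user
2026-03-02T08:03:44Z user=admin1 action=login role=global_admin
2026-03-02T08:10:00Z user=bob action=delete object=doc-1
2026-03-02T08:10:05Z user=bob action=delete object=doc-2
2026-03-02T08:10:09Z user=bob action=delete object=doc-3
2026-03-02T08:10:15Z user=bob action=delete object=doc-4
2026-03-02T08:10:20Z user=bob action=delete object=doc-5
2026-03-02T08:10:25Z user=bob action=delete object=doc-6
2026-03-02T08:30:00Z user=carol action=export dataset=customers
2026-03-02T08:31:00Z user=alice action=export dataset=payroll
2026-03-02T09:00:00Z user=alice action=delete object=doc-9
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts_str, *kvs = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def evaluate(log_text):
    """Run the three rules over the log; return (rule, user, ts, detail) tuples."""
    alerts = []
    recent_deletes = defaultdict(deque)   # per-user timestamps inside the window
    mass_alerted = set()                  # alert once per user (simple suppression)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, action, ts = ev["user"], ev["action"], ev["ts"]
        if action == "login" and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append(("privileged_login", user, ts, ev.get("role")))
        elif action == "delete":
            window = recent_deletes[user]
            window.append(ts)
            while window and ts - window[0] > MASS_DELETE_WINDOW:
                window.popleft()          # drop deletes older than the window
            if len(window) >= MASS_DELETE_THRESHOLD and user not in mass_alerted:
                mass_alerted.add(user)
                alerts.append(("mass_deletion", user, ts,
                               f"{len(window)} deletes within {MASS_DELETE_WINDOW}"))
        elif action == "export" and user not in EXPORT_ALLOWLIST:
            alerts.append(("unauthorized_export", user, ts, ev.get("dataset")))
    return alerts


def alert_counts(alerts):
    """Number of alerts per rule, handy for a dashboard or a test."""
    counts = defaultdict(int)
    for rule, *_ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, user, ts, detail in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {rule:<20} user={user} {detail}")
```

In Sentinel or Kibana the same three rules become scheduled queries; the sliding-window count is what turns "mass deletion" from a vague phrase into a number a reviewer can verify against the retained log. The once-per-user suppression is deliberately minimal; a production rule would re-arm after the window has passed.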

9. Training and Awareness

Annual mandatory training plus quarterly phishing simulations. Track completion and follow up individually with anyone who has not completed the training.

10. Incident Response Plan

Documented crisis team, escalation paths, annual tabletop exercise. Tie the plan into the 72-hour GDPR breach notification workflow (Art. 33).

11. Physical Security

Access control, locked server rooms, visitor escort policy, clean-desk rule for sensitive areas.

12. Supplier Audit

Annual audit of the top-20 suppliers, data processing agreements (DPAs, Art. 28 GDPR) with the mandatory clauses, sub-processor list with notification rights.

Summary

Art. 32 GDPR mandates only an "appropriate level of security" — these 12 concrete measures translate that into practice. Supervisory authorities measure compliance against them; gaps require documented risk-based justification (e.g., no remote work reduces some MFA scope). The pragmatic SME stack: Microsoft 365 E5 + Veeam + Compliance-Kit documentation totaling EUR 12-18k/year for 50-100 employees. Median GDPR fine without TOM documentation: EUR 12,500; systemic gaps run EUR 50-300k.


Frequently Asked Questions

Are the 12 minimum TOM measures for SMEs legally binding?

Only Art. 32(1) GDPR ('appropriate level of security') is directly mandatory. The 12 specific measures represent the 'state of the art' according to BSI IT-Grundschutz, the ENISA 2024 recommendations and the DSK resolutions 2024-2025. In practice, during audits and fine proceedings the supervisory authority assesses against these standards. Those who fulfil all 12 are on the safe side; those with gaps need a documented risk assessment explaining why a measure is not required (e.g. 'no remote work' → reduced MFA requirement).

Is Microsoft 365 E5 sufficient for TOM compliance?

Roughly 70%. M365 E5 covers: MFA (Authenticator + Conditional Access), EDR (Defender for Endpoint), DLP (Data Loss Prevention), Compliance Manager (audit trail), sensitivity labels (classification), Sentinel-Light (logging), Customer Lockbox. What M365 E5 does NOT cover: backup (Veeam separately, ~EUR 1,500/year), physical security (premises and building measures), the supplier audit process (own documentation). For SMEs with 50-100 employees, M365 E5 + Veeam + Compliance-Kit documentation is the pragmatic stack: ~EUR 12,000-18,000/year.

What does TOM implementation realistically cost?

Three models: 1) DIY with Compliance-Kit templates: 25-40 person-days of in-house effort plus ~EUR 5,000-15,000/year for software (Defender, Veeam, Authenticator apps). 2) External DPO consultancy: EUR 8,000-12,000 one-time plus EUR 5,000-10,000/year for documentation maintenance, plus software. 3) Fully external (compliance-as-a-service): EUR 15,000-30,000/year flat rate. For SMEs with 50-150 employees, model 1 or 2 is sensible. Fine risk without TOM documentation: median EUR 12,500 (DSK 2025); for systemic gaps EUR 50,000-300,000.

How often do the TOMs need to be reviewed?

A full review annually (standard item in the audit plan), plus ad-hoc reviews after each data breach incident, after substantial IT changes (cloud migration, new HR software) and after regulatory changes (e.g. trilogue adoption of the Digital Omnibus Proposal of 19.11.2025, impact of EU AI Act Art. 32). Practical pattern: quarterly spot checks (patching, MFA coverage, backup tests), annual full audit plus ISO-27001-compliant CAPA (corrective and preventive action) measures. Documentation obligation: Art. 5(2) GDPR accountability principle.
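The quarterly spot checks named here (patching, MFA coverage, backup tests) correspond to measures 1, 3 and 4 above and can be scripted against the asset, identity and backup inventories so that each quarter produces a findings list rather than a verbal "looks fine". The Python script below is an added example, not the page's, Microsoft's or Veeam's code: it applies the 72-hour critical patch SLA from measure 3, the no-exceptions MFA rule and the admin FIDO2 rule from measure 1, and the 3-2-1 rule with immutable copy and quarterly restore test from measure 4 to constructed inventories with hypothetical hosts, accounts and dates. The 30-day SLA for non-critical patches and the 90-day maximum restore-test age are assumptions derived from the monthly cycle and quarterly test cadence the page names; the "as of" date is constructed.

```python
"""Quarterly TOM spot check over constructed inventories: patch SLA (measure 3),
MFA coverage (measure 1), 3-2-1 backup rule and restore-test age (measure 4).
Added example; all hosts, users and dates are constructed."""
from datetime import datetime, timedelta, timezone


def utc(*ymd):
    """Shorthand for a timezone-aware UTC datetime."""
    return datetime(*ymd, tzinfo=timezone.utc)


NOW = utc(2026, 4, 1)                         # constructed "as of" date of the check
CRITICAL_SLA = timedelta(hours=72)            # measure 3: critical patches within 72 h
REGULAR_SLA = timedelta(days=30)              # assumed: the monthly patch cycle
RESTORE_TEST_MAX_AGE = timedelta(days=90)     # assumed: one restore test per quarter

# Constructed patch inventory: hypothetical hosts; installed=None means still open.
PATCH_STATUS = [
    {"host": "fs01",   "severity": "critical",  "released": utc(2026, 3, 28), "installed": utc(2026, 3, 29)},
    {"host": "web01",  "severity": "critical",  "released": utc(2026, 3, 27), "installed": None},
    {"host": "pc-017", "severity": "important", "released": utc(2026, 2, 20), "installed": None},
    {"host": "pc-018", "severity": "important", "released": utc(2026, 3, 15), "installed": utc(2026, 3, 30)},
]
# Constructed identity inventory: hypothetical accounts.
ACCOUNTS = [
    {"user": "alice",  "mfa": True,  "admin": False, "fido2": False},
    {"user": "admin1", "mfa": True,  "admin": True,  "fido2": True},
    {"user": "admin2", "mfa": True,  "admin": True,  "fido2": False},
    {"user": "ceo",    "mfa": False, "admin": False, "fido2": False},
]
# Constructed backup inventory: three copies, two media, one offsite, one immutable.
BACKUP_COPIES = [
    {"id": "prod-disk",  "medium": "disk",           "offsite": False, "immutable": False},
    {"id": "veeam-repo", "medium": "disk",           "offsite": False, "immutable": True},
    {"id": "cloud-copy", "medium": "object_storage", "offsite": True,  "immutable": True},
]
LAST_RESTORE_TEST = utc(2025, 12, 15)         # constructed: older than one quarter


def check_patching(rows, now=NOW):
    """Flag patches installed after, or still open past, their SLA deadline."""
    findings = []
    for r in rows:
        sla = CRITICAL_SLA if r["severity"] == "critical" else REGULAR_SLA
        deadline = r["released"] + sla
        if r["installed"] is None and now > deadline:
            findings.append(f"{r['host']}: {r['severity']} patch open, {(now - deadline).days} day(s) past SLA")
        elif r["installed"] is not None and r["installed"] > deadline:
            findings.append(f"{r['host']}: {r['severity']} patch installed after SLA deadline")
    return findings


def check_mfa(accounts):
    """Measure 1: MFA for everyone, no exceptions; FIDO2 keys for admin accounts."""
    findings = []
    for a in accounts:
        if not a["mfa"]:
            findings.append(f"{a['user']}: no MFA enrolled (no exceptions, including executives)")
        if a["admin"] and not a["fido2"]:
            findings.append(f"{a['user']}: admin account without FIDO2 key")
    return findings


def check_backup(copies, last_test, now=NOW):
    """Measure 4: 3 copies, 2 media, 1 offsite, an immutable copy, recent restore test."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} backup copies (3-2-1 needs three)")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("all copies on one medium (3-2-1 needs two)")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable (hardened) repository copy")
    if now - last_test > RESTORE_TEST_MAX_AGE:
        findings.append(f"last restore test {(now - last_test).days} days ago, quarterly test overdue")
    return findings


def run_spot_check():
    """All three spot checks; an empty list per area means 'no finding'."""
    return {
        "patching": check_patching(PATCH_STATUS),
        "mfa": check_mfa(ACCOUNTS),
        "backup": check_backup(BACKUP_COPIES, LAST_RESTORE_TEST),
    }


if __name__ == "__main__":
    for area, items in run_spot_check().items():
        print(f"[{area}] {len(items)} finding(s)")
        for f in items:
            print("  -", f)
```

The output of such a run, dated and signed off, is the kind of record the Art. 5(2) accountability principle asks for: each finding names the measure it falls under, so a gap either gets fixed before the next quarter or gets the documented risk-based justification the page describes.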
