M365 Is Not Ready for KRITIS… Or Is It? How to Make Microsoft 365 Compliant with BSI Requirements in Critical Infrastructure

Here’s the uncomfortable truth: moving KRITIS or government workloads to Microsoft 365 is rarely a technical problem—it’s an organizational survival test. One overlooked decision around identity, baselines or governance can quietly undermine BSI compliance before the first user even logs in, turning what looked like a smooth cloud migration into an audit liability. In this episode, we use real‑world patterns to show why many regulated M365 projects are already non‑compliant in their first 90 days, and how you can design your rollout so auditors see a controlled, documented environment instead of screenshots and explanations after the fact.We start with the illusion of safety that comes from Microsoft’s long list of certifications. Platform compliance is often mistaken for customer compliance: leaders assume “Microsoft is certified, so we’re covered,” and rush into licensing and enablement. You’ll hear how that shared‑responsibility gap plays out when a public body rolls out Exchange Online, Teams and SharePoint at speed—only to fail an early audit because identity design, privileged access controls, logging and documentation were never aligned with BSI expectations from day one. The services worked; the evidence didn’t.From there, we unpack why most failures are decided long before migration cut‑over. If you skip a clear strategy phase—mapping which workloads fall under KRITIS, which BSI controls apply, and what auditors will want to see—you build on guesswork, not requirements. Weak identity architecture and rushed directory sync, inconsistent conditional access, and documentation written after the rollout are exactly the “bathroom window” auditors spot first, no matter how many other controls you’ve implemented correctly. We show how these early blind spots create a domino effect: once the foundation is misaligned, every later configuration inherits the same compliance cracks.Then we walk through the three planning phases that actually decide whether your M365 KRITIS rollout will pass or fail: strategy, architecture and governance. Strategy means writing down in plain language what you must protect, which laws and BSI modules apply, and how success will be measured. Architecture means making hard choices about which services are in scope, which must be restricted or technically compensated, and how identities, logs and data residency are designed to meet local requirements. Governance means setting rules and roles before the first user signs in: who creates Teams, how external access is controlled, how changes and exceptions are documented, and how you’ll prove ongoing control instead of one‑time setup.Finally, we tie everything together with practical guidance for your first 90 days. You’ll learn which artifacts auditors ask for first (not last), which identity and logging decisions you must lock in before rollout, and how to avoid the trap of “we’ll fix compliance later” once users are already in production. Think of this episode as a checklist to stress‑test your current or planned project: if you can’t show clear answers for strategy, architecture and governance, your M365 environment may already be out of alignment with KRITIS and BSI expectations—whether anyone has told you yet or not.WHAT YOU’LL LEARNWhy many M365 KRITIS/government rollouts are non‑compliant within 90 days.How platform certification and customer compliance diverge under BSI rules.The three planning phases—strategy, architecture, governance—that make or break regulated deployments.Which identity, logging and documentation decisions auditors check first.THE CORE INSIGHTThe core insight of this episode is that you don’t “fail compliance” years later in a surprise audit—you fail it in the first months if your M365 rollout is treated like a normal IT project instead of a regulated transformation. Once you plan Microsoft 365 for KRITIS with strategy, architecture and governance at the center, you can move fast on modern work without leaving auditors, regulators and your own accountability behind.WHO THIS EPISODE IS FORPublic sector and KRITIS IT leaders planning or rescuing an M365 rollout.Security, compliance and data protection officers working with BSI‑regulated environments.Architects and project managers who need Microsoft 365 to be both modern and audit‑ready from day one.ABOUT THE AUTHOR / HOSTMirko Peters is a Microsoft 365, security and governance consultant and host of the M365.FM podcast, helping KRITIS operators and public authorities design cloud environments that satisfy both modern work demands and strict BSI expectations. He works with teams in regulated sectors to align identity, architecture and governance so that Microsoft 365 rollouts don’t just function technically—but stand up to audits without last‑minute scrambling.Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.