Deregulation in the data center – governance rightsizing for IT

Deregulation in the data center – governance rightsizing instead of compliance congestion

What is deregulation in the data center?

In this context, "deregulation" does not mean less security – but rather the right level of governance. In many data centers that operate in systemically important environments (e.g., KRITIS, universities, public administration, healthcare), a very dense set of rules has developed over the years: operating manuals, instructions, ISMS documentation, multi-level approvals, and formalized decision-making processes.

This made sense historically. Today, it often leads to a compliance bottleneck: new rules are added, old ones are never deleted, processes become confusing – and the organization loses its speed of action.

Governance rightsizing addresses precisely this issue: we separate mandatory requirements from self-imposed rules, eliminate redundancies, and design governance in such a way that it remains risk-adequate, understandable, and livable.

What aspects does governance rightsizing cover?

Our approach combines organizational development and process and documentation work with regulatory clarity:

  • Mandatory vs. optional: What is really required (e.g., BSI/ISO/NIS2/KRITIS) – and what has developed historically?
  • Regulatory cleanup: Redundancies, contradictions, duplicate files, "dead rules" and unclear responsibilities.
  • Risk-adequate control: Simple processes with simple approvals; critical processes retain strict controls.
  • Decision-making and approval logic: Lean approval flows, clear escalation paths, RACI, and committee logic.
  • Documentation that can be maintained: Modular, digital, versioned, with clear ownership and review cycles.
  • Change & anchoring: Because even deregulation generates resistance – and requires a clean transition design.

Why deregulation?

When governance keeps growing over the years, typical effects arise that are felt in day-to-day operations:

  • Standard issues take too long because approvals are no longer proportional to the risk.
  • Documentation grows faster than maintenance capacity – timeliness and trust decline.
  • "Silent circumvention" increases: processes are short-circuited in daily work because they are no longer practicable.
  • Change becomes difficult: innovation, modernization, and new services progress too slowly.
  • Attractiveness as an employer suffers because creative freedom disappears.

Deregulation, properly understood, makes governance effective again: stable, compliant, and at the same time capable of action.

Our approach – in 6 phases

We work in a structured but pragmatic way – with a clear goal: less ballast, more impact.

1) Analysis of the current regulatory framework

What applies, what works – and what is being circumvented?

Result: Inventory of regulations + initial heat map (critical/redundant/outdated/unclear/highly effective)

2) Regulatory mapping

Which rules are mandatory – and why?

Result: Compliance matrix (mandatory/recommended/optional) + reduction/simplification list including risk assessment

3) Governance maturity analysis

Where does the organization stand between chaos, overregulation, and adaptability?

Result: Maturity profile + bottleneck analysis (bottlenecks in decisions, roles, committees, controls)

4) Target concept: Adaptive governance (right-sized governance)

Control proportional to risk – fast where possible; strict where necessary.

Result: Target governance model + decision map + approval logic according to risk classes (Lean Approval Flows)

5) Change Management & Transition

Introduce deregulation without losing security – and without disrupting the culture.

Result: Transition plan (wave plan), stakeholder & communication concept, enablement building blocks

6) Documentation Redesign

Away from monolithic manuals – toward modular, maintainable documentation.

Result: New structure including templates/taxonomy/ownership + migration plan + "minimum viable documentation"

Result: What you have gained after the project

  • Clarity about which rules are mandatory and which are not
  • Faster decisions thanks to risk-adequate approvals
  • Less redundancy, fewer contradictions, fewer shadow processes
  • Documentation that works: modular, up-to-date, maintainable
  • Greater capacity to act in operations and modernization projects

Restore your data center's ability to act

When governance becomes a hindrance, another document won't help – what you need is a lean, risk-appropriate control model that works in day-to-day operations.

Get started now with a free initial consultation.

FAQ – Frequently asked questions

  • No – on the contrary. Governance rightsizing strengthens the effectiveness of security because it clearly identifies mandatory requirements and reduces "regulatory noise". Controls remain strong where the risk is high.

  • When rules are constantly being added but never consolidated or deleted. The result: overly complex approvals, contradictory documents, declining acceptance – and informal workarounds.

  • Typical signs include long turnaround times for standard decisions, multiple "valid" versions of rules, poor maintenance quality, high meeting/approval loads, and uncertainty about what is really mandatory.

  • They are not "abolished" but restructured: modular, versioned, clearly accountable – with a review process that is realistically sustainable.

  • That depends on the scope. Focused rightsizing (inventory + mapping + target model) can often be completed in a few weeks. Documentation redesign and transition then take place iteratively.