77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
News & Insights

What officers need to know.

Regulatory shifts, framework updates and operational guidance, curated for Data Protection, IT Security, Compliance and AI Governance leads. Written from the field, verified against primary sources.

Featured
Company doctor: From what number of employees does the obligation to order apply?
Occupational Medicine7 July 202612 min read

Company doctor: From what number of employees does the obligation to order apply?

The obligation to appoint a company doctor results from the ASiG and DGUV regulation 2 and is not rigidly tied to an employee threshold. This article explains standard and alternative support, calculation of operating times and the auditable documentation of the order.

Read more
Latest
Construction site regulations (BaustellV): Obligations, SiGeKo order and advance notice in practice
Construction & SiGeKo7 July 202614 min read

Construction site regulations (BaustellV): Obligations, SiGeKo order and advance notice in practice

The Construction Site Ordinance has regulated coordination obligations on construction sites since 1998. This article explains advance notice, SiGe plan, SiGeKo order, building owner's obligations and the interface to construction management in practice in 2026.

Read more
HinSchG draft bill: history, current status, what the upcoming amendment means for internal reporting points
Whistleblower Protection7 July 202614 min read

HinSchG draft bill: history, current status, what the upcoming amendment means for internal reporting points

The draft bill for the Whistleblower Protection Act from 2022 has had a significant impact on today's legal situation. Anyone who knows the history of its origins understands the scope for interpretation and can set up their internal reporting office in such a way that it can survive a future amendment.

Read more
Have a market value report drawn up: plan the duration realistically
Expert Assessors7 July 202612 min read

Have a market value report drawn up: plan the duration realistically

Depending on the property, it takes between three and twelve weeks from the order to the signed market value report. We break down the duration into five phases, name accelerators and show when a short report is sufficient and when only the full report is sufficient.

Read more
External ISO 9001 Quality Manager in Germany: When to Outsource the QMB Role
Quality Management7 July 202613 min read

External ISO 9001 Quality Manager in Germany: When to Outsource the QMB Role

An external ISO 9001 quality manager in Germany must meet the same formal appointment requirements as an internal QMB. This article explains role, liability, audit chain and how CIVAC delivers an appointed quality manager with workspace access in 2 business days.

Read more
Order QMB externally: When an external quality management representative is the better choice
Quality Management6 July 202613 min read

Order QMB externally: When an external quality management representative is the better choice

An external QMB provides ISO 9001 expertise, audit preparation and a documented QM system without a full-time position. The article clarifies responsibility, costs, selection criteria and the handover to permanent operation.

Read more
Occupational health care G 37 VDU work: duration, deadlines, documentation
Occupational Medicine6 July 202611 min read

Occupational health care G 37 VDU work: duration, deadlines, documentation

Prevention according to DGUV G 37 (computer workstations) takes between 20 and 40 minutes of pure examination time. The intervals result from ArbMedVV. Who documents what and how long must evidence be kept? Answers for management and company doctors.

Read more
Company doctor in the company: duties, appointment and interaction with compliance
Occupational Medicine6 July 202613 min read

Company doctor in the company: duties, appointment and interaction with compliance

The Occupational Safety Act requires employers to appoint a company doctor in writing. This article explains the legal obligations, the operating times according to DGUV regulation 2, the collaboration with occupational safety specialists and the integration into a compliance platform.

Read more
Setting up a whistleblower hotline in medium-sized companies: duties, channels, reporting line
Equality & AGG6 July 202612 min read

Setting up a whistleblower hotline in medium-sized companies: duties, channels, reporting line

The obligation to have an internal reporting office under the HinSchG has also applied to companies with 50 to 249 employees since December 17, 2023. This article shows how medium-sized companies set up the whistleblower hotline in a legally secure manner, combine the complaints office and data protection and present evidence in the audit.

Read more
Set up an AGG complaint office: Section 13 AGG, appointment certificate and procedural model
Equality & AGG6 July 202613 min read

Set up an AGG complaint office: Section 13 AGG, appointment certificate and procedural model

Section 13 AGG obliges every employer to set up a complaints office for cases of discrimination. The article provides templates for ordering, procedures and documentation and shows how CIVAC operates the position as an internal function or as an external solution under Officer-as-a-Service.

Read more
Hazardous Substances Officer in Germany: Appointment, Duties, and Liability under GefStoffV
Gefahrstoff & Arbeitsschutz6 July 202613 min read

Hazardous Substances Officer in Germany: Appointment, Duties, and Liability under GefStoffV

Germany's Hazardous Substances Ordinance (GefStoffV) requires structured oversight of chemical workplace risks. This guide explains who needs to appoint a Hazardous Substances Officer, what the role covers, and how to staff it without overspending in German subsidiaries.

Read more
Money laundering officer costs 2026: What internal, external and hybrid really costs
Anti-Money Laundering5 July 202614 min read

Money laundering officer costs 2026: What internal, external and hybrid really costs

The costs of a money laundering officer range from 800 euros per month if appointed externally to 80,000 euros in total annual costs in the internal model. Which route is right depends on the obligor status, risk profile and volume. This guide classifies the cost types, ranges and obligations in 2026.

Read more
Introduce the KYC process: Duties, stages and roles according to the AMLA
Anti-Money Laundering5 July 202613 min read

Introduce the KYC process: Duties, stages and roles according to the AMLA

A KYC process is more than just identification on onboarding. It includes risk analysis, due diligence requirements per risk class, continuous monitoring and suspicious activity reporting. This guide shows what obliged entities must set up structurally in accordance with Section 2 of the GwG.

Read more
Fire Safety Officer Services in Germany for English-Speaking Companies
Fire Safety5 July 202614 min read

Fire Safety Officer Services in Germany for English-Speaking Companies

International companies operating in Germany must appoint a Brandschutzbeauftragter under § 10 ArbSchG and ASR A2.2. This article explains the legal basis, scope, costs and how CIVAC delivers the role with English-language reporting.

Read more
Annual fire protection instruction: duties, content, evidence 2026
Fire Safety5 July 202613 min read

Annual fire protection instruction: duties, content, evidence 2026

Annual fire safety training is mandatory, but rarely well documented. Anyone who knows the legal basis and keeps records cleanly avoids fines, insurance disputes and personal liability on the part of the management.

Read more
Appoint a fire protection officer: duty, qualifications and audit trail
Fire Safety5 July 202612 min read

Appoint a fire protection officer: duty, qualifications and audit trail

The appointment of a fire protection officer is mandatory in many building regulations, meeting place regulations and insurance policies. This article explains the legal basis, qualifications according to vfdb 12-09, tasks and how CIVAC bundles the order, fire protection regulations and audit templates in one workspace.

Read more
ISO 9001 Quality Manager Services in Germany: Roles, Cost, and Appointment
Qualitätsmanagement5 July 202612 min read

ISO 9001 Quality Manager Services in Germany: Roles, Cost, and Appointment

ISO 9001:2015 certification requires a dedicated quality management representative, internal audits, and a documented management system. This guide explains the scope of external quality manager services in Germany, costs, appointment letters, and how CIVAC delivers the function in two business days.

Read more
Occupational Safety Consulting in Germany: Roles, Duties, and the External Specialist
Occupational Safety4 July 202612 min read

Occupational Safety Consulting in Germany: Roles, Duties, and the External Specialist

Occupational safety consulting in Germany is regulated by the ASiG, the DGUV Vorschrift 2 and a body of technical rules. This article explains the legal framework, the practical scope of an external safety specialist and how to document the mandate.

Read more
Annual employee training: list of topics, duties and evidence
Occupational Safety4 July 202613 min read

Annual employee training: list of topics, duties and evidence

Annual training in accordance with Section 12 ArbSchG and Section 4 DGUV Regulation 1 is mandatory for every company. This guide shows a complete list of topics, the role of the occupational safety specialist and the requirements for an exam-proof instruction certificate.

Read more
Commission external SiFa: Obligation, selection and audit-proof ordering
Occupational Safety4 July 202613 min read

Commission external SiFa: Obligation, selection and audit-proof ordering

In many companies, external SiFa is the economic answer to the ordering obligation according to Section 5 ASiG. The article explains which tasks can be delegated, what the appointment certificate looks like, what operating times DGUV Regulation 2 stipulates and how the mandate can be documented in an audit-proof manner.

Read more
When do I need an occupational safety specialist (SiFa)?
Occupational Safety4 July 202613 min read

When do I need an occupational safety specialist (SiFa)?

The obligation to appoint an occupational safety specialist begins with the first employment. This practical guide clarifies which number of hours you have to provide and from which number of employees and in which form of care.

Read more
Manage safety data sheets: obligations, processes, platform
Hazardous Substances & Occupational Health4 July 202614 min read

Manage safety data sheets: obligations, processes, platform

Safety data sheets are mandatory documents according to REACH Annex II. If you only save them as PDFs, you will miss the operational requirement. This article shows how you can maintain SDBs, convert them into directories and translate them into operating instructions.

Read more
TRGS 510 Storage of hazardous substances: obligations, quantities and evidence
Hazardous Substances & Occupational Health3 July 202612 min read

TRGS 510 Storage of hazardous substances: obligations, quantities and evidence

TRGS 510 regulates the storage of hazardous substances in portable containers. The article explains quantity thresholds, storage rules, structural requirements, containment areas and the evidence trail that supervisory authorities expect in the audit.

Read more
Hazardous substance list template: what is mandatory and what gaps templates typically leave
Hazardous Substances & Occupational Health3 July 202613 min read

Hazardous substance list template: what is mandatory and what gaps templates typically leave

The list of hazardous substances is required according to Section 6 Paragraph 12 GefStoffV and is a first point of contact in every supervisory inspection. Which mandatory fields a reliable template contains, why pure Excel lists are often noticed in audits and how CIVAC relieves the burden with Workspace and Officer-as-a-Service.

Read more
CSRD Double Materiality Assessment Template: Structure, Inputs, Audit Trail
Environmental Protection3 July 202614 min read

CSRD Double Materiality Assessment Template: Structure, Inputs, Audit Trail

A double materiality assessment is the entry point to CSRD reporting. This article walks through the template structure, the inputs auditors expect, and how to build a defensible audit trail under ESRS 1 and ESRS 2.

Read more
Environmental officer costs: What the order, duties and external commissioning really cost
Environmental Protection3 July 202612 min read

Environmental officer costs: What the order, duties and external commissioning really cost

How much does an environmental representative cost in a medium-sized company? The article classifies the legal ordering obligations, the typical hourly rates and the external monthly flat rate and shows where the workspace reduces running costs.

Read more
What does an environmental officer really do in a company?
Environmental Protection3 July 202613 min read

What does an environmental officer really do in a company?

An environmental officer coordinates the legally compliant fulfilment of environmental obligations within the company. The article describes the actual task profile, the distinction between specialised representatives (waste, water, pollution control, dangerous goods) and the requirements for an effective appointment according to ISO 14001:2015 and EMAS.

Read more
AML Compliance in Germany: Geldwaeschegesetz Obligations and How to Operate Them
Geldwäscheprävention3 July 202613 min read

AML Compliance in Germany: Geldwaeschegesetz Obligations and How to Operate Them

Germany regulates anti-money laundering through the Geldwaeschegesetz (GwG) and BaFin guidance. This article explains who qualifies as an obliged entity, what risk analysis and KYC obligations apply and how CIVAC supports the AML officer with platform plus officer-as-a-service.

Read more
Waste representative: duty, tasks and appointment according to Section 59 KrWG
Environmental Protection2 July 202612 min read

Waste representative: duty, tasks and appointment according to Section 59 KrWG

Facilities with relevant waste generation must appoint a waste representative. This article explains the legal basis in Section 59 KrWG and the AbfBeauftrV, describes tasks and reporting obligations and shows how orders and audit trails can be managed in the CIVAC workspace.

Read more
CSDDD Consulting: How German Mid-Market Companies Prepare for the EU Supply Chain Directive
Supply Chain2 July 202614 min read

CSDDD Consulting: How German Mid-Market Companies Prepare for the EU Supply Chain Directive

CSDDD consulting helps companies translate the EU Corporate Sustainability Due Diligence Directive into operational supply chain processes. This article explains scope, deliverables, the relationship to LkSG, and what a credible engagement looks like.

Read more
Supplier audit: process, obligations according to LkSG and ISO 9001, templates for audit practice
Supply Chain2 July 202614 min read

Supplier audit: process, obligations according to LkSG and ISO 9001, templates for audit practice

Since the Supply Chain Due Diligence Act and the EU Supply Chain Directive, supplier audits are no longer a voluntary practice, but a due diligence measure that requires documentation. This article shows the process, criteria and templates for audits that the BAFA report and the ISO 9001 certifier recognise equally.

Read more
External human rights officer: Costs, effort and models at a glance
Supply Chain2 July 202613 min read

External human rights officer: Costs, effort and models at a glance

An external human rights officer according to Section 4 LkSG costs between 18,000 and 80,000 euros per year, depending on the model. What does the contract cover, what hourly rates are standard in the market and how do workspaces reduce overall costs?

Read more
Supply Chain Act Officer: Order, tasks and test chain according to LkSG
Supply Chain2 July 202612 min read

Supply Chain Act Officer: Order, tasks and test chain according to LkSG

The LkSG requires a human rights officer or a comparable function with a direct reporting line to management. This article clarifies the order, obligations, BAFA examination and interface to the CSDDD.

Read more
Workplace Risk Assessment Template Germany: What §5 ArbSchG Actually Requires
Arbeitssicherheit2 July 202613 min read

Workplace Risk Assessment Template Germany: What §5 ArbSchG Actually Requires

A workplace risk assessment template that works in Germany must satisfy §5 of the Occupational Safety and Health Act, the relevant Berufsgenossenschaft, and the labour inspectorate of the Bundesland. This article explains the legal minimum and how to keep the template auditable across sites.

Read more
CSDDD and LkSG in comparison: What the EU Supply Chain Directive will really change in 2027
Supply Chain1 July 202614 min read

CSDDD and LkSG in comparison: What the EU Supply Chain Directive will really change in 2027

The CSDDD will tighten the German LkSG in terms of scope, liability and climate protection plan from 2027. The article shows the 12 most important differences, clarifies threshold values ​​and describes how both sets of rules can be fulfilled without duplicate structures.

Read more
NIS 2 Compliance in Germany: Operational Playbook for the Information Security Officer
IT Security & NIS-21 July 202613 min read

NIS 2 Compliance in Germany: Operational Playbook for the Information Security Officer

The German NIS 2 transposition will apply to roughly 29,500 organisations. This is the operational playbook for the Information Security Officer: registration, governance training, incident reporting, supplier risk, and the BSI evidence cycle.

Read more
ISB-as-a-Service with NIS 2 Ready setup: Order in two working days instead of six weeks
IT Security & NIS-21 July 202613 min read

ISB-as-a-Service with NIS 2 Ready setup: Order in two working days instead of six weeks

With the implementation of NIS 2, around 29,500 companies in Germany are obliged to demonstrably implement technical and organisational cybersecurity measures. An appointed information security officer is the central operational person. This article describes CIVAC's ISB-as-a-Service model with a two-business-day SLA.

Read more
ISB consulting in medium-sized businesses: roles, costs and the step from consultation to order
IT Security & NIS-21 July 202612 min read

ISB consulting in medium-sized businesses: roles, costs and the step from consultation to order

In medium-sized businesses, ISB consulting is often purchased as a project and ends with no permanent role. This article shows how consulting, appointment and officer-as-a-service differ, what obligations the ISB has according to NIS 2 and ISO/IEC 27001:2022 and when the transition to permanent appointment is economical.

Read more
Order ISB for critical infrastructure: obligation, profile and appointment certificate in detail
IT Security & NIS-21 July 202614 min read

Order ISB for critical infrastructure: obligation, profile and appointment certificate in detail

KRITIS operators, particularly important and important facilities according to the NIS 2 Implementation Act, must appoint, document and provide evidence to the BSI of an information security officer. The article shows the legal basis, requirement profile, appointment certificate and the operational structure in the CIVAC workspace.

Read more
ISO 14001 Certification Consulting in Germany: A Practical Guide for 2026
Umweltschutz1 July 202613 min read

ISO 14001 Certification Consulting in Germany: A Practical Guide for 2026

ISO 14001:2015 certification in Germany requires more than a generic environmental management system. This guide explains the steps, costs, role of the Umweltbeauftragter, and what to expect from a credible German consulting partner.

Read more
ADR catalogue of fines 2022 for dangerous goods: How much does a violation really cost today?
Dangerous Goods & Logistics30 June 202614 min read

ADR catalogue of fines 2022 for dangerous goods: How much does a violation really cost today?

The ADR fine catalogue 2022 is the reference for many freight forwarders and shippers. With the RSEB update in 2024 and the ADR revision in 2025, the facts, amounts of fines and responsibilities have changed. This guide classifies and shows how an appointed dangerous goods officer controls the risk of fines.

Read more
Instruction 1.3 ADR: Obligations, content and evidence for consignors and shippers
Dangerous Goods & Logistics30 June 202613 min read

Instruction 1.3 ADR: Obligations, content and evidence for consignors and shippers

Chapter 1.3 ADR obliges all persons involved in the transport of dangerous goods to undergo documented training. This guide shows what the content includes, when the refresher is due and what the evidence in the audit must look like.

Read more
Dangerous goods classes 1 to 9 according to ADR: Overview, labelling and obligation to order
Dangerous Goods & Logistics30 June 202614 min read

Dangerous goods classes 1 to 9 according to ADR: Overview, labelling and obligation to order

The nine dangerous goods classes according to ADR structure all dangerous substances for roads, rails and inland waterways. This article explains the classes, the labelling, the ordering requirement for GGB and the CIVAC model.

Read more
UN 3082 and hazard number 90: What shippers and agents need to know
Dangerous Goods & Logistics30 June 202613 min read

UN 3082 and hazard number 90: What shippers and agents need to know

UN 3082 with danger number 90 is encountered more often in everyday life than expected: lubricants, crop protection, cleaning chemicals. This article explains the ADR classification, the obligations of those involved and the typical errors in transport documents, labelling and packaging.

Read more
Dangerous goods stickers: classes, obligations and audit evidence in shipping
Dangerous Goods & Logistics30 June 202612 min read

Dangerous goods stickers: classes, obligations and audit evidence in shipping

Dangerous goods stickers are not decoration, but mandatory labelling according to ADR and GGVSEB. This article explains the nine classes of dangerous goods, the correct attachment, the obligations of those involved and how CIVAC bundles the documentation, the dangerous goods officer and the audit evidence.

Read more
Supply Chain Due Diligence in Germany: LkSG, CSDDD and What Foreign Companies Must Do
Lieferkette30 June 202614 min read

Supply Chain Due Diligence in Germany: LkSG, CSDDD and What Foreign Companies Must Do

Germany was the first large EU economy to impose mandatory supply chain due diligence. This guide covers the 2024 thresholds, eleven protected rights, BAFA enforcement record, and how to set up an audit-ready officer function in two working days.

Read more
Dangerous goods classes according to ADR: Overview, obligations and documentation
Dangerous Goods & Logistics29 June 202612 min read

Dangerous goods classes according to ADR: Overview, obligations and documentation

Dangerous goods classes structure the ADR and decide on labelling, packaging, transport and reporting obligations. This article explains the nine classes, the associated UN numbers and the operational responsibilities of those involved.

Read more
TISAX Certification Process for Automotive Suppliers: A Practical Roadmap
IT Security & NIS-229 June 202614 min read

TISAX Certification Process for Automotive Suppliers: A Practical Roadmap

TISAX is the dominant information security label across the European automotive sector. This guide walks suppliers through the assessment levels, the VDA ISA catalogue, the ENX exchange platform and the typical timeline from gap analysis to label issuance.

Read more
Virtual CISO Germany: NIS-2, ISO 27001 and the case for a fractional model
IT Security & NIS-229 June 202613 min read

Virtual CISO Germany: NIS-2, ISO 27001 and the case for a fractional model

German mid-sized companies face NIS-2, ISO 27001:2022 transition and EU AI Act obligations without a full-time CISO on payroll. A virtual CISO model provides accountable security leadership with documented mandates, board reporting and audit-ready evidence in the workspace.

Read more
ISO 27001 certification: duration, preparation, effort
IT Security & NIS-229 June 202614 min read

ISO 27001 certification: duration, preparation, effort

An ISO/IEC 27001:2022 certification takes 9 to 18 months from the start of the project to the certificate in medium-sized companies. This guide breaks down the phases, names the effort and shows where audits typically fail.

Read more
BSI C5 attestation for cloud providers: What it does, when it is mandatory
IT Security & NIS-229 June 202614 min read

BSI C5 attestation for cloud providers: What it does, when it is mandatory

The BSI's C5 certificate is the standard for the security of cloud services in the German market. This article explains the structure, type 1 and type 2 testing, relationship to ISO 27001 and operational preparation as a provider and as a customer.

Read more
How to Comply with the NIS-2 Directive in Germany: A 90-Day Operational Plan
IT-Sicherheit & NIS-229 June 202614 min read

How to Comply with the NIS-2 Directive in Germany: A 90-Day Operational Plan

Around 29,500 German entities fall in scope of NIS-2. The directive's value emerges from disciplined operational execution: scoping, risk management, named information security officer, 24/72 reporting, management training. This guide is a 90-day plan for entities still building the foundation.

Read more
Information security officer: role, duties and appointment in medium-sized companies
IT Security & NIS-228 June 202612 min read

Information security officer: role, duties and appointment in medium-sized companies

The information security officer (ISB) has operational responsibility for the ISMS according to ISO/IEC 27001:2022. The article explains tasks, the appointment certificate, the distinction between CISO and CIO as well as the obligations under NIS-2, KRITIS umbrella law and DORA.

Read more
TISAX consulting: what automotive suppliers really need to pass the assessment
IT Security & NIS-228 June 202613 min read

TISAX consulting: what automotive suppliers really need to pass the assessment

TISAX assessments rarely fail due to technology, often due to unclear scope, incomplete documentation and officer roles that are not filled. The article shows how a reliable TISAX consultation is structured and where CIVAC relieves the burden with Workspace and Officer-as-a-Service.

Read more
Building an ISMS: Step-by-step instructions according to ISO 27001:2022
IT Security & NIS-228 June 202614 min read

Building an ISMS: Step-by-step instructions according to ISO 27001:2022

Anyone who builds an ISMS according to ISO/IEC 27001:2022 navigates 93 controls, four statements and seven process levels. This guide breaks down the journey into ten phases with responsibilities, artifacts, and realistic timelines.

Read more
Understanding Nordea ESG Stars: What the rating means for companies with ESG obligations
ESG & Sustainability28 June 202613 min read

Understanding Nordea ESG Stars: What the rating means for companies with ESG obligations

Nordea ESG Stars is an internal fund label from Nordea Asset Management. Companies that are in a Stars fund answer ESG questions differently than they would without investor pressure. The article classifies the label legally and shows the obligations in day-to-day business.

Read more
Flossbach von Storch and ESG: What investors need to know about integration
ESG & Sustainability28 June 202613 min read

Flossbach von Storch and ESG: What investors need to know about integration

Flossbach von Storch manages around 70 billion euros and integrates ESG criteria into the investment process. The article places the practice within the regulatory framework: SFDR Article 8 funds, CSRD reporting requirements from fiscal year 2025, taxonomy quotas and the role of the sustainability officer.

Read more
MSCI World Momentum ESG: What the index means for corporate compliance
ESG & Sustainability27 June 202612 min read

MSCI World Momentum ESG: What the index means for corporate compliance

The MSCI World Momentum ESG combines two logics: price momentum and ESG rating. Whoever appears in the supply chain of an index candidate is also evaluated. This article explains the methodology, the obligations for German companies and the evidence that CSRD and supervision expect.

Read more
MSCI World ESG vs. SRI: Differences, methodology and importance for corporate ESG reporting
ESG & Sustainability27 June 202613 min read

MSCI World ESG vs. SRI: Differences, methodology and importance for corporate ESG reporting

The MSCI ESG Leaders and SRI Select indices follow different methodologies. This article explains the filter logic, sector weighting, carbon footprint and the consequences for ESG officers and companies subject to CSRD.

Read more
Vanguard FTSE All Cap ESG: What companies learn from index logic
ESG & Sustainability27 June 202614 min read

Vanguard FTSE All Cap ESG: What companies learn from index logic

The Vanguard ESG Global All Cap UCITS ETF follows the FTSE Global All Cap Choice Index, which excludes certain sectors and thresholds. Companies that do not want to appear in such indices must prepare their ESG disclosure in a verifiable manner according to CSRD and ESRS.

Read more
Amundi Funds Global Ecology ESG: What companies derive from the fund for their own ESG obligations
ESG & Sustainability27 June 202613 min read

Amundi Funds Global Ecology ESG: What companies derive from the fund for their own ESG obligations

The Amundi Funds Global Ecology ESG is an Article 9 fund under SFDR. What does this mean for investors and especially for companies that themselves have to report under CSRD and EU taxonomy? A practical guide to ESG governance.

Read more
ESG in the EU: CSRD, taxonomy and supply chain as an operational duty
ESG & Sustainability27 June 202613 min read

ESG in the EU: CSRD, taxonomy and supply chain as an operational duty

ESG has been mandatory reporting practice in the EU since 2024. CSRD, EU taxonomy, CSDDD and ESRS interlock. This post shows how an ESG officer manages data points, dual materiality and audit evidence in one platform.

Read more
ESG 2026: From a catchphrase to an appointment certificate in German medium-sized businesses
ESG & Sustainability26 June 202614 min read

ESG 2026: From a catchphrase to an appointment certificate in German medium-sized businesses

ESG is no longer a marketing issue. CSRD, EU taxonomy, LkSG and CSDDD require reliable data, roles and reports. The article explains the obligations, the thresholds and the operational structure of an ESG function.

Read more
One Compliance Platform for All German Officer Roles: A Practical Buyer Guide
Platform & Strategy26 June 202612 min read

One Compliance Platform for All German Officer Roles: A Practical Buyer Guide

German law requires dedicated officers for data protection, money laundering, fire safety, hazardous goods, hygiene, whistleblowing, supply chain and many more. Twenty-five mandates, one platform. This guide explains how that consolidation works.

Read more
CIVAC Alternative: 14 evaluation criteria for compliance platforms in medium-sized companies
Platform & Strategy26 June 202613 min read

CIVAC Alternative: 14 evaluation criteria for compliance platforms in medium-sized companies

Anyone looking for a CIVAC alternative usually compares apples with oranges. Classic consulting firms, ISMS tools and platform solutions deliver different value propositions. This article provides 14 evaluation criteria, price bands and a decision tree for comparison.

Read more
Automate compliance training: e-learning, evidence and reporting lines in medium-sized companies
Platform & Strategy26 June 202612 min read

Automate compliance training: e-learning, evidence and reporting lines in medium-sized companies

Training obligations are increasing: GDPR, NIS 2, HinSchG, ISO/IEC 27001:2022, hazardous substances, fire protection. Anyone who continues to keep records in Excel will fail the audit. This article shows how automated e-learning and a workspace carry the reporting line to management.

Read more
CIVAC Compliance: Platform, Officer-as-a-Service and the operational structure behind it
Platform & Strategy26 June 202613 min read

CIVAC Compliance: Platform, Officer-as-a-Service and the operational structure behind it

CIVAC is a German compliance platform and officer-as-a-service. The article explains how the platform brings together the mandatory representatives from DSB to fire protection in one place, which documents are kept and how CIVAC differs from classic consulting firms.

Read more
ISO 27001 Risk Assessment Template: What a Certifiable Workflow Looks Like in 2026
IT-Sicherheit & NIS-226 June 202612 min read

ISO 27001 Risk Assessment Template: What a Certifiable Workflow Looks Like in 2026

An ISO 27001 risk assessment is a workflow, not a spreadsheet. This guide explains the 2022 revision, the methodology your auditor expects, the structure of a defensible risk register, and how CIVAC packages the templates inside one Workspace.

Read more
ISO 27001:2022 Transition in Germany: What the October 2025 Deadline Means in 2026
IT-Sicherheit & NIS-226 June 202613 min read

ISO 27001:2022 Transition in Germany: What the October 2025 Deadline Means in 2026

The official transition window from ISO/IEC 27001:2013 to the 2022 edition closed on 31 October 2025. Certificates not migrated have expired. This article explains what that means for German organisations in 2026, what auditors now expect, and how to recover lost certification without a multi-quarter delay.

Read more
Building an integrated management system: From an ISO patchwork to a uniform compliance architecture
Platform & Strategy25 June 202614 min read

Building an integrated management system: From an ISO patchwork to a uniform compliance architecture

Anyone who maintains multiple ISO standards knows the problem: duplicate audits, contradictory procedures, redundant documents. An integrated management system based on a high level structure bundles requirements, reporting obligations and audit trails. This guide shows the structure, sequence and tools.

Read more
All agent roles in one software: When consolidation is worthwhile
Platform & Strategy25 June 202613 min read

All agent roles in one software: When consolidation is worthwhile

Medium-sized companies manage six to twelve representative roles in parallel, usually in separate tools. Consolidated software reduces interface costs, closes audit gaps and makes the personal liability of management manageable. What needs to be taken into account.

Read more
§ 42 BDSG: Criminal liability for data misuse in German data protection law
Platform & Strategy25 June 202614 min read

§ 42 BDSG: Criminal liability for data misuse in German data protection law

Section 42 BDSG regulates criminal liability for intentional data misuse. This article explains the facts, the penalty range, the distinction from the GDPR fine and the organisational obligations of the management.

Read more
Doctor's practice hygiene plan 2022: What needs to be up to date since then
Health & Hygiene25 June 202613 min read

Doctor's practice hygiene plan 2022: What needs to be up to date since then

A hygiene plan is not a static document. Anyone who is still working with the 2022 version in 2026 risks complaints from the health department and KV. This article shows which RKI recommendations and legal bases have been updated since 2022.

Read more
Hygiene officers in nursing: What RKI and KRINKO require operationally
Health & Hygiene25 June 202612 min read

Hygiene officers in nursing: What RKI and KRINKO require operationally

Care facilities must appoint hygiene officers according to clearly defined guidelines from the RKI and KRINKO. This article explains qualifications, tasks, documentation requirements and how CIVAC bundles the order, the hygiene plan and the audit evidence in one workspace.

Read more
KRINKO guidelines for hospital hygiene: obligations and implementation
Health & Hygiene24 June 202612 min read

KRINKO guidelines for hospital hygiene: obligations and implementation

Hospital hygiene is not a recommendation, but rather a requirement under the IfSG, state hygiene regulations and KRINKO specifications. This article shows how clinics document risk analyses, hygiene plans and reporting paths in a legally compliant manner.

Read more
Hygiene in care: worksheet, checklist and legally compliant instruction
Health & Hygiene24 June 202613 min read

Hygiene in care: worksheet, checklist and legally compliant instruction

A nursing hygiene worksheet is more than just a training slide. It is the central proof document for home supervision, MDK and the health department. This guide shows the structure, mandatory content and templates for practice.

Read more
Washing hands and hygiene: duties, methodology and evidence in the company
Health & Hygiene24 June 202612 min read

Washing hands and hygiene: duties, methodology and evidence in the company

Washing your hands seems trivial, but it is anchored in the company's regulations: IfSG, LMHV, ArbStättV and the RKI-KRINKO recommendations prescribe procedures, means and evidence. The article shows obligations, methodology according to DIN EN 1499 and how hand hygiene can be documented in an audit-proof manner.

Read more
Hand hygiene in care: duties, indications, evidence
Health & Hygiene24 June 202613 min read

Hand hygiene in care: duties, indications, evidence

Hand hygiene is the single most effective measure against nosocomial infections. This guide organises the legal obligations according to Section 23 IfSG, the five WHO indications and the operational evidence that home supervision and MD examiners want to see.

Read more
Institute for Hygiene and Environmental Medicine: tasks, duties, practical role
Health & Hygiene24 June 202613 min read

Institute for Hygiene and Environmental Medicine: tasks, duties, practical role

Institutes for hygiene and environmental medicine provide analysis, inspection and advice. Anyone who has to fulfil operational hygiene obligations according to IfSG, BioStoffV and TrinkwV also needs an internal representative structure. This article explains tasks and interfaces.

Read more
Hygiene training online: legal framework, content and auditable evidence
Health & Hygiene23 June 202612 min read

Hygiene training online: legal framework, content and auditable evidence

Online hygiene training is recognised in many industries, but does not replace every instruction. The article explains Section 43 IfSG, annual follow-up instructions, minimum technical requirements and the trail of evidence with which hygiene officers and management satisfy supervisory authorities.

Read more
Metro hygiene: what wholesale, catering and HACCP really demand from each other
Health & Hygiene23 June 202612 min read

Metro hygiene: what wholesale, catering and HACCP really demand from each other

Anyone who buys food wholesale and processes it in the catering industry has a double hygiene chain. The article explains obligations according to LMHV, IfSG and HACCP, shows how hygiene officers keep a complete track of receipts from goods receipt to the guest and where CIVAC can provide relief.

Read more
Hygiene instructions according to § 43 IfSG: Obligation, deadline, proof
Health & Hygiene23 June 202612 min read

Hygiene instructions according to § 43 IfSG: Obligation, deadline, proof

Anyone who handles food needs instruction in accordance with Section 43 of the Infection Protection Act. This article explains the scope, deadlines, content and how the hygiene officer keeps the evidence in a verifiable manner.

Read more
External Compliance Officer for B2B SaaS in Germany: Roles, Cost, Setup
Governance & Compliance23 June 202613 min read

External Compliance Officer for B2B SaaS in Germany: Roles, Cost, Setup

B2B SaaS founders in Germany face overlapping duties under GDPR, NIS-2, HinSchG, and ISO/IEC 27001:2022. An external compliance officer covers the controls without an internal hire, leaving the engineering roadmap untouched.

Read more
EU AI Act: Obligations for High-Risk AI Systems in Practice
Governance & Compliance23 June 202613 min read

EU AI Act: Obligations for High-Risk AI Systems in Practice

The EU AI Act introduces twelve cumulative obligations for providers of high-risk AI systems and four additional duties for deployers. This article translates Articles 8 to 27 into a working compliance routine: risk management, data governance, logging, human oversight, transparency, and conformity assessment.

Read more
Compliance Training Platform for Multi-Role German Operations: A Buyer's Guide
Plattform & Strategie23 June 202613 min read

Compliance Training Platform for Multi-Role German Operations: A Buyer's Guide

A German mid-cap typically operates 8 to 12 statutory officer roles in parallel: DPO, ISO, fire safety, hazardous goods, hygiene, ESG, whistleblower, and more. A multi-role compliance training platform consolidates curricula, evidence, and audit exports into one system of record.

Read more
Officer-as-a-Service in Germany: How External Compliance Roles Actually Work
Plattform & Strategie23 June 202612 min read

Officer-as-a-Service in Germany: How External Compliance Roles Actually Work

Officer-as-a-Service in Germany means appointing an external person to a statutory officer role under German law, with a written appointment letter, defined reporting line and documented duties. This guide explains the legal basis, the appointment workflow and the operational reality.

Read more
Compliance guidelines for medium-sized companies: templates that withstand regulatory scrutiny
Governance & Compliance22 June 202612 min read

Compliance guidelines for medium-sized companies: templates that withstand regulatory scrutiny

Downloaded Word templates are rarely sufficient for a supervisory audit. This article shows which elements a compliance policy needs in medium-sized companies, how the appointment certificate, proof of training and escalation path are neatly interlinked and how CIVAC provides templates in a version-specific manner.

Read more
Compliance audit in medium-sized companies: Checklist 2026 for management and representatives
Governance & Compliance22 June 202614 min read

Compliance audit in medium-sized companies: Checklist 2026 for management and representatives

This 2026 checklist shows medium-sized companies step by step which 14 subject areas a compliance audit covers, which documents must be available and how the platform documentation reduces the effort.

Read more
Building a tax compliance management system: Seven building blocks according to IDW PS 980
Governance & Compliance22 June 202613 min read

Building a tax compliance management system: Seven building blocks according to IDW PS 980

A tax compliance management system only protects against criminal proceedings if all seven basic elements according to IDW PS 980 are implemented and documented. The application decree for Section 153 AO expressly recognises the Tax CMS as an indication of intent.

Read more
Kerberos Compliance: Check authentication, prove risks, pass audit
Governance & Compliance22 June 202612 min read

Kerberos Compliance: Check authentication, prove risks, pass audit

Kerberos is the silent backbone of many Active Directory environments. Reviewers ask about key lengths, ticket lifetimes, and Kerberoasting protection. This article shows what evidence ISO 27001:2022 and NIS-2 expect from you and how you can file it in a structured manner.

Read more
Governance, Risk and Compliance: How GRC becomes an operational discipline
Governance & Compliance22 June 202612 min read

Governance, Risk and Compliance: How GRC becomes an operational discipline

Governance, risk and compliance only works if the appointment certificate, risk register and audit evidence live in the same system. This article shows how GRC according to ISO 37301 and ISO 31000 is managed as an operational process, not as a slide carousel.

Read more
Compliance consulting 2026: When the workshop is enough and when a representative has to take over
Governance & Compliance21 June 202613 min read

Compliance consulting 2026: When the workshop is enough and when a representative has to take over

Compliance consulting often promises strategy and delivers PowerPoint. This article explains which form of delivery fulfils which obligation, how you differentiate between consultants, platforms and agents and how you measure audit robustness.

Read more
Who needs a compliance officer in the company: duty, thresholds, risk
Governance & Compliance21 June 202612 min read

Who needs a compliance officer in the company: duty, thresholds, risk

There is only an explicit obligation to appoint a compliance officer in a few industries. In fact, Section 130 OWiG forces every management to supervise. This article specifically explains who is responsible and when.

Read more
Outsourced DPO: When an External Data Protection Officer Outperforms an Internal Hire
Data Protection & Privacy21 June 202613 min read

Outsourced DPO: When an External Data Protection Officer Outperforms an Internal Hire

An outsourced DPO covers GDPR Article 37 duties, breach reporting under Article 33, and evidence files for supervisory authorities. This guide explains scope, cost ranges, and how an external DPO integrates with German labour law and works alongside the information security officer.

Read more
GDPR Compliance Software for German Mid Market in 2026: A Practical Buyer Guide
Data Protection & Privacy21 June 202613 min read

GDPR Compliance Software for German Mid Market in 2026: A Practical Buyer Guide

GDPR enforcement against the German Mittelstand has intensified since the federal coordinated audit of 2025. This buyer guide shows what a modern compliance platform must deliver: records, breach pipelines, residency, officer workflows, and signed records of authority.

Read more
External DPO in Germany: When You Must Appoint One and How to Do It Properly
Data Protection & Privacy21 June 202612 min read

External DPO in Germany: When You Must Appoint One and How to Do It Properly

Germany has the strictest national rule for appointing a data protection officer in the European Union. This guide explains the legal thresholds, the documentation a supervisory authority expects, and how an external DPO model under CIVAC removes the bottleneck without diluting accountability.

Read more
Becoming an internal data protection officer: qualification, appointment and proof according to GDPR
Data Protection & Privacy20 June 202613 min read

Becoming an internal data protection officer: qualification, appointment and proof according to GDPR

If you want to become a data protection officer in your own company, you need more than an online course. Art. 37 GDPR and Section 38 BDSG require specialist knowledge, independence and a verifiable appointment certificate. This guide shows the path from the employee to the appointed internal DPO.

Read more
Alternative to other providers: When data protection needs more than one module
Data Protection & Privacy20 June 202612 min read

Alternative to other providers: When data protection needs more than one module

another provider covers data protection solidly. But medium-sized businesses and KRITIS companies need ISB, ISMS, NIS-2 notifications and appointment certificates in the same system. This comparison shows when a single tool is enough and when an integrated platform is the better choice.

Read more
External data protection officer in medium-sized companies: prices, services and the CIVAC approach
Data Protection & Privacy20 June 202614 min read

External data protection officer in medium-sized companies: prices, services and the CIVAC approach

Prices for external data protection officers vary between 350 and 2,400 euros per month in medium-sized businesses. This article explains the factors, the cost traps and the CIVAC model as a compliance platform and officer-as-a-service.

Read more
Have a GDPR audit carried out: costs, scope of services and pitfalls in 2026
Data Protection & Privacy20 June 202613 min read

Have a GDPR audit carried out: costs, scope of services and pitfalls in 2026

A GDPR audit is more than a checklist. If you want to estimate costs realistically, you must understand the scope, method and depth of evidence. This article classifies typical price ranges and shows how follow-up costs can be avoided.

Read more
DSB software: What a data protection officer really needs today
Data Protection & Privacy20 June 202612 min read

DSB software: What a data protection officer really needs today

DSB software does not replace an appointment certificate, but it makes the difference between filing cabinets and audit resistance. This article shows which modules Articles 30, 33 and 35 GDPR actually require, how good platforms can be identified and how CIVAC closes the gap between tool and mandate.

Read more
AI Compliance Officer Services in Germany: An English Guide for International Operators
Governance & Compliance20 June 202613 min read

AI Compliance Officer Services in Germany: An English Guide for International Operators

International companies operating in Germany need an AI compliance officer who works in English yet documents in German for the regulator. This guide explains the legal frame, deliverables, and how to engage one in 2026.

Read more
German Compliance Requirements for US Subsidiaries: The Officer Map
Governance & Compliance20 June 202612 min read

German Compliance Requirements for US Subsidiaries: The Officer Map

A US parent that incorporates a German GmbH inherits a stack of mandatory officer roles, hard deadlines and personal-liability rules that have no direct US counterpart. This guide maps the obligations, the fines and the operating model that keeps the German entity audit-ready without expanding US headcount.

Read more
Order processing contract according to Art. 28 GDPR: submission and obligations
Data Protection & Privacy19 June 202612 min read

Order processing contract according to Art. 28 GDPR: submission and obligations

An AVV template is more than a form. It is documented proof that you, as the controller, have your processors under control. This article explains mandatory components according to Art. 28 GDPR and shows the way to audit-proof documentation.

Read more
Create a processing list in accordance with Art. 30 GDPR: step-by-step guide
Data Protection & Privacy19 June 202613 min read

Create a processing list in accordance with Art. 30 GDPR: step-by-step guide

The processing directory is the central proof requirement according to Art. 30 GDPR. This guide shows which fields are mandatory, how a VVT can be set up in less than two weeks and which templates the supervisory authority accepts.

Read more
GDPR advice 2026: What companies really need instead of templates
Data Protection & Privacy19 June 202612 min read

GDPR advice 2026: What companies really need instead of templates

GDPR advice is often delivered as a PDF bundle. It is only effective when recommendations result in appointment certificates, a TOM register, a 72-hour reporting path and auditable evidence in the workspace. The article shows how reliable advice can be recognised.

Read more
GDPR and personal data: definition, obligations, evidence
Data Protection & Privacy19 June 202613 min read

GDPR and personal data: definition, obligations, evidence

Personal data is not a legal special case, but your daily reality. Anyone who underestimates the definition risks fines according to Art. 83 GDPR. This guide organises the obligations and shows the way to verifiable documentation.

Read more
Federal Data Protection Act 2026: Obligations, thresholds, appointment certificate
Data Protection & Privacy19 June 202613 min read

Federal Data Protection Act 2026: Obligations, thresholds, appointment certificate

The Federal Data Protection Act specifies the GDPR in Germany and requires a data protection officer for groups of 20 or more people. This article explains thresholds, fines, ordering obligations and what evidence is required in the audit.

Read more
Occupational health care G 25 for computer work: compulsory, offered and desired care separated out
Occupational Medicine18 June 202612 min read

Occupational health care G 25 for computer work: compulsory, offered and desired care separated out

G 25 is a DGUV precautionary recommendation for computer work. According to the Occupational Health Prevention Ordinance, it is mandatory as a precautionary measure. The article organises the occasions, content, documentation and the interface to the company medical reporting line.

Read more
Carrying out internal audits ISO 9001: checklist, process and templates for the QMB
Quality Management18 June 202614 min read

Carrying out internal audits ISO 9001: checklist, process and templates for the QMB

ISO 9001:2015 Section 9.2 requires internal audits at scheduled intervals, with a documented program, qualified auditors and tracked actions. This checklist guides you through the program, plan, implementation, report and follow-up activities, with mandatory questions, templates and typical findings.

Read more
QM auditor in Germany: role, qualifications and tasks in the ISO 9001 audit
Quality Management18 June 202613 min read

QM auditor in Germany: role, qualifications and tasks in the ISO 9001 audit

The QM auditor checks whether the quality management system according to ISO 9001:2015 is actually being implemented. This article explains qualifications, types of audits, obligations and the interface to the quality management representative in industrial and service companies.

Read more
Real estate appraiser: qualifications, order types and compliance requirements 2026
Expert Assessors18 June 202612 min read

Real estate appraiser: qualifications, order types and compliance requirements 2026

Choosing a real estate appraiser sounds like a purely valuation question. In fact, valuation standards, money laundering prevention, ESG reporting and data protection collide in every order. This article classifies the qualifications, the most common types of orders and the documentation requirements of the client.

Read more
HinSchG and the Federal Council: The long road to the whistleblower protection law and its operational obligations
Whistleblower Protection18 June 202613 min read

HinSchG and the Federal Council: The long road to the whistleblower protection law and its operational obligations

The Federal Council blocked the HinSchG in February 2023. The Mediation Committee reached an agreement in May 2023, and the law came into force on July 2, 2023. This article organises the genesis and names the duties that are ongoing today.

Read more
GDPR Consulting in Germany: How Foreign Headquarters Stay Audit-Ready
Datenschutz & Privacy18 June 202613 min read

GDPR Consulting in Germany: How Foreign Headquarters Stay Audit-Ready

GDPR consulting in Germany goes beyond translation. You need a designated DPO under Art. 37, a written appointment, and a documented 72-hour breach workflow. This guide explains the legal floor, the operational reality, and the dual delivery model.

Read more
When Is a DPO Mandatory Under GDPR: The Four Triggers Explained
Datenschutz & Privacy18 June 202612 min read

When Is a DPO Mandatory Under GDPR: The Four Triggers Explained

Article 37 GDPR sets three independent triggers for a mandatory Data Protection Officer. In Germany, Section 38 BDSG adds a fourth. This article explains each criterion with thresholds, examples, and the documentation a supervisory authority will ask for.

Read more
Foreign Trade and Product Conformity: Customs, Export-Control and CE Officers
Foreign Trade17 June 202619 min read

Foreign Trade and Product Conformity: Customs, Export-Control and CE Officers

Practical guide for German businesses on appointing Customs, Export-Control, and CE Officers. Learn about legal bases, duties, and personal liability.

Read more
Youth Protection Officer, Anti-Discrimination Body and Trainer: Company Duties
Governance & ESG17 June 202614 min read

Youth Protection Officer, Anti-Discrimination Body and Trainer: Company Duties

Ensure compliance in Germany. Learn about mandatory corporate roles: Youth Protection Officers, AGG complaints bodies, and qualified trainers.

Read more
Outsourcing and Internal-Audit Officers under KWG, MaRisk and VAG
Financial Compliance17 June 202619 min read

Outsourcing and Internal-Audit Officers under KWG, MaRisk and VAG

Understand the regulatory requirements, duties, and liability of outsourcing and internal-audit officers under KWG, MaRisk, VAG, and DORA in Germany.

Read more
Supplier Auditor: Mandate, Methods, and the German Legal Frame
Audits & Suppliers17 June 202613 min read

Supplier Auditor: Mandate, Methods, and the German Legal Frame

A supplier auditor verifies that vendors meet contractual, regulatory, and ESG obligations. Under the German Lieferkettensorgfaltspflichtengesetz (LkSG), the EU CSDDD, and ISO 19011:2018, the function has moved from optional to evidence-bearing.

Read more
Construction manager and VOB: duties, interfaces and audit-proof documentation
Construction & SiGeKo17 June 202613 min read

Construction manager and VOB: duties, interfaces and audit-proof documentation

The VOB regulates the awarding and execution of public and larger private construction work. Anyone who supervises VOB orders as a construction manager has to deal with the award protocol, construction diary, acceptance documentation and safety obligations. This article systematizes the obligations and shows operational documentation practice.

Read more
HinSchG and BMJV: Responsibilities, interpretations and operational consequences for reporting offices
Whistleblower Protection17 June 202612 min read

HinSchG and BMJV: Responsibilities, interpretations and operational consequences for reporting offices

The Federal Ministry of Justice is responsible for the Whistleblower Protection Act. Which interpretations does the BMJV publish? How do they affect companies with an internal reporting office? This article organises the publications, clarifies the interface to the Federal Reporting Office at the BfJ and shows what the interpretations mean for the appointment certificate.

Read more
Real estate appraiser: What does an appraisal cost and when is it worth it?
Expert Assessors17 June 202612 min read

Real estate appraiser: What does an appraisal cost and when is it worth it?

A real estate report by an expert costs between a few hundred and several thousand euros, depending on the scope and value of the property. This article explains fee structures, reasons and what owners and compliance officers should pay attention to when making their selection.

Read more
ISO 9001 Consulting in Germany: How to Choose, Scope, and Run Engagements
Quality Management17 June 202612 min read

ISO 9001 Consulting in Germany: How to Choose, Scope, and Run Engagements

ISO 9001:2015 remains the most common management system certification in Germany. Selecting a consultancy that delivers an audit-ready QMS, not paperwork, is a procurement discipline. This guide covers scoping, fees, deliverables, and the role of a Quality Officer.

Read more
Transfusion, Transplantation and Medical-Device Officers in Hospitals
Healthcare & Pharma16 June 202615 min read

Transfusion, Transplantation and Medical-Device Officers in Hospitals

A guide to the legal duties, training, and liability risks for Transfusion, Transplantation, and Medical-Device Safety Officers in German hospitals.

Read more
Occupational Safety16 June 202616 min read

Coordinating Construction Sites and Contractors: SiGeKo and Contractor Coordinator

Learn when and how German companies must appoint a SiGeKo or Contractor Coordinator to meet strict health, safety, and BaustellV compliance standards.

Read more
Quality management representative: tasks, duties and position according to ISO 9001:2015
Quality Management16 June 202613 min read

Quality management representative: tasks, duties and position according to ISO 9001:2015

With ISO 9001:2015, the obligation to appoint a quality management representative has been formally eliminated. In practice, the role remains standard. This article organises tasks, qualifications, orders and interfaces.

Read more
Calculate company doctor deployment time according to DGUV regulation 2: basic care, company-specific share, documentation
Occupational Medicine16 June 202612 min read

Calculate company doctor deployment time according to DGUV regulation 2: basic care, company-specific share, documentation

DGUV regulation 2 regulates the working hours of company doctors and occupational safety specialists. This article explains the calculation according to Appendix 2, the division into basic care and company-specific care and the obligation to provide written documentation.

Read more
Company doctor requirement: who needs it, when and to what extent
Occupational Medicine16 June 202612 min read

Company doctor requirement: who needs it, when and to what extent

The obligation to have a company doctor applies to practically every employer in Germany. This article explains the legal basis, the operating times according to DGUV regulation 2, the occupational health care according to ArbMedVV and how CIVAC makes the order operational with the platform and Officer-as-a-Service.

Read more
AGG training for employees online: Mandatory, content and evidence in the audit
Equality & AGG16 June 202613 min read

AGG training for employees online: Mandatory, content and evidence in the audit

According to Section 12 Paragraph 2 AGG, AGG training is mandatory for employers of all sizes. This article clarifies the legal framework, mandatory content, requirements for online formats, documentation requirements and the interface to the complaints office in accordance with Section 13 AGG.

Read more
Whistleblower protection for 50 or more employees: obligation, deadline and reporting point
Equality & AGG16 June 202613 min read

Whistleblower protection for 50 or more employees: obligation, deadline and reporting point

The Whistleblower Protection Act (HinSchG) requires companies with 50 or more employees to set up an internal reporting office. The article explains the scope, technical requirements, deadlines and fines of up to 50,000 euros.

Read more
Load-Securing Officer: Duties under VDI 2700 et seq.
Occupational Safety15 June 202617 min read

Load-Securing Officer: Duties under VDI 2700 et seq.

Discover the legal duties of a Load-Securing Officer under VDI 2700 and § 22 StVO. Learn how to legally delegate liability and avoid heavy corporate fines.

Read more
Competent Person for Inspecting Cranes, Pressure Equipment and Lifts
Inspection Duties15 June 202617 min read

Competent Person for Inspecting Cranes, Pressure Equipment and Lifts

Discover the legal duties, training rules, and liability risks for appointing a Competent Person for cranes, lifts and pressure equipment under BetrSichV.

Read more
Internal security measures according to Section 6 GwG: Implement obligations operationally
Anti-Money Laundering15 June 202613 min read

Internal security measures according to Section 6 GwG: Implement obligations operationally

Section 6 of the GwG obliges banks, insurers, goods traders and many service providers to introduce internal security measures. This article explains what the standard specifically requires, which structures are typically missing, how risk management, employee screening and suspicious activity reports are properly documented and when an external money laundering officer makes sense.

Read more
Money laundering prevention: What Section 7 GwG really requires of medium-sized businesses
Anti-Money Laundering15 June 202612 min read

Money laundering prevention: What Section 7 GwG really requires of medium-sized businesses

The Money Laundering Act covers far more companies than most management assume. Anyone who is obliged according to Section 2 of the GwG must have an appointed person in accordance with Section 7 of the GwG, due diligence obligations in accordance with Section 10 of the GwG and a suspicious transaction report to the FIU. Audit proof, documented.

Read more
External Fire Protection Officer in Germany: Mandate, Duties and Service Model
Fire Safety15 June 202612 min read

External Fire Protection Officer in Germany: Mandate, Duties and Service Model

International companies operating sites in Germany must appoint a Brandschutzbeauftragter when their building permit, insurer or risk profile requires it. An external fire protection officer fulfils that mandate on a service basis. This article explains the legal basis, the duties and the operational model.

Read more
Create an escape plan: Obligations according to ASR A2.3 and DIN ISO 23601 are clearly implemented
Fire Safety15 June 202612 min read

Create an escape plan: Obligations according to ASR A2.3 and DIN ISO 23601 are clearly implemented

An escape plan is not a graphic, but a safety measure according to ArbStättV § 4 and ASR A2.3. We show the structure according to DIN ISO 23601, the role of the fire protection officer and how a workspace carries the obligation to update.

Read more
Fire protection officer in the office: When the business is obliged to appoint one
Fire Safety15 June 202613 min read

Fire protection officer in the office: When the business is obliged to appoint one

Pure offices are not automatically exempt from the order requirement. This article clarifies from which sources the obligation for commercial office space follows, what requirements insurers and building inspectors impose, what qualifications the fire protection officer needs and how the role is managed in a verifiable manner.

Read more
AML Officer Services for Financial Institutions in Germany: External Appointment, Scope, Cost
Geldwäscheprävention15 June 202614 min read

AML Officer Services for Financial Institutions in Germany: External Appointment, Scope, Cost

Section 7 GwG requires obliged entities in the German financial sector to appoint a money laundering officer (Geldwaeschebeauftragter). External AML officer services keep the mandate audit-fest under BaFin supervision without expanding the internal headcount.

Read more
Aviation Security Officer: Appointment and Duties under LuftSiG
Security & Compliance14 June 202616 min read

Aviation Security Officer: Appointment and Duties under LuftSiG

Learn the appointment process, training requirements, and liability risks for Aviation Security Officers under Section 9 LuftSiG in Germany.

Read more
Competent Person for Inspecting Ladders, Scaffolds and Storage Systems (§ 14 BetrSichV)
Inspection Duties14 June 202616 min read

Competent Person for Inspecting Ladders, Scaffolds and Storage Systems (§ 14 BetrSichV)

Ensure compliance with § 14 BetrSichV. Learn the legal duties, training requirements, and liability risks for competent persons inspecting German work equipment

Read more
Occupational Safety Specialist Services in Germany: A Buyer Guide
Occupational Safety14 June 202612 min read

Occupational Safety Specialist Services in Germany: A Buyer Guide

International employers operating in Germany must appoint a Fachkraft für Arbeitssicherheit under § 5 ASiG. This guide explains the legal duty, DGUV Vorschrift 2 hours, internal versus external models, and how CIVAC delivers Officer-as-a-Service with audit-ready evidence.

Read more
ASA meeting: Minutes template according to Section 11 ASiG with a verifiable structure
Occupational Safety14 June 202612 min read

ASA meeting: Minutes template according to Section 11 ASiG with a verifiable structure

According to Section 11 ASiG, the occupational safety committee must meet at least quarterly. The meeting minutes are the central evidence. This article shows the mandatory fields, typical gaps and a testable structure for the template.

Read more
Commission an occupational safety service provider: legal basis, selection criteria, ordering method
Occupational Safety14 June 202612 min read

Commission an occupational safety service provider: legal basis, selection criteria, ordering method

Occupational safety requires an appointed occupational safety specialist. If you don't employ your own SiFa, you hire an external service provider. This article explains ASiG, DGUV regulation 2, the obligation to order from the first employee, operating times and a clear ordering process from contract to audit evidence.

Read more
German Hazmat Officer Services: From Statutory Duty to Auditable Operation
Hazardous Substances & Occupational Health14 June 202613 min read

German Hazmat Officer Services: From Statutory Duty to Auditable Operation

German hazardous substances law is not optional and not waivable. This guide shows how international operators can appoint a qualified officer, document the appointment correctly, and run a hazardous substances operation that holds up under inspection.

Read more
Hazardous substances officer: training, duration, costs and duties at a glance
Hazardous Substances & Occupational Health14 June 202613 min read

Hazardous substances officer: training, duration, costs and duties at a glance

Anyone who stores, uses or transports hazardous substances needs a qualified responsible person. This article explains the legal basis, duration of training, typical content, costs and the alternative of an external hazardous substances officer.

Read more
External ISO 9001 Quality Manager in Germany: When to Outsource the QMB Role
Qualitätsmanagement14 June 202613 min read

External ISO 9001 Quality Manager in Germany: When to Outsource the QMB Role

An external ISO 9001 quality manager in Germany must meet the same formal appointment requirements as an internal QMB. This article explains role, liability, audit chain and how CIVAC delivers an appointed quality manager with workspace access in 2 business days.

Read more
Human Rights Officer under the German Supply Chain Act (LkSG)
Governance & ESG13 June 202618 min read

Human Rights Officer under the German Supply Chain Act (LkSG)

Learn the legal duties, qualification criteria, and liability risks of a Human Rights Officer under Section 4 Paragraph 3 of the German Supply Chain Act.

Read more
Biological Safety and Infection Control: Biosafety Officer and Infection Control Officer
Healthcare13 June 202615 min read

Biological Safety and Infection Control: Biosafety Officer and Infection Control Officer

Understand the German legal requirements, liabilities, and training intervals for Biosafety Officers and Infection Control Officers to protect your business.

Read more
TRGS 510 in small businesses: Which storage requirements really apply and from what quantity
Hazardous Substances & Occupational Health13 June 202612 min read

TRGS 510 in small businesses: Which storage requirements really apply and from what quantity

TRGS 510 regulates the storage of hazardous substances in portable containers. This article explains the quantity from which which obligation applies, which substances may not be stored together and how a small business keeps the documentation in an audit-proof manner.

Read more
Hazardous substances register: Obligations, contents and audit-proof management in accordance with Section 6 GefStoffV
Hazardous Substances & Occupational Health13 June 202613 min read

Hazardous substances register: Obligations, contents and audit-proof management in accordance with Section 6 GefStoffV

Section 6 of the Hazardous Substances Ordinance requires a list of all hazardous substances used in the company with defined mandatory information. Anyone who keeps the cadastre as an Excel list will fail at the latest when updating it. This article shows what has to go in, how it is managed and what the evidence is in tests.

Read more
ISO 14001 Consulting in Germany: Scoping, Implementation, and Audit Preparation
Environmental Protection13 June 202613 min read

ISO 14001 Consulting in Germany: Scoping, Implementation, and Audit Preparation

ISO 14001:2015 has 18,000 certified sites in Germany. A consultant either accelerates the path to certification or duplicates work your environmental officer already owns. This guide separates the two and shows what to expect at each stage.

Read more
Immission control officer duty: What Section 53 BImSchG operationally requires
Environmental Protection13 June 202612 min read

Immission control officer duty: What Section 53 BImSchG operationally requires

Section 53 BImSchG obliges operators of certain systems requiring approval to appoint an emissions control officer. The 5th BImSchV regulates who is covered by the obligation. This article explains the application, tasks, order and audit trail, without official jargon and with reference to the tasks of the environmental protection officer.

Read more
Introduce ISO 50001: Energy management system in eight steps to certification
Environmental Protection13 June 202613 min read

Introduce ISO 50001: Energy management system in eight steps to certification

An ISO 50001 system is not an audit, but an ongoing task. Anyone who introduces the standard in eight steps will gain tax advantages, eligibility for funding and verifiable energy controlling. This post provides the operational order.

Read more
Pharmaceutical Information and Graded-Plan Officers under the German AMG
Healthcare & Pharma12 June 202618 min read

Pharmaceutical Information and Graded-Plan Officers under the German AMG

Discover the legal duties, qualification criteria, and liability risks for Pharmaceutical Information and Graded-Plan Officers under the German AMG.

Read more
Fire Safety Assistants and Evacuation Marshals: Duties under ASR A2.2
Fire Safety12 June 202615 min read

Fire Safety Assistants and Evacuation Marshals: Duties under ASR A2.2

Understand your legal duties for fire safety assistants and evacuation marshals under ASR A2.2 and DGUV. Ensure compliance and protect your business.

Read more
Environmental representative duty: who has to order, when, with what consequences
Environmental Protection12 June 202612 min read

Environmental representative duty: who has to order, when, with what consequences

The obligation to appoint environmental officers does not arise from a uniform law, but from four special regimes: pollution control, waste, water, dangerous goods. Anyone who operates systems without an order risks fines of up to 50,000 euros per violation.

Read more
Germany's Supply Chain Act (LkSG): Obligations, BAFA Enforcement and Operational Playbook
Supply Chain12 June 202613 min read

Germany's Supply Chain Act (LkSG): Obligations, BAFA Enforcement and Operational Playbook

The Lieferkettensorgfaltspflichtengesetz (LkSG) requires German companies above defined thresholds to run human-rights and environmental due diligence across their supply chains. This article maps every operational obligation, the BAFA enforcement model, and the interface with the upcoming CSDDD.

Read more
EUDR 2026: Deforestation-free supply chain mandatory for German importers
Supply Chain12 June 202613 min read

EUDR 2026: Deforestation-free supply chain mandatory for German importers

From December 30, 2026, seven raw materials may only be imported into the EU if deforestation-free production has been proven since December 31, 2020. This article clarifies the due diligence requirements, the distinction from the LkSG, the geolocation requirement and the fines of up to 4 percent of EU turnover.

Read more
Supplier audit sustainability: process, obligations and auditable documentation according to LkSG and CSRD
Supply Chain12 June 202613 min read

Supplier audit sustainability: process, obligations and auditable documentation according to LkSG and CSRD

A supplier sustainability audit is not a questionnaire, but a structured process according to LkSG § 7 and CSRD. This article describes the seven phases, the duties of the representatives and how you can document findings and measures in an audit-proof manner.

Read more
LkSG reporting obligation: When does it apply to you and how do you fulfil it
Supply Chain12 June 202613 min read

LkSG reporting obligation: When does it apply to you and how do you fulfil it

Since 2023, companies with 3,000 or more employees, and since 2024 with 1,000 or more employees, have been subject to the LkSG. The annual report to BAFA follows clear deadlines and structures. This guide shows thresholds, components and the path to an auditable reporting practice.

Read more
Fire Safety Officer Services in Germany for English-Speaking Companies
Brandschutz12 June 202614 min read

Fire Safety Officer Services in Germany for English-Speaking Companies

International companies operating in Germany must appoint a Brandschutzbeauftragter under § 10 ArbSchG and ASR A2.2. This article explains the legal basis, scope, costs and how CIVAC delivers the role with English-language reporting.

Read more
Risk Management Officer: Duties and Organisational Role
Governance & ESG11 June 202619 min read

Risk Management Officer: Duties and Organisational Role

Master the duties, legal basis, and liability risks of the German Risk Management Officer under AktG, KonTraG, and StaRUG in this complete guide.

Read more
Compressed Air and Explosives: Responsible and Competent Persons
Occupational Safety11 June 202617 min read

Compressed Air and Explosives: Responsible and Competent Persons

Learn the legal requirements, duties, and fine risks for appointing compressed air and explosives officers in Germany under DruckLV and SprengG.

Read more
LkSG report to BAFA: Guidelines for filling out, providing evidence and submitting
Supply Chain11 June 202613 min read

LkSG report to BAFA: Guidelines for filling out, providing evidence and submitting

The LkSG annual report to BAFA is a mandatory part of the due diligence obligations according to Sections 10 and 12 LkSG. This guide organises the catalogue of questions, shows the most common sources of error and describes an audit-proof workflow from risk analysis to submission.

Read more
NIS-2 Implementation Consulting for the Mid-Market: A Twelve-Week Operational Roadmap
IT Security & NIS-211 June 202613 min read

NIS-2 Implementation Consulting for the Mid-Market: A Twelve-Week Operational Roadmap

Around 29,500 companies in Germany fall under NIS-2. Mid-market firms with 50 to 5,000 employees rarely need another gap analysis. They need an appointed information security officer, an ISMS that produces audit-grade evidence and a tested 24-hour incident path.

Read more
IT security officer: role, order and operational reality
IT Security & NIS-211 June 202612 min read

IT security officer: role, order and operational reality

The IT security officer combines technical risks with supervisory duties and a reporting line to management. This article shows the tasks, the legal implications, the typical filling questions and how CIVAC makes the role fillable with a platform and officer-as-a-service.

Read more
Order ISB: Obligation, suitability, appointment certificate and cost framework
IT Security & NIS-211 June 202613 min read

Order ISB: Obligation, suitability, appointment certificate and cost framework

Ordering an ISB has been mandatory for around 29,500 companies in Germany since the NIS 2 Implementation Act came into force. This article explains suitability, scope of tasks, appointment certificate, reporting line and realistic cost framework for internal and external orders.

Read more
IT risk analysis according to NIS-2: method, steps and evidence
IT Security & NIS-211 June 202613 min read

IT risk analysis according to NIS-2: method, steps and evidence

Section 30 NIS2UmsuCG obliges affected companies to carry out a documented risk analysis. The article describes step by step how to capture, assess and treat assets, threats, protection objectives and risks, including the interface to ISO/IEC 27005.

Read more
Occupational Safety Consulting in Germany: Roles, Duties, and the External Specialist
Arbeitssicherheit11 June 202612 min read

Occupational Safety Consulting in Germany: Roles, Duties, and the External Specialist

Occupational safety consulting in Germany is regulated by the ASiG, the DGUV Vorschrift 2 and a body of technical rules. This article explains the legal framework, the practical scope of an external safety specialist and how to document the mandate.

Read more
Ship Security Officer and Maritime Security under the ISPS Code
Security & Compliance10 June 202615 min read

Ship Security Officer and Maritime Security under the ISPS Code

A practical guide to the legal duties, training, and liability of Ship Security Officers (SSO) and Company Security Officers (CSO) under German maritime law.

Read more
Qualified Electrician and Inspection of Electrical Installations under DGUV V3
Inspection Duties10 June 202615 min read

Qualified Electrician and Inspection of Electrical Installations under DGUV V3

Ensure compliance with DGUV V3 and ASR A3.4 by correctly appointing a VEFK and lighting competent person. Avoid heavy management liability and fines.

Read more
ADR 2023 from Verkehrsverlag Fischer: content, use, obligations
Dangerous Goods & Logistics10 June 202612 min read

ADR 2023 from Verkehrsverlag Fischer: content, use, obligations

The ADR 2023, published by Verkehrsverlag Fischer, brings together the European agreement on the transport of dangerous goods by road. The article explains the structure, changes compared to predecessors, transition periods to ADR 2025 and the specific obligations that arise from this for senders, carriers and recipients.

Read more
ADR exam questions basic course: What drivers need to know and what protects the entrepreneur
Dangerous Goods & Logistics10 June 202611 min read

ADR exam questions basic course: What drivers need to know and what protects the entrepreneur

The ADR basic course concludes with 30 multiple-choice questions and is a prerequisite for the transport of dangerous goods above certain quantities according to Section 6 GbV. Anyone who does not systematically document the training environment risks more than just the individual certificate.

Read more
Exam questions ADR basic course: structure, topics and operational consequences
Dangerous Goods & Logistics10 June 202612 min read

Exam questions ADR basic course: structure, topics and operational consequences

The ADR basic course is the basis of every dangerous goods driver certificate according to ADR 8.2. This article explains the structure, typical examination questions, examination mode at the IHK, repetition obligations - and the role of the dangerous goods representative according to the GbV in the background.

Read more
UN 1965 in ADR: Liquefied gas transport between class 2.3 and § 23 GGVSEB
Dangerous Goods & Logistics10 June 202612 min read

UN 1965 in ADR: Liquefied gas transport between class 2.3 and § 23 GGVSEB

UN 1965 means hydrocarbon gas, liquefied, n.o.s. Anyone who loads in Germany falls under ADR Class 2 and Section 9 GGVSEB. We classify the classification, transport documents and duties of the dangerous goods officer.

Read more
Dangerous goods officer: Obligation to order, tasks and external solution according to GbV and ADR
Dangerous Goods & Logistics10 June 202613 min read

Dangerous goods officer: Obligation to order, tasks and external solution according to GbV and ADR

As soon as your company transports, packs, loads or ships dangerous goods, the obligation to order in accordance with the Hazardous Goods Officer Ordinance applies. This article explains threshold values, tasks, annual reports, training, liability and the requirements for an external solution in medium-sized companies.

Read more
CSRD Double Materiality Assessment Template: Structure, Inputs, Audit Trail
Umweltschutz10 June 202614 min read

CSRD Double Materiality Assessment Template: Structure, Inputs, Audit Trail

A double materiality assessment is the entry point to CSRD reporting. This article walks through the template structure, the inputs auditors expect, and how to build a defensible audit trail under ESRS 1 and ESRS 2.

Read more
Safety Delegate (Sicherheitsbeauftragter): Duties and Appointment under § 22 SGB VII
Occupational Safety9 June 202617 min read

Safety Delegate (Sicherheitsbeauftragter): Duties and Appointment under § 22 SGB VII

Learn when and how to appoint a Safety Delegate (Sicherheitsbeauftragter) under § 22 SGB VII and manage occupational health and safety compliance.

Read more
Energy Management Officer under ISO 50001 and the German EnEfG
Environment & Energy9 June 202619 min read

Energy Management Officer under ISO 50001 and the German EnEfG

A compliance guide for the Energy Management Officer in Germany under ISO 50001 and EnEfG, detailing thresholds, duties, liability, and software.

Read more
Transport of dangerous goods: ADR obligations, exemptions and the role of the dangerous goods officer
Dangerous Goods & Logistics9 June 202612 min read

Transport of dangerous goods: ADR obligations, exemptions and the role of the dangerous goods officer

Anyone who transports dangerous goods or has them transported is part of a dense network of ADR, GGVSEB and GbV. This article explains classes, exemptions, shipper's obligations and the role of the dangerous goods officer.

Read more
ISO 27001 Implementation: A Practical Path Through the 2022 Revision
IT Security & NIS-29 June 202613 min read

ISO 27001 Implementation: A Practical Path Through the 2022 Revision

Implementing ISO/IEC 27001:2022 is not a documentation exercise. It is the construction of an Information Security Management System that produces evidence on demand. This article maps the implementation steps, the 93 Annex A controls, and the typical pitfalls.

Read more
ISO 27001 Consulting in Germany: Scope, 2022 Transition, NIS-2 Alignment
IT Security & NIS-29 June 202612 min read

ISO 27001 Consulting in Germany: Scope, 2022 Transition, NIS-2 Alignment

ISO 27001 consulting in Germany combines ISMS architecture, 93 Annex A controls and the operational reality of NIS-2, BDSG and BSI guidance. This guide outlines scope, transition timing to ISO/IEC 27001:2022, certification path and where an external information security officer fits.

Read more
Statement of Applicability ISO 27001: the template as an audit hinge
IT Security & NIS-29 June 202613 min read

Statement of Applicability ISO 27001: the template as an audit hinge

The Statement of Applicability is the most important template in the ISMS. Whoever maintains them passes the audit. Whoever copies them stands out in the sample contrast. This guide shows the structure, maintenance and pitfalls of the 2022 version.

Read more
BSI IT-Grundschutz vs ISO 27001: Which framework suits your organisation
IT Security & NIS-29 June 202613 min read

BSI IT-Grundschutz vs ISO 27001: Which framework suits your organisation

Both frameworks lead to a certifiable ISMS, but solve different problems. This article systematically compares scope, depth, effort and audit logic and provides a decision-making logic for German medium-sized companies.

Read more
CSDDD Consulting: How German Mid-Market Companies Prepare for the EU Supply Chain Directive
Lieferkette9 June 202614 min read

CSDDD Consulting: How German Mid-Market Companies Prepare for the EU Supply Chain Directive

CSDDD consulting helps companies translate the EU Corporate Sustainability Due Diligence Directive into operational supply chain processes. This article explains scope, deliverables, the relationship to LkSG, and what a credible engagement looks like.

Read more
Radiation Protection: Laser Safety Officer and Nuclear Safety Officer
Radiation Protection8 June 202618 min read

Radiation Protection: Laser Safety Officer and Nuclear Safety Officer

Learn the legal requirements, qualifications, and operational duties for Laser Safety Officers and Nuclear Safety Officers under German compliance laws.

Read more
First Aid at Work: Appointing and Training First Aiders and Works Paramedics
Occupational Safety8 June 202616 min read

First Aid at Work: Appointing and Training First Aiders and Works Paramedics

Master Germany's workplace first aid compliance. Learn the exact headcounts, training cycles, and liabilities for first aiders and works paramedics.

Read more
DORA Regulation: What the Digital Operational Resilience Act requires of financial companies as of January 17, 2025
IT Security & NIS-28 June 202613 min read

DORA Regulation: What the Digital Operational Resilience Act requires of financial companies as of January 17, 2025

DORA has been directly applicable to financial companies and their ICT service providers since January 17, 2025. The article organises the five pillars, the reporting obligations, the supervision of critical third parties and the bridging to ISO/IEC 27001 along the officer tasks.

Read more
External CISO: When the virtual security officer is the right model
IT Security & NIS-28 June 202613 min read

External CISO: When the virtual security officer is the right model

With NIS-2 and ISO/IEC 27001:2022, the need for strategic security leadership is growing. An external CISO takes on governance, risk and reporting lines to management without having to fill the position internally. This post explains when the model wears and when not.

Read more
DORA regulation: Obligations for banks and financial service providers since January 2025
IT Security & NIS-28 June 202614 min read

DORA regulation: Obligations for banks and financial service providers since January 2025

The DORA regulation has been in effect since January 17, 2025. Banks, insurers and securities firms must manage ICT risk, incident reporting, resilience testing and third-party control according to harmonised rules. This post shows the duties in the order in which they are examined.

Read more
MSCI World ESG comparison: Which ESG variant fits which reporting requirement?
ESG & Sustainability8 June 202612 min read

MSCI World ESG comparison: Which ESG variant fits which reporting requirement?

MSCI offers four ESG variants for the MSCI World alone. Anyone who only makes the comparison based on returns is overlooking the regulatory logic. This article classifies ESG Leaders, ESG Screened, SRI and Climate Paris Aligned according to CSRD, ESRS and SFDR Art. 8 / Art. 9 and shows what this means for your sustainability reporting.

Read more
ESG and EU taxonomy: Who has to report what, when and how the representative carries it out operationally
ESG & Sustainability8 June 202613 min read

ESG and EU taxonomy: Who has to report what, when and how the representative carries it out operationally

The EU taxonomy defines environmentally sustainable economic activities. The CSRD requires reporting. Who in the company provides the data points? This article organises duties, deadlines and responsibilities along the ESRS.

Read more
NIS 2 Compliance in Germany: Operational Playbook for the Information Security Officer
IT-Sicherheit & NIS-28 June 202613 min read

NIS 2 Compliance in Germany: Operational Playbook for the Information Security Officer

The German NIS 2 transposition will apply to roughly 29,500 organisations. This is the operational playbook for the Information Security Officer: registration, governance training, incident reporting, supplier risk, and the BSI evidence cycle.

Read more
Animal Welfare Officer: Appointment and Duties under the German TierSchG
Governance & ESG7 June 202615 min read

Animal Welfare Officer: Appointment and Duties under the German TierSchG

Learn the legal requirements for appointing an Animal Welfare Officer in Germany under TierSchG Section 10 and TierSchVersV. Avoid up to 25,000 Euro fines.

Read more
Explosion Protection and Gas Measurement: Officers and Competent Persons
Hazardous Substances7 June 202616 min read

Explosion Protection and Gas Measurement: Officers and Competent Persons

A comprehensive guide to German occupational safety rules for Explosion Protection Officers and Gas Freeing Competent Persons under GefStoffV and DGUV Rules.

Read more
The best ESG funds: what they measure and what companies learn from them
ESG & Sustainability7 June 202613 min read

The best ESG funds: what they measure and what companies learn from them

Top ESG funds make decisions based on hard data, not image brochures. If a company wants to be included in MSCI ESG Leaders, FTSE4Good or S&P 500 ESG, it needs verifiable evidence according to SFDR, CSRD and ESRS.

Read more
MSCI World Small Cap ESG: Index logic, reporting obligations and consequences for German small caps
ESG & Sustainability7 June 202613 min read

MSCI World Small Cap ESG: Index logic, reporting obligations and consequences for German small caps

ESG indices such as the MSCI World Small Cap ESG Screened or the ESG Leaders Small Cap define which small caps can be invested in sustainable funds. Anyone who wants to remain listed as a medium-sized company or listed small cap must systematically document CSRD, EU taxonomy and controversy screening.

Read more
Vanguard Global ESG All Cap: What the ETF reveals about ESG obligations for companies
ESG & Sustainability7 June 202613 min read

Vanguard Global ESG All Cap: What the ETF reveals about ESG obligations for companies

The Vanguard Global ESG Select All Cap UCITS ETF is an investment product. For listed companies and companies seeking capital, it is also an early indicator: What ESG data does the index require? Who's flying out? This article translates the methodology into concrete requirements for ESG officers, CSRD reports and audit evidence.

Read more
Classifying Deka ESG funds: What investors and compliance officers should know about the SFDR classification
ESG & Sustainability7 June 202612 min read

Classifying Deka ESG funds: What investors and compliance officers should know about the SFDR classification

Deka ESG funds are classified according to the EU Disclosure Regulation SFDR and the Taxonomy Regulation. This article explains the classification according to Articles 6, 8 and 9 SFDR, classifies PAI obligations and shows how companies manage ESG reports in an audit-proof manner.

Read more
Classify Deka ESG: What companies derive from the fund field for their own obligations
ESG & Sustainability7 June 202612 min read

Classify Deka ESG: What companies derive from the fund field for their own obligations

Those looking for Deka ESG are usually looking for guidance in a crowded regulatory field. This article classifies the ESG structures of large fund providers and shows what obligations this creates for companies required to report, from SFDR to CSRD to the supply chain.

Read more
Sales Compliance Officer: Role and Responsibility in Regulated Industries
Governance & ESG6 June 202620 min read

Sales Compliance Officer: Role and Responsibility in Regulated Industries

Understand the duties, appointment rules, and 15-hour training of a German Sales Compliance Officer under VAG Section 48 and GewO Section 34d.

Read more
Hazardous-Substance Expertise: Chemical Trade, Asbestos (TRGS 519) and Separators
Hazardous Substances6 June 202615 min read

Hazardous-Substance Expertise: Chemical Trade, Asbestos (TRGS 519) and Separators

Learn how to appoint and manage competent persons for ChemVerbotsV, TRGS 519, and separator systems to avoid severe personal liability and 50,000 Euro fines.

Read more
DataGuard Alternative for the German Mid Market: A Structured Comparison
Platform & Strategy6 June 202612 min read

DataGuard Alternative for the German Mid Market: A Structured Comparison

Mid-market buyers increasingly look beyond DataGuard for external DPO, ISO 27001 and NIS-2 coverage. This guide explains where the alternatives differ, which capabilities matter under § 130 OWiG, and how to structure a sober evaluation.

Read more
Compliance Platform for the German Mid-Market: Workspace Plus Officer-as-a-Service
Platform & Strategy6 June 202612 min read

Compliance Platform for the German Mid-Market: Workspace Plus Officer-as-a-Service

German mid-market companies face 25-plus mandatory officer roles, NIS-2 reporting windows of 24 and 72 hours, and personal liability for managing directors under § 130 OWiG. A workable platform combines a workspace, audit templates and the option to outsource individual officer mandates.

Read more
Audit software: What a solution has to do that can really withstand audits
Platform & Strategy6 June 202612 min read

Audit software: What a solution has to do that can really withstand audits

Audit software is intended to bundle evidence, meet deadlines and convince auditors. This article shows which functions a serious solution brings, which requirements from GDPR, NIS-2 and ISO/IEC 27001:2022 belong in the tool and why CIVAC combines the workspace with an officer-as-a-service.

Read more
Reducing compliance costs in medium-sized businesses: How digitalization halves the requirements specification
Platform & Strategy6 June 202613 min read

Reducing compliance costs in medium-sized businesses: How digitalization halves the requirements specification

Compliance costs in medium-sized companies rarely arise from the lawyers and agents themselves, but from duplicate work, Excel lists and missing evidence before the audit. This article shows six concrete levers, hard numbers and an implementation plan for the first 90 days.

Read more
CIVAC: The German compliance platform with Officer-as-a-Service
Platform & Strategy6 June 202612 min read

CIVAC: The German compliance platform with Officer-as-a-Service

CIVAC is a compliance platform and officer-as-a-service based in Germany. 25 representative roles are live, 37 audit templates are ready for use, the ISMS follows ISO/IEC 27001:2022. EU data residency is standard, not optional.

Read more
TISAX Certification Process for Automotive Suppliers: A Practical Roadmap
IT-Sicherheit & NIS-26 June 202614 min read

TISAX Certification Process for Automotive Suppliers: A Practical Roadmap

TISAX is the dominant information security label across the European automotive sector. This guide walks suppliers through the assessment levels, the VDA ISA catalogue, the ENX exchange platform and the typical timeline from gap analysis to label issuance.

Read more
Virtual CISO Germany: NIS-2, ISO 27001 and the case for a fractional model
IT-Sicherheit & NIS-26 June 202613 min read

Virtual CISO Germany: NIS-2, ISO 27001 and the case for a fractional model

German mid-sized companies face NIS-2, ISO 27001:2022 transition and EU AI Act obligations without a full-time CISO on payroll. A virtual CISO model provides accountable security leadership with documented mandates, board reporting and audit-ready evidence in the workspace.

Read more
Officer-as-a-Service: Organise ordering duties as a managed service
Platform & Strategy5 June 202612 min read

Officer-as-a-Service: Organise ordering duties as a managed service

Ordering obligations are increasing: GDPR, NIS-2, LkSG, GwG, AGG. Officer-as-a-Service bundles the officer roles in a compliance platform with appointed people, fixed SLAs and audit templates. This article explains the model, its limitations, the cost logic and the interaction with the internal data protection or compliance team.

Read more
Book an external representative as a service: Monthly, cancellable, audit-proof
Platform & Strategy5 June 202612 min read

Book an external representative as a service: Monthly, cancellable, audit-proof

Mandatory representatives no longer have to be purchased for three years. A monthly service model for external DPOs, ISBs, HinSchG reporting offices or fire protection officers combines appointment certificates, workspace and audit templates from the first working day.

Read more
Personal data: definition, categories and obligations according to Art. 4 GDPR
Platform & Strategy5 June 202612 min read

Personal data: definition, categories and obligations according to Art. 4 GDPR

The term personal data determines whether the GDPR applies. This article explains the definition according to Art. 4 No. 1 GDPR, the special categories according to Art. 9, the consequences for the directory, AV contracts and reporting obligations - factually, with paragraphs and examples.

Read more
Hand Hygiene Day 2022: What lessons remain in practice
Health & Hygiene5 June 202612 min read

Hand Hygiene Day 2022: What lessons remain in practice

Hand Hygiene Day 2022 was held under the WHO motto Unite for safety. We look back at what remains in the hygiene plans, what obligations § 23 IfSG stipulates and how a hygiene officer proves compliance today.

Read more
Hygiene in outpatient care: duties, hygiene plan and representative role
Health & Hygiene5 June 202613 min read

Hygiene in outpatient care: duties, hygiene plan and representative role

Outpatient care services range between household, tour and MDK examination. This article explains the hygiene obligations according to IfSG and state law, the role of the hygiene officer, how to set up a workable hygiene plan and how to provide evidence to supervisors and care insurance companies.

Read more
Hygiene in the kitchen: Worksheet, hygiene plan and HACCP mandatory documents according to LMHV
Health & Hygiene4 June 202612 min read

Hygiene in the kitchen: Worksheet, hygiene plan and HACCP mandatory documents according to LMHV

A reliable kitchen hygiene worksheet does not replace a hygiene plan, but it is its operational backbone. This article explains legal obligations, mandatory content and the interface between the training sheet, hygiene plan and HACCP documentation.

Read more
Hygiene checklist for old people's and nursing homes: Obligations according to IfSG and MedHygV
Health & Hygiene4 June 202612 min read

Hygiene checklist for old people's and nursing homes: Obligations according to IfSG and MedHygV

A hygiene checklist in old people's and nursing homes is the central inspection and verification form for hygiene officers, home supervision and the health department. This article shows mandatory fields, test intervals and the most common findings according to IfSG and state hygiene regulations.

Read more
Hygiene and washing hands in the company: obligations, RKI recommendations, audit evidence
Health & Hygiene4 June 202612 min read

Hygiene and washing hands in the company: obligations, RKI recommendations, audit evidence

Hand hygiene is the single most important measure for preventing infections in the workplace. This article shows the legal basis from IfSG and ArbSchG, the RKI recommendations, the duties of the hygiene officer and a clear path to audit-proof documentation.

Read more
Hygiene in the workplace: from notices to audit-proof hygiene operations
Health & Hygiene4 June 202612 min read

Hygiene in the workplace: from notices to audit-proof hygiene operations

Hygiene in the workplace is more than just soap and dispensers. The obligations come from ArbStättV, BioStoffV and IfSG and require a plan, instruction and evidence. This guide shows the path to verifiable hygiene operations.

Read more
Implementing personal hygiene in a legally compliant manner: obligations, training and evidence
Health & Hygiene4 June 202612 min read

Implementing personal hygiene in a legally compliant manner: obligations, training and evidence

Personal hygiene is the first line of defence against contamination, infections and recalls. This article combines IfSG, LMHV and HACCP into an auditable process, shows typical deficiencies in the audit and names the role of the hygiene officer.

Read more
Health department hygiene instructions: when, for whom and at what frequency it must be verifiable
Health & Hygiene3 June 202611 min read

Health department hygiene instructions: when, for whom and at what frequency it must be verifiable

The instructions in accordance with Section 43 IfSG are a prerequisite for any activity with perishable food. The article organises initial and follow-up instructions, retention periods, online procedures and the interface to the hygiene officer into a verifiable file.

Read more
Health department hygiene training: obligations, evidence and deadlines for companies
Health & Hygiene3 June 202612 min read

Health department hygiene training: obligations, evidence and deadlines for companies

From food staff to nursing staff: The health department requires different hygiene training courses with clear legal bases, deadlines and repetition intervals. This article explains what you as an employer have to document and where typical gaps in the audit are noticeable.

Read more
Corporate Compliance Program Template for Germany: Structure, Mandate, and Documentation
Governance & Compliance3 June 202613 min read

Corporate Compliance Program Template for Germany: Structure, Mandate, and Documentation

German law does not prescribe one statutory compliance program, yet § 130 OWiG, the Verbandssanktionengesetz draft, and § 91 AktG converge on the same elements. This template translates the duty of organisational oversight into a workable program structure.

Read more
Compliance Officer Services for Mid-Market Germany: A Practical Buyer Guide
Governance & Compliance3 June 202613 min read

Compliance Officer Services for Mid-Market Germany: A Practical Buyer Guide

Mid-market companies in Germany face the same compliance burden as DAX corporates but rarely have the headcount. This guide covers the legal basis under § 130 OWiG, scope of an external compliance officer, typical price ranges and how to evidence the mandate to auditors and prosecutors.

Read more
AI Act Compliance Obligations from August 2026: What General-Purpose and High-Risk Providers Must Deliver
Governance & Compliance3 June 202613 min read

AI Act Compliance Obligations from August 2026: What General-Purpose and High-Risk Providers Must Deliver

From 2 August 2026, the bulk of the EU AI Act applies. Providers of high-risk systems, deployers in regulated sectors and importers face documentation, monitoring and reporting duties. This article translates the legal text into a working checklist.

Read more
One Compliance Platform for All German Officer Roles: A Practical Buyer Guide
Plattform & Strategie3 June 202612 min read

One Compliance Platform for All German Officer Roles: A Practical Buyer Guide

German law requires dedicated officers for data protection, money laundering, fire safety, hazardous goods, hygiene, whistleblowing, supply chain and many more. Twenty-five mandates, one platform. This guide explains how that consolidation works.

Read more
Compliance officer and data protection officer: roles, duties, separation
Governance & Compliance2 June 202612 min read

Compliance officer and data protection officer: roles, duties, separation

Compliance officer (CO) and data protection officer (DPO) sound similar, but are legally two different functions. Anyone who confuses the two roles risks conflicts of interest, incorrect reporting lines and fines under Art. 83 GDPR.

Read more
Code of Conduct template for medium-sized companies: structure, obligations, audit trail
Governance & Compliance2 June 202612 min read

Code of Conduct template for medium-sized companies: structure, obligations, audit trail

A Code of Conduct is not a marketing text, but a mandatory document in the compliance management system. These instructions show which components a medium-sized business code of conduct must actually contain, how you can put it into effect in a legally secure manner and document it in a comprehensible manner in accordance with Section 130 OWiG.

Read more
Compliance officer costs 2026: What internal and external models really cost
Governance & Compliance2 June 202612 min read

Compliance officer costs 2026: What internal and external models really cost

How much does a compliance officer cost in 2026? We compare permanent employment, external ordering and platform models based on real wage costs, insurance premiums and audit costs. With specific bandwidths for SMEs with 250 employees or more and corporate subsidiaries with up to 5,000 employees.

Read more
Compliance in the bank: Duties, roles and auditable evidence according to MaRisk and WpHG
Governance & Compliance2 June 202612 min read

Compliance in the bank: Duties, roles and auditable evidence according to MaRisk and WpHG

Compliance in a bank is more than a guideline on the intranet. It is an appointed function with clear reporting obligations in accordance with MaRisk AT 4.4.2, WpHG § 80 and GwG. This article shows which obligations apply and how an institution achieves audit robustness operationally.

Read more
Compliance rules in the company: obligations, structures and evidence
Governance & Compliance2 June 202612 min read

Compliance rules in the company: obligations, structures and evidence

Compliance rules are not a collection of information sheets, but a verifiable structure of obligations, responsibilities and evidence. This guide organises the most important standards, describes roles and shows how to document regulations in an audit-proof manner.

Read more
Compliance training: Obligations, evidence and repetition intervals according to Section 130 OWiG
Governance & Compliance1 June 202612 min read

Compliance training: Obligations, evidence and repetition intervals according to Section 130 OWiG

Compliance training is not a marketing measure, but rather a supervisory obligation according to Section 130 OWiG. The article shows which content is mandatory, how often it has to be repeated and which evidence counts in the audit.

Read more
Set up a compliance management system according to IDW PS 980: Seven basic elements, documented in an audit-proof manner
Governance & Compliance1 June 202613 min read

Set up a compliance management system according to IDW PS 980: Seven basic elements, documented in an audit-proof manner

The IDW PS 980 defines seven basic elements for an effective CMS. This article shows how to document culture, goals, risks, program, organisation, communication and monitoring so that an appropriateness and effectiveness test can pass.

Read more
GDPR Article 30 Record of Processing: A Template That Survives an Audit
Data Protection & Privacy1 June 202612 min read

GDPR Article 30 Record of Processing: A Template That Survives an Audit

Article 30 GDPR demands a written record of every processing activity, and supervisory authorities ask for it first. This article shows what a defensible template contains, how to maintain it, and how CIVAC operationalises the obligation for internal and external Data Protection Officers.

Read more
German Data Protection Officer as an Outsourced Service: A Decision Guide
Data Protection & Privacy1 June 202612 min read

German Data Protection Officer as an Outsourced Service: A Decision Guide

An outsourced German data protection officer carries the same statutory duties as an internal appointee. This guide explains the legal frame under § 38 BDSG, scope of mandate, expected deliverables, cost ranges, and the evidence trail a supervisory authority will request.

Read more
DPO as a Service: External Data Protection Officer under GDPR, Done Right
Data Protection & Privacy1 June 202612 min read

DPO as a Service: External Data Protection Officer under GDPR, Done Right

GDPR Art. 37 forces many controllers and processors to designate a Data Protection Officer. DPO as a Service places a qualified officer plus the documentation engine on a fixed monthly retainer, with German law fully in scope.

Read more
Using ChatGPT in Compliance with the GDPR: A Guide for Operations
Data Protection & Privacy31 May 202612 min read

Using ChatGPT in Compliance with the GDPR: A Guide for Operations

ChatGPT in operations is feasible if the contractual situation, the roles and the logs are right. This guide shows which GDPR obligations apply, when a DPIA falls due, and what a robust AI policy looks like. With concrete steps, templates and a role that holds it all together.

Read more
An Alternative to DataGuard: How German Compliance Platforms Rethink the External DPO
Data Protection & Privacy31 May 202612 min read

An Alternative to DataGuard: How German Compliance Platforms Rethink the External DPO

DataGuard delivers external data protection as an advisory service. Other providers rely on pure software. CIVAC combines both in an EU-hosted compliance platform with 25 appointable officer roles and 490 audit templates.

Read more
CIVAC vs. Single-Purpose Tools: Comparing Data Protection Automation for German Companies
Data Protection & Privacy31 May 202612 min read

CIVAC vs. Single-Purpose Tools: Comparing Data Protection Automation for German Companies

CIVAC and single-purpose data-protection tools automate data protection processes. The difference lies in the model. This comparison describes the architecture, officer appointment, audit templates, EU data residency and escalation paths under Art. 33 GDPR – factually, without judgement, on the basis of publicly documented functions.

Read more
Data Protection Audit: From the Call for an Audit to Verifiable Evidence in 2 Business Days
Data Protection & Privacy31 May 202612 min read

Data Protection Audit: From the Call for an Audit to Verifiable Evidence in 2 Business Days

A data protection audit examines whether your organisation operationally implements Art. 5, 24 and 32 GDPR. We show the structure, the mandatory evidence and the templates with which you close the typical findings yourself before the audit.

Read more
Appointing an External DPO: When the External Solution Beats the Internal Post
Data Protection & Privacy31 May 202612 min read

Appointing an External DPO: When the External Solution Beats the Internal Post

An external data protection officer is often appointed faster, costs less, and is freer from instructions than an internal solution. This article explains the obligation to appoint under Art. 37 GDPR, market-standard costs, liability questions, and the selection criteria by which you recognise a qualified external DPO.

Read more
External Compliance Officer for B2B SaaS in Germany: Roles, Cost, Setup
Governance & Compliance31 May 202613 min read

External Compliance Officer for B2B SaaS in Germany: Roles, Cost, Setup

B2B SaaS founders in Germany face overlapping duties under GDPR, NIS-2, HinSchG, and ISO/IEC 27001:2022. An external compliance officer covers the controls without an internal hire, leaving the engineering roadmap untouched.

Read more
EU AI Act: Obligations for High-Risk AI Systems in Practice
Governance & Compliance31 May 202613 min read

EU AI Act: Obligations for High-Risk AI Systems in Practice

The EU AI Act introduces twelve cumulative obligations for providers of high-risk AI systems and four additional duties for deployers. This article translates Articles 8 to 27 into a working compliance routine: risk management, data governance, logging, human oversight, transparency, and conformity assessment.

Read more
DPIA: When a Data Protection Impact Assessment under Art. 35 GDPR Becomes Mandatory
Data Protection & Privacy30 May 202612 min read

DPIA: When a Data Protection Impact Assessment under Art. 35 GDPR Becomes Mandatory

Anyone who processes personal data with a high risk owes a data protection impact assessment under Art. 35 GDPR. This article explains thresholds, must-lists, review steps and the role of the data protection officer in the procedure.

Read more
TOM Template under Art. 32 GDPR: Structure, Mandatory Fields, Audit-Readiness
Data Protection & Privacy30 May 202612 min read

TOM Template under Art. 32 GDPR: Structure, Mandatory Fields, Audit-Readiness

A TOM template is not a form to tick off. It is the evidence under Art. 32 GDPR that you have assessed risks, derived measures and reviewed effectiveness. This article shows the mandatory fields, typical gaps and a verifiable structure.

Read more
From What Point Do You Need a Data Protection Officer: Thresholds, Obligations, Deadlines
Data Protection & Privacy30 May 202612 min read

From What Point Do You Need a Data Protection Officer: Thresholds, Obligations, Deadlines

The obligation to designate a data protection officer applies earlier than many management teams assume. This guide shows the Section 38 BDSG thresholds, the GDPR triggers, the consequences of a late appointment and a clean path from assessment to deed of appointment.

Read more
The Data Protection Regulation in the Company: From Statutory Text to Demonstrable Evidence
Data Protection & Privacy30 May 202612 min read

The Data Protection Regulation in the Company: From Statutory Text to Demonstrable Evidence

The GDPR does not demand theory but evidence. Anyone who keeps the record, notification path and deed of appointment in order weathers an audit and a data breach calmly. This guide shows the operational path.

Read more
Art. 15 GDPR in Practice: Handling Subject Access Requests in a Legally Sound and Timely Manner
Data Protection & Privacy30 May 202612 min read

Art. 15 GDPR in Practice: Handling Subject Access Requests in a Legally Sound and Timely Manner

Art. 15 GDPR obliges controllers to provide comprehensive information to data subjects within one month. This article explains scope, deadlines, identity verification and exceptions, and shows how to map the process in an audit-proof way in the CIVAC platform.

Read more
Outsourced DPO: When an External Data Protection Officer Outperforms an Internal Hire
Datenschutz & Privacy29 May 202613 min read

Outsourced DPO: When an External Data Protection Officer Outperforms an Internal Hire

An outsourced DPO covers GDPR Article 37 duties, breach reporting under Article 33, and evidence files for supervisory authorities. This guide explains scope, cost ranges, and how an external DPO integrates with German labour law and works alongside the information security officer.

Read more
GDPR Compliance Software for German Mid Market in 2026: A Practical Buyer Guide
Datenschutz & Privacy29 May 202613 min read

GDPR Compliance Software for German Mid Market in 2026: A Practical Buyer Guide

GDPR enforcement against the German Mittelstand has intensified since the federal coordinated audit of 2025. This buyer guide shows what a modern compliance platform must deliver: records, breach pipelines, residency, officer workflows, and signed records of authority.

Read more
External DPO in Germany: When You Must Appoint One and How to Do It Properly
Datenschutz & Privacy29 May 202612 min read

External DPO in Germany: When You Must Appoint One and How to Do It Properly

Germany has the strictest national rule for appointing a data protection officer in the European Union. This guide explains the legal thresholds, the documentation a supervisory authority expects, and how an external DPO model under CIVAC removes the bottleneck without diluting accountability.

Read more
Compliance: Covering All 12 Officer Roles in a Structured Way
Platform & Strategy27 May 202612 min read

Compliance: Covering All 12 Officer Roles in a Structured Way

Up to twelve officer roles may be simultaneously mandatory in a mid-sized company. Anyone who loses the overview risks fines, audit gaps and management liability. This article shows how all roles can be structured, filled and coordinated.

Read more
External Compliance Service Providers in the DACH Region Compared: Criteria, Models, Decision Framework
Platform & Strategy27 May 202612 min read

External Compliance Service Providers in the DACH Region Compared: Criteria, Models, Decision Framework

There are many providers of external compliance appointment in the DACH region – from DPO specialists to generic consultants to cross-role platforms. This article provides structured selection criteria for companies seeking external officers with documentation responsibility.

Read more
Alternative to DataGuard for SMEs: Compliance Beyond the DPO
Platform & Strategy27 May 202612 min read

Alternative to DataGuard for SMEs: Compliance Beyond the DPO

DataGuard is established in the German-speaking market as a DPO platform. For companies that must cover information security, occupational safety, supply chain or other officer roles in addition to data protection, the question arises whether a data protection-focused provider is the right overall solution.

Read more
CIVAC Compliance Platform: German Cloud, All 25 Officer Roles, One Workspace
Platform & Strategy27 May 202612 min read

CIVAC Compliance Platform: German Cloud, All 25 Officer Roles, One Workspace

CIVAC is a German compliance platform with EU data residency, ISO/IEC 27001:2022-compliant ISMS and 25 officer roles available live. The article explains architecture, delivery models and the difference from generic GRC suites.

Read more
Alternative to Quentic for SMEs in the DACH Region: Which Solution Fits?
Platform & Strategy27 May 202612 min read

Alternative to Quentic for SMEs in the DACH Region: Which Solution Fits?

Quentic primarily addresses large-scale HSE structures. For SMEs in the DACH region that must operationally manage multiple officer roles, the question arises as to a more precisely tailored approach. This article sets out what matters in the selection process.

Read more
CIVAC Platform: 25 Officer Roles at a Glance – Duties, Appointment and Workspace
Platform & Strategy27 May 202612 min read

CIVAC Platform: 25 Officer Roles at a Glance – Duties, Appointment and Workspace

From Data Protection Officer to Major Hazards Officer: CIVAC maps all 25 statutory officer roles in one workspace. This article explains which roles are mandatory for whom and how the platform structures the appointment process.

Read more
Integrated Compliance Documentation: All Officer Roles, One Evidence Path
Platform & Strategy27 May 202612 min read

Integrated Compliance Documentation: All Officer Roles, One Evidence Path

Anyone managing multiple officer mandates with separate filing systems structurally produces documentation gaps. An integrated evidence path across all roles is not only more efficient – it is the decisive difference in an audit.

Read more
AI-Based Risk Analysis in the Compliance Context: Benefits, Limitations and Legal Framework
Platform & Strategy27 May 202612 min read

AI-Based Risk Analysis in the Compliance Context: Benefits, Limitations and Legal Framework

AI-powered risk analyses can make compliance work significantly more efficient in mid-sized companies. This practical guide explains what to consider technically and legally.

Read more
Combining External DPO and ISB: Opportunities, Limitations and Legal Framework
Platform & Strategy27 May 202612 min read

Combining External DPO and ISB: Opportunities, Limitations and Legal Framework

Many mid-sized companies ask whether external DPO and ISB can be combined in a dual appointment. The answer is nuanced: legally permissible, but with conflict-of-interest pitfalls and capacity limits.

Read more
Compliance Software for SMEs: German Providers Compared
Platform & Strategy27 May 202612 min read

Compliance Software for SMEs: German Providers Compared

Compliance software for German mid-sized companies must combine 25 officer roles, EU data residency and audit evidence. This article sets out the criteria that determine the choice of provider.

Read more
Implementing a Whistleblowing System: Obligations Under the Whistleblower Protection Act (HinSchG) at a Glance
Governance & Compliance27 May 202612 min read

Implementing a Whistleblowing System: Obligations Under the Whistleblower Protection Act (HinSchG) at a Glance

Since 17 December 2023, companies with 50 or more employees are required to establish an internal reporting office. This guide sets out what is required technically, organisationally and in terms of personnel.

Read more
External Compliance Officer for DACH SMEs: Mandate, Costs and Setup
Governance & Compliance27 May 202612 min read

External Compliance Officer for DACH SMEs: Mandate, Costs and Setup

An external Compliance Officer gives SMEs a qualified compliance function without a full-time position. This article explains when the external solution is advisable, what it costs and how collaboration is structured.

Read more
External Data Protection Officer: Realistic Cost Assessment for SMEs
Data Protection & Privacy27 May 202612 min read

External Data Protection Officer: Realistic Cost Assessment for SMEs

An external Data Protection Officer costs German SMEs between €200 and €2,500 per month — depending on company size, processing structure and scope of services. Understanding the cost drivers leads to better negotiations and payment only for what is actually needed.

Read more
Employee Data Protection Training Online: Obligation, Content and Evidence
Data Protection & Privacy27 May 202612 min read

Employee Data Protection Training Online: Obligation, Content and Evidence

GDPR prescribes no training frequency, but Art. 5(2) requires evidence. Online training for employees meets this requirement — provided the content, certificate and documentation are sound. Here is what to bear in mind.

Read more
How to Find an External Data Protection Officer: Criteria, Sources and Selection Process
Data Protection & Privacy27 May 202612 min read

How to Find an External Data Protection Officer: Criteria, Sources and Selection Process

Finding an external Data Protection Officer is not a Google search, but a selection process with clear quality criteria. This article explains where to look, what to assess and what to insist upon in the contract.

Read more
What Does an External Data Protection Officer Cost: Costs, Models, and Calculations
Data Protection & Privacy27 May 202612 min read

What Does an External Data Protection Officer Cost: Costs, Models, and Calculations

Flat-fee contracts, hourly rates, annual retainers: the pricing models for external Data Protection Officers vary considerably. This article explains which cost drivers actually matter and what to look for when making a comparison.

Read more
External Data Protection Officer: Monthly Costs and What the Service Package Includes
Data Protection & Privacy27 May 202611 min read

External Data Protection Officer: Monthly Costs and What the Service Package Includes

The costs for an external Data Protection Officer depend on the size of the organisation, the processing risks, and the scope of service. This article explains the pricing structure, identifies typical monthly flat fees for mid-sized companies, and sets out what to look for when comparing proposals.

Read more
Data Protection Officer: Mandatory Appointment, Duties, and Designation Under Art. 37 GDPR
Data Protection & Privacy27 May 202612 min read

Data Protection Officer: Mandatory Appointment, Duties, and Designation Under Art. 37 GDPR

The Data Protection Officer (DPO) is a legal requirement for many organisations. Art. 37 GDPR and § 38 BDSG govern when appointment is mandatory, what qualifications the DPO must bring, and why the external solution is often the more cost-effective choice for mid-sized companies.

Read more
General Data Protection Regulation: What Companies Must Concretely Implement in 2026
Data Protection & Privacy27 May 202612 min read

General Data Protection Regulation: What Companies Must Concretely Implement in 2026

The General Data Protection Regulation (GDPR) has been directly applicable EU law since May 2018. What obligations this concretely creates for mid-sized companies, what fines are at risk, and how a Data Protection Officer ensures implementation — explained concisely and practically.

Read more
Appointing a SiGeKo: Obligations Under the Construction Site Ordinance (BaustellV) and How to Engage the Coordinator with Legal Certainty
Construction & SiGeKo27 May 202612 min read

Appointing a SiGeKo: Obligations Under the Construction Site Ordinance (BaustellV) and How to Engage the Coordinator with Legal Certainty

Those who build bear responsibility. The BaustellV stipulates when a SiGeKo must be appointed, what qualifications the coordinator must bring, and how the engagement must be documented so that it withstands scrutiny.

Read more
Appointing a SiGeKo: Step-by-Step Guide for Clients
Construction & SiGeKo27 May 202612 min read

Appointing a SiGeKo: Step-by-Step Guide for Clients

A client who must appoint a SiGeKo requires a written letter of appointment, a qualified officer, and a clear documentation structure. This article shows the complete appointment process under the Construction Site Ordinance (BaustellV) – from qualification verification to handover of the health and safety file.

Read more
Site Manager VOB (German Construction Contract Procedures) Hourly Rate for SMEs: Cost Range, Influencing Factors, and Calculation
Construction & SiGeKo27 May 202612 min read

Site Manager VOB (German Construction Contract Procedures) Hourly Rate for SMEs: Cost Range, Influencing Factors, and Calculation

What does an external site manager cost under VOB (German Construction Contract Procedures) for mid-sized businesses? This article explains market-standard hourly rates, remuneration structures under VOB/B, and the cost comparison between classic commissioning and Officer-as-a-Service.

Read more
SiGeKo (Construction Site Safety Coordinator): Obligations, Tasks, and Appointment Requirements on the Construction Site
Construction & SiGeKo27 May 202612 min read

SiGeKo (Construction Site Safety Coordinator): Obligations, Tasks, and Appointment Requirements on the Construction Site

The SiGeKo coordinates occupational health and safety on construction sites involving multiple companies. This article explains the statutory obligation under the Construction Site Ordinance (BaustellV), the core tasks, the qualification requirements, and how clients document the appointment in a structured manner.

Read more
Internal Audit: Conducting ISO 9001, 14001, and 27001 in Combination
Audits & Suppliers27 May 202612 min read

Internal Audit: Conducting ISO 9001, 14001, and 27001 in Combination

Those who operate ISO 9001, ISO 14001, and ISO/IEC 27001 in parallel can combine internal audits. This article shows what is normatively required, how an integrated audit plan is structured, and where companies commonly make mistakes.

Read more
Audit Management Software: What a Professional Solution for SMEs Must Deliver
Audits & Suppliers27 May 202612 min read

Audit Management Software: What a Professional Solution for SMEs Must Deliver

Audit management software structures the planning, execution, and follow-up of internal audits. This article shows what functions are indispensable under ISO 9001, 14001, and 27001, and what SMEs should look for when selecting a solution.

Read more
Conducting a Supplier Audit: Process, Checklist, and Documentation under ISO 9001
Audits & Suppliers27 May 202612 min read

Conducting a Supplier Audit: Process, Checklist, and Documentation under ISO 9001

A supplier audit under ISO 9001:2015 follows a clearly defined process. Those who structure planning, execution, and reporting consistently create reliable evidence for quality management and LkSG due diligence.

Read more
External Supplier Auditor for SMEs: Requirements and Process
Audits & Suppliers27 May 202612 min read

External Supplier Auditor for SMEs: Requirements and Process

Mid-sized businesses with supply chain obligations under ISO 9001, IATF 16949, or LkSG must audit suppliers systematically. An external supplier auditor closes the capacity gap – provided mandate, qualification, and documentation are in order.

Read more
Major Accident (Störfall): Legal Obligations, Appointed Officer, and Prevention at a Glance
Major Accident & Critical Infrastructure27 May 202612 min read

Major Accident (Störfall): Legal Obligations, Appointed Officer, and Prevention at a Glance

Anyone operating an installation with dangerous substances above the threshold quantities in Annex I of the 12th Federal Immission Control Ordinance (12. BImSchV) is subject to strict obligations. This article explains the appointment obligation, task profile, and documentation requirements for the Major Accident Officer.

Read more
External Company Doctor: Appointment, Qualification, and Legally Compliant Commissioning under § 3 ASiG
Occupational Medicine27 May 202612 min read

External Company Doctor: Appointment, Qualification, and Legally Compliant Commissioning under § 3 ASiG

Most mid-sized businesses do not need an employed doctor but a qualified external company doctor. How to commission one in a legally compliant manner, what obligations arise, and what to consider in the service contract.

Read more
Company Doctor Costs: What Employers Must Pay and How Prices Are Structured
Occupational Medicine27 May 202612 min read

Company Doctor Costs: What Employers Must Pay and How Prices Are Structured

Company doctor costs vary considerably: from a few hundred euros annually for small office businesses to six-figure sums for manufacturing companies. Those who understand the cost drivers can plan realistically and fulfil § 3 ASiG without budget surprises.

Read more
External Company Doctor: Cost per Hour, Flat-Rate Packages and Billing Models Compared
Occupational Medicine27 May 202612 min read

External Company Doctor: Cost per Hour, Flat-Rate Packages and Billing Models Compared

The hourly rate of an external company doctor ranges from €90 to €200 depending on qualification and region. Understanding the billing models avoids surprises on the invoice and ensures legally compliant fulfilment of the obligation under § 3 ASiG.

Read more
Finding a Company Doctor: Obligations, Search Strategies and Legally Compliant Appointment
Occupational Medicine27 May 202612 min read

Finding a Company Doctor: Obligations, Search Strategies and Legally Compliant Appointment

§ 3 ASiG obliges every employer to appoint a company doctor. Many mid-sized businesses do not know how to find a qualified physician or what the appointment requires under law.

Read more
Setting Up a Reporting Channel under the Whistleblower Protection Act (HinSchG): A Step-by-Step Guide to a Legally Compliant Reporting Office
Equality & AGG27 May 202612 min read

Setting Up a Reporting Channel under the Whistleblower Protection Act (HinSchG): A Step-by-Step Guide to a Legally Compliant Reporting Office

The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Companies still not operating a functioning reporting channel are committing a regulatory offence. This guide sets out which steps are required and in what order.

Read more
External AGG Complaints Office: Obligations, Structure, and Legally Compliant Appointment
Equality & AGG27 May 202612 min read

External AGG Complaints Office: Obligations, Structure, and Legally Compliant Appointment

§ 13 AGG obliges every employer to establish a complaints office for discrimination. An external AGG complaints office resolves the independence problem that can structurally burden internal solutions.

Read more
Digital Reporting Channel under the Whistleblower Protection Act (HinSchG): Requirements, Software Selection and Operation
Equality & AGG27 May 202612 min read

Digital Reporting Channel under the Whistleblower Protection Act (HinSchG): Requirements, Software Selection and Operation

The Whistleblower Protection Act (HinSchG) requires companies with 50 or more employees to establish an internal reporting office. A digital reporting channel is the most practical implementation — provided it fully meets the statutory requirements.

Read more
External AGG Complaints Office as a Service Provider: Obligations, Process and Appointment
Equality & AGG27 May 202612 min read

External AGG Complaints Office as a Service Provider: Obligations, Process and Appointment

Section 13 of the General Equal Treatment Act (AGG) obliges employers to establish a complaints office for discrimination. External service providers assume this obligation on a contractually secure basis. This article explains the requirements, selection criteria and the CIVAC approach.

Read more
Quality Management Software: What a QMS Workspace Must Deliver
Quality Management27 May 202611 min read

Quality Management Software: What a QMS Workspace Must Deliver

Quality management software determines whether a QMS stands up at a surveillance audit or collapses. This article describes which functions are indispensable under ISO 9001:2015 and why a pure document repository is insufficient.

Read more
Quality Management Consulting: What an External QMR Delivers and What Matters
Quality Management27 May 202612 min read

Quality Management Consulting: What an External QMR Delivers and What Matters

Quality management consulting encompasses far more than preparation for an ISO 9001 certification. What services an external QMR delivers, when a consulting engagement is appropriate and how the appointment is structured on a legally sound basis.

Read more
ISO 9001 Certification: Process, Requirements and the Role of the QMR
Quality Management27 May 202612 min read

ISO 9001 Certification: Process, Requirements and the Role of the QMR

ISO 9001 certification under DIN EN ISO 9001:2015 is a prerequisite for supplier approvals and public contracts in many industries. This article explains the certification process, the requirements for the QMS and the tasks of the Quality Management Officer.

Read more
ISO 9001 Certification for SMEs: Process, Costs and Appointment Obligations
Quality Management27 May 202612 min read

ISO 9001 Certification for SMEs: Process, Costs and Appointment Obligations

DIN EN ISO 9001:2015 requires a formally appointed QMR with documented evidence. This article describes the six-step certification process, realistic cost frameworks for SMEs and explains how an external QMR can be operational through CIVAC within two business days.

Read more
Reviewing Obligated Parties under § 2 GwG: Who Falls under the Money Laundering Act
Anti-Money Laundering27 May 202612 min read

Reviewing Obligated Parties under § 2 GwG: Who Falls under the Money Laundering Act

§ 2 GwG contains an exhaustive list of obligated parties. Whether a company falls within scope determines which due diligence obligations, risk analysis requirements, and appointment obligations apply. A structured review protects against unrecognised breaches of duty.

Read more
External Money Laundering Compliance Officer: Appointment Obligation, Duties, and Legally Sound Engagement
Anti-Money Laundering27 May 202612 min read

External Money Laundering Compliance Officer: Appointment Obligation, Duties, and Legally Sound Engagement

Anti-money laundering legislation requires numerous companies to appoint a money laundering compliance officer. Those who ignore the obligation risk fines under § 56 GwG. This article explains the appointment obligation, duties, qualification requirements, and the option of external appointment.

Read more
Appointing a Money Laundering Compliance Officer (GwB): Obligation, Procedure, and Appointment Deed under § 7 GwG
Anti-Money Laundering27 May 202612 min read

Appointing a Money Laundering Compliance Officer (GwB): Obligation, Procedure, and Appointment Deed under § 7 GwG

§ 7 GwG requires a clearly defined group of companies to appoint a money laundering compliance officer. Failure to make the appointment, or a procedurally defective appointment, risks substantial fines. This article explains the procedure step by step.

Read more
External Money Laundering Compliance Officer: Annual Costs and What the Appointment Includes
Anti-Money Laundering27 May 202612 min read

External Money Laundering Compliance Officer: Annual Costs and What the Appointment Includes

§ 7 GwG requires certain companies to appoint a money laundering compliance officer. Depending on the scope of services, an external officer costs between EUR 2,000 and EUR 15,000 per year. This article explains what must be included in this price — and what is frequently missing.

Read more
Supply Chain Due Diligence Act (LkSG): When Does the Obligation Apply and How Are Employees Counted Correctly?
Supply Chain27 May 202612 min read

Supply Chain Due Diligence Act (LkSG): When Does the Obligation Apply and How Are Employees Counted Correctly?

The LkSG has applied since 1 January 2024 to companies with at least 1,000 employees. How the threshold is correctly calculated, what role subsidiaries play, and what companies must do in the year they first exceed it.

Read more
LkSG Risk Analysis: Methodology, Structure and BAFA-Compliant Documentation
Supply Chain27 May 202612 min read

LkSG Risk Analysis: Methodology, Structure and BAFA-Compliant Documentation

The risk analysis is the methodological foundation of LkSG compliance. § 5 LkSG prescribes an annual and event-triggered risk assessment — for the company's own business area, direct suppliers and, where there is justified cause, indirect suppliers. Gaps here risk BAFA enquiries and evidentiary shortfalls.

Read more
LkSG Software: Mandatory Functions, Selection Criteria and the Officer Evidence Requirement
Supply Chain27 May 202612 min read

LkSG Software: Mandatory Functions, Selection Criteria and the Officer Evidence Requirement

The Supply Chain Due Diligence Act (LkSG) obliges affected companies to eight due diligence obligations, the evidence for which must be complete before BAFA. LkSG software that only sends questionnaires does not solve the compliance problem — it defers it.

Read more
Supply Chain Due Diligence Act (LkSG) Software Compared: What DACH Mid-Sized Companies Should Look For
Supply Chain27 May 202612 min read

Supply Chain Due Diligence Act (LkSG) Software Compared: What DACH Mid-Sized Companies Should Look For

The LkSG obliges companies with at least 1,000 employees to conduct a systematic risk analysis, maintain documentation and submit a BAFA report. This article examines the decisive software features and what a comparison for the DACH mid-market looks like.

Read more
Appointing an Environmental Officer: Obligation, Process and Legally Compliant Letter of Appointment
Environmental Protection27 May 202612 min read

Appointing an Environmental Officer: Obligation, Process and Legally Compliant Letter of Appointment

Any company that must appoint an environmental officer but is unaware of the mandatory prerequisites risks a formal gap that will be identified immediately at the next regulatory inspection. This article provides the complete legal basis.

Read more
ISO 14001 Certification: Process, Requirements and Environmental Officer
Environmental Protection27 May 202612 min read

ISO 14001 Certification: Process, Requirements and Environmental Officer

ISO 14001:2015 requires a documented environmental management system with measurable objectives, internal audits and a named accountability. This article walks through the certification process step by step.

Read more
External Environmental Protection Officer for Industrial Operations: Obligations, Services, and Appointment
Environmental Protection27 May 202612 min read

External Environmental Protection Officer for Industrial Operations: Obligations, Services, and Appointment

Industrial operations with installation obligations under BImSchG, water hazard risk, or elevated waste volumes require formally appointed environmental officers. The appointment obligation arises from three different statutes that audit independently of one another.

Read more
ISO 14001 Certification: Process, Timeline, and Realistic Cost Calculation
Environmental Protection27 May 202612 min read

ISO 14001 Certification: Process, Timeline, and Realistic Cost Calculation

ISO 14001 certification typically takes six to twelve months and costs between 8,000 and 40,000 euros depending on company size. Understanding the process avoids surprises on audit day.

Read more
External Fire Protection Officer: Monthly Costs and Decision Criteria
Fire Protection27 May 202612 min read

External Fire Protection Officer: Monthly Costs and Decision Criteria

External fire protection officers cost between 200 and 800 euros per month depending on company size and scope of services. Understanding the cost structure enables an informed decision rather than one that conceals liability risks.

Read more
Fire Safety Regulations Parts A, B, and C: Structure, Obligations, and Preparation
Fire Protection27 May 202612 min read

Fire Safety Regulations Parts A, B, and C: Structure, Obligations, and Preparation

Fire safety regulations under DIN 14096 are structured in three mandatory parts. Understanding the differences avoids gaps at the next inspection by the fire brigade or professional association.

Read more
Preparing Escape and Rescue Plans in Accordance with DIN ISO 23601: Obligations and Practice
Fire Protection27 May 202612 min read

Preparing Escape and Rescue Plans in Accordance with DIN ISO 23601: Obligations and Practice

ASR A2.3 and the Workplace Ordinance oblige employers to prepare escape and rescue plans and keep them current. DIN ISO 23601 sets the graphic standard. This article explains what is mandatory, what the standard requires, and how the fire protection officer manages the process.

Read more
Having the Fire Safety Regulations Part B Drawn Up: Mandatory Content, Standards, and Officer Obligations
Fire Protection27 May 202612 min read

Having the Fire Safety Regulations Part B Drawn Up: Mandatory Content, Standards, and Officer Obligations

Part B of the fire safety regulations is directed at all employees and must be prepared and regularly updated in accordance with DIN 14096. Anyone who prepares it without qualified guidance risks formal gaps that become a liability issue in the event of a fire.

Read more
Appointing a SiFa: Legally Secure Appointment in Two Working Days via Officer-as-a-Service
Occupational Safety27 May 202611 min read

Appointing a SiFa: Legally Secure Appointment in Two Working Days via Officer-as-a-Service

Appointing a SiFa means more than commissioning a service provider. The appointment document must contain the statutory minimum content, qualifications must be verified, and the documentation infrastructure must be in place. CIVAC fulfils all three requirements in two working days.

Read more
Finding an Occupational Safety Specialist: Qualifications, Appointment, and the Fast Track
Occupational Safety27 May 202612 min read

Finding an Occupational Safety Specialist: Qualifications, Appointment, and the Fast Track

Finding a SiFa means more than placing a job advertisement. Qualifications, industry knowledge, appointment document, and documentation infrastructure must all fit together. This article describes the structured path.

Read more
External SiFa: Hourly Costs for SMEs — Market Overview and Alternatives
Occupational Safety27 May 202612 min read

External SiFa: Hourly Costs for SMEs — Market Overview and Alternatives

External SiFas typically charge between 90 and 180 euros per hour in SMEs. Which factors determine the hourly rate, what DGUV V2 requires as a minimum, and how costs can be reduced through a structured approach.

Read more
SiFa Software for DGUV Documentation: What Your Workspace Must Deliver
Occupational Safety27 May 202612 min read

SiFa Software for DGUV Documentation: What Your Workspace Must Deliver

DGUV Regulation 2 mandates deployment hours, inspection reports, and annual plans in writing. Which software structurally meets these requirements — and why a generic tool is not sufficient.

Read more
Who Needs a Hazardous Substances Officer in Their Company?
Hazardous Substances and Occupational Safety27 May 202612 min read

Who Needs a Hazardous Substances Officer in Their Company?

The GefStoffV does not recognise a mandatory role under the title of hazardous substances officer, but does require competent persons for every activity involving hazardous substances. Which companies are affected, which sectors have special obligations and how the role is filled in a legally compliant manner.

Read more
Risk Assessment for Hazardous Substances: TRGS 400 Template and Mandatory Requirements
Hazardous Substances and Occupational Safety27 May 202612 min read

Risk Assessment for Hazardous Substances: TRGS 400 Template and Mandatory Requirements

The risk assessment under TRGS 400 is the regulatory foundation of hazardous substance management. A legally compliant template covers all seven mandatory steps — from exposure determination to effectiveness testing. This article explains the structure, documentation obligations and typical errors in implementation.

Read more
Hazardous Substance Management Software: Requirements, Functions and Selection Criteria
Hazardous Substances and Occupational Safety27 May 202612 min read

Hazardous Substance Management Software: Requirements, Functions and Selection Criteria

Digital hazardous substance management does not replace expertise, but it creates the structural conditions for audit-proof documentation. This article explains which functions software must provide and how CIVAC integrates hazardous substance management into a complete officer workspace.

Read more
External Hazardous Substances Officer: Obligation, Tasks and Appointment Process
Hazardous Substances and Occupational Safety27 May 202612 min read

External Hazardous Substances Officer: Obligation, Tasks and Appointment Process

Section 6 GefStoffV requires structured risk assessments and proof of expertise. Companies lacking suitable in-house personnel should appoint externally. This article explains what makes a qualified external hazardous substances officer and how appointment works in a legally sound manner.

Read more
Dangerous Goods Transport: Obligations, ADR Rules and Who Must Maintain Oversight
Dangerous Goods and Logistics27 May 202612 min read

Dangerous Goods Transport: Obligations, ADR Rules and Who Must Maintain Oversight

Dangerous goods transport is subject to a dense regulatory framework comprising the ADR, GGVSEB and GbV. This article explains who must observe what, when a dangerous goods officer is mandatory and how documentation can be made audit-proof.

Read more
Labelling Dangerous Goods: UN Numbers, Hazard Labels and Vehicle Marking under the ADR
Dangerous Goods and Logistics27 May 202612 min read

Labelling Dangerous Goods: UN Numbers, Hazard Labels and Vehicle Marking under the ADR

The labelling of dangerous goods is governed in binding terms by ADR Chapters 5.2 and 5.3: packages bear hazard labels and UN numbers, vehicles orange warning panels and large labels. Labelling errors constitute administrative offences under Section 10 GGVSEB for consignors, loaders and carriers.

Read more
Transport of Dangerous Goods: Regulations, Classes and Operational Obligations
Dangerous Goods and Logistics27 May 202612 min read

Transport of Dangerous Goods: Regulations, Classes and Operational Obligations

The transport of dangerous goods is strictly regulated by the ADR, GGVSEB and several supplementary standards. Three key questions arise for companies: what obligations exist for shippers and carriers, what documentation is mandatory, and from what point must a dangerous goods officer be appointed.

Read more
ADR Certificate: Obligation, Period of Validity and Renewal at a Glance
Dangerous Goods and Logistics27 May 202612 min read

ADR Certificate: Obligation, Period of Validity and Renewal at a Glance

The ADR certificate — officially the ADR training certificate pursuant to subsection 8.2.2.8 ADR — is a mandatory document for drivers who transport dangerous goods by road. This article explains the content, period of validity, renewal procedure and the company's documentation obligation.

Read more
HinSchG Legislative History: What the Final Act Means for Your Internal Reporting Office
Whistleblower Protection27 May 202612 min read

HinSchG Legislative History: What the Final Act Means for Your Internal Reporting Office

The Whistleblower Protection Act passed through several draft stages before entering into force in July 2023. Understanding the legislative history explains why certain exceptions apply and how companies must set up their internal reporting office in a legally sound manner.

Read more
Whistleblower Protection Act (HinSchG): Obligations, Reporting Offices and Implementation
Whistleblower Protection27 May 202612 min read

Whistleblower Protection Act (HinSchG): Obligations, Reporting Offices and Implementation

The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Who must establish a reporting office, what requirements apply, what fines are threatened — a structured overview.

Read more
HinSchG Current Status: Obligations, Deadlines, and Implementation 2024
Whistleblower Protection27 May 202612 min read

HinSchG Current Status: Obligations, Deadlines, and Implementation 2024

HinSchG requires organisations with 50+ employees to operate a compliant internal reporting channel — with confidentiality guarantees, acknowledgement obligations, and a strict non-retaliation regime.

Read more
ESG Regulations in the EU: CSRD, Taxonomy, and SFDR Explained
ESG & Sustainability27 May 202612 min read

ESG Regulations in the EU: CSRD, Taxonomy, and SFDR Explained

CSRD, EU Taxonomy Regulation, SFDR: the European ESG regulatory package is complex but logically structured. This article explains the three central regulations, their interactions, and what companies must derive from them in practice.

Read more
ESG Reporting Obligation: Who Must Report When under CSRD?
ESG & Sustainability27 May 202612 min read

ESG Reporting Obligation: Who Must Report When under CSRD?

CSRD applies in waves based on company size — understanding the 'two of three' criteria and which reporting wave applies is the first step in compliance planning.

Read more
ESG Sustainability Report: Obligations, Deadlines, and Implementation under CSRD
ESG & Sustainability27 May 202612 min read

ESG Sustainability Report: Obligations, Deadlines, and Implementation under CSRD

From 2025, CSRD applies to large capital-market-oriented companies, and from 2026 to further large companies. The ESG sustainability report follows ESRS standards. Those who are prepared avoid fines and reputational risks.

Read more
What ESG Stands For: E, S, and G Explained in a Business Context
ESG & Sustainability27 May 202612 min read

What ESG Stands For: E, S, and G Explained in a Business Context

ESG stands for Environmental, Social, Governance. What lies behind these three letters, which standards create concrete obligations, and what an ESG Officer must deliver in the organisation — read the structured overview here.

Read more
HinSchG: What the German Whistleblower Protection Act Requires from Organisations
Whistleblower Protection27 May 202612 min read

HinSchG: What the German Whistleblower Protection Act Requires from Organisations

The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Organisations with 50 or more employees are required to establish a confidential reporting channel and operate an internal reporting office. Read here what this means in detail.

Read more
Hygiene in Healthcare: Legal Obligations, MRSA Prevention, and Documentation Standards
Health & Hygiene27 May 202612 min read

Hygiene in Healthcare: Legal Obligations, MRSA Prevention, and Documentation Standards

Care facilities bear a special hygiene responsibility: § 36 IfSG, KRINKO recommendations, and state-level residential care laws set clear requirements. MRSA prevention, hand hygiene, and complete documentation are not optional — they are mandatory. What facilities need to know.

Read more
Hygiene Training: Legal Obligations, Content, and Operational Implementation
Health & Hygiene27 May 202612 min read

Hygiene Training: Legal Obligations, Content, and Operational Implementation

Hygiene training is legally prescribed in Germany — for food businesses, healthcare facilities, and many other sectors. Which standards apply, what must be documented, and who bears the obligation — read the concise summary here.

Read more
Institute for Hygiene and the Environment: Tasks, Inspections, and Business Implications
Health & Hygiene27 May 202612 min read

Institute for Hygiene and the Environment: Tasks, Inspections, and Business Implications

The Institute for Hygiene and the Environment (HU Hamburg) is Germany's largest municipal testing authority. It analyses drinking water, food, and environmental samples. What businesses need to know about official inspections and how a Hygiene Officer maintains the evidence.

Read more
Occupational Hygiene: Obligations, Roles, and Structured Implementation
Health & Hygiene27 May 202612 min read

Occupational Hygiene: Obligations, Roles, and Structured Implementation

Occupational hygiene is not a recommendation but a statutory mandatory programme. § 36 IfSG, TrinkwV, and KRINKO recommendations define concrete obligations. Which companies are affected and how a Hygiene Officer keeps documentation audit-ready.

Read more
Booking a CIVAC Compliance Platform Demo: Process, Preparation, and Next Steps
Platform & Strategy27 May 202612 min read

Booking a CIVAC Compliance Platform Demo: Process, Preparation, and Next Steps

The CIVAC compliance platform manages all 25 German officer roles in a shared workspace. This article explains what is demonstrated in the demo, how to prepare, and how the platform licence is activated after the session.

Read more
CIVAC Officer-as-a-Service: Book a Demo and Appoint Your Officer Within Two Business Days
Platform & Strategy27 May 202612 min read

CIVAC Officer-as-a-Service: Book a Demo and Appoint Your Officer Within Two Business Days

The CIVAC demo shows the complete Officer-as-a-Service process: appointment instrument, workspace handover, and reporting line in a single live session. This article explains what is shown in the demo, what preparation is useful, and how the appointment process works after the session.

Read more
Federal Data Protection Act (BDSG): Obligations, Thresholds, and Its Relationship to the GDPR
Platform & Strategy27 May 202612 min read

Federal Data Protection Act (BDSG): Obligations, Thresholds, and Its Relationship to the GDPR

The Federal Data Protection Act (BDSG) 2018 specifies the European GDPR for the German legal framework. This article explains the structure, the appointment obligation under § 38 Federal Data Protection Act (BDSG), the fine framework, and the practical consequences for companies with 20 or more persons.

Read more
Personal Data: Definition, Categories, and Legal Obligations under the GDPR and the Federal Data Protection Act (BDSG)
Platform & Strategy27 May 202612 min read

Personal Data: Definition, Categories, and Legal Obligations under the GDPR and the Federal Data Protection Act (BDSG)

Personal data is the foundation of European data protection law. Art. 4 GDPR defines the term broadly — with significant consequences for processing, storage, and DPO appointment. This article clarifies what falls within its scope, which categories trigger heightened protection obligations, and how companies can fulfil their documentation requirements.

Read more
ISO 27001 Consultant: What Matters When Selecting, Mandating, and Verifying
IT Security & NIS-227 May 202612 min read

ISO 27001 Consultant: What Matters When Selecting, Mandating, and Verifying

An ISO 27001 consultant can significantly accelerate certification preparation — provided they work with the right mandate, verifiable qualifications, and a platform that generates audit-proof documentation.

Read more
CISO as a Service: Information Security Leadership Without Full-Time Employment
IT Security & NIS-227 May 202612 min read

CISO as a Service: Information Security Leadership Without Full-Time Employment

CISO as a Service delivers strategic IT security leadership on a mandate basis. For companies under NIS-2 or with ISO 27001 obligations, the model is often the more economical alternative to a full-time position.

Read more
ISO 27001 Certification for Mid-Market Companies: Costs, Duration, and Savings Potential
IT Security & NIS-227 May 202612 min read

ISO 27001 Certification for Mid-Market Companies: Costs, Duration, and Savings Potential

ISO 27001 certification costs between €25,000 and €80,000 in mid-market companies — depending on scope, certification body, and self-service proportion. This article breaks down cost drivers and shows where effort can be structurally reduced.

Read more
Virtual CISO for SMEs: Monthly Subscription, Immediately Effective
IT Security & NIS-227 May 202612 min read

Virtual CISO for SMEs: Monthly Subscription, Immediately Effective

A virtual CISO (vCISO) provides SMEs with strategic IT security leadership and a legally compliant appointment certificate without a full-time position. Monthly subscription, scalable, NIS-2 compliant.

Read more
Security Awareness Training: Employee Obligation Under NIS-2 and ISO 27001
IT Security & NIS-227 May 202612 min read

Security Awareness Training: Employee Obligation Under NIS-2 and ISO 27001

NIS-2 and ISO/IEC 27001:2022 require verifiable awareness measures for all employees. Those who carry out training as a mandatory programme without documentation risk audit findings and fines.

Read more
External Cyber Security Officer: Monthly Subscription, Instant Appointment
IT Security & NIS-227 May 202612 min read

External Cyber Security Officer: Monthly Subscription, Instant Appointment

NIS-2 and ISO/IEC 27001:2022 require an appointed Information Security Officer. Those who keep the role external and on a monthly subscription save build-up time, stay scalable, and keep the appointment certificate up to date at all times.

Read more
External IT Security Officer as a Service Provider: Scope, Selection, and Contract Design
IT Security & NIS-227 May 202612 min read

External IT Security Officer as a Service Provider: Scope, Selection, and Contract Design

External IT Security Officers as service providers promise flexibility and expertise without fixed headcount. But not every provider delivers what NIS-2 and ISO/IEC 27001:2022 require. This article explains what to look for in the service agreement, the contract, and the evidence trail.

Read more
External IT Security Officer: What Does the Monthly Mandate Really Cost?
IT Security & NIS-227 May 202612 min read

External IT Security Officer: What Does the Monthly Mandate Really Cost?

Between €800 and €4,500 per month is the range for an external IT Security Officer — but price alone says little about actual scope of services. This article breaks down the key cost drivers and explains what a reliable mandate must cover as a minimum.

Read more
Compliance Management Software in the DACH Comparison: What Matters for SMEs
Governance & Compliance27 May 202612 min read

Compliance Management Software in the DACH Comparison: What Matters for SMEs

Which compliance software suits a mid-sized company in Germany, Austria, or Switzerland? This comparison shows the criteria to use for selection, which categories dominate the market — and where most tools reach their limits.

Read more
What Does an External Compliance Officer Cost? Pricing, Models, and Decision Criteria
Governance & Compliance27 May 202612 min read

What Does an External Compliance Officer Cost? Pricing, Models, and Decision Criteria

An external Compliance Officer costs between €3,000 and €30,000 annually depending on the model — significantly less than a full-time position. This article explains what pricing structure is credible, what must be included in the offer, and which models are suitable for SMEs and mid-sized companies.

Read more
Compliance Training for Employees: Annual Obligation, Online Implementation, and Audit-Proof Documentation
Governance & Compliance27 May 202612 min read

Compliance Training for Employees: Annual Obligation, Online Implementation, and Audit-Proof Documentation

Compliance training for employees is not an HR bonus but a core component of the statutory supervisory duty under § 130 OWiG. Anyone who cannot produce training records during a regulatory inspection risks substantial fines. This article explains how to build and document online training in a legally sound manner.

Read more
Corporate Compliance: Legal Obligations, Organisational Structure and Operational Implementation
Compliance & Governance27 May 202612 min read

Corporate Compliance: Legal Obligations, Organisational Structure and Operational Implementation

Corporate compliance is not optional for German organisations. § 130 OWiG imposes a personal supervisory duty on management. Those who build a documented compliance management system according to IDW PS 980 create verifiable evidence — and reduce the risk of fines and reputational damage.

Read more
External Data Protection Officer: Appointment Obligation, Costs and Selection Criteria
Data Protection & Privacy27 May 202612 min read

External Data Protection Officer: Appointment Obligation, Costs and Selection Criteria

Art. 37(6) GDPR explicitly permits the appointment of an external Data Protection Officer. For SMEs with limited internal resources, this is often the more efficient choice — provided the appointment document is correctly drafted.

Read more
Privacy Policy: Mandatory Disclosures, Update Obligations and Structured Accountability
Data Protection & Privacy27 May 202612 min read

Privacy Policy: Mandatory Disclosures, Update Obligations and Structured Accountability

The privacy policy is not a one-off document, but an information instrument that must be continuously maintained. Arts. 13 and 14 GDPR each list 14 mandatory disclosures. If even one is missing, a transparency violation exists. Who bears responsibility and how the maintenance process works.

Read more
Corporate Data Protection: Obligations, Structures and Documentation
Data Protection & Privacy27 May 202612 min read

Corporate Data Protection: Obligations, Structures and Documentation

Corporate data protection encompasses far more than a privacy policy on a website. Controllers must maintain records, meet deadlines and train employees — in an audit-ready and documented manner.

Read more
GDPR: Obligations, Deadlines and Fine Risks for Companies – An Overview
Data Protection & Privacy27 May 202612 min read

GDPR: Obligations, Deadlines and Fine Risks for Companies – An Overview

The GDPR has applied directly in all EU member states since 25 May 2018. Those who know their obligations, meet deadlines and maintain complete documentation significantly reduce the risk of fines and reputational damage.

Read more
Supplier Auditor: Mandate, Methods, and the German Legal Frame
Audits & Lieferanten27 May 202613 min read

Supplier Auditor: Mandate, Methods, and the German Legal Frame

A supplier auditor verifies that vendors meet contractual, regulatory, and ESG obligations. Under the German Lieferkettensorgfaltspflichtengesetz (LkSG), the EU CSDDD, and ISO 19011:2018, the function has moved from optional to evidence-bearing.

Read more
ISO 9001 Consulting in Germany: How to Choose, Scope, and Run Engagements
Qualitätsmanagement27 May 202612 min read

ISO 9001 Consulting in Germany: How to Choose, Scope, and Run Engagements

ISO 9001:2015 remains the most common management system certification in Germany. Selecting a consultancy that delivers an audit-ready QMS, not paperwork, is a procurement discipline. This guide covers scoping, fees, deliverables, and the role of a Quality Officer.

Read more
External Fire Protection Officer in Germany: Mandate, Duties and Service Model
Brandschutz27 May 202612 min read

External Fire Protection Officer in Germany: Mandate, Duties and Service Model

International companies operating sites in Germany must appoint a Brandschutzbeauftragter when their building permit, insurer or risk profile requires it. An external fire protection officer fulfils that mandate on a service basis. This article explains the legal basis, the duties and the operational model.

Read more
Occupational Safety Specialist Services in Germany: A Buyer Guide
Arbeitssicherheit27 May 202612 min read

Occupational Safety Specialist Services in Germany: A Buyer Guide

International employers operating in Germany must appoint a Fachkraft für Arbeitssicherheit under § 5 ASiG. This guide explains the legal duty, DGUV Vorschrift 2 hours, internal versus external models, and how CIVAC delivers Officer-as-a-Service with audit-ready evidence.

Read more
German Hazmat Officer Services: From Statutory Duty to Auditable Operation
Gefahrstoff & Arbeitsschutz27 May 202613 min read

German Hazmat Officer Services: From Statutory Duty to Auditable Operation

German hazardous substances law is not optional and not waivable. This guide shows how international operators can appoint a qualified officer, document the appointment correctly, and run a hazardous substances operation that holds up under inspection.

Read more
ISO 14001 Consulting in Germany: Scoping, Implementation, and Audit Preparation
Umweltschutz27 May 202613 min read

ISO 14001 Consulting in Germany: Scoping, Implementation, and Audit Preparation

ISO 14001:2015 has 18,000 certified sites in Germany. A consultant either accelerates the path to certification or duplicates work your environmental officer already owns. This guide separates the two and shows what to expect at each stage.

Read more
Germany's Supply Chain Act (LkSG): Obligations, BAFA Enforcement and Operational Playbook
Lieferkette27 May 202613 min read

Germany's Supply Chain Act (LkSG): Obligations, BAFA Enforcement and Operational Playbook

The Lieferkettensorgfaltspflichtengesetz (LkSG) requires German companies above defined thresholds to run human-rights and environmental due diligence across their supply chains. This article maps every operational obligation, the BAFA enforcement model, and the interface with the upcoming CSDDD.

Read more
NIS-2 Implementation Consulting for the Mid-Market: A Twelve-Week Operational Roadmap
IT-Sicherheit & NIS-227 May 202613 min read

NIS-2 Implementation Consulting for the Mid-Market: A Twelve-Week Operational Roadmap

Around 29,500 companies in Germany fall under NIS-2. Mid-market firms with 50 to 5,000 employees rarely need another gap analysis. They need an appointed information security officer, an ISMS that produces audit-grade evidence and a tested 24-hour incident path.

Read more
ISO 27001 Implementation: A Practical Path Through the 2022 Revision
IT-Sicherheit & NIS-227 May 202613 min read

ISO 27001 Implementation: A Practical Path Through the 2022 Revision

Implementing ISO/IEC 27001:2022 is not a documentation exercise. It is the construction of an Information Security Management System that produces evidence on demand. This article maps the implementation steps, the 93 Annex A controls, and the typical pitfalls.

Read more
ISO 27001 Consulting in Germany: Scope, 2022 Transition, NIS-2 Alignment
IT-Sicherheit & NIS-227 May 202612 min read

ISO 27001 Consulting in Germany: Scope, 2022 Transition, NIS-2 Alignment

ISO 27001 consulting in Germany combines ISMS architecture, 93 Annex A controls and the operational reality of NIS-2, BDSG and BSI guidance. This guide outlines scope, transition timing to ISO/IEC 27001:2022, certification path and where an external information security officer fits.

Read more
DataGuard Alternative for the German Mid Market: A Structured Comparison
Plattform & Strategie27 May 202612 min read

DataGuard Alternative for the German Mid Market: A Structured Comparison

Mid-market buyers increasingly look beyond DataGuard for external DPO, ISO 27001 and NIS-2 coverage. This guide explains where the alternatives differ, which capabilities matter under § 130 OWiG, and how to structure a sober evaluation.

Read more
Compliance Platform for the German Mid-Market: Workspace Plus Officer-as-a-Service
Plattform & Strategie27 May 202612 min read

Compliance Platform for the German Mid-Market: Workspace Plus Officer-as-a-Service

German mid-market companies face 25-plus mandatory officer roles, NIS-2 reporting windows of 24 and 72 hours, and personal liability for managing directors under § 130 OWiG. A workable platform combines a workspace, audit templates and the option to outsource individual officer mandates.

Read more
NIS-2 Implementation in Germany: What Management Boards Need to Know in 2026
Regulation15 April 20269 min read

NIS-2 Implementation in Germany: What Management Boards Need to Know in 2026

Germany's NIS2UmsuCG tightens BSIG duties for essential and important entities, with personal management liability, a staggered incident-reporting clock, and a vastly expanded sector catalogue. An overview for boards and managing directors.

Read more
EU AI Act: Compliance Obligations for Enterprises From August 2026
AI & Regulation8 April 202612 min read

EU AI Act: Compliance Obligations for Enterprises From August 2026

On 2 August 2026, the main application date of Regulation (EU) 2024/1689 kicks in. Any organisation that develops, distributes or deploys high-risk AI needs a risk-management system under Art. 9, data governance under Art. 10 and human oversight under Art. 14, and AI-literacy training for every employee working with AI.

Read more
ISO/IEC 27001:2022, Transition From 2013 and What Must Happen by October 2026
Information Security2 April 202611 min read

ISO/IEC 27001:2022, Transition From 2013 and What Must Happen by October 2026

The transition window to ISO/IEC 27001:2022 has closed. Certifications still running on the 2013 version lost their validity on 31 October 2025. A structured look at the new controls, themes, and the non-negotiable re-certification on the current standard.

Read more