What officers need to know.
Regulatory shifts, framework updates and operational guidance, curated for Data Protection, IT Security, Compliance and AI Governance leads. Written from the field, verified against primary sources.
Company doctor: From what number of employees does the obligation to order apply?
The obligation to appoint a company doctor results from the ASiG and DGUV regulation 2 and is not rigidly tied to an employee threshold. This article explains standard and alternative support, calculation of operating times and the auditable documentation of the order.
Construction site regulations (BaustellV): Obligations, SiGeKo order and advance notice in practice
The Construction Site Ordinance has regulated coordination obligations on construction sites since 1998. This article explains advance notice, SiGe plan, SiGeKo order, building owner's obligations and the interface to construction management in practice in 2026.
HinSchG draft bill: history, current status, what the upcoming amendment means for internal reporting points
The draft bill for the Whistleblower Protection Act from 2022 has had a significant impact on today's legal situation. Anyone who knows the history of its origins understands the scope for interpretation and can set up their internal reporting office in such a way that it can survive a future amendment.
Have a market value report drawn up: plan the duration realistically
Depending on the property, it takes between three and twelve weeks from the order to the signed market value report. We break down the duration into five phases, name accelerators and show when a short report is sufficient and when only the full report is sufficient.
External ISO 9001 Quality Manager in Germany: When to Outsource the QMB Role
An external ISO 9001 quality manager in Germany must meet the same formal appointment requirements as an internal QMB. This article explains role, liability, audit chain and how CIVAC delivers an appointed quality manager with workspace access in 2 business days.
Order QMB externally: When an external quality management representative is the better choice
An external QMB provides ISO 9001 expertise, audit preparation and a documented QM system without a full-time position. The article clarifies responsibility, costs, selection criteria and the handover to permanent operation.
Occupational health care G 37 VDU work: duration, deadlines, documentation
Prevention according to DGUV G 37 (computer workstations) takes between 20 and 40 minutes of pure examination time. The intervals result from ArbMedVV. Who documents what and how long must evidence be kept? Answers for management and company doctors.
Company doctor in the company: duties, appointment and interaction with compliance
The Occupational Safety Act requires employers to appoint a company doctor in writing. This article explains the legal obligations, the operating times according to DGUV regulation 2, the collaboration with occupational safety specialists and the integration into a compliance platform.
Setting up a whistleblower hotline in medium-sized companies: duties, channels, reporting line
The obligation to have an internal reporting office under the HinSchG has also applied to companies with 50 to 249 employees since December 17, 2023. This article shows how medium-sized companies set up the whistleblower hotline in a legally secure manner, combine the complaints office and data protection and present evidence in the audit.
Set up an AGG complaint office: Section 13 AGG, appointment certificate and procedural model
Section 13 AGG obliges every employer to set up a complaints office for cases of discrimination. The article provides templates for ordering, procedures and documentation and shows how CIVAC operates the position as an internal function or as an external solution under Officer-as-a-Service.
Hazardous Substances Officer in Germany: Appointment, Duties, and Liability under GefStoffV
Germany's Hazardous Substances Ordinance (GefStoffV) requires structured oversight of chemical workplace risks. This guide explains who needs to appoint a Hazardous Substances Officer, what the role covers, and how to staff it without overspending in German subsidiaries.
Money laundering officer costs 2026: What internal, external and hybrid really costs
The costs of a money laundering officer range from 800 euros per month if appointed externally to 80,000 euros in total annual costs in the internal model. Which route is right depends on the obligor status, risk profile and volume. This guide classifies the cost types, ranges and obligations in 2026.
Introduce the KYC process: Duties, stages and roles according to the AMLA
A KYC process is more than just identification on onboarding. It includes risk analysis, due diligence requirements per risk class, continuous monitoring and suspicious activity reporting. This guide shows what obliged entities must set up structurally in accordance with Section 2 of the GwG.
Fire Safety Officer Services in Germany for English-Speaking Companies
International companies operating in Germany must appoint a Brandschutzbeauftragter under § 10 ArbSchG and ASR A2.2. This article explains the legal basis, scope, costs and how CIVAC delivers the role with English-language reporting.
Annual fire protection instruction: duties, content, evidence 2026
Annual fire safety training is mandatory, but rarely well documented. Anyone who knows the legal basis and keeps records cleanly avoids fines, insurance disputes and personal liability on the part of the management.
Appoint a fire protection officer: duty, qualifications and audit trail
The appointment of a fire protection officer is mandatory in many building regulations, meeting place regulations and insurance policies. This article explains the legal basis, qualifications according to vfdb 12-09, tasks and how CIVAC bundles the order, fire protection regulations and audit templates in one workspace.
ISO 9001 Quality Manager Services in Germany: Roles, Cost, and Appointment
ISO 9001:2015 certification requires a dedicated quality management representative, internal audits, and a documented management system. This guide explains the scope of external quality manager services in Germany, costs, appointment letters, and how CIVAC delivers the function in two business days.
Occupational Safety Consulting in Germany: Roles, Duties, and the External Specialist
Occupational safety consulting in Germany is regulated by the ASiG, the DGUV Vorschrift 2 and a body of technical rules. This article explains the legal framework, the practical scope of an external safety specialist and how to document the mandate.
Annual employee training: list of topics, duties and evidence
Annual training in accordance with Section 12 ArbSchG and Section 4 DGUV Regulation 1 is mandatory for every company. This guide shows a complete list of topics, the role of the occupational safety specialist and the requirements for an exam-proof instruction certificate.
Commission external SiFa: Obligation, selection and audit-proof ordering
In many companies, external SiFa is the economic answer to the ordering obligation according to Section 5 ASiG. The article explains which tasks can be delegated, what the appointment certificate looks like, what operating times DGUV Regulation 2 stipulates and how the mandate can be documented in an audit-proof manner.
When do I need an occupational safety specialist (SiFa)?
The obligation to appoint an occupational safety specialist begins with the first employment. This practical guide clarifies which number of hours you have to provide and from which number of employees and in which form of care.
Manage safety data sheets: obligations, processes, platform
Safety data sheets are mandatory documents according to REACH Annex II. If you only save them as PDFs, you will miss the operational requirement. This article shows how you can maintain SDBs, convert them into directories and translate them into operating instructions.
TRGS 510 Storage of hazardous substances: obligations, quantities and evidence
TRGS 510 regulates the storage of hazardous substances in portable containers. The article explains quantity thresholds, storage rules, structural requirements, containment areas and the evidence trail that supervisory authorities expect in the audit.
Hazardous substance list template: what is mandatory and what gaps templates typically leave
The list of hazardous substances is required according to Section 6 Paragraph 12 GefStoffV and is a first point of contact in every supervisory inspection. Which mandatory fields a reliable template contains, why pure Excel lists are often noticed in audits and how CIVAC relieves the burden with Workspace and Officer-as-a-Service.
CSRD Double Materiality Assessment Template: Structure, Inputs, Audit Trail
A double materiality assessment is the entry point to CSRD reporting. This article walks through the template structure, the inputs auditors expect, and how to build a defensible audit trail under ESRS 1 and ESRS 2.
Environmental officer costs: What the order, duties and external commissioning really cost
How much does an environmental representative cost in a medium-sized company? The article classifies the legal ordering obligations, the typical hourly rates and the external monthly flat rate and shows where the workspace reduces running costs.
What does an environmental officer really do in a company?
An environmental officer coordinates the legally compliant fulfilment of environmental obligations within the company. The article describes the actual task profile, the distinction between specialised representatives (waste, water, pollution control, dangerous goods) and the requirements for an effective appointment according to ISO 14001:2015 and EMAS.
AML Compliance in Germany: Geldwaeschegesetz Obligations and How to Operate Them
Germany regulates anti-money laundering through the Geldwaeschegesetz (GwG) and BaFin guidance. This article explains who qualifies as an obliged entity, what risk analysis and KYC obligations apply and how CIVAC supports the AML officer with platform plus officer-as-a-service.
Waste representative: duty, tasks and appointment according to Section 59 KrWG
Facilities with relevant waste generation must appoint a waste representative. This article explains the legal basis in Section 59 KrWG and the AbfBeauftrV, describes tasks and reporting obligations and shows how orders and audit trails can be managed in the CIVAC workspace.
CSDDD Consulting: How German Mid-Market Companies Prepare for the EU Supply Chain Directive
CSDDD consulting helps companies translate the EU Corporate Sustainability Due Diligence Directive into operational supply chain processes. This article explains scope, deliverables, the relationship to LkSG, and what a credible engagement looks like.
Supplier audit: process, obligations according to LkSG and ISO 9001, templates for audit practice
Since the Supply Chain Due Diligence Act and the EU Supply Chain Directive, supplier audits are no longer a voluntary practice, but a due diligence measure that requires documentation. This article shows the process, criteria and templates for audits that the BAFA report and the ISO 9001 certifier recognise equally.
External human rights officer: Costs, effort and models at a glance
An external human rights officer according to Section 4 LkSG costs between 18,000 and 80,000 euros per year, depending on the model. What does the contract cover, what hourly rates are standard in the market and how do workspaces reduce overall costs?
Supply Chain Act Officer: Order, tasks and test chain according to LkSG
The LkSG requires a human rights officer or a comparable function with a direct reporting line to management. This article clarifies the order, obligations, BAFA examination and interface to the CSDDD.
Workplace Risk Assessment Template Germany: What §5 ArbSchG Actually Requires
A workplace risk assessment template that works in Germany must satisfy §5 of the Occupational Safety and Health Act, the relevant Berufsgenossenschaft, and the labour inspectorate of the Bundesland. This article explains the legal minimum and how to keep the template auditable across sites.
CSDDD and LkSG in comparison: What the EU Supply Chain Directive will really change in 2027
The CSDDD will tighten the German LkSG in terms of scope, liability and climate protection plan from 2027. The article shows the 12 most important differences, clarifies threshold values and describes how both sets of rules can be fulfilled without duplicate structures.
NIS 2 Compliance in Germany: Operational Playbook for the Information Security Officer
The German NIS 2 transposition will apply to roughly 29,500 organisations. This is the operational playbook for the Information Security Officer: registration, governance training, incident reporting, supplier risk, and the BSI evidence cycle.
ISB-as-a-Service with NIS 2 Ready setup: Order in two working days instead of six weeks
With the implementation of NIS 2, around 29,500 companies in Germany are obliged to demonstrably implement technical and organisational cybersecurity measures. An appointed information security officer is the central operational person. This article describes CIVAC's ISB-as-a-Service model with a two-business-day SLA.
ISB consulting in medium-sized businesses: roles, costs and the step from consultation to order
In medium-sized businesses, ISB consulting is often purchased as a project and ends with no permanent role. This article shows how consulting, appointment and officer-as-a-service differ, what obligations the ISB has according to NIS 2 and ISO/IEC 27001:2022 and when the transition to permanent appointment is economical.
Order ISB for critical infrastructure: obligation, profile and appointment certificate in detail
KRITIS operators, particularly important and important facilities according to the NIS 2 Implementation Act, must appoint, document and provide evidence to the BSI of an information security officer. The article shows the legal basis, requirement profile, appointment certificate and the operational structure in the CIVAC workspace.
ISO 14001 Certification Consulting in Germany: A Practical Guide for 2026
ISO 14001:2015 certification in Germany requires more than a generic environmental management system. This guide explains the steps, costs, role of the Umweltbeauftragter, and what to expect from a credible German consulting partner.
ADR catalogue of fines 2022 for dangerous goods: How much does a violation really cost today?
The ADR fine catalogue 2022 is the reference for many freight forwarders and shippers. With the RSEB update in 2024 and the ADR revision in 2025, the facts, amounts of fines and responsibilities have changed. This guide classifies and shows how an appointed dangerous goods officer controls the risk of fines.
Instruction 1.3 ADR: Obligations, content and evidence for consignors and shippers
Chapter 1.3 ADR obliges all persons involved in the transport of dangerous goods to undergo documented training. This guide shows what the content includes, when the refresher is due and what the evidence in the audit must look like.
Dangerous goods classes 1 to 9 according to ADR: Overview, labelling and obligation to order
The nine dangerous goods classes according to ADR structure all dangerous substances for roads, rails and inland waterways. This article explains the classes, the labelling, the ordering requirement for GGB and the CIVAC model.
UN 3082 and hazard number 90: What shippers and agents need to know
UN 3082 with danger number 90 is encountered more often in everyday life than expected: lubricants, crop protection, cleaning chemicals. This article explains the ADR classification, the obligations of those involved and the typical errors in transport documents, labelling and packaging.
Dangerous goods stickers: classes, obligations and audit evidence in shipping
Dangerous goods stickers are not decoration, but mandatory labelling according to ADR and GGVSEB. This article explains the nine classes of dangerous goods, the correct attachment, the obligations of those involved and how CIVAC bundles the documentation, the dangerous goods officer and the audit evidence.
Supply Chain Due Diligence in Germany: LkSG, CSDDD and What Foreign Companies Must Do
Germany was the first large EU economy to impose mandatory supply chain due diligence. This guide covers the 2024 thresholds, eleven protected rights, BAFA enforcement record, and how to set up an audit-ready officer function in two working days.
Dangerous goods classes according to ADR: Overview, obligations and documentation
Dangerous goods classes structure the ADR and decide on labelling, packaging, transport and reporting obligations. This article explains the nine classes, the associated UN numbers and the operational responsibilities of those involved.
TISAX Certification Process for Automotive Suppliers: A Practical Roadmap
TISAX is the dominant information security label across the European automotive sector. This guide walks suppliers through the assessment levels, the VDA ISA catalogue, the ENX exchange platform and the typical timeline from gap analysis to label issuance.
Virtual CISO Germany: NIS-2, ISO 27001 and the case for a fractional model
German mid-sized companies face NIS-2, ISO 27001:2022 transition and EU AI Act obligations without a full-time CISO on payroll. A virtual CISO model provides accountable security leadership with documented mandates, board reporting and audit-ready evidence in the workspace.
ISO 27001 certification: duration, preparation, effort
An ISO/IEC 27001:2022 certification takes 9 to 18 months from the start of the project to the certificate in medium-sized companies. This guide breaks down the phases, names the effort and shows where audits typically fail.
BSI C5 attestation for cloud providers: What it does, when it is mandatory
The BSI's C5 certificate is the standard for the security of cloud services in the German market. This article explains the structure, type 1 and type 2 testing, relationship to ISO 27001 and operational preparation as a provider and as a customer.
How to Comply with the NIS-2 Directive in Germany: A 90-Day Operational Plan
Around 29,500 German entities fall in scope of NIS-2. The directive's value emerges from disciplined operational execution: scoping, risk management, named information security officer, 24/72 reporting, management training. This guide is a 90-day plan for entities still building the foundation.
Information security officer: role, duties and appointment in medium-sized companies
The information security officer (ISB) has operational responsibility for the ISMS according to ISO/IEC 27001:2022. The article explains tasks, the appointment certificate, the distinction between CISO and CIO as well as the obligations under NIS-2, KRITIS umbrella law and DORA.
TISAX consulting: what automotive suppliers really need to pass the assessment
TISAX assessments rarely fail due to technology, often due to unclear scope, incomplete documentation and officer roles that are not filled. The article shows how a reliable TISAX consultation is structured and where CIVAC relieves the burden with Workspace and Officer-as-a-Service.
Building an ISMS: Step-by-step instructions according to ISO 27001:2022
Anyone who builds an ISMS according to ISO/IEC 27001:2022 navigates 93 controls, four statements and seven process levels. This guide breaks down the journey into ten phases with responsibilities, artifacts, and realistic timelines.
Understanding Nordea ESG Stars: What the rating means for companies with ESG obligations
Nordea ESG Stars is an internal fund label from Nordea Asset Management. Companies that are in a Stars fund answer ESG questions differently than they would without investor pressure. The article classifies the label legally and shows the obligations in day-to-day business.
Flossbach von Storch and ESG: What investors need to know about integration
Flossbach von Storch manages around 70 billion euros and integrates ESG criteria into the investment process. The article places the practice within the regulatory framework: SFDR Article 8 funds, CSRD reporting requirements from fiscal year 2025, taxonomy quotas and the role of the sustainability officer.
MSCI World Momentum ESG: What the index means for corporate compliance
The MSCI World Momentum ESG combines two logics: price momentum and ESG rating. Whoever appears in the supply chain of an index candidate is also evaluated. This article explains the methodology, the obligations for German companies and the evidence that CSRD and supervision expect.
MSCI World ESG vs. SRI: Differences, methodology and importance for corporate ESG reporting
The MSCI ESG Leaders and SRI Select indices follow different methodologies. This article explains the filter logic, sector weighting, carbon footprint and the consequences for ESG officers and companies subject to CSRD.
Vanguard FTSE All Cap ESG: What companies learn from index logic
The Vanguard ESG Global All Cap UCITS ETF follows the FTSE Global All Cap Choice Index, which excludes certain sectors and thresholds. Companies that do not want to appear in such indices must prepare their ESG disclosure in a verifiable manner according to CSRD and ESRS.
Amundi Funds Global Ecology ESG: What companies derive from the fund for their own ESG obligations
The Amundi Funds Global Ecology ESG is an Article 9 fund under SFDR. What does this mean for investors and especially for companies that themselves have to report under CSRD and EU taxonomy? A practical guide to ESG governance.
ESG in the EU: CSRD, taxonomy and supply chain as an operational duty
ESG has been mandatory reporting practice in the EU since 2024. CSRD, EU taxonomy, CSDDD and ESRS interlock. This post shows how an ESG officer manages data points, dual materiality and audit evidence in one platform.
ESG 2026: From a catchphrase to an appointment certificate in German medium-sized businesses
ESG is no longer a marketing issue. CSRD, EU taxonomy, LkSG and CSDDD require reliable data, roles and reports. The article explains the obligations, the thresholds and the operational structure of an ESG function.
One Compliance Platform for All German Officer Roles: A Practical Buyer Guide
German law requires dedicated officers for data protection, money laundering, fire safety, hazardous goods, hygiene, whistleblowing, supply chain and many more. Twenty-five mandates, one platform. This guide explains how that consolidation works.
CIVAC Alternative: 14 evaluation criteria for compliance platforms in medium-sized companies
Anyone looking for a CIVAC alternative usually compares apples with oranges. Classic consulting firms, ISMS tools and platform solutions deliver different value propositions. This article provides 14 evaluation criteria, price bands and a decision tree for comparison.
Automate compliance training: e-learning, evidence and reporting lines in medium-sized companies
Training obligations are increasing: GDPR, NIS 2, HinSchG, ISO/IEC 27001:2022, hazardous substances, fire protection. Anyone who continues to keep records in Excel will fail the audit. This article shows how automated e-learning and a workspace carry the reporting line to management.
CIVAC Compliance: Platform, Officer-as-a-Service and the operational structure behind it
CIVAC is a German compliance platform and officer-as-a-service. The article explains how the platform brings together the mandatory representatives from DSB to fire protection in one place, which documents are kept and how CIVAC differs from classic consulting firms.
ISO 27001 Risk Assessment Template: What a Certifiable Workflow Looks Like in 2026
An ISO 27001 risk assessment is a workflow, not a spreadsheet. This guide explains the 2022 revision, the methodology your auditor expects, the structure of a defensible risk register, and how CIVAC packages the templates inside one Workspace.
ISO 27001:2022 Transition in Germany: What the October 2025 Deadline Means in 2026
The official transition window from ISO/IEC 27001:2013 to the 2022 edition closed on 31 October 2025. Certificates not migrated have expired. This article explains what that means for German organisations in 2026, what auditors now expect, and how to recover lost certification without a multi-quarter delay.
Building an integrated management system: From an ISO patchwork to a uniform compliance architecture
Anyone who maintains multiple ISO standards knows the problem: duplicate audits, contradictory procedures, redundant documents. An integrated management system based on a high level structure bundles requirements, reporting obligations and audit trails. This guide shows the structure, sequence and tools.
All agent roles in one software: When consolidation is worthwhile
Medium-sized companies manage six to twelve representative roles in parallel, usually in separate tools. Consolidated software reduces interface costs, closes audit gaps and makes the personal liability of management manageable. What needs to be taken into account.
§ 42 BDSG: Criminal liability for data misuse in German data protection law
Section 42 BDSG regulates criminal liability for intentional data misuse. This article explains the facts, the penalty range, the distinction from the GDPR fine and the organisational obligations of the management.
Doctor's practice hygiene plan 2022: What needs to be up to date since then
A hygiene plan is not a static document. Anyone who is still working with the 2022 version in 2026 risks complaints from the health department and KV. This article shows which RKI recommendations and legal bases have been updated since 2022.
Hygiene officers in nursing: What RKI and KRINKO require operationally
Care facilities must appoint hygiene officers according to clearly defined guidelines from the RKI and KRINKO. This article explains qualifications, tasks, documentation requirements and how CIVAC bundles the order, the hygiene plan and the audit evidence in one workspace.
KRINKO guidelines for hospital hygiene: obligations and implementation
Hospital hygiene is not a recommendation, but rather a requirement under the IfSG, state hygiene regulations and KRINKO specifications. This article shows how clinics document risk analyses, hygiene plans and reporting paths in a legally compliant manner.
Hygiene in care: worksheet, checklist and legally compliant instruction
A nursing hygiene worksheet is more than just a training slide. It is the central proof document for home supervision, MDK and the health department. This guide shows the structure, mandatory content and templates for practice.
Washing hands and hygiene: duties, methodology and evidence in the company
Washing your hands seems trivial, but it is anchored in the company's regulations: IfSG, LMHV, ArbStättV and the RKI-KRINKO recommendations prescribe procedures, means and evidence. The article shows obligations, methodology according to DIN EN 1499 and how hand hygiene can be documented in an audit-proof manner.
Hand hygiene in care: duties, indications, evidence
Hand hygiene is the single most effective measure against nosocomial infections. This guide organises the legal obligations according to Section 23 IfSG, the five WHO indications and the operational evidence that home supervision and MD examiners want to see.
Institute for Hygiene and Environmental Medicine: tasks, duties, practical role
Institutes for hygiene and environmental medicine provide analysis, inspection and advice. Anyone who has to fulfil operational hygiene obligations according to IfSG, BioStoffV and TrinkwV also needs an internal representative structure. This article explains tasks and interfaces.
Hygiene training online: legal framework, content and auditable evidence
Online hygiene training is recognised in many industries, but does not replace every instruction. The article explains Section 43 IfSG, annual follow-up instructions, minimum technical requirements and the trail of evidence with which hygiene officers and management satisfy supervisory authorities.
Metro hygiene: what wholesale, catering and HACCP really demand from each other
Anyone who buys food wholesale and processes it in the catering industry has a double hygiene chain. The article explains obligations according to LMHV, IfSG and HACCP, shows how hygiene officers keep a complete track of receipts from goods receipt to the guest and where CIVAC can provide relief.
Hygiene instructions according to § 43 IfSG: Obligation, deadline, proof
Anyone who handles food needs instruction in accordance with Section 43 of the Infection Protection Act. This article explains the scope, deadlines, content and how the hygiene officer keeps the evidence in a verifiable manner.
External Compliance Officer for B2B SaaS in Germany: Roles, Cost, Setup
B2B SaaS founders in Germany face overlapping duties under GDPR, NIS-2, HinSchG, and ISO/IEC 27001:2022. An external compliance officer covers the controls without an internal hire, leaving the engineering roadmap untouched.
EU AI Act: Obligations for High-Risk AI Systems in Practice
The EU AI Act introduces twelve cumulative obligations for providers of high-risk AI systems and four additional duties for deployers. This article translates Articles 8 to 27 into a working compliance routine: risk management, data governance, logging, human oversight, transparency, and conformity assessment.
Compliance Training Platform for Multi-Role German Operations: A Buyer's Guide
A German mid-cap typically operates 8 to 12 statutory officer roles in parallel: DPO, ISO, fire safety, hazardous goods, hygiene, ESG, whistleblower, and more. A multi-role compliance training platform consolidates curricula, evidence, and audit exports into one system of record.
Officer-as-a-Service in Germany: How External Compliance Roles Actually Work
Officer-as-a-Service in Germany means appointing an external person to a statutory officer role under German law, with a written appointment letter, defined reporting line and documented duties. This guide explains the legal basis, the appointment workflow and the operational reality.
Compliance guidelines for medium-sized companies: templates that withstand regulatory scrutiny
Downloaded Word templates are rarely sufficient for a supervisory audit. This article shows which elements a compliance policy needs in medium-sized companies, how the appointment certificate, proof of training and escalation path are neatly interlinked and how CIVAC provides templates in a version-specific manner.
Compliance audit in medium-sized companies: Checklist 2026 for management and representatives
This 2026 checklist shows medium-sized companies step by step which 14 subject areas a compliance audit covers, which documents must be available and how the platform documentation reduces the effort.
Building a tax compliance management system: Seven building blocks according to IDW PS 980
A tax compliance management system only protects against criminal proceedings if all seven basic elements according to IDW PS 980 are implemented and documented. The application decree for Section 153 AO expressly recognises the Tax CMS as an indication of intent.
Kerberos Compliance: Check authentication, prove risks, pass audit
Kerberos is the silent backbone of many Active Directory environments. Reviewers ask about key lengths, ticket lifetimes, and Kerberoasting protection. This article shows what evidence ISO 27001:2022 and NIS-2 expect from you and how you can file it in a structured manner.
Governance, Risk and Compliance: How GRC becomes an operational discipline
Governance, risk and compliance only works if the appointment certificate, risk register and audit evidence live in the same system. This article shows how GRC according to ISO 37301 and ISO 31000 is managed as an operational process, not as a slide carousel.
Compliance consulting 2026: When the workshop is enough and when a representative has to take over
Compliance consulting often promises strategy and delivers PowerPoint. This article explains which form of delivery fulfils which obligation, how you differentiate between consultants, platforms and agents and how you measure audit robustness.
Who needs a compliance officer in the company: duty, thresholds, risk
There is only an explicit obligation to appoint a compliance officer in a few industries. In fact, Section 130 OWiG forces every management to supervise. This article specifically explains who is responsible and when.
Outsourced DPO: When an External Data Protection Officer Outperforms an Internal Hire
An outsourced DPO covers GDPR Article 37 duties, breach reporting under Article 33, and evidence files for supervisory authorities. This guide explains scope, cost ranges, and how an external DPO integrates with German labour law and works alongside the information security officer.
GDPR Compliance Software for German Mid Market in 2026: A Practical Buyer Guide
GDPR enforcement against the German Mittelstand has intensified since the federal coordinated audit of 2025. This buyer guide shows what a modern compliance platform must deliver: records, breach pipelines, residency, officer workflows, and signed records of authority.
External DPO in Germany: When You Must Appoint One and How to Do It Properly
Germany has the strictest national rule for appointing a data protection officer in the European Union. This guide explains the legal thresholds, the documentation a supervisory authority expects, and how an external DPO model under CIVAC removes the bottleneck without diluting accountability.
Becoming an internal data protection officer: qualification, appointment and proof according to GDPR
If you want to become a data protection officer in your own company, you need more than an online course. Art. 37 GDPR and Section 38 BDSG require specialist knowledge, independence and a verifiable appointment certificate. This guide shows the path from the employee to the appointed internal DPO.
Alternative to other providers: When data protection needs more than one module
another provider covers data protection solidly. But medium-sized businesses and KRITIS companies need ISB, ISMS, NIS-2 notifications and appointment certificates in the same system. This comparison shows when a single tool is enough and when an integrated platform is the better choice.
External data protection officer in medium-sized companies: prices, services and the CIVAC approach
Prices for external data protection officers vary between 350 and 2,400 euros per month in medium-sized businesses. This article explains the factors, the cost traps and the CIVAC model as a compliance platform and officer-as-a-service.
Have a GDPR audit carried out: costs, scope of services and pitfalls in 2026
A GDPR audit is more than a checklist. If you want to estimate costs realistically, you must understand the scope, method and depth of evidence. This article classifies typical price ranges and shows how follow-up costs can be avoided.
DSB software: What a data protection officer really needs today
DSB software does not replace an appointment certificate, but it makes the difference between filing cabinets and audit resistance. This article shows which modules Articles 30, 33 and 35 GDPR actually require, how good platforms can be identified and how CIVAC closes the gap between tool and mandate.
AI Compliance Officer Services in Germany: An English Guide for International Operators
International companies operating in Germany need an AI compliance officer who works in English yet documents in German for the regulator. This guide explains the legal frame, deliverables, and how to engage one in 2026.
German Compliance Requirements for US Subsidiaries: The Officer Map
A US parent that incorporates a German GmbH inherits a stack of mandatory officer roles, hard deadlines and personal-liability rules that have no direct US counterpart. This guide maps the obligations, the fines and the operating model that keeps the German entity audit-ready without expanding US headcount.
Order processing contract according to Art. 28 GDPR: submission and obligations
An AVV template is more than a form. It is documented proof that you, as the controller, have your processors under control. This article explains mandatory components according to Art. 28 GDPR and shows the way to audit-proof documentation.
Create a processing list in accordance with Art. 30 GDPR: step-by-step guide
The processing directory is the central proof requirement according to Art. 30 GDPR. This guide shows which fields are mandatory, how a VVT can be set up in less than two weeks and which templates the supervisory authority accepts.
GDPR advice 2026: What companies really need instead of templates
GDPR advice is often delivered as a PDF bundle. It is only effective when recommendations result in appointment certificates, a TOM register, a 72-hour reporting path and auditable evidence in the workspace. The article shows how reliable advice can be recognised.
GDPR and personal data: definition, obligations, evidence
Personal data is not a legal special case, but your daily reality. Anyone who underestimates the definition risks fines according to Art. 83 GDPR. This guide organises the obligations and shows the way to verifiable documentation.
Federal Data Protection Act 2026: Obligations, thresholds, appointment certificate
The Federal Data Protection Act specifies the GDPR in Germany and requires a data protection officer for groups of 20 or more people. This article explains thresholds, fines, ordering obligations and what evidence is required in the audit.
Occupational health care G 25 for computer work: compulsory, offered and desired care separated out
G 25 is a DGUV precautionary recommendation for computer work. According to the Occupational Health Prevention Ordinance, it is mandatory as a precautionary measure. The article organises the occasions, content, documentation and the interface to the company medical reporting line.
Carrying out internal audits ISO 9001: checklist, process and templates for the QMB
ISO 9001:2015 Section 9.2 requires internal audits at scheduled intervals, with a documented program, qualified auditors and tracked actions. This checklist guides you through the program, plan, implementation, report and follow-up activities, with mandatory questions, templates and typical findings.
QM auditor in Germany: role, qualifications and tasks in the ISO 9001 audit
The QM auditor checks whether the quality management system according to ISO 9001:2015 is actually being implemented. This article explains qualifications, types of audits, obligations and the interface to the quality management representative in industrial and service companies.
Real estate appraiser: qualifications, order types and compliance requirements 2026
Choosing a real estate appraiser sounds like a purely valuation question. In fact, valuation standards, money laundering prevention, ESG reporting and data protection collide in every order. This article classifies the qualifications, the most common types of orders and the documentation requirements of the client.
HinSchG and the Federal Council: The long road to the whistleblower protection law and its operational obligations
The Federal Council blocked the HinSchG in February 2023. The Mediation Committee reached an agreement in May 2023, and the law came into force on July 2, 2023. This article organises the genesis and names the duties that are ongoing today.
GDPR Consulting in Germany: How Foreign Headquarters Stay Audit-Ready
GDPR consulting in Germany goes beyond translation. You need a designated DPO under Art. 37, a written appointment, and a documented 72-hour breach workflow. This guide explains the legal floor, the operational reality, and the dual delivery model.
When Is a DPO Mandatory Under GDPR: The Four Triggers Explained
Article 37 GDPR sets three independent triggers for a mandatory Data Protection Officer. In Germany, Section 38 BDSG adds a fourth. This article explains each criterion with thresholds, examples, and the documentation a supervisory authority will ask for.

Foreign Trade and Product Conformity: Customs, Export-Control and CE Officers
Practical guide for German businesses on appointing Customs, Export-Control, and CE Officers. Learn about legal bases, duties, and personal liability.

Youth Protection Officer, Anti-Discrimination Body and Trainer: Company Duties
Ensure compliance in Germany. Learn about mandatory corporate roles: Youth Protection Officers, AGG complaints bodies, and qualified trainers.

Outsourcing and Internal-Audit Officers under KWG, MaRisk and VAG
Understand the regulatory requirements, duties, and liability of outsourcing and internal-audit officers under KWG, MaRisk, VAG, and DORA in Germany.
Supplier Auditor: Mandate, Methods, and the German Legal Frame
A supplier auditor verifies that vendors meet contractual, regulatory, and ESG obligations. Under the German Lieferkettensorgfaltspflichtengesetz (LkSG), the EU CSDDD, and ISO 19011:2018, the function has moved from optional to evidence-bearing.
Construction manager and VOB: duties, interfaces and audit-proof documentation
The VOB regulates the awarding and execution of public and larger private construction work. Anyone who supervises VOB orders as a construction manager has to deal with the award protocol, construction diary, acceptance documentation and safety obligations. This article systematizes the obligations and shows operational documentation practice.
HinSchG and BMJV: Responsibilities, interpretations and operational consequences for reporting offices
The Federal Ministry of Justice is responsible for the Whistleblower Protection Act. Which interpretations does the BMJV publish? How do they affect companies with an internal reporting office? This article organises the publications, clarifies the interface to the Federal Reporting Office at the BfJ and shows what the interpretations mean for the appointment certificate.
Real estate appraiser: What does an appraisal cost and when is it worth it?
A real estate report by an expert costs between a few hundred and several thousand euros, depending on the scope and value of the property. This article explains fee structures, reasons and what owners and compliance officers should pay attention to when making their selection.
ISO 9001 Consulting in Germany: How to Choose, Scope, and Run Engagements
ISO 9001:2015 remains the most common management system certification in Germany. Selecting a consultancy that delivers an audit-ready QMS, not paperwork, is a procurement discipline. This guide covers scoping, fees, deliverables, and the role of a Quality Officer.

Transfusion, Transplantation and Medical-Device Officers in Hospitals
A guide to the legal duties, training, and liability risks for Transfusion, Transplantation, and Medical-Device Safety Officers in German hospitals.
Coordinating Construction Sites and Contractors: SiGeKo and Contractor Coordinator
Learn when and how German companies must appoint a SiGeKo or Contractor Coordinator to meet strict health, safety, and BaustellV compliance standards.
Quality management representative: tasks, duties and position according to ISO 9001:2015
With ISO 9001:2015, the obligation to appoint a quality management representative has been formally eliminated. In practice, the role remains standard. This article organises tasks, qualifications, orders and interfaces.
Calculate company doctor deployment time according to DGUV regulation 2: basic care, company-specific share, documentation
DGUV regulation 2 regulates the working hours of company doctors and occupational safety specialists. This article explains the calculation according to Appendix 2, the division into basic care and company-specific care and the obligation to provide written documentation.
Company doctor requirement: who needs it, when and to what extent
The obligation to have a company doctor applies to practically every employer in Germany. This article explains the legal basis, the operating times according to DGUV regulation 2, the occupational health care according to ArbMedVV and how CIVAC makes the order operational with the platform and Officer-as-a-Service.
AGG training for employees online: Mandatory, content and evidence in the audit
According to Section 12 Paragraph 2 AGG, AGG training is mandatory for employers of all sizes. This article clarifies the legal framework, mandatory content, requirements for online formats, documentation requirements and the interface to the complaints office in accordance with Section 13 AGG.
Whistleblower protection for 50 or more employees: obligation, deadline and reporting point
The Whistleblower Protection Act (HinSchG) requires companies with 50 or more employees to set up an internal reporting office. The article explains the scope, technical requirements, deadlines and fines of up to 50,000 euros.

Load-Securing Officer: Duties under VDI 2700 et seq.
Discover the legal duties of a Load-Securing Officer under VDI 2700 and § 22 StVO. Learn how to legally delegate liability and avoid heavy corporate fines.

Competent Person for Inspecting Cranes, Pressure Equipment and Lifts
Discover the legal duties, training rules, and liability risks for appointing a Competent Person for cranes, lifts and pressure equipment under BetrSichV.
Internal security measures according to Section 6 GwG: Implement obligations operationally
Section 6 of the GwG obliges banks, insurers, goods traders and many service providers to introduce internal security measures. This article explains what the standard specifically requires, which structures are typically missing, how risk management, employee screening and suspicious activity reports are properly documented and when an external money laundering officer makes sense.
Money laundering prevention: What Section 7 GwG really requires of medium-sized businesses
The Money Laundering Act covers far more companies than most management assume. Anyone who is obliged according to Section 2 of the GwG must have an appointed person in accordance with Section 7 of the GwG, due diligence obligations in accordance with Section 10 of the GwG and a suspicious transaction report to the FIU. Audit proof, documented.
External Fire Protection Officer in Germany: Mandate, Duties and Service Model
International companies operating sites in Germany must appoint a Brandschutzbeauftragter when their building permit, insurer or risk profile requires it. An external fire protection officer fulfils that mandate on a service basis. This article explains the legal basis, the duties and the operational model.
Create an escape plan: Obligations according to ASR A2.3 and DIN ISO 23601 are clearly implemented
An escape plan is not a graphic, but a safety measure according to ArbStättV § 4 and ASR A2.3. We show the structure according to DIN ISO 23601, the role of the fire protection officer and how a workspace carries the obligation to update.
Fire protection officer in the office: When the business is obliged to appoint one
Pure offices are not automatically exempt from the order requirement. This article clarifies from which sources the obligation for commercial office space follows, what requirements insurers and building inspectors impose, what qualifications the fire protection officer needs and how the role is managed in a verifiable manner.
AML Officer Services for Financial Institutions in Germany: External Appointment, Scope, Cost
Section 7 GwG requires obliged entities in the German financial sector to appoint a money laundering officer (Geldwaeschebeauftragter). External AML officer services keep the mandate audit-fest under BaFin supervision without expanding the internal headcount.

Aviation Security Officer: Appointment and Duties under LuftSiG
Learn the appointment process, training requirements, and liability risks for Aviation Security Officers under Section 9 LuftSiG in Germany.

Competent Person for Inspecting Ladders, Scaffolds and Storage Systems (§ 14 BetrSichV)
Ensure compliance with § 14 BetrSichV. Learn the legal duties, training requirements, and liability risks for competent persons inspecting German work equipment
Occupational Safety Specialist Services in Germany: A Buyer Guide
International employers operating in Germany must appoint a Fachkraft für Arbeitssicherheit under § 5 ASiG. This guide explains the legal duty, DGUV Vorschrift 2 hours, internal versus external models, and how CIVAC delivers Officer-as-a-Service with audit-ready evidence.
ASA meeting: Minutes template according to Section 11 ASiG with a verifiable structure
According to Section 11 ASiG, the occupational safety committee must meet at least quarterly. The meeting minutes are the central evidence. This article shows the mandatory fields, typical gaps and a testable structure for the template.
Commission an occupational safety service provider: legal basis, selection criteria, ordering method
Occupational safety requires an appointed occupational safety specialist. If you don't employ your own SiFa, you hire an external service provider. This article explains ASiG, DGUV regulation 2, the obligation to order from the first employee, operating times and a clear ordering process from contract to audit evidence.
German Hazmat Officer Services: From Statutory Duty to Auditable Operation
German hazardous substances law is not optional and not waivable. This guide shows how international operators can appoint a qualified officer, document the appointment correctly, and run a hazardous substances operation that holds up under inspection.
Hazardous substances officer: training, duration, costs and duties at a glance
Anyone who stores, uses or transports hazardous substances needs a qualified responsible person. This article explains the legal basis, duration of training, typical content, costs and the alternative of an external hazardous substances officer.
External ISO 9001 Quality Manager in Germany: When to Outsource the QMB Role
An external ISO 9001 quality manager in Germany must meet the same formal appointment requirements as an internal QMB. This article explains role, liability, audit chain and how CIVAC delivers an appointed quality manager with workspace access in 2 business days.

Human Rights Officer under the German Supply Chain Act (LkSG)
Learn the legal duties, qualification criteria, and liability risks of a Human Rights Officer under Section 4 Paragraph 3 of the German Supply Chain Act.

Biological Safety and Infection Control: Biosafety Officer and Infection Control Officer
Understand the German legal requirements, liabilities, and training intervals for Biosafety Officers and Infection Control Officers to protect your business.
TRGS 510 in small businesses: Which storage requirements really apply and from what quantity
TRGS 510 regulates the storage of hazardous substances in portable containers. This article explains the quantity from which which obligation applies, which substances may not be stored together and how a small business keeps the documentation in an audit-proof manner.
Hazardous substances register: Obligations, contents and audit-proof management in accordance with Section 6 GefStoffV
Section 6 of the Hazardous Substances Ordinance requires a list of all hazardous substances used in the company with defined mandatory information. Anyone who keeps the cadastre as an Excel list will fail at the latest when updating it. This article shows what has to go in, how it is managed and what the evidence is in tests.
ISO 14001 Consulting in Germany: Scoping, Implementation, and Audit Preparation
ISO 14001:2015 has 18,000 certified sites in Germany. A consultant either accelerates the path to certification or duplicates work your environmental officer already owns. This guide separates the two and shows what to expect at each stage.
Immission control officer duty: What Section 53 BImSchG operationally requires
Section 53 BImSchG obliges operators of certain systems requiring approval to appoint an emissions control officer. The 5th BImSchV regulates who is covered by the obligation. This article explains the application, tasks, order and audit trail, without official jargon and with reference to the tasks of the environmental protection officer.
Introduce ISO 50001: Energy management system in eight steps to certification
An ISO 50001 system is not an audit, but an ongoing task. Anyone who introduces the standard in eight steps will gain tax advantages, eligibility for funding and verifiable energy controlling. This post provides the operational order.

Pharmaceutical Information and Graded-Plan Officers under the German AMG
Discover the legal duties, qualification criteria, and liability risks for Pharmaceutical Information and Graded-Plan Officers under the German AMG.

Fire Safety Assistants and Evacuation Marshals: Duties under ASR A2.2
Understand your legal duties for fire safety assistants and evacuation marshals under ASR A2.2 and DGUV. Ensure compliance and protect your business.
Environmental representative duty: who has to order, when, with what consequences
The obligation to appoint environmental officers does not arise from a uniform law, but from four special regimes: pollution control, waste, water, dangerous goods. Anyone who operates systems without an order risks fines of up to 50,000 euros per violation.
Germany's Supply Chain Act (LkSG): Obligations, BAFA Enforcement and Operational Playbook
The Lieferkettensorgfaltspflichtengesetz (LkSG) requires German companies above defined thresholds to run human-rights and environmental due diligence across their supply chains. This article maps every operational obligation, the BAFA enforcement model, and the interface with the upcoming CSDDD.
EUDR 2026: Deforestation-free supply chain mandatory for German importers
From December 30, 2026, seven raw materials may only be imported into the EU if deforestation-free production has been proven since December 31, 2020. This article clarifies the due diligence requirements, the distinction from the LkSG, the geolocation requirement and the fines of up to 4 percent of EU turnover.
Supplier audit sustainability: process, obligations and auditable documentation according to LkSG and CSRD
A supplier sustainability audit is not a questionnaire, but a structured process according to LkSG § 7 and CSRD. This article describes the seven phases, the duties of the representatives and how you can document findings and measures in an audit-proof manner.
LkSG reporting obligation: When does it apply to you and how do you fulfil it
Since 2023, companies with 3,000 or more employees, and since 2024 with 1,000 or more employees, have been subject to the LkSG. The annual report to BAFA follows clear deadlines and structures. This guide shows thresholds, components and the path to an auditable reporting practice.
Fire Safety Officer Services in Germany for English-Speaking Companies
International companies operating in Germany must appoint a Brandschutzbeauftragter under § 10 ArbSchG and ASR A2.2. This article explains the legal basis, scope, costs and how CIVAC delivers the role with English-language reporting.

Risk Management Officer: Duties and Organisational Role
Master the duties, legal basis, and liability risks of the German Risk Management Officer under AktG, KonTraG, and StaRUG in this complete guide.

Compressed Air and Explosives: Responsible and Competent Persons
Learn the legal requirements, duties, and fine risks for appointing compressed air and explosives officers in Germany under DruckLV and SprengG.
LkSG report to BAFA: Guidelines for filling out, providing evidence and submitting
The LkSG annual report to BAFA is a mandatory part of the due diligence obligations according to Sections 10 and 12 LkSG. This guide organises the catalogue of questions, shows the most common sources of error and describes an audit-proof workflow from risk analysis to submission.
NIS-2 Implementation Consulting for the Mid-Market: A Twelve-Week Operational Roadmap
Around 29,500 companies in Germany fall under NIS-2. Mid-market firms with 50 to 5,000 employees rarely need another gap analysis. They need an appointed information security officer, an ISMS that produces audit-grade evidence and a tested 24-hour incident path.
IT security officer: role, order and operational reality
The IT security officer combines technical risks with supervisory duties and a reporting line to management. This article shows the tasks, the legal implications, the typical filling questions and how CIVAC makes the role fillable with a platform and officer-as-a-service.
Order ISB: Obligation, suitability, appointment certificate and cost framework
Ordering an ISB has been mandatory for around 29,500 companies in Germany since the NIS 2 Implementation Act came into force. This article explains suitability, scope of tasks, appointment certificate, reporting line and realistic cost framework for internal and external orders.
IT risk analysis according to NIS-2: method, steps and evidence
Section 30 NIS2UmsuCG obliges affected companies to carry out a documented risk analysis. The article describes step by step how to capture, assess and treat assets, threats, protection objectives and risks, including the interface to ISO/IEC 27005.
Occupational Safety Consulting in Germany: Roles, Duties, and the External Specialist
Occupational safety consulting in Germany is regulated by the ASiG, the DGUV Vorschrift 2 and a body of technical rules. This article explains the legal framework, the practical scope of an external safety specialist and how to document the mandate.

Ship Security Officer and Maritime Security under the ISPS Code
A practical guide to the legal duties, training, and liability of Ship Security Officers (SSO) and Company Security Officers (CSO) under German maritime law.

Qualified Electrician and Inspection of Electrical Installations under DGUV V3
Ensure compliance with DGUV V3 and ASR A3.4 by correctly appointing a VEFK and lighting competent person. Avoid heavy management liability and fines.
ADR 2023 from Verkehrsverlag Fischer: content, use, obligations
The ADR 2023, published by Verkehrsverlag Fischer, brings together the European agreement on the transport of dangerous goods by road. The article explains the structure, changes compared to predecessors, transition periods to ADR 2025 and the specific obligations that arise from this for senders, carriers and recipients.
ADR exam questions basic course: What drivers need to know and what protects the entrepreneur
The ADR basic course concludes with 30 multiple-choice questions and is a prerequisite for the transport of dangerous goods above certain quantities according to Section 6 GbV. Anyone who does not systematically document the training environment risks more than just the individual certificate.
Exam questions ADR basic course: structure, topics and operational consequences
The ADR basic course is the basis of every dangerous goods driver certificate according to ADR 8.2. This article explains the structure, typical examination questions, examination mode at the IHK, repetition obligations - and the role of the dangerous goods representative according to the GbV in the background.
UN 1965 in ADR: Liquefied gas transport between class 2.3 and § 23 GGVSEB
UN 1965 means hydrocarbon gas, liquefied, n.o.s. Anyone who loads in Germany falls under ADR Class 2 and Section 9 GGVSEB. We classify the classification, transport documents and duties of the dangerous goods officer.
Dangerous goods officer: Obligation to order, tasks and external solution according to GbV and ADR
As soon as your company transports, packs, loads or ships dangerous goods, the obligation to order in accordance with the Hazardous Goods Officer Ordinance applies. This article explains threshold values, tasks, annual reports, training, liability and the requirements for an external solution in medium-sized companies.
CSRD Double Materiality Assessment Template: Structure, Inputs, Audit Trail
A double materiality assessment is the entry point to CSRD reporting. This article walks through the template structure, the inputs auditors expect, and how to build a defensible audit trail under ESRS 1 and ESRS 2.

Safety Delegate (Sicherheitsbeauftragter): Duties and Appointment under § 22 SGB VII
Learn when and how to appoint a Safety Delegate (Sicherheitsbeauftragter) under § 22 SGB VII and manage occupational health and safety compliance.

Energy Management Officer under ISO 50001 and the German EnEfG
A compliance guide for the Energy Management Officer in Germany under ISO 50001 and EnEfG, detailing thresholds, duties, liability, and software.
Transport of dangerous goods: ADR obligations, exemptions and the role of the dangerous goods officer
Anyone who transports dangerous goods or has them transported is part of a dense network of ADR, GGVSEB and GbV. This article explains classes, exemptions, shipper's obligations and the role of the dangerous goods officer.
ISO 27001 Implementation: A Practical Path Through the 2022 Revision
Implementing ISO/IEC 27001:2022 is not a documentation exercise. It is the construction of an Information Security Management System that produces evidence on demand. This article maps the implementation steps, the 93 Annex A controls, and the typical pitfalls.
ISO 27001 Consulting in Germany: Scope, 2022 Transition, NIS-2 Alignment
ISO 27001 consulting in Germany combines ISMS architecture, 93 Annex A controls and the operational reality of NIS-2, BDSG and BSI guidance. This guide outlines scope, transition timing to ISO/IEC 27001:2022, certification path and where an external information security officer fits.
Statement of Applicability ISO 27001: the template as an audit hinge
The Statement of Applicability is the most important template in the ISMS. Whoever maintains them passes the audit. Whoever copies them stands out in the sample contrast. This guide shows the structure, maintenance and pitfalls of the 2022 version.
BSI IT-Grundschutz vs ISO 27001: Which framework suits your organisation
Both frameworks lead to a certifiable ISMS, but solve different problems. This article systematically compares scope, depth, effort and audit logic and provides a decision-making logic for German medium-sized companies.
CSDDD Consulting: How German Mid-Market Companies Prepare for the EU Supply Chain Directive
CSDDD consulting helps companies translate the EU Corporate Sustainability Due Diligence Directive into operational supply chain processes. This article explains scope, deliverables, the relationship to LkSG, and what a credible engagement looks like.

Radiation Protection: Laser Safety Officer and Nuclear Safety Officer
Learn the legal requirements, qualifications, and operational duties for Laser Safety Officers and Nuclear Safety Officers under German compliance laws.

First Aid at Work: Appointing and Training First Aiders and Works Paramedics
Master Germany's workplace first aid compliance. Learn the exact headcounts, training cycles, and liabilities for first aiders and works paramedics.
DORA Regulation: What the Digital Operational Resilience Act requires of financial companies as of January 17, 2025
DORA has been directly applicable to financial companies and their ICT service providers since January 17, 2025. The article organises the five pillars, the reporting obligations, the supervision of critical third parties and the bridging to ISO/IEC 27001 along the officer tasks.
External CISO: When the virtual security officer is the right model
With NIS-2 and ISO/IEC 27001:2022, the need for strategic security leadership is growing. An external CISO takes on governance, risk and reporting lines to management without having to fill the position internally. This post explains when the model wears and when not.
DORA regulation: Obligations for banks and financial service providers since January 2025
The DORA regulation has been in effect since January 17, 2025. Banks, insurers and securities firms must manage ICT risk, incident reporting, resilience testing and third-party control according to harmonised rules. This post shows the duties in the order in which they are examined.
MSCI World ESG comparison: Which ESG variant fits which reporting requirement?
MSCI offers four ESG variants for the MSCI World alone. Anyone who only makes the comparison based on returns is overlooking the regulatory logic. This article classifies ESG Leaders, ESG Screened, SRI and Climate Paris Aligned according to CSRD, ESRS and SFDR Art. 8 / Art. 9 and shows what this means for your sustainability reporting.
ESG and EU taxonomy: Who has to report what, when and how the representative carries it out operationally
The EU taxonomy defines environmentally sustainable economic activities. The CSRD requires reporting. Who in the company provides the data points? This article organises duties, deadlines and responsibilities along the ESRS.
NIS 2 Compliance in Germany: Operational Playbook for the Information Security Officer
The German NIS 2 transposition will apply to roughly 29,500 organisations. This is the operational playbook for the Information Security Officer: registration, governance training, incident reporting, supplier risk, and the BSI evidence cycle.

Animal Welfare Officer: Appointment and Duties under the German TierSchG
Learn the legal requirements for appointing an Animal Welfare Officer in Germany under TierSchG Section 10 and TierSchVersV. Avoid up to 25,000 Euro fines.

Explosion Protection and Gas Measurement: Officers and Competent Persons
A comprehensive guide to German occupational safety rules for Explosion Protection Officers and Gas Freeing Competent Persons under GefStoffV and DGUV Rules.
The best ESG funds: what they measure and what companies learn from them
Top ESG funds make decisions based on hard data, not image brochures. If a company wants to be included in MSCI ESG Leaders, FTSE4Good or S&P 500 ESG, it needs verifiable evidence according to SFDR, CSRD and ESRS.
MSCI World Small Cap ESG: Index logic, reporting obligations and consequences for German small caps
ESG indices such as the MSCI World Small Cap ESG Screened or the ESG Leaders Small Cap define which small caps can be invested in sustainable funds. Anyone who wants to remain listed as a medium-sized company or listed small cap must systematically document CSRD, EU taxonomy and controversy screening.
Vanguard Global ESG All Cap: What the ETF reveals about ESG obligations for companies
The Vanguard Global ESG Select All Cap UCITS ETF is an investment product. For listed companies and companies seeking capital, it is also an early indicator: What ESG data does the index require? Who's flying out? This article translates the methodology into concrete requirements for ESG officers, CSRD reports and audit evidence.
Classifying Deka ESG funds: What investors and compliance officers should know about the SFDR classification
Deka ESG funds are classified according to the EU Disclosure Regulation SFDR and the Taxonomy Regulation. This article explains the classification according to Articles 6, 8 and 9 SFDR, classifies PAI obligations and shows how companies manage ESG reports in an audit-proof manner.
Classify Deka ESG: What companies derive from the fund field for their own obligations
Those looking for Deka ESG are usually looking for guidance in a crowded regulatory field. This article classifies the ESG structures of large fund providers and shows what obligations this creates for companies required to report, from SFDR to CSRD to the supply chain.

Sales Compliance Officer: Role and Responsibility in Regulated Industries
Understand the duties, appointment rules, and 15-hour training of a German Sales Compliance Officer under VAG Section 48 and GewO Section 34d.

Hazardous-Substance Expertise: Chemical Trade, Asbestos (TRGS 519) and Separators
Learn how to appoint and manage competent persons for ChemVerbotsV, TRGS 519, and separator systems to avoid severe personal liability and 50,000 Euro fines.
DataGuard Alternative for the German Mid Market: A Structured Comparison
Mid-market buyers increasingly look beyond DataGuard for external DPO, ISO 27001 and NIS-2 coverage. This guide explains where the alternatives differ, which capabilities matter under § 130 OWiG, and how to structure a sober evaluation.
Compliance Platform for the German Mid-Market: Workspace Plus Officer-as-a-Service
German mid-market companies face 25-plus mandatory officer roles, NIS-2 reporting windows of 24 and 72 hours, and personal liability for managing directors under § 130 OWiG. A workable platform combines a workspace, audit templates and the option to outsource individual officer mandates.
Audit software: What a solution has to do that can really withstand audits
Audit software is intended to bundle evidence, meet deadlines and convince auditors. This article shows which functions a serious solution brings, which requirements from GDPR, NIS-2 and ISO/IEC 27001:2022 belong in the tool and why CIVAC combines the workspace with an officer-as-a-service.
Reducing compliance costs in medium-sized businesses: How digitalization halves the requirements specification
Compliance costs in medium-sized companies rarely arise from the lawyers and agents themselves, but from duplicate work, Excel lists and missing evidence before the audit. This article shows six concrete levers, hard numbers and an implementation plan for the first 90 days.
CIVAC: The German compliance platform with Officer-as-a-Service
CIVAC is a compliance platform and officer-as-a-service based in Germany. 25 representative roles are live, 37 audit templates are ready for use, the ISMS follows ISO/IEC 27001:2022. EU data residency is standard, not optional.
TISAX Certification Process for Automotive Suppliers: A Practical Roadmap
TISAX is the dominant information security label across the European automotive sector. This guide walks suppliers through the assessment levels, the VDA ISA catalogue, the ENX exchange platform and the typical timeline from gap analysis to label issuance.
Virtual CISO Germany: NIS-2, ISO 27001 and the case for a fractional model
German mid-sized companies face NIS-2, ISO 27001:2022 transition and EU AI Act obligations without a full-time CISO on payroll. A virtual CISO model provides accountable security leadership with documented mandates, board reporting and audit-ready evidence in the workspace.
Officer-as-a-Service: Organise ordering duties as a managed service
Ordering obligations are increasing: GDPR, NIS-2, LkSG, GwG, AGG. Officer-as-a-Service bundles the officer roles in a compliance platform with appointed people, fixed SLAs and audit templates. This article explains the model, its limitations, the cost logic and the interaction with the internal data protection or compliance team.
Book an external representative as a service: Monthly, cancellable, audit-proof
Mandatory representatives no longer have to be purchased for three years. A monthly service model for external DPOs, ISBs, HinSchG reporting offices or fire protection officers combines appointment certificates, workspace and audit templates from the first working day.
Personal data: definition, categories and obligations according to Art. 4 GDPR
The term personal data determines whether the GDPR applies. This article explains the definition according to Art. 4 No. 1 GDPR, the special categories according to Art. 9, the consequences for the directory, AV contracts and reporting obligations - factually, with paragraphs and examples.
Hand Hygiene Day 2022: What lessons remain in practice
Hand Hygiene Day 2022 was held under the WHO motto Unite for safety. We look back at what remains in the hygiene plans, what obligations § 23 IfSG stipulates and how a hygiene officer proves compliance today.
Hygiene in outpatient care: duties, hygiene plan and representative role
Outpatient care services range between household, tour and MDK examination. This article explains the hygiene obligations according to IfSG and state law, the role of the hygiene officer, how to set up a workable hygiene plan and how to provide evidence to supervisors and care insurance companies.
Hygiene in the kitchen: Worksheet, hygiene plan and HACCP mandatory documents according to LMHV
A reliable kitchen hygiene worksheet does not replace a hygiene plan, but it is its operational backbone. This article explains legal obligations, mandatory content and the interface between the training sheet, hygiene plan and HACCP documentation.
Hygiene checklist for old people's and nursing homes: Obligations according to IfSG and MedHygV
A hygiene checklist in old people's and nursing homes is the central inspection and verification form for hygiene officers, home supervision and the health department. This article shows mandatory fields, test intervals and the most common findings according to IfSG and state hygiene regulations.
Hygiene and washing hands in the company: obligations, RKI recommendations, audit evidence
Hand hygiene is the single most important measure for preventing infections in the workplace. This article shows the legal basis from IfSG and ArbSchG, the RKI recommendations, the duties of the hygiene officer and a clear path to audit-proof documentation.
Hygiene in the workplace: from notices to audit-proof hygiene operations
Hygiene in the workplace is more than just soap and dispensers. The obligations come from ArbStättV, BioStoffV and IfSG and require a plan, instruction and evidence. This guide shows the path to verifiable hygiene operations.
Implementing personal hygiene in a legally compliant manner: obligations, training and evidence
Personal hygiene is the first line of defence against contamination, infections and recalls. This article combines IfSG, LMHV and HACCP into an auditable process, shows typical deficiencies in the audit and names the role of the hygiene officer.
Health department hygiene instructions: when, for whom and at what frequency it must be verifiable
The instructions in accordance with Section 43 IfSG are a prerequisite for any activity with perishable food. The article organises initial and follow-up instructions, retention periods, online procedures and the interface to the hygiene officer into a verifiable file.
Health department hygiene training: obligations, evidence and deadlines for companies
From food staff to nursing staff: The health department requires different hygiene training courses with clear legal bases, deadlines and repetition intervals. This article explains what you as an employer have to document and where typical gaps in the audit are noticeable.
Corporate Compliance Program Template for Germany: Structure, Mandate, and Documentation
German law does not prescribe one statutory compliance program, yet § 130 OWiG, the Verbandssanktionengesetz draft, and § 91 AktG converge on the same elements. This template translates the duty of organisational oversight into a workable program structure.
Compliance Officer Services for Mid-Market Germany: A Practical Buyer Guide
Mid-market companies in Germany face the same compliance burden as DAX corporates but rarely have the headcount. This guide covers the legal basis under § 130 OWiG, scope of an external compliance officer, typical price ranges and how to evidence the mandate to auditors and prosecutors.
AI Act Compliance Obligations from August 2026: What General-Purpose and High-Risk Providers Must Deliver
From 2 August 2026, the bulk of the EU AI Act applies. Providers of high-risk systems, deployers in regulated sectors and importers face documentation, monitoring and reporting duties. This article translates the legal text into a working checklist.
One Compliance Platform for All German Officer Roles: A Practical Buyer Guide
German law requires dedicated officers for data protection, money laundering, fire safety, hazardous goods, hygiene, whistleblowing, supply chain and many more. Twenty-five mandates, one platform. This guide explains how that consolidation works.
Compliance officer and data protection officer: roles, duties, separation
Compliance officer (CO) and data protection officer (DPO) sound similar, but are legally two different functions. Anyone who confuses the two roles risks conflicts of interest, incorrect reporting lines and fines under Art. 83 GDPR.
Code of Conduct template for medium-sized companies: structure, obligations, audit trail
A Code of Conduct is not a marketing text, but a mandatory document in the compliance management system. These instructions show which components a medium-sized business code of conduct must actually contain, how you can put it into effect in a legally secure manner and document it in a comprehensible manner in accordance with Section 130 OWiG.
Compliance officer costs 2026: What internal and external models really cost
How much does a compliance officer cost in 2026? We compare permanent employment, external ordering and platform models based on real wage costs, insurance premiums and audit costs. With specific bandwidths for SMEs with 250 employees or more and corporate subsidiaries with up to 5,000 employees.
Compliance in the bank: Duties, roles and auditable evidence according to MaRisk and WpHG
Compliance in a bank is more than a guideline on the intranet. It is an appointed function with clear reporting obligations in accordance with MaRisk AT 4.4.2, WpHG § 80 and GwG. This article shows which obligations apply and how an institution achieves audit robustness operationally.
Compliance rules in the company: obligations, structures and evidence
Compliance rules are not a collection of information sheets, but a verifiable structure of obligations, responsibilities and evidence. This guide organises the most important standards, describes roles and shows how to document regulations in an audit-proof manner.
Compliance training: Obligations, evidence and repetition intervals according to Section 130 OWiG
Compliance training is not a marketing measure, but rather a supervisory obligation according to Section 130 OWiG. The article shows which content is mandatory, how often it has to be repeated and which evidence counts in the audit.
Set up a compliance management system according to IDW PS 980: Seven basic elements, documented in an audit-proof manner
The IDW PS 980 defines seven basic elements for an effective CMS. This article shows how to document culture, goals, risks, program, organisation, communication and monitoring so that an appropriateness and effectiveness test can pass.
GDPR Article 30 Record of Processing: A Template That Survives an Audit
Article 30 GDPR demands a written record of every processing activity, and supervisory authorities ask for it first. This article shows what a defensible template contains, how to maintain it, and how CIVAC operationalises the obligation for internal and external Data Protection Officers.
German Data Protection Officer as an Outsourced Service: A Decision Guide
An outsourced German data protection officer carries the same statutory duties as an internal appointee. This guide explains the legal frame under § 38 BDSG, scope of mandate, expected deliverables, cost ranges, and the evidence trail a supervisory authority will request.
DPO as a Service: External Data Protection Officer under GDPR, Done Right
GDPR Art. 37 forces many controllers and processors to designate a Data Protection Officer. DPO as a Service places a qualified officer plus the documentation engine on a fixed monthly retainer, with German law fully in scope.
Using ChatGPT in Compliance with the GDPR: A Guide for Operations
ChatGPT in operations is feasible if the contractual situation, the roles and the logs are right. This guide shows which GDPR obligations apply, when a DPIA falls due, and what a robust AI policy looks like. With concrete steps, templates and a role that holds it all together.
An Alternative to DataGuard: How German Compliance Platforms Rethink the External DPO
DataGuard delivers external data protection as an advisory service. Other providers rely on pure software. CIVAC combines both in an EU-hosted compliance platform with 25 appointable officer roles and 490 audit templates.
CIVAC vs. Single-Purpose Tools: Comparing Data Protection Automation for German Companies
CIVAC and single-purpose data-protection tools automate data protection processes. The difference lies in the model. This comparison describes the architecture, officer appointment, audit templates, EU data residency and escalation paths under Art. 33 GDPR – factually, without judgement, on the basis of publicly documented functions.
Data Protection Audit: From the Call for an Audit to Verifiable Evidence in 2 Business Days
A data protection audit examines whether your organisation operationally implements Art. 5, 24 and 32 GDPR. We show the structure, the mandatory evidence and the templates with which you close the typical findings yourself before the audit.
Appointing an External DPO: When the External Solution Beats the Internal Post
An external data protection officer is often appointed faster, costs less, and is freer from instructions than an internal solution. This article explains the obligation to appoint under Art. 37 GDPR, market-standard costs, liability questions, and the selection criteria by which you recognise a qualified external DPO.
External Compliance Officer for B2B SaaS in Germany: Roles, Cost, Setup
B2B SaaS founders in Germany face overlapping duties under GDPR, NIS-2, HinSchG, and ISO/IEC 27001:2022. An external compliance officer covers the controls without an internal hire, leaving the engineering roadmap untouched.
EU AI Act: Obligations for High-Risk AI Systems in Practice
The EU AI Act introduces twelve cumulative obligations for providers of high-risk AI systems and four additional duties for deployers. This article translates Articles 8 to 27 into a working compliance routine: risk management, data governance, logging, human oversight, transparency, and conformity assessment.
DPIA: When a Data Protection Impact Assessment under Art. 35 GDPR Becomes Mandatory
Anyone who processes personal data with a high risk owes a data protection impact assessment under Art. 35 GDPR. This article explains thresholds, must-lists, review steps and the role of the data protection officer in the procedure.
TOM Template under Art. 32 GDPR: Structure, Mandatory Fields, Audit-Readiness
A TOM template is not a form to tick off. It is the evidence under Art. 32 GDPR that you have assessed risks, derived measures and reviewed effectiveness. This article shows the mandatory fields, typical gaps and a verifiable structure.
From What Point Do You Need a Data Protection Officer: Thresholds, Obligations, Deadlines
The obligation to designate a data protection officer applies earlier than many management teams assume. This guide shows the Section 38 BDSG thresholds, the GDPR triggers, the consequences of a late appointment and a clean path from assessment to deed of appointment.
The Data Protection Regulation in the Company: From Statutory Text to Demonstrable Evidence
The GDPR does not demand theory but evidence. Anyone who keeps the record, notification path and deed of appointment in order weathers an audit and a data breach calmly. This guide shows the operational path.
Art. 15 GDPR in Practice: Handling Subject Access Requests in a Legally Sound and Timely Manner
Art. 15 GDPR obliges controllers to provide comprehensive information to data subjects within one month. This article explains scope, deadlines, identity verification and exceptions, and shows how to map the process in an audit-proof way in the CIVAC platform.
Outsourced DPO: When an External Data Protection Officer Outperforms an Internal Hire
An outsourced DPO covers GDPR Article 37 duties, breach reporting under Article 33, and evidence files for supervisory authorities. This guide explains scope, cost ranges, and how an external DPO integrates with German labour law and works alongside the information security officer.
GDPR Compliance Software for German Mid Market in 2026: A Practical Buyer Guide
GDPR enforcement against the German Mittelstand has intensified since the federal coordinated audit of 2025. This buyer guide shows what a modern compliance platform must deliver: records, breach pipelines, residency, officer workflows, and signed records of authority.
External DPO in Germany: When You Must Appoint One and How to Do It Properly
Germany has the strictest national rule for appointing a data protection officer in the European Union. This guide explains the legal thresholds, the documentation a supervisory authority expects, and how an external DPO model under CIVAC removes the bottleneck without diluting accountability.
Compliance: Covering All 12 Officer Roles in a Structured Way
Up to twelve officer roles may be simultaneously mandatory in a mid-sized company. Anyone who loses the overview risks fines, audit gaps and management liability. This article shows how all roles can be structured, filled and coordinated.
External Compliance Service Providers in the DACH Region Compared: Criteria, Models, Decision Framework
There are many providers of external compliance appointment in the DACH region – from DPO specialists to generic consultants to cross-role platforms. This article provides structured selection criteria for companies seeking external officers with documentation responsibility.
Alternative to DataGuard for SMEs: Compliance Beyond the DPO
DataGuard is established in the German-speaking market as a DPO platform. For companies that must cover information security, occupational safety, supply chain or other officer roles in addition to data protection, the question arises whether a data protection-focused provider is the right overall solution.
CIVAC Compliance Platform: German Cloud, All 25 Officer Roles, One Workspace
CIVAC is a German compliance platform with EU data residency, ISO/IEC 27001:2022-compliant ISMS and 25 officer roles available live. The article explains architecture, delivery models and the difference from generic GRC suites.
Alternative to Quentic for SMEs in the DACH Region: Which Solution Fits?
Quentic primarily addresses large-scale HSE structures. For SMEs in the DACH region that must operationally manage multiple officer roles, the question arises as to a more precisely tailored approach. This article sets out what matters in the selection process.
CIVAC Platform: 25 Officer Roles at a Glance – Duties, Appointment and Workspace
From Data Protection Officer to Major Hazards Officer: CIVAC maps all 25 statutory officer roles in one workspace. This article explains which roles are mandatory for whom and how the platform structures the appointment process.
Integrated Compliance Documentation: All Officer Roles, One Evidence Path
Anyone managing multiple officer mandates with separate filing systems structurally produces documentation gaps. An integrated evidence path across all roles is not only more efficient – it is the decisive difference in an audit.
AI-Based Risk Analysis in the Compliance Context: Benefits, Limitations and Legal Framework
AI-powered risk analyses can make compliance work significantly more efficient in mid-sized companies. This practical guide explains what to consider technically and legally.
Combining External DPO and ISB: Opportunities, Limitations and Legal Framework
Many mid-sized companies ask whether external DPO and ISB can be combined in a dual appointment. The answer is nuanced: legally permissible, but with conflict-of-interest pitfalls and capacity limits.
Compliance Software for SMEs: German Providers Compared
Compliance software for German mid-sized companies must combine 25 officer roles, EU data residency and audit evidence. This article sets out the criteria that determine the choice of provider.
Implementing a Whistleblowing System: Obligations Under the Whistleblower Protection Act (HinSchG) at a Glance
Since 17 December 2023, companies with 50 or more employees are required to establish an internal reporting office. This guide sets out what is required technically, organisationally and in terms of personnel.
External Compliance Officer for DACH SMEs: Mandate, Costs and Setup
An external Compliance Officer gives SMEs a qualified compliance function without a full-time position. This article explains when the external solution is advisable, what it costs and how collaboration is structured.
External Data Protection Officer: Realistic Cost Assessment for SMEs
An external Data Protection Officer costs German SMEs between €200 and €2,500 per month — depending on company size, processing structure and scope of services. Understanding the cost drivers leads to better negotiations and payment only for what is actually needed.
Employee Data Protection Training Online: Obligation, Content and Evidence
GDPR prescribes no training frequency, but Art. 5(2) requires evidence. Online training for employees meets this requirement — provided the content, certificate and documentation are sound. Here is what to bear in mind.
How to Find an External Data Protection Officer: Criteria, Sources and Selection Process
Finding an external Data Protection Officer is not a Google search, but a selection process with clear quality criteria. This article explains where to look, what to assess and what to insist upon in the contract.
What Does an External Data Protection Officer Cost: Costs, Models, and Calculations
Flat-fee contracts, hourly rates, annual retainers: the pricing models for external Data Protection Officers vary considerably. This article explains which cost drivers actually matter and what to look for when making a comparison.
External Data Protection Officer: Monthly Costs and What the Service Package Includes
The costs for an external Data Protection Officer depend on the size of the organisation, the processing risks, and the scope of service. This article explains the pricing structure, identifies typical monthly flat fees for mid-sized companies, and sets out what to look for when comparing proposals.
Data Protection Officer: Mandatory Appointment, Duties, and Designation Under Art. 37 GDPR
The Data Protection Officer (DPO) is a legal requirement for many organisations. Art. 37 GDPR and § 38 BDSG govern when appointment is mandatory, what qualifications the DPO must bring, and why the external solution is often the more cost-effective choice for mid-sized companies.
General Data Protection Regulation: What Companies Must Concretely Implement in 2026
The General Data Protection Regulation (GDPR) has been directly applicable EU law since May 2018. What obligations this concretely creates for mid-sized companies, what fines are at risk, and how a Data Protection Officer ensures implementation — explained concisely and practically.
Appointing a SiGeKo: Obligations Under the Construction Site Ordinance (BaustellV) and How to Engage the Coordinator with Legal Certainty
Those who build bear responsibility. The BaustellV stipulates when a SiGeKo must be appointed, what qualifications the coordinator must bring, and how the engagement must be documented so that it withstands scrutiny.
Appointing a SiGeKo: Step-by-Step Guide for Clients
A client who must appoint a SiGeKo requires a written letter of appointment, a qualified officer, and a clear documentation structure. This article shows the complete appointment process under the Construction Site Ordinance (BaustellV) – from qualification verification to handover of the health and safety file.
Site Manager VOB (German Construction Contract Procedures) Hourly Rate for SMEs: Cost Range, Influencing Factors, and Calculation
What does an external site manager cost under VOB (German Construction Contract Procedures) for mid-sized businesses? This article explains market-standard hourly rates, remuneration structures under VOB/B, and the cost comparison between classic commissioning and Officer-as-a-Service.
SiGeKo (Construction Site Safety Coordinator): Obligations, Tasks, and Appointment Requirements on the Construction Site
The SiGeKo coordinates occupational health and safety on construction sites involving multiple companies. This article explains the statutory obligation under the Construction Site Ordinance (BaustellV), the core tasks, the qualification requirements, and how clients document the appointment in a structured manner.
Internal Audit: Conducting ISO 9001, 14001, and 27001 in Combination
Those who operate ISO 9001, ISO 14001, and ISO/IEC 27001 in parallel can combine internal audits. This article shows what is normatively required, how an integrated audit plan is structured, and where companies commonly make mistakes.
Audit Management Software: What a Professional Solution for SMEs Must Deliver
Audit management software structures the planning, execution, and follow-up of internal audits. This article shows what functions are indispensable under ISO 9001, 14001, and 27001, and what SMEs should look for when selecting a solution.
Conducting a Supplier Audit: Process, Checklist, and Documentation under ISO 9001
A supplier audit under ISO 9001:2015 follows a clearly defined process. Those who structure planning, execution, and reporting consistently create reliable evidence for quality management and LkSG due diligence.
External Supplier Auditor for SMEs: Requirements and Process
Mid-sized businesses with supply chain obligations under ISO 9001, IATF 16949, or LkSG must audit suppliers systematically. An external supplier auditor closes the capacity gap – provided mandate, qualification, and documentation are in order.
Major Accident (Störfall): Legal Obligations, Appointed Officer, and Prevention at a Glance
Anyone operating an installation with dangerous substances above the threshold quantities in Annex I of the 12th Federal Immission Control Ordinance (12. BImSchV) is subject to strict obligations. This article explains the appointment obligation, task profile, and documentation requirements for the Major Accident Officer.
External Company Doctor: Appointment, Qualification, and Legally Compliant Commissioning under § 3 ASiG
Most mid-sized businesses do not need an employed doctor but a qualified external company doctor. How to commission one in a legally compliant manner, what obligations arise, and what to consider in the service contract.
Company Doctor Costs: What Employers Must Pay and How Prices Are Structured
Company doctor costs vary considerably: from a few hundred euros annually for small office businesses to six-figure sums for manufacturing companies. Those who understand the cost drivers can plan realistically and fulfil § 3 ASiG without budget surprises.
External Company Doctor: Cost per Hour, Flat-Rate Packages and Billing Models Compared
The hourly rate of an external company doctor ranges from €90 to €200 depending on qualification and region. Understanding the billing models avoids surprises on the invoice and ensures legally compliant fulfilment of the obligation under § 3 ASiG.
Finding a Company Doctor: Obligations, Search Strategies and Legally Compliant Appointment
§ 3 ASiG obliges every employer to appoint a company doctor. Many mid-sized businesses do not know how to find a qualified physician or what the appointment requires under law.
Setting Up a Reporting Channel under the Whistleblower Protection Act (HinSchG): A Step-by-Step Guide to a Legally Compliant Reporting Office
The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Companies still not operating a functioning reporting channel are committing a regulatory offence. This guide sets out which steps are required and in what order.
External AGG Complaints Office: Obligations, Structure, and Legally Compliant Appointment
§ 13 AGG obliges every employer to establish a complaints office for discrimination. An external AGG complaints office resolves the independence problem that can structurally burden internal solutions.
Digital Reporting Channel under the Whistleblower Protection Act (HinSchG): Requirements, Software Selection and Operation
The Whistleblower Protection Act (HinSchG) requires companies with 50 or more employees to establish an internal reporting office. A digital reporting channel is the most practical implementation — provided it fully meets the statutory requirements.
External AGG Complaints Office as a Service Provider: Obligations, Process and Appointment
Section 13 of the General Equal Treatment Act (AGG) obliges employers to establish a complaints office for discrimination. External service providers assume this obligation on a contractually secure basis. This article explains the requirements, selection criteria and the CIVAC approach.
Quality Management Software: What a QMS Workspace Must Deliver
Quality management software determines whether a QMS stands up at a surveillance audit or collapses. This article describes which functions are indispensable under ISO 9001:2015 and why a pure document repository is insufficient.
Quality Management Consulting: What an External QMR Delivers and What Matters
Quality management consulting encompasses far more than preparation for an ISO 9001 certification. What services an external QMR delivers, when a consulting engagement is appropriate and how the appointment is structured on a legally sound basis.
ISO 9001 Certification: Process, Requirements and the Role of the QMR
ISO 9001 certification under DIN EN ISO 9001:2015 is a prerequisite for supplier approvals and public contracts in many industries. This article explains the certification process, the requirements for the QMS and the tasks of the Quality Management Officer.
ISO 9001 Certification for SMEs: Process, Costs and Appointment Obligations
DIN EN ISO 9001:2015 requires a formally appointed QMR with documented evidence. This article describes the six-step certification process, realistic cost frameworks for SMEs and explains how an external QMR can be operational through CIVAC within two business days.
Reviewing Obligated Parties under § 2 GwG: Who Falls under the Money Laundering Act
§ 2 GwG contains an exhaustive list of obligated parties. Whether a company falls within scope determines which due diligence obligations, risk analysis requirements, and appointment obligations apply. A structured review protects against unrecognised breaches of duty.
External Money Laundering Compliance Officer: Appointment Obligation, Duties, and Legally Sound Engagement
Anti-money laundering legislation requires numerous companies to appoint a money laundering compliance officer. Those who ignore the obligation risk fines under § 56 GwG. This article explains the appointment obligation, duties, qualification requirements, and the option of external appointment.
Appointing a Money Laundering Compliance Officer (GwB): Obligation, Procedure, and Appointment Deed under § 7 GwG
§ 7 GwG requires a clearly defined group of companies to appoint a money laundering compliance officer. Failure to make the appointment, or a procedurally defective appointment, risks substantial fines. This article explains the procedure step by step.
External Money Laundering Compliance Officer: Annual Costs and What the Appointment Includes
§ 7 GwG requires certain companies to appoint a money laundering compliance officer. Depending on the scope of services, an external officer costs between EUR 2,000 and EUR 15,000 per year. This article explains what must be included in this price — and what is frequently missing.
Supply Chain Due Diligence Act (LkSG): When Does the Obligation Apply and How Are Employees Counted Correctly?
The LkSG has applied since 1 January 2024 to companies with at least 1,000 employees. How the threshold is correctly calculated, what role subsidiaries play, and what companies must do in the year they first exceed it.
LkSG Risk Analysis: Methodology, Structure and BAFA-Compliant Documentation
The risk analysis is the methodological foundation of LkSG compliance. § 5 LkSG prescribes an annual and event-triggered risk assessment — for the company's own business area, direct suppliers and, where there is justified cause, indirect suppliers. Gaps here risk BAFA enquiries and evidentiary shortfalls.
LkSG Software: Mandatory Functions, Selection Criteria and the Officer Evidence Requirement
The Supply Chain Due Diligence Act (LkSG) obliges affected companies to eight due diligence obligations, the evidence for which must be complete before BAFA. LkSG software that only sends questionnaires does not solve the compliance problem — it defers it.
Supply Chain Due Diligence Act (LkSG) Software Compared: What DACH Mid-Sized Companies Should Look For
The LkSG obliges companies with at least 1,000 employees to conduct a systematic risk analysis, maintain documentation and submit a BAFA report. This article examines the decisive software features and what a comparison for the DACH mid-market looks like.
Appointing an Environmental Officer: Obligation, Process and Legally Compliant Letter of Appointment
Any company that must appoint an environmental officer but is unaware of the mandatory prerequisites risks a formal gap that will be identified immediately at the next regulatory inspection. This article provides the complete legal basis.
ISO 14001 Certification: Process, Requirements and Environmental Officer
ISO 14001:2015 requires a documented environmental management system with measurable objectives, internal audits and a named accountability. This article walks through the certification process step by step.
External Environmental Protection Officer for Industrial Operations: Obligations, Services, and Appointment
Industrial operations with installation obligations under BImSchG, water hazard risk, or elevated waste volumes require formally appointed environmental officers. The appointment obligation arises from three different statutes that audit independently of one another.
ISO 14001 Certification: Process, Timeline, and Realistic Cost Calculation
ISO 14001 certification typically takes six to twelve months and costs between 8,000 and 40,000 euros depending on company size. Understanding the process avoids surprises on audit day.
External Fire Protection Officer: Monthly Costs and Decision Criteria
External fire protection officers cost between 200 and 800 euros per month depending on company size and scope of services. Understanding the cost structure enables an informed decision rather than one that conceals liability risks.
Fire Safety Regulations Parts A, B, and C: Structure, Obligations, and Preparation
Fire safety regulations under DIN 14096 are structured in three mandatory parts. Understanding the differences avoids gaps at the next inspection by the fire brigade or professional association.
Preparing Escape and Rescue Plans in Accordance with DIN ISO 23601: Obligations and Practice
ASR A2.3 and the Workplace Ordinance oblige employers to prepare escape and rescue plans and keep them current. DIN ISO 23601 sets the graphic standard. This article explains what is mandatory, what the standard requires, and how the fire protection officer manages the process.
Having the Fire Safety Regulations Part B Drawn Up: Mandatory Content, Standards, and Officer Obligations
Part B of the fire safety regulations is directed at all employees and must be prepared and regularly updated in accordance with DIN 14096. Anyone who prepares it without qualified guidance risks formal gaps that become a liability issue in the event of a fire.
Appointing a SiFa: Legally Secure Appointment in Two Working Days via Officer-as-a-Service
Appointing a SiFa means more than commissioning a service provider. The appointment document must contain the statutory minimum content, qualifications must be verified, and the documentation infrastructure must be in place. CIVAC fulfils all three requirements in two working days.
Finding an Occupational Safety Specialist: Qualifications, Appointment, and the Fast Track
Finding a SiFa means more than placing a job advertisement. Qualifications, industry knowledge, appointment document, and documentation infrastructure must all fit together. This article describes the structured path.
External SiFa: Hourly Costs for SMEs — Market Overview and Alternatives
External SiFas typically charge between 90 and 180 euros per hour in SMEs. Which factors determine the hourly rate, what DGUV V2 requires as a minimum, and how costs can be reduced through a structured approach.
SiFa Software for DGUV Documentation: What Your Workspace Must Deliver
DGUV Regulation 2 mandates deployment hours, inspection reports, and annual plans in writing. Which software structurally meets these requirements — and why a generic tool is not sufficient.
Who Needs a Hazardous Substances Officer in Their Company?
The GefStoffV does not recognise a mandatory role under the title of hazardous substances officer, but does require competent persons for every activity involving hazardous substances. Which companies are affected, which sectors have special obligations and how the role is filled in a legally compliant manner.
Risk Assessment for Hazardous Substances: TRGS 400 Template and Mandatory Requirements
The risk assessment under TRGS 400 is the regulatory foundation of hazardous substance management. A legally compliant template covers all seven mandatory steps — from exposure determination to effectiveness testing. This article explains the structure, documentation obligations and typical errors in implementation.
Hazardous Substance Management Software: Requirements, Functions and Selection Criteria
Digital hazardous substance management does not replace expertise, but it creates the structural conditions for audit-proof documentation. This article explains which functions software must provide and how CIVAC integrates hazardous substance management into a complete officer workspace.
External Hazardous Substances Officer: Obligation, Tasks and Appointment Process
Section 6 GefStoffV requires structured risk assessments and proof of expertise. Companies lacking suitable in-house personnel should appoint externally. This article explains what makes a qualified external hazardous substances officer and how appointment works in a legally sound manner.
Dangerous Goods Transport: Obligations, ADR Rules and Who Must Maintain Oversight
Dangerous goods transport is subject to a dense regulatory framework comprising the ADR, GGVSEB and GbV. This article explains who must observe what, when a dangerous goods officer is mandatory and how documentation can be made audit-proof.
Labelling Dangerous Goods: UN Numbers, Hazard Labels and Vehicle Marking under the ADR
The labelling of dangerous goods is governed in binding terms by ADR Chapters 5.2 and 5.3: packages bear hazard labels and UN numbers, vehicles orange warning panels and large labels. Labelling errors constitute administrative offences under Section 10 GGVSEB for consignors, loaders and carriers.
Transport of Dangerous Goods: Regulations, Classes and Operational Obligations
The transport of dangerous goods is strictly regulated by the ADR, GGVSEB and several supplementary standards. Three key questions arise for companies: what obligations exist for shippers and carriers, what documentation is mandatory, and from what point must a dangerous goods officer be appointed.
ADR Certificate: Obligation, Period of Validity and Renewal at a Glance
The ADR certificate — officially the ADR training certificate pursuant to subsection 8.2.2.8 ADR — is a mandatory document for drivers who transport dangerous goods by road. This article explains the content, period of validity, renewal procedure and the company's documentation obligation.
HinSchG Legislative History: What the Final Act Means for Your Internal Reporting Office
The Whistleblower Protection Act passed through several draft stages before entering into force in July 2023. Understanding the legislative history explains why certain exceptions apply and how companies must set up their internal reporting office in a legally sound manner.
Whistleblower Protection Act (HinSchG): Obligations, Reporting Offices and Implementation
The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Who must establish a reporting office, what requirements apply, what fines are threatened — a structured overview.
HinSchG Current Status: Obligations, Deadlines, and Implementation 2024
HinSchG requires organisations with 50+ employees to operate a compliant internal reporting channel — with confidentiality guarantees, acknowledgement obligations, and a strict non-retaliation regime.
ESG Regulations in the EU: CSRD, Taxonomy, and SFDR Explained
CSRD, EU Taxonomy Regulation, SFDR: the European ESG regulatory package is complex but logically structured. This article explains the three central regulations, their interactions, and what companies must derive from them in practice.
ESG Reporting Obligation: Who Must Report When under CSRD?
CSRD applies in waves based on company size — understanding the 'two of three' criteria and which reporting wave applies is the first step in compliance planning.
ESG Sustainability Report: Obligations, Deadlines, and Implementation under CSRD
From 2025, CSRD applies to large capital-market-oriented companies, and from 2026 to further large companies. The ESG sustainability report follows ESRS standards. Those who are prepared avoid fines and reputational risks.
What ESG Stands For: E, S, and G Explained in a Business Context
ESG stands for Environmental, Social, Governance. What lies behind these three letters, which standards create concrete obligations, and what an ESG Officer must deliver in the organisation — read the structured overview here.
HinSchG: What the German Whistleblower Protection Act Requires from Organisations
The Whistleblower Protection Act (HinSchG) has been in force since July 2023. Organisations with 50 or more employees are required to establish a confidential reporting channel and operate an internal reporting office. Read here what this means in detail.
Hygiene in Healthcare: Legal Obligations, MRSA Prevention, and Documentation Standards
Care facilities bear a special hygiene responsibility: § 36 IfSG, KRINKO recommendations, and state-level residential care laws set clear requirements. MRSA prevention, hand hygiene, and complete documentation are not optional — they are mandatory. What facilities need to know.
Hygiene Training: Legal Obligations, Content, and Operational Implementation
Hygiene training is legally prescribed in Germany — for food businesses, healthcare facilities, and many other sectors. Which standards apply, what must be documented, and who bears the obligation — read the concise summary here.
Institute for Hygiene and the Environment: Tasks, Inspections, and Business Implications
The Institute for Hygiene and the Environment (HU Hamburg) is Germany's largest municipal testing authority. It analyses drinking water, food, and environmental samples. What businesses need to know about official inspections and how a Hygiene Officer maintains the evidence.
Occupational Hygiene: Obligations, Roles, and Structured Implementation
Occupational hygiene is not a recommendation but a statutory mandatory programme. § 36 IfSG, TrinkwV, and KRINKO recommendations define concrete obligations. Which companies are affected and how a Hygiene Officer keeps documentation audit-ready.
Booking a CIVAC Compliance Platform Demo: Process, Preparation, and Next Steps
The CIVAC compliance platform manages all 25 German officer roles in a shared workspace. This article explains what is demonstrated in the demo, how to prepare, and how the platform licence is activated after the session.
CIVAC Officer-as-a-Service: Book a Demo and Appoint Your Officer Within Two Business Days
The CIVAC demo shows the complete Officer-as-a-Service process: appointment instrument, workspace handover, and reporting line in a single live session. This article explains what is shown in the demo, what preparation is useful, and how the appointment process works after the session.
Federal Data Protection Act (BDSG): Obligations, Thresholds, and Its Relationship to the GDPR
The Federal Data Protection Act (BDSG) 2018 specifies the European GDPR for the German legal framework. This article explains the structure, the appointment obligation under § 38 Federal Data Protection Act (BDSG), the fine framework, and the practical consequences for companies with 20 or more persons.
Personal Data: Definition, Categories, and Legal Obligations under the GDPR and the Federal Data Protection Act (BDSG)
Personal data is the foundation of European data protection law. Art. 4 GDPR defines the term broadly — with significant consequences for processing, storage, and DPO appointment. This article clarifies what falls within its scope, which categories trigger heightened protection obligations, and how companies can fulfil their documentation requirements.
ISO 27001 Consultant: What Matters When Selecting, Mandating, and Verifying
An ISO 27001 consultant can significantly accelerate certification preparation — provided they work with the right mandate, verifiable qualifications, and a platform that generates audit-proof documentation.
CISO as a Service: Information Security Leadership Without Full-Time Employment
CISO as a Service delivers strategic IT security leadership on a mandate basis. For companies under NIS-2 or with ISO 27001 obligations, the model is often the more economical alternative to a full-time position.
ISO 27001 Certification for Mid-Market Companies: Costs, Duration, and Savings Potential
ISO 27001 certification costs between €25,000 and €80,000 in mid-market companies — depending on scope, certification body, and self-service proportion. This article breaks down cost drivers and shows where effort can be structurally reduced.
Virtual CISO for SMEs: Monthly Subscription, Immediately Effective
A virtual CISO (vCISO) provides SMEs with strategic IT security leadership and a legally compliant appointment certificate without a full-time position. Monthly subscription, scalable, NIS-2 compliant.
Security Awareness Training: Employee Obligation Under NIS-2 and ISO 27001
NIS-2 and ISO/IEC 27001:2022 require verifiable awareness measures for all employees. Those who carry out training as a mandatory programme without documentation risk audit findings and fines.
External Cyber Security Officer: Monthly Subscription, Instant Appointment
NIS-2 and ISO/IEC 27001:2022 require an appointed Information Security Officer. Those who keep the role external and on a monthly subscription save build-up time, stay scalable, and keep the appointment certificate up to date at all times.
External IT Security Officer as a Service Provider: Scope, Selection, and Contract Design
External IT Security Officers as service providers promise flexibility and expertise without fixed headcount. But not every provider delivers what NIS-2 and ISO/IEC 27001:2022 require. This article explains what to look for in the service agreement, the contract, and the evidence trail.
External IT Security Officer: What Does the Monthly Mandate Really Cost?
Between €800 and €4,500 per month is the range for an external IT Security Officer — but price alone says little about actual scope of services. This article breaks down the key cost drivers and explains what a reliable mandate must cover as a minimum.
Compliance Management Software in the DACH Comparison: What Matters for SMEs
Which compliance software suits a mid-sized company in Germany, Austria, or Switzerland? This comparison shows the criteria to use for selection, which categories dominate the market — and where most tools reach their limits.
What Does an External Compliance Officer Cost? Pricing, Models, and Decision Criteria
An external Compliance Officer costs between €3,000 and €30,000 annually depending on the model — significantly less than a full-time position. This article explains what pricing structure is credible, what must be included in the offer, and which models are suitable for SMEs and mid-sized companies.
Compliance Training for Employees: Annual Obligation, Online Implementation, and Audit-Proof Documentation
Compliance training for employees is not an HR bonus but a core component of the statutory supervisory duty under § 130 OWiG. Anyone who cannot produce training records during a regulatory inspection risks substantial fines. This article explains how to build and document online training in a legally sound manner.
Corporate Compliance: Legal Obligations, Organisational Structure and Operational Implementation
Corporate compliance is not optional for German organisations. § 130 OWiG imposes a personal supervisory duty on management. Those who build a documented compliance management system according to IDW PS 980 create verifiable evidence — and reduce the risk of fines and reputational damage.
External Data Protection Officer: Appointment Obligation, Costs and Selection Criteria
Art. 37(6) GDPR explicitly permits the appointment of an external Data Protection Officer. For SMEs with limited internal resources, this is often the more efficient choice — provided the appointment document is correctly drafted.
Privacy Policy: Mandatory Disclosures, Update Obligations and Structured Accountability
The privacy policy is not a one-off document, but an information instrument that must be continuously maintained. Arts. 13 and 14 GDPR each list 14 mandatory disclosures. If even one is missing, a transparency violation exists. Who bears responsibility and how the maintenance process works.
Corporate Data Protection: Obligations, Structures and Documentation
Corporate data protection encompasses far more than a privacy policy on a website. Controllers must maintain records, meet deadlines and train employees — in an audit-ready and documented manner.
GDPR: Obligations, Deadlines and Fine Risks for Companies – An Overview
The GDPR has applied directly in all EU member states since 25 May 2018. Those who know their obligations, meet deadlines and maintain complete documentation significantly reduce the risk of fines and reputational damage.
Supplier Auditor: Mandate, Methods, and the German Legal Frame
A supplier auditor verifies that vendors meet contractual, regulatory, and ESG obligations. Under the German Lieferkettensorgfaltspflichtengesetz (LkSG), the EU CSDDD, and ISO 19011:2018, the function has moved from optional to evidence-bearing.
ISO 9001 Consulting in Germany: How to Choose, Scope, and Run Engagements
ISO 9001:2015 remains the most common management system certification in Germany. Selecting a consultancy that delivers an audit-ready QMS, not paperwork, is a procurement discipline. This guide covers scoping, fees, deliverables, and the role of a Quality Officer.
External Fire Protection Officer in Germany: Mandate, Duties and Service Model
International companies operating sites in Germany must appoint a Brandschutzbeauftragter when their building permit, insurer or risk profile requires it. An external fire protection officer fulfils that mandate on a service basis. This article explains the legal basis, the duties and the operational model.
Occupational Safety Specialist Services in Germany: A Buyer Guide
International employers operating in Germany must appoint a Fachkraft für Arbeitssicherheit under § 5 ASiG. This guide explains the legal duty, DGUV Vorschrift 2 hours, internal versus external models, and how CIVAC delivers Officer-as-a-Service with audit-ready evidence.
German Hazmat Officer Services: From Statutory Duty to Auditable Operation
German hazardous substances law is not optional and not waivable. This guide shows how international operators can appoint a qualified officer, document the appointment correctly, and run a hazardous substances operation that holds up under inspection.
ISO 14001 Consulting in Germany: Scoping, Implementation, and Audit Preparation
ISO 14001:2015 has 18,000 certified sites in Germany. A consultant either accelerates the path to certification or duplicates work your environmental officer already owns. This guide separates the two and shows what to expect at each stage.
Germany's Supply Chain Act (LkSG): Obligations, BAFA Enforcement and Operational Playbook
The Lieferkettensorgfaltspflichtengesetz (LkSG) requires German companies above defined thresholds to run human-rights and environmental due diligence across their supply chains. This article maps every operational obligation, the BAFA enforcement model, and the interface with the upcoming CSDDD.
NIS-2 Implementation Consulting for the Mid-Market: A Twelve-Week Operational Roadmap
Around 29,500 companies in Germany fall under NIS-2. Mid-market firms with 50 to 5,000 employees rarely need another gap analysis. They need an appointed information security officer, an ISMS that produces audit-grade evidence and a tested 24-hour incident path.
ISO 27001 Implementation: A Practical Path Through the 2022 Revision
Implementing ISO/IEC 27001:2022 is not a documentation exercise. It is the construction of an Information Security Management System that produces evidence on demand. This article maps the implementation steps, the 93 Annex A controls, and the typical pitfalls.
ISO 27001 Consulting in Germany: Scope, 2022 Transition, NIS-2 Alignment
ISO 27001 consulting in Germany combines ISMS architecture, 93 Annex A controls and the operational reality of NIS-2, BDSG and BSI guidance. This guide outlines scope, transition timing to ISO/IEC 27001:2022, certification path and where an external information security officer fits.
DataGuard Alternative for the German Mid Market: A Structured Comparison
Mid-market buyers increasingly look beyond DataGuard for external DPO, ISO 27001 and NIS-2 coverage. This guide explains where the alternatives differ, which capabilities matter under § 130 OWiG, and how to structure a sober evaluation.
Compliance Platform for the German Mid-Market: Workspace Plus Officer-as-a-Service
German mid-market companies face 25-plus mandatory officer roles, NIS-2 reporting windows of 24 and 72 hours, and personal liability for managing directors under § 130 OWiG. A workable platform combines a workspace, audit templates and the option to outsource individual officer mandates.
NIS-2 Implementation in Germany: What Management Boards Need to Know in 2026
Germany's NIS2UmsuCG tightens BSIG duties for essential and important entities, with personal management liability, a staggered incident-reporting clock, and a vastly expanded sector catalogue. An overview for boards and managing directors.
EU AI Act: Compliance Obligations for Enterprises From August 2026
On 2 August 2026, the main application date of Regulation (EU) 2024/1689 kicks in. Any organisation that develops, distributes or deploys high-risk AI needs a risk-management system under Art. 9, data governance under Art. 10 and human oversight under Art. 14, and AI-literacy training for every employee working with AI.
ISO/IEC 27001:2022, Transition From 2013 and What Must Happen by October 2026
The transition window to ISO/IEC 27001:2022 has closed. Certifications still running on the 2013 version lost their validity on 31 October 2025. A structured look at the new controls, themes, and the non-negotiable re-certification on the current standard.