77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Code of Conduct template for medium-sized companies: structure, obligations, audit trail
Governance & Compliance

Code of Conduct template for medium-sized companies: structure, obligations, audit trail

2 June 202612 min readBy Dr. Henrik Bauer
CIVAC

A Code of Conduct is not a marketing text, but a mandatory document in the compliance management system. These instructions show which components a medium-sized business code of conduct must actually contain, how you can put it into effect in a legally secure manner and document it in a comprehensible manner in accordance with Section 130 OWiG.

Since the reform of Section 130 OWiG, supervisory authorities and insurers have required medium-sized companies to have a documented compliance management system. The Code of Conduct is the highest reference document on which guidelines, training and sanctions are based. Anyone who adopts a generic template from the Internet risks formal deficiencies in audits, supplier inquiries according to Section 4 LkSG or ISO 27001:2022 certifications.

These instructions describe the structure, implementation and documentation of a code of conduct suitable for medium-sized businesses. You will receive a structural overview with twelve mandatory modules, a recommendation for formal approval by management and information on audit-proof filing. The article is aimed at managing directors, compliance officers and human resources managers in companies with between 50 and 1,500 employees.

Key Takeaways

  • A Code of Conduct must be formally implemented by the management and provided with a date, version and signature, otherwise it has neither binding nor exculpatory effect in accordance with Section 130 OWiG.
  • Twelve building blocks are mandatory in medium-sized companies: scope, basis of values, anti-corruption, antitrust law, data protection, information security, supply chain, ban on discrimination, whistleblower channel, sanctions, implementation, revision clause.
  • The code of conduct must be linked to the internal reporting office according to the HinSchG, the ISMS and the supplier evaluation so that audits have a consistent track.

Why a template alone is not enough

A PDF template from the Internet does not meet three requirements: It is not tailored to the company's risk profile, it is not formally implemented, and it is not linked to training, reporting channels and sanctions grids. According to Section 130 OWiG, supervisory authorities assess whether the company has taken the supervisory measures required under the circumstances. A code of conduct that is not practiced is more likely to be a burden than a relief in the fine proceedings.

Medium-sized companies also underestimate the supplier perspective. Anyone who works as a supplier for DAX companies or public clients receives questionnaires on compliance maturity. These questionnaires not only check whether a Code of Conduct exists, but also its versioning, implementation, training quota and interlinking with the supply chain due diligence obligation according to LkSG. A generic template regularly fails here.

The code of conduct should therefore be treated as an operational document, not as an image brochure. The task of a compliance officer is to review the code annually, translate incidents into sanction decisions and enforce the training requirement for new employees. Without this care, the code remains a document without evidentiary value.

The twelve mandatory modules at a glance

A code of conduct suitable for medium-sized businesses contains twelve sections. The first building block is the scope. This determines which companies, locations, employee groups and business partners the code is binding for. Subsidiaries abroad must be explicitly mentioned, as should temporary workers and interns.

The second building block is the basis of values. Integrity, legal compliance and respect are succinctly formulated here. The following are the technical obligation chapters: anti-corruption with reference to Sections 299, 331 StGB, antitrust law according to GWB, data protection according to GDPR, information security according to ISO/IEC 27001:2022, supply chain care according to LkSG, anti-discrimination according to AGG and occupational safety.

The ninth building block is the whistleblower channel according to HinSchG with reference to the internal Reporting office. This is followed by a sanctions grid that ranges from verbal warnings to immediate termination and supports the steps with example cases. The eleventh component is the entry into force by the management with a date and signature. The twelfth building block is the revision clause, in which the annual review is anchored.

These twelve building blocks form the framework. Depending on the industry, extensions are added, such as export controls, sanctions list checks or money laundering prevention. What is important is that each obligation is backed up with a concrete rule of conduct and an escalation path.

Scope, language and addressees

Scope is the most common weak point in medium-sized codes of conduct. Anyone who only addresses the parent company creates gaps in subsidiaries, joint ventures and investments. The recommendation is to list all consolidated companies by name and to add a self-commitment clause for non-consolidated investments.

Language and target group must also be precisely defined. The code must be made available in the working language of the respective workforce. For international locations, a German version is not sufficient. English is the minimum standard; further translations depend on the workforce structure. It is important that all language versions are versioned and refer to the same German master version.

The recipients are not just permanent employees. The code also binds management, the supervisory board, working students, interns, temporary workers and, in a graduated form, suppliers. Suppliers usually have their own Supplier Code of Conduct, the content of which is derived from the internal code. The dovetailing is important: Anyone who demands anti-corruption in the internal code must reflect the same requirement in the supplier code and query it in the LkSG supplier evaluation.

The management should declare in writing that they bind themselves and all managers to the code. This self-binding clause increases credibility and is an indication of relief in fine proceedings.

Implementation, versioning, archiving

The formal entry into force separates an effective code of conduct from a non-binding draft. Three elements are mandatory: date, version number and signature of the management. In the case of multi-person management, all managing directors sign, but at least the person responsible for compliance according to the business distribution plan.

Versioning is carried out according to a comprehensible scheme, such as v1.0 (first edition March 1st, 2026) or v1.1 (supplement to HinSchG July 1st, 2026). Each new version replaces the previous one, but the older version is not deleted but rather archived in an audit-proof manner. During the audit, it must remain traceable which version was valid at which point in time and which incidents were processed under which version.

Archival takes place in a system with access protection, version history and deletion lock. A normal network drive is not enough, as changes can be made there without a trace. The CIVAC Compliance Platform and Officer-as-a-Service offers a workspace with audit-proof storage, version management and audit log. The appointment certificate, signed, filed, verifiable. The retention period is at least ten years, correspondingly longer in regulated industries.

The entry into force must also be communicated to the workforce. Simply publishing on the intranet is not enough. A combined communication consisting of e-mail to all employees, display in the personnel files and mandatory initial training within four weeks of entry into force is recommended.

Training, confirmation, training quota

A code of conduct only has an impact if the recipients are aware of it. The training requirement is therefore an integral part of the implementation. We recommend an initial training course of 30 to 45 minutes, which is integrated into the onboarding process, as well as an annual refresher course of 15 to 20 minutes.

The training must be documented. Each employee confirms in writing or digitally that they have read the code and its essential obligations. This confirmation is stored in the personnel file or in the compliance workspace. Without confirmation, the code is deemed not to have been received in the event of a dispute, which makes sanctions more difficult.

The training rate is the central key figure. It is collected quarterly and reported to management. A rate of less than 95 percent in annual training needs to be explained in the audit. New entrants must be trained within the probationary period, but no later than 90 days. For managers, an in-depth training course of 90 minutes is useful, which also covers anti-corruption, antitrust law and supervisory obligations according to Section 130 OWiG.

The training content should use case studies from your own business. Generic e-learning modules with no industry reference create click fatigue and no change in behaviour. The evaluation is carried out through a learning success control with at least five questions, the passing rate of which is documented.

Interlocking with HinSchG, ISMS and supplier evaluation

The Code of Conduct does not stand in isolation. It is linked to the internal reporting office according to HinSchG, the information security management system according to ISO 27001:2022 and the supplier evaluation according to LkSG. These three interlockings are the most common test points in the audit.

The internal reporting office according to HinSchG must be explicitly mentioned in the code, including the contact channels and the protection guarantees for whistleblowers. Violations of the Code are a typical subject of reporting. Anyone who conceals the reporting channel in the code runs the risk of information going externally to the authorities because the internal contact point is unknown.

The integration with the ISMS affects the data protection and information security chapters. The code refers to the information security guidelines and the 93 controls according to ISO/IEC 27001:2022. However, specific requirements for passwords, mobile devices and cloud usage do not belong in the code, but in the subordinate guidelines.

The integration with the supplier evaluation takes place via the Supplier Code of Conduct and the risk analysis in accordance with Section 5 LkSG. Suppliers sign the Supplier Code and their self-disclosure is included in the annual risk analysis. Anomalies are reported via the same reporting channel that is also open to internal reports. This creates a continuous trace from the securities to operational supplier management.

Sanctions grid and consequences

A code of conduct without a sanctions framework cannot be enforced. The grid must describe the range of possible violations and their consequences. A four-stage model is recommended: verbal warning, written warning, transfer or withdrawal of function, termination without notice. In the case of criminally relevant violations, a criminal complaint is added.

The assignment of violation to sanction must be described as an example, not conclusively. A minor violation of the gift policy will result in a warning, while deliberately incorrect time recording over several months will justify immediate termination. It is important that the grid is applied consistently. Unequal treatment undermines the credibility of the entire compliance system.

The sanction decision is documented. Who decided, on what basis, with what result. These decisions must be filed in the compliance workspace and linked to the original report. In the audit, the sanctions statistics show whether the company is actually pursuing violations. A statistic without a single incident in three years requires explanation because it indicates a weak reporting culture rather than a clean workforce.

The management must not be excluded from the sanctions grid. Violations by management must be dealt with by the supervisory board or an external auditor. This clause is unusual in medium-sized companies, but is a clear signal of credibility in the audit.

Annual review and adjustment

A code of conduct is not a one-off project, but a living document. The annual review is anchored in the audit clause and is the responsibility of the compliance officer. It includes three steps: comparison with new laws, evaluation of incidents from the previous year and adaptation to business model changes.

New laws from the previous year must be systematically examined. In 2026, this applies in particular to the implementation of the NIS 2 directive, the transition to ISO 27001:2022 and the first obligations from the EU AI Act. Where new obligations affect the Code, an addition is required. Where existing obligations are tightened, a clarification in the subordinate directive is often sufficient.

The incident evaluation provides the most important information about gaps. If three incidents of the same type occurred, either a rule, training, or control point is missing. The evaluation is reported to the management and results in concrete measures.

Business model changes are the third reason for adjustments. A new foreign business requires a sanction list check, a new sales channel can trigger new corruption risks, an acquisition brings with it foreign cultures and legacy issues. The review is recorded and the protocol is filed with the date and signature. Others run compliance like a filing cabinet. We run it like software.

From document to compliance system

A Code of Conduct is the visible tip of a compliance system. Sustainability only arises through integration with training, reporting channels, sanctions grids and supplier management. Medium-sized companies rarely fail because they want to, but because they have the capacity to maintain all of these building blocks in parallel and document them in an audit-proof manner.

CIVAC is a compliance platform and officer-as-a-service with EU data residency. The workspace bundles 490 ready-to-use audit templates, a versioned policy archive, an integrated reporting channel according to the HinSchG and the reporting line to management. Licence the workspace for your internal representatives, or have our representatives order it. In the second model, CIVAC takes on the role of external compliance officer with an appointment certificate, reporting line and a response time of two working days.

The auditor calls, the evidence is ready. Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de. In the initial consultation, we will clarify whether the licence solution or the officer appointment fits the size of your organisation and provide you with the code of conduct template as a starting point.

FAQ

Is a PDF template from the Internet sufficient as a Code of Conduct?

No. A generic template is neither tailored to your risk profile nor formally implemented. In the fine procedure according to Section 130 OWiG, a code that is not lived is more of a burden than a relief. You need an adapted version with entry into force, training and reporting channel.

Who has to sign the code of conduct?

The management formally implements the code. In the case of multi-person management, all managing directors sign, but at least the person responsible for compliance according to the business distribution plan. A self-binding clause from management significantly increases credibility in the audit.

How often does a Code of Conduct have to be revised?

At least annually. The review includes new laws, evaluated incidents and business model changes. The revision clause in the code itself sets this rhythm. Each adjustment increases the version number and the older version is archived in an audit-proof manner.

Do suppliers have to sign the internal code of conduct?

Suppliers usually sign a Supplier Code of Conduct, the content of which is derived from the internal code. The core obligations regarding anti-corruption, human rights, occupational safety and the environment must be identical. The LkSG risk analysis is based on this.

How do I connect the Code to the whistleblower channel?

The code names the internal reporting office according to the HinSchG with contact channels and protection guarantees. Violations of the Code are a typical subject of reporting. Without a visible internal contact point, information goes directly to the authorities, which accelerates the escalation spiral.

What training rate is acceptable in the audit?

At the annual refresher, at least 95 percent of the workforce should be trained. New entrants receive initial training within 90 days. Lower rates require explanation in the audit and are considered an indication of a weak compliance system.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles