77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Compliance consulting 2026: When the workshop is enough and when a representative has to take over
Governance & Compliance

Compliance consulting 2026: When the workshop is enough and when a representative has to take over

21 June 202613 min readBy Dr. Henrik Bauer
CIVAC

Compliance consulting often promises strategy and delivers PowerPoint. This article explains which form of delivery fulfils which obligation, how you differentiate between consultants, platforms and agents and how you measure audit robustness.

Compliance advice in Germany is rarely ordered as a requirement, but rather as a reaction: an audit is pending, an incident has happened, a major customer requires ISO/IEC 27001:2022 as a supplier criterion. The market responds to this with three very different delivery forms that are often used synonymously in sales. Classic consultants provide strategy and concepts. Software providers provide tools. Officer-as-a-Service models provide an appointed person with an appointment certificate, reporting line and liability coverage. Anyone who confuses these three forms of delivery is buying advice when an agent is required, or vice versa. The result is regularly double purchasing, an open obligation and a risk of fines according to Section 130 OWiG, which quickly reaches double digits within the group.

This article sorts the market according to the obligations that lie behind the keyword compliance. You will find out which form of delivery covers which requirements from the GDPR, NIS-2, GwG, HinSchG, LkSG, AGG, ISO/IEC 27001:2022 and Section 130 OWiG, how you can check the content of an offer and how you can tell whether the service can be proven in the audit at all. The answer is rarely either/or. It is usually: concept phase as consultation, continuous operation via platform or external representative. Here you can read when which mix makes sense, which cost items should be honestly calculated and where exactly the transition to CIVAC as a compliance platform and officer-as-a-service lies. The end result is a practical decision-making framework that you can compare directly with an offer.

Key Takeaways

  • Compliance consulting in the narrower sense provides the concept and roadmap, not the continuous operation. For continuous operation, a platform plus a designated representative is required.
  • A PowerPoint concept without an appointment certificate, without a reporting line and without a verification structure does not fulfil the § 130 OWiG obligation and does not pass an audit.
  • Licence for internal officers or external officers as an order. Both models run in the same workspace and remain auditable on EU data residency.

What compliance consulting actually includes and what it doesn't

In German practice, the term compliance consulting covers three very different services. The first is strategic consulting, in which an external provider takes stock, identifies gaps and designs a roadmap. This phase usually ends with a written risk analysis, a list of measures and a gap evaluation against specific standards such as ISO/IEC 27001:2022, the GDPR or the AMLA. The second service is implementation support, in which guidelines are written, processes are modelled and training courses are set up. The third service is ongoing operations with a designated representative, reporting line to management and obligation to document. In many offers, these three services are sold under a uniform term without it being stated in the contract which of them is actually part.

Only the third level materially covers the requirements of Section 38 BDSG, Section 7 GwG, Section 12 HinSchG or Section 130 OWiG. A consulting project alone does not fulfil an appointment requirement because no person is formally named and no reporting line has been established. Anyone who is sold a consulting mandate as a replacement compliance officer should check whether an order including an appointment certificate is agreed in the contract. At CIVAC, the separation is explicit: strategy consulting is project work, the external compliance representative is an ongoing mandate with an appointment, reporting line and audit trail. Beide Bausteine können kombiniert werden, sie sind aber nicht austauschbar. This distinction prevents you from purchasing concept work twice and leaving obligations unanswered. The first question in every offer review should therefore be which of the three services with which number of hours, which person and which documented result is actually included and which is optionally offered as an additional module.

Duties as a driver: Which standard requires what

Compliance advice begins with the question of which standard specifically triggers which obligation. Section 38 BDSG requires a data protection officer for at least 20 people who are constantly involved in the automated processing of personal data. Art. 37 GDPR supplements this with the obligation for regular systematic monitoring or extensive processing of special categories. NIS-2 obliges around 29,500 companies in Germany to appoint a body responsible for information security, for risk analysis and for 24-hour early warning with 72-hour follow-up notification. Section 7 GwG requires obligated parties to have a money laundering officer and deputy. Section 12 HinSchG requires an internal reporting office for 50 or more employees, with documented confidentiality and response deadlines. In the event of violations, fines are levied based on group sales.

The LkSG involves companies with 1,000 or more employees in a risk analysis of the supply chain with human rights officers. The EU-CSDDD will extend this obligation to more companies from 2027. Section 130 OWiG sanctions violations of supervisory obligations with fines of up to 10 million euros. Each of these regulations has its own trigger, order path and reporting requirement. Eine seriöse Compliance-Beratung listet diese Pflichten zuerst auf, gleicht sie mit Ihrer Mitarbeiterzahl, Branche und Verarbeitungstiefe ab und benennt erst dann konkrete Rollen. Anyone who works without this matrix sells effort that does not fit the obligation. CIVAC provides the matrix in the form of 25 representative roles and 490 audit templates, which are assigned directly in the workspace. A lawyer briefing on the GDPR does not replace this structured assignment. The matrix is ​​also the basis for budget planning because it shows which duties are covered internally, externally or through a platform and where there is duplication of work. Only after this clarification does the selection of the form of delivery begin.

Three delivery forms in direct comparison

The market offers three forms of delivery that are billed differently and cover different obligations. Classic compliance consulting is provided on a daily rate basis, usually between 1,200 and 2,400 euros per consulting day. A complete ISMS development project according to ISO/IEC 27001:2022 often takes between 40 and 120 consulting days over 9 to 18 months. Software licences for compliance platforms cost between 6,000 and 60,000 euros per year in the DACH region, depending on the scope of modules, number of users and audit connection. Officer-as-a-Service is usually billed as a monthly mandate fee, often between 600 and 2,800 euros per month per role, with a clear lower hour limit and documented availability within agreed response windows.

The crucial question is not the price, but the auditability. A consultation alone produces recommendations, but not an appointment certificate. Software alone provides templates, but not an appointed person. Officer-as-a-Service delivers both: order, reporting line and ongoing activity. CIVAC consistently works with dual logic: Licence the workspace for your internal representatives, or have our representatives order it. Both variants run in the same system, with the same 490 audit templates and the same EU data residency. The SLA for taking on a mandate is 2 working days instead of the classic 2 to 6 weeks that a selection process for external consultants typically takes. In the event of an incident, this time difference determines whether the 72-hour deadline is adhered to. Others run compliance like a filing cabinet. We run it like software. If you only look at the daily rates when comparing, you will overlook the follow-up costs from tool lock, lack of replacement and non-transferable evidence that will arise the next time you change provider. A reliable comparison therefore does not compare the list price, but rather the total cost of compliance per obligation over at least two contract years.

When external compliance advice makes economic sense

External compliance advice is worthwhile in four clearly definable constellations. Firstly, when setting up a new company or entering a regulated market, when the basic structure is missing and there is neither experience nor capacity internally. Secondly, when preparing for an initial certification, such as ISO/IEC 27001:2022 or TISAX, where the gaps must be systematically closed. Thirdly, after a specific incident that requires a forensic investigation and at the same time the hardening of the processes. Fourth, in a transaction where due diligence must demonstrate compliance maturity in the data room. In all four cases, the advice is limited in time, has a defined end state and ends with a documented handover to permanent operation.

In all other cases, external advice is rarely efficient as a permanent solution. Recurring operations, i.e. reports, training, annual risk analysis, supplier checks, audit preparation, are routine and belong to a platform or to a designated representative. Anyone who continues to work here on a daily rate pays for waiting times and handover costs. The rule of thumb is: concept phase as advice, continuous operation as licence or mandate. CIVAC cleanly separates these phases. The relevant roles are selected during onboarding, after which either an internal officer with licence access or an external data protection officer with an appointment certificate takes over. The daily rates for ad hoc advice remain available, but are not the default mode. This separation usually reduces the overall costs by 30 to 50 percent compared to a purely advisory model with the same mandatory scope. Just as important: The transition from the concept to the operational phase takes place without data migration because the same workspace system continues to be used.

Selection criteria for a compliance consultant or representative

Anyone who checks an external provider should systematically query seven criteria. First: What specific role is filled, with what appointment document, with what reporting line to management? Secondly: What formal qualifications do you have, such as ISO/IEC 27001 Lead Auditor, data protection expertise in accordance with Article 37 of the GDPR, AMLA expertise in accordance with Section 7 Para. 5 of the AMLA? Thirdly: What liability does the provider assume, to what extent and with what financial loss liability? Fourth: Where is data processed and does the EU data residency principle apply? Fifth: What is the response time in the event of an incident? Is there a documented SLA for the 24-hour early warning according to NIS-2 or the 72-hour notification according to Art. 33 GDPR? These five criteria clarify the mandatory level and distinguish a reliable mandate from a pure consulting offer.

Sixth: Which templates and evidence are included, are they versioned, and are they in plain text in the workspace, not in a consultant's own tool that disappears after the end of the contract? Seventh: What handover logic applies at the end of the mandate; can orders, reports and audit trails be continued without data migration? CIVAC answers these questions explicitly in the appointment certificate and in the mandate contract. The appointment certificate, signed, filed, verifiable. The 490 audit templates are versioned, the reporting line is mapped in the system, and the workspace remains under the client's control even if the operational representative changes. A provider who cannot guarantee one of these seven criteria in writing will not be included in the final round of selection. It is also worth taking a look at references from comparable industries as well as the scope of the substitute regulation, because a single external representative cannot maintain the 24-hour early warning without backup in the event of illness.

Establish or sharpen a compliance management system

A compliance management system according to IDW PS 980 or comparable standards consists of seven elements: culture, goals, risks, program, organisation, communication, monitoring. A reputable compliance consultancy anchors these seven elements in a documented form, not as a diagram. The risk analysis is carried out in a sector-specific manner, for example with a focus on corruption in accordance with Section 299 of the Criminal Code for sales organisations, data protection in processing activities, money laundering for obligated parties within the meaning of Section 2 GwG, sanctions in foreign trade. The organisation determines who is the representative, who acts as representative, how the reporting line is structured and how the supervisory body is informed. In addition, there is a clear escalation matrix so that incidents do not get stuck in mailboxes.

The program consists of guidelines, training, whistleblower channel, supplier checking and sanctions list comparison. Monitoring is carried out via internal audits, key figures and a documented follow-up register. Anyone who starts and ends with PowerPoint slides will have a problem in the test case. Audit-proof, documented, Section 130-proof. In the CIVAC workspace, the seven elements are displayed as a module structure, with the 490 templates, the 93 controls according to ISO/IEC 27001:2022 and a version history that logs every change. The auditor calls, the evidence is ready. Building a CMS in this structure typically takes 8 to 14 weeks instead of the classic 9 to 18 months because templates, roles and reporting lines do not have to be reinvented every time. Anyone who sharpens an existing CMS also benefits from the fact that the platform automatically displays gaps in the 93 controls and links the measures with those responsible and deadlines. This logic replaces the typical Excel table for tracking measures and at the same time provides the database for the report to management and the supervisory body.

Costs honestly calculated: consulting days, licence, mandate

An honest cost accounting takes six items into account. Firstly, the one-off concept costs for gap analysis, risk analysis and roadmap, 8 to 40 consulting days depending on the scope. Secondly, the ongoing personnel costs for the representative, internal or external. A full-time internal data protection officer costs 75,000 to 110,000 euros per year including additional wage costs; an external appointment costs between 7,200 and 33,600 euros per year, depending on the size of the company. Thirdly, the training costs for the workforce, usually 25 to 80 euros per person per year. Fourth, the audit costs for external certifications, around 8,000 to 25,000 euros for an initial ISO/IEC 27001 certification. These four items can be written down individually for each obligation.

Fifth, the tool costs for the compliance platform, in the DACH region between 6,000 and 60,000 euros per year. Sixth, the internal costs for governance, workshops and reporting lines, which are often underestimated. These six items result in the total cost of compliance per obligation. With the dual CIVAC logic, items 2 and 5 are combined in one contract: Licence the workspace for your internal representatives, or have our representatives order it. In both cases, there is no need to purchase tools separately and the SLA is taken over in 2 working days. Item 1 can often be reduced by 40 to 60 percent because the 490 templates shorten the concept phase. This invoice can be verified based on the specific representative roles of your company before the contract is concluded. Once you have clearly written down the total cost of compliance, you can quickly see where a classic consulting mandate is overfinanced and where a platform logic with officer-as-a-service is structurally cheaper.

Risks in the consulting project and how to avoid them

Four risks regularly arise in classic compliance consulting projects. Firstly, the concept risk: The roadmap is available after 6 months, implementation is waiting for internal capacity, the second phase does not start. The days invested are wasted because templates become outdated and regulations change. Secondly, the tool lock risk: consultants use their own tools that cannot be handed over after the end of the mandate, the client starts all over again with the next provider. Thirdly, the personnel risk: The representative leaves the company or the consultant, the mandate stands still, but the 72-hour period according to Art. 33 GDPR still runs. These three risks often come together in a single incident in which several weak points become visible at the same time.

Fourth, the liability risk: The consultant's liability is capped in the contract; in the event of damage, the management remains personally responsible in accordance with Section 130 OWiG. These four risks can be mitigated structurally. If the concept runs in the same system in which continuous operation will later take place, there is no handover gap. If the external representative is organised via a platform with a replacement arrangement, the mandate will not be canceled in the event of a change in personnel. Wenn die Vorlagen versioniert im Workspace liegen, übersteht das Audit auch einen Anbieterwechsel. Deadline begins as soon as we become aware of it. CIVAC uses this logic consistently across the EU data residency and reporting line in the system. An additional change of provider does not mean a reset. The appointment certificate is re-signed, the templates, risk analyses and audit traces remain. This shifts the risk situation away from the individual consultant towards an institutionalized structure that remains sustainable even the next time the operational person changes.

From the advisory offer to the appointment certificate

Compliance advice ends either in a concept or in an order. Both paths have their place, but they have different consequences for obligations, costs and auditability. Anyone who buys a concept is buying orientation. When you purchase an order, you are purchasing a duty fulfilment with reporting line and liability coverage. As a compliance platform and officer-as-a-service, CIVAC is structured in such a way that both paths end in one system. The concept phase uses the same 490 audit templates, the same 25 representative roles and the same EU data residency, which will later remain relevant in ongoing operation. The transfer from consulting to permanent operation does not take 8 weeks, but takes place in the same workspace with the same data. This eliminates the most common breaking point in classic consulting projects.

The dual logic remains: Licence the workspace for your internal representatives, or have our representatives order it. The SLA for a first-time mandate is 2 working days. The appointment certificate is created, signed and stored in the workspace. The reporting line to management is part of the standard. The appointment certificate, signed, filed, verifiable. If you put a specific obligation on the table, such as NIS 2 preparation, GDPR order or LkSG risk analysis, it can be clarified in an initial conversation which form of delivery is suitable. Turn reading into a mandate.: info@civac.de or the contact form on civac.de. The role is commissioned, not the consultant day. This changes the calculation, the speed and the verifiability in the next audit. You will receive a written indication of all monthly costs after clarification of the number of employees, industry and affected areas of responsibility. At the same appointment, it can be decided whether the concept phase will be set up as a separate consulting mandate or whether it will be linked directly to the order so that the form of delivery fits the obligation from day one.

FAQ

How does compliance consulting differ from an external compliance officer?

Compliance consulting provides a concept, risk analysis and roadmap without formally appointing a person. An external compliance officer is appointed in accordance with Section 130 OWiG, receives an appointment document, a reporting line to the management and takes over ongoing activities with documented liability coverage. Only the formal order fulfils the material obligation and can be proven in the audit, while advice alone remains a preparatory step.

What daily rates are standard for compliance consulting in Germany?

Depending on the specialization and region, daily rates are between 1,200 and 2,400 euros net. An ISO/IEC 27001:2022 development project typically involves 40 to 120 consulting days over 9 to 18 months. A GDPR gap analysis ranges between 8 and 20 days. Instead, Officer-as-a-Service bills monthly and often includes the concept pro rata, so that the total costs over two years usually remain well below a pure consulting model.

When is compliance advice legally mandatory?

A consultation itself is never obligatory. The appointment of certain representatives is mandatory above threshold values, such as data protection officers for 20 or more people with automated processing in accordance with Section 38 BDSG, money laundering officer for those obliged to comply with the AMLA, internal reporting office for 50 or more employees in accordance with Section 12 HinSchG, ISB function for companies affected by NIS 2. Advice usually serves as preparation for these duties and does not replace the formal appointment.

Can small businesses without their own compliance department fulfil the same obligations?

Yes. Medium-sized companies usually fulfil their obligations through external representatives, a compliance platform and selective advice in concept phases. This combination often costs 60 to 80 percent less annually than an internal full-time position, without sacrificing audit reliability. The prerequisite is a clean role and template structure, a documented reporting line and a contractually guaranteed replacement in the event of absence.

How quickly can an external compliance officer be appointed?

In the classic consultant market, the selection and contracting process takes 2 to 6 weeks. CIVAC works with an SLA of 2 working days for the first order because the role, templates and reporting line are standardised in the workspace. The appointment certificate is generated, signed and filed in the system, and operations begin immediately. This means that acute mandatory situations can also be covered in a timely manner shortly before an audit or after an incident.

What documents should a compliance consultant always provide?

Risk analysis with reference to specific standards, action plan with responsible persons and deadlines, appointment certificates for the relevant roles, reporting line description, versioned guidelines, audit templates, training certificates and a handover plan for the end of the mandate. If one of these documents is missing, the service is difficult to prove in an audit or in the event of damage and can only be used to a limited extent in the event of a dispute in court or with the supervisory authority.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles