Automate compliance training: e-learning, evidence and reporting lines in medium-sized companies
Training obligations are increasing: GDPR, NIS 2, HinSchG, ISO/IEC 27001:2022, hazardous substances, fire protection. Anyone who continues to keep records in Excel will fail the audit. This article shows how automated e-learning and a workspace carry the reporting line to management.
The training obligation of the person responsible follows from several regulations at the same time. Article 39 Paragraph 1 Letter b GDPR obliges the data protection officer to raise awareness and train employees involved in processing operations. Section 4 (3) HinSchG requires all employees to be informed about the internal reporting office. Appendix A.6.3 ISO/IEC 27001:2022 requires documented security awareness. The NIS2UmsuCG will extend this obligation to around 29,500 companies in Germany in 2026. Anyone who continues to keep the training records in Excel lists will produce a structural finding at the next inspection, because the lists cannot be versioned or secured cryptographically and rarely survive a change in personnel in the compliance team.
This article shows how compliance training can be automated across all relevant roles. You will find out which legal minimum intervals apply, how an e-learning module is connected to the reporting line and the list of processing activities, which content is mandatory for which roles and how, in the event of an audit, management can demonstrate the complete training status within two hours. CIVAC brings together these functions as a compliance platform and officer-as-a-service in a workspace that already contains the 25 officer roles, 93 controls according to ISO/IEC 27001:2022 and 490 audit templates and links the training objects with the appointment certificate of the respective officer.
Key Takeaways
- Training certificates in accordance with Art. 39 GDPR, § 4 HinSchG and Appendix A.6.3 ISO/IEC 27001:2022 must be versioned, signed and exportable in the workspace, not in Excel.
- Automated e-learning does not replace the representative, but it relieves him of 60 to 80 percent of the routine and maintains the capacity for substantial risk work.
- In the CIVAC workspace, training is linked to role, processing directory and reporting line, so that audit exports are available without rework.
Which training obligations German medium-sized businesses will fulfil in 2026
The list of obligations is extensive and not centrally regulated. Article 39 Paragraph 1 Letter b GDPR requires staff to be sensitized and trained in all processing operations. Section 4 Paragraph 3 HinSchG requires verifiable information about the internal reporting office. Appendix A.6.3 ISO/IEC 27001:2022 requires a documented awareness program, the effectiveness of which is measured according to § 9.1 ISO/IEC 27001:2022. Section 12 (1) ArbSchG requires instruction in occupational safety, the Hazardous Substances Ordinance requires annual instruction for activities with hazardous substances, the Dangerous Goods Officer Ordinance prescribes role-related training, and Section 14 GwG requires regular information for employees in companies subject to money laundering obligations. In addition, there are sector-specific obligations from the KRITIS-DachG and, from 2026, the training obligations from the EU AI Act for high-risk systems, the specific design of which will be further specified by the national supervisory authorities in the coming months.
In practice, this means between 6 and 15 mandatory topics per year for medium-sized companies, depending on the industry and size. Each topic requires a content definition, a list of recipients, proof of implementation, proof of effectiveness and a retention period. Retention periods range from two years for general data protection awareness to ten years for dangerous goods-related training. Anyone who maintains this catalogue without a structured system accumulates a documentation burden that is no longer manageable and which is viewed as a systematic deficiency in the audit. In addition, most of these duties require not only implementation but also effectiveness, which cannot be proven without learning control. The transition to an automated e-learning system is therefore not a question of convenience, but rather a prerequisite for appointment of the respective representatives at economically viable conditions.
What automation actually means in compliance training
Automation in this context does not mean replacing content with algorithms, but rather separating content, allocation, execution and evidence into four connected layers. The content layer contains role-specific modules that are curated by qualified specialists, such as an external data protection officer for the GDPR modules or an occupational safety specialist for the ArbSchG modules. The assignment layer automatically assigns these modules based on the employee's role without the need for an HR department to maintain lists. The implementation layer records the start, end, pass rate and repeat date. The evidence layer creates version-proof audit exports that are provided with cryptographic time stamps and can therefore also survive a forensic audit.
These four layers replace three classic bottlenecks. Firstly, there is no need for manual tracking by HR or office management, which, depending on the size of the company, ties up between 0.2 and 0.8 full-time equivalents. Secondly, the annual catch-up race before the ISO audit is eliminated, in which training gaps have to be closed at short notice and the credibility of effectiveness suffers. Thirdly, there is no discussion with the supervisory authority about the effectiveness of the training because proof of effectiveness is provided systemically through learning control and repetition intervals. CIVAC maps these four layers in the workspace. The training objects are linked to the reporting line of the responsible officer, so that management can view the training status per role and per location in the quarterly report without having to generate a separate report from the learning management system. This coupling also reduces the disruptive interfaces between HR, IT and compliance because all three functions see the same data status and discussions about figures are eliminated. Others run compliance like a filing cabinet. We run it like software., and this applies in particular to the training documentation, which is most often broken in classic systems.
Contents: What a legally compliant e-learning library must contain at least
An exam-proof e-learning library covers at least eight subject areas, each in a role-related general version and in a more in-depth specialist version for the responsible representatives. Firstly, data protection in accordance with Articles 5, 6, 32 and 33 GDPR including the obligation to report within 72 hours. Secondly, information security according to Annex A ISO/IEC 27001:2022 with a focus on password hygiene, phishing detection and handling of mobile devices. Thirdly, whistleblower protection according to the HinSchG including the accessibility of the internal reporting office. Fourth, money laundering prevention for affected companies according to the AMLA. Fifthly, anti-corruption according to IDW PS 980 and Section 130 OWiG. Sixth, occupational safety according to Section 12 of the ArbSchG. Seventh, fire protection according to DGUV Information 205-001. Eighth, role-specific topics such as dangerous goods, hazardous substances or radiation protection, if applicable, each with the regulation-specific repetition intervals.
The content must be checked annually to ensure that it is up to date and re-certified after every relevant legal change. A library that was last updated in 2024 will not meet EU AI Act obligations from August 2026. A library that only maps ISO/IEC 27001:2022 in the old 2013 version will fail from October 2025. CIVAC maintains the library via the maintenance team, which continuously incorporates the NIS 2 implementation and the ISO transitions into the modules. Each module version is provided with a version number, an entry into force date and a list of sources so that the auditor can understand which legal statuses the workforce was trained at and when. Licence the workspace for your internal representatives, or have our representatives order it. In both models, the content of the library is identical and is updated in the same way, without the client having to commission separate update projects. Additional language versions for locations outside German-speaking countries are also maintained centrally and are not created per client.
Assignment: role, location, risk
The training courses are assigned according to three dimensions that are configured in the workspace. The first dimension is the role: a warehouse employee needs different modules than a managing director, a developer needs different modules than a field sales representative. The second dimension is the location: a plant that handles hazardous substances triggers different obligations than a pure office building, and a location in a KRITIS sector triggers additional obligations from the KRITIS-DachG. The third dimension is the risk: Employees with access to special categories of personal data according to Art. 9 GDPR require in-depth data protection training, employees with administrative rights in ISMS-relevant systems require in-depth ISMS training with a focus on privileged access and the dual control principle.
The assignment is deterministic and based on a matrix of these three dimensions. When a new employee joins, the mandatory modules are set up automatically, the repeat date is set, and the reminder to the employee and the escalation to the superior run without manual maintenance. If a role changes, the matrix adapts the mandatory modules without HR or Compliance having to intervene. In the event of a departure, training records are archived for at least five years, which covers most supervision periods, and for special duties such as dangerous goods, up to ten years. Special cases are also covered: External service providers with access to the ISMS receive a limited set of modules, interns and working students receive a set adapted to the length of employment. The appointment certificate, signed, filed, verifiable, and the same is true with the proof of training: it is provided with a time stamp that makes the implementation provable and is visible to management in the quarterly report.
Evidence: What an auditor expects in 2026
In 2026, an auditor will no longer just expect confirmation of participation, but full proof of effectiveness. The proof of effectiveness consists of four components. Firstly, the proof of content: which module and which version was run through. Secondly, the proof of implementation: who started the module, when, when it was completed, with what result and with what repetition loop in the event of failure. Third, proof of recurrence: when was the last refresh, when is the next one due, and what external events, such as security incidents or legal changes, triggered extraordinary recurrences. Fourthly, the proof of escalation: what happened when a module was due but not carried out, and how was the gap closed.
The data protection conference systematically examined the training certificates in the coordinated audit in 2025 and found numerous deficiencies because the repetition and escalation layer is typically missing in Excel solutions. According to § 9.1 ISO/IEC 27001:2022, the ISO auditor explicitly requires the measurement of effectiveness, which cannot be achieved without structured learning control. The CIVAC workspace exports the four types of evidence in an audit package that can be checked without rework and in which the data has been available unchanged since the respective collection time. A sample test in which the auditor questions randomly selected employees about training content is also prepared through the structured learning control because the pass rate per module and per location is visible and weak modules can be identified. The auditor calls, the evidence is ready. Audit-proof, documented, Section 39-proof, so that even a supervisory audit announced at short notice does not put time pressure on the compliance team and management goes into the audit discussion with a reliable report instead of an emergency solution. Structured escalation regularly convinces auditors more than any argument because it shows that gaps are not ignored but are closed in a documented manner.
Integration: From the training module to the directory of processing activities
Training courses are not isolated objects. They are linked to the processing activities, the risk assessments, the ISMS controls and the reporting line. A new processing operation that processes special categories of personal data in accordance with Art. 9 GDPR creates an obligation for in-depth data protection training for the accessing persons. A new ISMS control that gives administrative rights to a wider group of people creates an obligation for in-depth ISMS training. A reporting obligation according to Art. 33 GDPR or Section 32 NIS2UmsuCG that results from an incident can result in extraordinary training as a corrective measure, which is stored in the workspace with incident ID and deadline.
This integration is structurally designed in the CIVAC workspace. The directory of processing activities links to the mandatory training of the accessing roles. The risk assessment links to the training that reduces the risk. The reporting line of the data protection officer or the information security officer receives the training metrics in the quarterly report. A training gap is therefore not just an HR problem, but a documented residual risk that appears in management's risk acceptance. The interlocking also works in the other direction: if an employee has completed in-depth training, the training is recognised as a control in the ISMS risk assessment and reduces the residual risk of the associated processing activity. This integration is what distinguishes an e-learning tool from an integrated compliance platform. Others run compliance like a filing cabinet. We run it like software., and the software makes the connections automatically. This means that the historically most common source of inconsistent compliance findings disappears: separate lists with different current statuses that do not match each other in the event of an audit. The integration solves this structural problem at the technical level, not through additional discipline in the compliance team. This also gives the management's risk acceptance a different quality because the accepted residual risk is anchored in a current level of training.
Effort and cost-effectiveness: A calculation for medium-sized businesses
A conservative calculation illustrates the economic efficiency. A medium-sized company with 500 employees and 9 compulsory topics per year carries out 4,500 compulsory modules per year. Manual management via Excel and email reminders takes an estimated 15 minutes per module to assign, remind, track and file, a cumulative 1,125 hours, or about 0.7 full-time equivalents. With a fully charged salary of 75,000 euros per year for an HR or compliance employee, that's 52,500 euros in pure administrative costs without any content. In addition, there is an estimated 25,000 euros for the annual external training procurement via classic providers with individual effort per module and a further 10,000 euros for external audit preparations in which training gaps are subsequently filled in.
An automated solution via the CIVAC workspace reduces the administrative effort to around 100 hours per year because the allocation, reminders and tracking are carried out systemically. The content is included in the platform price because the library is curated once and used for all clients. In the example case, the difference is around 65,000 to 75,000 euros per year, and it is independent of whether the company is ever audited because the released capacity can immediately be used for substantial risk work. The investment is therefore budget-neutral and at the same time reduces the audit risk. For larger companies with multiple locations, the effect scales linearly because the platform keeps the overhead per additional location close to zero, while manual management increases proportionately with each location. Turn reading into a mandate. is the operational consequence of this calculation as soon as the administrative costs have become transparent. In addition, it should be taken into account that the platform solution additionally relieves management within the framework of Section 130 OWiG, because the documented obligation to supervise the training situation can be used as reliable evidence in the event of a fine procedure.
The two operating models: Licence and Officer-as-a-Service
CIVAC offers two operating models that do not differ technically, but fit differently organizationally. In the licence model, the internal data protection officer, the information security officer or the compliance officer operates the platform himself. He maintains the reporting line, defines mandatory training, checks effectiveness metrics and exports the audit package. The model is suitable for companies with qualified internal staffing of representative roles and established compliance structures. It is the most economically advantageous model because the platform costs are the only external component and the internal compliance team retains technical sovereignty without involving an external third party in the reporting line.
In the officer-as-a-service model, CIVAC appoints the representatives and manages the platform for the client. The model is suitable for companies that do not have qualified internal candidates, that want independence in accordance with Art. 38 Para. 6 GDPR or that want to consolidate across multiple locations and companies. Both models share the same workspace, 490 audit templates, training library, and reporting line. If the company changes the model in the middle of the contract, for example because an internal data protection officer is hired, data and training certificates remain unchanged in the workspace and there is no migration break. A partial configuration is also possible, in which CIVAC only provides the information security officer, while data protection and occupational safety are staffed internally. Licence the workspace for your internal representatives, or let our representatives appoint them, and make the operating model decision based on your HR strategy, not the platform architecture. The optionality remains for the entire contract term, and the handover of a role between internal and external staff is shown in the workspace as a regulated procedure with reporting line adjustment and appointment certificate update.
Turn reading into an assignment: Here's how to get started
An informed decision about automating compliance training begins with three documents: the company's current training catalogue, the list of employees by role and location, and the most recent audit finding that addressed training gaps. The scope of the mandatory modules, the matrix of role, location and risk to be implemented as well as the migration path from the existing Excel solution to the workspace are derived from these documents. A 60-minute scoping discussion is enough to clarify which of the two operating models is suitable and which modules are not already available in the CIVAC library and should be created individually. The question of retention periods per module topic is also clarified in the scoping because it plays a central role in the migration of legacy data.
Commissioning takes place at a service level of 2 working days from the signed order to the executable workspace with activated training matrix. Within the first 30 days, the employees are migrated, the appointment certificates for the responsible representatives are created and the reporting line to management is signed. Licence the workspace for your internal representatives or have our representatives order it and decide on the model again after the first 30 days have been completed and you have seen the platform in operation. Turn reading into an assignment. You can reach the onboarding team at info@civac.de or via the contact form on civac.de. The initial response will be made within one working day, the offer within two working days, including a fixed price for the first twelve months and a documented transitional arrangement for the ongoing training cycles. A pilot operation via a single location or a single subsidiary is possible if the risk situation requires a gradual rollout.
FAQ
What legal obligations require training in medium-sized businesses?
Relevant are Art. 39 Paragraph 1 Letter b GDPR, Section 4 Paragraph 3 HinSchG, Annex A.6.3 ISO/IEC 27001:2022, Section 12 ArbSchG, the Hazardous Substances Ordinance, the Dangerous Goods Officer Ordinance and Section 14 GwG. There are also sector-specific obligations from the KRITIS-DachG and, from August 2026, the obligations from the EU AI Act for high-risk systems. The catalogue of duties typically covers between 6 and 15 topics per year.
Does automated e-learning replace the internal training manager?
No. It replaces manual administration, not professional responsibility. The data protection officer, the information security officer or the occupational safety specialist remains technically responsible. The platform handles assignment, reminders, tracking, proof of effectiveness and audit export, allowing the assignee to focus on substantive risk work and management to view training status at any time.
How long must training records be kept?
The retention periods vary depending on the topic. General data protection awareness should be proven for at least three years, training in accordance with the Dangerous Goods Officer Ordinance for up to ten years, occupational safety instructions at least until the next repeat training, ISMS awareness throughout the entire certification cycle. The CIVAC workspace sets standard deadlines, which the person responsible can extend in individual cases and keep them audit-proof throughout the entire retention period.
What happens to the training data when you change provider?
The training data belongs to the person responsible and is exported upon request in a structured, machine-readable format. In the CIVAC workspace, the export function is part of the standard contract and can be triggered by the client at any time. This ensures the continuity of compliance evidence across provider boundaries and a later change of provider does not lead to a gap in the audit documentation.
What content does the CIVAC training library cover as standard?
The library covers data protection according to GDPR and BDSG, information security according to ISO/IEC 27001:2022, whistleblower protection according to HinSchG, money laundering prevention according to AMLA, anti-corruption, occupational safety, fire protection, hazardous substances and dangerous goods. Sector-specific modules such as radiation protection or KRITIS are added if necessary. The content is updated annually and after every relevant legal change and documented with version numbers, effective date and list of sources.
How quickly is an automated training solution productive?
In the CIVAC service level, the executable workspace with activated training matrix is available two working days after the order is placed. The migration of the employee list and the signing of the reporting line will take place within 30 days. Classic implementations via separate learning management systems, on the other hand, typically take between two and six months and during this time they tie up considerable internal capacity that is not available for substantial risk work.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.