77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Compliance rules in the company: obligations, structures and evidence
Governance & Compliance

Compliance rules in the company: obligations, structures and evidence

2 June 202612 min readBy Dr. Henrik Bauer
CIVAC

Compliance rules are not a collection of information sheets, but a verifiable structure of obligations, responsibilities and evidence. This guide organises the most important standards, describes roles and shows how to document regulations in an audit-proof manner.

According to Section 130 OWiG, the company management is liable for the violation of supervisory obligations with fines of up to 10 million euros per violation. Compliance rules are therefore not a voluntary standard, but rather the documented response to this obligation. You translate legal requirements into procedures, responsibilities and evidence that an external auditor finds in a file.

This article shows which sets of rules are expected under German and European law, how you can clearly delineate the roles of management, compliance officer and specialist representative, and what evidence an authority wants to see in an emergency. The focus is on operational implementation: appointment certificate, reporting line, control intervals, documented training. Once you set up these structures properly, you measurably reduce liability risks and can respond to audit requests in days instead of weeks.

Key Takeaways

  • Compliance rules are enforced by Section 130 OWiG, Section 91 Paragraph 2 AktG and industry-specific laws such as GwG, LkSG or NIS-2, not chosen voluntarily.
  • A reliable set of rules consists of four layers: Code of Conduct, guidelines, procedural instructions and evidence files with appointment certificates and training protocols.
  • Audit robustness does not arise from scope, but rather from complete documentation of the order, reporting line and control activities of those responsible.

What compliance rules legally require

Compliance rules are the written translation of legal obligations into internal company procedures. The central norm is Section 130 OWiG: Anyone who owns a business and intentionally or negligently fails to take the necessary supervisory measures is liable for violations by their employees. For stock corporations, Section 91 (2) AktG supplements the obligation to set up a monitoring system that detects developments that threaten their continued existence at an early stage.

There are also area-specific obligations. Section 7 of the Money Laundering Act requires a money laundering officer for obliged entities under Section 2 of the GwG. According to Section 4 LkSG, the Supply Chain Due Diligence Act requires risk management and reporting to BAFA. According to Article 37, the GDPR requires a data protection officer for extensive processing of special categories. According to §§ 30 ff. BSIG-E, NIS-2 requires information security management with documented procedures and a 24/72-hour reporting path.

A common misunderstanding: Compliance rules do not arise from the adoption of a Code of Conduct. They only arise when every duty is assigned to a role, every role to a procedure and every procedure to a proof. This is exactly where the work of a compliance officer comes in: He manages the rules operationally and makes them auditable.

The four layers of a resilient set of rules

In practice, a compliance set of rules has four layers that build on one another. Anyone who skips a shift creates gaps that become visible in the exam.

Layer one is the Code of Conduct. It summarizes basic principles: integrity, anti-corruption, data protection, prohibition of discrimination, handling of gifts. The usual format is six to twelve pages, signed by management and acknowledged annually by all employees.

Layer two is the guidelines. They specify the code for defined topics: anti-corruption guidelines, data protection guidelines, IT security guidelines, complaints guidelines according to the HinSchG. Each policy specifies responsible role, scope, non-compliance procedure and audit cycle.

Layer three is the procedural instructions. They describe specific processes: How is suspected money laundering reported? Who checks gift offers over 50 euros? How is a data breach processed within the 72-hour period according to Art. 33 GDPR? Procedural instructions are the layer in which theory becomes practice.

Layer four is the evidence file. It contains appointment documents of the representatives, training minutes with lists of participants, meeting minutes of the compliance board, audit reports, corrective action plans. The appointment certificate, signed, filed, verifiable. This file is what the examiner asks for first.

Roles and reporting lines: Who is responsible for what

Compliance rules rarely fail because of missing documents, but rather because of unclear responsibilities. The German legal system has a clear hierarchy of responsibility.

The management bears ultimate responsibility according to Section 130 OWiG. She can delegate tasks, but not responsibility. Delegation only relieves pressure if it is done in writing, with a clear list of tasks and resources, and if management controls the exercise.

The compliance officer coordinates the entire system. He reports directly to the management or the supervisory board, at least annually, and immediately after separate incidents. His appointment certificate lists tasks, authorities, resources, access rights and protection against dismissal, to the extent provided for by law.

In addition, there are specialist officers for specialist areas: data protection officer according to Art. 37 GDPR, money laundering officer according to Section 7 GwG, information security officer in the context of NIS-2, whistleblower reporting office according to HinSchG. Each role has its own appointment certificate, its own reporting line and its own control obligations.

In practice, these roles work via a common compliance workspace: common risk matrix, common action list, separate files for legally separate duties. If you structure this clearly, you will avoid duplication of work and close the gaps where risks would otherwise be overlooked.

Which industries absolutely need which rules

The obligation to have a formal compliance system depends on the industry, size and activity. An overview:

Financial companies and insurers are subject to MaRisk and VAIT. A compliance officer with an independent reporting line to the board is mandatory, supplemented by a money laundering officer, data protection officer and information security officer. BaFin's inspection intensity is high.

Industry and trade with more than 1,000 employees will be subject to the LkSG from 2024, and gradually to the EU Supply Chain Directive from 2027. Documented risk management along the supply chain, a complaint procedure and annual reporting to BAFA are mandatory.

Companies that fall under NIS-2 (energy, health, transport, digital services, public administration and other sectors) need information security management with a clear 24/72-hour reporting path to the BSI. The EU Commission estimates around 29,500 affected companies in Germany.

Health and care facilities also need a hygiene officer in accordance with IfSG and MPDG duties, depending on the scope of care. Construction companies need safety and health protection coordinators according to BaustellV. Chemical companies need incident, dangerous goods and hazardous substances officers. The following applies in every constellation: The appointment certificate is the first proof that the obligation has been recognised and fulfilled.

Risk analysis as the foundation of the rules

A set of rules without risk analysis is occupational therapy. The risk analysis identifies which breaches of duty are likely, what level of damage they will trigger, and which controls will reduce them to an acceptable residual risk.

The combination of top-down and bottom-up has proven methodically successful. Top-Down: Management identifies strategic risks from business model, geography and industry. Bottom-up: The departments report operational risks using structured questionnaires. Both strands flow into a risk matrix with probability of occurrence and impact.

A control is defined for each significant risk: preventive (e.g. four-eye principle for payments over 25,000 euros), detective (e.g. monthly comparison of supplier base against sanctions lists), corrective (e.g. internal investigation in the event of information).

The control is only effective if it is tested regularly. A typical cycle: annual self-assessment by the department, biannual audit by internal audit or an external auditor. Results flow into an action plan with deadlines and responsible persons. An open measure lasting more than twelve months is a signal of structural failure and is critically examined in every audit.

This risk analysis is also the basis on which you decide which rules you actually need. Anyone who sets up rules without analysis produces paper with no effect.

Training, awareness and proof of effectiveness

A set of rules only works if the workforce knows them. Training is not a compulsory exercise, but rather an independent proof component. In an emergency, authorities ask for participant lists, content and evidence of the knowledge test.

A three-level concept has proven successful. Level one: annual mandatory training for all employees on the Code of Conduct, data protection, information security and whistleblower system. Level two: role-specific deepening for purchasing (anti-corruption, LkSG), sales (competition law, gift guidelines), IT (NIS-2, incident response), finance (AMLA, sanctions lists). Level three: event-related training following changes in the law or incidents.

Each training is documented: date, content, duration, participants, result of the knowledge test. For e-learning, a system-supported protocol is sufficient; for attendance, a signed list of participants is sufficient. The file ends up in the compliance workspace and must be kept for at least three years.

Effectiveness can be measured. Usual key figures: training coverage per area (goal: 100% of mandatory training completed within 60 days of joining), knowledge rate in samples, trend in incoming whistleblower reports (an increase is usually a signal of trust, not an alarm). These key figures belong in the annual compliance report to the management and are a frequent topic in supervisory board meetings.

Sanctions for rule violations: What is really threatening

The sanctions landscape has become significantly more severe in recent years. Anyone who does not maintain compliance rules or only formally maintains them risks in several dimensions.

Fine according to Section 130 OWiG: up to 10 million euros per violation for intentional failure to take supervisory measures. If benefits arise from the violation, an asset confiscation according to Section 73 StGB will be added.

GDPR: up to 20 million euros or 4% of global group sales according to Art. 83 Paragraph 5 GDPR. Data protection regulators have imposed fines of more than 2.1 billion euros in 2024, with a clear upward trend.

NIS-2: up to 10 million euros or 2% of group turnover for essential institutions, up to 7 million euros or 1.4% for important institutions. Personal liability of the management is expressly provided for in the BSIG-E.

GwG: up to 5 million euros or 10% annual turnover in accordance with Section 56 GwG. LkSG: up to 8 million euros or 2% of group turnover in accordance with Section 24 LkSG, supplemented by exclusion from public contracts.

In addition to fines, damage to reputation, loss of contracts with large customers who require compliance clauses and loss of insurance cover also affect. D&O insurance regularly excludes gross breaches of duty. Anyone who relies on a clean process not only protects the cash register, but also the personal assets of the management.

Compliance as software: From filing cabinet to platform

Many companies today still manage compliance like a filing cabinet: Word templates on a share point, Excel lists for open measures, an appointment certificate in the personnel file folder. This works as long as nothing happens. As soon as an auditor calls, the search begins.

Others run compliance like a filing cabinet. We run it like software. In practice, this means: a central platform with defined data structures for roles, duties, risks, controls, incidents and evidence. Versioned documents, verified training statuses, automatic deadlines, searchable incident files.

A specific use case: A data breach according to Art. 33 GDPR. The 72-hour period expires as soon as we become aware of it. In software-managed compliance, the incident is recorded in the workspace, the data protection officer is automatically notified, a pre-filled report is generated to the supervisory authority, the reporting line to management is documented, and a corrective action plan is opened. The entire process is traceable and auditable.

CIVAC is a compliance platform and officer-as-a-service. The workspace includes 490 ready-to-use audit templates, 25 representative roles with stored task catalogues and an integrated 24/72-hour reporting path according to NIS-2. Data is located exclusively in the EU. Licence the workspace for your internal representatives, or have our representatives order it. Both models provide the same depth of evidence, but differ in terms of responsibility and effort.

Turn reading into an assignment

The practice of the last two years shows: Companies rarely fail because of a lack of will to comply, but rather because of a lack of structure. Rules and regulations grow ad hoc, responsibilities become blurred, evidence is scattered. When an auditor calls, the question is not whether the obligations were fulfilled, but whether this can be shown in the file. The auditor calls, the evidence is ready. This goal can be achieved if compliance is set up as an operational system, not as a collection of guidelines.

If your company is facing an audit, has to fulfil a new obligation under NIS-2, LkSG or the AI ​​Act, or wants to consolidate the existing set of regulations, talk to us. CIVAC provides workspace and officers in one model: platform plus officer-as-a-service. Order in two working days, instead of the industry standard two to six weeks. Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de. Within 48 hours you will receive an assessment of your compliance maturity level and a concrete suggestion as to which roles, templates and deadlines are relevant to your situation.

FAQ

Which law requires compliance rules in Germany?

There is no single compliance law. The central norm is Section 130 OWiG: Company management must take the necessary supervisory measures, otherwise they face fines of up to 10 million euros. There are also area-specific obligations from the AMLA, LkSG, GDPR, BSIG-E (NIS-2) and sectoral laws such as KWG or VAG.

Does every company have to appoint a compliance officer?

There is a general obligation to order only for regulated industries (finance, insurance, critical care sectors). Other companies are effectively obliged as soon as the risk situation requires central coordination. In practice, we recommend ordering from around 250 employees or for international operations.

Which documents must an auditor see in an audit?

Appointment documents from the officers, documented risk analysis, current regulations (Code of Conduct plus guidelines), training protocols from the last three years, incident files with corrective measures and annual compliance report to management. If individual components are missing, the audit assessment becomes much more critical.

How does compliance differ from internal audit?

Compliance sets rules and monitors compliance in day-to-day business. Internal Audit independently verifies whether rules and controls are effective. Both functions report to the management or the supervisory board, but may not be carried out in conjunction with one another. This separation is anchored in MaRisk, VAIT and ISO/IEC 27001:2022.

Can compliance rules be outsourced?

The operational responsibility can be outsourced to external service providers; the ultimate responsibility of the management always remains in-house according to Section 130 OWiG. An external compliance officer is permitted if he or she has the same access to information, resources and reporting line as an internal one.

Which deadlines are the most operationally critical?

Three deadlines occur regularly: 72 hours for reporting a data breach in accordance with Art. 33 GDPR, 24 hours of early warning and 72 hours of follow-up reporting for significant security incidents in accordance with NIS-2, as well as reporting obligations under the AMLA immediately in the event of suspected cases. The clock starts on awareness.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles