External Compliance Officer for DACH SMEs: Mandate, Costs and Setup
An external Compliance Officer gives SMEs a qualified compliance function without a full-time position. This article explains when the external solution is advisable, what it costs and how collaboration is structured.
§ 130 OWiG holds managing directors personally liable where they fail to fulfil the supervisory duties that would have prevented compliance breaches. Read together with IDW PS 980, which defines the principles of a proper Compliance Management System (CMS), this creates a clear set of requirements for SMEs: a compliance function is not optional but forms part of the minimum liability standard.
For companies with 50 to 2,000 employees operating in the DACH region — Germany, Austria, Switzerland — establishing a full-time internal Compliance Officer position is frequently not economically viable. The external Compliance Officer addresses this problem: the mandate is assumed on the basis of a service contract, immediately deployable expertise is brought in and activities are documented to a standard that holds up under scrutiny. This article sets out what the mandate covers, what it costs and how collaboration is structured for DACH SMEs.
Key Takeaways
- § 130 OWiG establishes personal liability of management for compliance failures — a CMS in accordance with IDW PS 980 demonstrably reduces this risk.
- An external Compliance Officer costs SMEs between €400 and €3,000 per month depending on scope, and is generally less expensive than an internal full-time position.
- In the DACH region, relevant differences exist in national law (GwG/Germany vs. FM-GwG/Austria, CO requirements in Switzerland) that an experienced external CO must know.
Legal Basis: Why SMEs Need a Compliance Function
The compliance obligation for companies under German law arises primarily from § 130 OWiG. Under this provision, anyone who, as the owner of a business or enterprise, intentionally or negligently fails to take supervisory measures necessary to prevent violations within that business or enterprise is acting unlawfully. The risk of fines extends to €10 million; for companies, an additional corporate fine may be imposed under § 30 OWiG.
In addition, IDW PS 980, as a recognised auditing standard, prescribes what a proper Compliance Management System (CMS) must encompass: compliance culture, compliance objectives, compliance risks, compliance programme, compliance organisation, compliance communication and compliance monitoring. This seven-element framework is the benchmark against which external auditors and courts assess the quality of a CMS.
In Austria, the Commercial Code (UGB) applies in conjunction with the GmbHG and criminal business law. In Switzerland, the Code of Obligations (OR) and the Administrative Criminal Law Act (VStrR) provide similar impetus. An external Compliance Officer operating in the DACH region must know these differences and take them into account in their work. Details of the tasks of the Compliance Officer are available on the corresponding CIVAC page.
Tasks of the External Compliance Officer: What the Mandate Covers
The Compliance Officer is not an inspector but the architect and operator of the Compliance Management System. Core tasks include:
- Compliance risk analysis: Identification of the compliance risks relevant to the company — by sector, geography and internal control status. The basis is a structured inventory of applicable laws, regulations and standards.
- Compliance programme: Policies, Code of Conduct, approval procedures for critical transactions (donations, sponsorship, consultancy agreements), four-eyes principle arrangements.
- Training and communication: Employee training on anti-corruption, competition law, anti-money laundering, supply chain requirements under the Supply Chain Due Diligence Act (LkSG). Documentation with certificate and record.
- Whistleblower system: Establishment and operation of the Internal Reporting Office under the Whistleblower Protection Act (HinSchG) (in Germany from 50 employees) and the EU Whistleblower Directive.
- Compliance reporting: Regular report to management in accordance with IDW PS 980. Documentation of compliance incidents, risk measures and system improvements.
- Regulatory authority communication: Support during investigations, searches or inquiries from the public prosecutor's office, BAFA (LkSG) or other authorities.
DACH Specifics: What the External CO Must Know
An external Compliance Officer working for companies in the DACH region must master more than German law. The relevant differences in Austria and Switzerland are not trivial:
Austria: The Money Laundering Act (FM-GwG) and the Register of Beneficial Owners Act (WiEReG) have their own requirements that differ from the German GwG. The appointment of a Compliance Officer is expressly provided for in the Austrian Banking Act (BWG) and the Securities Supervision Act (WAG) for regulated companies. For unregulated SMEs, the general corporate law duties of care apply.
Switzerland: The Code of Obligations (OR) requires joint-stock companies above certain thresholds to have internal audit and an internal control system (ICS). The VStrR is relevant in cases of business offences. Swiss companies operating in the EU must nonetheless comply with GDPR and the LkSG if they exceed certain thresholds.
A professional external CO for the DACH SME sector has networks in all three countries and coordinates with local specialists on cross-border matters. Superficial knowledge is insufficient here. In addition to the CO function, further officers are frequently relevant, such as the Data Protection Officer and the Internal Reporting Office Officer.
Costs: Price Ranges for the External CO in the SME Sector
The costs for an external Compliance Officer vary depending on company class, sector and scope of mandate. As a guide for the DACH SME sector:
| Company Class | Employees | Monthly Indicative Rate | Annual Value |
|---|---|---|---|
| Small SME | 50 to 150 | €400 to €700 | €4,800 to €8,400 |
| Medium SME | 150 to 500 | €700 to €1,500 | €8,400 to €18,000 |
| Larger SME | 500 to 1,000 | €1,500 to €2,500 | €18,000 to €30,000 |
| Upper mid-market | 1,000 to 2,000 | €2,000 to €3,000 | €24,000 to €36,000 |
By comparison: an internal Compliance Officer in the SME sector on a full-time salary, including employer costs, continuing education and infrastructure, costs at least €90,000 to €130,000 annually. The external solution is considerably less expensive in virtually all SME classes — and brings immediate operational readiness without a ramp-up period.
For sector-regulated companies (financial services, pharmaceuticals, critical infrastructure operators), surcharges of 30 to 60 per cent are realistic, as the scope of the mandate and the required specialisation increase significantly.
Mandate Setup: The First Three Months
A professional compliance mandate does not begin with general recommendations but with a structured inventory. The first three months typically follow a clear sequence:
- Month 1 — Compliance risk analysis: Identification of the applicable laws and regulations for the respective company (sector, size, markets). Assessment of existing measures against IDW PS 980. Identification of gaps.
- Month 2 — Programme design: Drafting of policies, Code of Conduct, approval procedures. Defining reporting lines. Designing the training programme for employees and management.
- Month 3 — Implementation and training: Roll-out of the compliance programme, first training round with documentation. Establishment or review of the whistleblower system under the Whistleblower Protection Act (HinSchG). First compliance report to management.
After this initial setup phase, regular operations follow: quarterly or bi-annual reports, ongoing monitoring of legal changes, repeat training sessions, accompanying special projects and regulatory inquiries.
The quality of these first three months is decisive — both for the subsequent audit readiness of the system and for ensuring that management experiences the mandate as useful rather than bureaucratic. Audit-ready, documented, § 130 OWiG-compliant.
Compliance and Further Officer Obligations: The Interplay
In practice, the Compliance Officer is rarely the only officer function that an SME needs to fill. § 130 OWiG and IDW PS 980 concern the overarching compliance function; alongside this, numerous specific appointment obligations exist depending on sector and company size:
- Data Protection Officer under Art. 37 GDPR and § 38 of the Federal Data Protection Act (BDSG)
- Information Security Officer under §§ 30, 38 BSIG (NIS-2)
- Anti-Money Laundering Officer under § 7 GwG for regulated companies
- Supply Chain Officer under § 4 LkSG for companies with more than 1,000 employees from 2024
- Internal Reporting Office Officer under the Whistleblower Protection Act (HinSchG) for companies with 50 or more employees
Coordinating between these roles is operationally demanding. A Compliance Officer working on a platform that integrates all officer roles avoids duplicate documentation and creates consistent evidence across all functions. CIVAC offers precisely this integration: all 25 officer roles in one workspace, one audit log, one documentation structure.
Contract Design: What Belongs in the Mandate Document
The contract with the external Compliance Officer differs from a standard consulting contract in several material respects. It must govern:
- Scope of mandate: Explicit service catalogue — which of the IDW PS 980 elements are covered, and which remain the company's own responsibility?
- Reporting obligation: To whom and at what frequency does the CO report? A direct reporting line to management is standard. Weekly email exchanges do not replace a formalised compliance report.
- Confidentiality: The CO gains access to sensitive company and personnel data. A clear confidentiality agreement is indispensable, particularly where the CO simultaneously holds other mandates.
- Liability arrangement: To what extent is the external CO liable for incorrect advice? The professional indemnity insurance should clearly state the coverage amount.
- Notice periods and handover: How is it ensured at the end of the mandate that documentation is handed over in full and no gap arises?
- Conflict of interest provision: Disclosure obligation for new mandates that could give rise to conflicts of interest.
Letter of appointment, signed, filed, evidenced. For the CO as well: formal documentation of the mandate is the starting point for any evidence vis-à-vis authorities and courts.
Quality Signals: How to Recognise a Competent External CO
The market for external Compliance Officers is less regulated than that for external Data Protection Officers — there is no statutory qualification requirement comparable to Art. 37(5) GDPR. This makes quality assessment more important, not easier.
The following signals are meaningful:
- Certifications: Certified Compliance Professional (CCP) of the Compliance Academy, CCEP (Certified Compliance and Ethics Professional) of the SCCE, specialist lawyer in criminal law or commercial and corporate law with CMS focus.
- Sector experience: A CO for the pharmaceutical industry must know AMG and AMVV compliance; a CO for financial services must know MaRisk and BAIT. Generalist COs without sector knowledge quickly reach their limits with regulated companies.
- Demonstrable CMS implementations: Has the provider built and successfully audited a CMS in accordance with IDW PS 980 for comparable companies?
- Sample reports: A reputable CO can present sample compliance reports (anonymised). Anyone unfamiliar with structured reports is not working to IDW standards.
- Professional indemnity insurance: Coverage amounts below €500,000 are insufficient for mandates with significant liability exposure.
CIVAC: Compliance Officer as a Service, with Workspace and DACH Network
CIVAC is a compliance platform and Officer-as-a-Service for the German, Austrian and Swiss SME sector. The CIVAC model combines the external Compliance Officer with a structured workspace: task management, project module for audits and assessments in accordance with IDW PS 980, training module with certificate, documentation module and AI assistant with confidence score and source references.
Appointment is completed within two working days: contract, letter of appointment, initial reporting line. The CIVAC network covers all relevant DACH markets and coordinates between German, Austrian and Swiss specialists on cross-border compliance requirements.
License the workspace for your internal officers — or have our officers appointed. Both are documentable on the same platform, with a unified audit log and coordinated reporting lines for all officer roles your company requires.
If you wish to clarify your specific compliance needs in the DACH region, speak with us. Turn reading into action: info@civac.de or via the contact form at civac.de.
FAQ
From what company size does an SME need a Compliance Officer?
There is no statutory threshold for the CO obligation comparable to that for the DPO. However, § 130 OWiG establishes a supervisory duty of management from the first employee. In practice, auditors and lawyers recommend a formalised compliance function from 50 employees.
What distinguishes a Compliance Officer from a lawyer?
A lawyer provides legal advice and is subject to the professional conduct rules of the BRAO. A Compliance Officer implements and operates a CMS, trains employees, reports to management and monitors the effectiveness of measures. This operational function goes beyond legal advice but does not constitute legal advice within the meaning of the RDG.
Does a German Compliance Management System also apply to subsidiaries in Austria and Switzerland?
Partly, but not fully. A German CMS in accordance with IDW PS 980 covers the German requirements. For Austrian and Swiss subsidiaries, national law (GmbHG, UGB, OR, VStrR) and local regulatory requirements must be taken into account. An experienced DACH CO coordinates these differences.
Can an external CO also act as the Internal Reporting Office Officer under the Whistleblower Protection Act (HinSchG)?
Yes, provided no conflict of interest arises. § 14 of the Whistleblower Protection Act (HinSchG) permits the appointment of external bodies as the Internal Reporting Office. A CO who also operates the Internal Reporting Office creates a coherent compliance function. Confidentiality towards whistleblowers must be contractually guaranteed.
How frequently must the Compliance Officer report to management?
Under IDW PS 980, at least annually; under good practice, bi-annually. Quarterly brief reports on material compliance risks or ongoing cases are standard. The frequency should be fixed in the mandate contract.
What is the difference between a Compliance Officer and a compliance consultant?
A Compliance Officer assumes a formal function within the company — with reporting lines, authority over compliance matters and ongoing operational responsibility. A compliance consultant produces opinions and recommendations but bears no ongoing operational responsibility. In a liability context, this distinction is highly material.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.