German Compliance Requirements for US Subsidiaries: The Officer Map
A US parent that incorporates a German GmbH inherits a stack of mandatory officer roles, hard deadlines and personal-liability rules that have no direct US counterpart. This guide maps the obligations, the fines and the operating model that keeps the German entity audit-ready without expanding US headcount.
Section 130 of the German Administrative Offences Act (§ 130 OWiG) makes management personally liable when supervisory duties at a German subsidiary are neglected, with corporate fines of up to 10 million euros under § 30 OWiG and individual fines of up to 1 million euros under § 130(3) OWiG. A US parent that appoints a Geschäftsführer (managing director) for its German GmbH inherits this regime on day one of incorporation, regardless of how the group is governed in Delaware, California or New York. The compliance stack is not optional, cannot be negotiated away through a parent-company policy, and is not covered by SOX, HIPAA or a US-style code of conduct that has been translated into German.
This article maps the mandatory officer roles a US-headquartered group must staff in Germany, the statutory deadlines that trigger personal liability, the fine ranges under NIS-2, GDPR, HinSchG and LkSG, and the operating model that lets a 40-person Munich office stay audit-ready without forcing the US parent to grow a German compliance team. The frame is operational, not legal advice, and it follows CIVAC's positioning as a compliance platform and officer-as-a-service for the German entities of international groups. It is written for general counsel, heads of compliance and CFOs who sign the budget for the German entity each year.
At a glance
- A German subsidiary triggers at least eight mandatory officer roles independent of the US parent: data protection officer, information security officer (once NIS-2 applies), occupational safety specialist, company physician, fire safety officer, internal reporting channel manager under HinSchG, AGG complaints office, and supply-chain (human-rights) officer once LkSG thresholds apply.
- Deadlines run from awareness, not from US headquarters approval: 72 hours for personal data breaches (Art. 33 GDPR); 24 hours for the early warning and 72 hours for the incident report under NIS-2, for essential and important entities alike.
- The Geschäftsführer of the German GmbH carries personal liability under § 130 OWiG; a US-side compliance program does not shield this individual. What does is German appointment documents, training records and audit logs that prove adequate supervision.
Why US Compliance Programs Do Not Cover the German Entity
A US group that runs a sophisticated SOX program, a HIPAA framework and a Department of Justice-aligned code of conduct typically assumes that its German subsidiary inherits this protection by extension. German supervisory authorities and labour courts do not share that view. What used to be § 4f of the old Federal Data Protection Act is now Art. 37 GDPR plus § 38 BDSG: a dedicated data protection officer must be designated in writing for the German entity as soon as, as a rule, at least 20 people are permanently engaged in automated processing of personal data. The appointment should name the German legal entity (in practice by its commercial register number), not a US-based privacy team or a parent-level Chief Privacy Officer. A signed Bestellurkunde (appointment deed), filed in the personnel records, is the threshold artefact that an inspector will request first.
The same logic applies to information security under the NIS-2 implementation law (NIS2UmsuCG), to occupational safety under § 5 ArbSchG and DGUV Vorschrift 2, and to whistleblower channels under § 12 HinSchG. Each statute names the legal entity in Germany, not the group. A US parent that ships its global ethics hotline to Frankfurt without a German-language channel, a lawful basis for the data flows and a designated case manager is in violation from the day the German entity reaches 50 employees. The remedy is not a policy memo but a documented appointment, an audit-ready process map and a deadline calendar that runs on German time, not Pacific or Eastern. CIVAC publishes the role-by-role obligation matrix on the overview of mandatory officer roles, with the underlying paragraphs, fine ranges and triggering thresholds in one view.
The Eight Officer Roles a German GmbH Cannot Skip
The minimum staffing set for a typical commercial German GmbH with 40 to 250 employees, no production facility and no critical infrastructure, looks as follows. First, the data protection officer under Art. 37 GDPR and § 38 BDSG, appointed in writing, reachable in German, with documented independence. Second, the information security officer once the entity falls into NIS-2 scope as an important entity (a regulated sector plus medium-enterprise size: 50 or more employees, or more than 10 million euro in both annual turnover and balance sheet total) or an essential entity (large-enterprise size: 250 or more employees, or more than 50 million euro turnover and 43 million euro balance sheet total). Third, the occupational safety specialist (Fachkraft für Arbeitssicherheit) under § 5 ASiG, with hours scaled by DGUV Vorschrift 2 risk groups. Fourth, the company physician under § 2 ASiG.
Fifth, the fire safety officer (Brandschutzbeauftragter) once the building risk profile or insurance contract requires one, typically for office buildings above 200 employees, for assembly use or for buildings with a raised fire load. Sixth, the internal reporting channel manager under § 14 HinSchG for entities with 50 or more employees, with German-language intake and a 7-day acknowledgement clock. Seventh, the equal-treatment complaints office (AGG-Beschwerdestelle) under § 13 AGG, mandatory from the first employee and often forgotten by US-headquartered groups. Eighth, the supply-chain (human-rights) officer under the German Supply Chain Due Diligence Act (LkSG) once the entity has 1,000 or more employees in Germany, counted under § 1(3) LkSG across the German headcount of all group companies attributed to the German top entity. A central compliance officer sits above all eight roles and owns the deadline calendar plus the reporting line to the Geschäftsführer, with a quarterly cadence.
Deadlines That Run From Awareness, Not From Headquarters
The single biggest cultural gap between US incident-response playbooks and German statutory deadlines is the trigger. Under German law, deadlines start at the moment a responsible person at the German entity becomes aware of the incident. They do not pause for US legal review, do not wait for a global incident response team in Texas, and do not extend because the German managing director was on holiday or because the case landed in a US ticketing system first. The clock runs from awareness (Frist läuft ab Kenntnis). The supervisory authority will calculate it from the timestamp on the first internal ticket or the first email confirming the incident, not from the moment the case lands on the desk of the US Chief Privacy Officer two days later.
The hard deadlines are clear and bounded. Personal data breach: notification to the competent state authority within 72 hours under Art. 33 GDPR, with documented justification for any delay. NIS-2 cyber incident (essential and important entities): 24 hours for the early warning, 72 hours for the incident report, one month for the final report to the BSI under § 32 NIS2UmsuCG. Workplace accident: fatal or severe accidents are reported to the Berufsgenossenschaft immediately, other reportable accidents within three days of awareness under § 193 SGB VII. Whistleblower report: acknowledgement within 7 days and feedback within 3 months under § 17 HinSchG. Money-laundering suspicious activity report: without undue delay, no fixed window, but documented under § 43 GwG. The risk multiplier is not the breach itself but the missed deadline. CIVAC's workspace runs a 24/72-hour deadline counter linked to the appointment documents of the responsible officers, so the reporting line (Berichtslinie) is automatic. The inspector calls, the evidence is ready.
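The "clock runs from awareness" rule is easy to get wrong in a group that works across time zones. The following added example (illustrative code, not CIVAC's workspace; the window names, the choice of which windows are hour-, day- or month-based, and the fact that a 30-day month is clamped at month end are assumptions made for the example) computes the deadlines quoted above from the earliest timestamped evidence of awareness. Hour-based windows are treated as elapsed time and computed on the UTC axis, so a daylight-saving switch inside the window does not silently shorten it; results are reported in German local time. Whether weekends or holidays shift a deadline is not modelled.

```python
"""Deadline calculator for the statutory windows quoted in the article.

Illustrative example code (not CIVAC's software). Assumptions made here:
the window names and their hour/day/month basis, end-of-month clamping for
month-based windows, and no weekend/holiday shifting.
"""
from calendar import monthrange
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

BERLIN = ZoneInfo("Europe/Berlin")

# Hour-based windows are elapsed time: Art. 33 GDPR and § 32 NIS2UmsuCG.
HOUR_WINDOWS = {
    "gdpr_art33_breach_notification": 72,
    "nis2_early_warning": 24,
    "nis2_incident_report": 72,
}
# Day- and month-based windows keep the wall-clock time of awareness.
DAY_WINDOWS = {"hinschg_acknowledgement": 7}          # § 17 HinSchG
MONTH_WINDOWS = {"nis2_final_report": 1, "hinschg_feedback": 3}


def first_awareness(evidence: list[datetime]) -> datetime:
    """The clock starts at the earliest timestamped evidence (first ticket,
    first confirming email), not at the moment headquarters was told."""
    if not evidence or any(e.tzinfo is None for e in evidence):
        raise ValueError("every evidence timestamp must be timezone-aware")
    return min(evidence)  # aware datetimes compare as instants across zones


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping to the last day of the target month
    when the start day does not exist there (30 Nov + 3 months -> 28/29 Feb).
    Assumption for the example: no weekend/holiday shifting."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def deadlines(awareness: datetime) -> dict[str, datetime]:
    """Return every deadline as an aware datetime in Europe/Berlin."""
    if awareness.tzinfo is None:
        raise ValueError("awareness must be timezone-aware: take it from the ticket")
    out: dict[str, datetime] = {}
    # Add hours on the UTC axis: aware datetime + timedelta in Python is
    # wall-clock arithmetic, which loses an hour across a DST switch.
    start_utc = awareness.astimezone(timezone.utc)
    for name, hours in HOUR_WINDOWS.items():
        out[name] = (start_utc + timedelta(hours=hours)).astimezone(BERLIN)
    start_local = awareness.astimezone(BERLIN)
    for name, days in DAY_WINDOWS.items():
        out[name] = start_local + timedelta(days=days)
    for name, months in MONTH_WINDOWS.items():
        out[name] = add_months(start_local, months)
    return out


if __name__ == "__main__":
    # Constructed scenario: the first ticket is opened late Friday in Los
    # Angeles; the US Chief Privacy Officer only hears about it on Monday.
    first_ticket = datetime(2024, 3, 8, 23, 30, tzinfo=ZoneInfo("America/Los_Angeles"))
    cpo_informed = datetime(2024, 3, 11, 9, 0, tzinfo=ZoneInfo("America/New_York"))
    start = first_awareness([cpo_informed, first_ticket])
    print("clock starts (Berlin):", start.astimezone(BERLIN).isoformat())
    for name, due in deadlines(start).items():
        print(f"{name:32s} {due.isoformat()}")
```

The demo scenario shows the gap the article describes: the GDPR and NIS-2 clocks start at 08:30 Berlin time on Saturday morning, when the Los Angeles ticket was opened, not on Monday when the parent's privacy officer was informed. Feed the function the timestamps you actually have in the ticketing system; a naive (zone-less) timestamp is rejected on purpose, because "it was about 9 a.m." is exactly the ambiguity an inspector will not accept.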
Fines, Personal Liability and the § 130 OWiG Trap
US executives often assume that the corporate veil and a directors-and-officers policy cover the German managing director the same way a Delaware D&O policy covers a corporate officer. The German system is structurally different. Section 130 OWiG creates a personal supervisory duty for the Geschäftsführer that cannot be delegated away by board resolution, group policy or service agreement. If a regulatory violation occurs in the German GmbH and the managing director cannot prove that adequate supervision was in place (appointment documents, training records, audit logs, escalation paths, written instructions), the individual receives a personal fine, and fines of this kind are not insurable in the way a board-level US claim is. German authorities do bring § 130 OWiG proceedings against individuals after a corporate violation.
The fine ranges are concrete, not theoretical. GDPR: up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, under Art. 83 GDPR; "undertaking" is read as the economic unit, so the US parent's consolidated revenue can be the base. NIS-2: up to 10 million euros or 2 percent of worldwide annual turnover, whichever is higher, for essential entities; up to 7 million euros or 1.4 percent for important entities. HinSchG: up to 50,000 euros per violation under § 40, and each case is a separate violation. LkSG: up to 8 million euros under § 24 LkSG, or up to 2 percent of average annual turnover for groups above 400 million euros revenue. The amounts are bounded and enforcement decisions are published by the supervisory authorities, the Bundesamt für Justiz and the BSI. The structural protection is documentation: the appointment deed, signed, filed, provable (Bestellurkunde, unterschrieben, abgelegt, belegbar).
NIS-2 and ISO 27001:2022 as the Information Security Spine
For US groups with a German subsidiary in manufacturing, chemicals, food, ICT services, digital infrastructure, postal services or other regulated supply categories, NIS-2 is the dominant new obligation. Approximately 29,500 German entities are estimated to fall under the law. The German implementation classifies entities as essential (large enterprises: 250 or more employees, or more than 50 million euro turnover and 43 million euro balance sheet total) or important (medium enterprises: 50 or more employees, or more than 10 million euro in both turnover and balance sheet total) within the sectors of the NIS2UmsuCG annexes. Each entity must appoint an information security officer in writing, implement the risk-management measures in § 30 NIS2UmsuCG (which map broadly onto the ISO/IEC 27001:2022 Annex A controls), and register with the BSI within three months of falling into scope. Management responsibility under § 38 is explicit and non-delegable.
The pragmatic operating model is to anchor the German entity's information security management system on ISO/IEC 27001:2022, whose 93 Annex A controls cover the NIS-2 risk-management catalogue. The certification gives the US parent a recognised auditor opinion that supports both the NIS-2 evidence requirements and US customer due-diligence questions, including the typical SOC 2 references in master service agreements. CIVAC operates a workspace that maps the 93 controls to evidence artefacts and to the appointed information security officer of the German entity. The reporting line to the managing director is documented in the appointment papers, the 24/72-hour incident pathway runs against the BSI portal, the deadline counter is automatic and the evidence archive is ready for the next inspector visit without late-night document hunts. The same workspace also serves the US parent's auditor when SOC 2 or customer due-diligence questionnaires touch the German entity. Others run compliance like a filing cabinet. We run it like software.
Whistleblower Channels: Why a Global Hotline Is Not Enough
The German Whistleblower Protection Act (HinSchG), implementing EU Directive 2019/1937, entered into force on 2 July 2023 and took full effect on 17 December 2023 for entities with 50 to 249 employees. The act requires every employer with 50 or more employees to operate an internal reporting channel that accepts written and oral reports, acknowledges receipt within 7 days, provides feedback within 3 months and protects the reporter against retaliation under § 36 HinSchG. A US-based global ethics line, even with German-speaking call handlers in Atlanta or Manila, does not satisfy the law on its own if the case manager is not designated in writing as the independent, impartial person under § 15, if reporters cannot file in German, or if the personal data leaves the EU without a transfer basis under Chapter V GDPR.
The fines under § 40 HinSchG reach 50,000 euros for obstructing a report or retaliating against a reporter and 20,000 euros for failing to set up an internal reporting channel at all, each violation counted separately and enforced by the Bundesamt für Justiz. The structural fix is a German-language reporting channel hosted in the EU, with a documented case manager, encrypted intake, retention rules under § 11 HinSchG (documentation deleted three years after the case is closed) and a reporting line to a Geschäftsführer who is not also the subject of typical complaints. The channel must be reachable orally (for instance by phone), in text form and, on request, in person. CIVAC offers the channel as software inside the workspace and as a service through an appointed case manager. License the workspace for your internal officers, or have our officers appointed.
LkSG, AGG and the Other Statutes Easily Missed
Three German statutes regularly catch US-headquartered groups off guard because they have no direct US analogue and they sit in the operational, not the financial, line of compliance. First, the Supply Chain Due Diligence Act (LkSG) has applied since 1 January 2024 to companies with 1,000 or more employees in Germany. Within a group, the German headcount of all group companies counts towards the German top entity (§ 1(3) LkSG), and temporary agency workers count after six months of assignment (§ 1(2) LkSG). Once in scope, the entity must appoint a human-rights officer, submit an annual report to the BAFA, run risk analyses across direct suppliers and document remediation actions across the supply chain. Fines under § 24 LkSG reach 8 million euros, or 2 percent of average annual turnover for groups above 400 million euros revenue.
Second, the General Equal Treatment Act (AGG) requires every employer to operate a complaints office (Beschwerdestelle) under § 13 from the first employee, with a designated impartial person, a written procedure and a documented case file format. The role is small in workload but mandatory in form. Third, the Occupational Safety Act (§ 5 ArbSchG) requires a risk assessment for every workplace, regardless of size, documented under § 6 ArbSchG and drawn up with the support of a Fachkraft für Arbeitssicherheit whose hours are scaled by DGUV Vorschrift 2. These three statutes share a pattern: low political profile, easy to forget in a US-driven onboarding, hard liability when an inspector arrives. Audit-proof, documented, statute-proof is the operating standard. See the role profile for the LkSG officer for the full documentation set and supplier-risk template library.
Operating Model: License a Workspace or Appoint External Officers
A US parent has two practical operating models for its German subsidiary. Model A is the in-house route: appoint a German employee for each mandatory role, train them via accredited courses, equip them with audit templates and a deadline calendar, and report into the US compliance function on a quarterly cadence. The model works if the German entity is above 250 employees, has a dedicated compliance budget and can absorb the training cost in the first 18 months. The structural risk is the appointment gap when a person leaves on short notice: the role becomes vacant, the personal liability falls back on the Geschäftsführer under § 130 OWiG, and the deadline calendar runs blind during the recruitment window. Most US parents underestimate this gap because US compliance roles rarely carry personal regulatory liability.
Model B is the externally appointed officer: a qualified external person is appointed in writing for the German entity under the relevant statute, supported by software, evidence templates and a deadline engine. The route is the German legal standard for data protection officers (Art. 37(6) GDPR explicitly allows external DPOs), for company physicians, occupational safety specialists, fire safety officers, money-laundering officers and all 25 statutory roles in the standard mid-market matrix. The CIVAC SLA is 2 working days to appointment versus 2 to 6 weeks in the classical broker market. The dual-model framing matters here: license the workspace for your internal officers, or have CIVAC's officers appointed.
From Reading to Mandate: The Next 30 Days
The pragmatic next steps for a US group with a German subsidiary are bounded and concrete. Within 7 days, list every mandatory role for the German entity using the 25-role matrix, mark the current appointment status (signed Bestellurkunde or open), and identify the three roles where the German GmbH is currently exposed without written appointment. Within 14 days, draft the appointment documents for the missing roles, decide for each role whether to appoint internally or externally, and assign a clear reporting line to the Geschäftsführer with a quarterly reporting cadence. Within 30 days, populate the deadline calendar with the 24-hour, 72-hour and statutory feedback windows that apply to the entity's sector, load the evidence templates into a single audit-ready workspace, and run a first dry run of the incident reporting pathway to the BSI and the state data protection authority.
CIVAC supports both halves of the operating model. The compliance platform and officer-as-a-service publishes 490 audit-ready templates, 93 ISO 27001:2022 controls and a NIS-2 24/72-hour reporting pathway with EU data residency, all evidence stored in EU regions only. The reporting line to the German managing director is documented in the appointment papers, the Bestellurkunde is signed and timestamped, and the next supervisor request is answered from the archive in minutes, not days. Turn reading into a mandate. Contact the team via info@civac.de or the contact form on civac.de/faq for an entity-specific officer map within two working days, including a draft appointment-document set for the three roles you currently miss.
FAQ
Does our US-based Data Protection Officer satisfy German GDPR requirements?
No. Article 37 GDPR and § 38 BDSG require a Data Protection Officer designated in writing for the German legal entity, reachable in German, with documented independence, and the DPO's contact details must be published and communicated to the competent state supervisory authority (Art. 37(7) GDPR). A US-based privacy officer can support the function but cannot replace the formal appointment for the German entity.
When does NIS-2 apply to a US-owned German subsidiary?
NIS-2 applies once the German entity falls into a sector of the annexes and meets the size threshold: 50 or more employees, or more than 10 million euro in both turnover and balance sheet total, for an important entity; 250 or more employees, or more than 50 million euro turnover and 43 million euro balance sheet total, for an essential entity. The size criteria follow EU Recommendation 2003/361/EC, so the US parent's revenue and headcount can count into the calculation.
Can we run the German whistleblower channel from our global ethics hotline in the US?
Not on its own. The HinSchG requires a German-language channel, EU-hosted data, a designated impartial case manager and statutory deadlines (7 days acknowledgement, 3 months feedback). A US hotline can be a supplementary route but does not replace the local channel and does not protect against fines under § 40 HinSchG of up to 50,000 euros per blocked case.
Who is personally liable if a German subsidiary misses a compliance deadline?
The Geschäftsführer of the German GmbH, under § 130 OWiG towards the authorities and § 43 GmbHG towards the company. The personal fine, and any criminal exposure under the statute that was violated, cannot be transferred to the US parent or fully covered by a standard D&O policy. Documented appointments, written instructions, training records and supervision logs are the structural defence in any § 130 OWiG investigation.
Is ISO 27001:2022 enough to cover NIS-2 obligations?
ISO/IEC 27001:2022 with its 93 Annex A controls covers the substance of § 30 NIS2UmsuCG risk-management measures. The certificate alone is not a NIS-2 registration: the entity still must register with the BSI within three months, appoint an information security officer in writing and operate the 24/72-hour incident pathway to the BSI portal.
How fast can CIVAC appoint external officers for a German subsidiary?
The CIVAC SLA is 2 working days from signed mandate to appointed officer, with the Bestellurkunde (appointment deed) issued, the reporting line defined and the audit workspace populated with evidence templates. The classical broker market typically runs 2 to 6 weeks for the same scope. The dual-model frame applies: license the workspace internally or appoint CIVAC officers externally.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.