Interim management blog

From cyber security to supply chains: Companies need to know these laws

"Not again!" These three words are probably among the typical reactions of companies when a new law is passed and is soon to come into force. Yes, newly enacted laws, regulations and directives usually have a difficult time. One of the reasons for this is that companies usually see them as a brake on innovation and an obstacle to growth. Yet such laws not only bring challenges, but also open up opportunities. At the same time, there is usually no way around them. This is because companies risk high penalties if they disregard them. We present the most important laws and give an outlook on what companies can expect in the future.
 

Supply Chain Duty of Care Act: Act globally, be liable locally

Since January 1, 2023, the Supply Chain Duty of Care Act (LkSG), or Supply Chain Act for short, has been setting new standards in terms of corporate responsibility. Companies based in Germany with more than 3,000 employees are obliged to comply with human rights and environmental due diligence obligations along their entire supply chain. From January 1, 2024, the scope of application was extended to companies with more than 1,000 employees, which particularly affects the upper small and medium-sized enterprises. As a result, the focus is increasingly on sectors with strong global networks, such as the automotive, electronics, food and textile industries.

Important information ❗
Politicians are currently discussing reforming the law in order to reduce the burden on the German economy. The debate reflects the tensions between economic interests and the protection of human rights - an issue that companies should follow closely.


Duties: Identify risks and publish reports

The Supply Chain Act instructs companies to carry out systematic risk analyses in order to identify potential violations of human rights and environmental standards at an early stage. Particularly critical aspects include unfair working conditions, child labor and environmental destruction. It is not only important to take preventive measures to proactively prevent such violations, but also to act quickly and effectively when violations occur. At the same time, companies are obliged to document their efforts and publish them in an annual report.
 

Opportunities: transparency creates trust

The Supply Chain Act not only creates obligations, but also opens up opportunities: if companies make their supply chains sustainable and transparent, this creates trust among their customers and strengthens their reputation. Conversely, violations of the Supply Chain Act can have serious consequences. In addition to fines of up to eight million euros or two percent of global annual turnover, there is also the threat of exclusion from public contracts. It is important to note that the regulations not only affect large companies, but also small suppliers who are contractually bound to comply with the due diligence obligations. As a result, the Supply Chain Act indirectly places many medium-sized companies under obligation.

The Supply Chain Act therefore marks a turning point for companies in Germany. It not only forces them to rethink compliance, but also requires companies to take proactive measures to protect human rights and uphold environmental standards.
 

Corporate Sustainability Reporting Directive: sustainability = duty

The Corporate Sustainability Reporting Directive (CSRD) came into force in January 2024, obliging large companies to produce extensive sustainability reports. The new regulation builds on the previous Non-Financial Reporting Directive (NFRD) and significantly tightens the reporting obligations. Companies must now provide detailed insights into their sustainability strategy and disclose how their business activities impact society and the environment. In the coming years, CSRD reporting will be extended to other groups of companies: from 2025, it will apply to all companies with large balance sheets. And from 2026, capital market-oriented small and medium-sized enterprises (SMEs) with at least ten employees will also be required to report.
 

Sustainability becomes the reporting standard

The EU has developed the European Sustainability Reporting Standards (ESRS) in order to ensure uniformly designed reports. These specify exactly what information must be disclosed. Among other things, companies must report on their governance structure, objectives and progress. This requirement not only serves as a management tool for the companies themselves, but above all enables investors to assess the sustainability of portfolios and make well-founded investment decisions. Sustainability is therefore becoming a standard topic in reporting - and an obligation for companies.
 

Convince with credibility and transparency

Companies that rely on comprehensive sustainability reporting at an early stage can position themselves as pioneers and secure competitive advantages. What's more, with credible and transparent reports, companies strengthen their long-term trust with customers, investors and stakeholders. However, implementation is not without its challenges: creating sustainability reports requires new processes and structures. It also requires a deep understanding of the company's own sustainability aspects and risks. Here too, companies can expect severe sanctions if they fail to meet their reporting obligations. This makes it all the more important to act in good time and take the necessary measures to implement CSRD.

📖Reading tip
Find out in the interview with ESG expert Karolin Rohmer how SMEs can navigate the regulatory jungle and get off to a pragmatic start when it comes to sustainability.


AI Act: Rules of the game for the future of AI

The European Union's AI Act came into force in August 2024 - a groundbreaking law that regulates the use of artificial intelligence (AI) in the EU. On the one hand, the AI Act aims to support innovations "Made in Europe". On the other hand, it creates clear rules for the safe deployment and responsible use of AI-based systems. The AI Act affects a large number of companies that use artificial intelligence in some form. Essentially, the Act aims to assess the risk of AI systems and issue corresponding regulations. This is particularly relevant for companies operating in highly regulated sectors such as healthcare, financial services and critical infrastructure. However, human resources is also affected by the impact of the AI Act.
 

The riskier the AI system, the stronger the regulation

The AI Act takes a risk-based approach. This means that the higher the risk associated with an AI application, the stricter the regulations. AI systems are divided into four risk groups:

  • Unacceptable risk: Systems that are (or can be) used for social scoring or real-time biometric remote identification will be prohibited in future.
  • High risk: Applications that are used within critical infrastructures, by security authorities or in personnel administration are subject to strict requirements, such as human control of the systems, precise technical documentation and robust risk management.
  • Limited risk: Systems such as chatbots or AI-based customer hotlines may be used if their operators ensure transparency and let users know that they are interacting with an AI.
  • Minimal risk: AI applications such as spam filters or AI-powered video games fall under this category and are not subject to any special requirements.

📖Reading tip
In our article AI in recruiting, you can find out more about the opportunities and risks. We also present our own approach.

Must-have: AI governance program

For companies, this means that they need to carefully analyse their AI systems and adapt them according to their risk classification. High-risk applications in particular, such as those used in HR processes to assess applicants, require strict measures. From February 2025, companies will be prohibited from using AI systems with "unacceptable risk". At the same time, all AI systems classified as "high-risk" must comply with the requirements of the AI Act by August 2025 at the latest. Here too, the same principle applies: companies that focus on compliance at an early stage strengthen trust - both among customers and investors. In addition, the use of innovative and secure AI solutions can give companies a competitive edge in the long term. Violations can result in high fines of up to 35 million euros or seven percent of global annual turnover - whichever is higher. It is therefore important that companies set up an AI governance programme at an early stage to comply with legal requirements and minimize risks.
 

NIS 2 Directive: Protect yourself if you can

The NIS 2 Directive, also known as the "Network and Information Security" Directive, has been in force throughout the EU since 2023 and is expected to be transposed into national law in Germany in March 2025. The aim is to raise the level of cyber security in the EU to a uniformly high level and to better protect critical infrastructures (KRITIS) against cyber attacks. The NIS 2 Directive affects companies from a total of 18 sectors, including energy, finance, healthcare, transportation and digital platforms. Service providers and suppliers of critical infrastructure are also affected. This means that even smaller companies that play a significant role in the supply chain are now held responsible.
 

Managing IT security risks systematically

The NIS 2 Directive introduces uniform minimum requirements for cyber security across the EU. These must be implemented according to an "all-hazards approach". This ensures that companies are not only prepared for targeted cyber attacks, but for all potential threats. To strengthen the resilience of their IT systems, companies must implement measures such as risk analyses, incident management and crisis management. This includes the following aspects:

  • Risk assessment: Companies are required to carry out a continuous assessment of security risks and implement suitable protective measures.
  • Business continuity and crisis management: Backups and restoring systems quickly after an incident are key requirements.
  • Supply chain security: Companies must ensure that their suppliers comply with high cyber security standards.
  • Reporting obligation: Companies must report security incidents within 24 hours and submit a detailed report within 72 hours.

Robust risk management and comprehensive security strategy

The NIS 2 directive also increases the penalties for breaches. Companies that neglect their security measures or fail to report security incidents in good time face fines of up to ten million euros or two percent of their global annual turnover - whichever is higher. For SMEs, fines of up to seven million euros or 1.4 percent of global turnover can be imposed for violations. While large companies have been pursuing cyber security strategies for some time, many SMEs and suppliers are now also required to adapt their security architecture. In order to meet the requirements and avoid possible sanctions, it is important to develop robust risk management and a comprehensive security strategy as early as possible.
 

Accessibility Reinforcement Act: Surfing without digital hurdles

The Barrierefreiheitsstärkungsgesetz (BFSG) will come into full force on June 28, 2025. It requires companies to make their digital services and products accessible. This regulation implements the EU Accessibility Directive (European Accessibility Act, EAA) in Germany. The BFSG ensures that digital services are accessible to all users - especially people with disabilities. For the first time, the Accessibility Reinforcement Act obliges the private sector to implement digital accessibility. Companies that offer websites, apps or other digital services must ensure that their offerings are accessible by 2025. This applies equally to B2C and B2B companies. The BFSG is also binding for companies that provide digital content or products, such as banking services, e-commerce platforms or telephone services.
 

Digital services for all

In order to make their digital services accessible, companies are required to implement various measures. This includes, for example, providing text alternatives for visual content such as images and videos so that people with visual impairments can also use the information without any problems. In addition, all content must be compatible with screen reader technologies so that it can be correctly captured and reproduced by them. Another important element is the possibility of keyboard navigation. This means that websites must be designed in such a way that users can navigate through the content without a mouse. It is also important to ensure media accessibility, for example by providing subtitles or sign language translations for videos. Finally, users should be able to make individual adjustments, for example with regard to font sizes, colors or contrasts.
 

Take action now

Even if the law does not fully apply until 2025, companies should start checking their digital offerings for accessibility now. This is because adaptations often require far-reaching technical and design changes that take time and resources. In addition, accessible digital offerings are a sign of social responsibility and offer companies the opportunity to stand out positively in the market. If companies do not comply with the requirements of the BFSG, they can face penalties of up to 100,000 euros. Placing non-accessible products or services on the market is also punishable as an administrative offense.
 

Positioning for the future - with the support of external experts

There is no question that the latest laws pose significant challenges for companies, particularly in the areas of compliance, cyber security and sustainability. Companies should prepare for this at an early stage by adapting their internal processes and taking measures to comply with the regulations. However, they do not have to do all of this alone. With the help of external experts, such as our experienced interim professionals, companies can proactively tackle regulatory and legal requirements without overburdening existing resources. For example, interim managers can help optimize supply chain processes, audit AI systems, make digital offerings accessible and develop sustainability and cyber security strategies. This ensures that all regulations are implemented correctly from the outset and that companies meet all compliance requirements in the long term - for a future-proof path that creates transparency and strengthens trust.

Do you need support to implement regulatory requirements efficiently? Or would you first like to get an overview of which measures are relevant for you? Our interim professionals are here to help you. Feel free to contact us at any time!
