
Special Report

What to Expect in 2023: Trends and Predictions for Compliance


Welcome to DataGuard’s first annual Compliance Report

Is your organisation struggling to keep up with the ever-changing world of compliance? Do you find it challenging to navigate through the latest regulatory environment? Our special report is here to help.

Designed to keep you informed on the latest compliance landscape changes, this report is your go-to resource for staying up to date with the most recent regulatory updates. Our expert has analysed and examined the current state of compliance, tracing its journey from 2021 to 2023.

But that's not all. This report also provides actionable insights and predictions on compliance trends for 2023 and beyond.

Here, we discuss the call for holistic third-party risk management for ESG, achieving cyber resilience, strengthening cybersecurity through the NIS2 Directive, and the Cyber Resilience Act. We also emphasise the importance of taking Whistleblowing seriously and provide tips on how to be proactive.

Don't let the constantly evolving regulatory environment catch you off guard. Stay ahead of the game with our special report, and let it be your guide to navigating compliance in 2023 and beyond.


Old Wine in New Bottles – A Journey from 2021 to 2023

The world has changed in the last three years since the pandemic hit. While pandemic-related topics like occupational health and safety or data protection were still present at the beginning of 2022, they were no longer at the forefront of people’s minds. Instead, cybersecurity became a greater priority due to the changing geopolitical situation.

2021 saw the end of the deadline for transposing the EU Whistleblowing Directive into national law. And after 24 EU Member States failed to transpose the Whistleblowing Directive correctly or at all as of December 17, 2021, the European Commission launched corresponding infringement proceedings before the European Court of Justice (CJEU). Afterwards, whistleblowing became an important topic that accompanied us throughout 2022. It was also one of the hottest topics of conversation at all major compliance events.

The Supply Chain Duty of Care Act (Lieferkettensorgfaltspflichtengesetz, LkSG) was another topic from 2021 that was on the agenda of almost every compliance conference. The act was passed in the summer of 2021. The task in 2022 was to anchor a company’s corresponding due diligence obligations through appropriate processes and governance.

First things first: Why should companies care about whistleblowing?

Whistleblowing is essential for any company that wants to promote a culture of accountability and integrity. There are multiple reasons why whistleblowing is important:

  • Exposing wrongdoings: Whistleblowing can help expose unethical or illegal activities that might otherwise remain hidden and bring them to the attention of relevant stakeholders and authorities. It can lead to corrective action being taken and prevent further harm.

  • Accountability and transparency: Whistleblowing can increase accountability and transparency in organisations. It can deter employees from engaging in unethical or illegal behaviours and promote a culture of integrity and ethical conduct.

  • Protection of public interest: Whistleblowing can serve the public interest by exposing fraud, waste, and abuse of power and preventing harm to individuals, society, and the environment.

The purpose of the EU Whistleblowing Directive is to enable whistleblowers to raise their concerns without fear and provide them with greater protection.

And similar to data protection, whistleblowing also gained new momentum in the spring of 2022 when the long-awaited draft bill for a Whistleblower Protection Act (HinSchG) was published. And it had a lot to live up to.

The draft law went far beyond the minimum requirements of the directive in many respects. For example, the scope of the HinSchG is much broader: it is not limited to reporting violations of European law but also covers a variety of criminal and administrative offences under national law.

The business community saw the draft as an “almost obsessive legislative over-reach”. The EU Commission also took umbrage at the German draft and criticised it in two statements.

  1. The Commission criticised the German approach, under which a single central reporting channel is sufficient within a corporate group, as incompatible with the Whistleblowing Directive. Instead, each company, even within a group, would have to set up its own separate reporting channel.

  2. Compliance practitioners also criticised the requirement that anonymous reports should not be processed – a criticism we absolutely agree with. Experience shows that whistleblowing systems should be designed to be as low-threshold as possible. The government’s fear of a flood of unjustified reports and denunciations, used to justify such a rule, is also contradicted by relevant current studies.

The revised draft laws published during 2022 took up some of the criticism voiced. For example, information received anonymously from internal and external channels must also be processed – including an obligation to set up anonymous reporting channels.

The voices from Brussels were also supposedly heard: the directive allows reporting channels to be outsourced to external third parties, and the current draft law takes advantage of this. It enables a central reporting office to the extent that the respective group companies outsource these functions to another company as a “third party”. Only time will tell whether this construct will stand up or be ruled contrary to European law by the CJEU.

The German law was expected to enter into force in spring 2023. However, it failed epically to pass the second parliament chamber (“Bundesrat”) in February 2023. Incidentally, Germany is not alone. So far, 19 member states (including France, Denmark, and Sweden) have implemented the directive. And parliamentary deliberations are still underway in 8 countries.

The Current State of Compliance

ESG – Call for Holistic Third-Party Risk Management

The German Supply Chain Act came into force on January 1, 2023, and the EU Corporate Sustainability Due Diligence Directive will be negotiated in 2023. It will impose strict accountability and audit obligations on organisations’ supply chains regarding violations of human or environmental rights. While German law only requires identifying and remedying infringements in first- and second-party vendors and suppliers, the proposed EU law is far stricter: it would cover the entire supply chain of your organisation.

Companies must also publish an annual report with analytics and implement a grievance mechanism for employees and the public to report potential risks or shortcomings. In recently published guidance, the German regulator demands holistic risk analyses and management. Thus, Third Party Risk Management (TPRM) will become a crucial factor for compliance managers in the future.

As these external partnerships have grown more complex over the years, the need for a new approach to supplier risk management has become apparent. Current monitoring methods fail to take into account the inevitable changes in today’s business, and they regularly do not meet the standards set by upcoming regulations.

Is Your Organisation Prepared for Sophisticated Ransomware Attacks and Upcoming Strict Regulations?

With the advent of cyberwarfare and hacktivism in the geopolitical context, there has been a shift towards high-risk cyber operations and deadly cyberattacks.

According to recent reports by ENISA (European Union Agency for Cybersecurity) and its UK equivalent, the NCSC (National Cyber Security Centre), ransomware attacks rank as the prime and “most acute” threat, with more than 10 terabytes of data stolen monthly in 2022.

That means cyber resilience should be a key topic for your organisation in 2023. Such attacks will likely increase and become more sophisticated and efficient, causing more devastating harm to private companies and the entire public infrastructure.

What can you as an organisation do?

Due to geopolitical crises and corporate disruptions, organisations will need to stress-test their business continuity management processes. They should build a holistic framework for attack prevention and response, including ransomware threats. A holistic (i.e., structured and consistent) approach is critical to mitigating these cyberattacks.

We agree with leading cybersecurity experts that this approach should include a “maturity plan” to ensure cybersecurity and preventative measures. These measures can include staff training, auditing email and network security, backups, and internal governance to safeguard the confidentiality, integrity, and availability of data.

In the mid-term, this will become mandatory for many European organisations anyway. The EU has enacted and will enact several laws to address the increasing cyber threats as part of their broader digital & data strategy.

What to Expect in 2023: Trends and Predictions for Compliance

The NIS2 Directive: Strengthening cybersecurity

In November 2022, the EU Parliament adopted the NIS2 Directive at first reading by a large majority. The new edition of the European directive aims to address the deficiencies of the previous NIS Directive in order to ensure a high level of network and information security, adapt it to current needs and make it future-proof.

NIS2 provides for a massive expansion of the current directive’s scope and, compared to its predecessor, only a short implementation period: 21 months after the directive entered into force on January 16, 2023.

Under NIS2, new legal obligations for cybersecurity will be imposed on businesses with more than 50 employees and an annual turnover of €10 million if they belong to a critical or important sector. Relevant sectors include, for example, cloud providers, data centres, content delivery networks and broad sections of industry (e.g., pharmaceuticals, medical devices, chemicals and food).

In particular, the NIS2 key provisions include:

  1. Expansion of Scope: One of the most significant changes introduced by the NIS2 Directive is the expansion of scope. The directive applies to a broader range of organisations than the previous iteration, including online marketplaces, search engines, and cloud computing services.

    This expansion of scope aims to ensure that a more extensive range of organisations is held accountable for the security of their networks and information systems.

  2. Cybersecurity Incident Reporting: Under the NIS2 Directive, organisations that provide essential services must report any significant cybersecurity incidents to the relevant national authority. This provision aims to improve the response time to cyber threats and ensure that member states have a comprehensive overview of cybersecurity incidents across the region.

    It is worth noting that some member states already have mandatory reporting requirements in place, and the NIS2 Directive builds upon these requirements.

  3. Strengthening of Security Requirements: The NIS2 Directive also strengthens the security requirements for organisations that provide essential services. These requirements include implementing appropriate technical and organisational measures to ensure the security of their networks and information systems.

    They must also ensure effective incident response plans are in place to mitigate the impact of any cybersecurity incidents.

  4. Certification Schemes: The NIS2 Directive introduces a framework for creating certification schemes for cybersecurity products and services. These schemes will help identify and select products and services that meet a high level of security requirements.

    They will also promote the development of cybersecurity products and services that meet the needs of the EU market.

 

What’s coming and how to prepare with ISO 27001? DataGuard teamed up with business newspaper Handelsblatt to talk with Dr. Marnix Dekker, Head of Sector NIS at ENISA (European Union Agency for Cybersecurity), our DataGuard Co-Founder Kivanc Semen and Dr. Frank Schemmel, Senior Director International Privacy & Compliance at DataGuard about why NIS2 was established, what changed compared to NIS1 and how to best prepare your company for the upcoming laws.


Cyber Resilience Act

Additionally, the EU Commission published the first draft of a new “Cyber Resilience Act” (CRA) in September 2022, aiming to safeguard consumers and businesses buying or using products or software with a digital component. Inadequate security features will become a thing of the past. Manufacturers and resellers of such products will have to fulfil mandatory cybersecurity requirements that span the entire product lifecycle.

 

Our Conclusion:

With the planned requirements of the CRA, the cybersecurity requirements for digital products will be tightened again, especially for manufacturers but also for importers and retailers of digital products.

Despite the transitional period of 12 and 24 months in the CRA, companies should address their obligations early and establish a product-related cybersecurity compliance management system to integrate them into their processes. The latter is also advisable for manufacturers to avoid possible product warnings due to security vulnerabilities by regulators such as the German Cybersecurity Agency BSI and the associated negative publicity and media coverage.

 

Are you taking Whistleblowing seriously?

In 2023, organisations should also become serious about whistleblowing. Every company in Germany with 250 or more employees will then be obliged to set up an internal reporting channel. This threshold will be lowered to 50 employees as of December 17, 2023.

Therefore, companies should act now.

You can find an overview of the most important requirements under the EU Whistleblowing Directive and the HinSchG in the table below. It is generally advisable to use a digital solution to implement these requirements efficiently and in a scalable manner.

Requirements under the Whistleblowing Directive / HinSchG, by topic:

Thresholds
  • 250 employees
  • As of December 17, 2023: 50 employees

Target Group (Personal Scope of Application)
  • Employees and temporary workers working for the employer, as well as employees of contractors and suppliers

Reporting Content (Material Scope)
  • Information about violations of EU law
  • Information about criminal/administrative offences according to national law
  • Information about “abusive conduct” contrary to the objective and purpose of the material scope of application, in a work-related context in the public or private sector

Reporting Channel
  • Must allow notifications in oral or text form

Procedure & Process
  • Reviewer: an independent person or department (outsourcing possible)
  • Confidentiality of the whistleblower’s identity is maintained
  • Receipt of the report is confirmed and, if necessary, further information is requested to clarify the facts of the case
  • Anonymous reports are possible, and anonymous reporting channels must be provided
  • Observance of deadlines (7 days/3 months)
  • Proper follow-up measures
  • Easily accessible reference to procedures for external reporting to competent authorities

Documentation / Reporting Obligations
  • Documentation in a “permanently retrievable manner”
  • Deletion routine: 3 years after completion of the case
  • No statutory review and reporting obligations

Central Group Reporting Channel
  • Allowed under the HinSchG but highly disputed (possibly contrary to European law)

Legal Consequences
  • Prohibition of retaliation and reversal of the burden of proof
  • Damages for the whistleblower in case of retaliation
  • Damages for the employer in case of a false report
  • Fines of up to 100,000 EUR for disclosure of incorrect information and for failure to set up an internal reporting channel


About the author


Dr. Frank Schemmel

Senior Director International
Privacy & Compliance


Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, has supported DataGuard since 2018 in various management positions (incl. Head of Privacy) and is currently responsible for the company-wide content, strategic design and optimisation of the DataGuard service lines “Privacy” and “Compliance”, a hybrid model of first-class consulting and support through self-developed, scalable software solutions. As a certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all topics of data protection, IT security and general compliance. Before joining DataGuard, he worked for Allen & Overy LLP for five years in the area of data protection and employment law as a consultant and legal project manager. He regularly publishes in relevant media and shares his experience as a lecturer at universities (Duesseldorf, Augsburg), conference speaker (euroforum Datenschutzkongress, bitkom Privacy Conference, IAPP Data Protection Intensive: Deutschland) and webinar host.

