
EU AI Act Fines of €35 Million Loom as German Firms Face Twin Compliance Pressures

24.06.2026 - 12:04:53 | boerse-global.de

Over 30,000 German firms face EU AI Act penalties up to €35M by Aug 2026, plus NIS-2, BetrSichV, and cyber mandates—legacy machinery and lone workers are key risks.

Germany's 2026 AI Act Deadline: Compliance, Legacy Risks & Cybersecurity

More than 30,000 companies across Germany must prepare for a regulatory deadline that carries penalties of up to €35 million or seven percent of annual worldwide turnover. The EU AI Act's compliance requirements for high-risk artificial intelligence systems take effect on 2 August 2026, demanding that businesses already have a governance structure and risk analyses in place.

Yet the AI Act is only one front in a widening battlefield. The NIS-2 implementation law, transposed from an EU directive, adds another layer of digital compliance. Operators of critical infrastructure and many other entities now face obligations to harden their operational technology (OT) systems using a risk-based approach. The two regulatory frameworks are pushing safety and security far beyond traditional physical protections.

Older Machinery and the False Promise of Grandfathering

Many companies running legacy equipment assume they are protected by grandfathering clauses. That assumption is increasingly misguided. A continuous risk assessment and retrofitting cycle has become mandatory. An older machine may keep running only if its safety is permanently guaranteed — and the foundation for that guarantee is a thorough hazard evaluation.


For work platforms and maintenance gantries, the German Ordinance on Industrial Safety and Health (BetrSichV) together with the Technical Rules for Operational Safety (TRBS 2121) impose specific requirements. Manufacturers are already offering project-specific solutions built on individual risk assessments, responding to the tightening regulatory environment.

Lone Workers: Dead-Man Switches and Automated Alarms

Employee safety during lone work — tasks performed out of sight and earshot of colleagues — remains a central concern. The DGUV Rule 112-139 obligates employers to use personal emergency signal devices (PNA). When a worker stops moving, the device automatically triggers an alarm and transmits the person's location.

Technical aids, however, are not substitutes for a comprehensive risk assessment. They supplement it. The process analysis technology (PAT) community, under the umbrella of NAMUR, recently issued a new position paper recommending diagnostic functions, watchdog concepts and diverse redundancy for complex safety systems.

When Software Ages Faster Than Machines

A chronic mismatch in lifecycle durations exposes companies to cyber risks. Building infrastructure often lasts more than 50 years; machinery 10 to 20 years. Software components, by contrast, become obsolete within one to three years. Cyberattacks increasingly exploit known vulnerabilities that arise from this gap.

Continuous patch management and monitoring have therefore become essential. Many firms are automating firmware analysis and vulnerability management to meet regulatory requirements such as the Cyber Resilience Act (CRA) and the IEC 62443 standard for industrial cybersecurity.


Hardware Disposal: The Dangers of Incomplete Data Erasure

Safety obligations do not end when equipment is taken out of service. Discarded hardware can leak sensitive data, triggering fines under the General Data Protection Regulation (GDPR). Simply deleting files with software is often insufficient, especially with damaged storage media.

Experts recommend physical destruction in line with the DIN 66399 standard for secure data erasure. Only that method guarantees complete elimination of data and minimises legal liability.
