
New German Safety and Cyber Laws Create Twin Compliance Challenge for Mid-Sized Firms

05.06.2026 - 01:24:05 | boerse-global.de

New German laws raise safety officer thresholds to 50 employees and enforce NIS-2 digital resilience rules, forcing thousands of mid-sized businesses to comply by 2026.

Germany Tightens Workplace Safety & Cyber Rules for Mid-Sized Firms

Germany's mid-sized businesses are facing a double regulatory shake-up that tightens both physical workplace safety and digital resilience. Since late May, two separate legal changes have taken effect, each with distinct thresholds now forcing thousands of companies to reassess their compliance obligations.

Under a revision to § 22 of the Social Code Book VII (SGB VII), the threshold for appointing a safety officer (Sicherheitsbeauftragter) has been raised from 20 to 50 employees. The Bundestag approved the amendment on March 26, and it entered force on May 29, 2026. The rule now reads:

  • Companies with 50 to 249 employees must designate at least one safety officer.
  • Firms with 250 or more staff remain bound by existing requirements on the number of officers.
  • Small operations with fewer than 20 employees continue to be exempt.
  • Employers with 20 to 49 workers are only obliged to appoint a safety officer if their activities involve particular hazards.

Ignoring the new regulation can result in fines of up to €10,000.


On the digital side, the transposition of the NIS-2 Directive into German law is tightening reporting and risk-management duties. The Bundestag passed the NIS2UmsuCG on November 13, 2025, followed by the Bundesrat on November 21. The rules apply to any company with more than 50 employees or an annual turnover above €10 million, provided it operates in a regulated sector such as energy, transport, or manufacturing. Affected firms must verify their status and register with the Federal Office for Information Security (BSI).

Under NIS-2, obligations include structured risk analyses, incident management, business continuity planning, supply-chain security, multi-factor authentication, and robust governance frameworks. Digital service providers face even stricter documentation requirements under the EU Implementing Regulation 2024/2690. Crucially, company management now bears increasing personal liability for timely reporting.

Parallel trends in liability are also visible in the Public Country-by-Country Reporting (pCbCR) regime, where executives carry full responsibility for transparency and internal controls without a mandatory external audit.

Industry experts advise adopting a holistic compliance strategy for 2026, noting that physical safety and cyber resilience are becoming tightly interlinked. Quantitative risk analyses that combine insurance data, climate maps, and cyber-threat intelligence are increasingly in demand.


To help businesses navigate the changes, several industry events are scheduled for summer 2026:

  • June 10, 2026: Webinar by G DATA CyberDefense AG on correct reporting under NIS-2
  • June 11–12, 2026: KNX Summit 2026 in Hanover, featuring ZVEH vice-president Karsten Krügener on integrated building security
  • July and October 2026: Special workshops on ISO-27001 implementation in the context of NIS-2

Both labour inspectorates and the BSI have announced they will rigorously enforce the new rules. The message is clear: neglecting either set of requirements carries real financial and legal risks.
