11 December 2025 | 6 min

Holiday gifts for business partners in the DACH region

During the Christmas season, many companies take the opportunity to thank their business partners with small gifts. These gestures strengthen relationships, show appreciation and are often part of a company’s culture. At the same time, tax rules, compliance requirements and internal guidelines must be respected – and these differ between Germany, Austria and Switzerland.

This article provides a current and balanced overview of the legal and practical framework for holiday gifts in all three DACH countries. It explains what companies should consider in order to give appropriately, avoid risks and maintain trust.

  • In all three countries, the same core principles apply: gifts must be business related, appropriate and transparent.
  • Germany has a tax threshold of 50 euros per recipient and calendar year for business gifts.
  • Austria and Switzerland do not use a single statutory value limit, but focus on appropriateness, business purpose and documentation.
  • Clear internal guidelines and consistent documentation are recommended throughout the DACH region.
  • Gifts to people in the public sector or highly regulated industries require particular caution.

Why clear rules are important in all three countries

Regardless of whether a company is based in Austria, Switzerland or Germany, gifts must never give the impression that they are intended to influence business decisions improperly. Compliance standards, anti-corruption rules and tax legislation are designed to ensure clean business relationships.

Companies should therefore apply clear and comprehensible principles in every country in which they operate. This prevents misunderstandings, reduces legal and tax risks and creates a uniform standard for all employees.

Current regulations at a glance

Germany

Germany is the only DACH country with a clearly defined tax limit for gifts to business partners. Business gifts are tax deductible up to 50 euros per recipient and calendar year if they are business related and properly documented.

For gifts that exceed this amount, the tax deduction may be denied unless the gift is clearly and exclusively usable for business purposes.

Austria

Austria does not work with a uniform fixed value limit. Instead, the following aspects are crucial:

  • the gift must serve a clear business purpose
  • the value must be reasonable in relation to the relationship and the occasion
  • the gift must be documented in a comprehensible way

As in the other DACH countries, gifts must not be used to gain improper advantages. Particular care is required in the public sector and in strongly regulated industries.

Switzerland

Switzerland also has no statutory standard limit for gifts to business partners. The focus is on:

  • usual appropriateness according to Swiss business practice
  • transparency and traceability
  • compliance with internal rules and industry-specific regulations

Swiss business culture tends to favour modest, high-quality but unobtrusive gifts rather than expensive luxury items.

Common basic principles for the entire DACH region

Despite the legal differences, companies in Germany, Austria and Switzerland can follow a common set of basic rules.

Appropriateness

The gift should match the business relationship, the role of the recipient and the occasion. Very expensive or flashy gifts can quickly appear inappropriate.

Business purpose

Holiday gifts should always serve a legitimate business purpose, such as maintaining a good relationship or thanking partners for successful cooperation. They must not be used to steer decisions or promises of business.

Documentation

For every gift, companies should record at least the following:

  • name of the recipient and company
  • occasion
  • date
  • value
  • business purpose

This documentation helps during tax audits and internal or external compliance checks.

Caution with public sector recipients

For employees of authorities, public hospitals, universities, municipalities and similar organisations, stricter requirements usually apply in all three countries. Often only very small tokens are permitted, and in some cases gifts are completely prohibited. When in doubt, it is better to ask in advance or avoid gifts altogether.

Recommendations for companies in the DACH region

  1. Create a clear, written gifting policy that applies in all locations.
  2. Define maximum values for gifts per person and per year.
  3. Ensure consistent documentation of all gifts to business partners.
  4. Pay special attention to sensitive sectors such as the public sector, healthcare or regulated industries.
  5. Plan gifts early and avoid borderline cases in terms of value or type of gift.
  6. Consider alternatives such as charitable donations in the name of a business partner instead of material gifts.

Why restraint is often the best strategy

No matter in which of the three countries a company operates, gifts that are too expensive or too personal can send the wrong signal. They may be perceived as an attempt to influence decisions and can trigger tax or compliance issues.

Modest, tasteful gifts or a personal handwritten card are often more effective and credible than high-value items. What counts in the long term is trust and partnership – not the material value of a present.

FAQ – Frequently asked questions in the DACH region

Is there a single value limit that applies to the whole DACH region?

No. Germany has a defined tax threshold of 50 euros per recipient and calendar year for business gifts. Austria and Switzerland use the principles of appropriateness, business purpose and documentation instead of fixed legal limits.

May I give expensive gifts in Austria or Switzerland if they seem appropriate?

In principle this is possible, but it is usually not advisable. High-value gifts increase the risk of compliance concerns, negative perceptions and disputes during audits. In practice, modest gifts are safer and more in line with expectations.

How should a business gift be documented correctly?

For each gift you should record who received it, for which company the person works, the date, the occasion, the value and the business reason. This information should be stored centrally, for example in a simple gifts register.

Are gifts to employees treated in the same way as gifts to business partners?

No. Gifts to employees are subject to different tax and payroll regulations in all three countries. Companies should therefore treat gifts to staff separately from gifts to external business partners and observe the respective rules.

How should I handle gifts to governmental bodies or public organisations?

With particular caution. In all DACH countries there are strict rules for the public sector, and many organisations either prohibit gifts completely or limit them to very small amounts. If you are unsure, ask for written guidance or refrain from giving a gift.

Related posts

21 November 2025 | 5 min

NIS-2 Implemented: Why German Companies Must Act Now

In November 2025, the German Bundestag passed the law implementing the NIS-2 Directive. This introduced new national rules for cybersecurity and information security that go far beyond previous requirements. Companies that have so far operated under the radar must now assess whether they are affected – and if so, urgently adapt their security measures, processes and governance structures.

The delay in implementation gave many organisations a bit of breathing room, but now the pressure to act begins. Those who prepare early can gain a competitive advantage – those who react too late risk penalties, reputational damage or even business disruption.

Key Points at a Glance

  • The Bundestag adopted the NIS-2 Implementation Act on 13 November 2025.
  • The law expands its scope to significantly more companies and public authorities – an estimated 29,500 entities in Germany.
  • New obligations include risk management, technical and organisational measures, incident reporting with defined deadlines (e.g., first report within 24 hours), as well as expanded oversight and sanctions by the Federal Office for Information Security (BSI).
  • Companies should now carry out an impact assessment, revise regulatory and compliance processes and align governance and IT security architecture with the tightened requirements.

Why This Topic Matters

Digital connectivity and dependency on IT systems and services have increased significantly in recent years. At the same time, the threat posed by cyber attacks, targeted sabotage, espionage and hybrid attacks on critical infrastructure continues to grow. In this environment, the previous legal framework in Germany was no longer considered sufficient by many experts.

The EU NIS-2 Directive aims to ensure a high and consistent level of security for network and information systems across the Union.

Since Germany missed the deadline for implementing the directive, action was required – the newly adopted law represents the next crucial step.

For companies, this means the following: not only traditional operators of critical infrastructures (KRITIS) are affected, but also many organisations that were previously not within this category. This significantly increases the number of regulated entities – creating a competitive advantage for those who prepare early.

What Requirements and Obligations Must Be Met?

Companies that fall under the new rules face several new elements. The most important obligations at a glance:

Scope and Categories

The law distinguishes between “essential entities” and “important entities”. Both categories are subject to the requirements, with different intensities depending on criticality.

Companies from sectors such as energy, healthcare, transport, digital services or public administration typically fall under these rules. However, other organisations may also be affected if their services are relevant for the functioning of society.

Technical and Organisational Measures (TOM)

Affected entities must implement IT security measures that reflect the state of the art. These include risk analyses, business continuity plans, backup concepts, encryption, access controls and monitoring and detection of attacks.

The integration of supply chain and third-party risks is now much more strongly required – companies must understand and manage their dependencies.

Incident Reporting and Notification Obligations

A central element is the reporting obligation for security incidents. A new three-stage regime applies:

  • First notification within 24 hours after detection
  • Interim report after 72 hours
  • Final report no later than one month later

These deadlines turn incident reporting into a time-critical compliance and management task.

Expanded Oversight and Sanctions

The BSI assumes expanded supervisory and audit functions. It can issue sanctions, publish guidance and maintain the required registers.

Companies must also register and designate responsibilities – such as a person responsible for information security.

Role of Public Administration

New: Public authorities and federal administration are now also subject to minimum requirements. This brings governmental IT security to the same level as the private sector – an important step for overall resilience.

What Companies Should Do Now

  • Conduct an impact assessment to determine whether the organisation falls under the categories “essential” or “important”.
  • Perform a gap analysis of existing IT security, governance and reporting processes and align them with NIS-2 requirements.
  • Revise governance and risk management processes: Who is responsible? How is risk measured? How quickly do we report incidents?
  • Implement and document technical measures: risk analysis, access controls, incident response plan, backup and recovery strategy.
  • Establish reporting and notification processes: define responsibilities and ensure deadlines can be met.
  • Provide training and awareness programmes for employees: cyber risks, reporting obligations, responsibilities.
  • Set up monitoring and reporting structures: dashboards for incidents, risks and measures, including third-party risk management.

Those who start early can not only ensure compliance but also gain competitive advantages – for example, by strengthening trust in partner relationships or reducing insurance premiums.

Conclusion

With the law implementing the NIS-2 Directive, Germany marks a decisive step towards digital resilience. For companies, this means cybersecurity is no longer voluntary but becomes a regulated and strategically essential task.

The requirements are demanding – but those who act early secure legal certainty and build trust with customers, partners and investors.

FAQ

Who is affected by NIS-2 implementation?
Companies classified as “essential entities” or “important entities” are affected, particularly in sectors such as energy, healthcare, transport and digital services, as well as public authorities and administration.

When do the new regulations apply?
The Bundestag adopted the law on 13 November 2025. It still needs approval by the Bundesrat and publication in the Federal Law Gazette before it enters into force.

What deadlines apply for reporting security incidents?
Initial report within 24 hours of detection, interim report after 72 hours, final report after one month at the latest.

What happens if the requirements are not met?
The BSI receives extended supervisory and sanctioning powers. Violations may lead to fines and further legal consequences.

How should companies proceed now?
Conduct an impact and gap analysis, adjust governance and risk processes, document technical measures, establish reporting processes and train employees.

14 October 2025 | 6 min

Resilience at Sea – How Good GRC Makes the Shipping Industry Crisis-Proof

The global shipping industry is defying the slowdown. Despite geopolitical tensions, tariffs, and weak industrial production in Europe, many shipping companies report stable or even growing business. This is surprising, given that most economic indicators point in the opposite direction: trade barriers are increasing, transport costs are rising, and global demand is softening.

Yet, according to the latest shipping survey by PwC Germany, the industry remains remarkably resilient. Ninety-three percent of the companies surveyed said their ships are fully utilized, and 58 percent expect further growth in the next twelve months. Only four percent anticipate a downturn. This confidence stands in sharp contrast to the broader economic situation and highlights how effective governance, risk, and compliance (GRC) practices contribute directly to stability.

  • According to PwC Germany’s 2025 shipping survey, 93 percent of German shipping companies report full utilization, and 58 percent expect continued growth.
  • Despite tariffs, trade conflicts, and weak industrial output, the sector remains robust.
  • The main reason is strategic decoupling from the German economy and diversification across global markets.
  • Strong GRC – meaning sound governance, effective risk management, and reliable compliance – is the key driver of resilience.

Economic Situation: Between Slowdown and Strength

Traditionally, the maritime sector serves as a barometer of global trade. But while many industrial sectors are struggling, the shipping industry shows impressive stability.

PwC’s 2025 shipping study, now in its 17th edition, paints a surprisingly positive picture. Despite political unrest, volatile energy prices, and new trade barriers, most fleets remain busy. The Baltic Exchange’s 2025 outlook also predicts moderate growth in container and LNG segments, while Fitch Ratings describes the global shipping outlook for 2025 as “stable,” despite ongoing market uncertainty.

This strength is no coincidence. Over the past years, shipping companies have systematically adapted their business models. Only about 30 percent now depend directly on Germany’s industrial output. Instead, they focus on global markets, long-term charter contracts, and specialized niches.

Why the Shipping Sector is Thriving Despite the Crisis

Several factors explain the shipping industry’s resilience:

  1. Global Diversification
    Shipping companies have reduced their dependence on domestic markets. Operating in multiple regions allows them to offset weaknesses in individual economies.
  2. Long-Term Charter Contracts
    Many carriers rely on multi-year agreements that guarantee stable income even when spot market rates fall.
  3. Efficient Cost and Route Management
    Flexible rerouting, such as avoiding the Red Sea by sailing around the Cape of Good Hope, allows operators to manage geopolitical disruptions effectively.
  4. Investment in Technology and Sustainability
    The use of digital systems and cleaner fuels (like LNG and methanol) not only ensures regulatory compliance but also provides long-term competitive advantages.
  5. Solid Governance Structures
    Many shipping companies have strengthened their corporate governance with professional boards, risk committees, and compliance units – structures that were far less common a decade ago.

These factors form part of an integrated GRC approach – the foundation of today’s maritime resilience.

Governance: Stability Through Clear Leadership

Strong governance is the backbone of any resilient organization. Shipping companies that navigate uncertainty successfully have clear decision-making processes and transparent accountability structures.

In practice, this means that strategic decisions – regarding fleet expansion, financing, sustainability, or insurance – are made in close coordination with risk and compliance functions. Supervisory boards are not mere oversight bodies but active strategic partners.

Such governance models allow companies to react swiftly to market changes without losing control or consistency.

Risk Management: Early Warning for Geopolitical and Operational Threats

The shipping sector faces constant uncertainty: geopolitical conflicts, piracy, environmental regulations, fluctuating fuel prices, and cyberattacks. Effective risk management is therefore crucial.

Successful shipping companies use scenario planning to assess how trade wars, port strikes, or route blockages could impact operations. They continuously monitor key variables like fuel prices, insurance costs, and new regulations.

Cyber risk is now one of the top concerns. Digital systems on ships and in ports are increasingly vulnerable to attacks. According to PwC’s study, 78 percent of respondents now manage cybersecurity risks at the executive level – a major step toward operational resilience.

Compliance: Building Trust Through Integrity

Compliance is the third pillar of resilience, alongside governance and risk management. Regulatory pressure on shipping companies continues to grow – from emissions rules and ESG reporting to international trade and sanctions regulations.

Companies that take a proactive stance gain a clear advantage: they avoid fines, improve credit ratings, and strengthen stakeholder trust. ESG compliance is especially critical, as sustainability performance increasingly influences access to financing and new business.

A well-structured compliance management system, based on ISO 37301, provides the necessary framework. It standardizes procedures, simplifies audits, and ensures documentation of all key processes.

How Strong GRC Drives Resilience

Governance, Risk, and Compliance are no longer checkboxes for shipping companies – they are strategic enablers. GRC creates transparency, defines responsibilities, and ensures alignment with international standards.

By identifying and managing risks early, companies can maintain stability in volatile markets. The result is an industry that continues to grow – not because it is immune to crises, but because it is prepared for them.

Conclusion

Shipping remains a cornerstone of the global economy – and its resilience is no coincidence. Studies such as PwC’s 2025 survey make it clear: effective governance, solid risk management, and strong compliance practices distinguish resilient companies from vulnerable ones.

Organizations that view GRC as a strategic tool, not a regulatory burden, are better positioned to weather uncertainty. Governance provides navigation, risk management forecasts the storms, and compliance ensures the voyage stays on course. In short: good GRC is the compass that keeps the shipping industry steady, even in rough seas.


FAQ

Why is the shipping industry performing well despite the global slowdown?
Because many carriers have diversified internationally, secured long-term contracts, and strengthened their risk management systems.

What does the PwC Shipping Study 2025 reveal?
Ninety-three percent of shipping companies report full capacity utilization, and 58 percent expect growth – only four percent predict a decline.

What role does GRC play in the shipping industry?
GRC creates transparency, improves control, and ensures compliance with international regulations. It is the backbone of maritime resilience.

What are the main risks for shipping companies today?
Geopolitical tensions, trade barriers, cyberattacks, environmental regulations, and ESG reporting requirements are among the top challenges.

How can shipping companies improve their GRC practices?
By establishing clear governance structures, conducting regular risk assessments, implementing certified compliance systems (like ISO 37301), and using integrated digital GRC platforms for real-time oversight.

3 June 2025 | 3 min

How BaFin Uses Artificial Intelligence: Digitizing Financial Supervision

Germany’s Federal Financial Supervisory Authority (BaFin) is modernizing its tools for monitoring financial markets. To do this, it is increasingly relying on Artificial Intelligence (AI) to detect risks faster, uncover market manipulation, and automate compliance processes. In this blog post, we explore how BaFin uses AI, what benefits it brings, and what it means for companies and consumers.

AI in Market Surveillance: Algorithms Against Insider Trading

A key application of AI at BaFin is the detection of suspicious trading patterns. Using machine learning, BaFin analyzes vast amounts of trading data to uncover market manipulation and insider trading. These patterns are often hard for human analysts to detect but can be statistically significant indicators of abuse.

Automated Analysis of Company Data

Another field of application is the analysis of annual reports, ad-hoc disclosures, and financial statements. BaFin employs Natural Language Processing (NLP) to automatically identify risks, irregularities, or anomalies in corporate data. This accelerates the auditing of financial reports and helps detect adverse trends early.

AI in Banking Supervision: Risk Assessment and Early Warning Systems

AI is also used in regulatory assessments of banks and insurers. AI-powered early warning systems analyze metrics, capital structures, and market movements to identify risks early. This enables BaFin to intervene more quickly in times of crisis and prevent potential failures.

Anti-Money Laundering with AI

BaFin also uses AI to combat money laundering. By analyzing transaction patterns, suspicious activities can be automatically detected and reported. In collaboration with financial institutions, this improves both efficiency and the accuracy of prevention systems.

SupTech: Technological Shift in Supervision

Under the term SupTech (Supervisory Technology), BaFin is driving the digital transformation of its supervisory functions. AI plays a key role in processing large volumes of data, automating procedures, and making data-driven decisions.

Conclusion: Smarter Supervision Through Intelligent Systems

BaFin’s use of AI represents a decisive step toward modern, data-driven financial supervision. For companies, this means more transparency and faster processes. For consumers, it means greater protection from market abuse and financial crime. It also makes clear: supervisory authorities must evolve in the digital age to remain effective.


FAQ: Frequently Asked Questions About AI at BaFin

What is BaFin’s goal in using AI?

BaFin aims to detect risks earlier, uncover market abuse faster, and make supervision more efficient.

What technologies are being used?

Primarily machine learning, natural language processing (NLP), and data analytics.

Is the use of AI legally regulated?

Yes, BaFin must adhere to all applicable laws, including data protection and administrative law.

How do financial firms benefit?

Through clearer risk indicators, faster communication with regulators, and early warnings of potential problems.

What is SupTech?

SupTech refers to the technological advancement of supervisory work. AI is a central component of this development.