
22 December 2025 | 5 min

GRC Regulation 2026: New Laws and Key Dates in the DACH Region

The turn of the year traditionally marks the starting point for new regulatory requirements in the field of Governance, Risk, and Compliance. While 2025 was heavily characterized by the final implementation of major EU frameworks such as DORA and NIS 2, the year 2026 is defined by expansion and technological deepening. For companies in the DACH region (Germany, Austria, Switzerland), January 1, 2026, specifically means: grace periods are over, new reporting standards in the crypto sector take effect, and sustainability reporting reaches the next escalation level in terms of the breadth of affected companies.

  • In Switzerland, the automatic exchange of information on crypto-assets (CARF) enters into force on January 1, 2026.
  • The CSRD reporting obligation expands to large, non-capital-market-oriented companies starting with the 2026 financial year.
  • For DORA and NIS 2, the implementation phase ends; from 2026 onwards, supervisory authorities will focus on auditing and sanctioning.
  • The EU AI Act approaches decisive deadlines, making 2026 the central year for AI governance implementation.

Switzerland: Transparency Push via CARF and Expanded AEOI

A central focus at the start of 2026 lies on Switzerland. On January 1, 2026, the Federal Council brings into force the Crypto-Asset Reporting Framework (CARF) as well as amendments to the Common Reporting Standard (AEOI; AIA in German). This is a decisive step for tax transparency in the realm of digital assets.

The CARF framework obliges Swiss crypto service providers to record transaction data of their clients and information on held crypto-assets. This data must be reported to the Federal Tax Administration (FTA), which in turn exchanges it with partner states. The goal is to close tax loopholes that existed due to the previous non-recording of crypto-assets in the classic AEOI. For GRC managers at Swiss financial institutions and crypto service providers, this means that due diligence processes and KYC procedures (Know Your Customer) must be fully adapted to the new asset classes and reporting standards by the January 2026 deadline.

In parallel, amendments to the AEOI Act come into force, implementing recommendations of the Global Forum on Transparency and Exchange of Information for Tax Purposes. Among other things, this introduces more precise due diligence obligations for Non-Reporting Financial Institutions.

CSRD: The Second Wave Rolls In

At the European level, January 1, 2026, is a crucial date for the Corporate Sustainability Reporting Directive (CSRD). While previously primarily capital-market-oriented companies were subject to reporting obligations, the obligation for large limited liability companies that are not capital-market-oriented begins with the 2026 financial year.

Companies fall under this second wave if they exceed at least two of the three following criteria: more than 250 employees, more than 50 million euros in net turnover, or more than 25 million euros in balance sheet total (taking into account inflation-related threshold adjustments). For compliance departments in these companies, the start of the 2026 financial year means that data collection for the report to be published in 2027 must now be operational. The time for preparation is over; from now on, ESG data must be recorded in an audit-proof manner. This requires functioning Internal Control Systems (ICS) for sustainability information.

DORA and NIS 2: From Project Mode to Regular Operations

Both the Digital Operational Resilience Act (DORA) and the NIS 2 Directive formally entered into force before 2026. Nevertheless, January 2026 marks a watershed moment. The phase of “Day 1 Compliance,” which was often still characterized by transitional solutions, is over.

From 2026 onwards, it is expected that national supervisory authorities – such as BaFin in Germany or FMA in Austria – will intensify their auditing activities. For DORA, this means that ICT third-party risk management must not only exist on paper, but contractual adjustments with IT service providers must be concluded. Registers of information relationships must be current and complete. GRC experts should use the year 2026 to test the processes implemented in the previous year for their operational effectiveness (e.g., through TLPT – Threat Led Penetration Testing), as real sanctions now loom.

Outlook: Supply Chain Acts and CSDDD

In Germany, the Supply Chain Due Diligence Act (LkSG) remains relevant, but the focus is increasingly shifting towards harmonization with the European Corporate Sustainability Due Diligence Directive (CSDDD). Although the national implementation laws of the CSDDD will only fully enter into force later, companies must strategically align their risk analyses with the more far-reaching requirements of the EU Directive from 2026 onwards to avoid double work. In particular, the climate transition plans, which are part of the CSDDD, require a lead time that should begin in January 2026.

FAQ

Who does the new CARF law in Switzerland affect starting January 2026?

It primarily affects Crypto-Asset Service Providers (CASPs/VASPs) resident in Switzerland. They must record client data and transactions and report them to the tax authorities.

Does my company have to create a CSRD report starting in 2026?

If your company is not capital-market-oriented but meets two of the three criteria (Balance sheet > 25m EUR, Turnover > 50m EUR, > 250 employees), the duty to collect data begins for the financial year 2026. The report itself will then appear in 2027.

What changes in 2026 regarding DORA?

From a regulatory standpoint, nothing new comes into force, but the grace period is over. From 2026, the first in-depth audits by supervisory authorities are expected to take place, and processes must be “lived and tested.”

What role does the EU AI Act play in January 2026?

The AI Act is already in force, but many obligations for high-risk AI systems only become strictly effective in mid-2026. January 2026 is therefore the starting signal for the final implementation phase of these requirements.

Related posts

11 December 2025 | 6 min

Holiday gifts for business partners in the DACH region

During the Christmas season, many companies take the opportunity to thank their business partners with small gifts. These gestures strengthen relationships, show appreciation and are often part of a company’s culture. At the same time, tax rules, compliance requirements and internal guidelines must be respected – and these differ between Germany, Austria and Switzerland.

This article provides a current and balanced overview of the legal and practical framework for holiday gifts in all three DACH countries. It explains what companies should consider in order to give appropriately, avoid risks and maintain trust.

  • In all three countries, the same core principles apply: gifts must be business related, appropriate and transparent.
  • Germany has a tax threshold of 50 euros per recipient and calendar year for business gifts.
  • Austria and Switzerland do not use a single statutory value limit, but focus on appropriateness, business purpose and documentation.
  • Clear internal guidelines and consistent documentation are recommended throughout the DACH region.
  • Gifts to people in the public sector or highly regulated industries require particular caution.

Why clear rules are important in all three countries

Regardless of whether a company is based in Austria, Switzerland or Germany, gifts must never give the impression that they are intended to influence business decisions improperly. Compliance standards, anti-corruption rules and tax legislation are designed to ensure clean business relationships.

Companies should therefore apply clear and comprehensible principles in every country in which they operate. This prevents misunderstandings, reduces legal and tax risks and creates a uniform standard for all employees.

Current regulations at a glance

Germany

Germany is the only DACH country with a clearly defined tax limit for gifts to business partners. Business gifts are tax deductible up to 50 euros per recipient and calendar year if they are business related and properly documented.

For gifts that exceed this amount, the tax deduction may be denied unless the gift is clearly and exclusively usable for business purposes.

Austria

Austria does not work with a uniform fixed value limit. Instead, the following aspects are crucial:

  • the gift must serve a clear business purpose
  • the value must be reasonable in relation to the relationship and the occasion
  • the gift must be documented in a comprehensible way

As in the other DACH countries, gifts must not be used to gain improper advantages. Particular care is required in the public sector and in strongly regulated industries.

Switzerland

Switzerland also has no statutory standard limit for gifts to business partners. The focus is on:

  • usual appropriateness according to Swiss business practice
  • transparency and traceability
  • compliance with internal rules and industry-specific regulations

Swiss business culture tends to favour modest, high-quality but unobtrusive gifts rather than expensive luxury items.

Common basic principles for the entire DACH region

Despite the legal differences, companies in Germany, Austria and Switzerland can follow a common set of basic rules.

Appropriateness

The gift should match the business relationship, the role of the recipient and the occasion. Very expensive or flashy gifts can quickly appear inappropriate.

Business purpose

Holiday gifts should always serve a legitimate business purpose, such as maintaining a good relationship or thanking partners for successful cooperation. They must not be used to steer decisions or to secure promises of business.

Documentation

For every gift, companies should record at least the following:

  • name of the recipient and company
  • occasion
  • date
  • value
  • business purpose

This documentation helps during tax audits and internal or external compliance checks.

Caution with public sector recipients

For employees of authorities, public hospitals, universities, municipalities and similar organisations, stricter requirements usually apply in all three countries. Often only very small tokens are permitted, and in some cases gifts are completely prohibited. When in doubt, it is better to ask in advance or avoid gifts altogether.

Recommendations for companies in the DACH region

  1. Create a clear, written gifting policy that applies in all locations.
  2. Define maximum values for gifts per person and per year.
  3. Ensure consistent documentation of all gifts to business partners.
  4. Pay special attention to sensitive sectors such as the public sector, healthcare or regulated industries.
  5. Plan gifts early and avoid borderline cases in terms of value or type of gift.
  6. Consider alternatives such as charitable donations in the name of a business partner instead of material gifts.

Why restraint is often the best strategy

No matter in which of the three countries a company operates, gifts that are too expensive or too personal can send the wrong signal. They may be perceived as an attempt to influence decisions and can trigger tax or compliance issues.

Modest, tasteful gifts or a personal handwritten card are often more effective and credible than high-value items. What counts in the long term is trust and partnership – not the material value of a present.

FAQ – Frequently asked questions in the DACH region

Is there a single value limit that applies to the whole DACH region?

No. Germany has a defined tax threshold of 50 euros per recipient and calendar year for business gifts. Austria and Switzerland use the principles of appropriateness, business purpose and documentation instead of fixed legal limits.

May I give expensive gifts in Austria or Switzerland if they seem appropriate?

In principle this is possible, but it is usually not advisable. High-value gifts increase the risk of compliance concerns, negative perceptions and disputes during audits. In practice, modest gifts are safer and more in line with expectations.

How should a business gift be documented correctly?

For each gift you should record who received it, for which company the person works, the date, the occasion, the value and the business reason. This information should be stored centrally, for example in a simple gifts register.

Are gifts to employees treated in the same way as gifts to business partners?

No. Gifts to employees are subject to different tax and payroll regulations in all three countries. Companies should therefore treat gifts to staff separately from gifts to external business partners and observe the respective rules.

How should I handle gifts to governmental bodies or public organisations?

With particular caution. In all DACH countries there are strict rules for the public sector, and many organisations either prohibit gifts completely or limit them to very small amounts. If you are unsure, ask for written guidance or refrain from giving a gift.

2 July 2025 | 4 min

Leadership Change in Risk Management at N26: What Companies Can Learn from a GRC Perspective

Intro

In the summer of 2025, German neobank N26 announced a significant leadership change: Chief Risk Officer (CRO) Carina Kozole will leave the company. She will be succeeded by Jochen Klöpper, formerly with Santander Consumer Bank.

Leadership transitions in key risk roles are always noteworthy – not only because of their impact on the organization itself, but also for what they reveal about the structural requirements of Governance, Risk, and Compliance (GRC) in fast-growing and heavily regulated businesses.

This article analyzes the developments at N26 through a systemic lens, outlines common challenges for digital financial service providers, and explains how integrated GRC systems help companies remain stable, compliant, and resilient during leadership transitions.

What Happened at N26?

Carina Kozole joined N26 in late 2023 as Chief Risk Officer and was responsible for enterprise-wide risk and compliance oversight. In 2025, the company announced her departure and named Jochen Klöpper as her successor. Klöpper brings extensive experience in risk management from his previous roles at Santander and other banks.

The timing is notable: N26, like many neobanks, is under increasing regulatory scrutiny. Topics such as AML compliance, IT security, credit risk, and internal controls are becoming critical not only from a regulatory perspective but also in terms of business continuity and market trust.

The Challenge: Growth, Complexity, and Regulatory Exposure

Digital organizations like N26 often face three structural issues:

1. Growth outpaces governance

Startups and digital scale-ups tend to prioritize innovation and customer growth. Governance, compliance, and process maturity often come later – sometimes too late.

2. Layered, evolving regulation

Digital banks operate under overlapping and evolving regulatory frameworks across jurisdictions. Without structured systems to track and manage these requirements, even competent teams can fall behind.

3. Dependency on individuals

In organizations where governance processes are not systematized, key responsibilities may rest with individuals. When those people leave, knowledge gaps, delays, or even compliance breaches can occur.

The GRC Perspective: Mitigating Risk Through Structure

Modern GRC systems help institutionalize risk and compliance processes, reduce dependency on individuals, and provide transparency across the organization.

What GRC software enables:

1. Centralized, auditable risk management

Risk categories, ownership, evaluations, and mitigation measures are documented in a structured, traceable system – not in spreadsheets.

2. Real-time regulatory oversight

Requirements (e.g., AML laws, data protection regulations, banking guidelines) are tracked centrally, with automated compliance status and escalation workflows.

3. Continuity during leadership transitions

With roles, responsibilities, deadlines, and documentation centralized, a new CRO can pick up critical tasks without process disruption or blind spots.

4. Visible governance culture

GRC systems can also track qualitative indicators – such as training effectiveness, audit response times, and cultural maturity – and contribute to an overall view of risk readiness.

Lessons Learned: From N26 to the Broader Market

  • People matter – but systems carry the organization. GRC systems ensure continuity when leadership changes.
  • Regulation is continuous, not project-based. Real-time visibility and structured compliance management are essential.
  • Good governance combines structure and culture. Systems alone are not enough; values, communication, and accountability must follow.
  • GRC tools are strategic, not just administrative. When well-integrated, they reduce risk exposure, improve investor confidence, and support long-term resilience.

Conclusion

The CRO transition at N26 illustrates the high stakes of governance and compliance in modern digital organizations. Especially in regulated sectors, leadership continuity and process integrity are inseparable.

A robust GRC system turns governance from a reactive obligation into a proactive capability – one that protects the organization, enables growth, and earns trust.


FAQ – Frequently Asked Questions on CRO Transitions and GRC

What does CRO stand for?
CRO stands for Chief Risk Officer – the executive responsible for enterprise-wide risk governance, including financial, regulatory, operational, and strategic risks.

Why is a CRO transition significant in banking?
Banks operate under strict regulatory regimes. A leadership change in the risk function may signal strategic shifts, regulatory attention, or internal restructuring. It can also affect market perception.

What happened at N26?
Carina Kozole will leave N26 in 2025. She will be succeeded by Jochen Klöpper, a seasoned risk executive from Santander. The move comes amid continued focus on strengthening risk and compliance capabilities.

What is a GRC system?
GRC (Governance, Risk, and Compliance) systems are software solutions that integrate regulatory management, risk monitoring, policy controls, and reporting into one framework.

How does a GRC platform support leadership transitions?
It ensures that responsibilities, regulatory obligations, and ongoing tasks are transparent and documented. That way, new leaders can take over without disruption or knowledge gaps.

Is GRC only relevant to large corporations or banks?
No. Any organization facing regulatory complexity, rapid growth, or cross-functional risk exposure can benefit from GRC systems – including in health care, energy, technology, and public administration.

What are the benefits of using GRC software?

  • Full visibility into risks and control measures
  • Regulatory tracking and automated compliance reporting
  • Role continuity and institutional memory
  • Improved audit readiness and accountability
  • Enhanced risk culture and decision-making

3 June 2025 | 3 min

How BaFin Uses Artificial Intelligence: Digitizing Financial Supervision

Germany’s Federal Financial Supervisory Authority (BaFin) is modernizing its tools for monitoring financial markets. To do this, it is increasingly relying on Artificial Intelligence (AI) to detect risks faster, uncover market manipulation, and automate compliance processes. In this blog post, we explore how BaFin uses AI, what benefits it brings, and what it means for companies and consumers.

AI in Market Surveillance: Algorithms Against Insider Trading

A key application of AI at BaFin is the detection of suspicious trading patterns. Using machine learning, BaFin analyzes vast amounts of trading data to uncover market manipulation and insider trading. These patterns are often hard for human analysts to detect but can be statistically significant indicators of abuse.

Automated Analysis of Company Data

Another field of application is the analysis of annual reports, ad-hoc disclosures, and financial statements. BaFin employs Natural Language Processing (NLP) to automatically identify risks, irregularities, or anomalies in corporate data. This accelerates the auditing of financial reports and helps detect adverse trends early.

AI in Banking Supervision: Risk Assessment and Early Warning Systems

AI is also used in regulatory assessments of banks and insurers. AI-powered early warning systems analyze metrics, capital structures, and market movements to identify risks early. This enables BaFin to intervene more quickly in times of crisis and prevent potential failures.

Anti-Money Laundering with AI

BaFin also uses AI to combat money laundering. By analyzing transaction patterns, suspicious activities can be automatically detected and reported. In collaboration with financial institutions, this improves both efficiency and the accuracy of prevention systems.

SupTech: Technological Shift in Supervision

Under the term SupTech (Supervisory Technology), BaFin is driving the digital transformation of its supervisory functions. AI plays a key role in processing large volumes of data, automating procedures, and making data-driven decisions.

Conclusion: Smarter Supervision Through Intelligent Systems

BaFin’s use of AI represents a decisive step toward modern, data-driven financial supervision. For companies, this means more transparency and faster processes. For consumers, it means greater protection from market abuse and financial crime. It also makes clear: supervisory authorities must evolve in the digital age to remain effective.


FAQ: Frequently Asked Questions About AI at BaFin

What is BaFin’s goal in using AI?

BaFin aims to detect risks earlier, uncover market abuse faster, and make supervision more efficient.

What technologies are being used?

Primarily machine learning, natural language processing (NLP), and data analytics.

Is the use of AI legally regulated?

Yes, BaFin must adhere to all applicable laws, including data protection and administrative law.

How do financial firms benefit?

Through clearer risk indicators, faster communication with regulators, and early warnings of potential problems.

What is SupTech?

SupTech refers to the technological advancement of supervisory work. AI is a central component of this development.

26 September 2023 | 0 min

Supply chain due diligence act (LkSG) from 1.1.2023

