The year 2024 brings with it a dynamic shift in the regulatory landscape that will present a variety of protections as well as challenges for businesses. In navigating the complexities of an ever-evolving regulatory environment, it’s crucial to familiarize yourself with this year’s changes.
In this article, we take a look at some of the key trends that will drive GRC in 2024, broken down into three areas: digital, environmental and labor.
The European Artificial Intelligence Act (AI Act) is to be passed by the end of May 2024 at the latest. This regulation provides for AI systems to be divided into four groups, depending on how risky these systems are. Once this law has been passed, companies can expect to meet various compliance requirements, including documentation and transparency obligations.
The Digital Services Act (DSA) came into force in mid-November 2022, but will not take full effect until February 17, 2024. This law affects digital intermediary services and, more recently, smaller companies within the EU. It stipulates that companies that act as digital intermediaries and provide consumers with access to services, content and goods must fulfill special due diligence obligations.
The Platforms Tax Transparency Act transposes the EU Directive DAC7 into German law. This law is not new and came into force at the beginning of last year. However, the first reports, which contain information on transactions carried out on digital platforms, must be submitted to the Federal Central Tax Office (BZSt) by January 31, 2024. Failure to do so can result in penalties of up to EUR 50,000.
The NIS2 Implementation Act will apply from October 2024, especially for critical infrastructure companies (KRITIS). Compliance with the requirements of the law must also be reported to the BSI from 2027. NIS2 contains additional requirements to promote the cybersecurity of companies, particularly in the areas of risk management and supplier management. In Germany, around 30,000 companies will be affected by this law.
The European Sustainability Reporting Standards will come into force in stages from 2024.
New requirements will be added for companies that already have to comply with the Corporate Sustainability Reporting Directive (CSRD). In addition, these companies will be required to describe how their economic activities are organized in an ecological and sustainable manner in accordance with the Taxonomy Regulation. In future, smaller companies will also be affected by these disclosure obligations with regard to their sustainability efforts.
According to the new EU directive, importers of emission-intensive groups of goods such as cement, iron, steel, aluminium, fertilizers, electricity and hydrogen will be obliged to report the CO2 content of their goods at the turn of the year 2024. Although payment obligations will not apply until 2026, fines are already being imposed for non-reporting.
A further change to the import of raw materials from non-EU countries will come into force with the EU regulation on deforestation-free supply chains. This states that raw materials such as soy, cattle, palm oil, wood, cocoa, coffee, rubber and their products may only be imported if they have been produced without deforestation and without sustainably damaging forests. Large companies are also subject to additional due diligence and reporting obligations.
Companies with a total annual energy consumption of more than 7.5 gigawatt hours must introduce an energy management system (ISO 50001) or environmental management system (EMAS) in future according to the End Energy Consumption Act.
Companies with a total annual energy consumption of between 2.5 and 7.5 gigawatt hours must develop energy efficiency measures. These must be both published and audited within three years, according to the new law. However, special obligations apply to data centers with regard to energy management and waste heat control.
In addition to the existing registration obligation for all companies under the Money Laundering Act, additional rules will apply to so-called obliged entities from 2024. These are required to register in the reporting portal goAML Web of the Financial Intelligence Unit (FIU). Obliged entities include, in particular, credit institutions, insurance companies, real estate brokers and other financial companies. Failure to register could result in high fines from January 1, 2024.
The Whistleblower Protection Act came into force on July 17, 2023 for companies with 250 employees or more; companies with between 50 and 249 employees have been affected by the obligations of this law since December 17. The law requires companies to create an internal reporting office for legal violations within the company. What is new is that companies with 250 or more employees will face fines of up to EUR 20,000 for violations from December 1, 2023.
The new law is intended to facilitate the migration of skilled workers from non-EU countries. This is to be achieved by reducing the salary requirements for applying for a Blue Card. In addition, a recognition partnership will be introduced to facilitate the qualification of workers in Germany. Additional regulations for non-regulated professions include entry opportunities for people with verifiable qualifications and an annual income of at least EUR 40,000 as well as for people from the Balkan regions.