Regulatory Innovations in Corporate Governance

August 1, 2021

The legislature does not let compliance departments rest. Risk management, control, and whistleblower systems are demanded, more sustainability information is required, and a closer examination of human rights risks in the supply chain is necessary. To provide a better overview, we present seven innovations in corporate governance in a nutshell.

EU Whistleblower Protection Directive

The EU Directive "on the protection of persons reporting breaches of Union law" requires companies with more than 50 employees to establish internal reporting channels for reporting unlawful actions or omissions in the business context, while maintaining the confidentiality of the whistleblowers' identities. Furthermore, protection for the whistleblower and affected third parties against reprisals must be ensured. To achieve this, the burden of proof has been reversed: employers must now prove the reasons for alleged disadvantages. In addition, internal whistleblowers will no longer be given preference over external whistleblowers in the future; hence, reports can also be submitted directly to external authorities.

The whistleblower must receive confirmation of the receipt of their report, and a comprehensive response regarding the measures taken must be provided within the following three months. If cases of hindrance of reporting, lack of anonymity protection, or reprisals become known, sanctions will be imposed on the company. The design of these sanctions is left to individual member states.

The EU regulation comes into effect on December 17, 2021, with an extended deadline until the end of 2023 for companies with 50 to 249 employees. It is expected to apply unchanged in Germany, as an agreement on a national whistleblower protection law could not be reached. 

Supply Chain Due Diligence Act – LkSG

On July 22, 2021, the German Federal Cabinet issued the final version of the Supply Chain Due Diligence Act. This law applies to companies with 3,000 employees or more from the year 2023, and the threshold decreases to 1,000 employees the following year. According to the law, human rights and environmental risks in the supply chain should be identified and assessed through a risk analysis, and appropriate preventive measures should be taken. Preventive measures include, for example, training, inspections, supplier contracts, as well as procurement strategies. To uncover potential violations, there will be a publicly accessible complaint procedure. Through annual reporting, information must be provided on risks, measures, the effectiveness of the assessment, and conclusions – but only concerning the company's own business operations and immediate suppliers. The Supply Chain Due Diligence Act is monitored by the Federal Office for Economic Affairs and Export Control. Furthermore, NGOs and trade unions have the right to file lawsuits in case of violations of due diligence in the supply chain.

For more information, read our article "New Challenge Due to the Planned Supply Chain Law".

Corporate Sustainability Reporting Directive – CSRD

The CSR Directive Implementation Act (CSR-RUG) has been in effect in Germany since the 2017 business year for large capital market-oriented companies with more than 500 employees, as well as for banks, financial service providers, and insurance companies. It generally obliges these entities to provide non-financial reporting. Now, the amendment to the underlying European directive is on the horizon – and it promises significant expansions. 

With the Corporate Sustainability Reporting Directive, which is available as a Commission proposal dated April 21, 2021, sustainability reporting is intended to be elevated to the same level as financial reporting. This involves making external assurance mandatory, as well as publishing it in the management report and introducing a new materiality principle, namely double materiality. Additionally, the new regulation will apply to a much larger number of companies: Starting from 2024, it brings all large companies, i.e., those with more than 250 employees, into compliance for the 2023 business year. The extension to small and medium-sized enterprises (SMEs) subject to the capital market's influence takes three years longer, but from the 2026 business year, the obligation will apply to them as well – with regulations adapted to the size of the business.

Of general interest are the announced uniform, binding reporting standards. These are intended to replace the various guidelines used so far, such as those of GRI or the German Sustainability Code, in favor of EU-wide comparability.

StaRUG: Stabilization and Restructuring Framework for Companies

The Corporate Stabilization and Restructuring Act (StaRUG) has been in effect since January of this year, establishing the obligation for early crisis detection and crisis management. The new regulation applies to all limited liability legal forms and implies that the management must not only continuously monitor potentially threatening developments but also take corresponding countermeasures. This means that corporations are expected to have a risk management system and an internal control system in place.

Financial Market Integrity Strengthening Act – FISG

Under the Financial Market Integrity Act of June 3, 2021, there is now an obligation for the introduction and ongoing maintenance of a risk management system and an internal control system for publicly listed companies. These systems are expected to be introduced appropriately and effectively based on the scope of business activities. Furthermore, there is a requirement to establish audit committees, each with two (instead of one) financial experts – one for accounting and one for audit. The audit committee has a direct right to information, and failure to establish it may result in fines for the company. Regarding the audit, there are numerous new regulations on liability, cooperation, and non-audit services. Most provisions of the law came into effect on July 1, 2021. The FISG will also serve as a benchmark for non-listed companies.

Act on the Digitization of the GWB

On January 18, 2021, the Civil Code was expanded with the Act on the Digitization of the GWB, which, among other things, introduces the consideration of compliance programs when determining the amount of (antitrust) fines. According to §81d (1) sentence 2 Nos. 4 and 5 GWB, measures and efforts by the company to detect or prevent violations should be taken into account in the assessment of the amount of the fine and can thus have a mitigating effect on fines.

Proposal for a Legal Framework for Artificial Intelligence by the European Commission

On April 21, 2021, the European Commission proposed an initial legal framework for artificial intelligence. This includes a ban on the use of artificial intelligence in certain areas or establishes a dependency on the use of certain technical and organizational requirements.

While some new regulations like StaRUG and FISG are already in effect, companies with more than 249 employees should not wait to implement the Whistleblower Directive, as it will be applicable by the end of the year. Additionally, it remains to be seen whether the due diligence and reporting obligations under the Supply Chain Due Diligence Act and the Corporate Sustainability Reporting Directive will apply to them.