Digital Compliance – The New Legal Framework for AI, Data, and Digital Resilience
Update Data Protection No. 241
Today, digitalization permeates virtually all business processes of medium-sized companies. Cloud services, digital collaboration platforms, data-driven business models, and AI-powered applications have long been an integral part of day-to-day business operations and are simultaneously subject to a growing number of regulatory requirements. In addition to the General Data Protection Regulation (GDPR), other regulations such as the AI Regulation, the NIS 2 Directive, and the Data Act are increasingly coming into play, imposing new requirements on organization, documentation, and risk management. As these new requirements grow, so do the liability risks – for the companies themselves, but also for their management. Nevertheless, in many medium-sized companies, digital compliance is still primarily reduced to data protection issues or is only marginally addressed from an organizational perspective. In the following, we outline which legal requirements fall under the umbrella of digital compliance, what liability risks exist for management, and what practical steps companies can take to ensure legally compliant implementation.
I. What is digital compliance?
Digital compliance refers to adherence to the legal requirements arising from the use of digital technologies, the processing of data, and the operation of IT-supported business processes. In corporate practice, the term thus covers a range of different regulatory requirements, from data protection law and IT security requirements to specific regulations for digital services and data ecosystems. While large companies have often established specialized compliance structures for this purpose, in small and medium-sized enterprises (SMEs) such requirements are frequently perceived primarily as an IT or data protection issue. In reality, however, it is an organizational management task that must be integrated into the company’s compliance and risk management framework.
1. GDPR Requirements
Compliance with the General Data Protection Regulation (GDPR) remains a central component of digital compliance. It governs the conditions for processing personal data and thus affects virtually all of a company’s digital business processes – from human resources management and customer relations to the use of digital platforms or cloud-based IT infrastructures. Companies must not only observe individual substantive requirements but also establish a structured data protection management system that ensures organizational compliance with legal requirements.
The starting point for any data protection assessment is the question of the lawfulness of data processing. According to Article 6 of the GDPR, the processing of personal data is only permissible if there is a corresponding legal basis, such as the consent of the data subject, the performance of a contract, legal obligations, or the legitimate interests of the company. These requirements must be assessed and documented for each processing operation. At the same time, Article 5 of the GDPR requires companies to adhere to fundamental data protection principles – in particular purpose limitation, data minimization, transparency, and the integrity of data processing.
An essential component of compliance management is the obligation to provide information to data subjects. In accordance with Articles 13 and 14 of the GDPR, companies must provide comprehensive privacy notices, for example, to employees, job applicants, customers, or suppliers. This information must include, among other things, the purpose of the processing, the respective legal basis, potential recipients of the data, the retention period, and the rights of data subjects. Transparent information is of particular practical importance, especially in the context of employment or within the framework of digital application processes.
Furthermore, the GDPR requires companies to maintain extensive documentation. Pursuant to Article 30 of the GDPR, a record of processing activities must be maintained, in which all relevant data processing activities within the company are recorded. This record regularly serves as the basis for internal data protection audits as well as for potential inspections by supervisory authorities. In addition, technical and organizational measures must be implemented in accordance with Article 32 of the GDPR to ensure an appropriate level of protection for personal data. These include, for example, access and authorization policies, encryption, backup systems, or internal security guidelines.
Special requirements apply to processing operations that may pose a high risk to the rights and freedoms of data subjects. In such cases, a data protection impact assessment must be conducted in accordance with Article 35 of the GDPR. This may be the case, for example, when using new technologies, when processing large amounts of sensitive data, or when systematically monitoring individuals. The aim of the impact assessment is to identify potential risks at an early stage and to define appropriate protective measures. With the increasing use of AI, data protection impact assessments are also gaining in importance.
Finally, the GDPR also requires organizational measures to raise employee awareness. Data protection training, internal guidelines, and clear responsibilities within the company are essential elements of effective data protection management. This aspect is often underestimated, particularly in small and medium-sized enterprises, even though many data protection violations in practice can be attributed to organizational shortcomings or a lack of awareness regarding the handling of personal data.
2. Other Digital Law Requirements
In addition to data protection law, the regulatory framework for digital business processes is increasingly shaped by other EU legal requirements. In recent years, the European Union has adopted a multitude of new legal acts regulating the use of digital technologies, data handling, and IT security requirements in companies. Digital compliance is therefore no longer limited to data protection issues but encompasses a broad spectrum of requirements under European digital law.
Of particular practical significance is the Regulation on Artificial Intelligence (AI Regulation) (see our latest article). It establishes a uniform EU-wide legal framework for the development, distribution, and use of AI systems. The regulation follows a risk-based approach: While certain AI applications are completely prohibited, so-called high-risk AI systems are subject to extensive requirements, for example regarding risk management, data quality, documentation obligations, transparency, and human oversight. Companies that develop, distribute, or use AI systems in their business processes must therefore assess whether their applications fall under the relevant categories and what compliance obligations arise from this. Current adaptation considerations at the European level, some of which are being discussed under the banner of an “AI Omnibus,” also aim to clarify the practical implementation of individual requirements and make them more manageable for companies (we reported).
Another key component of European digital law is the NIS 2 Directive, which significantly expands cybersecurity requirements in security-relevant sectors (see topic page). Compared to the previous legal framework, the scope of affected companies has been significantly broadened and now includes numerous small and medium-sized enterprises across various industries. The directive requires companies, in particular, to implement comprehensive risk management measures in the area of IT security, to establish incident reporting structures, and to secure digital supply chains. At the same time, it explicitly emphasizes the responsibility of management, which is accountable for implementing and monitoring cybersecurity measures.
The Data Act, which regulates access to and the use of data in the European data economy, will also gain importance for many companies (we reported). Among other things, the regulation aims to facilitate access to data from connected products and digital services and to improve the ability to switch between cloud providers. Companies will therefore need to pay closer attention in the future to the data access and sharing obligations arising from the use of data-driven products or platforms and to the contractual adjustments that will be required.
For the financial sector, the Digital Operational Resilience Act (DORA) further specifies the requirements for IT risk management (see topic page). Banks, insurance companies, and other financial firms will be required to establish comprehensive ICT risk management, conduct regular security tests, and systematically monitor their dependencies on third-party IT service providers, particularly cloud providers. Here, too, the focus is shifting more strongly toward management’s responsibility.
The Cyber Resilience Act (CRA) is also of particular importance in this context (see topic page). The regulation establishes, for the first time, a uniform European legal framework for the cybersecurity of products with digital elements, thereby addressing in particular manufacturers, importers, and distributors of such products. Companies are required to incorporate security requirements as early as the development phase (“security by design”), systematically monitor vulnerabilities, and provide security updates throughout the entire product lifecycle. In addition, there are comprehensive documentation, reporting, and compliance obligations. Indirectly, increased requirements also arise for companies that merely use such products, for example, in the selection of suppliers, contract drafting, and within the framework of IT risk management.
Furthermore, other European initiatives are gaining relevance. Sector-specific data spaces such as the European Health Data Space (EHDS) are creating new frameworks for accessing and using sensitive data (we reported). The planned European digital identity (EUDI wallet) will bring new requirements for authentication and identity infrastructures (we reported). In addition, the E-Evidence Regulation aims to facilitate cross-border access to electronic evidence by law enforcement authorities, which creates additional requirements for handling official data access requests (we reported).
These regulatory developments are closely linked to the growing discussion surrounding corporate digital sovereignty (we reported). This refers to the ability to manage digital infrastructures, data flows, and IT dependencies in such a way that legal requirements are met and strategic risks are controlled. In particular, the widespread use of global cloud and platform providers raises questions regarding data access from third countries, technical dependencies, or limited options for switching providers. Numerous European digital laws, such as the NIS 2 Directive or the Data Act, therefore also aim to strengthen interoperability, reduce dependencies, and give companies more control over their digital resources. In practice, digital sovereignty is thus increasingly becoming an integral part of corporate digital compliance and risk strategies (see our event on April 21, 2026, on the topic of digital sovereignty).
II. Personal Liability of Management
The implementation of digital compliance affects not only organizational processes within the company but also the personal responsibility of management. Under Section 43(1) of the German Limited Liability Companies Act (GmbHG), managing directors of a limited liability company (GmbH) are obligated to exercise the due care of a prudent businessman. This includes, in particular, the duty to organize the company in such a way that legal requirements are complied with and legal risks can be adequately controlled. For members of the executive board of a stock corporation, this organizational duty is further specified by Section 91(2) of the German Stock Corporation Act (AktG), which requires the establishment of a monitoring system for the early detection of developments that could jeopardize the company’s continued existence. For publicly traded companies, Section 91(3) of the German Stock Corporation Act (AktG) further requires an appropriate and effective internal control and risk management system.
If digital legal requirements – such as those related to data protection, IT security, or the use of new technologies – are not adequately addressed within the company, this can therefore also have liability consequences. If management violates its organizational duties and the company suffers damages as a result – such as fines, claims for damages, or significant economic disadvantages – personal liability toward the company may generally be considered.
A practical liability risk arises in particular when breaches of duty only become apparent in retrospect. It is not uncommon for data protection violations, IT security incidents, or regulatory shortcomings to come to light only during regulatory audits, internal investigations, or in the context of a change in management. When a managing director leaves the company, compliance structures are frequently reviewed or reassessed. If it turns out that key requirements – such as those related to data protection or IT security measures – have not been implemented for an extended period, the company may generally consider holding the former managing director liable.
In addition, regulatory enforcement of digital regulations is gaining momentum. Data protection supervisory authorities have been conducting regular audits for years, and more intensive oversight is also expected in the area of cybersecurity regulation. With the implementation of new European digital legislation, corresponding control structures will be further expanded. Initial hearings and audit procedures already indicate that authorities are beginning to scrutinize the practical implementation of digital compliance requirements in companies more closely. This increases the pressure on management to establish appropriate structures early on and in a transparent manner.
III. Implementation Steps
Implementing digital compliance often presents practical challenges for small and medium-sized enterprises. Unlike large corporations, many companies have neither their own compliance departments nor extensive personnel or financial resources. Nevertheless, this does not mean that comprehensive and cost-intensive projects are necessary to achieve an adequate minimum level of digital compliance. Rather, what is crucial is a structured and pragmatic approach that focuses on the essential legal requirements.
1. Defining Roles and Responsibilities
A first step is to define clear responsibilities for digital compliance issues within the company. In practice, it is often the case that issues related to data protection, IT security, or the use of new technologies are spread across different departments and are therefore not systematically coordinated. Simply appointing a responsible contact person or consolidating relevant topics into a central function can help identify risks early on and implement regulatory requirements in a structured manner. At the same time, the issue should also be taken seriously at the executive level. It is no coincidence that the saying “data protection is a top priority” has been around for years.
2. Inventory of Digital Processes
Once responsibilities have been defined, a structured inventory should be conducted. Companies should identify which digital systems, cloud services, or data-driven applications are in use and what types of data are being processed. This transparency forms the basis for assessing which specific regulatory requirements are relevant – such as those from the GDPR, the AI Regulation, or IT and security guidelines. In many cases, this reveals that only a limited portion of the existing systems actually triggers complex compliance requirements.
3. Establishing Minimum Documentation and Basic Structures
A key component of digital compliance is robust foundational documentation. This includes, in particular, privacy notices for different groups of individuals, a record of processing activities, and basic internal guidelines for handling data and digital systems. Such structures do not necessarily have to be extensive or highly complex. Even clear and comprehensible documentation of core processes can make a significant contribution to meeting regulatory requirements and remaining capable of acting during regulatory audits.
4. Raising Employee Awareness
Moreover, many compliance risks in everyday business operations do not arise from complex legal issues, but rather from a lack of awareness regarding the handling of data and digital applications. Regular training on data protection, IT security, or the use of new technologies can already make a significant contribution to risk minimization. Especially in small and medium-sized enterprises, such training measures can often be implemented with manageable effort and integrated into existing internal communication or training structures.
5. Prioritizing and Pragmatically Addressing Risks
Ultimately, it makes sense for small and medium-sized enterprises to take a risk-based approach to digital compliance. Not every company is equally affected by all digital regulatory initiatives. While the AI Regulation, for example, is relevant only for certain applications, other requirements affect only specific industries or company sizes. A structured prioritization of the issues that are actually relevant makes it possible to allocate resources in a targeted manner while achieving an appropriate level of compliance.
IV. Conclusion and Outlook
Digital business processes are now subject to a growing number of regulatory requirements that go far beyond traditional data protection. For medium-sized companies, this means that digital compliance is increasingly becoming an integral part of proper corporate governance and is also coming more into focus for management from a liability perspective.
At the same time, practical experience shows that a robust minimum level of digital compliance can be achieved with manageable organizational measures. A structured approach is crucial, one that identifies key digital risks, establishes clear responsibilities, and implements fundamental documentation and organizational obligations.
In light of new European digital legislation such as the AI Regulation, NIS 2, or the Data Act, it is also reasonable to assume that regulatory requirements will continue to increase in the coming years. For medium-sized companies, it is therefore advisable to establish digital compliance early on as an integral part of the corporate organization and to gradually expand the corresponding structures.
This article was created in collaboration with our student employee Emily Bernklau.