Compliance 2026: Five concrete steps for management and supervisory boards

NIS2, whistleblower protection, and ESG: integrating them in a pragmatic, effective, and feasible way

[Image: management signing a document, with a digital compliance dashboard for risk monitoring, audit trail and regulation in the background]

New compliance issues such as NIS2, whistleblower protection, and ESG may seem complex at first glance. In practice, however, they can be implemented in a structured manner with manageable effort. The key is not perfection, but a clear, documented approach. For management and supervisory boards, the current requirements can be broken down into five concrete steps.

Step 1: Update risks – don’t reinvent them

The starting point is not a fundamental discussion, but a targeted update of the existing risk analysis:

  • IT and cyber risks (NIS2)
  • Internal reporting systems and response processes
  • ESG and supply chain risks

Existing risk overviews are often sufficient – they just need to be supplemented and prioritized.

Step 2: Clearly define responsibilities

Compliance rarely fails because of rules, but because of ambiguity. It is important to have:

  • clear overall responsibility at management level
  • designated contact persons for IT, HR, and legal
  • transparent reporting lines to the supervisory board

Documented responsibilities create certainty and relieve the burden.

Step 3: Update existing regulations

Many companies already have:

  • a code of conduct
  • a compliance manual
  • internal guidelines

These should be specifically adapted, not rewritten – for example, by adding short additions on NIS2, whistleblower protection, and ESG. Less scope, more relevance.

Step 4: Keep training short, regular, and practical

Instead of extensive training programs, we recommend:

  • A compact update format (e.g., 90–120 minutes)
  • Focus on new risks and typical practical cases
  • Documented participation

This makes training a living part of corporate management.

Step 5: Check effectiveness – without bureaucracy

Finally, a quick check is all it takes:

  • Are reporting systems being used?
  • Are responsibilities known?
  • Are risks reported regularly?

Short reports to management and the supervisory board are usually sufficient to meet documentation and control requirements.

Compliance 2026 is not a mammoth project.

With five clear steps, new obligations can be implemented pragmatically, effectively, and in a legally compliant manner—without unnecessary bureaucracy, but with tangible added value for management and supervision.

The most important points in brief

  • New compliance issues can be integrated in a structured manner
  • Existing systems are the right starting point
  • Clarity and timeliness are more important than scope