Germany's financial regulator BaFin is creating a dedicated division to conduct targeted IT inspections at financial firms, focusing on vulnerabilities related to AI-enabled cyber attacks. This signals increased enforcement of IT security requirements and heightened regulatory scrutiny on AI cybersecurity risks in the financial sector.
Germany's BaFin found widespread deficiencies in banks' sustainability risk management, ordering improvements on 79 specific issues. Banks must promptly address ESG risk identification and management gaps to comply with regulatory expectations.
The Thuringian Higher Labor Court ruled that employers cannot enforce blanket policies restricting consecutive vacation to two weeks. Annual leave must generally be granted as uninterrupted time, and denials require specific, case-by-case reasons. This reinforces existing German labor law and may require employers to adjust internal vacation policies.
A proposed German healthcare reform will introduce partial incapacity for work (25%, 50%, 75%) for statutory health insurance members with illnesses over four weeks. Employers must adapt internal processes for assessment and payroll, with full salary during the six-week continued-remuneration period and partial pay thereafter.
Germany's Carbon Contracts for Difference (CCfDs) program for 2026 allocates €5 billion to decarbonize energy-intensive industries. Key changes include relaxed emission reduction targets (50% after 4 years, 85% final year) and expanded eligibility for CCUS and industrial steam projects.
The German Federal Labor Court ruled that traditional works council election rules apply unchanged to digital platform work, requiring institutionalized management structures for establishment status. This provides legal certainty for employers but excludes remote digital work units from works council elections under current law, prompting calls for legislative reform.
Germany has implemented a phased B2B e-invoicing mandate requiring all companies to receive e-invoices since January 1, 2025, with full issuance requirements rolling out by 2028 based on company size. The German Federal Ministry of Finance has issued FAQs clarifying practical implementation details, including that simple email inboxes may suffice for receiving and that fully automated processing is not mandatory. This aligns with the EU's VAT in the Digital Age (ViDA) initiative and requires structured formats like XRechnung or ZUGFeRD compliant with EN 16931.
Germany has implemented mandatory e-invoicing for domestic B2B transactions effective January 1, 2025 through the Growth Opportunities Act. The regulation requires structured electronic formats (XRechnung or ZUGFeRD 2.0.1+ compliant with EN 16931) and aligns with the broader EU VAT in the Digital Age (ViDA) framework. The Federal Ministry of Finance updated FAQs in March 2026 to clarify practical implementation aspects.
Germany plans to eliminate paper checks entirely by 2027, with the Bundesbank shutting down automated interbank check processing infrastructure. This regulatory change requires businesses to transition to digital payment methods like SEPA real-time transfers, which are supported by EU mandates for payment service providers.
German financial regulator BaFin led Operation Heracles, shutting down over 1,400 illegal domains in Eastern Europe linked to investment fraud. This enforcement action highlights increased regulatory scrutiny on cross-border financial crime and AI-enabled scams, signaling that firms must strengthen AML/KYC and fraud detection measures.
The German Federal Labor Court ruled that blanket paid-leave release clauses in employment contracts are unenforceable if they allow employers to place terminated employees on leave without stating reasons or balancing interests. Paid leave remains permissible with case-by-case justification and documentation, and company car revocation clauses tied to paid leave must include specific conditions and safeguards.
The German Federal Labor Court ruled that employers remain liable for compensation when job applicants are rejected based on religious headscarves, even if recruitment is outsourced to external selection companies. The court clarified that applicants need only present evidence making discrimination 'predominantly probable' (proof by indicia), shifting the burden to employers to provide full proof of non-discriminatory reasons. This enforcement action reinforces anti-discrimination obligations under the AGG and requires employers to ensure external recruiters comply with these laws.
The Bavarian data protection authority has ruled that credit reference agency CRIF illegally traded personal data with address trader Acxiom, violating GDPR principles including purpose limitation and transparency requirements. This enforcement action signals increased regulatory scrutiny of data trading practices and may lead to a general ban on data purchases from address traders in Germany.
German Data Protection Authorities have failed to decide GDPR complaints against six major political parties for illegal political microtargeting during the 2021 elections, allowing continued use of proxy targeting methods. This enforcement gap highlights ongoing non-compliance with Article 9 GDPR protections for sensitive political data, posing election integrity risks.
Acxiom is using legal maneuvers to block privacy advocacy group noyb from accessing GDPR enforcement case files, potentially delaying action against alleged violations involving data misuse for credit scoring. This highlights ongoing enforcement challenges under GDPR, including corporate resistance tactics that may prolong non-compliant data processing.
The German Federal Court of Justice (BGH) issued a landmark ruling establishing that the mere loss of control over personal data constitutes compensable damage under the GDPR, even without proof of additional harm like financial loss or misuse. This overturns previous German court practices that required tangible harm for GDPR damages claims and strengthens data subject rights enforcement in Germany.
The German Data Protection Authority of Lower Saxony (LfD) has ruled the 'Pay or Okay' model used by heise.de illegal, issuing a reprimand for violating GDPR consent requirements. This enforcement action signals increased regulatory scrutiny of consent mechanisms that force users to choose between paying or accepting extensive data processing, aligning with similar rulings in Austria and German DSK guidelines.
German political parties face GDPR enforcement actions for using Facebook microtargeting during the 2021 federal election, violating Article 9 protections for political opinions as sensitive data. This signals increased regulatory scrutiny of political data processing and microtargeting practices across Europe.
Privacy organization noyb has filed a lawsuit against German data protection authorities in North Rhine-Westphalia and Hesse for failing to act on GDPR complaints about 'Pay or OK' systems for nearly four years. This signals potential increased enforcement scrutiny of consent mechanisms that force users to choose between paying for privacy or consenting to tracking, which may violate GDPR's 'freely given' consent requirement.
The Hamburg Data Protection Authority has initiated an Article 66 GDPR urgency procedure against Meta and the Irish DPC regarding Meta's AI training practices. This enforcement action could compel Meta's lead regulator to halt AI training that uses user data without consent, signaling increased regulatory scrutiny of AI data processing under GDPR.