Germany 2026: What Boards and Management Must Know About Updated Corporate Criminal Liability and Compliance Obligations

By Global Law Experts

Germany’s regulatory landscape for board duties compliance has shifted decisively in 2026. A convergence of national transpositions of EU directives, recalibrated Geldwäschegesetz (GWG) obligations, and a more assertive enforcement posture by public prosecutors and BaFin has created new personal-liability exposure for management board members and supervisory directors alike. This practitioner briefing provides a structured, action-oriented roadmap covering the legal changes, compliance programme design, AML readiness, M&A due diligence adjustments, and internal investigation protocols that every German board needs to address now. It is designed for Vorstand and Aufsichtsrat members, general counsel, compliance officers, and PE/M&A decision-makers seeking practical tools rather than abstract commentary.

Executive TL;DR for Boards, Four Immediate Actions

Before reading the detailed analysis below, every board should have these four priorities on its agenda for the next one to three months. Each represents a concrete step to close the most urgent gaps created by the 2026 reforms.

  • Conduct a legal gap analysis. Commission external counsel to benchmark your existing compliance programme against the 2026 corporate criminal liability framework and the updated GWG. Identify where written policies, reporting lines, or monitoring tools fall short of the new statutory expectations. This analysis forms the evidentiary foundation a board needs if its programme is ever tested by prosecutors.
  • Update reporting lines and escalation protocols. Ensure the Chief Compliance Officer (CCO) or equivalent reports directly to the Vorstand, not through an intermediary. Document escalation paths for sanctions hits, suspicious activity reports (SARs), and whistleblower disclosures. Clear, documented lines of accountability are now central to demonstrating adequate board oversight.
  • Prioritise AML/GWG fixes. Review customer due diligence (CDD) procedures, transaction monitoring thresholds, and sanctions screening tools against the revised GWG requirements. Where automated systems are absent or outdated, schedule procurement and implementation within a defined timeline.
  • Review M&A clause libraries. Update warranty, representation, and indemnity language in template share purchase agreements (SPAs) to reflect expanded compliance due diligence expectations. Ensure post-closing remediation holdbacks or compliance escrow mechanics are available for transactions involving targets with elevated regulatory risk.

What Changed in 2026, Legal Summary for Board Duties Compliance in Germany

The 2026 reforms are not a single legislative act but a cluster of interconnected changes. Understanding the full picture is essential for any management board seeking to discharge its duties effectively. Three pillars define the new landscape: corporate criminal liability adjustments, AML/GWG recalibrations, and a shift in enforcement culture. Together, these changes make board duties compliance in Germany materially more demanding than in any prior year.

Corporate Criminal Liability Updates

Germany has historically relied on the Ordnungswidrigkeitengesetz (OWiG), specifically § 30 OWiG, to impose fines on legal entities for offences committed by their management or supervisory personnel. The 2026 reforms strengthen this framework by incorporating principles from EU-level directives on corporate accountability, raising the ceiling for administrative fines, and codifying the relevance of compliance management systems (CMS) as a mitigating factor in sanctioning decisions. Prosecutors and courts now have clearer statutory guidance to consider the adequacy of a company’s compliance programme when determining corporate penalties, a development that fundamentally links programme quality to financial exposure.

AML / Geldwäschegesetz Recalibrations

The Geldwäschegesetz has been updated to align with EU Anti-Money Laundering Directive requirements and to prepare for the transition to the EU Anti-Money Laundering Authority (AMLA) supervisory architecture. Key changes include expanded risk-based CDD obligations, tighter beneficial-ownership transparency requirements, and enhanced SAR reporting standards. BaFin’s supervisory posture has shifted toward more frequent on-site inspections and thematic reviews, particularly for non-financial obliged entities that were previously subject to lighter supervision.

Enforcement Posture

Industry observers note a marked increase in cross-agency coordination between BaFin, the Financial Intelligence Unit (FIU), and state prosecutors. The likely practical effect is that compliance failures, particularly systemic ones, will be identified faster and prosecuted more aggressively. Boards that cannot demonstrate documented, risk-proportionate oversight face elevated exposure to both corporate fines under § 30 OWiG and personal liability claims. As broader global corporate law trends confirm, Germany is following a wider international trajectory toward holding boards personally accountable for compliance architecture.

| Date / Period | Change | Board Implication |
|---|---|---|
| Q1 2026 | Amended § 30 OWiG provisions enter force; CMS recognised as mitigating factor | Boards must document and evidence their CMS; inadequate programmes increase corporate fine exposure |
| Q1–Q2 2026 | GWG amendments transposing latest EU AML Directive requirements | Update CDD procedures, beneficial-ownership registers, SAR workflows, and sanctions screening |
| Ongoing 2026 | BaFin intensifies thematic AML inspections for non-financial obliged entities | Mid-caps and SMEs in high-risk sectors must prepare for on-site reviews and document readiness |
| H2 2026 onwards | Cross-agency enforcement coordination (BaFin, FIU, state prosecutors) formalised | Compliance failures are more likely to trigger parallel administrative and criminal proceedings |

Who in the Company Is Accountable, Board Structure and Legal Roles

Two-Tier Boards: Vorstand vs Aufsichtsrat, Practical Consequences for Management Board Duties

Germany’s mandatory two-tier board structure divides responsibilities in a way that has direct implications for compliance accountability. The Vorstand (management board) bears operational responsibility for establishing, maintaining, and enforcing an effective compliance programme. Under the German Corporate Governance Code (DCGK), compliance is an explicit management board duty; it cannot be fully delegated to a subordinate function without the Vorstand retaining residual oversight. The Aufsichtsrat (supervisory board) is responsible for monitoring the Vorstand’s discharge of its duties, including compliance-related ones. The 2026 reforms reinforce this division: both tiers must now document their respective oversight activities more rigorously to demonstrate that corporate governance duties are being fulfilled.

Delegation and Documentation, Demonstrating “Reasonable” Delegation

A board may delegate day-to-day compliance management to a CCO or Chief Risk Officer (CRO), but delegation does not extinguish board-level responsibility. To qualify as “reasonable” delegation under the current framework, the following conditions must be met and documented:

| Delegation Element | What to Document | Board Residual Duty |
|---|---|---|
| Selection of delegate | Qualifications, experience, independence assessment | Verify competence at appointment; reassess annually |
| Scope of delegation | Written mandate specifying tasks, authority, budget | Approve mandate; ensure no gaps in coverage |
| Reporting obligations | Frequency, format, escalation triggers | Review reports; act on red flags within defined timelines |
| Resources and tools | Budget allocation, IT systems, headcount | Ensure adequacy; approve resource requests |
| Ongoing supervision | Audit results, KPIs, incident logs | Discuss at board meetings; record resolutions in minutes |

Director and Officer Liability, How Personal Liability May Change and How to Reduce It

Director liability in Germany has always been a serious consideration, but the 2026 reforms sharpen the risk profile. Boards that fail to implement adequate compliance structures may face both civil claims from the company itself (or its shareholders) and, in extreme cases, criminal prosecution for supervisory negligence.

Criminal Versus Civil Liability Tests

Civil liability under § 93 AktG requires the board member to have breached a duty of care and caused damage to the company. The standard is whether a diligent and conscientious manager in the same position would have acted differently. Criminal liability, under § 130 OWiG (failure to supervise) or general criminal law provisions, requires a higher threshold of culpability: typically wilful neglect or recklessness. Early indications suggest that prosecutors are increasingly willing to test the boundaries of § 130 OWiG against individual board members where compliance failures are systemic and well-documented warnings were ignored.

Insurance and D&O Considerations

D&O insurance remains a critical risk-transfer tool, but boards should be aware that policies typically exclude coverage for intentional misconduct and may contain sub-limits or exclusions for regulatory fines. In light of the 2026 reforms, boards should review policy terms to ensure coverage for defence costs in regulatory and criminal investigations, confirm that side-A (individual-only) coverage is adequate, and negotiate provisions addressing the expanded definition of supervisory offences.

Practical Steps to Reduce Exposure, Seven-Point Board Checklist

This checklist represents the decisive steps a board should take to mitigate director liability in Germany under the 2026 framework:

  1. Document every compliance decision. Record board discussions, resolutions, and dissenting opinions in formal minutes. Contemporaneous documentation is the single most important defence asset.
  2. Commission annual independent compliance audits. Use external counsel or qualified auditors to test the CMS against current legal requirements and industry benchmarks.
  3. Adopt a written compliance programme. Ensure the programme is board-approved, covers all material risk areas, and is reviewed at least annually.
  4. Establish and test escalation protocols. Define clear triggers and timelines for escalating compliance incidents from operational level to board level.
  5. Respond to red flags promptly. Document how and when the board addressed each identified risk or incident. Delayed responses are treated as evidence of neglect.
  6. Obtain and review D&O cover annually. Confirm coverage scope, exclusions, and limits align with current regulatory exposure.
  7. Participate in compliance training. Board-level training, documented with attendance records, demonstrates personal engagement and awareness.

Designing a 2026-Compliant Compliance Programme in Germany, Board Checklist

An effective compliance programme in Germany must satisfy both the general duty-of-care standard under corporate law and the specific regulatory requirements introduced or strengthened in 2026. The following framework breaks the programme into its core components, each of which should be addressed in a board-approved compliance charter.

Core Elements: Risk Assessment, Policies, Monitoring, Reporting, Remediation

  • Risk assessment. Conduct a company-wide compliance risk assessment at least annually. Map risks by business unit, geography, and transaction type. Use the results to set priorities and allocate resources. The risk assessment should be formally presented to the Vorstand and documented in board minutes.
  • Policies and procedures. Maintain written policies covering anti-corruption, AML, sanctions, competition law, data protection, and any sector-specific regulatory areas. Policies must be accessible, translated where necessary, and accompanied by practical procedures that employees can follow.
  • Monitoring and controls. Deploy monitoring tools proportionate to risk: automated transaction monitoring for financial institutions, and periodic sampling and audits for non-financial entities. Define KPIs and report them to the board on a scheduled basis.
  • Reporting and whistleblowing. Implement a confidential reporting channel compliant with the Hinweisgeberschutzgesetz (Whistleblower Protection Act). Ensure reports are triaged, investigated, and resolved within defined timelines. Report statistics and outcomes to the Vorstand quarterly.
  • Remediation. When compliance failures are identified, document the root cause, corrective actions taken, and measures implemented to prevent recurrence. A remediation log should be maintained and available for supervisory review.

Sample Compliance KPI Dashboard

| KPI | Measurement | Reporting Frequency |
|---|---|---|
| Training completion rate | % of mandatory compliance training completed by all staff | Quarterly |
| Whistleblower reports received | Number of reports; breakdown by category | Quarterly |
| Average investigation closure time | Days from report to resolution | Quarterly |
| Sanctions screening hit rate | % of transactions flagged; false-positive rate | Monthly |
| Policy update cycle | Date of last review per policy area | Annually |
| Audit findings, open items | Number of unresolved audit findings; ageing analysis | Quarterly |

AML / Geldwäschegesetz (GWG), Granular Actions for Board Duties Compliance in Germany

AML compliance in Germany has moved from a back-office function to a board-level priority. The 2026 GWG amendments demand a more granular, risk-sensitive approach to customer due diligence, and BaFin has signalled that Geldwäschegesetz compliance will be a supervisory focus area across both financial and non-financial obliged entities.

GWG Changes Summary

The updated GWG aligns German law with the latest EU AML framework, including enhanced requirements for beneficial-ownership identification, expanded obligations for non-financial gatekeepers (lawyers, notaries, real estate agents, dealers in high-value goods), and strengthened SAR reporting standards. The law also prepares the ground for the future supervisory role of the EU AMLA, which is expected to assume direct supervisory responsibilities for certain high-risk obliged entities.

Risk-Based Customer Due Diligence Updates

Under the revised GWG, obliged entities must calibrate CDD intensity to the assessed risk of each customer relationship. Simplified CDD remains available for lower-risk relationships, but the criteria for qualifying as “lower risk” have been tightened. Enhanced CDD is now required for a broader range of scenarios, including relationships involving complex ownership structures, high-risk third countries, and politically exposed persons (PEPs). Boards must ensure that CDD policies reflect these changes and that staff are trained on the updated risk categories.

Recordkeeping and Screening Obligations

Recordkeeping periods under the GWG require retention of CDD documentation and transaction records for a defined statutory period from the end of the business relationship or the completion of the transaction. Sanctions screening must be conducted against all applicable EU and national sanctions lists, with results documented and escalated where hits are identified. Boards should verify that screening technology is updated in real time as sanctions lists are amended.

Interaction With the Sanctions Regime

The GWG obligations intersect with the EU sanctions framework, which has expanded significantly in recent years. Boards must ensure that sanctions compliance is integrated into the AML programme rather than treated as a separate workstream. This means unified screening processes, coordinated escalation protocols, and joint training for AML and sanctions staff.

AML Controls by Entity Type, Comparison Table

| Entity Type | Minimum AML Controls (2026) | Typical Supervisory Consequence |
|---|---|---|
| Large bank / financial institution | Full CDD, automated transaction monitoring, SAR reporting, annual independent audit | High likelihood of on-site inspection, fines, remedial orders |
| Mid-cap non-financial company (export/import) | Risk-based CDD for high-risk customers, sanctions screening, periodic training | Supervision via targeted audits; potential fines and management reprimands |
| Small enterprise / SME | Simplified CDD, basic sanctions screening, documented risk assessment | Guidance and warnings; elevated enforcement if systemic failures detected |

AML Owner Checklist

  • Confirm CDD policies reflect the 2026 GWG risk categories
  • Verify sanctions screening lists are updated automatically
  • Test SAR reporting workflows end-to-end (from detection to FIU submission)
  • Schedule annual independent AML audit
  • Document board-level review of AML risk assessment
  • Ensure PEP screening covers domestic and foreign PEPs
  • Retain CDD and transaction records for the full statutory retention period

M&A, Transactions and Warranties, Updating Compliance Due Diligence

The 2026 reforms have direct implications for how compliance due diligence is scoped, conducted, and documented in German M&A transactions. Buyers who fail to account for the expanded compliance framework risk inheriting material liabilities, and sellers who cannot demonstrate adequate programmes may face price adjustments or deal failure.

Scope Changes, Target Coverage, Supply Chain, Third-Party Risk

Compliance due diligence must now extend beyond the target company’s internal policies to encompass third-party risk, supply chain compliance, and the adequacy of AML and sanctions programmes. Acquirers should verify whether the target has a functioning CMS, documented risk assessments, up-to-date CDD records, and a clean enforcement history. Where the target operates in high-risk sectors or jurisdictions, enhanced due diligence, including interviews with compliance personnel and review of investigation files, is becoming standard practice. For deeper analysis of warranty mechanisms, see our guide on why disclosure letters are crucial in M&A deals.

Warranties and Representations, Drafting Considerations

Template SPAs should be updated to include specific representations covering: the existence and adequacy of the target’s CMS, compliance with GWG/AML obligations, absence of pending or threatened enforcement actions, and confirmation that no material compliance incidents have been concealed. Indemnities should address post-closing discovery of pre-existing compliance failures, with defined baskets, caps, and survival periods calibrated to the target’s risk profile.

Post-Closing Remediation Holdbacks and Compliance Escrow

For higher-risk transactions, acquirers should negotiate remediation holdbacks: a portion of the purchase price retained in escrow to fund compliance remediation if deficiencies are identified post-closing. The escrow mechanics should specify release conditions, dispute resolution procedures, and a defined remediation timeline. This approach is increasingly expected by PE sponsors and strategic acquirers navigating the updated compliance landscape.

Stepwise Due Diligence Playbook

  • Pre-sign: Scope compliance due diligence; request CMS documentation, risk assessments, training records, enforcement correspondence, SAR logs (anonymised), and whistleblower statistics. Conduct management interviews with CCO/CRO.
  • Pre-close: Verify remediation of identified gaps; negotiate compliance-specific warranties, indemnities, and escrow arrangements. Confirm D&O coverage for acquired board members.
  • Post-close: Integrate target’s compliance programme into acquirer’s framework; conduct day-one training; audit CDD records; establish reporting lines to acquiring-entity compliance function.

Internal Investigations, Remediation, and Enforcement Playbook

When compliance failures surface, whether through whistleblower reports, audit findings, or regulatory inquiries, boards must act decisively. The 2026 framework rewards proactive response and penalises delay. For a broader overview of investigation methodology, see our guide on white-collar crime investigations and forensic techniques.

When to Self-Report

Self-reporting to authorities should be considered, after obtaining legal advice, where an internal investigation reveals systemic misconduct, involvement of senior management, ongoing criminal activity, or material regulatory breaches with significant public or market impact. Voluntary disclosure is increasingly recognised as a mitigating factor in enforcement proceedings under the revised framework, but it must be approached strategically and with full legal privilege protections in place.

Conducting Privileged Internal Investigations

Investigations should be led by external counsel to maximise privilege protection. Establish a clear investigation mandate, define the scope, secure and preserve relevant documents, and conduct interviews under privilege. Report investigation findings to the Vorstand (and, where appropriate, the Aufsichtsrat) with recommendations for remediation and, if applicable, self-reporting.

Remediation and Monitorship, What Boards Must Demand

Post-investigation remediation should include root-cause analysis, disciplinary action where warranted, policy and procedure updates, enhanced monitoring for the affected area, and, where negotiated with authorities, an independent monitorship or compliance verification engagement. Boards should insist on a written remediation plan with milestones, assign accountability for implementation, and track progress through the compliance KPI dashboard.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Markus Bauer at RITTERSHAUS Rechtsanwalte PartmbB, a member of the Global Law Experts network.

Practical Resources, Templates, and Next Steps for Boards

To translate the guidance above into board-room action, the following six deliverables should be developed, approved, and maintained as standing governance documents:

  • Board minutes checklist. A standardised template ensuring every compliance-related discussion is recorded with date, attendees, matters discussed, resolutions, dissents, and follow-up actions.
  • AML policy template summary. A one-page executive summary of the company’s GWG compliance programme, suitable for board review and sign-off.
  • Escalation matrix. A visual chart mapping incident types to escalation levels (operational → CCO → Vorstand → Aufsichtsrat → external counsel → authorities), with defined response timelines.
  • Sample M&A warranty wording. Pre-approved compliance warranty and indemnity clauses for inclusion in SPAs, adaptable to transaction-specific risk profiles.
  • Remediation timetable. A project-management template for tracking compliance remediation from root-cause analysis through implementation and verification.
  • Director decision log. A personal record for individual board members documenting their compliance-related decisions, inquiries, and follow-up actions; this is a critical personal liability defence tool.

Conclusion, Three Actions Every German Board Should Take Now

The 2026 reforms to board duties compliance in Germany are not incremental; they represent a step-change in regulatory expectations and personal-liability risk. Boards that act decisively now will be positioned to demonstrate the documented, risk-proportionate oversight that prosecutors and regulators expect. Three actions stand above all others: first, commission and document a comprehensive compliance gap analysis against the 2026 framework; second, ensure that AML/Geldwäschegesetz compliance programmes are updated, tested, and board-approved; and third, update M&A due diligence and warranty frameworks to reflect the expanded scope of compliance obligations. German boards that treat compliance as a governance priority, rather than a delegated back-office function, will be best protected against the enforcement risks that lie ahead.

FAQs

What new compliance duties will German management boards face in 2026?
Boards must oversee updated corporate criminal liability obligations, ensure GWG/AML programmes meet new risk-based standards, strengthen sanctions screening, and update M&A due diligence and reporting lines. The adequacy of the compliance management system is now a codified factor in corporate sanctioning decisions.
By documenting reasonable delegation, commissioning independent compliance audits, adopting and evidencing an effective compliance programme, ensuring timely escalation of incidents, and obtaining appropriate D&O insurance coverage. Contemporaneous documentation of board discussions and resolutions is the most important defensive measure.
A risk-based CDD regime, sanctions and PEP screening using current lists, transaction monitoring, SAR reporting processes, regular staff training, comprehensive recordkeeping for the full statutory retention period, and periodic independent testing of the programme’s effectiveness.
Expand due diligence scope to include AML and sanctions programme adequacy, supplier and third-party compliance, ESG-related regulatory risks, and enforcement history. Update SPA warranties and representations to address compliance programme existence and adequacy, and negotiate remediation holdbacks or compliance escrow arrangements for higher-risk targets.
When an internal investigation reveals systemic or senior-level complicity, ongoing criminal conduct, or material regulatory breaches with significant public or market harm. Self-reporting should always follow legal advice and be conducted with full privilege protections in place. Voluntary disclosure is increasingly treated as a mitigating factor under the 2026 framework.
Supervisory boards (Aufsichtsrat) face heightened oversight duties and must document their monitoring of the Vorstand’s compliance activities more rigorously. Executive boards (Vorstand) retain operational responsibility for compliance programme design and implementation. Both tiers must ensure adequate documentation and evidence of oversight to satisfy the 2026 requirements.
Personal criminal liability remains possible where individual culpability or wilful neglect of supervisory duties is established, particularly under § 130 OWiG. Early indications suggest prosecutors are more willing to pursue individual board members where compliance failures are systemic and documented warnings were disregarded. Boards should focus on the mitigation steps outlined above to reduce this exposure.
