Regulatory Relevance Assessment

The legal landscape for companies and organisations is constantly evolving. Keeping track is not easy. In addition to sector-specific regulations, new requirements at EU level regularly affect national legislation.
With a Regulatory Relevance Assessment, we support organisations in identifying applicable regulatory requirements and assessing them from a compliance and risk perspective.

“Another new law?!”

You are probably familiar with this thought from your daily business routine. Companies are confronted with an increasing density of regulation, and the intervals between legislative changes are becoming shorter. Even a seemingly simple amendment — for example, the adjustment of a threshold value — may require immediate changes to internal processes.

A recent example is the implementation of the NIS 2 Directive across EU Member States. National implementation acts significantly expand the scope of regulated entities and introduce enhanced governance, documentation and risk management obligations.

Against this background, it is essential to stay informed and to establish an internal process that continuously monitors and evaluates the relevance of new or amended legal requirements.

Our Approach to a Regulatory Relevance Assessment

A Regulatory Relevance Assessment (Compliance Impact Assessment) aims to identify and prioritise potential compliance risks. The starting point is always your organisation, your business model and your industry.

Our assessment typically includes the following steps:

  1. Identification of regulatory relevance: Structured analysis and prioritisation of new or amended legal requirements with regard to your organisation, business model and sector.
  2. Assessment of your current compliance management system: Review of the status quo of your existing compliance structures.
  3. Clarification of responsibilities: Identification of the responsible department and the designated “risk owner”.
  4. Alignment with your compliance management system (CMS): Comparison of regulatory requirements with existing policies and processes, including recommendations for implementation or further development of a CMS where necessary.

The results of the Regulatory Relevance Assessment serve as the foundation for a structured Compliance Management System (CMS). A CMS enables the systematic handling of compliance risks and forms the basis for implementing an effective compliance strategy.

By managing compliance risks proactively, organisations can avoid financial penalties and reputational damage while strengthening a culture of integrity and responsible leadership.

Certification under ISO 37301 provides internationally recognised confirmation of a robust Compliance Management System.

Overview of Relevant Laws and Regulatory Frameworks

Through our Regulatory Relevance Assessment and our expertise in compliance, we support you in identifying and implementing the regulatory requirements applicable to your organisation. In view of the wide range of obligations, it is important to move from reactive responses to proactive governance.

Privacy & Data Protection

  • General Data Protection Regulation (GDPR)
  • Specific data protection laws of EU Member States
  • Non-EU data protection laws (e.g. Brazil (LGPD), China (PIPL), India, Mexico, Switzerland, Türkiye, USA, United Kingdom)
  • Church data protection regimes
  • Sector-specific privacy frameworks (e.g. healthcare, telecommunications, employment-related privacy laws)
  • Telecommunications and digital services data protection frameworks

Information and Cyber Security

  • NIS 2 Directive and national implementation acts
  • EU Cybersecurity Act (CSA)
  • Cyber Resilience Act (CRA)
  • Digital Operational Resilience Act (DORA)
  • Sector-specific security standards
  • Energy and telecommunications regulatory frameworks
  • Critical infrastructure regulations

Artificial Intelligence (AI)

  • AI Act (AI Regulation)
  • National implementation and supervisory frameworks
  • Sector-specific AI compliance requirements
  • AI systems in HR, healthcare, finance and critical infrastructure

Data Governance

  • Data Act (DA)
  • Data Governance Act (DGA)
  • Digital Services Act (DSA)
  • Digital market and platform regulations
  • Health data frameworks at EU level
  • Data sharing and interoperability obligations

Compliance (Corporate & Regulatory Governance)

  • Anti-money laundering legislation
  • Whistleblower protection legislation
  • Administrative offence frameworks
  • Protection of trade secrets
  • Accessibility legislation / European Accessibility Act (EAA)
  • Equal treatment and anti-discrimination law
  • EU Pay Transparency Directive
  • Unfair competition law
  • Supply chain due diligence legislation / Corporate Sustainability Due Diligence Directive (CSDDD)
  • EU Deforestation Regulation (EUDR)
  • Corporate Sustainability Reporting Directive (CSRD)

Special Focus: Germany

For organisations operating in or targeting the German market, regulatory relevance assessments require particular attention to the structural and enforcement characteristics of the German legal system.

German legislation may apply even where an organisation does not have a physical establishment in Germany. Regulatory obligations can be triggered, for example, by offering services to the German market, targeting German customers or employees, operating digital platforms accessible in Germany, processing data of individuals located in Germany, or providing services in regulated sectors such as healthcare, energy, financial services or critical infrastructure.

Accordingly, international organisations frequently face the question whether – and to what extent – German law applies to their business activities. A structured Regulatory Relevance Assessment provides clarity on jurisdictional reach, supervisory competence and resulting compliance obligations.

Germany has a long tradition of detailed regulatory frameworks and comparatively active enforcement practice. Supervisory authorities — particularly in the areas of data protection and IT security — are well resourced and experienced. The country’s federal structure results in multiple competent authorities with established case law and enforcement history. In practice, this leads to a comparatively high level of regulatory scrutiny and enforcement intensity.

EU regulations are often supplemented by detailed German implementation acts that introduce additional governance, documentation and organisational duties. This is particularly visible in the areas of IT security (e.g. NIS 2 implementation), critical infrastructure, healthcare and digital services.

A distinctive feature of the German legal system is the strong framework of co-determination under the Works Constitution Act (BetrVG). Many compliance, digitalisation and AI-related initiatives trigger mandatory participation rights of the Works Council, especially in connection with employee data processing, monitoring technologies, whistleblowing systems or AI-based HR tools. Even international groups implementing global compliance or HR systems must assess German co-determination requirements where employees in Germany are affected.

Another unique aspect is the existence of autonomous church data protection regimes. Organisations affiliated with the Catholic or Protestant Church are subject not only to the GDPR but also to independent church data protection laws (KDG and EKD), enforced by separate supervisory authorities. These parallel regimes require specific assessment within compliance structures.

Sector-specific regulation is particularly pronounced in Germany, especially in healthcare, medical devices, clinical research, energy, financial services and critical infrastructure. The interplay between EU regulations and national legislation often requires coordinated, interdisciplinary analysis.

Within this context, our Regulatory Relevance Assessments regularly include consideration of, inter alia:

  • German Federal Data Protection Act (BDSG) and State Data Protection Acts (LDSG)
  • Telecommunications-Digital Services Data Protection Act (TDDDG)
  • Church Data Protection Acts (KDG and EKD)
  • Social Code (SGB), Genetic Diagnostics Act (GenDG), Security Clearance Act (SÜG)
  • BSI Act (BSIG) and German NIS 2 Implementation Act
  • IT Security Act (IT-SiG) and Critical Infrastructure Regulation (BSI-KritisV)
  • Technical Guidelines of the BSI and BNetzA security catalogues
  • Energy Industry Act (EnWG)
  • Medical Devices Implementation Act (MPDG) and Digital Health Applications Regulation (DiGAV)
  • Pharmaceuticals Act (AMG) in the context of clinical trials
  • German Money Laundering Act (GwG)
  • Whistleblower Protection Act (HinSchG)
  • Act on the Protection of Trade Secrets (GeschGehG)
  • Accessibility Strengthening Act (BFSG)
  • General Equal Treatment Act (AGG)
  • Act Against Unfair Competition (UWG)
  • Supply Chain Due Diligence Act (LkSG)

This integrated approach ensures that German regulatory developments are assessed not in isolation, but in light of their jurisdictional reach, enforcement practice and interaction with EU law — particularly for international organisations evaluating the applicability of German legislation to cross-border business models.

Contact Us for a Regulatory Relevance Analysis

Get in touch with our experts for a Regulatory Relevance Analysis to ensure your organisation meets all applicable legal requirements.

Wiebke Kummer

Wiebke Kummer, Jurist

ppa | Head of Compliance International

Email: wkummer@re-move-this.first-privacy.com

Phone: +49 421 69 66 32-884

FIRST PRIVACY GmbH, Bremen

Cihan Parlar

Cihan Parlar, LL.M.

Managing Director

Email: cparlar@re-move-this.first-privacy.com

Phone: +31 20 211 71 16

FIRST PRIVACY B.V., Amsterdam

Markus Strasser

Markus Strasser, Mag. iur.

Managing Director | Senior Privacy Counsel

Email: mstrasser@re-move-this.first-privacy.com

Phone: +43 662 62 10 04-11

FIRST PRIVACY Austria GmbH, Salzburg

If your inquiry concerns an organisation based in Germany, the following contacts will assist you.

Dominik Bleckmann

Dominik Bleckmann, Lawyer

ppa | Head of Compliance

Email: dbleckmann@re-move-this.datenschutz-nord.de

Phone: +49 421 69 66 32-349

datenschutz nord GmbH, Bremen

Markus Schönmann

Markus Schönmann, Lawyer

Head of Compliance | Senior Privacy Counsel

Email: mschoenmann@re-move-this.datenschutz-sued.de

Phone: +49 931 30 49 76-24

datenschutz süd GmbH, Würzburg