Crisis Management 2026

Last Updated March 24, 2026

Germany

Law and Practice


Noerr is one of Europe’s leading law firms, and anticipates developments, transforms change into advantage and charts new ways into the future in a rapidly moving world. Noerr supports international companies, family-owned businesses, financial investors and the public sector in achieving maximum impact, long-term viability and resilience by offering solutions with a strategic vision. Noerr employs over 500 lawyers, tax advisers and auditors at ten offices in five countries. Key office locations include Munich, Berlin, Frankfurt and Düsseldorf, in addition to international offices in New York and London. Noerr offers comprehensive expertise in the areas of corporate law, capital markets, M&A and compliance, as well as industry knowledge in technology, finance and regulation. Its expertise in compliance ranges from assisting companies in antitrust and criminal investigations to advising on D&O liability issues. This also includes advising on the implementation and development of risk management systems in companies.

Key Aspects of Crisis Management

For the purposes of this article, the authors define “crisis” as any internal or external situation that poses an acute and significant threat to an organisation’s reputation, assets or operations and that therefore requires immediate action. Crisis management is understood as dealing with such situations.

The following aspects are particularly important.

Economic challenges

The economic challenges of previous years have prompted companies to enhance their crisis preparedness. After two years of recession, the German economy has returned to modest growth. According to initial calculations by the Federal Statistical Office (Destatis), the German GDP was 0.2% higher in 2025 than in the previous year. Businesses are still focusing on financial resilience and supply chain stability to navigate economic uncertainties.

Global political developments

Recent political manoeuvres have introduced new risks, leading companies to reassess their crisis management strategies to address potential political instability. Political changes can lead to delays or changes in the legislative process and can affect the country’s geopolitical stance, potentially altering international relations and trade agreements.

Cyber-attacks

Cyber-risks have become increasingly significant – especially due to an increase in cyber-attacks and the malevolent use of AI. This has driven more professionalised crisis structures, playbooks, and testing. Cyber crisis management has become the “default” crisis scenario.

Integration of AI

AI and machine learning enhance sales, predictive analytics, real-time monitoring and automated responses. Irresponsible implementation, especially in the absence of clear regulations, can become a catalyst for crises and lead to severe management failures. However, the use of AI in crisis management processes — ranging from predictive analytics for crisis forecasting to automating response plans — has become increasingly important.

Sanctions

Sanctions and export controls have become increasingly important following Russia’s invasion of Ukraine in 2022. Businesses with ties to Russia must remain vigilant as EU sanctions violations are legally punishable in Germany. To strengthen enforcement, Germany introduced the Sanctions Enforcement Acts I and II (Sanktionsdurchsetzungsgesetz – SDG I and II) in 2022, which expanded powers to investigate and seize assets, established a centralised sanctions enforcement body and increased anti-money laundering measures.

ESG/working conditions

This global trend reflects society’s increasing focus on sustainability, which is leading to greater scrutiny and potential legal consequences for companies. However, there has been an ongoing global regulatory shift concerning ESG issues, leading to significant legal uncertainty. On a European level, the European Commission has proposed so-called “omnibus packages” which aim to reduce regulatory requirements as well as bureaucracy. By the end of 2025, the European Commission had introduced a total of ten omnibus packages. In December 2025, the EU Parliament formally amended both the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD). On 26 February 2026, the Amending Directive (EU) 2026/470 was published in the Official Journal of the European Union. On a national level the German government aims to amend the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG).

The year 2025 also marked a turning point in the global approach to diversity, equity and inclusion (DEI). Companies reduced or rebranded DEI initiatives in response to political pressure and litigation risk, particularly in the United States. At the same time, EU and German law continued to impose anti-discrimination and equal treatment obligations.

Anti-money laundering

Certain provisions, such as Section 5 of the German Anti-Money Laundering Act (Geldwäschegesetz – GwG), mandate a risk analysis for money laundering and terrorist financing. The EU has established the Anti-Money Laundering Authority (AMLA), which commenced its operations in summer 2025. The GwG Reporting Ordinance was published in the Federal Law Gazette in October 2025. It specifies the form and content of suspicious transaction reports to the Financial Intelligence Unit (FIU) and is scheduled to enter into force in March 2026. Companies must stay alert to regulatory changes and address their money-laundering risks.

These trends have driven organisations to adopt proactive and comprehensive crisis management approaches, emphasising agility, regulatory compliance and stakeholder communication to effectively navigate developments.

The energy-intensive industries and the automotive and logistics sectors were the most susceptible to crises in the past 12 months. Geopolitical tensions (eg, between Russia and Ukraine) led to production stoppages, supply chain disruptions and increased costs. To enhance resilience, supply chains are being diversified, and investments in renewable energy are increasing. This is supported by government measures and technological innovations.

The primary laws governing crisis management in Germany include the following.

  • The Constitution of the Federal Republic of Germany (Grundgesetz, or GG) provides a framework for crisis responses. The GG stipulates that disaster control/relief is the responsibility of the federal states. However, special provisions allow disaster relief efforts by federal authorities in the event of natural disasters and accidents.
  • Each of the 16 German federal states has its own legislation on disaster management, specifying the roles and responsibilities of local authorities in crisis situations.
  • The Civil Defence and Disaster Relief Act (Gesetz über den Zivilschutz und die Katastrophenhilfe des Bundes, or ZSKG) regulates the protection of the population in the case of crises, and defines the framework for disaster assistance in the event of natural disasters and major emergencies.
  • The Act on Fire Protection, Assistance and Disaster Control (Gesetz über den Brandschutz, die Hilfeleistung und den Katastrophenschutz, or BHKG) regulates fire protection and disaster control measures at state level and the duties of local authorities.
  • The German Civil Code (Bürgerliches Gesetzbuch, or BGB) contains special clauses on force majeure. These clauses allow companies to modify or suspend contracts in the case of natural disasters and other unforeseeable events.
  • The Environmental Damage Act (Umweltschadensgesetz, or USchadG), the Environmental Liability Act (Umwelthaftungsgesetz, or UmweltHG) and the Federal Soil Protection Act (Bundesbodenschutzgesetz, or BBodSchG) are relevant for man-made crises, such as industrial accidents.
  • The Federal Emission Control Act (Bundesimmissionsschutzgesetz, or BImSchG) is relevant for man-made crises, such as industrial accidents.
  • The Infection Protection Act (Infektionsschutzgesetz, or IfSG) defines safety measures to protect public health in the event of pandemics and infectious diseases.
  • The Corporate Stabilisation and Restructuring Act (Gesetz über den Stabilisierungs- und Restrukturierungsrahmen für Unternehmen, or StaRUG) provides companies with instruments for early restructuring and avoiding insolvency by enabling them to take independent restructuring measures and involve creditors in the process.
  • Company owners can be held liable under Section 130 of the German Administrative Offences Act (Gesetz über Ordnungswidrigkeiten, or OWiG) if they fail to take appropriate supervisory measures that could have prevented or significantly impeded a breach of duty. Effective supervision therefore requires a clear understanding of the risks and a constant risk analysis.
  • The duty to assess risks also derives from the duty of legality (Legalitätspflicht) pursuant to Section 93 of the German Stock Corporation Act (Aktiengesetz, or AktG). Additionally, Section 91 of the AktG mandates a monitoring system to identify threats at an early stage. The German Federal Court of Justice emphasises that board members fulfil their obligations only by establishing a compliance programme focused on risk prevention. This requires a profound culture of compliance within companies (see 3.3 Executive Liability).

These laws are enforced by federal, state and local governments and their designated authorities.

In Germany, there have been recent amendments to or ongoing discussions about amending the following laws.

  • Cybersecurity laws have become more stringent with the introduction of the European Network and Information Security Directive (NIS 2). The NIS 2 Directive was transposed into national law and came into force in December 2025, requiring organisations in critical sectors (energy, finance, health, IT services) to implement comprehensive cybersecurity measures.
  • The Critical Infrastructure Umbrella Law (KRITIS-Dachgesetz or KRITIS-DachG) progressed at federal level (cabinet decision in September 2025; parliamentary debate ongoing). Once implemented, this legislation aims to enhance the resilience of critical infrastructures, ensuring that vital sectors such as energy, water and transportation can withstand crises and continue to operate effectively.
  • In September 2025, the German Federal Cabinet proposed an amendment to the LkSG, aiming to abolish the reporting requirements under Section 10(2) LkSG with retrospective effect for the reporting period from 1 January 2023. The German Federal Cabinet also published a draft bill to transpose the CSRD.
  • The GwG Reporting Ordinance was published in 2025 and is set to apply from 1 March 2026, specifying electronic format and minimum content standards for FIU reports.

Third-party litigation funding is generally lawful in Germany and increasingly used in complex and high-volume disputes. However, collective redress mechanisms remain procedurally limited compared to common law jurisdictions.

In response to the Diesel emissions scandal and broader consumer protection concerns, the model declaratory action (Musterfeststellungsklage) was introduced in 2019. Individual consumers, however, were still required to enforce their claims separately if voluntary compliance failed. To address this enforcement gap, the action for redress (Abhilfeklage) was introduced in 2023. It enables consumer associations to seek direct performance or payment on behalf of registered consumers.

As a result, collective litigation in Germany has become more effective in crisis-related mass harm scenarios. Companies face increased exposure to co-ordinated claims, reputational pressure, and settlement dynamics, even though US-style class actions remain unavailable.

The Federal Ministry of the Interior (Bundesministerium des Inneren und für Heimat, or BMI) is responsible for co-ordinating civil protection and disaster management at the federal level. It oversees preparedness actions, develops policies, provides guidelines and supports state authorities. The Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, or BBK) plays a central role in co-ordinating civil defence measures. It implements civil protection policies, organises training, and provides resources and information for crisis management.

The federal government monitors and evaluates crisis response measures through reporting by the ministries and authorities involved, as well as through reviews and follow-up of operations to optimise future procedures.

In Germany, crisis management is primarily framed at the federal level, while implementation and enforcement largely rest with the federal states (Länder). This division results in a multi-layered regulatory framework. Federal law sets overarching obligations and co-ordination mechanisms, whereas state authorities exercise decisive powers in areas such as civil protection, public safety, health emergencies, and infrastructure disruptions.

Federal institutions, such as the Technisches Hilfswerk (THW), support state and local authorities by providing technical expertise, equipment, and personnel. However, they do not replace state-level command structures.

For companies, this allocation of competencies may create practical challenges during crises. In practice, companies address these challenges through authority mapping, decentralised compliance structures, and crisis management frameworks.

Local and state authorities play a central operational role in the oversight of crises affecting the public.

While the legal framework is largely defined at federal level, implementation, supervision, and enforcement are primarily carried out by state and local authorities. At the local level, municipalities and districts are responsible for executing specific crisis measures.

As part of their duties, public authorities are obliged to review their ability to respond adequately to crises. This ensures that effective action can be taken if necessary.

The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, or BaFin) plays an important role, ensuring that institutions in the financial sector have appropriate emergency and crisis plans in place. It is responsible for monitoring the financial stability of such institutions.

The Federal Network Agency (Bundesnetzagentur, or BNetzA) ensures that critical infrastructure sectors, such as energy, telecommunications and transportation, meet specific security and preparedness standards. For public institutions, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) provides guidelines on IT security and resilience, and assesses measures to secure the digital infrastructure. Independent studies and audits contribute to the review of crisis preparedness and ensure that both private and public organisations have a suitable framework for crisis situations.

There are mandatory mechanisms to ensure public reporting and provide transparency in Germany. This includes but is not limited to sector-specific disclosure requirements designed to create transparency in dealing with crises. For example, there is an ad hoc disclosure obligation in capital markets, and there are reporting obligations under the German Banking Act (Kreditwesengesetz, or KWG) for the granting of certain loans, including with regard to ESG. There are further transparency requirements under the Freedom of Information Act (Informationsfreiheitsgesetz, or IFG).

  • The ad hoc disclosure obligation requires listed companies to promptly publish information that could significantly affect their share prices. This includes transparency about financial health and reporting on the impact of crises, disclosing material risks from economic downturns or disruptions. This obligation aims to ensure market transparency and prevent insider trading, as outlined in the European Market Abuse Regulation (MAR). In Germany, the BaFin enforces compliance, and violations can result in administrative penalties and significant fines.
  • According to Section 18 of the KWG, credit institutions are sometimes obliged to disclose the financial circumstances of their borrowers.
  • Though primarily focused on ESG aspects, the CSRD requires large companies to report on their sustainability and resilience strategies, including those related to crisis situations. The German Federal Cabinet published a draft bill to implement the CSRD. The scope of the CSRD was significantly reduced as a result of the European Commission omnibus-initiative.
  • Furthermore, the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG) mandates that companies report on their efforts to identify and mitigate human rights and environmental risks within their supply chains. As part of their due diligence obligations, companies must publicly disclose actions taken to address these risks, which can also include crisis-related measures. However, in September 2025, the German Federal Cabinet proposed an amendment to the LkSG. The Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle, or BAFA) has since stopped the examination of LkSG company reports and announced procedural simplifications.
  • In the public sector, Germany has the IFG, which allows citizens to request information from federal authorities. This contributes to transparency by enabling public access to government-held information, including crisis response actions.

These mandatory mechanisms ensure that both private and public entities remain accountable and transparent about their crisis response actions, thereby enhancing the overall resilience and preparedness of German society.

Germany has established specific regulatory requirements for crisis management and prevention across key sectors such as healthcare, finance, and critical infrastructure.

Healthcare

Hospitals are mandated to enhance their IT security measures in order to comply with the standards of the BSI. By the end of 2021, all hospitals were required to upgrade their IT systems accordingly. Furthermore, each state has its own health authority to supervise public health crisis management, requiring the development of guidelines and response protocols for health crises.

Finance

Financial institutions must adhere to stringent crisis management protocols as outlined by the BaFin. These include maintaining robust risk management frameworks and ensuring liquidity to handle potential crises.

Critical Infrastructure

Since 2009, Germany has implemented a National Strategy for Critical Infrastructure. The KRITIS-DachG is designed to introduce cross-sector requirements for operators of critical infrastructures, necessitating comprehensive risk management strategies. Companies are required to register and implement protective measures to comply with this legislation. The German Federal Cabinet passed a bill on the KRITIS-DachG in September 2025.

In Germany, there are several pre-structured public-private co-operation frameworks to enhance crisis prevention and response.

  • The BBK expressly promotes co-operation between public and private sectors in relation to civil protection. It develops concepts and programmes that facilitate the involvement of private companies in crisis prevention and management.
  • The federal government of Germany’s “Disaster Risk Management in and by Germany” (Katastrophenrisikomanagement in und durch Deutschland) initiative (KatRiMa) provides detailed information on actors, strategies, instruments or best practices for disaster risk management in and by Germany. As KatRiMa is a participatory information platform, this information is provided by the respective stakeholders, compiled in co-operation with them and/or on the basis of publicly accessible sources.
  • In Germany, PPP models in infrastructure and technology sectors can also be adapted for crisis situations. These partnerships allow for shared investment and risk management in projects that strengthen resilience, such as critical infrastructure development and maintenance.
  • The BSI collaborates with private companies to enhance cybersecurity resilience against threats that could escalate into crises. Information-sharing initiatives and joint exercises are part of this co-operative framework, ensuring that critical infrastructures are protected and prepared.
  • In sectors such as energy and finance, specific alliances exist to prepare for and respond to crises. These alliances often involve contingency planning, joint simulations and communication protocols to minimise disruption and facilitate a swift recovery. One sector-specific alliance in Germany is the so-called Energiepartnerschaft (Energy Partnership) framework. This initiative involves co-operation between public authorities, energy companies and industry associations to address energy security, grid stability, and crisis preparedness. By uniting key stakeholders, the Energy Partnership aims to ensure that Germany’s energy sector can effectively manage crises and transition towards more sustainable energy sources.

Germany has a national crisis management policy framework that is structured to address various types of crises. This framework is anchored in several laws and regulations as well as in the crisis management developed at federal and state level.

The national crisis management plan is divided into several stages: prevention, preparation, response and recovery. It includes co-ordination between various state institutions, such as the BBK and other relevant authorities at state and local level.

The BMI supervises crisis management and co-ordinates with other ministries (such as the Federal Ministry of Health) during health crises. Central to this is the federal government’s crisis team, which unites relevant ministries and authorities for a co-ordinated approach when necessary. At the operational level, situation centres in ministries, such as the BBK, are responsible for crisis response (see 2.11 National Crisis Management Plan).

Regular co-ordination at various government levels facilitates real-time communication and strategy adaptation. Federal and state agencies conduct joint exercises and simulations to refine protocols, test communication channels and enhance co-ordination.

Through these mechanisms, Germany ensures that government entities can work together effectively.

In multi-jurisdictional crises, companies typically co-ordinate their response through a centralised crisis governance structure. Strategic decisions are defined at group level whilst considering local regulatory requirements. This approach aims to ensure consistency while preserving compliance with mandatory local rules.

The primary challenge arises from diverging regulatory regimes and timelines. During a crisis, differences must be reconciled in real time, often on the basis of incomplete or evolving facts. This increases the risk of inconsistent disclosures, delayed notifications, or regulatory breaches.

A further challenge is maintaining a coherent global legal and communications strategy while managing parallel enforcement actions in multiple jurisdictions.

Depending on the nature of the incident, companies may be subject to reporting obligations in several jurisdictions at the same time. Incidents with cross-border effects can trigger notification duties towards different authorities.

The main difficulty is the lack of alignment between reporting standards and timelines. Companies usually address this through central co-ordination and early legal assessment, allowing notifications to be sequenced and aligned. The aim is to meet mandatory local requirements while ensuring factual consistency and, where appropriate, safeguarding legal privilege across jurisdictions.

Companies typically structure their crisis management plans to align with:

  • legal requirements;
  • industry best practices, such as the German Corporate Governance Code;
  • standards issued by the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer, or IDW); and
  • international standards such as ISO 22301 (Business Continuity Management) and ISO 31000 (Risk Management).

German companies emphasise risk assessment, regulatory compliance and structured response protocols to ensure resilience during crises.

Key components of an effective crisis management strategy in Germany are as follows.

  • Risk assessment and prevention:
    1. identifying potential crises;
    2. conducting vulnerability and impact analyses; and
    3. establishing preventative measures to minimise risks.
  • Legal and regulatory compliance – ensuring compliance with German regulations such as the LkSG, the GDPR and the IT Security Act.
  • Crisis team and leadership structure:
    1. designating a crisis management team with clear roles;
    2. establishing a chain of command and decision-making hierarchy; and
    3. assigning an incident commander to oversee response efforts.
  • Crisis communication strategy:
    1. developing internal and external communication protocols;
    2. ensuring transparency and timely updates to stakeholders; and
    3. utilising multilingual communication where needed (especially for multinational corporations and cross-border crises).
  • Business continuity planning:
    1. creating contingency plans for operations, IT infrastructure and supply chains;
    2. ensuring redundancy in key areas; and
    3. regularly testing and updating continuity plans.
  • Emergency response and operational resilience:
    1. establishing a Standard Operating Procedure (SOP) for different crisis scenarios;
    2. conducting training and simulation exercises; and
    3. co-ordinating with local emergency services and government agencies (eg, the BBK).
  • IT security and cyber-resilience:
    1. implementing cybersecurity protocols in line with the BSI guidelines;
    2. preparing for cyber-attacks with incident response plans and back-up solutions; and
    3. conducting penetration testing and continuous monitoring.
  • Regular testing and exercises – conducting exercises to test incident response.
  • Post-crisis evaluation and adaptation:
    1. conducting a “lessons learned” analysis after a crisis;
    2. updating policies; and
    3. engaging in stakeholder feedback.

In Germany, various legal provisions require the establishment of a risk management system (eg, Section 91(2) of the AktG). However, the specific design of this system is not mandated by law; companies are allowed to design this system according to their individual needs.

Therefore, the organisation of companies’ internal governance depends on multiple factors, such as size of the company, risk proneness of the services provided and previous points of contact with critical issues. Companies typically organise their internal governance for crisis prevention and response through different structures that sometimes also include special crisis committees dealing specifically with the preparation and management of crisis situations. However, there is no obligation to establish a crisis committee; whether this is necessary depends on the impact of the crisis. While a low-impact crisis might be handled by a sole crisis manager, crises with a greater impact may need to be handled by a dedicated risk management committee.

Directors and officers may face both civil and criminal liability in crisis situations. Their core obligations derive from the duty of legality and proper management under German corporate law, including the duty to assess risks and to establish appropriate monitoring and compliance systems.

Civil liability may arise if a crisis is attributable to inadequate governance, delayed decision-making, or breaches of regulatory obligations, including reporting duties. Criminal liability may apply in more severe cases, particularly where crises involve fraud, insolvency offences, environmental harm, sanctions violations, or serious compliance failures.

Individual liability may be mitigated through compliance and risk management systems, well-documented decision-making processes, and the early involvement of legal experts (“expert reliance defence”). The business judgment rule offers protection where management decisions are taken on an informed basis and in the company’s best interest. In addition, D&O insurance, indemnification arrangements, and a clear allocation of responsibilities may provide practical safeguards.

Larger companies or those in high-risk industries tend to have permanent crisis committees to evaluate risks and prepare for potential crises, while others convene them on an ad hoc basis as required. Their formation and structure can vary by industry, company size and the respective crisis. Common features of crisis committees are a clear structure with defined roles and responsibilities, regular meetings to update crisis plans and the organisation of crisis exercises. In terms of the degree of independence, a crisis committee usually has limited autonomy and works closely with the company management.

A crisis management team typically consists of members from various key departments to ensure a comprehensive response. These members usually include the following.

  • Head of crisis management – often a senior executive or a person in a high-level management position such as the Chief Operating Officer or Chief Risk Officer, who oversees the overall crisis management efforts.
  • Legal and compliance officer – responsible for assessing legal implications and ensuring compliance with relevant regulations.
  • Public/investor relations officer – manages internal and external communications, drafts messages for stakeholders (including capital markets communication) and maintains the company’s public image.
  • HR representative – looks after employee matters during a crisis, manages internal communications and oversees any necessary changes related to staffing levels.
  • IT and security expert – deals with data security issues and ensures the integrity and resilience of IT systems.
  • Operations manager – focuses on maintaining or restoring normal operations and minimising disruptions.
  • Financial officer – assesses the financial impact of the crisis and manages budgetary considerations.
  • External experts (if needed).

The frequency of meetings depends on the severity and nature of the crisis.

Companies usually engage external experts (such as lawyers and communication experts) to support crisis management and prevention, especially if they lack specific expertise or need an unbiased, objective perspective. External experts provide specialised knowledge, experience from past crises and resources that are not readily available within the company. If lawyers serve on the crisis committee as external experts, communication may be protected by attorney-client privilege.

External advisers possess strong analytical skills, strategic foresight and the ability to make quick, informed decisions under pressure. Their experience helps businesses prepare for crises. Their investigative skills allow them to assess past failures, mitigate risks and implement sustainable solutions to prevent recurrence.

The criteria for selecting external experts usually include the following.

  • Expertise and experience – the expert’s track record in dealing with similar crises or their specific industry experience are key.
  • Reputation and references – companies often look for experts or firms with a good reputation and positive references from previous clients.
  • Approach and methodology – the strategies and methods proposed by the experts should be in line with the needs and culture of the company.
  • Availability and responsiveness – the experts must be available to respond quickly, as crises can occur unexpectedly.
  • Communication skills – clear and effective communication is essential to ensure co-operation and understanding between the company and the external experts.
  • Cost-effectiveness – as regards budget considerations, companies may assess the potential return on investment of hiring external experts against the costs involved.

In Germany, third-party and supply-chain risks are primarily managed through ex ante contractual risk allocation and predefined escalation mechanisms, rather than ad hoc intervention during a crisis. Key suppliers are increasingly integrated into companies’ crisis management plans, particularly where operational resilience or regulatory compliance is critical.

Contracts typically include notification obligations requiring third parties to promptly inform the company of incidents that may affect performance or trigger regulatory duties. In addition, contracts often provide audit and information rights, allowing companies to assess compliance and risk exposure.

Common indicators used by companies to assess the success of crisis management efforts include the response time and the effectiveness of communication strategies. Other indicators include minimising financial losses, maintaining business operations, employee and stakeholder satisfaction, and feedback from people involved in crisis management.

In order to continuously improve crisis management strategies, companies conduct follow-up meetings after a crisis (see 8.1 Post-Crisis Review: Learning Lessons).

While ESG requirements can themselves trigger corporate crises, especially when regulatory expectations diverge across key markets, they also increasingly shape crisis management strategies, particularly in relation to supply chains.

Due diligence obligations require companies to identify adverse impacts, assess risks, and respond appropriately where violations occur or are imminent. These requirements are therefore increasingly embedded in crisis planning and response frameworks.

Crisis management is currently affected by shifting regulatory dynamics at EU and national level, which complicate planning and legal assessment. This creates legal uncertainty that must be factored into crisis preparedness.

Non-compliance with ESG-related obligations may trigger regulatory scrutiny, civil liability, and significant reputational harm.

Companies with global operations address human rights and labour issues through due-diligence frameworks that operate alongside the immediate operational response in a crisis. These frameworks are designed to identify risks to employees, contractors, and affected communities, and to trigger protective and remedial measures where necessary.

While group-wide standards and policies are commonly applied, legal obligations must be assessed on a jurisdiction-by-jurisdiction basis.

A company can identify a crisis and its potential legal implications through several channels. These include a direct approach from authorities (such as a warrant or dawn raid), internal whistle-blower reports, subpoenas, or external sources (such as media articles). The way a crisis is identified will often determine the immediate steps taken in response.

  • Crisis identification – it is vital to gather as much information as possible to provide the appropriate response to the crisis. To ensure no data is lost, the document preservation protocols are activated.
  • Initial communication – companies reach out to the crisis management and leadership team to provide preliminary information. The crisis management team co-ordinates and aligns the response efforts.
  • External engagement – depending on the nature and severity of the crisis, companies might engage external legal counsel, forensic experts, auditors or other specialists.

To assist with the crisis identification and communication, companies may use tools such as risk management software, alert systems and communication platforms.

Companies use various frameworks or models for crisis management, often inspired by international standards such as ISO 22301, which provides a framework for business continuity management. In critical infrastructure sectors in particular, there are strict legal requirements, such as the KRITIS regime (see 2.9 Sectorial Requirements) or the BSI’s IT-Grundschutz (IT baseline protection) methodology for cybersecurity (see 3.1 Crisis Management Plans).

Another essential standard is IDW S 6, issued by the Institute of Public Auditors in Germany (IDW). It sets out the requirements for a comprehensive restructuring concept that assesses a company’s viability in a crisis and is prepared by an independent third party. Additionally, a draft of a new IDW standard (IDW ES 16) on the design of crisis early detection and crisis management in accordance with Section 1 of the StaRUG has been published.

Typically, a company’s crisis response plan contains several key elements:

  • crisis identification and assessment;
  • response strategies;
  • communication plans for internal and external stakeholders;
  • roles and responsibilities;
  • resource management;
  • recovery strategy; and
  • business continuity measures to quickly resolve business interruptions.

Companies usually identify and assess potential risks that could lead to a crisis as part of a systematic risk management process. This process often includes the following steps.

  • Identification of risks – companies use tools such as SWOT (strengths, weaknesses, opportunities, threats) analysis, brainstorming sessions and stakeholder consultations to identify potential risks in their business, industry and external environment.
  • Risk assessment – once the risks have been identified, they are assessed based on their likelihood and potential impact. Companies use risk matrices and quantitative models to prioritise risks and focus on those that pose the greatest threat.
  • Monitoring – continuous monitoring of identified risks using Key Risk Indicators (KRIs) and other metrics helps organisations detect changes that could increase the level of risk.
  • Regulatory and compliance reviews – companies often need to comply with legal and regulatory requirements that require specific risk assessments, particularly in highly regulated industries.

Risk factors relevant for crisis preparation include the following.

  • Operational risks – issues related to supply chain disruptions, equipment breakdowns, or inefficient processes.
  • Financial risks – market instability, currency fluctuations, credit risks and risks of insolvency.
  • Destructive intervention – destructive intervention (existenzvernichtender Eingriff) occurs when the company’s shareholders unlawfully withdraw the assets necessary for repaying its debts, thereby causing a crisis and potentially the company’s insolvency.
  • Reputational risks – negative publicity, brand damage and customer dissatisfaction.
  • Regulatory and compliance risks – changes in regulations, legal disputes and non-compliance with industry standards.
  • Geopolitical risks – political unrest and government changes.
  • Environmental risks – natural disasters, climate change impacts and resource scarcity.
  • Cybersecurity risks – data breaches, cyber-attacks and IT system failures.
  • Product liability/green claims – defective products or misleading marketing claims.

These risks can generally be mitigated by preventative measures.

  • Developing crisis management plans – creating comprehensive plans that define specific responses and responsibilities during a crisis.
  • Regular training and exercises – conducting training and simulations to prepare employees for various crisis scenarios.
  • Insurance and financial protection – use of insurance policies and financial instruments to protect against financial losses from identified risks.
  • Robust IT security and infrastructure – implementing security controls (such as access management, patching, monitoring and regularly tested back-ups) and investing in secure IT infrastructure to prevent and detect data breaches and to recover quickly from system failures.
  • Supplier diversification – reducing supply chain risks by sourcing materials from multiple suppliers.
  • Compliance programmes – establishing a genuine culture of compliance within the company to ensure adherence to legal and regulatory requirements.
  • Developing standard crisis communication materials – implementing communication structures and preparing statements that are easily adaptable to the crisis at hand.

By systematically identifying and assessing risks and implementing preventative measures, companies seek to minimise the likelihood and impact of potential crises.

Simulation exercises can prepare companies for potential crises. The frequency of such simulation exercises depends on company size, sector and risk exposure. Many companies conduct them at least annually. Some high-risk industries, such as finance, may perform exercises more frequently to ensure preparedness and compliance with regulatory requirements.

Common scenarios in simulation exercises include the following.

  • Cybersecurity breaches – tabletop exercises walk the crisis team through a simulated incident (for example, ransomware or the exfiltration of personal data) to test detection, escalation, reporting deadlines and decision-making. The technical defences themselves are tested through “ethical hacking”, ie, authorised examinations of computer systems, networks or web applications to identify and fix security vulnerabilities. Ethical hackers simulate cyber-attacks using techniques similar to those of malicious hackers, but with the aim of improving system protection and preventing breaches. Best practices include partnering with certified ethical hackers, clearly defining the scope and objectives in writing (without express authorisation, the same activity may constitute a criminal offence, such as unauthorised access to data under Section 202a of the StGB), and thoroughly documenting findings and their remediation.
  • Natural disasters – exercises for events such as earthquakes, floods or fires test the company’s emergency response, evacuation procedures and business continuity plans.
  • Supply chain disruptions – companies simulate disruptions due to supplier failures or transportation issues to assess and improve their supply chain resilience.
  • Operational failures – scenarios may involve key equipment or system failures, testing maintenance and back-up processes.
  • Regulatory challenges – developments under public law frequently pose a challenge. Exercises may simulate regulatory investigations or audits to test whether the company can demonstrate compliance with public law requirements under time pressure.
  • Investigations – when investigating, authorities carry out dawn raids on a company’s premises if there is reasonable suspicion of an offence by the company, its management or one of its employees. Training on the “dos and don’ts” in the event of such a dawn raid and simulation of dawn raids (“mock dawn raid”) have proven useful.

By conducting these exercises regularly, companies aim to refine their crisis management strategies, improve team co-ordination and ensure that employees are well prepared to handle real-life crises effectively.

Companies provide training programmes to ensure employees understand best practices for crisis prevention and response. The training covers the crisis response plan, individual responsibilities and communication procedures. Employees also engage in simulations of critical scenarios to reinforce their roles.

Regular updates and refresher courses are recommended to keep staff informed about crisis management practices, and companies offer handbooks and online resources for easy access to protocols. Co-ordination with legal and compliance teams is essential to ensure awareness of operational and regulatory considerations.

Training initiatives are typically managed by crisis management teams or departments such as HR, with support from senior management to encourage participation.

Many companies implement specific policies for crisis preparation and prevention, establishing a crisis management framework that includes response procedures, communication plans, risk assessments and training for employees. These policies are formally documented and include procedures and measures for activation and communication.

To ensure that the crisis management plan remains effective, companies must regularly review and update their policies to reflect changes in their operational landscape and emerging risks.

During a crisis, companies face a plethora of legal challenges in Germany, not only caused by the crisis itself but by subsequent events such as internal investigations, criminal charges or third-party actions.

Overall, the following (potential) legal challenges can be identified.

  • Building trust – the management of a company is obliged to build and protect the company’s reputation, which includes building trust with relevant stakeholders. Trust established before a crisis is an important asset in overcoming critical situations.
  • Regulatory compliance and evolving legal frameworks – compliance with evolving laws, such as the LkSG, requires close monitoring to ensure compliance in complex supply chains. This is particularly important as German and European regulations might be applicable. Non-compliance may lead to fines, sanctions or business interruptions.
  • Civil liability and contractual obligations – defending against third-party legal actions, including collective redress, can lead to costly and time-consuming litigation.
  • Labour relations – facing issues in the workforce, including high absenteeism and union negotiations, can lead to litigation.
  • Financial distress – economic downturns increase the risk of insolvency, so management must closely observe German insolvency law, in particular the duties triggered by illiquidity or over-indebtedness, to avoid excessive debt and financial instability.
  • Data protection – compliance with strict data protection laws, such as the GDPR, is crucial, especially in the event of a crisis when data breaches or increased data processing may occur.

Addressing these challenges requires proactive and proper legal risk management, continuous monitoring of regulatory changes, and effective communication with stakeholders to mitigate potential legal impacts during a crisis.

Companies must ensure that they comply with all relevant regulations in order to minimise liability risks. This often requires close co-operation with compliance and legal departments. The following main authorities can represent significant exposure to legal liability for companies and management:

  • the Public Prosecutor’s Office in the case of criminal offences, including corporate crimes;
  • civil courts in civil proceedings arising from contractual breaches;
  • the Federal Environment Agency (UBA) or state environmental agencies in the case of violations of environmental law;
  • the BaFin in the event of breaches of financial laws and regulations;
  • the Federal Cartel Office in the event of breaches of competition law;
  • the BSI in the case of violations related to information security and critical infrastructure; and
  • the data protection supervisory authorities – the BfDI and, for most private companies, the competent state data protection authorities – in the case of data breaches or non-compliance with data protection obligations.

For internationally active companies, foreign or European enforcement authorities can also pose a risk. These can include the following:

  • the European Public Prosecutor’s Office – an independent and decentralised prosecution office of the EU, which has the competence to investigate and prosecute crimes against the EU budget, such as fraud, corruption or serious cross-border VAT fraud;
  • the EC – investigates suspected breaches of EU competition law;
  • the US Federal Trade Commission (FTC) – co-operates with foreign counterparts to enforce US consumer protection and privacy laws; and
  • other foreign authorities may investigate/enforce through administrative assistance from German authorities.

During a crisis, companies need to co-operate with enforcement and supervisory authorities – particularly on regulatory and legal matters, which may include regular reporting and (at times) appointing an external monitor to ensure compliance. Companies typically provide updates to authorities, with the frequency depending on the nature of the crisis and the legal requirements.

German companies assess potential legal risks and liabilities through risk management frameworks, internal audits and legal compliance reviews. This process includes identifying regulatory obligations, evaluating contractual risks and analysing past legal issues to prevent future liabilities. Legal teams, often in collaboration with compliance officers and external counsel, conduct due diligence, monitor legislative changes and review industry-specific risks.

Potential litigation risks are carefully analysed and re-evaluated on an ongoing basis to prepare companies for possible legal challenges and to develop appropriate risk mitigation strategies.

For further information see 4.3 Risk Assessment and Mitigation.

In-house teams play a crucial role in crisis management, ensuring compliance with laws and industry-specific regulations while mitigating legal and reputational risks. They support developing crisis management policies and procedures, and handle regulatory reporting, crisis communication oversight, contract disputes and potential litigation. Legal teams handle communication with regulatory authorities and participate in after-action reviews to assess the company’s response, identify any legal weakness and improve risk management.

The legal team’s structure depends on the company’s size, the industry in which it operates and the specific nature of possible crises. Typically, it includes in-house counsel familiar with the company, compliance officers ensuring regulatory adherence and regulatory experts with knowledge of complex legal frameworks. The legal team collaborates closely with executives to align legal and business strategies.

Many companies, especially in regulated sectors, engage external legal counsel for specialised expertise. External legal counsel is selected based on:

  • expertise;
  • industry and regulatory experience;
  • a strong crisis management track record;
  • availability and responsiveness; and
  • the ability to communicate complex legal concepts and strategies.

In complex cases, companies and their boards may even retain multiple law firms to cover different aspects of legal defence and reputation management.

In Germany, companies are subject to retention obligations under commercial law. For example, the German Commercial Code (Handelsgesetzbuch, or HGB) requires that consolidated financial statements, management reports and group management reports – as well as related work instructions – be retained for a period of ten years. Even if not required by German law, companies may consider implementing document holds as part of their due diligence, especially if they operate internationally and may face foreign investigations.

Document preservation should start early in a crisis, suspending automated deletion and retention rules (for example, in e-mail, file and collaboration systems) to avoid losing relevant information. Close collaboration with the IT department is vital for identifying custodians and determining the scope of preservation. Organisations must therefore establish and actively manage clear policies to ensure that all relevant information is properly captured, secured and retained to meet legal requirements.

Methods for capturing and storing relevant documents and evidence include:

  • document management systems;
  • action protocols if a crisis is identified;
  • data back-up solutions; and
  • e-discovery tools.

These methods also help the company to ensure compliance with legal requirements for evidence preservation.

Settlement arrangements for the consensual resolution of litigation arising from a crisis are typically based on the nature of the dispute, the parties involved and the specific circumstances. The following are suitable methods for resolving legal disputes in connection with a crisis:

  • settlement payment;
  • contract amendment;
  • injunctive relief;
  • non-monetary settlements; and
  • mediation or arbitration.

Non-monetary agreements may include agreements to implement changes in procedures and policies to address the issue that led to the crisis or litigation.

Settlement agreements must comply with the applicable laws and may require approval from authorities.

Common types of insurance include:

  • public liability insurance;
  • D&O liability insurance;
  • cyber liability insurance; and
  • legal expenses insurance.

Further, the scope of insurances may include:

  • environmental liability insurance;
  • business interruption insurance; and
  • specialised crisis management insurance.

To manage claims and obtain insurance cover, companies in Germany generally work closely with insurers or insurance brokers. This includes the following.

  • Immediate notification – companies must notify insurers immediately of any incidents or claims that could trigger insurance cover and ensure compliance with the terms and conditions of the policy.
  • Documentation and reporting – detailed documentation and reporting of the incident or claim so that insurers can properly assess the situation.
  • Collaborative claims management – continuous communication with insurers to efficiently manage claims and develop resolution strategies. This involves responding to any requests for additional information or clarification as well as co-operation in any investigation of the insurer.
  • Risk mitigation and compliance – demonstrating adherence to risk management practices and regulatory requirements, which can enable smoother claims handling. By demonstrating a proactive approach to risk management, companies can assure insurers that they have taken steps to minimise potential claims risks.

Through clear communication and compliance, companies can effectively use their insurance cover to manage crisis-related costs and litigation.

The term “reputation” refers to the perception and credibility of a company among its stakeholders – ie, shareholders, customers, employees and the public. Reputation can significantly influence the success and sustainability of a company. Proactive reputational management strategies – such as a functional compliance management system – foster stakeholder trust and ensure transparent communication.

After a crisis, companies must assess the impact on their reputation. Indicators include media analysis, customer feedback, stakeholder interviews and financial performance. Tools such as social media monitoring, brand perception surveys and analysis software aid in assessing public opinion. Additionally, share prices, customer retention rates and regulatory audits are key indicators of reputational damage.

To restore reputation after a crisis, companies take several steps.

  • Transparent communication and accountability – taking responsibility, issuing public statements, apologising where appropriate and providing regular updates to rebuild trust with stakeholders and the public and to demonstrate a commitment to resolving the issues.
  • Corrective action and monitoring progress – evaluating and implementing policy changes, compliance measures and training of employees.
  • Stakeholder engagement – rebuilding relationships with employees, customers, investors and regulators through proactive dialogue, as well as providing updates on recovery efforts and ongoing improvements.
  • Corporate social responsibility (CSR) initiatives – investing in CSR initiatives and launching sustainability projects, ethical business practices or community engagement programmes to improve public perception.
  • Rebranding and marketing initiatives – running PR campaigns, adapting brand messaging or emphasising corporate values to restore credibility.

There are various crisis reporting requirements in Germany, particularly including the following.

  • Listed companies must promptly disclose price-sensitive information to meet ad hoc publicity obligations, especially during crises that could impact the company’s value.
  • In accordance with Article 33 of the GDPR, personal data breaches must be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed (Article 34 of the GDPR).
  • Financial institutions are subject to supervision by the BaFin and must report significant risks and changes in their financial situation. This includes crises such as fraud, money-laundering incidents or other regulatory breaches.
  • Operators of critical infrastructures must report IT security incidents to the BSI.
  • Companies are often obliged to report environmental damages (Section 4 of the USchadG).
  • The management board of a stock corporation and the managing directors of a limited liability company are obliged to convene a shareholders’ meeting without undue delay when a loss amounting to half of the share capital arises (Section 92, paragraph 1 of the AktG; Section 49, paragraph 3 of the GmbHG).
  • Insurance policies may also require that the company notify its insurers immediately upon becoming aware of a potential claim, which may arise from a crisis.

Organisations co-ordinate communication between different stakeholders through well-structured communication strategies and clearly defined responsibilities. Typically, a centralised communications team or crisis communications department ensures consistent messaging. In addition to the crisis management team, the public relations officer is involved in drafting and disseminating messages.

Common triggers for communicating crises to stakeholders include:

  • regulatory requirements;
  • operational disruptions;
  • negative media coverage;
  • significant events that can have an impact on the business; or
  • incidents that attract public or media attention.

Effective internal communication during a crisis is essential for aligning employee responses and fostering trust. The crisis communication plan should outline how and when to convey information, using centralised channels and intranet updates. Companies must provide ongoing updates and a contact point for employee inquiries.

The first key stakeholders to be informed include:

  • executive leadership (CEO, board members, crisis management team) to make strategic decisions and co-ordinate responses (however, if the executive leadership has caused the crisis, the supervisory board may also be involved in making the strategic decisions);
  • legal and compliance teams, investor relations, communication teams and the supervisory board to assess risks, regulatory obligations and potential liabilities;
  • HR and employee representatives to handle workforce concerns, well-being and internal morale;
  • IT and security teams if the crisis involves cybersecurity threats or operational disruptions; and
  • department heads and team leaders to disseminate information effectively to employees.

Informing the supervisory board is essential as it oversees management’s actions during a crisis, provides strategic guidance, and ensures compliance with legal and regulatory requirements (see 6.4 Investor Relations).

An effective public and media communication strategy involves prompt and transparent messaging following a crisis to build credibility and trust with stakeholders.

Timing and the extent of the first communication depend on the unique circumstances of the crisis, as the origin and extent of the crisis might still be unknown. Companies must balance the benefits of timely communication with the risks of sharing incomplete or inaccurate information. The initial message sets the tone for future communications, and overpromising can lead to reputational damage. Therefore, it is crucial to avoid definitive commitments that may need to be retracted later.

Furthermore, all communications should deliver consistent messages. After a crisis is resolved, companies provide follow-up communication outlining what has been learned, changes that will be made and how future incidents will be prevented.

Another key strategy for effective crisis communication is proactive media engagement. This enables the company to have established points of contact and trusted sources when a crisis arises, helping to ensure that information is communicated quickly and accurately. Proactive engagement includes providing regular updates to the media, holding press conferences when necessary and giving interviews. This approach helps companies control the narrative, reduce speculation and prevent misinformation.

The main challenge for companies is that the situation changes rapidly during a crisis: they must keep pace with new information and changing circumstances while deciding on the proper extent and timing of communication, and they must filter an overwhelming amount of information to arrive at a clear response. Successful crisis communication explains the incident, simplifies complex issues and sets out possible solutions.

Companies communicate with investors and shareholders about crises and potential legal disputes through official channels such as ad hoc announcements, corporate news, quarterly reports and investor conferences/calls. They aim to communicate clearly and transparently about the nature of the crisis, potential impacts, and the steps being taken to mitigate risks. Transparency and immediate communication are crucial to maintain investor confidence. After the crisis, companies often provide follow-up reports to investors.

In addition, companies engage in direct communication with key institutional investors and major shareholders.

The supervisory board – in particular, the chairperson – needs to be addressed in a timely manner, as it ensures that the company’s response complies with legal and regulatory requirements. This is sometimes delayed due to reliance on management or the lack of established protocols for escalation in critical situations.

During a crisis, addressing customer concerns and maintaining trust is critical for companies. The following strategies are commonly used.

  • Transparent communication – companies should be open and honest about the situation, providing clear and accurate information. This includes acknowledging the issue, detailing the steps being taken to resolve it, and setting realistic expectations for resolution.
  • Timely updates – frequent updates help reassure customers that the company is actively managing the crisis. Timing is crucial to prevent misinformation and to keep customers informed of new developments.
  • Empathy and support – demonstrating an understanding of customers’ concerns helps maintain trust. Companies should offer support and solutions tailored to customers’ needs, such as refunds, replacements or additional services.
  • Dedicated crisis teams and hotlines – establishing crisis response teams and dedicated customer support hotlines can provide direct assistance and ensure that customer enquiries are addressed quickly and consistently.
  • Accountability – taking responsibility for the crisis can help restore confidence, especially when coupled with actions to prevent future occurrences.

During a crisis, German companies ensure that employees are informed and supported through transparent communication, dedicated support programmes, and leadership engagement. They can use regular updates via email, intranet portals, meetings and crisis hotlines to keep employees informed.

Companies often establish specific communication channels for those affected by a crisis, sometimes in response to the requirements based on the nature of the crisis.

For example, data protection law requires companies to notify affected individuals of a personal data breach where it is likely to result in a high risk to them (Article 34 of the GDPR). In addition, product safety and consumer laws require companies to communicate in crisis situations. Under the German Product Safety Act (Produktsicherheitsgesetz, or ProdSG), companies must take immediate corrective measures, including recalls, in respect of products that pose a risk to the health and safety of consumers and must inform the affected consumers. This also requires specific communication measures to reach the affected persons quickly. In accordance with the German Act for the Better Protection of Whistle-Blowers (Hinweisgeberschutzgesetz, or HinSchG), companies are required to establish and maintain internal reporting channels to allow employees to report violations.

Companies increasingly treat social media and digital platforms as integral elements of crisis management rather than as standalone communications channels. Digital media often surfaces incidents before internal reporting mechanisms, and uncoordinated online narratives can rapidly escalate legal and reputational exposure. Social media and digital platforms are therefore integrated into the crisis communication plan (see 4.2 Planning).

Companies increasingly incorporate technologies such as AI, big data, and, to a lesser extent, blockchain into crisis management frameworks to enhance early risk detection, decision-making, and response speed. Data-driven tools and dashboards are used to assess impacts, prioritise measures, and co-ordinate responses across jurisdictions in near real time.

At the same time, technology itself may become a source of crisis if its governance is inadequate. Crisis management plans therefore typically provide for human oversight and fallback procedures.

A key risk in the use of AI for crisis management concerns accountability and attribution. Management remains legally responsible for decisions, even where AI tools inform or recommend specific actions. Excessive reliance on automated assessments may be regarded as a breach of organisational and oversight duties if decisions later prove flawed.

Crisis situations often involve sensitive personal or business data, and accelerated processing through AI increases the risk of unlawful use, data leakage, or non-compliant cross-border transfers.

To mitigate these risks, companies limit AI to decision-support functions and ensure effective human oversight.

Companies carry out the “lessons learned” process after a crisis, conducting analysis workshops to assess the strengths and weaknesses of the crisis management system. This includes stakeholders, the crisis management team, managers and leaders from affected departments. Companies may involve external experts to provide an objective evaluation and specialised insights. The results are documented and reported.

The post-crisis reviews should include answers to the following questions.

  • Assessment of response:
    1. Was the response effective?
    2. What could have been improved?
  • Identification of root causes:
    1. What caused the crisis?
    2. Has this issue been resolved?
  • Reputation:
    1. Was the company’s reputation harmed?
    2. Which measures will rebuild the public’s trust?
  • Implementation of changes: how will changes be implemented in the crisis management system?

All findings need to be documented thoroughly.

Companies update their strategies and procedures after a crisis by transforming the “lessons learned” into concrete measures, which might include updating the crisis management plan, communicating any changes in crisis management to employees, and organising training. Companies establish mechanisms to monitor the effectiveness of updated policies and procedures. Implementing feedback systems also allows for continuous input after the policies have been updated. The approach outlined in 8.1 Post-Crisis Review: Learning Lessons is an iterative process that ensures that companies continuously learn from past experiences and strengthen their resilience to future crises.

Companies can measure the effectiveness of their crisis management strategies using various methods, such as:

  • assessing response time;
  • analysing the financial impact, and customer and employee satisfaction;
  • conducting debriefings to evaluate the implementation of crisis plans; and
  • post-crisis surveys or feedback.

Comparing performance in crisis situations with predefined key performance indicators (KPIs) helps to identify weaknesses and strengths.

There are several public sources for benchmarks, industry standards and best practices in the field of crisis management in Germany, which also help companies to stay updated. Organisations such as the BBK offer guidelines and resources related to crisis management and civil protection. International standards, such as ISO 22301 for business continuity management, also serve as a reference for best practice for companies. IDW standards, such as IDW S6, help enhance risk management by providing a structured and consistent framework that facilitates comprehensive risk assessment and accountability. This standardised approach promotes best practices, ensures regulatory compliance and supports continuous improvement in risk management processes.

Noerr

Speditionstraße 1
40221 Düsseldorf
Germany

+49 211 499 860

+49 211 499 860 100

info@noerr.com www.noerr.com

Trends and Developments


Key Considerations for Businesses in Regard to Crisis Management

Legal, political and economic changes pose significant challenges for companies looking to enter or expand into the German market. This article provides an overview of the most important trends and developments affecting businesses in Germany today and how crisis management can help address these challenges.

Germany’s Current Economic Landscape

Germany’s economy is characterised by a strong industrial base, technological innovation and a highly skilled workforce. However, recent global economic challenges – such as sanctions, energy costs, and supply chain disruptions – have had a substantial impact on almost all businesses. Economic growth has been sluggish. The country’s ambitious energy transition policy has created both opportunities and challenges for businesses. While subsidies and incentives exist for green energy investments, many companies are struggling with rising electricity costs.

Supply chain disruptions remain an issue, particularly due to ongoing geopolitical tensions such as the war in Ukraine and trade disputes with many countries. Raw material shortages and logistics bottlenecks are forcing businesses to adapt by diversifying suppliers and increasing local production.

In addition to these challenges, businesses are also confronted with national challenges such as the rising costs of labour, production materials, real estate, and construction.

The demand for local manufacturing capacity is surging as companies aim to minimise reliance on global supply chains. As businesses consider realigning their production strategies, Germany’s proximity to key European markets makes it a strategic choice for setting up manufacturing hubs. However, the associated rise in operational costs ‒ particularly for energy, labour and materials ‒ can make it difficult to attract investors to the German market compared with alternatives in other European countries.

The real estate market in Germany is also undergoing significant changes. The rising costs of construction materials and higher interest rates have made property investments more expensive. Many businesses face increasing rental costs, especially in major cities such as Berlin, Munich and Frankfurt. Companies must consider the financial implications of real estate investments and assess alternative locations where rental prices are lower.

Despite economic and regulatory challenges, Germany offers significant investment opportunities across various industries.

Crisis Management as a Legal and Governance Obligation

Companies in Germany are required to establish a risk management system. The management of a company is responsible for exercising the due care of a prudent manager, faithfully complying with the relevant duties. Decisions made by management during crises are subject to closer ex post scrutiny, particularly where risks have been foreseeable.

Companies may design and adapt their risk management systems to address their individual operational requirements.

Crisis management thus needs to evolve in line with shifting regulatory requirements and developments in each industrial sector.

Regulatory Trends

Foreign investment control

While Germany continues to attract foreign investment, regulatory control has increased, particularly in critical sectors such as defence, infrastructure, technology and energy. The Federal Ministry for Economic Affairs and Climate Action (BMWK) now examines foreign direct investments more closely to ensure national security and strategic economic interests.

AML

AML obligations continued to expand in practical relevance. The start of operations of the European Anti-Money Laundering Authority (AMLA) in summer 2025 has reinforced supervisory expectations at EU level. The German Federal Financial Supervisory Authority (BaFin) has further tightened its risk-based supervisory approach and provided updated administrative guidance under the German Anti-Money Laundering Act (Geldwäschegesetz, or GwG), focusing on governance, internal controls, and effectiveness of AML systems.

The GwG Reporting Ordinance was published in the Federal Law Gazette in October 2025. It specifies the form and content of suspicious transaction reports to the Financial Intelligence Unit (FIU) and is scheduled to enter into force in March 2026.

AML trends in 2025 also reflected a strong focus on digital compliance tools, in particular for transaction monitoring, KYC automation, and risk analysis. Continuous adaptation to technological risks – especially in the fintech and crypto sectors – remained necessary.

Data protection and cybersecurity

Data protection remains a priority in Germany. Companies must comply with the EU General Data Protection Regulation (GDPR). Non-compliance can result in substantial fines for the companies involved. Cybersecurity laws have also become more stringent with the introduction of the Network and Information Security Directive (NIS 2). Throughout 2025, companies prepared for the German implementation of NIS 2, while facing a sustained rise in cyber-attacks, ransomware incidents and AI-enabled threats. The NIS 2 Directive was transposed into national law and came into force in December 2025, requiring organisations in critical sectors (energy, finance, health, IT services) to implement comprehensive cybersecurity measures. This has heightened accountability and organisational risk management obligations.

Cybersecurity is a major challenge for the risk management of companies and their board members. Despite this, operational risks relating to cyber threats are still often underestimated. The rapid pace of digitalisation, the increasing use of personal devices and the rise in remote work expose businesses to potential cyber-risks. Cyber-attacks and the malevolent use of AI are increasing, making cybersecurity a crucial aspect of companies’ compliance systems. Cyber-attacks therefore also need to be reflected in a company’s risk management plan. At the same time, the use of AI tools can also support companies by helping to identify crises at an early stage and enabling swift action. To enhance cybersecurity, companies should conduct “ethical hacking” simulations to prepare for cyber-attacks and data breaches.

ESG, sustainability and regulatory divergence

ESG considerations have continued to exert a strong influence on crisis management, despite increasing legal complexity.

The European Commission’s “omnibus initiative” of February 2025 aimed to simplify and recalibrate the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD), narrowing the scope and extending implementation timelines, while maintaining core due-diligence and transparency objectives. This initiative was merely a starting point for deregulation: by the end of 2025, the European Commission had introduced a total of ten omnibus packages. In December 2025, the EU Parliament formally amended both the CSDDD and CSRD. On 26 February 2026, the Amending Directive (EU) 2026/470 was published in the Official Journal of the European Union.

The German Supply Chain Due Diligence Act

The German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG) officially remained in force throughout 2025, but enforcement intensity was reduced in practice. The Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle, or BAFA) ceased reviewing company reports in anticipation of upcoming legislative change in Germany. This reduced short-term procedural pressure but did not eliminate liability or reputational risk, particularly for companies with complex supply chains.

For crisis management, the combination of evolving expectations at the EU level and reduced national enforcement has created a structurally uncertain environment for businesses. This legal uncertainty presents risks for the companies concerned. It is therefore essential to establish an effective compliance system and to continuously monitor the evolving legislative framework.

International DEI divergence and workforce-related crises

The year 2025 marked a turning point in the global approach to diversity, equity and inclusion (DEI). Companies reduced or rebranded DEI initiatives in response to political pressure and litigation risk, particularly in the United States. At the same time, EU and German law continued to impose anti-discrimination and equal treatment obligations.

For companies operating globally, this divergence became a relevant issue. Group-wide policies and public messaging on DEI increasingly required careful alignment to avoid legal exposure, employee disputes or public backlash in different jurisdictions. Crisis management strategies increasingly addressed DEI-related issues as aspects of employment law, reputational risk, and stakeholder communication, with an explicit recognition that legal requirements must be assessed individually for each country of operation.

Trade and sanctions

Trade and sanctions risks further intensified in 2025. The EU adopted additional Russia-related sanctions packages and continued to focus on enforcement and circumvention risks. For German companies, sanctions compliance became a recurring crisis trigger, particularly in relation to supply chains, logistics, payment flows and contract performance.

Germany’s sanctions enforcement framework, including specialised federal structures, reinforced the need for rapid internal escalation and authority co-ordination during suspected violations. Sanctions-related crises increasingly overlapped with AML, export control and reputational risks, requiring an integrated crisis response.

Trade policy developments also continued to affect crisis exposure. EU anti-subsidy measures, including duties on Chinese electric vehicles, influenced investment decisions, pricing structures and sourcing strategies throughout 2025. These measures created sudden operational and contractual stress, making trade disputes and regulatory shocks a recurring element of crisis planning.

Geopolitical tensions and polycrises

Geopolitical tensions, such as territorial disputes or economic sanctions, are often unpredictable and can complicate risk assessment and crisis management strategies. During periods of rapidly changing regulations and government policies, companies must remain agile and adjust their crisis management frameworks accordingly to ensure compliance with new legal requirements.

Polycrises – ie, situations where multiple crises occur simultaneously – further complicate crisis management. They require companies to reallocate resources, determine the order of priority and develop a dynamic crisis management system that provides flexibility and addresses both known and unknown threats.

Sector-Specific Implications

AI

Germany continues to position itself as a leading EU location for AI and digital transformation. Public funding remains available for AI research, Industry 4.0, smart manufacturing, and cybersecurity. However, the strategic focus has shifted from promotion to regulated deployment.

Since the entry into force of the EU AI Act, AI governance has become a core compliance issue. Companies developing or using AI systems must classify applications according to risk, implement human oversight, maintain technical documentation, and establish post-market monitoring. High-risk AI systems are subject to strict conformity assessments and enforcement risk.

AI is increasingly used as a crisis-prevention and monitoring tool. Nevertheless, ethical considerations are often overlooked, creating risks of manipulation and misconduct. Irresponsible implementation, especially in the absence of clear regulations, can become a catalyst for crises and lead to severe management failures. AI therefore represents both an operational asset and a legal risk factor.

Defence industry

Geopolitical instability, NATO obligations, and increased security spending continue to drive growth in Germany’s defence sector. The sector remains attractive for investors but is subject to strict foreign investment control and export regulations.

Cybersecurity risks have intensified. Defence companies are frequent targets of state-linked cyber-attacks and industrial espionage. Compliance with enhanced cybersecurity and resilience requirements, including supply-chain security, has become essential.

Effective crisis management requires continuous risk assessments, employee training, incident response planning, and close co-ordination with public authorities. Transparent and timely communication is critical in security-relevant incidents.

Infrastructure investments

Germany continues to face a persistent infrastructure backlog across transport, energy, and digital networks. Investment opportunities remain significant in rail, public transport, grid expansion, offshore wind, hydrogen infrastructure, and digital connectivity. At the same time, investors face lengthy approval procedures, high regulatory standards, financing constraints, and litigation risk. Sustainability and climate targets further increase complexity.

Critical infrastructure is increasingly exposed to cyber-attacks, sabotage, and hybrid threats. Investors must comply with foreign investment control rules and enhanced resilience obligations. Crisis management systems should address operational disruption, cyber-incidents, and public-sector co-ordination as core scenarios.

Research industry

Germany remains a major research and innovation hub, benefiting from strong public funding and international co-operation. Dependence on cross-border research partnerships has increased.

Research activities involve heightened risks relating to confidentiality, intellectual property, data protection, and export controls. Cyber-espionage and data breaches represent key threat scenarios.

A structured risk management system focusing on information security, data governance, and compliance with GDPR and sanctions law is essential.

Automotive industry

The German automotive industry continues its structural transformation toward electrification, software-driven vehicles, and digital mobility. Public support for electric mobility, charging infrastructure, and battery production remains relevant, while hydrogen technologies are increasingly limited to commercial and heavy-duty applications.

The sector faces significant pressure from rising costs, global competition, restructuring, and dependence on foreign markets. Regulatory complexity has increased, particularly regarding emissions standards, sustainability reporting, data protection, and AI-enabled vehicle systems.

AI integration, software updates, and connected vehicle technologies raise new liability, cybersecurity, and compliance risks. Companies must establish robust compliance cultures and risk management frameworks to address regulatory change, cyber-attacks, and reputational exposure.

Outlook

Germany’s regulatory and risk environment remains dynamic and enforcement-driven. EU-level regulation, increased supervisory activity, and sector-specific resilience requirements continue to reshape corporate obligations. Regulatory compliance is no longer static but requires continuous adjustment.
