Compliance 2026/27: Which regulations you should have on your radar now

Three sets of regulations, one common denominator: anyone still flying on autopilot in the summer of 2026 will be under significant time pressure by the end of the year. An overview of current compliance obligations with a focus on digital data exchange.

On 1 January 2027, a decades-old fixture of German payroll administration will finally come to an end: the paper payslip and the paper payroll file behind it. At the same time, the first reporting obligations of the Cyber Resilience Act take effect in September 2026, and an EU framework for digital sovereignty is set to tighten the requirements for cloud infrastructures.

In this article, we have summarised the key legal changes and deadlines regarding compliance and digitalisation, including tips on how you can start taking action now.

TL;DR – The essentials at a glance:

  • Cyber Resilience Act (CRA): From 11 September 2026, the first reporting obligations for manufacturers of products with digital elements come into force, regardless of company size.

  • EU Tech Sovereignty Package: The EU is increasing the pressure regarding digital sovereignty. For companies using cloud services outside the EU for sensitive processes, regulatory risks are mounting.

  • BVV Section 8 – Digital Payroll Records: As of 1 January 2027, payroll documents must be archived in a fully digital, audit-proof, and machine-readable format. Evidence of accessibility must be provided.

Overview: What is changing simultaneously

Compliance obligations rarely come in isolation. This is no coincidence: the EU and German legislators are tightening rules on several fronts at once. Anyone viewing these regulations in isolation misses the common denominator: digital processes must be demonstrably secure, traceable, and sovereign.

Three developments are particularly relevant for IT managers, CISOs, and HR decision-makers in the DACH region: the CRA, the Tech Sovereignty Package, and the obligation to provide digital payroll records.

Cyber Resilience Act: First obligations take effect from September 2026

The Cyber Resilience Act (CRA) has been in force across the EU since December 2024. It places comprehensive cybersecurity obligations on manufacturers of products with "digital elements", and it obliges importers and distributors to verify that what they place on the market complies. In scope is software, hardware, and IoT equipment whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or a network.

A crucial detail: the CRA makes no exceptions regarding company size. Whether you are a global corporation or a micro-enterprise, if you distribute digital products in the EU, you are affected.

The first reporting obligations will take effect on 11 September 2026. From then on, manufacturers must report actively exploited vulnerabilities in their products, and severe incidents that affect their security, to the competent national CSIRT and ENISA via the EU single reporting platform, within tight timeframes:

  • Early warning: within 24 hours of becoming aware.

  • Vulnerability notification or incident notification: within 72 hours.

  • Final report: for an exploited vulnerability, no later than 14 days after a corrective or mitigating measure becomes available; for a severe incident, no later than one month after the incident notification.

Companies that do not yet have internal processes for vulnerability management and incident response must establish them now: 24 hours is not enough time to work out who owns the affected product, let alone which components it contains. This requires close collaboration between IT and the executive level. Note that the CRA's fines are levied on the manufacturer as an economic operator; whether individual managers are personally liable follows from national corporate law, not from the CRA itself, which is all the more reason to involve management early rather than after the fact.

Another frequently underestimated factor is that many companies have not yet determined how the act applies to them. Two common misreadings: pure software-as-a-service is generally outside the CRA (it is regulated under NIS2), but "remote data processing" that a product needs in order to function, such as a vendor-hosted backend for an IoT device, is in scope together with the product; and embedding open-source components does not exempt a product, because the manufacturer remains responsible for their security once they ship inside it.

A recommended first step is creating a Software Bill of Materials (SBOM): a structured, machine-readable inventory (typically CycloneDX or SPDX) of all software components used, including proprietary code, purchased libraries, and open-source third-party components. The CRA requires manufacturers to produce one covering at least the product's top-level dependencies; in practice you want the transitive dependency graph as well, because that is what lets you answer, inside the 24-hour window, which products contain a newly reported vulnerable component.
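As an added example, not FTAPI's code and not part of the original article, here is the kind of query an SBOM supports once it carries the dependency graph: given a component name and the version in which it was fixed, list every product that ships an affected copy, directly or transitively, and the path by which it gets there. The SBOM, the component names and the version numbers are constructed for the demo and imply no real advisory; version comparison is a deliberately simple numeric ordering, flagged in the code.

```python
"""Impact query over a CycloneDX-style SBOM.

Added example for this article, not FTAPI code. The SBOM below is
constructed inline; component names, versions and product refs are
made up and imply no real advisory. It answers the question the CRA's
24-hour early-warning clock forces on a manufacturer: which of our
products ship an affected component, and via which dependency path?
"""
import json
from collections import deque

# Constructed sample: two products (the BOM's own component plus a second
# application), a shared HTTP client library, and a TLS library that one
# product reaches transitively and the other depends on directly.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "bom-ref": "prod:gateway@2.1.0", "type": "application",
        "name": "gateway", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "prod:admin-ui@1.4.2", "type": "application",
         "name": "admin-ui", "version": "1.4.2"},
        {"bom-ref": "pkg:generic/httpclient@2.31.0", "type": "library",
         "name": "httpclient", "version": "2.31.0",
         "purl": "pkg:generic/httpclient@2.31.0"},
        {"bom-ref": "pkg:generic/tlscore@1.26.18", "type": "library",
         "name": "tlscore", "version": "1.26.18",
         "purl": "pkg:generic/tlscore@1.26.18"},
        {"bom-ref": "pkg:generic/tlscore@2.2.1", "type": "library",
         "name": "tlscore", "version": "2.2.1",
         "purl": "pkg:generic/tlscore@2.2.1"},
    ],
    "dependencies": [
        {"ref": "prod:gateway@2.1.0",
         "dependsOn": ["pkg:generic/httpclient@2.31.0"]},
        {"ref": "prod:admin-ui@1.4.2",
         "dependsOn": ["pkg:generic/tlscore@2.2.1"]},
        {"ref": "pkg:generic/httpclient@2.31.0",
         "dependsOn": ["pkg:generic/tlscore@1.26.18"]},
    ],
})


def _version_key(version: str) -> tuple:
    """Crude dotted-numeric ordering. Assumption: no pre-release tags or
    epochs; use the 'packaging' library for real PEP 440 / semver rules."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_sbom(text: str):
    """Return (components indexed by bom-ref, graph ref -> [dependsOn refs])."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom.get("metadata", {}).get("component")
    if root:  # the product the BOM describes is itself a component
        components[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", []))
             for d in bom.get("dependencies", [])}
    return components, graph


def products(components: dict, graph: dict) -> list:
    """Roots of the graph, i.e. refs nothing depends on: the shippable products."""
    depended = {ref for targets in graph.values() for ref in targets}
    return sorted(ref for ref in components if ref not in depended)


def affected_products(text: str, name: str, fixed_in: str) -> dict:
    """Map each product ref to the dependency path that reaches an affected
    copy of `name` (version < fixed_in). Unaffected products are omitted.
    Breadth-first search with a visited set, so cyclic graphs terminate."""
    components, graph = parse_sbom(text)

    def is_affected(ref: str) -> bool:
        c = components.get(ref)
        return bool(c) and c.get("name") == name and \
            _version_key(c.get("version", "0")) < _version_key(fixed_in)

    result = {}
    for root in products(components, graph):
        queue, seen = deque([[root]]), {root}
        while queue:
            path = queue.popleft()
            if is_affected(path[-1]):
                result[root] = path  # shortest path, BFS order
                break
            for nxt in graph.get(path[-1], []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return result


if __name__ == "__main__":
    for product, path in affected_products(SAMPLE_SBOM, "tlscore", "2.0.0").items():
        print(product, "->", " -> ".join(path))
```

The `dependencies` section is what turns an inventory into an impact analysis: without it you know that a vulnerable library is somewhere in the portfolio, with it you know which products need the 72-hour notification and which do not, and the recorded path tells the fixing team where to bump the version.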

In short: by September 2026, standing still is no longer an option regarding the CRA. Those who clarify their status now and build reporting processes will gain both operational flexibility and credibility as a supply chain partner.

EU Tech Sovereignty Package: Digital sovereignty becomes measurable

Parallel to the CRA, the EU is increasing the pressure regarding digital sovereignty. In the summer of 2026, the EU Commission intends to present its Tech Sovereignty Package (TSP). The centrepiece is the Cloud and AI Development Act (CADA). For the first time, it aims to provide an EU-wide definition of a "sovereign cloud" and mandate that sensitive health, judicial, and financial data in certain public sectors may only be processed within such environments.

Put simply: it is about who has access to your data and under which jurisdiction. Two points are vital to understand here: the requirements are explicitly aimed at the public sector, not at private companies. Furthermore, the package has yet to be presented officially and must then pass the EU's ordinary legislative procedure in the European Parliament and the Council before it becomes law.

However, the direction of travel is already clear. Operators of critical infrastructure (KRITIS) and companies acting

“Together, TSP and C3A are making digital sovereignty auditable for the first time, and thus enforceable. The key question is no longer: ‘Is the server located in Europe?’ but rather: ‘Who really has control over your data, and can you prove it?’” – Ari Albertini, CEO of FTAPI

The response "somewhere in the cloud" or "on a European server" is no longer sufficient (and, in truth, never really was). Those who believe they are on the safe side by using the EU data centre of a US provider often underestimate the US CLOUD Act of 2018. It follows the company, not the server: a provider subject to US jurisdiction can be compelled to produce data in its possession, custody or control regardless of where that data is physically stored, and routing the contract through an EU subsidiary does not change that. Only companies that rely on independent German or European providers are structurally positioned for true sovereignty.

Digital payroll records: An underestimated obligation

While the CRA and Tech Sovereignty are garnering significant attention, a compliance project is unfolding in the background that remains under the radar for many—particularly HR departments. Yet, the clock is already ticking.

The Federal Labour Court (BAG) ruling of January 2025

On 28 January 2025, the German Federal Labour Court (BAG, Case Ref. 9 AZR 48/24) issued a landmark ruling: employers are permitted to provide payslips exclusively in digital form. Employee consent is not required for this, as a general right to paper documentation no longer exists. While employees can actively object to digital provision, the onus is now on them to do so.

This might sound like a technicality, but it marks a significant shift. For years, a legal grey area protected companies from having to make a definitive decision. That grey area has now vanished.

The hard deadline: BVV Section 8 from 1 January 2027

From 1 January 2027, Section 8 of the Contribution Procedure Ordinance (BVV) will become mandatory. The BVV regulates how payroll records must be maintained and archived. From 2027, all records must be: fully digital, audit-proof, and machine-readable (i.e., euBP-compliant—the German standard for electronic social security audits).

In practice, this means that hybrid filing structures consisting of paper folders, email inboxes, and local drives will no longer be permitted. Auditors will expect all relevant documents to be immediately searchable, clearly assigned, and available for digital transfer. This deadline is fixed and applies to all employers subject to external audits.

Importantly: BVV Section 8 covers far more than just the monthly payslip. All supporting documentation required for correct payroll accounting and social security assessment must also be maintained digitally. This includes:

  • Health insurance membership certificates

  • Applications for exemption from pension insurance obligations (for marginal employment/mini-jobs)

  • Declarations regarding secondary employment

  • Time-tracking records

  • Proof of parenthood (required for the correct calculation of long-term care insurance contributions)

Anyone who believes they are compliant simply by switching the delivery method of the payslip is underestimating the scope of these requirements.

The proof of delivery problem: Sending is not the same as accessing

A crucial point often overlooked is that the BVV requires the employer to be able to demonstrably document that a statement has been made accessible to the employee. This must include a timestamp for every single staff member.

A standard email does not suffice. Those sending payslips as PDF attachments have, at most, the log line in which the next mail hop accepted the message; they cannot prove whether the email reached the recipient's inbox, ended up in spam, or whether the attachment was ever opened. In an employment court, this does not constitute proof.

The Federal Labour Court clarified this in the same ruling: the decisive factor is verifiable accessibility, not mere dispatch. Legally, the difference is substantial.
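The technical half of this requirement, as an added example that is not FTAPI's code and not part of the original article: an append-only access log in which every "made accessible" and "retrieved" event carries a UTC timestamp and is bound to its predecessor by an HMAC, so that a later edit, reordering or deletion of an entry is detectable. The key, the employee IDs and the events are constructed for the demo. Whether such a record meets the legal standard is a question for lawyers; the code only guarantees that the timestamps you present are the ones that were originally written.

```python
"""Tamper-evident access evidence for digitally delivered payslips.

Added example for this article, not FTAPI product code. Each entry is
bound to the previous one by HMAC-SHA256 over (previous MAC, canonical
payload), so the chain breaks if any earlier entry is edited, removed
or reordered. Key, employee IDs and events are constructed for the demo.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Assumption for the demo: in production this key lives in a KMS/HSM and is
# rotated; it must never be stored next to the log it protects.
DEMO_KEY = b"demo-only-ledger-key"


class AccessLedger:
    """Append-only, HMAC-chained log of payslip access events."""

    GENESIS = "genesis"

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, prev_mac: str, payload: dict) -> str:
        # Canonical JSON so the same payload always yields the same MAC.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, f"{prev_mac}\n{body}".encode(),
                        hashlib.sha256).hexdigest()

    def record(self, employee_id: str, document_id: str, event: str,
               at: Optional[datetime] = None) -> dict:
        """event is 'published' (made accessible) or 'retrieved' (opened)."""
        if event not in ("published", "retrieved"):
            raise ValueError(f"unknown event {event!r}")
        stamp = (at or datetime.now(timezone.utc)).astimezone(timezone.utc)
        payload = {"seq": len(self.entries), "employee": employee_id,
                   "document": document_id, "event": event,
                   "at": stamp.isoformat()}
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        entry = {**payload, "mac": self._mac(prev, payload)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest MAC. Anchor it externally (timestamping service, WORM
        store) so silent truncation of the tail becomes detectable too."""
        return self.entries[-1]["mac"] if self.entries else self.GENESIS

    def verify(self) -> bool:
        """True iff no entry was altered, reordered or removed from the middle."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k != "mac"}
            if payload.get("seq") != i:
                return False
            if not hmac.compare_digest(self._mac(prev, payload), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def evidence(self, employee_id: str, document_id: str) -> Optional[dict]:
        """Timestamps to produce in a dispute: when the payslip was made
        accessible and when (if ever) the employee retrieved it. Refuses to
        answer from a ledger whose chain no longer verifies."""
        if not self.verify():
            raise RuntimeError("ledger integrity check failed")
        hits = {}
        for e in self.entries:
            if e["employee"] == employee_id and e["document"] == document_id:
                hits.setdefault(e["event"], e["at"])  # earliest occurrence wins
        if "published" not in hits:
            return None
        return {"published": hits["published"], "retrieved": hits.get("retrieved")}


def demo_ledger() -> AccessLedger:
    """Constructed events: two employees, one January 2027 payslip."""
    ledger = AccessLedger(DEMO_KEY)
    published = datetime(2027, 1, 29, 9, 0, tzinfo=timezone.utc)
    ledger.record("emp-1001", "payslip-2027-01", "published", published)
    ledger.record("emp-1002", "payslip-2027-01", "published", published)
    ledger.record("emp-1001", "payslip-2027-01", "retrieved",
                  datetime(2027, 1, 29, 12, 30, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print("chain valid:", ledger.verify())
    print("emp-1001:", ledger.evidence("emp-1001", "payslip-2027-01"))
    print("emp-1002:", ledger.evidence("emp-1002", "payslip-2027-01"))
```

Two things a plain timestamp column cannot give you: `verify()` fails if an entry is altered, reordered or removed from the middle, and `evidence()` refuses to answer from a ledger that fails that check. What a chain cannot detect on its own is silent truncation of the tail, which is why `head()` exists: publish the latest MAC to an external timestamping service or a write-once store at regular intervals, and a dispute can then be settled against that anchor.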

The blue-collar problem: Are you reaching everyone?

For companies in manufacturing, production, logistics, and retail, there is an additional hurdle. In manufacturing, 50% to 80% of the workforce typically has neither a company PC nor a corporate email address. Conventional HR self-service portals, however, require both. Consequently, usage rates for such portals in this segment are typically below 20%.

This is not a usability issue that can be solved with better onboarding. It is a structural problem: these employees are simply not reachable via traditional digital channels. A solution that relies solely on a portal works for the office floor, but fails the business as a whole.

The timeline: Why you need to act now

While 2027 might seem a long way off, the numbers suggest otherwise. Typically, the various project phases require significant lead time:

  • Works council agreement: 3 to 6 months

  • System integration (e.g. in SAP): 1 to 3 months

  • Pilot phase and rollout: 2 to 4 months

The listed phases alone add up to 6 to 13 months; with requirements gathering, vendor selection and data migration, which are not itemised above, a total project duration of 9 to 16 months is typical. Anyone who has not started by the summer of 2026 will likely miss the deadline. Furthermore, every month that paper-based delivery continues, costs mount. Postage, printing, and stationery alone cost between €3 and €5 per payslip. For a company with 500 employees, this adds up to between €18,000 and €30,000 per year.

What a future-proof implementation looks like

To harmonise the compliance requirements currently emerging from the CRA, TSP, and BVV Section 8, software solutions should meet three key criteria:

  1. Legally secure proof: It is not enough simply to send documents securely. The solution must also document the fact that they were made accessible (e.g. via a timestamp) in a legally robust manner.

  2. Sovereign infrastructure: In light of the TSP and the US CLOUD Act, sensitive data such as payroll records should be stored with European providers on European servers and encrypted with keys the provider itself cannot access. Encryption at rest under provider-managed keys does not help when it is the provider that is compelled to disclose.

  3. Inclusive accessibility: For production staff (blue-collar workers) in particular, access must be barrier-free (without the need for a VPN or mandatory app) and GDPR-compliant via private devices.

Companies such as Solothurner Spitäler or REINER® are already successfully using the FTAPI infrastructure. Solothurner Spitäler AG, with 4,500 employees, reduced the HR team's workload for sending payslips from half a morning to just 15 minutes per month. REINER® GmbH & Co. KG, with 300 employees, was fully operational one month after the decision and accelerated their process by 70%, including an automatic paper fallback via ePost.

Conclusion: Compliance is no longer a solo discipline

CRA, digital sovereignty, BVV Section 8: it is no coincidence that these three frameworks are arriving at the same time. Rather, they are expressions of the same trend: digital processes must be demonstrably secure, structured, and sovereign. Those who view these as isolated compliance tasks should expect significant extra effort. Those who understand them as a fundamental infrastructure decision will gain a clear advantage. The issue of digital payroll records, in particular, permits no further delay. The deadline is fixed, and the window for a clean implementation is closing. Secure, traceable delivery and archiving of all payroll-related documents—whether in the office or on the production floor—is now mandatory.

Frequently asked questions about compliance 2026/2027

When does digital archiving of payroll records become mandatory?

The obligation for purely digital archiving becomes mandatory on 1 January 2027. Under Section 8(2) of the BVV, all payroll records from this date must be kept in a fully digital, audit-proof, and machine-readable format for the electronically supported social security audit (euBP). Hybrid storage (paper and digital) will no longer be permitted.

Why is the 2027 deadline considered critical?

The deadline is critical because it marks the definitive end of paper documents in the HR department. Since the transition often requires complex IT adjustments and the involvement of the works council, a realistic project duration is 9 to 16 months. Companies that allow the summer of 2026 to pass without taking action risk failing to meet the legal requirements for euBP compliance in time.

Is a European data centre operated by a US provider sufficient for digital sovereignty?

Not necessarily. If the provider is a subsidiary of a US corporation, the US CLOUD Act may apply, potentially allowing access by US authorities regardless of the physical server location. True digital sovereignty usually requires providers with their headquarters and legal independence based within the EU.

What penalties does the CRA provide for, and who is responsible?

Violations of the Cyber Resilience Act (CRA) can result in fines of up to €15 million or 2.5% of total annual worldwide turnover, whichever is higher, for breaches of the essential cybersecurity requirements. The fines are levied on the manufacturer as an economic operator; senior management is responsible for ensuring the organisation can meet its obligations. Manufacturers must also maintain a Software Bill of Materials (SBOM) and exercise due diligence when integrating third-party and open-source components, so the security of purchased libraries and open-source code becomes the manufacturer's responsibility once they ship inside the product.

Do we need a separate tool for each of these regulations?

Ideally, no. A central platform can cover much of the ground: sovereign data exchange in the sense of the TSP, and legally secure, verifiable delivery and archiving of payroll records in accordance with BVV Section 8. CRA reporting itself still goes to the designated CSIRT via the EU single reporting platform; what a central platform contributes there is the secure, traceable exchange of the evidence behind such a report.

This article does not constitute legal advice. While all content has been prepared with the greatest possible care, it makes no claim to be exhaustive or legally binding.