
KonTraG — Act on Control and Transparency in Business

6 min read · Reviewed by: Cenedril Editorial

A mid-sized stock corporation keeps IT risks in the risk inventory, yet without any link to liquidity, market risk or supply chain. A ransomware incident halts order processing for four weeks — the liquidity risk arising from this was never assessed in the early-warning system. The supervisory board asks for the reporting chain: who knew what and when, and what measures were taken? An organisation that does not run the early-warning system as an integrated model cannot answer these questions plausibly — and the management board is personally on the hook.

The Act on Control and Transparency in Business (KonTraG) introduced Section 91(2) AktG in 1998: the management board must establish a system that allows developments threatening the continued existence of the company to be detected early. This was the birth of enterprise-wide risk management in Germany — and hence a central reference point for any ISMS in a stock corporation.

Who is affected?

Directly only stock corporations — in practice many more organisations. The wording of Section 91(2) AktG addresses the management board of the AG. Practice has broadened the circle of duty-holders:

  • Stock corporations (AG) — directly addressed; the management board bears the full duty.
  • Partnerships limited by shares (KGaA) — same as AG.
  • Larger GmbHs — through Section 43 GmbHG and settled case law; the bigger and more complex the GmbH, the stricter the yardstick. At group level and in capital-market-adjacent activity, the KonTraG standard always applies in practice.
  • Capital-market-oriented companies — stricter duties for management-report disclosure of the internal control and risk management system (Sections 289(4), 315(4) HGB).
  • Insurers, banks — additional sector-specific requirements (VAG, KWG, MaRisk, BAIT/VAIT, and going forward DORA).

Even without formal scope, every organisation benefits from looking into KonTraG: the methodology (risk inventory, assessment, escalation, measures, reporting) is universally applicable.

What does the law require?

KonTraG itself is an umbrella act that amended several existing laws. The core points relevant to information security:

  • Section 91(2) AktG — Early-warning system — the management board establishes a system that allows going-concern-threatening developments to be detected early. This covers risk identification, risk assessment, measures and reporting.
  • Section 93 AktG — Duty of care — Business Judgment Rule: board members are not liable if they made a reasonable business decision on the basis of adequate information. The burden of proof lies with the board.
  • Section 116 AktG — Supervisory board duties — the supervisory board oversees the effectiveness of risk management and the early-warning system.
  • Section 317(4) HGB — Audit of the early-warning system — for listed companies, the auditor verifies that the board has fulfilled its duties under Section 91(2) AktG. IDW PS 340 is the applicable auditing standard.
  • Sections 289, 315 HGB — Management report — description of the material risks and of how the internal control and risk management system works.
  • FISG (2021) — new duty for the board and the supervisory board of listed AGs to establish effective internal control and risk management systems (Section 91(3) AktG); audit committee mandatory.

The requirement of an “appropriate early-warning system” is worded in open terms. Key concretisations come from IDW PS 340, the German Corporate Governance Code and the relevant ISO standards (ISO 31000 for risk management, ISO 27001/27005 for IT risks).

In practice

Cyber risks are going-concern-threatening. Ransomware incidents have paralysed mid-sized firms and large groups for weeks. An organisation that does not explicitly include cyber risks in the KonTraG early-warning system has failed to document its risk posture for the times we live in. The assessment belongs in the annual risk inventory and is coordinated among IT security, management and internal audit.

Define escalation thresholds up front. What is reported to the board, what to the supervisory board, what to the audit committee — these thresholds should be set out in writing. In a crisis there is no time for competence debates. Proven in practice: an escalation tree with clear triggers (outage > 24 h, data loss > X records, regulatory enquiry, etc.).
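The escalation tree sketched above, as an added example that is not code from the page or from its editors: incidents are checked against written triggers, each trigger names the recipients in the reporting chain (management board, supervisory board, audit committee), and every notification is logged so that the supervisory board's question of who was informed when can be answered from the record. The numeric record-loss threshold (the page leaves it as "X") and the trigger-to-recipient mapping are constructed assumptions that an organisation replaces with its own written values.

```python
"""Escalation-tree evaluation for a KonTraG-style early-warning reporting chain.

Added example (not the page's own code). Triggers follow the page's illustration
(outage > 24 h, data loss > X records, regulatory enquiry); the record threshold
and the recipients per trigger are placeholders to be replaced by the values the
organisation has set out in writing.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

# Recipients in the reporting chain named on the page.
MANAGEMENT_BOARD = "management board"
SUPERVISORY_BOARD = "supervisory board"
AUDIT_COMMITTEE = "audit committee"


@dataclass
class Incident:
    """Facts about an incident as known at escalation time (constructed fields)."""
    name: str
    detected_at: datetime
    outage_hours: float = 0.0
    records_lost: int = 0
    regulatory_enquiry: bool = False


@dataclass
class EscalationRule:
    trigger: str                               # wording as written in the policy
    condition: Callable[[Incident], bool]      # when the trigger fires
    recipients: Tuple[str, ...]                # who must be informed


@dataclass
class ReportEntry:
    """One line of the reporting record: who was told what, when, and why."""
    incident: str
    recipient: str
    trigger: str
    reported_at: datetime


class EscalationTree:
    def __init__(self, records_threshold: int = 10_000):
        # 10_000 is a placeholder for the page's "X records"; assumption only.
        if records_threshold <= 0:
            raise ValueError("escalation threshold must be defined and positive")
        self.rules: List[EscalationRule] = [
            EscalationRule("outage > 24 h",
                           lambda i: i.outage_hours > 24,
                           (MANAGEMENT_BOARD,)),
            EscalationRule(f"data loss > {records_threshold} records",
                           lambda i: i.records_lost > records_threshold,
                           (MANAGEMENT_BOARD, SUPERVISORY_BOARD)),
            EscalationRule("regulatory enquiry",
                           lambda i: i.regulatory_enquiry,
                           (MANAGEMENT_BOARD, SUPERVISORY_BOARD, AUDIT_COMMITTEE)),
        ]
        self.log: List[ReportEntry] = []

    def fired_triggers(self, incident: Incident) -> List[str]:
        return [r.trigger for r in self.rules if r.condition(incident)]

    def recipients(self, incident: Incident) -> List[str]:
        """Union of recipients over all fired triggers, in policy order, no duplicates."""
        seen: List[str] = []
        for rule in self.rules:
            if rule.condition(incident):
                for who in rule.recipients:
                    if who not in seen:
                        seen.append(who)
        return seen

    def report(self, incident: Incident, now: Optional[datetime] = None) -> List[ReportEntry]:
        """Record one entry per (recipient, trigger) pair; an incident below every
        threshold produces no entries, which is itself a documented outcome."""
        now = now or datetime.now(timezone.utc)
        entries = [
            ReportEntry(incident.name, who, rule.trigger, now)
            for rule in self.rules if rule.condition(incident)
            for who in rule.recipients
        ]
        self.log.extend(entries)
        return entries

    def reporting_chain(self, incident_name: str) -> List[Tuple[str, str, datetime]]:
        """Answer 'who knew what and when' for one incident from the log."""
        return [(e.recipient, e.trigger, e.reported_at)
                for e in self.log if e.incident == incident_name]


if __name__ == "__main__":
    tree = EscalationTree()
    # Constructed sample: the page's scenario of a four-week processing halt.
    halt = Incident("constructed ransomware case",
                    datetime(2024, 1, 8, tzinfo=timezone.utc), outage_hours=4 * 7 * 24)
    tree.report(halt, now=datetime(2024, 1, 9, tzinfo=timezone.utc))
    for who, why, when in tree.reporting_chain(halt.name):
        print(f"{when.isoformat()}  {who:<18} {why}")
```

The `reporting_chain` output is the artefact the supervisory board asks for in the opening scenario; keeping the rules as data rather than scattered `if` statements makes the written policy and the executed policy the same thing, which is what an IDW PS 340 review compares.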

Involve the supervisory board — beyond mere information. The supervisory board carries its own responsibility through the duty to review the effectiveness of risk management. In practice that means regular reporting in the audit committee, occasional direct engagement with ICT risks (e.g. after major incidents or audits) and documented resolutions to accept or reject material risks.

Mapping to ISO 27001

The KonTraG early-warning system and the ISO 27001 ISMS overlap substantially in structure. An organisation running a certified ISMS has largely covered the IT-related part of the early-warning system — the integration with non-IT risks remains a task of its own.

Directly relevant controls: see the list under “ISO 27001 Controls Covered” below.

Typical audit findings

  • Fragmented risk inventory — IT risks, market risks and operational risks run on separate lists; a consolidated view is missing.
  • Going-concern threshold never defined — the level at which a risk counts as going-concern-threatening is not quantified. As a consequence, no risk is ever classified as such.
  • Informal escalation path — who reports what to the board and the supervisory board when depends on the gut feeling of the respective unit head.
  • Effectiveness review skipped — the audit under IDW PS 340 or comparable does not take place; the auditor flags this in the audit opinion.
  • Uninformative management report — risk reporting in the management report describes standard risks in boilerplate, without company-specific reference.
  • Cyber risks not linked to business risks — the IT security report mentions incidents without connecting them to business continuity, liquidity or market position.

ISO 27001 Controls Covered

  • A.5.1 Policies for information security
  • A.5.2 Information security roles and responsibilities
  • A.5.4 Management responsibilities
  • A.5.7 Threat intelligence
  • A.5.24 Information security incident management planning and preparation
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.6.3 Information security awareness, education and training
  • A.8.8 Management of technical vulnerabilities
  • A.8.16 Monitoring activities

Frequently asked questions

Who is in scope of KonTraG?

Section 91(2) AktG (Stock Corporation Act) addresses the management board of every stock corporation (AG). Via the reference in Section 43 GmbHG (Limited Liability Companies Act) and settled case law, the duty to run a risk early-warning system is extended to larger GmbHs -- especially those with a group structure, a capital-market-oriented business model or elevated liability risk. Listed companies are additionally subject to Sections 289 and 315 HGB (Commercial Code) on management-report disclosure of the internal control system.

What is a going-concern-threatening risk?

A risk that can jeopardise the continued existence of the company -- typically liquidity, solvency or operational risks of significant magnitude. Cyber incidents (ransomware, prolonged IT outages, severe data breaches) have routinely fallen into this category for years. The management board must monitor the likelihood of occurrence, the damage potential and the speed of escalation.

How does KonTraG relate to ISO 27001?

ISO 27001 requires a risk-based approach to information security (Clauses 6.1, 8.2, 8.3) and anchoring in top management. An organisation running a certified ISMS has largely operationalised the IT portion of the KonTraG early-warning system. KonTraG additionally requires integration with non-IT risks (market, liquidity, strategy) and reporting to the management board and the supervisory board.