OLG Nuremberg: Obligation to set up a CMS even in small companies

In a decision from March 2023, the Higher Regional Court (OLG) Nuremberg significantly expanded the scope of duties of managing directors in medium-sized and small GmbHs in particular by requiring the “establishment of a compliance management system” regardless of the size of the company. The following article highlights the implications of this decision.

The decision

The managing director of a German company failed to adequately supervise his 13 (!) employees, with the result that the company’s assets were significantly damaged by the manipulations of one employee. The criminal proceedings against the managing director and the manipulating employee were discontinued against payment of a not inconsiderable fine in each case. According to the plaintiff’s submission – accepted by the OLG Nuremberg – the defendant managing director “did not demand compliance with the four-eyes-principle” (para. 69). Accordingly, it ordered the managing director to pay damages for breach of the duty of care incumbent upon him as managing director pursuant to § 43 GmbHG.

So far, so good and so understandable. In the further course, however, the OLG Nuremberg felt obliged to make additional fundamental statements:

“The duty of legality results in the obligation of the managing director to set up a compliance management system, i.e. to take organisational precautions to prevent the company or its employees from committing legal violations.” (para. 115)

From the perspective of legal counselling, the quintessence of this decision is that the managing director of a company – however legally constituted – must maintain a compliance management system (CMS) and probably an internal control system (ICS; see para. 116).


This judgement goes far beyond the previous rulings on the necessity of a CMS. In its groundbreaking “Neubürger ruling” from 2013, the Munich Regional Court (LG) I (judgement of 10.12.2013 – 5 HK O 1387/10, in German) ruled with regard to Siemens AG that “the type, size and organisation of the company, the regulations to be observed, the geographical presence as well as suspicious cases from the past are decisive for the scope [of the CMS] in detail” (guiding principle). In other words, the size of the company certainly plays a role in the obligation to establish a CMS. In its so-called “Panzerhaubitzen ruling” (judgement of 9 May 2017 – 1 StR 265/16, in German), the BGH then emphasised the sanction-reducing effect the establishment of a CMS may have (“For the assessment of the fine, it is also important to what extent the secondary party fulfils its obligation to prevent legal violations from the sphere of the company and has installed an efficient compliance management system that must be designed to prevent legal violations….” (para. 118)).

The OLG Nuremberg is now breaking with this case law by indiscriminately extending the obligation to establish a CMS to small companies (see definition here, in German). For this reason alone, the decision not to allow an appeal against the judgement seems questionable. In addition, the obligation to maintain an ICS regardless of the size of the company – which is not expressly referred to as such, but is described accordingly in para. 116 (and therefore also understood as such by the literature) – overshoots the mark. This is because the BGH’s judgement (of 20 February 1995 – II ZR 9/94, in German) cited by the OLG Nuremberg to justify this obligation, against the background of the obligation to convene a shareholders’ meeting in the event of a loss of half of the share capital pursuant to § 49 para. 3 GmbHG or the obligation to file for insolvency (now § 15a InsO), only stated that the managing director of a GmbH must ensure “an organisation that enables him to have the necessary overview of the economic and financial situation of the company at all times”. While the BGH established a monitoring obligation for precisely defined – legally fixed – circumstances, the OLG Nuremberg removes those limits from the obligations. This is because CMS and ICS involve the establishment of systems that encompass the entire company and are operated independently of any specific event; the establishment of such systems follows precisely defined standards – such as IDW PS 980 for CMS or IDW PS 982 for ICS. These standards are obviously not tailored for small (and in case of doubt also not for medium-sized) companies.

It may be argued that the legislator itself has already ensured a similar removal of boundaries with the introduction of the StaRUG. Since 2021, the provision of § 1 StaRUG stipulates that managing directors (regardless of size and legal form) must “continuously monitor developments that could jeopardise the continued existence of the legal entity”. However, in § 101 StaRUG, the legislator has simultaneously committed to providing corresponding “information on the availability of tools provided by public authorities for the early identification of crises” on the Internet – and is doing so: BMJ: “Early warning systems pursuant to § 101 StaRUG” (in German). An examination of these links (see also here) shows that the “information” provided therein requires considerably less and more specific effort on the part of the companies than the establishment of a CMS or ICS.

Numerous regulations relating to the CMS are also based on the size of the company; a number of laws, for example, only apply from a certain number of employees (HinGSchG, 50 employees, see here or LKSG, 1,000 employees, here).

Conclusion: In summary, according to the current state of higher court rulings, managing directors are obliged to set up a CMS and ICS – regardless of size. In addition to the tightening economic conditions for companies, this further increases the bureaucratic burden and liability risks for managing directors.

Until the obligations imposed by the OLG Nuremberg are (hopefully) once again limited, managing directors of small companies are also advised to consider the possibilities of establishing an effective (i.e. liability-minimising) CMS and ICS in their companies as efficiently as possible. It seems rather doubtful, though, whether the mere establishment of a four-eyes-principle and monitoring compliance with it will be considered sufficient by the courts.

OLG Nürnberg, 30.03.2022 – 12 U 1520/19 (in German)
