The majority of our audit services are based on legal regulations and requirements. On the following pages, we present selected topics in which our experts can support you.

These regulations always deal with the same questions:

  • Who is affected by this legal regulation?
  • What does this regulation entail?
  • What obligations does it impose on your company?
  • What are the "next steps"?

Well positioned with KPMG Cert

Two central questions in particular can be derived from these questions: What needs to be audited and what is the relevant supervisory authority? Of course, KPMG Cert always keeps this in mind and provides a competent and reliable contact for you.

Overview of regulations

1. Relevance to the present and economic significance

With the new version of the Energy Services Act (EDL-G) of 2015, the German legislator transposed the EU's energy efficiency strategy (Directive 2012/27/EU) into national law. The overarching goal is a Europe-wide increase in energy efficiency and energy savings in companies and organisations. Thus, the EDL-G is considered an important component of the energy transition and contributes to the German government's goal of reducing primary energy consumption by 20% by 2020 compared to 2008 and by 50% by 2050. Under the new version of the EDL-G, energy audits according to the DIN EN 16247-1 standard or management systems according to ISO 50001 or EMAS will become mandatory for large companies that are not SMEs according to the EU definition.

2. Content

Numerous German companies are required to conduct regular energy audits according to EDL-G. This applies not only to energy-intensive companies in the manufacturing industry, but to all sectors, provided the following criteria are met:

  • more than 250 employees in the company or
  • an annual turnover of more than 50 million euros,
  • an annual balance sheet total of more than 43 million euros.

Also affected are companies that fulfil the above criteria as part of a corporate group or together with partner or group companies. All municipal enterprises are affected as well, provided that the associated municipality has more than 5,000 inhabitants. However, the introduction of a corresponding management system or an energy audit can also make sense for small and medium-sized enterprises (SMEs) to which the above criteria do not apply, since the implemented structures and the knowledge gained can have a positive effect in many parts of the company.

In order to meet the requirements of the EDL-G, the companies concerned have various options at their disposal: On the one hand, the introduction and subsequent certification or validation of a management system according to ISO 50001 or EMAS, on the other hand, an energy audit according to DIN EN 16247-1. Such an energy audit is carried out by a qualified and independent expert, provides for an energy consultation and must be repeated every four years. As part of the audit, the energy flows in your company are recorded, the current energy situation is analysed and energy performance indicators are created. The information obtained is presented in a comprehensive energy balance. This enables a systematic evaluation of energy use and consumption in your company.

3. Summary and Highlights

Through the energy audit according to DIN EN 16247-1, energy improvement potentials in your company can be identified and analysed, concrete options for action can be derived and savings targets can be effectively controlled. These can, especially in combination with the implementation of a suitable management system according to ISO 14001 or EMAS, lead to noticeable increases in efficiency and energy as well as cost savings.

4. KPMG Cert GmbH as contact person

As an accredited auditing organisation with many years of experience, KPMG Cert GmbH offers comprehensive services for meeting the requirements of the EDL-G. This includes a readiness assessment, which assists in clarifying whether or which parts of your company are affected by the EDL-G and designs a timely and custom-fit implementation strategy. Our team of experts is also qualified to carry out energy audits according to DIN EN 16247-1 and can demonstrate many years of experience and comprehensive, interdisciplinary competence in this area.

Since the results of an energy audit can serve as a basis for the introduction of an effective energy management system, further development or optimisation of your energy management system is also possible afterwards. Here, KPMG Cert GmbH can support your company with certification according to the ISO 50001 standard, for which we are accredited by the German Accreditation Body (DAkkS).

1. Relevance and economic importance

In Germany, numerous organisations and institutions provide basic services for the community. They form the basis of our everyday life and are of great importance to the state community or public safety. For this reason, they are referred to as critical infrastructures (CRITIS). The stability of these infrastructures is increasingly threatened by cyber attacks. Due to advancing digitalisation and networking, failures or impairments of IT components can, under certain circumstances, impair supply services and, in the worst case, lead to a complete interruption of supply.

2. Content

Since the first draft of the law, we have been following the developments and changes to the CRITIS sectors, the IT Security Act and the CRITIS regulations. With the IT Security Act, which came into force in July 2015, the legislator created a regulatory requirement for information security that is intended to lead to a higher level of security and thus prevent failures. Supplementary legal ordinances from 2016 and 2017 (CRITIS Ordinance) concretise the IT Security Act. They are intended to help identify who falls under the regulations of the law as a CRITIS operator.

3. KPMG Cert GmbH as contact person

To minimise the time you spend on certification, we offer certification of your ISMS according to ISO/IEC 27001 as an accredited certification and auditing company. Of course, we also take into account industry-specific standards, in the energy industry for example ISO/IEC TR 27019 and the IT security catalogue of the BNetzA. Our IT security and industry experts from KPMG AG Wirtschaftsprüfungsgesellschaft will also be happy to support you with the initial analysis of how you are affected and the further roadmap for alignment with the new regulatory requirements.

1. Relevance and economic importance

Together with the data protection laws of the Länder, the Federal Data Protection Act (BDSG) regulates the handling of personal data. On 05 July 2017, the BDSG-neu, which will come into force on 25 May 2018, was published as Article 1 of the "Act on the Adaptation of Data Protection to Regulation (EU) 2016/679 and the Implementation of Directive (EU) 2016/680" (DSAnpUG-EU). With the DSAnpUG-EU and the BDSG-neu contained therein, data protection regulations are adapted to the EU General Data Protection Regulation. In its dual function, the new BDSG serves both to concretise the GDPR and to implement Directive (EU) 2016/680.

2. Content

In order to meet the new European requirements and specifications for data protection, an amendment to the BDSG was recently necessary. Unlike a directive, which must first be transposed into German law, the GDPR affects all EU member states as directly applicable law when it enters into force on 25 May 2018. The specific objective of the GDPR is to achieve an equivalent level of protection of the rights of natural persons in data processing operations in the Member States.

The European General Data Protection Regulation aims in particular at the establishment of a management system for the protection of personal data. Previous processes and responsibilities must be fundamentally reconsidered and, if necessary, realigned within the framework of the regulation, which comes into force on 25 May 2018. In essence, the GDPR provides for the following adjustments in particular:

  • Increased sanctions for data protection violations (up to 20 million euros or up to four percent of the previous year's global turnover).
  • Significantly expanded liability risks in the sense of accountability
  • A stricter deadline for reporting data protection breaches. In future, these must be reported within 72 hours.
  • Extensive expansion of the information and notification obligations.
  • Companies must be able to submit a data protection impact assessment based on a risk analysis.

3. KPMG Cert GmbH as contact person

As an accredited auditing organisation with many years of experience, KPMG Cert GmbH offers comprehensive services to meet the requirements of the BDSG and the GDPR. This includes a readiness assessment that helps clarify which parts or processes of your company are affected by the GDPR and designs a timely and tailored implementation strategy.

Your contacts at KPMG Cert GmbH

Wilhelm Dolle

Managing Director KPMG Cert GmbH
T +49 30 2068-2323

Dr. Jan-Hendrik Gnändiger

Managing Director KPMG Cert GmbH
T +49 221 2073-1137

Gerd Krause

Managing Director KPMG Cert GmbH
T +49 221 2073-1363


 

© 2024 KPMG Cert GmbH Umweltgutachterorganisation, a group company of KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved.
