Cyberattack and IT Compliance – Criminal Risks and Preventive Duties for Companies

A cyberattack is now one of the greatest threats to companies — and at the same time, a challenge for IT compliance. It affects not only large corporations with complex IT structures but increasingly also medium-sized businesses and specialized service providers. This makes it all the more important that companies are prepared not only technically but also legally. Mistakes in handling an extortion case — whether in prevention or crisis management — can lead to significant liability and criminal consequences.

Prevention is Mandatory

Those who believe that a cyberattack is primarily an IT problem overlook the legal risks. The General Data Protection Regulation (GDPR) requires companies to ensure a level of security appropriate to the risk. The requirements for technical and organizational measures (TOM) under Art. 32 GDPR are based on the state of the art and form a key component of any effective IT compliance program. Encrypted data storage, strict access rights management based on roles, regular security updates, and multi-factor authentication are typically part of the basic expectations for an adequate security level. Many companies still do not fully meet these standards — posing significant GDPR compliance risks.

The penalties for violations are severe. Infringements of Art. 32 GDPR are not only subject to administrative fines; they also highlight how closely data protection, IT security, and IT compliance are intertwined. The GDPR provides for fines of up to 20 million euros or 4% of the company’s global annual turnover. Furthermore, the ECJ clarified in its judgment of December 5, 2023 (Case C-807/21, Deutsche Wohnen SE) that companies can be held liable even without specific individual culpability.

In addition to fines, companies face administrative measures — such as bans on processing personal data — and compensation claims from affected individuals. All of this often strikes companies in the midst of crisis management. Prevention is therefore not just advisable — it is a legal obligation.

NIS-2 and New Liability Risks

The new EU Directive NIS-2 imposes additional obligations on many companies, especially operators of critical services, but also many medium-sized enterprises in industry, trade, and services. Violations of reporting obligations or inadequate security concepts could soon open up broader grounds for liability. Although national implementation is still pending, affected companies should already prepare for stricter requirements.

Breach of Trust Due to Insufficient Prevention?

Little known but legally significant is the fact that failure to implement preventive measures can also be considered a criminal breach of trust (§ 266 StGB – German Criminal Code). This applies, for example, when a managing director, a Chief Information Security Officer, or a compliance officer breaches their fiduciary duty — at least with conditional intent — and causes damage to the company as a result. A violation of Art. 32 GDPR or the NIS-2 Directive alone may not be sufficient — there is often no direct financial link. However, the employment contract and the responsibilities it establishes for IT security may provide relevant points of reference here.

Direct damages can include operational downtime, third-party claims for damages, or the costs of restoring systems. The criminal significance of such cases remains disputed — especially as intent is often lacking — but the debate is gaining momentum.

Paying Ransom – Legal or Criminal?

If a company becomes the victim of a cyberattack and faces extortion, the question quickly arises whether it is even permissible to pay ransom. Legally, this is complex. In principle, paying ransom is not prohibited. However, in certain circumstances, it can become criminally relevant.

Notification Obligations under Art. 33 GDPR for Cyberattacks

For example, failure to report under Art. 33 (1) GDPR is subject to fines. Fines under Art. 83 (4) (a) GDPR can reach up to 10 million euros or 2% of annual turnover. There is no obligation to file a criminal complaint under § 138 StGB (German Criminal Code).

Breach of Trust and Internal Decision Processes

Paying ransom can also entail risks. As part of IT compliance, it should always be reviewed before making such a decision whether all internal approval processes have been followed and all relevant assessment criteria have been documented. A ransom payment may be considered a breach of trust, especially if it is made prematurely or without a clear reciprocal benefit. A transparent evaluation and thorough documentation are therefore essential.

Additionally, criminal risks can arise — for example, under § 129 StGB (supporting a criminal organization), § 89c (terrorism financing), or § 18 AWG (Foreign Trade and Payments Act: violation of sanctions law). In all these cases, conditional intent is sufficient, and a defence of necessity is usually rejected. Legal assessment heavily depends on the specifics of each case.

Conclusion

A cyberattack is no longer a niche issue — it is a real threat and a legal challenge, making robust IT compliance the first line of defence. Companies need more than just good firewalls. They need a clear action plan for emergencies — and a preventive strategy that works not only technically but also legally.

Legal advice is of central importance here. Criminal defence lawyers with experience in white-collar crime are familiar with the mindset and procedures of investigative authorities and can help companies avoid early missteps. Whether evaluating the legal implications of a potential ransom payment, planning a strategic response to regulators, or preparing for potential fine proceedings — professional guidance helps companies assess risks accurately and safeguard their room for maneuver.

This article was created as part of a specialist event organized by the Northern Regional Group of the Berufsverband der Compliance Manager e.V. (Federal Association of Compliance Managers – BCM), held on March 27, 2025, at the offices of Pragal & Prinzenberg. Under the title “Criminal and Civil Liability Risks in the Prevention and Defence Against Cyber Extortion,” participants discussed current issues around cybercrime, corporate responsibility, and risk management. In addition to Dr. Oliver Pragal, who covered the criminal law perspective, RA Wolfgang Prinzenberg spoke on civil liability, and Dr. Peter Dickstein discussed the role of cyber insurance. The key criminal law insights from the evening are explored in depth in this article.