Public Ready: Operating successfully in the security environment

Companies that may have previously been less involved in government security contexts must now comply with extensive material, personnel, and technical security standards in the context of altered supply chains, cooperation agreements, and entirely new requirements.

On the one hand, this relates to classified information protection, which is entirely new for some companies (see our article on the latest developments in classified information protection). On the other hand, security-related contracts can entail general legal and organizational challenges. In addition, the complexity and special structure of a cooperation with the state must be considered.

The following provides an initial overview of the possible topics relevant for operating successfully in the security environment.

Regulatory and compliance challenges

Cooperation between state and industry leads to a complex area of tension between security requirements on the one hand and regulatory and compliance requirements on the other:

• Data protection: Security requirements, such as access restrictions and secret communication, can conflict with transparency and data protection rights for employees, customers, and users. Disclosure or monitoring obligations and security measures, such as extended access controls, potentially conflict with data protection principles, such as purpose limitation and data minimization.
• Regulation: In practice, it can be challenging to comply with legal regulatory requirements on transparency, whistleblowing, money laundering prevention and anti-corruption while also taking additional security requirements into account. Conflicting legal interests can create major areas of tension.
• Labor law: Measures such as security checks, access restrictions in the workplace, and technical surveillance and controls conflict with employees' rights (e.g. data protection rights, the right to co-determination with works councils, and equal treatment obligations).
• Internal compliance: The internal compliance requirements defined by companies themselves may conflict with security requirements. New requirements must be integrated into existing compliance systems, while the company's own requirements and those of its stakeholders must also be pursued.

Challenges arising from cooperation with the state

In addition, other legal challenges arising from the cooperation must also be considered:

• Security law: On the one hand, government agencies are bound by specific legal requirements, which limit their actions; on the other hand, however, these requirements also empower them to make specific decisions or take specific measures. This directly impacts the powers and working methods of the state, as well as indirectly impacting cooperation with it.
• Contract law: As well as complex contracts with the state, existing and new contracts with suppliers must be adapted to special security requirements. These include confidentiality agreements, security standards in product development, reporting obligations in the event of incidents, and sanctions for violations.
• Company law: Due to the complex security requirements, adjustments in the corporate structure may also be necessary or appropriate in order to bundle security-related tasks within a certain (sub-)company and to avoid placing a burden on the entire organization (e.g. spin-off, outsourcing).

Operational challenges

Cooperation between state and industry is significantly more complex than a cooperation within the private sector. Companies face specific requirements in terms of both the cooperation itself and the related internal organization.

• Processes of public authorities are characterized by formalized requirements and often lead to longer decision-making processes. Due to their more streamlined structures, many companies can act more quickly and flexibly, which can lead to tensions. Understanding these different dynamics is a basic prerequisite for smooth cooperation.
• Political influences at state level lead to additional complexities. Legal or party-political conditions can alter requirements and priorities at short notice, necessitating flexibility and adaptability from companies.
• There are often diverging expectations when it comes to communication. While public authorities emphasize formal reporting channels and documentation requirements, companies expect pragmatic, direct coordination processes. Information requirements and forms of communication must therefore be clarified at an early stage to enable projects to run smoothly.
• Building trust is also important, particularly in the context of security-related contracts. Regular information exchange, transparent decision-making processes, and involving relevant stakeholders can help strengthen trust and focus on shared objectives.
• Finally, there are implications for internal organization. Increased security measures affect operational procedures and established processes. Additionally, tensions may arise between security requirements and other corporate goals, such as efficiency, flexibility or speed of innovation.

Conclusion

While increased cooperation between state and industry in the field of security presents great opportunities, it also poses various challenges. The complexity of the practical and legal requirements necessitates careful and integrated management. Conflicts between security requirements, data protection, compliance, security law and operational aspects necessitate a holistic approach. Companies that can navigate this complexity and prepare their organization “public ready” can position themselves as reliable partners in an increasingly security-conscious environment.