- Digitalization has created new business models that are transforming traditional industries.
- Flash scaling means rapid growth, often in disregard of the law.
- Companies such as Uber and Airbnb show how innovation can circumvent rules.
- Startups risk regulatory arbitrage, which can have legal consequences.
- The balancing act between innovation and law requires strategic planning and compliance.
- Moral and business management issues arise in the context of aggressive growth strategies.
- Long-term success requires a balance between growth and legal framework conditions.
Digitalization has given rise to a new generation of business models that are growing at a rapid pace and revolutionizing traditional industries. Terms such as flash scaling (a concept coined by LinkedIn founder Reid Hoffman, among others) – the ultra-fast scaling up of a start-up – stand for this aggressive growth strategy. Often, such flash-scaling companies go to the limits of what is permitted or even beyond. They gain a market advantage by deliberately circumventing the law and exploiting regulatory gray areas (known as regulatory arbitrage). This is a kind of race: legislation often lags behind new technologies, which opens up loopholes in the short term – the very spaces that startups can use for arbitrage. But as soon as legislators wake up, these loopholes are usually closed. Startups are therefore operating in a temporary window if they rely on the inexperience of regulators. The fundamental question arises as to whether it is better to work cooperatively towards changes in the law instead of temporarily exploiting gray areas that could disappear at any time. This approach creates a tension between innovation and the legal order. In this context, legal scholars also speak of “regulatory entrepreneurship”: start-ups deliberately pursue a strategy in which changing or overcoming existing laws is part of the business model.
Companies such as Uber, Airbnb, Binance and Facebook are examples of how groundbreaking innovation can go hand in hand with deliberate disregard for the rules. For young companies and start-ups – especially in Germany and Europe – the question arises as to how far one can go in the service of progress and what risks are associated with this. This article takes a comprehensive and practical look at the moral, economic, investment law and legal aspects of aggressive business models and flash scaling. The article is structured accordingly: first, flash scaling and regulatory arbitrage are conceptually categorized. We then look at the moral and ethical dimension as well as the economic opportunities and risks of such strategies. This is followed by a detailed analysis of the legal pitfalls in selected industries (from FinTech to AI to media/gaming), underpinned by standards and case law. Finally, we provide practical recommendations for founders before summarizing the most important findings in a conclusion. The aim is to provide founders and start-up teams in Germany with a well-founded guide – based on German and European law – that warns of pitfalls without losing sight of opportunities.
It also shows how thin the line is between disruptive innovation and regulatory infringement. Relevant standards from IT law, media law, company law, competition law and contract law are presented, as are groundbreaking court decisions. Without moralizing, but with legal clarity, the article aims to raise awareness that sustainable entrepreneurial success in Europe is only possible in accordance with the legal system.
Flash scaling and legal loopholes: Innovation at the limit
First of all, it is important to understand the phenomenon of flash scaling and regulatory arbitrage. Flash scaling (often based on the Silicon Valley principle of “grow fast, break things”) refers to the deliberate acceptance of enormous risks in order to achieve a dominant market position in the shortest possible time. Growth is prioritized over efficiency – costs and rules play a subordinate role for the time being. The aim is to present competitors and authorities with a fait accompli through sheer size and speed. Regulatory arbitrage, on the other hand, refers to the targeted exploitation of loopholes or inconsistencies in the legal framework in order to carry out business activities that would be prohibited or severely restricted in a strictly regulated environment. For example, start-ups choose legal forms, business structures or technologies in such a way that existing laws do not clearly apply.
Examples of such regulatory entrepreneurship tactics include: operating in legal grey areas as long as there are no clear prohibitions; growing so quickly that you effectively become “too big to ban” and a ban is difficult to enforce politically or socially; mobilizing your own user base as a means of exerting pressure to force legalization; or relocating the business to jurisdictions with weaker regulation in order to avoid strict domestic regulations. Uber, for example, launched its service in many places despite clear prohibitions in passenger transportation law in the hope that millions of enthusiastic users would later persuade authorities and politicians to be lenient. Airbnb began to expand globally, even though many cities had bans on the misuse of residential space – with the strategy of gathering enough supporters to bring about changes to local laws.
From an idealistic perspective, this approach can be seen as an engine for renewing encrusted regulations: innovation creates facts and forces legislators to adapt outdated rules. From a critical perspective, however, the question arises as to whether profit-driven players are placing their own interests above the common good and the rule of law. The credo “grow first, then sort out the formalities” may be successful in the short term, but it poses considerable problems in the long term – both of an ethical and legal nature.
Moral implications of aggressive growth strategies
Aggressively flash-scaling business models raise serious moral questions. On the one hand, a conflict of justice arises: established market players adhere to laws and regulations, while newcomers deliberately ignore them and gain a competitive advantage. Is it morally justifiable to break rules in order to grow faster? Many would argue that this creates unequal competition – “honest” companies are punished, while rule-breakers benefit. The cab industry vs. Uber provides an example here: traditional cab companies complied with licensing requirements, insurance obligations and tariff commitments, while Uber drivers initially transported passengers without a passenger transport license and without fixed tariffs. The result was a price advantage for Uber and an erosion of the business basis of regular cabs. Ethically, this is on shaky ground, as competition should not be carried out at the expense of legality.
Secondly, aggressive models often affect responsibility towards society and consumers. Facebook’s motto in the early years was characteristically “move fast and break things” – growth was prioritized above all else, including the protection of user data or the prevention of social damage. At times, the unbridled platform enabled the mass dissemination of disinformation and the analysis of personal data without effective control (think of the Cambridge Analytica scandal). Morally, the question arises as to whether the collateral damage to society caused by such business practices is justified. Similarly with Airbnb: the model, which originally started out as a harmless sharing economy, led to a housing shortage and price increases for tenants in many major cities because apartment owners preferred to rent to tourists. The pursuit of profit and social responsibility collide directly here.
The treatment of workers in flash-scaling companies is also becoming a moral touchstone. Gig economy platforms such as Uber or delivery services have long circumvented labor law and social standards by declaring their drivers and couriers as “independent partners”. Social security contributions and minimum wages were saved in this way – at the expense of precarious workers who enjoy no protection whatsoever. In cases of doubt, society then has to bear the consequential costs (e.g. topping up social security systems). This outsourcing of risks is viewed critically from a moral point of view. In the meantime, courts – for example in the UK – have granted Uber drivers employee status, which points to the unsustainability of the previous model.
Last but not least, the fundamental question arises as to whether breaking the law can be seen as a legitimate means of innovation. Some startup founders justify their actions by claiming that they were only able to successfully create something new because they disregarded outdated rules. However, this utilitarian approach (“the end justifies the means”) reaches its limits where fundamental legal interests or values are violated. The legal system embodies not only formalities, but often also moral decisions of the community – from consumer protection and fair competition to the safety of citizens. Anyone who undermines these foundations risks losing trust and acceptance.
In addition, the long-term social effect must not be ignored. A start-up culture that notoriously flouts the rules can shake public confidence in new technologies and providers. Citizens and consumers could view innovations with skepticism if they gain the impression that the tech industry is flouting law and order. In addition to formal approval, companies also need a social license to operate – in other words, acceptance by society and the public. Those who squander this informal legitimacy through reckless behavior will also face economic headwinds in the long term. In a country like Germany, which traditionally values the rule of law and responsible technology assessment, the image of a “rule-breaking” start-up is damaging to business. It is morally and strategically more sustainable to combine progress with responsibility – because in the long term, acceptance in society and politics will be gained by those who drive innovation in line with fundamental values.
Business opportunities and risks
From a business management point of view, flash scaling initially appears extremely attractive. The strategy promises to achieve competitive advantages through sheer speed and size that would be denied to a company that grows slowly and organically. In rapidly emerging digital markets, a winner-takes-all principle often applies: the first platform to achieve critical mass can build up a monopoly-like lead. Rapidly scaling companies secure market power, user base and data early on and can thus skim off network effects. There are plenty of examples: Facebook displaced competing networks within a few years; Uber created a global ride-hailing market at lightning speed; Netflix conquered the streaming segment with enormous capital investment before traditional media groups could react. From the perspective of founders and investors, these successes justify the high investment of resources and the acceptance of losses in the early phase.
However, there are two sides to flash scaling. The flip side of the coin consists of considerable business risks and management challenges. On the one hand, it triggers an enormous capital requirement: flash-scaling start-ups often burn through hundreds of millions of euros in venture capital in a very short space of time in order to buy growth (marketing, expansion, customer acquisition often below cost). The business model must rely on these losses being recouped later through market dominance – an uncertain bet. If additional legal problems arise, investors can quickly jump ship, causing the house of cards to collapse. WeWork was a prominent example: aggressive growth without a viable revenue model ended in a massive valuation correction when it became clear that the fundamentals were not up to scratch (although this was due to internal management errors rather than breaches of the law, it shows the dangers of uncovered growth speculation).
Secondly, hyperbolic growth often overwhelms the internal structures of a young company. Processes, personnel and compliance can barely keep up. Customer service, IT security, quality control – all of these can easily fall behind during turbulent scale-up phases. This can damage a company’s reputation (e.g. if a FinTech app is constantly down due to overload or customer data is poorly protected). Compliance and legal conformity in particular often fall by the wayside in the case of fast-scaling start-ups because they are perceived as an “annoying brake”. However, retrofitting compliance structures at a later date is expensive and complex. N26, a German neo-bank start-up, experienced this: Following explosive customer growth, the financial supervisory authority criticized serious deficiencies in money laundering prevention. As a result, BaFin imposed a limit in 2021 on how many new customers N26 was allowed to accept per month in order to relieve the overburdened control system – a severe blow to growth. In addition, N26 received a fine of around 9 million euros in 2023 for reporting failures. In business terms, this means not only direct costs, but also lost growth and reputational damage.
Aggressive business models often calculate with the formula that short-term profits or market shares exceed the subsequent costs of regulatory damage. However, this risk-reward calculation is difficult to control. For example, Uber subsidized rides for years with risk capital in order to keep fares unbeatably low and drive competitors out of the market – on the assumption that it would be able to raise prices once it had achieved market dominance. This business strategy is similar to classic predatory pricing, which is tricky under antitrust law. So far, however, Uber has hardly been able to achieve sustainable profits; the plan to become profitable through sheer size remains risky. If a monopoly does not emerge in the end (e.g. because local alternatives arise or regulation prevents it), the losses may not be recouped. For a start-up without the financial strength of Uber, such an approach would be fatal – it would simply go bankrupt long before it could become the top dog.
Some startup investors cynically argue that regulatory violations can be deliberately “priced in” – in other words, possible fines or legal costs can be estimated as calculated losses in the business plan as long as market growth outweighs them. This approach views regulatory costs in a similar way to other business indicators. But it fails to recognize the potential limitlessness of legal risks: a court ruling can prohibit an entire business model, a criminal case against management can paralyze the company’s leadership, and reputational damage is difficult to quantify. The idea that breaking the law can simply be treated as a cost factor only works as long as regulators give in. Once precedents have been set – such as the Uber ban or high GDPR fines – the risks increase exponentially. From a business perspective, those who understand legal compliance as part of their quality and risk management strategy and thus pursue stable growth paths will be more sustainable.
E-scooter rental start-ups are a clear example of this balancing act. From 2018, providers such as Bird and Lime flooded various major cities with electric scooters virtually overnight, without first obtaining permits or complying with existing traffic regulations. The concept worked for a short time – users enthusiastically accepted the offer and the companies’ valuations skyrocketed. However, the reaction from city councils was swift: in some cities, the scooters were collected again and local bans or strict operating conditions were imposed. Eventually, many municipalities introduced licensing systems in which only selected providers with a limited number of vehicles were allowed to operate. The flash-scaled advantage fizzled out and the companies had to submit to the regular procedures. This case underlines that a ‘first create a fait accompli, then ask for permission’ approach in the public sector can quickly backfire. The previously celebrated growth turned into costs for legal disputes, lobbying and adapting to regulations – a lesson that high-speed expansion without backing in the regulatory environment remains economically risky.
Interim conclusion: From an entrepreneurial perspective, flash scaling offers great opportunities for market leadership and investor money, but is associated with considerable risks. Without a minimum of stable structures and legal safeguards, these business models are at risk of failing due to their own growing pains. Especially in Germany and Europe, where authorities are taking a closer look, blind “growth at any price” is economically short-sighted.
Investment law framework
One aspect of aggressive startup strategies that is often overlooked is the investment law implications. “Investment law” can mean two things here: firstly, the legal conditions for raising capital (through investors, IPOs, ICOs, etc.) and secondly, the protection of investors, which is to be guaranteed by certain laws. Flash-scaling companies are sometimes treading on thin ice in both areas.
Raising capital and financing: In order to finance hyper-fast growth, start-ups require considerable funds. Traditionally, this comes from venture capitalists or, in later phases, via the stock exchange. Aggressive growth companies have sought new ways – such as initial coin offerings (ICOs) in the crypto sector or crowdinvesting platforms – to circumvent the regulatory hurdles of traditional capital markets. However, these areas are now also regulated: anyone who raises capital publicly is subject to securities or asset investment law above certain thresholds. For example, the EU Prospectus Regulation requires a prospectus to be drawn up and approved for public offerings of securities over EUR 1 million (with some exceptions and higher thresholds depending on the member state). Section 32 of the German Banking Act (KWG) requires written permission from BaFin for banking transactions – anyone who, for example, accepts deposits or grants loans on a commercial basis without this permission is not only acting in violation of regulations, but is even liable to prosecution under Section 54 KWG. A FinTech that plays poker here risks not only official injunctions but also personal consequences for those responsible. Start-ups that believe they can circumvent the prospectus requirement or license requirement through clever constructions run the risk of becoming liable to prosecution. Binance provided a precedent here: in 2021, the crypto exchange offered so-called “share tokens” that synthetically replicated real shares such as Tesla – but without a prospectus and without the usual capital market supervisory procedures. The German BaFin sounded the alarm and found that this violated the German Securities Prospectus Act. Binance was threatened with fines of up to €5 million or 3% of turnover. Trading in these tokens was subsequently suspended.
The lesson for start-ups: even if you create innovative financial products that do not formally fit into any box, the authorities will check carefully to see whether they are in fact a financial instrument subject to regulation. Legislators have also reacted in the area of crowdfunding – by means of the European Crowdfunding Regulation and national barriers (e.g. the Asset Investment Act in Germany, which permits financing of up to €6 million under simplified conditions). The windows of opportunity for unregulated capital raising are closing rapidly.
Investor protection and liability risks: Aggressive business models that operate on the edge of legality pose a risk not only to consumers or the public, but also to their own backers. Venture capital investors take risks into account, but if a business model turns out to be illegal from the outset, this can lead to legal disputes between founders and investors. In Germany, for example, shareholders have a right to information and control, and serious breaches of duty by management can even trigger claims for damages. There are examples where investors have subsequently held the management liable. In legal terms, this is referred to as the management’s duty of legality: the management must ensure that the company acts in accordance with the law. If a managing director disregards this duty, for example by operating an unlawful business model, they can be accused of breaching their duty of care (Section 43 GmbHG for GmbHs). The consequence may be claims for damages against the managing director personally – whether from the company itself or from shareholders (especially if the conduct ruined the company).
Founders often deliberately choose legal forms with limited liability (UG, GmbH) in order to protect their private assets. However, this barrier does not hold in all cases: If violations of the law are involved, there may be a threat of recourse liability under certain circumstances – for example, if a court classifies a business model as immoral or judges it to be an illegal circumvention, contracts could be null and void and claims could be made directly against the persons acting. Managing directors are not immune from criminal law either: for example, anyone who systematically withholds social security contributions (deliberately conceals bogus self-employment) or continues to operate despite official prohibitions may be personally liable to prosecution. Investors will therefore take a close look during due diligence to see whether the business model is viable from a regulatory perspective and whether the management is acting in a legally “clean” manner before providing capital.
Regulatory barriers can also apply when investors enter the market. In some sensitive sectors, the state examines foreign investments for security reasons (in accordance with the Foreign Trade and Payments Act, AWG). A flash-scaling start-up that innovates in the fields of armaments, IT security or critical infrastructure, for example, could trigger a review process for financing rounds with investors from third countries. If this review is not successful, the investment may be prohibited – which would bring growth to an abrupt halt. In addition, sectoral regulations require notification or approval for significant changes in shareholdings (in the financial sector, for example, every acquisition of more than 10% of shares must be approved by the supervisory authority, Section 2c KWG). Start-ups should therefore not blindly accept every investment, but should be aware of the investment law requirements.
Tokenization and new financial products: In recent years, many flash scaling models have emerged from the crypto sector. Attempts have been made to circumvent traditional regulation with utility tokens, stablecoins and DeFi products. However, the EU has responded with MiCA (Markets in Crypto-Assets Regulation), which will apply gradually from 2024/25. It introduces a licensing requirement for crypto trading platforms and issuers of certain tokens. This means that the era of the largely unregulated Wild West in the crypto investment market is coming to an end. A startup that still raises a lot of money today with gray-zone tokens must bear in mind that it will have to meet verification obligations, white papers, minimum capital and compliance requirements tomorrow in order to be allowed to continue operating. Investors, on the other hand, are paying more attention to legal due diligence: during financing rounds, they check whether the business model is compatible with the existing and foreseeable legal framework. A quick exit via an initial public offering (IPO) will only succeed if prospectus liability and audits are passed – a company with an unlawful core business would fail.
In summary, the investment law perspective warns that long-term access to capital for start-ups is only guaranteed if they operate in legal waters. The spectacular initial valuation of a “regulatory pirate” can quickly collapse if supervisory authorities intervene – and thus also destroy the investments. Potential investors (whether on the stock exchange or private VCs) increasingly reward founders who do not hide risks but actively manage them. There are also counterexamples that show that compliance can pay off: Berlin-based FinTech Trade Republic, for example, decided early on to take the strictly regulated route (as a securities trading bank with a BaFin license), and as a result gained the trust of hundreds of thousands of customers in a short space of time, without any significant regulatory setbacks. This example illustrates that it is possible to scale at lightning speed even if all requirements are met – growth is more likely to be promoted if the legal foundations are solid.
Interim conclusion: The various industry examples underline the fact that every disruptive business model ultimately collides with existing legal matters – be it financial regulations, data protection, trade law, copyright or the protection of minors. No innovation operates in a complete legal vacuum. Those who deliberately violate or circumvent standards may gain a short-term advantage, but the risk of an abrupt stop or subsequent sanctions is high.
For smaller start-ups in particular, the potential consequences are almost impossible to shoulder: an official ban on activities, an injunction under competition law or a fine in the millions can have a devastating impact on a young company. In contrast to financially strong corporations, start-ups often lack the “war chest” to endure years of legal disputes or simply pay fines. The great role models could only afford their confrontational strategy because they had enormous resources at their disposal. Founders should not succumb to the illusion that they can play the same game without getting burned.
However, innovation can certainly provide the impetus to rethink outdated rules – but ideally in cooperation with regulation and not single-handedly against it. Ultimately, it is clear that the legal system often has flexible instruments for integrating new things, but it also sets red lines that are extremely dangerous for start-ups if they are deliberately crossed.
Legal pitfalls in various industries
While the focus so far has been on general considerations, an analysis of the legal pitfalls in specific sectors that are particularly in the focus of flash-scaling models now follows. For start-ups in Germany and the EU, it is essential to know the relevant areas of law in order to implement innovations in a legally compliant manner (or at least with conscious consideration). The following section looks at the FinTech, artificial intelligence, sharing economy (marketplaces/platforms), social networks, streaming services, gaming and app models as well as hardware start-ups. This shows that each sector has its own regulatory priorities – from financial supervision and data protection to the protection of minors and product safety – which can have serious consequences if they are circumvented.
FinTech and cryptocurrencies: Innovation vs. financial supervision
The financial industry is one of the most heavily regulated sectors of all. FinTech start-ups are trying to challenge traditional banks, payment services and investment advisors with clever technologies. However, they immediately come up against dense regulatory networks: the German Banking Act (KWG) for banking transactions, the German Payment Services Supervision Act (ZAG) for payment services and e-money, the German Securities Trading Act (WpHG) for brokerage services, to name but a few. Flash scaling in the FinTech sector often means initially circumventing the strict licensing regime – for example, by operating throughout Europe with a foreign e-money license (EU passporting) or acting as a “technology platform” while a licensed partner handles the regulated transactions in the background. For example, the banking app Revolut has long operated throughout the EU with a Lithuanian banking license without applying for a separate license in each country. Such structures are legal, but are borderline, as the substance of the business is actually carried out in the target country. BaFin and the European Central Bank are now taking stricter measures to ensure that letterbox licenses do not lead to the circumvention of German/European supervision.
Strict money laundering prevention also applies in the financial sector: the German Money Laundering Act (GwG) also obliges FinTechs to identify customers and monitor suspicious transactions. If start-ups neglect this, they face strict requirements. In 2021, for example, BaFin ordered N26 to slow down its rapid customer growth until it had improved its internal control systems – including the appointment of a special officer and a fine for failure to report. A clear signal that supervisory authorities are also cracking down on newcomers when financial integrity appears to be at risk.
Regulatory requirements also apply beyond traditional banking transactions. Even enabling payment services (e.g. a wallet app that allows transfers) requires a license under the Payment Services Supervision Act (ZAG) or at least a connection to a licensed payment service provider. Many FinTech models are based on cooperation – for example, the startup formally acts only as an intermediary, while a partner institution carries out the actual financial transaction with permission. Such models are legal, but finely balanced; exceeding the role (if the startup actually carries out the financial transaction itself) would again trigger a licensing requirement. BaFin is keeping a close eye on whether unauthorized banking transactions are actually taking place behind upstream FinTech interfaces.
An even more blatant example of attempted circumvention of the law was provided by the now insolvent German company Wirecard. Although no longer a classic start-up at the time of the scandal, Wirecard showed how a company with a FinTech image expanded globally and used regulatory arbitrage – including through subsidiaries in legally lax jurisdictions. In the end, reality caught up with them: in addition to accounting fraud, the circumvention of effective controls was also a factor that led to the collapse. This episode alarmed the financial supervisory authorities in Germany and contributed to a change in culture at BaFin: they are now taking proactive action against compliance failures at young financial companies before they can become system-critical. The example of N26 has already been mentioned – the imposition of a customer growth limit in order to be able to comply with banking supervisory obligations (in particular anti-money laundering under the GwG) was a novelty. The bonus that Wirecard may have enjoyed no longer exists; on the contrary, the industry is now under increased scrutiny and any conspicuous behavior is sanctioned more quickly.
For a long time, start-ups saw the cryptocurrency sector as a loophole to escape the regulated financial system. The spectrum ranged from Bitcoin trading platforms to initial coin offerings and decentralized finance apps (DeFi). In Germany, however, the following has been expressly applicable since 2020: crypto custody business requires a license (Section 1 (1a) KWG), and the offering of tokens can be considered a financial instrument or securities transaction depending on the structure. BaFin has conducted a number of proceedings against operators without a license, in some cases with criminal charges. Although Binance, the largest global player, did not obtain a German license, it does de facto conduct business here – this is only tolerated up to a certain point. For example, BaFin prohibited Binance from advertising certain futures transactions to private customers. For a startup without Binance’s market power, such an approach would quickly end in a complete ban on activities. In addition, the European MiCA regulation will come into force from 2025, forcing crypto service providers to obtain a license and imposing strict requirements (e.g. for stablecoins). Any FinTech/crypto startup that is counting on being faster than the regulation will therefore find that loopholes in the law will be closed as soon as they are obviously exploited.
In addition to licensing requirements, consumer protection and civil liability in FinTech must be taken into account. An aggressive business model that sells high-risk investments to inexperienced people via an app, for example, could violate investor protection regulations (e.g. MiFID II suitability test requirements). There is also the threat of claims for damages if customer losses occur and there is a breach of the duty of disclosure. The seemingly cool start-up app quickly moves into the sphere of standard banking obligations. Ultimately, FinTech is a prime example of the fact that trust is the currency of the financial market – and trust requires compliance with the law. Hardly any customer will put money in the hands of a provider who is obviously circumventing regulation and thus risking the security of their investment in the long term. A start-up may benefit from a “Wild West” image in the short term, but as soon as larger sums are involved, reliability and regulatory compliance become crucial.
Artificial intelligence: between progress and regulation
Among the innovative fields, artificial intelligence (AI) is perhaps the one with the greatest momentum – and now also with the first targeted regulatory approaches. AI start-ups are scaling at lightning speed by rapidly training machine learning systems, rolling them out in various applications and collecting enormous amounts of data. For a long time, AI development operated more or less in a legal vacuum, but this is currently changing: in 2024, the EU will be the first in the world to adopt a comprehensive AI Act. Although a transitional period of two years is expected to apply, specific requirements and bans will come into effect for AI systems from 2025/26, depending on the risk class. A startup that treads aggressive paths here must anticipate this.
Of course, cross-sectional laws already apply to AI applications, in particular data protection law. Many AI models are based on the mass analysis of personal data – be it direct user data or indirectly scraped material from the internet. The GDPR sets clear limits here: Processing is only permitted with a legal basis, sensitive data (e.g. biometric data for facial recognition) requires explicit consent, and data subjects have rights of access and erasure. Some AI companies initially ignored these principles. The best-known negative example is Clearview AI: a US start-up that extracted publicly available photos (e.g. from social networks) to build a facial recognition database for law enforcement. This business model blatantly violated European data protection law – there was no legal basis for processing the millions of faces. As a result, data protection authorities in several EU countries imposed the maximum fines (France €20 million, Italy €20 million, Netherlands €30 million) and prohibited further data processing. Clearview AI had to withdraw from Europe. This case shows that AI start-ups that rely on data theft or privacy arbitrage have no sustainable ground in the EU. Innovation must not be used as an excuse to undermine fundamental rights.
The AI chatbot ChatGPT is a recent example of how regulators can crack down on highly innovative services: in spring 2023, the Italian data protection authority imposed a temporary ban on the use of ChatGPT in Italy because the service had violated the GDPR (insufficient information, lack of legal basis, no protection of minors). OpenAI, the operator, had to make hasty improvements – such as introducing an age filter system and improving data protection notices – in order to have the ban lifted again. This process made headlines around the world and shows that authorities are prepared to stop even popular AI services if fundamental rights violations are suspected. AI start-ups should learn from this that “beta testing” does not protect against legal liability: experimental offerings must also respect the applicable standards or face severe reactions.
Another legal minefield for AI is anti-discrimination law and product liability law. If an AI system is used in personnel recruitment, for example, and systematically discriminates against applicants on the basis of protected characteristics (gender, ethnic origin, etc.), this can both violate employment law prohibitions on discrimination (AGG in Germany) and lead to damage to the company’s image and liability. AI developers are faced with the task of designing their training data and algorithms in such a way that bias and discrimination are minimized – an ethical and legal duty that has often been neglected in the race for market advantages. In future, the EU AI Act intends to classify precisely such cases as “high-risk AI” and impose strict requirements (such as risk analyses, transparency reports, conformity assessments). It should be emphasized that certain AI applications will be categorically prohibited in the future – such as AI systems for the mass evaluation of social behavior (“social scoring”) or for the real-time biometric identification of people in public spaces (facial recognition on street surveillance cameras), except for state-legitimized purposes. A startup that develops such a product would no longer have a legal market window in the EU once the AI Act comes into force. Other systems that are classified as “high-risk” (e.g. AI for personnel recruitment, credit scoring, medical diagnostics) may be offered, but are subject to extensive requirements: transparency and information obligations, risk and quality management and, if necessary, prior official inspection. The development costs of such compliance measures are considerable – those who ignore them risk a subsequent marketing ban or product recalls, which can destroy the entire business model. AI start-ups should therefore clarify at an early stage which risk class their system could fall into and what obligations are associated with it. 
For safety-critical AI products in particular, certification in accordance with the relevant standards (e.g. CE marking as a medical device) is recommended in order to be on the safe side legally.
In addition to hard laws, there are also soft law instruments such as ethical guidelines for AI (such as the Ethical Guidelines for Trustworthy AI formulated by an EU expert group in 2019). Although they are not legally binding, they set standards for responsible AI development. Start-ups that follow these guidelines (keywords: transparency, fairness, traceability of decisions) can set a moral example on the one hand and anticipate possible future regulations on the other. Such guidelines are often later incorporated into legislation.
Sharing economy: mobility and living in the gray area
Sharing economy platforms such as Uber (mobility) or Airbnb (private vacation rentals) are prototypes of how start-ups were able to grow rapidly thanks to legal loopholes – and were then caught up by regulation. Both examples are instructive for German start-ups, even if their own business model is different: they show mechanisms for circumventing the law and their limits.
Uber and passenger transportation law: In Germany, the transportation of passengers for a fee is subject to strict requirements, regulated in the Passenger Transportation Act (PBefG). Cabs require a license, drivers need a passenger transport license; for rental cars with drivers, there is an obligation to return to the place of business after each trip. Uber attempted to circumvent this legal framework by presenting itself purely as a ride broker – with independent drivers and without its own vehicles. De facto, however, it offered a fully-fledged transport service, just without a license. German cab companies sued this model for unfair competition (Section 3a UWG: violations of the law that give the offender a competitive advantage are unfair). The courts ruled in favor of the plaintiffs: as early as 2015, the Frankfurt Regional Court banned UberPop nationwide, followed later by further bans against variants such as UberX. The highlight was a ruling by the Higher Regional Court of Frankfurt a.M. (judgment of 16.06.2021 – 6 U 3/21), which found that Uber violated central regulations through its brokerage practice – this judgment has been legally binding since April 2022, as the Federal Court of Justice rejected the appeal in its ruling of 21.04.2022. This clarifies that Uber may only work with licensed car rental companies in Germany and must comply with all PBefG requirements. The consequence: a business model that was based on circumventing national law had to be adapted and lost its original cost advantage. Although Uber had a temporary market advantage, the primacy of the law ultimately prevailed – an important signal to other start-ups. It is worth noting that Uber tried for years to create facts by litigating and delaying (“suspensive effect”). Over 100 court cases in Germany have revolved around Uber. 
However, this aggressive legal strategy is risky: it requires enormous financial resources and can put a lasting strain on relationships with supervisory authorities. A small start-up could hardly survive such a marathon.
It should be noted that the German legislator did react to the pressure to innovate in 2021 and reformed passenger transport law: since then, there has been a legal basis for new mobility services such as ride-pooling and a somewhat modernized regulation for rental car agencies. However, the barriers were not simply lifted – rather, central protective mechanisms (such as the obligation to return a rental car without a passenger) remained in place. The adjustments show: The law is moving some way towards innovative models, but in careful doses to prevent abuse. Uber & Co. will therefore have to fit into a tight corset even after the reform.
Airbnb and the misappropriation of living space: Airbnb is similarly paradigmatic in the housing sector. The business model – providing private accommodation to tourists – initially ran outside existing regulations for hotels or rental apartments in many places. In Berlin, for example, the law prohibiting misappropriation came into force in 2014, which prohibits short-term rentals without a permit in order to protect housing for the population. Many hosts on Airbnb ignored this; the platform itself only saw itself as an intermediary and shifted the responsibility onto the users. However, the authorities reacted: fines were imposed (Berlin raised the limit to €500,000 for violations) and Airbnb was also pressured to hand over landlords’ data. Legal disputes followed all the way up to the European Court of Justice. In 2019, the ECJ initially ruled that Airbnb, as a platform, is fundamentally an information society service and cannot be more strictly regulated as a real estate agent (Case C-390/18). This gave Airbnb a tailwind. At the same time, however, the ECJ confirmed in another case in 2020 that member states may introduce licensing requirements for short-term rentals to protect the housing market – a key clarification that general interest objectives can take precedence over the freedom to provide services (judgment of 22/09/2020, C-724/18, C-727/18). In the fight against the urban housing shortage, the ECJ therefore allows EU states to create regulations that protect access to housing. The bottom line is that Airbnb must comply with the local rules in each city, e.g. registration requirements for landlords, maximum rental periods per year, etc. In Paris and other major cities, such rules have been approved by the highest court. For start-ups, this means that local regulations are crucial in the platform business. A digital platform model may be globally scalable, but local law can pull the plug when it comes to core resources such as housing or transportation.
The EU is now also working on standardized rules: a proposed regulation by the EU Commission from 2022 aims to oblige short-term rental platforms to report data on bookings to cities and support registration procedures for landlords. This is intended to create a balance that both enables platform operation and provides cities with the means to curb excessive misappropriation. Airbnb itself has started to cooperate in many major cities – for example by introducing registration numbers in the listings and blocking offers that do not provide proof of approval. This shows that when regulatory pressure increases, the platforms also adapt and integrate the rules that were once circumvented into their system.
In general, the sharing economy shows that the principle of “platform as mere intermediary” does not provide unlimited legal protection. As soon as a startup is involved in the organization of the core service (algorithms control supply/demand, platform sets prices, mediates payments), courts and legislators increasingly see it as jointly responsible. For example, brokerage platforms have recently been required to report rental turnover to the tax authorities in accordance with Section 24c UStG in order to combat tax evasion by Airbnb landlords. Platform liability law has become stricter: according to the Digital Services Act (DSA), intermediaries above a certain size must act more transparently and investigate illegal offers quickly. In short: the initial regulatory loophole has been plugged.
Social networks and data platforms: Growth at any price?
Social media and digital platforms that work with user data are another area in which startups have been able to grow exponentially – often in defiance of traditional media and communication laws. Although Facebook has long been a tech giant, it began as a lightning-fast campus startup that quickly went global without worrying about national regulations (data protection, youth protection, media law). There are lessons to be learned from this.
For a long time, data protection and the monopolization of user data were a key area of legal conflict. Facebook’s business model was based on combining as many data sources as possible (Facebook, Instagram, web tracking, etc.) in order to optimize personalized advertising. In Germany, the Federal Cartel Office issued a much-noticed ruling in 2019 prohibiting Facebook from engaging in this practice without the voluntary consent of users – on the grounds that a dominant company abuses its position if it forces users to accept across-the-board data collection (a novel combination of competition law and data protection principles). After years of legal disputes and a stopover before the Federal Court of Justice (decision of 23.06.2020 – KVR 69/19), Meta (Facebook) finally relented in 2023/24 and now allows its users to largely object to data aggregation. This example shows: data is the oil of the digital age, but its uninhibited siphoning off can no longer be legally justified so easily, at least not in Europe. Start-ups that are flash-scaling data-driven business models need to consider the GDPR from the outset. Violations can be sanctioned not only with fines (Art. 83 GDPR), but – as the Facebook case shows – even with prohibitions under competition law.
Another aspect is content control and media regulation. Although social media platforms enjoy the exclusion of liability for third-party content under the German Telemedia Act (Section 10 TMG, now further developed by the DSA), this has been supplemented in Germany by the Network Enforcement Act (NetzDG): operators of large networks must quickly remove criminal content and submit transparency reports, otherwise they face fines of up to €50 million. Facebook and YouTube have had to increase their staffing levels accordingly (content moderation teams) after initially ignoring the problem of hate speech and illegal propaganda. According to the NetzDG, obviously illegal content must be deleted within 24 hours, other reported criminal content within 7 days. An up-and-coming network startup should not assume that it can circumvent such obligations – the NetzDG applies to 2 million users or more in Germany, and even below that, an injunction can force it to block certain content (e.g. defamation, copyright infringements). The YouTube model – grow first, worry later – is more dangerous today than ever.
Youth media protection also applies: platforms must ensure that content that is harmful to development (violence, pornography) is only accessible to adults. Large platforms have integrated age verification or youth protection programs here. A start-up that launches a new video app, for example, could run into problems if it does not take any precautions and it becomes known that content which should actually be restricted to 18+ is available without protection to users from the age of 13. The Commission for the Protection of Minors in the Media (KJM) can impose sanctions. In the area of live streaming, for example, there was a case where a popular YouTube gaming channel was classified as broadcasting due to round-the-clock streaming and required a license.
The issue of competition law/cartels also catches up with successful platforms: as soon as a start-up becomes very large with its marketplace or network, there is a threat of abuse control proceedings (in accordance with Art. 102 TFEU or Sections 19, 20 ARC). Google, Amazon, Facebook – all have faced such proceedings. This is initially not an issue for small start-ups, but it becomes relevant if the intended business model is aimed at a gatekeeper position. With the new Digital Markets Act (DMA), the EU has also created an ex-ante catalog of rules for large platforms. For example, gatekeepers may not give preference to their own services, must guarantee interoperability, etc. The thresholds for gatekeepers are high (e.g. 45 million end users per month), but ambitious founders should be aware of this: the regulatory environment becomes more demanding, not more lax, with increasing success. Last but not least, the limits of antitrust law should be mentioned: if a startup actually becomes a dominant player with its new model, rules will also apply here. The prohibition of abuse of market power (Art. 102 TFEU, Sections 19, 20 ARC) applies regardless of the business model. For example, a large platform operator that crowds out competitors and then dictates prices or discriminates against partners risks the intervention of the antitrust authorities. Although the EU’s Digital Markets Act, which recently came into force, is primarily aimed at established tech giants, it shows that platform operators are subject to tighter reins in the event of unfair behavior. Founders should therefore always consider their expansion plans from the perspective of “What happens if we are too successful?” – because market success entails regulation.
In addition to data protection and content obligations, labor law issues are also becoming the focus of regulation: the EU is currently discussing a platform labor directive that is intended to prevent brokerage platforms from permanently outsourcing regular employment relationships to pseudo self-employment. In future, providers such as Uber, Deliveroo & Co. could be required to employ their drivers permanently if they essentially act like employees (criteria include a lack of price autonomy, performance monitoring by the app, etc.). Such a regulation would significantly change the cost model of the gig economy. Although the directive is not yet in force, the trend is clear – and national courts have already drawn “social guardrails” in individual cases (see UK Supreme Court ruling 2021, which granted Uber drivers employee rights). Startups should follow these developments closely and not rely on being able to circumvent social obligations permanently.
Another aspect is the consistent enforcement of data protection: In May 2023, the competent Irish authority imposed a fine of 1.2 billion euros on Meta (Facebook) for transferring user data to the USA in violation of the GDPR without ensuring adequate protection there. This record sum – the highest since the GDPR came into force – underlines the financial explosive force that infringements can have. For a startup, even 1% of such amounts would threaten its existence. It is therefore not an abstract risk, but a bitter reality: data protection compliance can sometimes make or break a data platform business.
Streaming services: Digital content and rights
Streaming services for video, music or live gaming are an integral part of modern media consumption. Initially, start-ups in this area often did not see themselves as media companies – until it was made clear to them that copyright and media law also apply online.
Napster is an instructive historical example: at the turn of the millennium, the peer-to-peer platform enabled the mass exchange of music files and grew explosively. However, the model was based entirely on copyright infringements. The music industry sued – courts in the USA banned Napster in 2001, whereupon the start-up went bankrupt. The message was unmistakable: a content business model based on systematic infringement is not sustainable.
The MegaUpload platform, which enabled users to store and share large files online, experienced a similar fate somewhat later. In practice, it was used millions of times for the illegal distribution of films and software. In 2012, MegaUpload was broken up in an international operation; the operators faced criminal charges. This extreme case shows that authorities cooperate globally to take down even seemingly untouchable online services as soon as large-scale infringements occur.
From the ruins of such offerings, legal models such as iTunes, Spotify or Netflix eventually emerged, which remunerate the rights holders and can therefore survive in the long term. A modern start-up in the field of video streaming (e.g. user-generated content or new platforms) has to clarify the licensing issues. YouTube, which initially also hosted many unlicensed clips, only managed to avoid billions in liability with difficulty and expensive license agreements. Today, Art. 17 of the EU Copyright Directive obliges upload platforms to remove copyrighted content or prevent its distribution if no license is available. Ignorance is no defense here: the rights industry (music, film, publishing) is well-tested in lawsuits and will immediately take aim at a new “Napster”.
In addition to copyright law, media regulatory law also applies in the streaming sector. In Germany, a rough distinction is made between telemedia (on-demand offerings, e.g. Netflix, YouTube) and broadcasting (linear programs). Anyone who operates a linear streaming service (e.g. 24/7 web radio or live TV on the internet) can be classified as broadcasting and would need a license under the Interstate Media Treaty – unless they remain below certain thresholds (low influence on opinion-forming or under 20,000 simultaneous users). Some gaming live stream channels had to learn this painfully: in 2017, the state media authority decided that a popular YouTube gaming stream should be classified as broadcasting, whereupon the operators (PietSmiet) had to apply for a license or cease 24-hour operations. Since the new Interstate Media Treaty (2020), the rules have been modernized somewhat, but streaming start-ups should be aware of this: Media law obligations apply above a certain size (licensing, protection of minors, advertising regulation).
On the subject of advertising and content: Streaming services, especially if they are aimed at consumers, are also subject to unfair competition law (UWG) and special regulations, e.g. on the prohibition of surreptitious advertising and the labeling of advertising (such as influencer marketing). If a new streaming portal attempts aggressive monetization through advertising, it must not show any unmarked product placements, for example – otherwise there is a risk of warnings.
Media law structural requirements should not be forgotten: At EU level, the Audiovisual Media Services Directive (AVMSD) now also obliges streaming providers to meet certain quotas and obligations. For example, large video-on-demand services must have at least 30% European content in their catalog and also display it visibly. In addition, some countries (including Germany) require streaming providers to pay levies to promote films in order to support local content. While a young start-up with a small portfolio is practically unaffected by this, such requirements become relevant as the reach grows and may require investments in content that were not originally planned. Anyone who is flash-scaling in the entertainment sector should therefore develop a content diversity strategy at an early stage in order to comply with regulatory requirements.
Live streaming platforms such as Twitch and YouTube Gaming were also increasingly forced to take the protection of intellectual property seriously. For a long time, streamers were able to play any music they wanted in the background – until the rights industry filed massive copyright complaints. In recent years, millions of clips with protected music have therefore been deleted and tools implemented to prevent future infringements. This change only happened under considerable pressure and shows that initial successes based on the acquiescence or ignorance of rights holders are not a solid foundation. A new streaming startup should learn from this and pursue clear licensing strategies early on (whether by using freely licensed content or concluding license agreements) to avoid being surprised by retroactive claims.
Gaming platforms and scaling apps: protection of minors and consumer law
The gaming industry comprises video game platforms (app stores, online marketplaces such as Steam, Epic Store) on the one hand and the games themselves, often as apps with free-to-play or microtransaction models, on the other. Lightning scaling is often virally driven here – a game conquers millions of users in a short space of time. But there are also legal aspects lurking here.
The protection of minors is essential in gaming. Germany has a strict youth protection system for games – the Entertainment Software Self-Regulation Body (USK) issues age ratings in accordance with the German Youth Protection Act (JuSchG). Online platforms that sell games must ensure that no indexed or “18+” games reach minors without age verification. Steam, for example, came under fire because until recently, German users were able to use workarounds to download uncut versions of games that were indexed in this country. A startup in the gaming sector must consider such mechanisms from the outset, otherwise there is a risk of indexing or regulatory orders. In the area of apps (mobile games), age classifications are often handled via the app store systems – but this does not release developers from their responsibility to identify content that is harmful to minors and restrict access.
Loot boxes (virtual boxes with random content for a fee) are a much-discussed topic – effectively gambling elements in games. Some countries have classified this as illegal gambling (Belgium banned loot boxes, the Netherlands imposed fines in certain cases). In Germany, loot boxes are not expressly prohibited, but the 2021 amendment to the Youth Protection Act now allows the USK to take such mechanisms into account when rating games. Since 2022, the USK has expanded its test criteria to include cost traps and gambling features. The modernization of the German Youth Protection Act in 2021 fits this picture. The amendment enables the USK to also take so-called “interaction risks” into account when age rating a game. This includes elements such as chats (with a risk of bullying), but also purchase incentives and loot boxes. This means that a game that is actually family-friendly can be given a higher age rating due to aggressive in-game purchases – in extreme cases USK 18 solely due to the business model component. The German authorities are thus sending a clear signal that monetary game incentives that border on gambling are considered relevant to the protection of minors. Game manufacturers such as Electronic Arts were criticized because popular titles (e.g. the FIFA series) generated high revenues with virtual “packs” whose content is random-based. Although there is (still) no legal ban on loot boxes in Germany, the reputational damage and the risk of indexing or 18+ approval have a disciplinary effect. Some manufacturers have voluntarily increased transparency (displaying the probability of winning) or made adjustments for certain countries.
In terms of contract law, the courts also made concessions to consumer protection in games. A number of end user license agreements (EULAs) and general terms and conditions have been put to the test. One exemplary dispute concerned the question of whether the resale of digital games must be permitted – the European Court of Justice ruled in 2012 (Case C-128/11, Oracle/UsedSoft) that the principle of exhaustion also applies to software purchased online. As a result, platforms such as Steam had to examine concepts for (limited) resale. In addition, the Federal Court of Justice in Germany clarified in 2014 (case no. I ZR 8/13 – “Fee for PayTV receiver”) that providers of digital content must grant consumers a functioning right of withdrawal unless an exception applies. Such decisions force the industry to offer fair contractual solutions. A startup would do well to ensure that its terms of use are legally compliant from the outset – this prevents costly warnings from consumer protection agencies. In fact, German consumer protection organizations have already filed several lawsuits against gaming apps, e.g. when children were given frivolous incentives to buy or terms and conditions clauses inadmissibly restricted user rights. In cases of doubt, the courts tend to take a consumer-friendly approach.
A related area is online gambling. For a long time, offering online casinos and sports betting without a German license was prohibited in Germany. Nevertheless, some platforms operated in a legal gray area for years, sometimes with EU licenses from Malta or Gibraltar – a classic arbitrage pattern. However, the 2021 Interstate Gambling Treaty created a licensing system, and providers without a German license are now actively blocked. For gaming start-ups that integrate elements of betting or gambling, for example, this means that they must carefully check whether they fall within the scope of gambling law. If this is the case, there is no way around an official permit. The authorities are aware of the previous loopholes and are consistently closing them.
Another rather formal, but important point: it goes without saying that digital offerings must also fulfill the general legal obligations – such as the obligation to provide a legal notice in accordance with Section 5 TMG (provider identification on the website/app) and, in the case of consumer transactions, the provision of correct revocation instructions and general terms and conditions. It may sound trivial, but flash-scaling start-ups in particular often fail to comply with these supposed formalities at the beginning. This can lead to warnings from competitors (UWG) and unnecessarily burden the company. The same applies here: compliance from day one – basic legal information obligations should be complied with from the start in order to minimize areas of attack.
Hardware start-ups and product safety: innovation with a seal of approval
Not all start-ups operate purely in digital realms – many are launching physical products onto the market at a rapid pace, from IoT devices to health gadgets and mobility offerings. This is where another area of law comes into play: product safety and liability regulations. In Europe, only products that meet basic safety requirements (Section 3 ProdSG; for example CE marking in accordance with the Product Safety Act and relevant EU directives such as the Machinery Directive or EMC Directive) may be placed on the market. A flash-scaling hardware start-up that skips or shortcuts these certifications is treading on thin ice. If unsafe products are sold, there is a risk of official sales bans, product recalls and, in the event of damage, even strict liability under the German Product Liability Act (ProdHaftG) and tortious liability under Section 823 of the German Civil Code (BGB). One example from practice is the so-called “hoverboards” (self-balancing e-scooters): in the initial phase, masses of devices were imported without tested charging electronics, leading to fires and injuries – authorities responded with import bans and safety warnings.
Especially when it comes to innovative hardware with potential health or safety risks (drones, medical wearables, autonomous vehicles), start-ups must pay strict attention to compliance with approval procedures. Medical devices, for example, are subject to the MDR (Medical Device Regulation) throughout the EU, which requires conformity tests before market entry. A young company may be tempted to “speed up” these processes, but breaking the rules in this way can not only mean legal sanctions, but also a devastating loss of reputation. Consumers only trust their lives and health to products that are demonstrably safe. The following therefore applies in particular: care before speed. Speed scaling is only successful in the hardware world if it keeps pace with quality controls and compliance.
Preventive measures and recommendations for start-ups
In view of the areas of tension described above, the question arises: How can startups grow innovatively and quickly without walking straight into a regulatory trap? Some practical recommendations can be derived:
1. Early legal advice and compliance strategy: A legal review should take place as early as the conception phase of a business model. Founders often underestimate how many areas of law are involved. An experienced startup lawyer can help to identify red lines and, if necessary, point out alternative paths. Legal compliance is not a luxury that can only be afforded at maturity, but should be part of the business plan – especially in regulated areas. This is where a legal risk assessment pays off early on: Where are there licensing requirements? What is prohibited, what is only gray? What contractual clauses are needed with users and partners in order to manage liability? Anticipating these questions creates room for maneuver.
2. See regulation as an opportunity: Instead of seeing regulation only as an obstructive burden, startups can also use it strategically. Those who conform where competitors slip up score points with customers and authorities with their seriousness. In the FinTech world, it has been recognized that a BaFin license, for example, also creates trust among customers and can be more beneficial in the long term than constant workarounds. Conscious compliance with data protection can also become a USP (unique selling point) – keyword “privacy by design”. Startups from Germany can advertise with the message that they comply with European standards, unlike some US competitors. This creates a marketing advantage and protects against later abrupt changes if the laws are enforced.
3. Dialog with regulators and associations: Many authorities today are more open to new ideas than founders think. Instead of going into confrontation, early dialog can help. In Germany, for example, there are regulatory sandboxes (sandbox programs) in the financial and energy industries where innovation can be tested under supervision. Industry associations or chambers of industry and commerce also arrange discussions with regulators. Anyone with a new AI tool, for example, can proactively approach the data protection officer to dispel any concerns – better than being banned later. The German BaFin, for example, has set up a FinTech contact form and emphasizes the principle of “same business, same risks, same rules” – the same transactions with the same risks are subject to the same rules, regardless of whether they are analogue or digital. In this way, the authority is signaling that support and advice will be provided, but not special treatment outside of the legal framework. This cooperative approach signals goodwill and can even lead to more favorable legal conditions (sometimes exceptions or transitional periods are granted if you act transparently).
4. Scaling compliance in parallel with growth: Just as server capacities and personnel must grow with the company, the compliance department should also be scaled. In the start-up phase, a single person responsible for legal/data protection may be sufficient. But when user numbers increase exponentially, processes need to be automated and teams need to be expanded (e.g. build a content moderation team before the network is worth millions). International rollouts in particular require local legal checks – a launch in the USA, for example, can harbor product liability risks, in China completely different regulations, etc. Successful scale-ups therefore invest specifically in regulatory affairs, i.e. people who keep an eye on changes in the law and ensure that the company is legally future-proof.
5. Realistically assess the limits of the model: Founders with disruptive ideas should ask themselves whether their concept is viable if the offensively exploited legal loophole is closed. Can the business model be adapted without losing the core value proposition? If not, you are sitting on a ticking bomb. It can make sense to prepare plan B: Uber, for example, had switched to licensed UberX after UberPop was banned in Germany – if you have prepared this adaptation, you can quickly change tack and continue to operate in the event of headwinds. Without an alternative concept, on the other hand, a court decision often means the end. The business and legal teams should therefore work through scenarios together.
6. Promote an ethical corporate culture: As the moral consideration showed, the internal attitude should not be underestimated. If founders clearly communicate that they will not walk over dead bodies (or laws) at any price, employees are encouraged to point out grievances (keyword: internal whistleblowing). This creates a culture of responsibility in which mistakes are corrected rather than covered up. This ultimately protects against scandals. A prominent negative example was Uber under its founder Travis Kalanick: a hyper-growth culture without ethical guardrails that led to numerous scandals (harassment cases, breach of law, public relations disaster) and ultimately to Kalanick’s dismissal. A rethink towards more compliance and stakeholder dialogue was necessary to stabilize Uber in the long term. Start-ups can learn from this that sustainability – also in the sense of legal and social sustainability – is a success factor.
7. Use external advice and monitoring: No startup can keep an eye on all legal developments worldwide while focusing on its core business. It is therefore advisable to involve external experts, be it specialized law firms that carry out an annual legal audit, for example, or tech tools that support compliance (e.g. data protection management software). Investors are also increasingly relying on such audits prior to investments (due diligence). Those who are prepared here will pass audits with confidence and convince investors. In case of doubt, strong legal advice can also intervene with the authorities if a dispute does arise – but at least then you are arguing on a solid basis.
8. Communicate risks openly: Finally, founders should also be transparent with their funders and partners about regulatory risks. Instead of concealing problem areas, open communication about existing uncertainties (and the plan to deal with them) can create trust. Many investors appreciate it when a founding team proactively addresses legal challenges – it shows professionalism and foresight. This allows unrealistic expectations to be managed and all stakeholders to pull together to steer the business model in the right direction.
Conclusion
Innovation and law are by no means irreconcilably opposed – but they must be balanced. Rapidly scaling and aggressive business models have undoubtedly turned the economic wheel of progress and revolutionized existing services. At the same time, the spectacular examples of Uber, Airbnb and Facebook have shown that deliberately breaking or circumventing laws is not a sustainable foundation for a company. Legislators are now reacting faster and in a more targeted manner to new developments: With laws such as the Digital Services Act, the AI Act and MiCA, the EU is creating a framework in which certain Wild West practices are no longer tolerated.
For start-ups in Germany, this means that forward-looking action is required. The complexity of the matter discussed here makes it clear that sound legal advice for startups is not a dispensable luxury, but an essential investment in the company’s success. An experienced startup lawyer can help find creative solutions within the legal framework so that young companies can realize their vision without falling into legal traps. This makes the balancing act between innovation and compliance feasible. In fact, a number of formerly radical disruptors have adjusted their course over time: Uber now works with licensed drivers in many countries and complies with local laws, Airbnb cooperates with cities to comply with housing regulations, and even Facebook is now calling for clear rules on topics such as digital content or cryptocurrency. This development makes it clear: in the end, the legal framework will prevail – smart entrepreneurs recognize this and make a virtue out of necessity by setting the course for compliance early on.
Ultimately, starting up in a strictly regulated environment can even be a locational advantage: start-ups that meet the high requirements of the German/European market have a quality feature that can open doors for them internationally. Strict regulations train the eye for risks and force companies to develop robust business models. If this process is embraced, innovative companies will emerge – agile and creative, but with a stable legal foundation. This mixture should prove to be a sustainable recipe for success. Those who take the aspects outlined here into account can set up their company in a legally secure manner without losing their innovative spirit. The trick is to find creative solutions that do justice to both the market and the law. In this sense, start-ups are well advised to act as ‘legal entrepreneurs’ – in other words, to help shape the legal framework as part of the business model from the outset.
Courage and determination are the hallmarks of every startup – when combined with legal awareness and a sense of responsibility, they become the recipe for sustainable success in the digital age.