An ECM system is an integrated software and methodology framework that governs the lifecycle of all unstructured content in an organisation. The AIIM definition — the dominant industry standard, consolidated in German by Kampffmeyer (PROJECT CONSULT) — names five core components: Capture, Manage, Store, Preserve and Deliver.
In practice we have drawn the boundary between ECM and a pure DMS (document management system) where compliance pressure begins: a DMS manages documents, an ECM manages legally revisable business objects with their workflows. Gartner rebranded the market in 2017 as "Content Services Platforms (CSP)". In the DACH Mittelstand, "ECM system" remains the term buyers actually search and procure under, though the underlying architecture is shifting towards API-first CSP services.
From our experience three characteristics are non-negotiable for a practicable ECM: first, a GoBD-compliant, immutable storage layer as required by the BMF GoBD letter of 14 July 2025. Second, workflow engines that mirror ERP document chains without media breaks. Third, a permission matrix that simultaneously satisfies GDPR and the German NIS-2 Implementation Act (NIS2UmsuCG).
Why ECM matters for the Mittelstand in 2026
Three regulatory waves arrive simultaneously in 2026: NIS-2 (in force since 6 December 2025), the GoBD update of 14 July 2025, and eIDAS 2.0 with the EUDI wallet obligation by end-2026. At the same time only around 11 percent of Mittelstand companies operate enterprise-wide ECM according to Bitkom.
Three regulatory waves hit the Mittelstand simultaneously in 2026. First, the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) entered into force on 6 December 2025. Roughly 29,500 companies across 18 sectors must register with Germany's BSI by 6 March 2026 — no transition period. For ECM this means retention and logging processes become audited controls.
Second, Germany's Ministry of Finance amended the GoBD a second time with the BMF letter of 14 July 2025. The structured XML file of an e-invoice is now the official archived original; the human-readable PDF is no longer sufficient. Companies that have been receiving e-invoices since 1 January 2025 (mandatory for domestic B2B) and only store the PDF are archiving the wrong format.
Third, eIDAS 2.0 (Regulation (EU) 2024/1183) entered into force on 20 May 2024. By 31 December 2026 every EU member state must issue an EUDI wallet and accept it across all public bodies. The concrete implication for ECM: qualified electronic seals and signatures become the standard verification path for contracts — a vendor that does not support the wallet protocol will drop out of 2026 procurement shortlists.
The adoption gap is dramatic at the same time. The Bitkom Digital Office Index shows only around 11 percent of Mittelstand companies operate enterprise-wide digital document management, against 81 percent of large enterprises. In our projects across 2024 and 2025 we have observed that this gap is turning into a 2026 regulatory cliff — companies that have not started will face BSI audits with no clean evidence trail.
Practical example: ECM-ERP integration at a Mittelstand kitchen manufacturer
At a kitchen manufacturer with roughly 320 employees we documented in 2024 that ECM product selection completed in eight weeks while clean document linkage between ECM and ERP took another five months. Seven data fields were the recurring fracture point.
We have observed across our projects with Mittelstand companies in the DACH region — more than 400 projects across over 30 years — that as soon as ECM rollouts touching 250 employees or more enter scope, the real risk shifts from the ECM module to the ECM-ERP integration layer.
In the kitchen-manufacturer case, seven data fields routinely fracture: document number, posting period, tax key, cost centre, creditor/debtor, delivery-note reference and contract classification. From our experience, the failure point is not capture — OCR and AI-assisted ingestion now work reliably — but bidirectional field reconciliation. ERP often lacks version logic, ECM often lacks accounting logic.
The result: average inbound-invoice processing time dropped from 11.5 to 3.2 minutes, the cash-discount realisation rate rose from 62 to 91 percent, and audit preparation for the annual statement shrank from four weeks to one and a half. The integration-layer investment was roughly double the ECM licence cost. At a Dreher selection project the rule has held for years: if the integration budget is smaller than the licence budget, the project has not been understood. From our experience a dedicated "ECM-ERP integration owner" role for the first twelve months after go-live is the most reliable lever against creeping field divergence between the two systems.
What most ECM consultancies won't tell you
Three points appear almost nowhere in top-10 search results for "enterprise content management": the concrete NIS-2 impact since 6 December 2025, the GoBD update of 14 July 2025 with its XML-archive obligation, and eIDAS-2.0 wallet readiness as a 2026 selection criterion.
1. NIS-2 turns ECM into a compliance mandate, not an IT choice
The most-read ECM wiki articles in the DACH market are silent on the concrete impact of the NIS2UmsuCG in force since 6 December 2025. That is striking: NIS-2 explicitly requires traceable retention of security-relevant logs, gap-free access trails and documented deletion and locking processes. In a 300-employee company this cannot be demonstrated without an ECM. We have observed in our projects in 2025 and 2026 that NIS-2 has moved ECM budgets out of the IT debate and into the management-board decision.
2. The 14 July 2025 GoBD update devalues existing archives
Most wiki sources still quote the 2019 GoBD version. In reality, since the second amendment in the BMF letter of 14 July 2025, the structured XML of an e-invoice is the archived original. Existing ECM archives that only retain the PDF lose their evidentiary weight. From our experience fewer than 20 percent of Mittelstand ECM installations had addressed this point by the end of 2025.
3. eIDAS 2.0 readiness is a hard selection criterion in 2026
No top-10 DACH wiki result names eIDAS-2.0 wallet acceptance as an ECM selection criterion. With Regulation (EU) 2024/1183 and the EUDI wallet obligation by end-2026, this becomes a procurement hygiene factor. In practice we have seen vendors without a documented wallet roadmap dropped from selection processes.
Our take
ECM in 2026 is not a software purchase for the Mittelstand; it is a combined compliance and integration decision. Companies that fail to encode the NIS-2, GoBD and eIDAS-2.0 axis into their requirements document end up selecting the wrong product.
How we approach ECM selection methodically
We do not start at the vendor; we start at the document flow. Business objects, compliance constraints and retention periods are mapped first. Only then do the requirements document and shortlist emerge — methodically documented with our SCOReX® evaluation framework for vendor selection.
ECM selection in the Mittelstand does not start with the vendor; it starts with the document flow. We first map every inbound and outbound document type, the matching ERP business objects, the compliance constraints (GoBD, GDPR, NIS-2, sector-specific) and the retention periods. Only then do the requirements document and vendor shortlist take shape.
In over 400 projects we have learned that a feature comparison between ECM vendors yields very little real insight on its own. The decisive ten criteria sit beyond the feature list: document-volume scalability, multi-tenant capability, ERP connectors, migration path from legacy stores, eIDAS-2.0 wallet readiness, NIS-2 logging capability, cloud sovereignty (BSI C5:2025), seven-year total cost of ownership, exit strategy and vendor roadmap.
We weight ECM selection methodically against business goals, not against vendor brochures. The outcome: project duration up to 35 percent shorter, post-rollout process efficiency up to 40 percent higher. At a Dreher selection project the vendors are the second decision — clarifying business goals and integration requirements is the first.
Common mistakes in ECM rollouts
Five failure patterns from our project practice: treating ECM as a pure IT project, planning migration too late, continuing to archive the PDF only, deploying AI capture without four-eyes control, and cloud sourcing without a sovereignty review.
Mistake 1 — treating ECM as an IT project. Starting ECM without process owners from finance, sales, HR and legal produces an archive nobody fills. ECM is an organisational project with an IT share — not the other way round.
Mistake 2 — planning legacy migration too late. Migrating historical content from file servers, mail archives and predecessor systems is 30 to 50 percent of the effort. We recommend specifying migration in parallel with vendor selection — not after contract signature.
Mistake 3 — archiving the PDF only. Since the GoBD update of 14 July 2025 the e-invoice XML is the original. Staying on the PDF means archiving the wrong file.
Mistake 4 — AI capture without four-eyes control. The Bitkom AI study 2026 and the EU AI Act implementation timeline require documented human oversight for high-risk applications.
Mistake 5 — cloud sourcing without sovereignty review. An ECM hosted in a US public cloud without a BSI C5:2025 attestation or equivalent will not survive a serious NIS-2 audit question. In practice we have corrected the sourcing decision mid-project more than once.
Frequently asked questions
What is the difference between ECM and DMS?
A DMS (document management system) manages documents; an ECM system additionally orchestrates workflows, records management, archiving and collaboration across the full content lifecycle. Put concretely: if storage alone matters, a DMS is enough. As soon as retention periods, approval flows and ERP integration come into play, you need an ECM. In the DACH Mittelstand the boundary is blurred in marketing — in our requirements documents we draw it sharply by compliance and process needs.
Do we need ECM if our ERP system already stores documents?
Most ERP systems handle document storage functionally, but GoBD depth, full-text search, archival lifespan and audit trails are typically insufficient. We have observed in our projects that at the latest by 100,000 inbound documents per year, or under a NIS-2 mandate, a dedicated ECM becomes the more economical option — the ERP-internal store then hits performance and compliance ceilings, particularly with retention periods exceeding ten years.
Cloud ECM or on-premise — which suits the Mittelstand in 2026?
Both remain valid in 2026; the choice depends on the sourcing logic: BSI C5:2025 attestation, NIS-2 auditability, data location and exit strategy. From our experience around two-thirds of DACH Mittelstand companies choose hybrid models in 2026 — critical document classes on-premise or in a sovereign cloud, collaborative content in a public cloud with data-residency guarantees. The architecture follows the compliance profile, not the trend.
Next steps
If you are planning an ECM rollout or a vendor replacement in 2026, the first step is not the vendor enquiry — it is a documented document and process analysis, reconciled with your compliance obligations under NIS-2, the GoBD update of 14 July 2025 and eIDAS 2.0. More on our methodology on independent ERP consulting and in our overview of digitalisation services.
30 minutes with Dr Dreher
A structured assessment of your ECM and compliance landscape, three prioritised fields of action and a clear recommendation on whether a pre-project makes sense — vendor-independent.
