Thought Leadership
Companies are currently facing a wave of new regulations in the area of IT security. These developments are a reaction to the increasing threats posed by cyber attacks and the growing importance of securing networks and infrastructures.
Numerous regulations, directives and legislative initiatives have been introduced at EU level to strengthen the resilience of companies and (critical) institutions to digital threats. However, given the complexity and diversity of these regulations, it is difficult to keep track of them all. In this article, we shed light on the most important regulations and offer guidance through the dense body of rules.
1. NIS2
NIS2, the successor directive to NIS1, aims to create a uniform level of cyber security in the EU and to better protect critical infrastructures (CRITIS) from hacker attacks. For the first time, it clearly defines which sectors and companies belong to KRITIS and divides them into “essential” (e.g. energy suppliers, healthcare facilities) and “important” facilities (e.g. postal services, waste management).
NIS2 applies to all critical facilities in the EU with at least 50 employees or an annual turnover of EUR 10 million or more and requires comprehensive cyber security measures. The directive has been in force since January 16, 2023 and must be transposed into national law by October 17, 2024 and must be transposed into national law. In Germany, the Federal Cabinet has already initiated the implementation of NIS2, but the digital association Bitkom expects delays.
2. CER Directive
The Critical Entities Resilience (CER) Directive aims to strengthen the resilience of critical infrastructure in the EU against physical and digital threats. Unlike NIS2, it also includes protection against natural disasters, acts of terrorism and sabotage as well as human error. The directive has been in force since January 16, 2023 and is being transposed into national law in Germany by the KRITIS Umbrella Act.
3. KRITIS Umbrella Act
The KRITIS Umbrella Act implements the EU’s CER Directive in Germany. It comes into force on January 1, 2026 and not only defines once again which facilities are considered “critical infrastructures”, but also strengthens their security against threats. The law affects facilities in certain sectors that serve more than 500,000 inhabitants. KRITIS operators must carry out risk analyses, draw up resilience plans and use modern technologies (such as virtual data rooms) to protect data from damage, loss or unauthorized access.
4. DORA
The Digital Operations Resilience Act (DORA) is an EU regulation that aims to make the financial sector more resilient to cyber threats by harmonizing existing regulations and creating a uniform framework for cybersecurity. Payment and credit institutions, investment firms, insurance companies and ICT service providers are affected. Companies covered by DORA must take measures to ensure the continuity of their business operations even in the event of a cyberattack.
This includes setting up stable IT systems, implementing emergency plans and carrying out penetration tests. The regulation has been in force since January 16, 2023 and will be fully applicable from January 17, 2025 fully applicable. In Germany, the Financial Market Digitization Act supports the implementation of DORA.
5. Cyber Resilience Act
The Cyber Resilience Act (CRA) creates a consistent legal framework within the EU to protect users of products with digital elements against cyber attacks. Hardware and software products with data processing or control functions, such as smartwatches or IoT devices, are affected.
Manufacturers, importers and distributors must ensure cyber security throughout the entire product life cycle, carry out regular security updates and manage vulnerabilities. Security incidents must be reported to the European Cybersecurity Agency (ENISA) and users.
The CRA came into force on March 12, 2024; manufacturers have 36 months to meet the requirements. From 2027, products without appropriate safety aspects may no longer be offered in the EU. Violations can lead to fines of up to 15 million euros or 2.5 percent of global annual turnover; in serious cases, the product in question may also be withdrawn from the market.
6. Data Governance Act
The EU Data Governance Act (DGA) is intended to facilitate data sharing within the EU in order to promote altruistic projects such as climate protection, healthcare and transport concepts. The aim of the DGA is to strengthen trust in the voluntary exchange of data and provide a secure framework for sharing information.
The Data Governance Act affects public bodies and companies that wish to use public sector data. They must meet certain data protection and data security requirements, protect the rights of third parties and establish transparent processes for secure and fair information trading. The DGA also regulates the activities of data brokerage services that facilitate the exchange between data owners and users.
7. EU Data Act
The EU Data Act came into force on January 11, 2024 and will apply across the September 12, 2025 throughout the EU. Its aim is to achieve a fairer distribution of the data generated by connected devices by giving manufacturers, users and third parties access to this information.
The Data Act affects all companies in the EU that collect and use data from connected devices. It requires transparency and control over this data and obliges data owners to make it accessible to the end user, a third party designated by the end user or public authorities.
Violations of the Data Act can result in fines of up to 20 million euros or 4 percent of annual global turnover. Micro-enterprises with fewer than 50 employees and an annual turnover of less than 10 million euros are exempt.
Conclusion: forward-looking action is required.
Companies should keep a close eye on the new and updated security regulations and take early action to minimize risks and avoid penalties. Innovative technologies such as confidential computing and virtual data rooms help to meet compliance requirements and ensure a high level of data security.
