There is a myriad of regulations, guidelines, and legislative initiatives at the EU and international levels aiming to boost resilience against cyber threats. Navigating this regulatory jungle, however, can be challenging.
The EU plans to bolster its infrastructures against various dangers through numerous regulations. This article aims to help you find your way through this legislative maze.
2024: A Year of Increased IT Security Regulations for Businesses
Driven by a growing number of threats such as cyberattacks and the need to secure digital infrastructures, 2024 sees an intensification of IT security regulations for companies. Below, we shed light on each regulation and clarify the regulatory landscape.
1. NIS 2
NIS 2 is the successor to the EU Directive NIS 1 and aims to establish a unified level of cybersecurity across member states, protecting critical infrastructures (CRITIS) from cyberattacks. Unlike NIS 1, NIS 2 clearly defines which sectors and companies are considered CRITIS, categorizing them into “essential” and “important” entities. Essential entities include energy suppliers, healthcare facilities, and digital infrastructures, while important entities encompass postal services, waste management, and chemical manufacturers.
NIS 2 applies to all critical facilities in the EU with at least 50 employees or an annual turnover of 10 million EUR. These entities must ensure their operations are maintained during cyberattacks and quickly address threats through risk analyses, crisis management plans, and IT security measures. NIS 2 has been in effect since January 16, 2023, and must be transposed into national law by October 17, 2024. In Germany, the Federal Cabinet has already initiated the NIS 2 implementation; however, the digital association Bitkom expects delays and highlights urgently needed adjustments.
2. CER Directive
The CER Directive (Critical Entities Resilience) strengthens the resilience of critical infrastructures in the EU against physical and digital threats. Unlike NIS 2, it also includes protection against natural disasters, terrorism, sabotage, and human error. The directive has been in force since January 16, 2023, and is implemented in Germany through the KRITIS-Dachgesetz (Critical Infrastructure Umbrella Act).
3. KRITIS-Dachgesetz
Virtual data rooms can help companies comply with regulations like the KRITIS-Dachgesetz. The KRITIS-Dachgesetz implements the EU CER directive in Germany and takes effect on January 1, 2026. It defines nationwide which facilities are considered critical infrastructures and strengthens their security against threats. The law covers sectors such as energy, transport, finance, healthcare, water supply, IT, telecommunications, and public administration.
Affected are facilities serving more than 500,000 residents. CRITIS operators must conduct risk analyses, develop resilience plans, and use technologies like virtual data rooms to protect data from unauthorized access.
4. DORA
The Digital Operations Resilience Act (DORA) is an EU regulation aimed at increasing the robustness of the financial sector against cyber threats. Its goal is to harmonize existing regulations and create a unified framework for managing cybersecurity risks in information and communication technology. DORA applies to payment and credit institutions, securities firms, insurance companies, and ICT service providers.
Companies subject to DORA must take measures to maintain their business operations during cyberattacks, including:
- Establishing robust IT systems
- Monitoring IT risk sources
- Implementing contingency plans
- Conducting penetration tests
- Documenting and reporting ICT incidents
DORA has been in effect since January 16, 2023, and is directly applicable in all EU member states. Adjustments to country-specific laws may be necessary. In Germany, the Financial Market Digitization Act (FinmadiG) supports the implementation of DORA. The regulation will be fully applicable from January 17, 2025.
5. Cyber Resilience Act
The Cyber Resilience Act (CRA) establishes a consistent legal framework within the EU to protect users of products with digital elements from cyberattacks. It covers hardware and software products with data processing or control functions, such as smartwatches or IoT devices.
Manufacturers, importers, and distributors must ensure cybersecurity throughout the product lifecycle, conduct regular security updates, and manage vulnerabilities. Security incidents must be reported to the European Union Agency for Cybersecurity (ENISA) and users.
The CRA took effect on March 12, 2024; manufacturers have 36 months to comply. From 2027, products without adequate security measures cannot be offered in the EU. Violations can result in fines of up to 15 million euros or 2.5% of global annual turnover, with severe cases potentially leading to market withdrawal.
6. Data Governance Act
The EU Data Governance Act (DGA) aims to facilitate data sharing within the EU to support altruistic projects like climate protection, healthcare, and transportation concepts. It enhances trust in voluntary data sharing and provides a secure framework for information sharing by removing technical barriers to reuse.
The DGA applies to data intermediaries, public authorities, and companies wishing to use public sector data. These must meet data protection and security requirements, respect third-party rights, and establish transparent processes for fair and secure information trading. The Act also regulates the activities of data intermediation services, enabling exchange between data holders and users.
7. EU Data Act
The EU Data Act, effective January 11, 2024, and applicable across the EU from September 12, 2025, aims for a fairer distribution of data generated by connected devices. It seeks to grant access to collected information to both data holders (typically product manufacturers) and users, as well as third parties.
The Data Act affects all companies in the EU collecting and using data from connected devices. It requires transparency and control over the data and mandates that data holders provide this information to consumers, third parties named by them, or authorities. Non-compliance may result in fines up to 20 million euros or 4% of global annual revenue, excluding small businesses with fewer than 50 employees and annual revenues under 10 million euros.
8. US CLOUD Act
The US CLOUD Act allows US authorities worldwide access to data stored by US companies and their subsidiaries, even if such data is held in data centers outside the US, such as in the EU. This also affects companies using services from US-based providers.
The CLOUD Act conflicts with the European General Data Protection Regulation (GDPR). Companies must therefore weigh compliance with the CLOUD Act against potential GDPR violations. Technologies like Confidential Computing can help ensure the protection of sensitive data and prevent access by US authorities. Data centers in countries with strong data protection laws, such as Germany, offer additional security.
