Important IT Regulations in Germany and the EU: An Overview

Digitalization, the global networking of people and things (IoT) and the disruptive development of artificial intelligence (AI) increasingly shape our working world and everyday lives. Cloud computing, digital communication, social media, digital working and shopping have become a natural part of daily life. Alongside great benefits and many advantages, new risks and dependencies have emerged, as well as serious threats to critical infrastructures. This in turn leads to new laws and regulations whose purpose is to regulate and control digital developments across national borders.

This article is intended to provide an initial overview of currently important IT regulations in the EU and Germany and to show for whom they are relevant.

1. Regulations on IT/Cyber-Security

1.1 NIS2 and NIS2UmsuCG

Increasing digitalization also means greater dependence on the resilience and availability of digital systems. Hacker attacks, data theft, the Covid pandemic and, last but not least, the Russian war of aggression against Ukraine have shown that member states, companies and institutions are still inadequately prepared for the most important threats and risks in the area of IT security. NIS2 is intended to remedy this. NIS2 (Directive (EU) 2022/2555) is the revised EU directive on network and information security; member states had to transpose it by October 18, 2024, the date from which its provisions apply. It repeals the NIS Directive of 2016 and takes into account more recent developments in IT risks and technical dependencies, particularly in the area of so-called critical infrastructures (KRITIS). The directive obliges EU member states to adopt and implement a national cybersecurity strategy and to transpose its requirements into national law. In Germany this is the NIS2 Implementation Act (NIS2UmsuCG), which is expected to affect around 29,500 German companies; it was originally due to enter into force in 2024, but its adoption slipped past that date. It standardizes minimum requirements for IT security (risk management measures such as incident handling, business continuity, supply chain security, secure development and procurement, cryptography and multi-factor authentication) and adapted reporting obligations for security-relevant incidents: an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of a significant incident, followed by a final report. A distinction is made between "besonders wichtige Einrichtungen" (particularly important entities, corresponding to the directive's essential entities) and "wichtige Einrichtungen" (important entities), each with its own requirements and supervisory regime.

1.2 RCE/CER and KRITIS-DachG

In addition to the aforementioned NIS2 Directive, which covers a considerably larger range of sectors, the CER Directive (Directive (EU) 2022/2557 on the resilience of critical entities; in German the RCE-Richtlinie, Richtlinie über die Resilienz kritischer Einrichtungen) focuses on the protection of critical infrastructure. RCE and CER are thus two names for the same directive. Whereas NIS2 addresses cyber risks, CER takes an all-hazards approach and is concerned above all with physical and organizational resilience against natural disasters, terrorist attacks, sabotage and similar threats. All infrastructures necessary for the maintenance and functioning of public and social life are classified as critical; the directive's annex lists the energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space and food sectors.

In Germany, the CER Directive is to be transposed into national law by the KRITIS umbrella law (KRITIS-Dachgesetz). As the name suggests, this law is intended to be an overarching and comprehensive set of rules for implementing the EU requirements on the protection of critical infrastructure that is important or indispensable for the community. It raises the security requirements for operators and introduces comprehensive reporting obligations and a reporting register for security-relevant incidents. The prerequisite for this is that the affected institutions introduce qualified risk management, i.e. regular risk assessments and resilience measures derived from them, so that threats can be identified quickly and countered reliably.

1.3 Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) was adopted by the European Parliament on March 12, 2024 and by the Council on October 10, 2024; it was published as Regulation (EU) 2024/2847 and entered into force on December 10, 2024. Most of its obligations apply from December 11, 2027, while the reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11, 2026. The purpose of the regulation is to harmonize cybersecurity requirements for products with digital elements, i.e. hardware and software placed on the EU market, so that their security level meets high EU standards. Manufacturers must design and develop such products securely, place them on the market without known exploitable vulnerabilities, handle vulnerabilities and provide security updates throughout the support period, and document the product's components in a software bill of materials; conformity is shown by the CE marking. The CRA supplements the GDPR (applicable since May 25, 2018) and the NIS2 Directive (in force since January 2023). It therefore affects a large number of manufacturers, importers and distributors across the EU. Experts assume that the provisions of the CRA may have far-reaching effects on legal issues relating to claims for defects and product liability.

1.4 Additional Regulations in the Financial Sector

a) For the financial sector (banks, insurance companies, investment firms, payment institutions, crypto-asset service providers and others, as well as their supervisory authorities and ICT service providers), the EU regulation DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), in force since January 2023 and applicable since January 17, 2025, contains extensive rules on ICT security and ICT risk management. Its five pillars are ICT risk management, reporting of major ICT-related incidents, digital operational resilience testing (including threat-led penetration testing for larger entities), management of ICT third-party risk, and arrangements for information sharing. It affects almost all companies and institutions operating in the financial sector, with exceptions for certain intermediaries and smaller entities. DORA is intended to make a significant contribution to comprehensively arming the companies and authorities concerned against cyber risks in information and communication technology (ICT).

b) Special features of the crypto-asset market are governed by the EU Regulation on Markets in Crypto-Assets (MiCA, Regulation (EU) 2023/1114), which entered into force on June 29, 2023 and applies in two stages: the rules for asset-referenced tokens and e-money tokens (stablecoins) since June 30, 2024, and the remaining provisions, including the licensing of crypto-asset service providers, since December 30, 2024. The regulation governs the rapidly growing market for crypto-assets used as digital currencies and means of payment across Europe. The best-known crypto-asset is Bitcoin. Non-fungible tokens (NFTs), used for example to trade digital works of art, are largely outside MiCA's scope, because the regulation excludes crypto-assets that are unique and not fungible with other crypto-assets. On the one hand, MiCA is intended to make Europe-wide trading in crypto-assets less complicated and, on the other, to protect investors and consumers from abuse.

1.5 CSA Certifications

The abbreviation CSA is used for several different schemes, and it is worth keeping them apart. CSA certificates in the original sense confirm compliance with technical and industry standards developed by the Canadian Standards Association (now the CSA Group); in Europe, the CSA Group is represented by Frankfurt-based CSA Europe GmbH. These certifications are available for a wide range of product safety and performance applications and confirm compliance with the CSA criteria, thus creating a basis for trusting cooperation. The CSA certification used for commercial e-mail in the field of e-mail marketing is a different scheme: the Certified Senders Alliance, operated by eco (Association of the Internet Industry) and the German Dialogue Marketing Association (DDV), certifies senders that meet legal and technical requirements (such as documented consent and sender authentication) and maintains a whitelist used by mailbox providers. This increases trust for senders and recipients of automated e-mail such as newsletters, order confirmations and purchase transactions. Finally, in the context of EU cybersecurity regulation, CSA also stands for the Cybersecurity Act (Regulation (EU) 2019/881), which gave ENISA a permanent mandate and created the European cybersecurity certification framework for ICT products, services and processes; the first scheme under it is the EUCC for products evaluated according to the Common Criteria. Certificates under any of these schemes are a standardized way for companies to demonstrate compliance with high security standards and are helpful in implementing a sensible cybersecurity strategy.

2. Regulation and Protection of the EU Internal Market

The key aspects of EU economic policy include protecting the EU's internal market and maintaining the competitiveness of EU member states. The protection of the data of natural persons as stakeholders and consumers also plays a significant role. The concentration of enormous economic power, with the risk of market abuse, in globally active digital platforms such as (not exhaustive, in alphabetical order) Alibaba, Amazon, Apple, Bing, Facebook, Google, Instagram, LinkedIn, Temu, Wikipedia and YouTube, and in the companies behind them, has given rise to the concept of platform capitalism.

2.1 EU-Regulations

Central EU regulations intervene here to regulate and protect the internal market. At the same time, not only market-dominant companies but also other companies with significant digital operations are to be held responsible towards their users and consumers. This applies not only to their own business conduct but also to their role as intermediaries of digital services in relation to illegal content posted by their users.

2.2 Digital Services Act (DSA) and Digital Markets Act (DMA)

The EU regulations known as the Digital Services Act (DSA, Regulation (EU) 2022/2065) and the Digital Markets Act (DMA, Regulation (EU) 2022/1925) were adopted for this purpose.

a) The DSA introduces uniform EU-wide rules for providers of intermediary services, no longer limited to market-dominant players, on liability for illegal content, notice-and-action procedures and safety obligations to protect users. Very large online platforms and search engines (more than 45 million monthly users in the EU) have been subject to it since August 2023, all other providers since February 17, 2024. Concerns have been raised from the perspective of freedom of expression and civil rights, as critics argue that it cannot be the task of the companies concerned to discipline their users or delete their content.

b) As part of the same package of laws on digital services, the DMA addresses the restriction of access to an essentially free market by large, dominant companies acting as so-called "gatekeepers" in relation to smaller or economically weaker market participants. The catalog of obligations and the sanction provisions of the DMA (fines of up to 10 percent of worldwide annual turnover, 20 percent for repeat infringements) oblige designated gatekeepers, for example, to establish interoperability and to refrain from favoring their own services. This should allow users to switch between providers without undue restrictions and enable competitors to keep their digital services and products marketable.

c) Both regulations apply directly in all member states and do not need to be transposed. In Germany, the DSA is accompanied by the Digital Services Act (Digitale-Dienste-Gesetz, DDG), in force since May 2024, which designates the Federal Network Agency (Bundesnetzagentur) as Digital Services Coordinator. The DMA is enforced centrally by the European Commission.

3. Protection vs. availability of Data – DGA (Data Governance Act) and DA (Data Act)

The EU General Data Protection Regulation (GDPR) has created a set of rules for the protection of EU citizens’ personal data that already applies throughout the EU.

This is linked to the realization of the potential of data as an economic factor and commodity, as well as for the benefit of society as a whole or the individual. Not only commercial enterprises, but also the public sector, which holds a considerable volume of personal and company-related data, have an interest in exchanging data. The provisions of the DGA (Data Governance Act, applicable from 24.09.2023) and the DA (Data Act, applicable from 12.09.2025) are intended to regulate this.

For example, the rapid exchange of health data between service providers (doctors and health insurance companies) and science or medical research can help to effectively cure diseases, develop new treatment options or new drugs.

Businesses can develop new and innovative products based on the data they have from customers and users. It is precisely here and in the case of sensitive health data that the potential for conflict between the possibilities of data availability and the necessary restrictions to protect the data becomes apparent. Data protection and competition law continue to take precedence over the exchange and availability of data. The consent and voluntary nature of those whose data is to be used remain very important aspects. In practice, this can lead to considerable demarcation problems, ranging from genuine data altruism to de facto coercion due to the need to use certain products. At the same time, this is also a key aspect in counteracting the efforts of market-dominating companies to accumulate the largest possible amounts of data (big data).

4. AI (Artificial Intelligence)

The creation of so-called artificial intelligence (AI) is a topic that developed for a long time largely out of public view and was followed mainly by experts. Cloud computing, global network structures and ever greater computing power have made it possible to develop algorithms that make the programming of artificial intelligence and corresponding language models tangible. At the latest with the public release of ChatGPT by OpenAI at the end of 2022, based on the GPT-3.5 model, and of GPT-4 in March 2023, both of which attracted a great deal of media attention, the topic has also come into the focus of a broader public.

Since then, the topic of AI has been the subject of lively and controversial debate. It is not so much the enormous personal and economic potential for individuals and markets, but above all the risks associated with the use and possible misuse of this new technology that are the main focus of the EU legislator's deliberations. The current concerns and regulatory principles are now reflected in the EU regulation on artificial intelligence (AI Act, Regulation (EU) 2024/1689), which came into force on August 1, 2024 after several years of preparatory work and applies in stages: the prohibitions of unacceptable practices and the AI literacy obligations since February 2, 2025, the rules for general-purpose AI models since August 2, 2025, most remaining provisions from August 2, 2026, and the rules for high-risk AI systems embedded in regulated products from August 2, 2027.

It is the first comprehensive set of legal rules dealing with the risks and dangers of artificial intelligence for the protection of citizens. AI systems are assigned to risk tiers: unacceptable risk (prohibited practices, e.g. social scoring on the Chinese model or manipulative techniques that exploit vulnerable groups), high risk (e.g. systems used in critical infrastructure, employment, credit scoring or law enforcement, which must meet requirements on risk management, data governance, logging, human oversight and conformity assessment), limited risk (transparency duties, e.g. informing users that they are interacting with a chatbot or that content is AI-generated) and minimal risk (e.g. spam filters or AI in video games, which remain unregulated). General-purpose AI models carry their own documentation and copyright-related obligations. This places high compliance requirements on the providers and deployers involved in the development and use of AI. Enforcement rests with the European AI Board and the Commission's AI Office together with national market surveillance authorities; fines reach up to EUR 35 million or 7 percent of worldwide annual turnover for prohibited practices.

5. Conclusion and outlook

European and, subsequently, national legislators are anything but inactive in monitoring and regulating many areas of the digital economy and digital life. Almost every company, from global players to SMEs, is affected in one way or another by the regulations in the EU and Germany outlined here. It is not only sensible but also essential to follow these developments and take them into account in corporate IT risk management. This article is intended as an initial overview. The basics have been carefully researched; however, no liability is accepted for any misjudgements. Please bear in mind that all IT regulations are in flux and that this article does not constitute or replace legal advice in individual cases. Naturally, only an overview can be provided here, and due to the complexity of the topic, many things can only be touched on or outlined. Stay on the ball and keep yourself informed.
