Compliance Digital Compliance: Overview of EU IT Security Regulations

In recent years, several new EU regulations have been introduced that impose requirements on organisations' IT security. Get a comprehensive overview of GDPR, NIS2, the AI Act, CRA, Data Act and DORA.

Get an overview of EU digital compliance regulations: GDPR, NIS2, AI Act, CRA, Data Act and DORA. See the requirements and find links to the legislation.

In recent years, several new EU regulations have been introduced that share a common focus on imposing requirements on organisations' IT security.

These regulations have been implemented to enhance security across the EU and to harmonise legislation in this area across member states, ensuring a level playing field for all.

To help you navigate this landscape, we have created this article that outlines the essence of various regulatory frameworks, with links to the regulations so you can read more about them.

GDPR

GDPR is an EU regulation that governs the processing of personal data. The GDPR rules require all organisations that process personal data for purposes other than their own personal affairs to comply with the GDPR requirements.

To give you a quick insight into the rules, here are some of the most significant requirements in the GDPR:

Data protection principles
Documentation requirements
You must have a legal basis under GDPR for any processing of personal data, e.g. consent, contract, etc.
Data subject rights
Records of processing activities (Article 30)
Risk assessment of all processing of personal data
Implementation of technical and organisational measures
Data processing agreement
Data Protection Officer
Appropriate safeguards for transfers of personal data to third countries
Notification of personal data breaches

You can find the GDPR text here.

GDPR infographic with key requirements and principles

NIS2

NIS2 is an EU directive that imposes cybersecurity requirements on organisations and businesses considered critical to society. Therefore, not all organisations are covered by the NIS2 rules.

NIS2 covers organisations in sectors such as energy, transport, health, digital infrastructure and many other sectors, as well as suppliers to organisations in these sectors. You can see all sectors in NIS2 Annex I and Annex II.

The key requirements in NIS2 are:

Policies for risk analysis and information system security, ensuring management involvement in decision-making
Effective incident handling
Business continuity, including backup management, disaster recovery and crisis management
Supply chain security, including security-related aspects concerning relationships between the entity and its direct suppliers or service providers
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
Policies and procedures for assessing the effectiveness of cybersecurity risk management measures
Basic cyber hygiene practices and cybersecurity training for staff
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
Human resources security, access control policies and asset management
Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

You can read the NIS2 Directive here.

AI Act

The AI Act is an EU regulation that governs how artificial intelligence (AI systems) is developed, used and marketed. The purpose of the legislation is to ensure that AI systems are trustworthy and respect EU citizens' fundamental rights.

The rules apply to both 'providers' and 'deployers' of AI systems in the EU, regardless of whether the AI system was developed within or outside the EU.

Unlike many other regulatory frameworks, the AI Act does not have a set of minimum requirements that everyone must comply with. Instead, the AI Act takes a risk-based approach to AI systems, with requirements depending on the AI systems used, their purpose and the risk to individuals and society.

However, some requirements apply across most organisations, particularly as AI systems become more widespread and are used by more organisations:

All 'providers' and 'deployers' of AI systems must ensure AI literacy for all employees, suppliers, etc. involved in the development, operation or use of the AI system. This applies to organisations developing new AI systems as well as organisations simply using 'standard software' with integrated artificial intelligence. This could include using a CRM system with an AI chatbot or using ChatGPT to perform work tasks.
If you implement AI systems that your users interact with, there is also a requirement that it must be clear to users that they are interacting with an AI system, not a human.
Certain types of AI systems are prohibited under the regulation, typically AI systems that manipulate human behaviour or are used to score individuals and their behaviour.
A significant part of the AI Act focuses on high-risk AI systems with requirements for safety measures, documentation, quality assurance, monitoring and much more.

If you work with or are considering using AI in your organisation, it is important to start with the following:

Gain an overview of AI use in all systems and work processes
Classify the systems and work processes according to what the AI systems actually do and for what purpose
Conduct a risk assessment to determine whether their use could pose a risk to human rights

Once you have mapped the risks associated with AI systems, you have the foundation for identifying which elements of the AI Act your organisation must comply with.

You can find the complete AI Act here.

Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) is an EU regulation aimed at improving cybersecurity in all products with digital elements, i.e. products containing software, apps, such as smart devices. The CRA therefore applies to products with digital elements, which can be both hardware and software, delivered either physically or digitally to the user. Pure online services such as SaaS are not covered if the platform can only be accessed via a browser and is not installed locally on a computer.

What does the regulation require in practice?

The regulation requires cybersecurity to be considered throughout the product's lifecycle, from development to maintenance. The aim is to protect both consumers and businesses and make it easier for them to choose secure products that document their security in accordance with EU requirements.

The requirements apply to all manufacturers, importers or distributors of digital products in the EU, who are therefore responsible for ensuring products are secure. The CRA does not apply to products with digital elements in sectors dealing with medical devices, automotive production, aviation and marine equipment, as these areas are already covered by more specific EU rules.

Products must be delivered with user-friendly documentation so users can clearly understand how to secure and configure the product correctly. Furthermore, products may only be sold in the EU if they meet the requirements and bear the CE marking as proof. If serious vulnerabilities are discovered, the supplier must report them to authorities within 24 hours of discovery.

Some types of products assessed as having particular significance for cybersecurity are subject to stricter requirements, such as operating systems, firewalls and password managers.

Read about the Cyber Resilience Act here.

Data Act

The Data Act is an EU regulation aimed at ensuring fair and transparent access to user-generated data. The rules have a particular focus on data created through the use of connected products, typically known as IoT (Internet of Things). This could be a refrigerator with built-in sensors and computer, or industrial machinery and agricultural equipment, if these collect data and are connected to the internet.

The purpose of the legislation is to support data-driven innovation.

Under the Data Act, both businesses and individuals gain the right to access and share the data they create when using their products. For example, you can access a machine's operational data and choose to share data with a third party, such as an independent repairer, who can use this data to perform repairs more effectively. Therefore, businesses must also inform users about the content, methods and frequency of data collection, making it easy for users to request access to data.

The regulation also sets the framework for when businesses must share data with each other, even if they are competitors. At the same time, it protects businesses against unfair contract terms, especially in situations where one party has a strong market position.

Read more about the Data Act's many requirements here.

DORA

The EU regulation DORA (Digital Operational Resilience Act) imposes requirements on how businesses in the financial sector must handle IT security. The rules aim to ensure that financial entities can withstand, respond to and recover from IT incidents, such as cyber attacks, system failures or data breaches.

The rules cover several actors in the financial sector, including banks, insurance companies, investment firms, pension funds and selected IT providers to these entities.

Under DORA, businesses are required to:

Establish an IT security strategy that includes clear roles and responsibilities for IT security
Conduct ongoing risk assessments
Test their IT preparedness through penetration testing, among other methods
Register IT incidents and notify authorities and stakeholders, as well as have an effective contingency plan
Control the supply chain, e.g. third-party providers delivering critical IT services, and enter into contracts with them regarding cybersecurity and incident handling

DORA places significant requirements on the financial sector, and the complete EU regulation can be read here.

Compliance with multiple regulatory frameworks

Today, it is rarely sufficient to comply with GDPR alone, as many organisations are covered by multiple compliance frameworks, such as NIS2 for critical infrastructure and DORA in the financial sector.

Therefore, many organisations need to manage multiple compliance frameworks simultaneously, and here a compliance platform can help by consolidating everything in one place.

The compliance platform from .legal, with its 'Frameworks' module, gives you an overview of requirements, guides you through risk assessments, documentation and vendor management, and helps with ongoing follow-up and reporting, making it easier to ensure your processes and technical measures comply with regulations across the board.

Book a demo and see how .legal can help your organisation manage multiple compliance frameworks.

Frequently Asked Questions about Digital Compliance

What is digital compliance?

Digital compliance covers the EU regulations that impose requirements on organisations' IT security and data handling. This includes GDPR, NIS2, the AI Act, CRA, Data Act and DORA. These regulations have been introduced to enhance security across the EU and harmonise legislation between member states.

Which EU regulations must my organisation comply with?

It depends on your organisation. GDPR applies to everyone who processes personal data. NIS2 applies to critical sectors with 50+ employees. The AI Act applies to everyone who develops or uses AI systems. CRA applies to manufacturers of digital products. Data Act applies to IoT manufacturers. DORA applies to the financial sector.

What is the difference between GDPR and NIS2?

GDPR focuses on protecting personal data and applies to all organisations that process personal information. NIS2 focuses on cybersecurity for critical infrastructure and only applies to organisations in specific sectors such as energy, transport, health and digital infrastructure with over 50 employees.

What is the AI Act?

The AI Act is an EU regulation that governs the development, use and marketing of AI systems. It takes a risk-based approach, where requirements depend on the AI system's risk to individuals and society. Everyone who uses AI must ensure AI literacy among employees.

What is the Cyber Resilience Act (CRA)?

CRA is an EU regulation that imposes cybersecurity requirements on products with digital elements such as smart devices and software. Manufacturers, importers and distributors must ensure products are secure throughout their lifecycle and bear the CE marking.

What is the Data Act?

The Data Act ensures fair and transparent access to user-generated data, particularly from IoT products. Users gain the right to access and share data they create when using products, for example with independent repairers.

What is DORA?

DORA (Digital Operational Resilience Act) imposes IT security requirements on the financial sector. Banks, insurance companies and other financial businesses must have IT security strategies, conduct risk assessments, test IT preparedness and control the supply chain.

How do I manage multiple compliance frameworks?

Many organisations are covered by multiple compliance frameworks simultaneously. A compliance platform can help by consolidating everything in one place, providing an overview of requirements, guiding through risk assessments and documentation, and helping with ongoing follow-up across legislation.

When do the new EU regulations come into effect?

GDPR has been in effect since 2018. NIS2 must be complied with from October 2024. The AI Act is being phased in gradually from 2024-2027. CRA and Data Act have different implementation deadlines. DORA applies from January 2025. Check the specific regulations for precise dates.

What happens if I do not comply with the regulations?

Sanctions vary between regulatory frameworks. GDPR can result in fines up to 4% of global turnover. NIS2 can result in fines up to EUR 10 million or 2% of turnover. The AI Act has fines up to EUR 35 million. Additionally, there is potential damage to reputation and customer trust.