Date: 2025-07-17

Cybersecurity

Network and Information Systems Directive 2022

NIS 2 was adopted in November 2022, came into force in January 2023, and Member States were required to transpose it into their national laws by October 17, 2024, after which NIS 2 replaced the preceding Network and Information Systems Directive (NIS 1). It establishes a unified legal framework to improve digital security and incident response across the EU.

Awareness and proper compliance with NIS 2 are particularly important as the regulation provides for the accountability and direct liability of an organization's management. NIS 2 applies to both public and private sector organizations and aims to uphold cybersecurity in 18 critical sectors across the EU. It especially targets organizations that can be categorized as "Essential Entities" or "Important Entities":

Essential Entities: e.g., organizations operating in sectors such as energy, transport, banking, health, space, digital infrastructure and water supply that meet the relevant size threshold. This threshold varies by sector but generally requires a minimum of 250 employees and an annual turnover of €50 million or a balance sheet total of €43 million. If an organization does not meet the threshold, it may still be considered an "Important Entity" under NIS 2.

Important Entities: e.g., organizations operating in sectors such as postal services, waste management, chemical production, food processing and digital providers that meet the relevant size threshold. The threshold for Important Entities also varies by sector but generally requires a minimum of 50 employees and an annual turnover of €10 million or a balance sheet total of €10 million.

Stay tuned for our publication focused on NIS 2, which will be available here.

Digital Operational Resilience Act

DORA was adopted in December 2022, came into force on January 16, 2023, and took full effect as of January 17, 2025. Since DORA does not provide for a transitional period, compliance oversight by the European Supervisory Authorities is set to begin as of 2025.

DORA imposes significant cybersecurity risk management obligations on financial entities and regulates critical third parties. The new requirements include measures for protection, detection, containment, recovery and repair, as DORA aims to encompass all aspects of operational resilience, particularly with respect to Information and Communication Technology ("ICT") risks. The regulation also introduces strict oversight of critical third-party providers, such as cloud services, by the European Supervisory Authorities.

DORA is a sector-specific regulation that applies to a wide range of financial entities as it aims to standardize their approach to ICT risks based on their size and risk profile, as well as the nature, scale and complexity of their services, activities and operations. This includes but is not limited to banks, insurance companies, investment firms, payment service providers, credit institutions and crypto-asset service providers.

Stay tuned for our publication on DORA which will be available here.

Data

Data Act

The Data Act was adopted in December 2023, came into force on January 11, 2024, and will partially apply as of September 12, 2025. The Data Act aims to regulate access to and use of data generated through "connected products" and related services. It gives users greater control over the data they generate through such products. The Act also imposes specific obligations on cloud providers, such as requiring them to facilitate switching between providers and to ensure data portability and continuity of service.

The Data Act will primarily apply to providers, suppliers, and users of IoT (Internet of Things) devices and related services, including providers and users of cloud services.

Stay tuned for our publication on the Data Act which will be available here.

Data Governance Act

The Data Governance Act was adopted in May 2022, came into force on June 23, 2022, and took effect in September 2023. The Data Governance Act aims to enhance data sharing within the EU by establishing a framework for voluntary data sharing:

Public sector bodies must allow the reuse of certain categories of protected data (such as personal or commercially confidential data) under specific conditions and safeguards.

Data intermediation services are subject to additional obligations under the Data Governance Act. In particular, these services must ensure transparency and neutrality in their operations while facilitating data sharing between data holders and data users.

Data altruism organizations must meet specific criteria for voluntary data sharing.

The Data Governance Act applies to public sector bodies, companies providing data intermediation services and organizations engaging in data altruism.

Stay tuned for our publication on the Data Governance Act which will be available here.

Platform and Content

Digital Markets Act

The DMA was adopted in September 2022, came into force on November 1, 2022, and took effect on May 3, 2023. The DMA aims to increase fairness and boost competition on digital platforms by imposing multiple obligations on companies designated as "gatekeepers." The Act notably prevents gatekeepers from using their core platform services to give an unfair advantage to their own products or services. The DMA also restricts how gatekeepers may use user data for purposes such as advertising. Overall, the Act is likely to significantly impact digital markets, and it provides for strong enforcement mechanisms, including fines of up to 10% of the gatekeeper's total worldwide annual turnover, or up to 20% in the case of repeated infringements.

The DMA applies to core platform services provided or offered by "gatekeepers," such as search engines and social media.

Stay tuned for our publication on the DMA which will be available here.

Digital Services Act

The DSA was adopted in October 2022, came into force on November 16, 2022, and took full effect in February 2024. The DSA provides new obligations and more accountability for online intermediaries and platforms that host content with the aim of preventing illegal and harmful activities online. Under the Act, they are required to, among other things:

take measures to prevent the sharing of harmful content, including setting up mechanisms for users to easily report such content;

disclose content moderation practices, including how they detect, remove, or restrict access to content;

inform users when content is removed or access is restricted, and provide clear reasons and appeal mechanisms.

The DSA also sets out additional obligations for large online platforms and search engines, such as performing risk assessments of systemic risks and conducting independent audits.

The DSA applies to providers of intermediary services offered to recipients of the service that have their place of establishment or are located in the EU. It significantly impacts those hosting content as well as social media platforms, online marketplaces and search engines.

Stay tuned for our bulletin on the DSA which will be available here.