IT Regulations: 4 IT Laws You Should Be Aware of in 2026

DORA: Digital resilience in the financial sector  

What exactly does DORA regulate?

The Digital Operational Resilience Act addresses the growing dependence of the financial system on IT. While NIS2 regulates cybersecurity across all sectors, DORA focuses on operational resilience within the financial sector.  

A key milestone is the end of DORA’s transition period in the financial sector in 2026. By then at the latest, firms must have fully implemented the regulatory requirements.

Who is affected by the regulation?

DORA applies to banks, insurers, payment service providers and many other financial institutions, including their IT service providers.

What is the purpose of the regulation?

DORA is designed to ensure the continued operation of the financial sector in the event of serious IT disruptions or cyberattacks. Financial systems are considered systemically important, and their failure would immediately impact the economy and society.

The goal of DORA

• ICT risk management: IT risks are given the same priority as financial risks. Financial firms must implement strategies that cover the entire lifecycle of ICT systems, from identification and protection to recovery.
• Third-party oversight: A new feature of EU regulation is that large cloud providers (such as AWS, Azure and Google) can now be directly supervised by the European Supervisory Authorities (ESAs) if they are deemed critical to the sector. This makes dependencies on cloud providers transparent and manageable.
• Resilience testing: Contingency plans must be regularly tested using realistic scenarios. For significant players, DORA mandates advanced, threat-led penetration testing that goes beyond simple scans and simulates real-world attack scenarios.
• Recovery capability / KPI shift: Success is no longer measured solely by system availability, but by the ability to restore business operations within defined timeframes despite severe security incidents. Resilience thus becomes a measurable governance issue at the board level.

DORA shifts the focus from ‘IT is up and running’ to ‘The organization remains capable of acting even in the event of a crisis’.

Cyber Resilience Act (CRA): Security becomes a product feature  

What exactly does the Cyber Resilience Act regulate?

The Cyber Resilience Act (CRA) closes a regulatory gap by making cybersecurity a prerequisite for market access for digital products. This affects manufacturers of:

• IoT devices
• software solutions
• connected industrial products

Who is affected by the regulation?

The CRA applies to manufacturers and suppliers of digital products containing software components, icluding everything from IoT devices to business software. One important aspect for manufacturers is the reporting obligations under the CRA, which will come into force in September 2026. Companies must

• report actively exploited vulnerabilities
• within 24 hours

to the European Union Agency for Cybersecurity (ENISA).

What is the purpose of the regulation?

The CRA aims to prevent unsafe products from entering the European market. Cybersecurity will therefore no longer be solely the responsibility of operators, but rather, it will become the responsibility of manufacturers throughout the entire product lifecycle.

The goal of CRA

• Security by Design: Security requirements are embedded right from the development stage. Features such as encryption must be enabled by default, and unnecessary attack surfaces (e.g. open ports) must be minimized.
• Vulnerability management: Vulnerabilities must be actively managed and reported throughout the entire product lifecycle. Manufacturers are obliged to actively patch security vulnerabilities for a period of up to five years (or the expected product lifecycle).
• Transparency: Customers must be provided with clarity regarding the components contained in the software through software bills of materials (SBOMs). SBOMs are essential for immediately identifying which products within an organization are affected when new vulnerabilities are discovered.
• Update obligation: Security updates are a mandatory part of the product promise.
• Reporting obligation: Within 24 hours of becoming aware of them, manufacturers must actively report security vulnerabilities to ENISA to enable an early warning to the entire market.

The CRA thus reduces systemic risks arising from widespread vulnerabilities and strengthens confidence in digital products in the long term. Furthermore, responsibility shifts from operators to the manufacturers of digital products.

EU AI Act: Regulation of high-risk AI

What exactly does the EU AI Act regulate?

The EU AI Act is the world’s first comprehensive AI regulation. Its risk-based approach promotes innovation without hindering it with excessive bureaucracy.

Who is affected by the regulation?

The AI Act introduces a risk-based model that imposes particularly high requirements on so-called high-risk AI systems.

What is the purpose of the regulation?

The aim is to balance innovation with the protection of fundamental rights, safety and transparency. AI should remain economically viable, but not at the expense of fairness, traceability or public trust.

The goal of the EU AI Act

Rather than being regulated across the board, AI systems are classified according to risk. The risk pyramid categorizes systems as follows:

• Unacceptable risk: These AI systems are banned in the EU, including social scoring and manipulative techniques.
• High risk: These are AI systems with a high potential for harm, such as AI-supported recruitment processes or autonomous vehicles. They are subject to strict requirements.
• Limited risk: These are AI systems with limited risk that could be misused for manipulative purposes or deception. This category includes chatbots, AI-generated content and simple recommendation systems. Users must clearly be aware that they are interacting with an AI.
• Minimal risk: The lowest risk category is not specifically regulated due to its low potential for harm. Examples include spam filters, automatic text suggestions, and AI-assisted writing assistants.

The EU AI Act also includes the following provisions:

• Documentation requirements: Sensitive areas such as recruitment or lending are subject to strict audit and documentation requirements.
• Human oversight: Critical decisions made by AI must be subject to human review.
• Bias controls: The risk of discrimination must be systematically reduced. For high-risk systems, training, validation and test datasets must therefore be checked for bias to prevent discrimination.
• Rules for General Purpose AI (GPAI): Specific rules apply to powerful foundational models that can be used for many purposes and pose systemic risks.

According to the EU AI Act, trustworthy AI is a clearly defined quality and compliance benchmark for businesses.

Existing regulations remain relevant

In addition to the current EU requirements, longstanding regulations also retain their central importance and often form the basis for new requirements:

• The GDPR remains the key framework for all matters relating to personal data, particularly in the context of AI systems and security incidents.
• The IT Security Act / BSIG & BSI Basic Protection is a reference framework for many technical and organizational measures.
• ISO/IEC 27001 is an internationally recognized standard for information security management systems (ISMS).
• MaRisk / BAIT / VAIT (financial sector) complement DORA at the national supervisory level.
• Industry-specific security standards (B3S) are for KRITIS operators.

These frameworks ensure that new regulations are build upon existing security and governance structures, rather than emerging in a vacuum.

Conclusion: Regulation as a navigation system, not a hindrance

After years of preparation, many key EU regulations will come into full effect in 2026. The transition period will end with the national implementation of NIS2 and the entry into force of further provisions under DORA, the Cyber Resilience Act and the EU AI Act. For businesses, IT compliance will evolve from a one-time project to an ongoing management task.

These new requirements are increasingly intertwined, forming a coherent system of digital resilience.

• Management responsibility: Cybersecurity becomes an explicit duty of corporate management.
• Product security: Digital products must meet verifiable security requirements throughout their entire lifecycle.
• Trustworthy AI: Clear risk categories and transparency obligations establish a binding framework for the use of artificial intelligence.

In this way, European regulations establish a common framework for designing secure IT infrastructures, resilient organizations, and trustworthy digital technologies in the future.

Companies that view regulation solely as a mandatory requirement will primarily perceive it as a burden. Those, on the other hand, who use regulation as a strategic framework can derive real added value from it – in the form of greater stability, clearer processes and increased trust among customers and partners. 

Further links on the topic of IT regulation 

• Mastering IT regulation
• Introduction to critical infrastructures
• “Buy European”: Unlocking the Economic Potential of Europe’s Cybersecurity Sector
• Open Forums 2025