IT regulations: Which IT laws should you be aware of in 2026?

DORA: Digital Resilience in the Financial Sector  

What exactly does DORA regulate?

The Digital Operational Resilience Act responds to the financial system’s growing dependence on IT. Whilst NIS2 regulates cybersecurity across all sectors, DORA focuses on operational resilience within the financial sector.  

A key milestone is the end of the DORA Regulation’s transition period in the financial sector in 2026. By then at the latest, firms must have fully implemented the regulatory requirements.

Who does the regulation apply to?

DORA applies to banks, insurers, payment service providers and many other financial institutions, including their IT service providers.

What is the aim of the regulation?

DORA is designed to ensure that the financial sector remains operational even in the event of serious IT disruptions or cyber attacks. Financial systems are considered systemically important; their failure would have an immediate impact on the economy and society.

The aim of this is:

• ICT risk management: IT risks are given the same priority as financial risks. Financial firms must implement strategies covering the entire lifecycle of ICT systems, from identification and protection to recovery.
• Third-party oversight: A new feature of EU regulation is that large cloud providers (such as AWS, Azure and Google) can now be directly supervised by the European Supervisory Authorities (ESAs) if they are classified as critical to the sector. This makes dependencies on cloud providers transparent and manageable.
• Resilience testing: Contingency plans must be regularly tested using realistic scenarios. For significant players, DORA mandates advanced, threat-led penetration testing that goes beyond simple scans and simulates real-world attack scenarios.
• Recovery capability / KPI shift: Success is no longer measured solely by system availability, but by the ability to restore business operations within defined timeframes despite severe security incidents. Resilience thus becomes a measurable governance issue at board level.

DORA shifts the focus from ‘IT is up and running’ to ‘The organisation remains capable of acting even in the event of a crisis’.

Cyber Resilience Act (CRA): Security becomes a product feature  

What exactly does the Cyber Resilience Act regulate?

The Cyber Resilience Act (CRA) closes a regulatory gap and makes cybersecurity a prerequisite for market access for digital products. This affects manufacturers of:

• IoT devices
• software solutions
• connected industrial products

Who is affected by the regulation?

The CRA applies to manufacturers and suppliers of digital products containing software components, ranging from IoT devices to business software. A particularly important point for manufacturers is the reporting obligations under the Cyber Resilience Act, which come into force in September 2026. Companies must

• report actively exploited vulnerabilities
• within 24 hours

to the European Union Agency for Cybersecurity (ENISA).

What is the aim of the regulation?

The CRA aims to prevent unsafe products from entering the European market in the first place. Cybersecurity will therefore no longer be solely the responsibility of operators, but will become the responsibility of manufacturers throughout the entire product lifecycle.

The aim of this is:

• Security by Design: Security requirements are embedded right from the development stage. Features such as encryption must be enabled by default, and unnecessary attack surfaces (e.g. open ports) must be minimised.
• Vulnerability management: Vulnerabilities must be actively managed and reported throughout the entire product lifecycle. Manufacturers are obliged to actively patch security vulnerabilities for a period of up to five years (or the expected product lifecycle).
• Transparency: Customers are provided with clarity regarding the components contained in the software through software bills of materials (SBOMs). The SBOM is essential for immediately identifying which products within the organisation are affected when new vulnerabilities come to light.
• Update obligation: Security updates become a mandatory part of the product promise.
• Reporting obligation: Within 24 hours of becoming aware of them, manufacturers must report actively exploited security vulnerabilities to ENISA to enable an early warning to the entire market.

The CRA thus reduces systemic risks arising from widespread vulnerabilities and strengthens confidence in digital products in the long term. Furthermore, responsibility is shifted from operators to the manufacturers of digital products.

EU AI Act: Regulation of high-risk AI

What exactly does the EU AI Act regulate?

The EU AI Act is the world’s first comprehensive AI regulation. Its risk-based approach promotes innovation without hindering it through excessive bureaucracy.

Who is affected by the regulation?

The AI Act introduces a risk-based model and imposes particularly high requirements on so-called high-risk AI systems.

What is the aim of the regulation?

The aim is to combine innovation with the protection of fundamental rights, safety and transparency. AI should remain economically viable, but not at the expense of fairness, traceability or public trust.

The aim of this is:

AI systems are classified according to risk rather than being regulated across the board. The risk pyramid categorises systems as follows:

• Unacceptable risk: These AI systems are banned in the EU, such as social scoring or manipulative techniques.
• High risk: AI systems with a high potential for harm, such as AI-supported recruitment processes or autonomous vehicles, are subject to strict requirements.
• Limited risk: AI systems with limited risk that could be misused for manipulative purposes or deception. These include chatbots, AI-generated content and simple recommendation systems. It must be clearly apparent to users that they are interacting with an AI.
• Minimal risk: The lowest risk category, not specifically regulated due to its low potential for harm. This includes, for example, spam filters, automatic text suggestions or AI-assisted writing assistants.

The EU AI Act also includes the following provisions:

• Documentation requirements: Sensitive areas such as recruitment or lending are subject to strict audit and documentation requirements.
• Human oversight: Critical decisions made by AI must be subject to human review.
• Bias controls: Risks of discrimination are to be systematically reduced. For high-risk systems, training, validation and test datasets must therefore be checked for bias to prevent discrimination.
• Rules for General Purpose AI (GPAI): Specific rules apply to powerful foundational models that can be used for many purposes and pose systemic risks.

Under the EU AI Act, trustworthy AI becomes a clearly defined quality and compliance benchmark for businesses.

Existing regulations remain relevant

In addition to these current EU requirements, regulations that have been in place for some time also retain their central importance and often form the basis for new requirements:

• GDPR – remains the key framework for all matters relating to personal data, particularly in the context of AI systems and security incidents
• IT Security Act / BSIG & BSI Basic Protection – reference framework for many technical and organisational measures
• ISO/IEC 27001 – internationally recognised standard for information security management systems (ISMS)
• MaRisk / BAIT / VAIT (financial sector) – complement DORA at the national supervisory level
• Industry-specific security standards (B3S) for KRITIS operators

These frameworks ensure that new regulations do not emerge in a vacuum, but build upon existing security and governance structures.

Conclusion: Regulation as a navigation system, not a hindrance

After years of preparation, many key EU regulations will come into full effect in 2026. With the national implementation of NIS2 and the entry into force of further provisions under DORA, the Cyber Resilience Act and the EU AI Act, the transition period will come to an end. For businesses, this means that IT compliance will evolve from a project into an ongoing management task.

These new requirements are increasingly intertwined, forming a coherent system of digital resilience:

• Management responsibility: Cybersecurity becomes an explicit duty of corporate management.
• Product security: Digital products must meet verifiable security requirements throughout their entire lifecycle.
• Trustworthy AI: Clear risk categories and transparency obligations create binding framework conditions for the use of artificial intelligence.

In this way, European regulations define a common framework for how secure IT infrastructures, resilient organisations and trustworthy digital technologies should be designed in the future.

Companies that view regulation solely as a mandatory requirement will perceive it primarily as a burden. Those, on the other hand, who use it as a strategic framework can derive real added value from it – in the form of greater stability, clearer processes and increased trust among customers and partners. 

Further links on the topic of IT regulation 

• Mastering IT regulation
• Introduction to critical infrastructures
• “Buy European”: Unlocking the Economic Potential of Europe’s Cybersecurity Sector
• Open Forums 2025