Mastering IT regulation: Your compass for laws & standards

The digital transformation is increasing the complexity of IT security requirements. Companies must not only be aware of laws, guidelines and standards, they must actively manage them. This page provides orientation - and makes it clear that compliance is a strategic success factor, not a chore.

To the IT Talk: Regulation & Standards

Regulation in IT security:
Understanding the framework

What does regulation mean in the context of IT security?
Regulation in the field of IT security encompasses all legal requirements, regulations and standards that oblige companies to effectively protect their IT systems, data and digital processes. They specify which security measures must be taken and adhered to at all times.

The aim is to ensure the confidentiality, integrity and availability of information, minimize cyber risks and strengthen trust in digital services. These guidelines range from basic security principles to detailed technical and organizational requirements.


Complexity & the EU framework: Directives as a driver

The regulatory landscape is dynamic and complex. A key driver is the European Union, which creates a harmonized framework for the member states through directives (such as NIS-2) and regulations (such as GDPR, DORA, CRA). While EU regulations are directly and immediately applicable in all member states, directives must first be transposed into national law. This leads to a certain degree of complexity, as the specific national laws must be observed, even if the impetus comes from Brussels.


National implementation: country-specific laws and compliance

The transposition of EU directives into national law (e.g. the IT Security Act 2.0 or the upcoming NIS 2 Implementation Act in Germany) specifies the requirements for companies in the respective country. Compliance therefore means fulfilling the specific national laws, which are usually based on EU requirements but may have national characteristics. Organizations must actively engage with the national laws relevant to them, ensure compliance and document it.


Industry-specific requirements:
No “one size fits all”

In addition to the general requirements, special, often stricter regulations apply in many sectors. For example, the financial sector (e.g. through DORA), operators of critical infrastructures (KRITIS as part of NIS-2), the healthcare sector (with special requirements for the protection of patient data) and the telecommunications industry are each subject to their own compliance requirements. There is no one-size-fits-all solution - each company must know, evaluate and implement the regulations that apply to its industry.

Notes on global companies and their obligations

For globally active companies, the complexity continues to increase. They must not only comply with the regulations of the EU and the respective country of domicile, but also the regulations of the countries in which they operate or whose citizens' data they process (e.g. GDPR requirements when processing EU citizens' data by a US company). For international data transfers, specific instruments such as standard contractual clauses (SCCs) or adequacy decisions by the EU Commission are essential to ensure legal compliance.


From theory to practice

You've gained an overview and now want the details?

The free IT Security Talk: Regulation & Standards offers expert knowledge on concrete implementation - especially for SMEs and with a view to legal pitfalls.

Join us on Tuesday, May 27th, 2025, from 9:30 AM to 11:00 AM.

Current regulatory hotspots:
What matters now and what's next

The regulatory landscape is constantly changing. Here is an overview of the currently most important topics and an outlook on upcoming developments:

NIS-2 Directive

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS-2) is the successor to the first NIS Directive and has already entered into force at EU level.

The EU member states were obliged to transpose the requirements into national law by October 17, 2024 and have been applying them since October 18, 2024. NIS-2 introduces stricter security and reporting obligations for a significantly expanded group of sectors and companies (so-called “essential” and “important” entities).

Key points are a risk-based approach with concrete minimum measures, stricter supervision, more uniform and potentially high sanctions, supply chain security requirements and explicit management responsibility for the implementation and monitoring of cybersecurity measures.

Relevant for: Admins (implementation of technical and organizational measures), DPOs (proof of compliance, processes for reporting obligations), management (overall responsibility, liability).

Cyber Resilience Act (CRA)

This EU regulation aims to increase the security of products with digital elements (hardware and software) throughout their entire life cycle. Manufacturers are obliged to implement “security by design”, vulnerability management, security updates and transparency. The CRA has far-reaching implications for manufacturers, importers and retailers. The regulation came into force on December 10, 2024; the main obligations will apply from December 11, 2027. Relevant for: Manufacturers of IoT devices, software developers, admins (selection of secure products), users (higher basic security).

DORA (Digital Operational Resilience Act)

This EU regulation creates a uniform legal framework for digital operational resilience in the financial sector (banks, insurance companies, investment firms, but also important ICT third-party service providers). It has been in force since January 2025 and requires comprehensive measures in areas such as ICT risk management, ICT-related incident management, digital operational resilience testing and ICT third-party risk management. Relevant for: Financial companies (admins, DPOs, risk managers), IT service providers for the financial sector.

GDPR & Article 32

The General Data Protection Regulation remains a perennial issue. In particular, Article 32 GDPR requires “appropriate technical and organizational measures (TOMs)” to protect personal data. This requires a continuous assessment of the risks and adaptation of the security measures to the “state of the art”. TOMs are the practical basis for data protection and are often closely linked to the requirements of other IT security regulations. Relevant for: DPOs (central task), admins (implementation of TOMs), users (handling of data).

Forecast: What's coming up to 2025 and beyond?

🔷 Implementation: The next few years will be dominated by the national implementation and practical application of NIS-2 and DORA.
🔷 CRA: Following its adoption, preparations will begin for the application of the Cyber Resilience Act.
🔷 AI Act: The regulation of artificial intelligence will also entail security requirements, especially for high-risk AI systems.
🔷 Supply chain security: NIS-2, DORA and CRA are bringing supply chain security increasingly into the focus of regulation.
🔷 Cloud security: Specific requirements and certifications for cloud services (e.g. EUCS - European Union Cybersecurity Certification Scheme) will continue to gain in importance.


Exchange at eye level? Join our it-sa365 community

Network with peers & experts on IT security. Discuss current regulatory topics with like-minded people.

Non-compliance:
The far-reaching consequences

Failure to comply with IT security regulations is not a trivial offense, but carries considerable risks for companies. The specific consequences depend heavily on the law in question, the severity of the breach and the industry. If companies ignore their obligations, it is not only financial losses that are at risk.

  • Substantial fines
    Many regulations provide for high fines. The GDPR allows fines of up to 20 million euros or 4% of annual global turnover. NIS-2 also provides for severe penalties to be determined nationally, which could be based on the GDPR. DORA also allows for significant fines.
  • Personal liability of the management
    NIS-2 in particular emphasizes the responsibility of the management level for the implementation and monitoring of cybersecurity measures. In cases of gross negligence or willful misconduct, managing directors or board members may face personal liability.
  • Operational restrictions and official measures
    Supervisory authorities can order measures that go beyond fines. These include instructions to implement specific security measures, regular audits, the temporary or permanent prohibition of data processing or, in extreme cases, even the suspension of business activities.
  • Reputational damage and loss of trust
    A security incident or compliance breach that becomes public knowledge can massively damage the trust of customers, partners and the public. Rebuilding this reputation is often a lengthy and costly process.
  • Exclusion from contracts and business partnerships
    Many companies and, in particular, public sector clients require their suppliers and partners to provide proof of compliance with relevant security standards and regulations (e.g. ISO 27001 certification, proof of NIS-2 compliance). Non-compliance can lead to exclusion from tenders or termination of contracts.
  • Risk of civil lawsuits
    Data subjects (in the event of data protection breaches) or injured business partners can sue for damages, leading to further financial burdens and legal disputes.

Conclusion:
Why compliance is a strategic necessity

Complying with IT security regulations is much more than just avoiding penalties. Proactive compliance management is a strategic necessity and offers tangible benefits:

✔️ Risk minimization: Reduces the likelihood and impact of security incidents.
✔️ Resilience: Strengthens the company's resilience to cyber attacks and operational disruptions.
✔️ Trust: Builds trust with customers, partners and employees and strengthens market position.
✔️ Competitive advantage: Enables participation in tenders and creates differentiation in the market.
✔️ Efficiency: Optimizes IT processes through structured security processes (e.g. through an ISMS).

Investing in compliance is an investment in the future viability and security of your company.