How Startups Can Navigate Through the Digital and AI Law Maze in Europe


10 minute read | June 25, 2025

Technology is advancing rapidly in AI and cloud computing, and with innovations such as quantum computing on the horizon, the legal landscape is evolving just as quickly. The European Union has adopted numerous laws, including on AI, data sharing, cyber resilience and information security. This may appear overwhelming, and you might wonder where to start without compromising speed and agility.

Here, we provide a structured overview of what we consider the most important new laws for companies that offer Internet of Things (IoT) devices, cloud services, or AI systems and models. For each law, we explain what it is about, to whom it applies, when it takes effect, and what actions you need to take if it applies to you.

AI Act

What Is It About?

The European AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive artificial intelligence law, creating a unified legal framework for AI systems across the EU Member States. The AI Act follows a risk-based approach and governs AI systems in three main categories: prohibited AI practices, which are not allowed in the European Union at all; high-risk AI systems, which pose a potential threat to health, safety or fundamental rights and are subject to extensive requirements; and systems with limited or minimal risk, for which at most transparency obligations apply. It also governs general-purpose AI models, such as large language models, and sets transparency rules for AI-generated content.

To Whom and When Does It Apply?

The AI Act applies to providers (developers), deployers (users), importers and distributors of such systems, and it also reaches companies outside the EU whose AI systems are placed on the EU market or whose output is used in the EU. The first obligations, on AI literacy and prohibited AI practices, took effect on 2 February 2025. Rules on general-purpose AI models apply from 2 August 2025. Most remaining obligations, including those for the high-risk AI systems listed in Annex III, apply from 2 August 2026; high-risk AI systems that are safety components of products covered by existing EU product legislation (Annex I) follow on 2 August 2027.

What To Do?

Because implementing the requirements will take time, it is wise to plan now rather than rush implementation later:

  • Identify the team responsible for AI governance and compliance.
  • Build an inventory of the AI systems and models your organization develops, procures, or uses.
  • Assess AI Act applicability and classify AI systems.
  • Develop an AI governance framework.
  • Foster AI knowledge and literacy across the organization.
  • Start developing compliance measures that require a longer lead time.
  • Do not forget that AI also triggers other laws, such as those on IP, data protection, and anti-discrimination.

Data Act

What Is It About?

The European Data Act (Regulation (EU) 2023/2854) is designed to ensure fair access to and use of data. It seeks to enable cross-company utilization of machine-generated data, enhance data availability, dismantle market barriers, and empower users to access and share data from connected devices. Additionally, it addresses the challenge of switching between cloud services to mitigate vendor lock-in.

To Whom And When Does It Apply?

The Data Act applies primarily to:

  • Manufacturers and providers of connected products and related services, including IoT devices such as connected cars, smart-home devices, medical devices, smart consumer goods, and industrial machinery, as well as data holders and recipients.
  • Providers of cloud services (SaaS, PaaS, IaaS).
  • Providers of edge services.

Micro and small enterprises are exempt from the data access and sharing obligations that apply to manufacturers of connected products and providers of related services; medium-sized enterprises benefit from this exemption only temporarily (for the first year after becoming medium-sized, and for products placed on the market within that year). No such exemption exists for providers of cloud services.
The Data Act applies from 12 September 2025, including the obligations for cloud service providers. The "access by design" obligation for manufacturers, which requires that product data and related service data be directly accessible to the user, applies to connected products and related services placed on the market after 12 September 2026.

What To Do?

As the Data Act will commence in the near future, it is advisable to start now and conduct the following actions:

  • Assess as soon as possible whether and to what extent the Data Act will apply to your business.
  • Cloud service providers should update their agreements to allow customers to initiate switching to another service provider, ensuring that the agreements comply with the detailed requirements in the Data Act.
  • Companies providing connected products and/or related services should assess:
    • The consequences for their businesses, e.g.:
      • Developing technical means to allow data access in a comprehensive, structured, commonly used, and machine-readable format.
      • Updating standards for data storage and structure, and considering designing connected products so that users can access data directly.
      • Implementing new functions in products and converting production processes.
      • Working through these effects together with the responsible product owners and product development teams.
    • The need to prepare a comprehensive data notice, which should cover the requirements of both the Data Act and the GDPR.
    • Whether their contractual terms contain provisions that might be deemed unfair or void under the Data Act.
    • Whether their technical protection measures are sufficient to prevent unauthorized use and disclosure of data.

Cyber Resilience Act

What Is It About?

The European Cyber Resilience Act (Regulation (EU) 2024/2847) is designed to protect consumers and businesses from cybersecurity risks associated with digital products and software. It sets binding essential cybersecurity requirements for products with digital elements, so that they reach the market with fewer vulnerabilities and manufacturers address security throughout the product life cycle, including by providing security updates during the support period. The act also promotes transparency, enabling users to consider cybersecurity when choosing and using digital products, for example by requiring manufacturers to state the support period for these products.

To Whom and When Does It Apply?

To achieve these aims, the act introduces mandatory cybersecurity requirements for all products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. Exclusions exist for free and open-source software that is not supplied in the course of a commercial activity, and for products already covered by sector-specific EU legislation with equivalent requirements, such as medical devices, civil aviation and motor vehicles.
The Cyber Resilience Act applies to manufacturers, importers, and distributors of products with digital elements. These are software or hardware products and their remote data processing solutions, including software or hardware components placed on the market separately. Products in this category include, e.g., IoT devices, consumer electronics, and software applications. Stand-alone cloud services are not covered as such (they fall under the NIS 2 Directive); cloud components are in scope only as remote data processing solutions that a product needs in order to perform its functions, such as a device's companion backend.
The Cyber Resilience Act will apply in full from 11 December 2027. Some provisions apply earlier: the rules on conformity assessment bodies from 11 June 2026, and the manufacturers' obligations to report actively exploited vulnerabilities and severe incidents to ENISA and the competent national CSIRT from 11 September 2026.

What To Do?

Even though the Cyber Resilience Act will not apply in full for more than two years, its implementation at the product level is among the most demanding of the laws discussed here and should be addressed early in product development or when a product update is due. The following should therefore be considered:

  • Conduct an assessment of which products with digital elements could fall under the Cyber Resilience Act, and which conformity assessment route would apply (self-assessment for most products, third-party assessment for the "important" and "critical" product classes).
  • Undertake an assessment of the cybersecurity risks associated with each product with digital elements and account for the outcome during the planning, design, development, production, delivery, and maintenance phases of the product.
  • Exercise due diligence when integrating components sourced from third parties, including open-source components, to ensure that such components do not compromise the security of the product.
  • Set up vulnerability handling processes: a software bill of materials (SBOM) covering at least the top-level dependencies, a coordinated vulnerability disclosure policy with a single point of contact, and a process for delivering security updates throughout the support period.
  • Prepare the necessary information and instructions for use, as well as the technical documentation and the internal processes needed to meet the reporting obligations.

NIS 2 Directive

What Is It About?

The European NIS 2 Directive (Directive (EU) 2022/2555) aims to enhance cybersecurity across the European Union by setting common standards and requirements for both public and private entities. These entities must adopt robust cybersecurity risk management measures, report significant incidents, and cooperate with national and EU authorities to protect critical infrastructure and services from cyber threats. While the Cyber Resilience Act addresses cybersecurity at the product level, the NIS 2 Directive addresses the security of the organizations themselves.

To Whom and When Does It Apply?

The NIS 2 Directive applies to a wide range of public and private entities that are critical to the functioning of the economy and society within the European Union. These entities include those in sectors such as energy, transport, banking/finance, health, water, digital infrastructure, and public administration, among others. Of particular relevance to technology companies, cloud computing service providers, data centre service providers and managed (security) service providers are expressly listed. The directive specifically targets entities that qualify as medium-sized enterprises or larger, as well as certain smaller entities that provide essential services or whose disruption could have significant societal or economic impacts.
Because a directive does not apply directly, Member States had to adopt national transposition laws by 17 October 2024. Not all Member States have done so yet, so in some of them there is still time before the requirements are fully in force. It seems unlikely, however, that Member States will grant any further grace period once their laws are adopted.

What To Do?

Even though the NIS 2 Directive has not yet been transposed in Germany, there are reports that this will happen within a reasonable time after the new government has formed, which could mean that the law is adopted by autumn or winter this year. Certain measures should therefore already have been taken:

  • Determine if your organization falls under the scope of the NIS 2 Directive.
  • Assess the cybersecurity risk and implement risk management measures, including technical and organizational measures.
  • Implement processes that allow you to meet the reporting obligations; NIS 2 requires an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident, followed by a final report within one month.
  • Check whether your national transposition law entails additional requirements.

Further Laws

But it does not stop there. Other laws may also apply, such as the following:

  • Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). This act aims to establish comprehensive regulations for cybersecurity, ICT risks, and digital operational resilience in the financial sector.
  • Digital Services Act (Regulation (EU) 2022/2065). The DSA regulates illegal content and activities online with a view toward protecting European users of online intermediary services. The DSA has a broad application, with obligations relevant to all online "hosts," although most obligations apply to "very large online platforms" and "very large online search engines."
  • European Accessibility Act (Directive (EU) 2019/882). This directive aims to improve the functioning of the internal market for accessible products and services. It intends to give people with disabilities better access to products and services and is, inter alia, aimed at e-commerce and audiovisual media services.
  • General Product Safety Regulation (Regulation (EU) 2023/988). The objective of this regulation is to protect consumers and their safety. The regulation applies to any product that is placed or made available on the EU market.

Learn More

Our Cyber, Privacy & Data Innovation Team is happy to provide you with further insights and help you assess to what extent the laws apply to your business and should influence your future decisions.

If you want to learn more about the above, please find further details in our insights under: