10 minute read | June 25, 2025
Technology is advancing rapidly in the realms of AI and cloud computing. With emerging innovations like quantum computing on the horizon, the legal landscape is evolving at an equally swift pace. The European Union has adopted numerous laws, including on AI, data sharing, cyber resilience, information security and other topics. This might appear overwhelming, and you might wonder where to start without compromising speed and agility.
Here, we provide a structured overview on what we consider the most important new laws, if your company offers Internet of Things (IoT) devices, cloud services, or AI systems and models. Discover what this is all about, who it applies to, when it takes effect, and what actions you need to take if it applies to you.
The European AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive artificial intelligence act, creating a unified legal framework for AI systems across the EU Member States. The AI Act follows a risk-based approach and governs AI systems in three categories—prohibited AI practices, which are not allowed in the European Union at all; high-risk AI systems, which pose a potential threat to personal safety or fundamental rights; and systems with minimal risk. It also governs general-purpose AI models, such as large language models, and sets transparency rules for AI-generated content.
The AI Act applies to developers, traders, and users of such systems. The first obligations—regarding AI literacy and prohibited AI systems—took effect in February 2025. Rules on general-purpose AI models will commence on 2 August 2025. Any other obligations, specifically those on high-risk AI systems, will be applied in part on 2 August 2026 and on 2 August 2027.
Because the implementation of the requirements will take some time, it is wise to plan now rather than start any implementation in a rush:
The European Data Act (Regulation (EU) 2023/2854) is designed to ensure fair access to and use of data. It seeks to enable cross-company utilization of machine-generated data, enhance data availability, dismantle market barriers, and empower users to access and share data from connected devices. Additionally, it addresses the challenge of switching between cloud services to mitigate vendor lock-in.
The Data Act applies primarily to:
Micro-, small-, and medium-sized enterprises (MSMEs) are partially exempt from obligations as manufacturers and providers of connected products and related services. However, no such exemption exists for providers of cloud services.
The majority of obligations under the Data Act will take effect beginning on 12 September 2025, including those for cloud service providers. Obligations for manufacturers of connected products will commence on 2 September 2026.
As the Data Act will commence in the near future, it is advisable to start now and conduct the following actions:
The European Cyber Resilience Act (Regulation (EU) 2024/2847) is designed to protect consumers and businesses from cybersecurity risks associated with digital products and software. It establishes guidelines for developing secure products with digital elements, ensuring they have fewer vulnerabilities and that manufacturers prioritize security throughout the product life cycle. The act also promotes transparency, enabling users to consider cybersecurity when choosing and using digital products, such as by clarifying the support period for these products.
To address these aims, the act introduces mandatory cybersecurity requirements applying to all products connected to other devices or networks, with some exclusions such as open-source software and certain regulated services (e.g., medical devices, aviation, and cars).
The Cyber Resilience Act applies to manufacturers, importers, and distributors of products with digital elements. A product with digital elements is a software or hardware product together with its remote data processing solutions, including software or hardware components placed on the market separately. Products in this category could be, e.g., IoT devices, consumer electronics, or software applications—including offerings of cloud providers.
The Cyber Resilience Act will take effect on 11 December 2027. However, some provisions will enter into force earlier, starting 11 June 2026.
Even though the Cyber Resilience Act will not start applying for more than two years, its implementation at the product level is one of the most challenging and should be addressed in the early stages of product development or when a product update is due. The following should thus be considered:
The European NIS 2 Directive (Directive (EU) 2022/2555) aims to enhance cybersecurity across the European Union by setting common standards and requirements for both public and private entities. These entities shall adopt robust cybersecurity measures, report significant incidents, and cooperate with national and EU authorities to protect critical infrastructure and services from cyber threats. While the Cyber Resilience Act focuses on cybersecurity measures on the product level, the NIS 2 Directive focuses on enhancing the security of companies themselves.
The NIS 2 Directive applies to a wide range of public and private entities that are critical to the functioning of the economy and society within the European Union. These entities include those in sectors such as energy, transport, banking/finance, health, water, digital infrastructure, and public administration, among others. The directive specifically targets entities that qualify as medium-sized enterprises or larger, as well as certain smaller entities that provide essential services or whose disruption could have significant societal or economic impacts.
Because the directive does not apply directly, the Member States should have adopted implementing laws by 17 October 2024. As not all Member States have done so yet (see overview), there is still time before the laws need to be fully implemented, at least in some Member States. However, it seems unlikely that Member States will grant any further grace period for implementation.
Even though the NIS 2 Directive has not yet been implemented in Germany, there are reports that this will happen within a reasonable time after the new government has formed, which could mean that the law will be adopted by autumn or winter this year. Therefore, certain measures should already have been taken:
But it does not stop there. There are other applicable laws, such as the following:
Our Cyber, Privacy & Data Innovation Team is happy to provide you with further insights and help you assess to what extent the laws apply to your business and should influence your future decisions.
If you want to learn more about the above, please find further details in our insights under: