• 03/23/2026
  • Technical contribution

IT Regulations: 4 IT Laws You Should Be Aware of in 2026

In recent years, the regulatory landscape for IT and artificial intelligence in Europe has undergone a fundamental shift. What was once a technical issue for individual IT departments is now a governance issue for boards. These developments together mark a clear paradigm shift from reactive IT security to strategic cyber resilience.

Written by Markus Zeischke

[Image: four illuminated chips labeled “DORA,” “NIS2,” “CRA,” and “AI ACT” arranged on a circuit board, surrounded by a circle of EU stars]


2026 marks an important milestone: Many EU regulations must be implemented by now, or are reaching the end of their transition periods.

Key topics include:

  • NIS2 Implementation Act Germany 2026 – Deadlines for businesses
  • DORA Regulation for the financial sector – Transition period ends in 2026
  • Cyber Resilience Act – Reporting obligations from September 2026
  • EU AI Act – Requirements for high-risk systems from 2026

For businesses, compliance is no longer a one-time project but an ongoing organizational task. Learn more about EU regulations, compliance requirements, and their practical implementation in the IT Regulation section of it-sa 365.


NIS2: Cybersecurity is now a management responsibility

What exactly does NIS2 regulate?

With the European NIS2 Directive and its national implementation (link in German), the era in which cybersecurity could be delegated as a purely IT-related issue is coming to an end. Digital security is now an explicit organizational responsibility of senior management, and the directive sets specific deadlines for companies that need to adapt their security structures, reporting processes and governance models. A key operational step in this process is registering on the BSI reporting portal in accordance with NIS2 (link in German).

Who is affected by the regulation?

The NIS2 directive significantly expands the scope of affected organizations and tightens requirements regarding risk management, reporting obligations, and security measures. The directive distinguishes between ‘critical’ and ‘important’ facilities. In addition to traditional operators of critical infrastructure, the following sectors are now also affected:

  • Food production
  • Waste management
  • Digital services
  • Public administration

What is the purpose of the regulation?

NIS2 aims to systematically enhance the resilience of critical and important infrastructure against cyberattacks. It is a response to the current threat landscape, where attacks on supply chains, energy, healthcare, and digital services can quickly lead to macroeconomic consequences.

The goal of NIS2

NIS2 aims to systematically increase cyber resilience in Europe.

  • Management responsibility: Cybersecurity is being elevated from the IT department to the management level. Managers must complete cybersecurity training and, in cases of gross negligence, they can be held directly liable for failings in risk management.
  • Verifiable security measures: Companies must implement structured security concepts. Many organizations use an IT compliance checklist for SMEs 2026 to systematically address regulatory requirements.
  • Government oversight and sanctions: The directive introduces harmonized sanction rules which, similar to the GDPR, provide for fines of up to €10 million or 2% of global turnover.
  • Early detection and reporting obligations: Incidents must be detected at an early stage and reported more quickly.
  • Supply chain security: The scope explicitly includes supply chain security. Companies must actively assess the security of their suppliers and service providers, securing this relationship contractually to prevent cascading effects in the event of attacks.

Thus, NIS2 shifts the focus from isolated technical measures towards organizational security maturity.

DORA: Digital resilience in the financial sector

What exactly does DORA regulate?

The Digital Operational Resilience Act addresses the growing dependence of the financial system on IT. While NIS2 regulates cybersecurity across all sectors, DORA focuses on operational resilience within the financial sector.

A key milestone is the end of DORA’s transition period in the financial sector in 2026. By then at the latest, firms must have fully implemented the regulatory requirements.

Who is affected by the regulation?

DORA applies to banks, insurers, payment service providers and many other financial institutions, including their IT service providers.

What is the purpose of the regulation?

DORA is designed to ensure the continued operation of the financial sector in the event of serious IT disruptions or cyberattacks. Financial systems are considered systemically important, and their failure would immediately impact the economy and society.

The goal of DORA

  • ICT risk management: IT risks are given the same priority as financial risks. Financial firms must implement strategies that cover the entire lifecycle of ICT systems, from identification and protection to recovery.
  • Third-party oversight: A new feature of EU regulation is that large cloud providers (such as AWS, Azure and Google) can now be directly supervised by the European Supervisory Authorities (ESAs) if they are deemed critical to the sector. This makes dependencies on cloud providers transparent and manageable.
  • Resilience testing: Contingency plans must be regularly tested using realistic scenarios. For significant players, DORA mandates advanced, threat-led penetration testing that goes beyond simple scans and simulates real-world attack scenarios.
  • Recovery capability / KPI shift: Success is no longer measured solely by system availability, but by the ability to restore business operations within defined timeframes despite severe security incidents. Resilience thus becomes a measurable governance issue at the board level.

DORA shifts the focus from ‘IT is up and running’ to ‘The organization remains capable of acting even in the event of a crisis’.

Cyber Resilience Act (CRA): Security becomes a product feature

What exactly does the Cyber Resilience Act regulate?

The Cyber Resilience Act (CRA) closes a regulatory gap by making cybersecurity a prerequisite for market access for digital products. This affects manufacturers of:

  • IoT devices
  • software solutions
  • connected industrial products

Who is affected by the regulation?

The CRA applies to manufacturers and suppliers of digital products containing software components, including everything from IoT devices to business software. One important aspect for manufacturers is the reporting obligations under the CRA, which will come into force in September 2026. Companies must report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours.

What is the purpose of the regulation?

The CRA aims to prevent unsafe products from entering the European market. Cybersecurity will therefore no longer be solely the responsibility of operators, but rather, it will become the responsibility of manufacturers throughout the entire product lifecycle.

The goal of CRA

  • Security by Design: Security requirements are embedded right from the development stage. Features such as encryption must be enabled by default, and unnecessary attack surfaces (e.g. open ports) must be minimized.
  • Vulnerability management: Vulnerabilities must be actively managed and reported throughout the entire product lifecycle. Manufacturers are obliged to actively patch security vulnerabilities for a period of up to five years (or the expected product lifecycle).
  • Transparency: Customers must be provided with clarity regarding the components contained in the software through software bills of materials (SBOMs). SBOMs are essential for immediately identifying which products within an organization are affected when new vulnerabilities are discovered.
  • Update obligation: Security updates are a mandatory part of the product promise.
  • Reporting obligation: Within 24 hours of becoming aware of them, manufacturers must actively report security vulnerabilities to ENISA to enable an early warning to the entire market.

The CRA thus reduces systemic risks arising from widespread vulnerabilities and strengthens confidence in digital products in the long term. Furthermore, responsibility shifts from operators to the manufacturers of digital products.

EU AI Act: Regulation of high-risk AI

What exactly does the EU AI Act regulate?

The EU AI Act is the world’s first comprehensive AI regulation. Its risk-based approach promotes innovation without hindering it with excessive bureaucracy.

Who is affected by the regulation?

The AI Act introduces a risk-based model that imposes particularly high requirements on so-called high-risk AI systems.

What is the purpose of the regulation?

The aim is to balance innovation with the protection of fundamental rights, safety and transparency. AI should remain economically viable, but not at the expense of fairness, traceability or public trust.

The goal of the EU AI Act

Rather than being regulated across the board, AI systems are classified according to risk. The risk pyramid categorizes systems as follows:

  • Unacceptable risk: These AI systems are banned in the EU, including social scoring and manipulative techniques.
  • High risk: These are AI systems with a high potential for harm, such as AI-supported recruitment processes or autonomous vehicles. They are subject to strict requirements.
  • Limited risk: These are AI systems with limited risk that could be misused for manipulative purposes or deception. This category includes chatbots, AI-generated content and simple recommendation systems. Users must be clearly informed that they are interacting with an AI.
  • Minimal risk: The lowest risk category is not specifically regulated due to its low potential for harm. Examples include spam filters, automatic text suggestions, and AI-assisted writing assistants.

The EU AI Act also includes the following provisions:

  • Documentation requirements: Sensitive areas such as recruitment or lending are subject to strict audit and documentation requirements.
  • Human oversight: Critical decisions made by AI must be subject to human review.
  • Bias controls: The risk of discrimination must be systematically reduced. For high-risk systems, training, validation and test datasets must therefore be checked for bias to prevent discrimination.
  • Rules for General Purpose AI (GPAI): Specific rules apply to powerful foundational models that can be used for many purposes and pose systemic risks.

According to the EU AI Act, trustworthy AI is a clearly defined quality and compliance benchmark for businesses.

The bigger picture: How these regulations work together

NIS2, DORA, the Cyber Resilience Act and the EU AI Act work together to form a European architecture for digital resilience. The division of roles:

Regulation             Focus
NIS2                   Cybersecurity of organizations
DORA                   Financial sector resilience
Cyber Resilience Act   Security of digital products
EU AI Act              Governance for AI systems

While the NIS2 Directive aims to systematically enhance the overall resilience of businesses and critical infrastructure against cyberattacks, DORA specifically targets the financial sector to ensure the stability of this systemically important sector even in the event of severe IT disruptions.

Meanwhile, the Cyber Resilience Act (CRA) shifts responsibility towards manufacturers by making security a mandatory product design feature. Finally, the EU AI Act provides the framework for the technological future, enabling innovation in the field of artificial intelligence while ensuring the protection of fundamental rights.

Together, these regulations represent a paradigm shift from reactive IT security to strategic cyber resilience.

Existing regulations remain relevant

In addition to the current EU requirements, longstanding regulations also retain their central importance and often form the basis for new requirements:

  • The GDPR remains the key framework for all matters relating to personal data, particularly in the context of AI systems and security incidents.
  • The IT Security Act / BSIG & BSI Basic Protection is a reference framework for many technical and organizational measures.
  • ISO/IEC 27001 is an internationally recognized standard for information security management systems (ISMS).
  • MaRisk / BAIT / VAIT (financial sector) complement DORA at the national supervisory level.
  • Industry-specific security standards (B3S) apply to KRITIS operators.

These frameworks ensure that new regulations build upon existing security and governance structures, rather than emerging in a vacuum.

Conclusion: Regulation as a navigation system, not a hindrance

After years of preparation, many key EU regulations will come into full effect in 2026. The transition period will end with the national implementation of NIS2 and the entry into force of further provisions under DORA, the Cyber Resilience Act and the EU AI Act. For businesses, IT compliance will evolve from a one-time project to an ongoing management task.

These new requirements are increasingly intertwined, forming a coherent system of digital resilience.

  • Management responsibility: Cybersecurity becomes an explicit duty of corporate management.
  • Product security: Digital products must meet verifiable security requirements throughout their entire lifecycle.
  • Trustworthy AI: Clear risk categories and transparency obligations establish a binding framework for the use of artificial intelligence.

In this way, European regulations establish a common framework for designing secure IT infrastructures, resilient organizations, and trustworthy digital technologies in the future.

Companies that view regulation solely as a mandatory requirement will primarily perceive it as a burden. Those, on the other hand, who use regulation as a strategic framework can derive real added value from it – in the form of greater stability, clearer processes and increased trust among customers and partners. 

From compliance to true cyber resilience

Regulatory requirements are becoming increasingly binding for companies—but mere compliance on paper is not enough. In the IT Security Talk: Compliance & Regulation, you’ll learn how organizations pragmatically assess and prioritize legal requirements and translate them into sustainable security strategies.

In six concise sessions, experts will demonstrate how companies can navigate the regulatory jungle, identify relevant obligations, and derive concrete measures for greater cyber resilience.