The European Union is entering a new phase of digital regulation. With the AI Act, NIS 2 Directive, Digital Services Act, Digital Markets Act, Data Act and Cyber Resilience Act, the EU is fundamentally reshaping the legal landscape for technology, data, and digital markets.
These regulations address the exponential growth of data, the complexity of digital services, and the need for robust governance, security, and fair competition. For companies this means that compliance obligations are no longer abstract: they are being enforced, and national supervisory authorities are ramping up oversight.
This shift is already tangible in the market: major clients and public sector bodies increasingly require solid compliance documentation (e.g. for AI governance, GDPR, or accessibility). Companies unable to provide such evidence are at a significant disadvantage in tenders and transactions. Digital Compliance is now a decisive factor for business success and deal-making.
What is changing?
AI Act
The AI Act introduces a risk-based regulatory framework for artificial intelligence, aiming to ensure safety, transparency, and accountability. It applies to providers and deployers (the Act's term for professional users) of AI systems, with particular focus on “high-risk” AI systems and general-purpose AI (GPAI) models. After entering into force on 1 August 2024, the Act’s first prohibitions, targeting “unacceptable risk” practices, became effective on 2 February 2025. Governance rules for GPAI models followed on 2 August 2025, and companies must achieve full compliance with most high-risk requirements by 2 August 2026. However, it should be noted that these deadlines may shift as part of the EU Digital Omnibus package, which could link the application of certain obligations to the availability of harmonised standards. In Germany, a draft implementation law (KI-Marktüberwachungs- und Innovationsförderungsgesetz) was published on 12 September 2025, designating the BNetzA as the central national market surveillance authority.
NIS 2 Directive
NIS 2 strengthens cybersecurity across critical and digital infrastructure sectors, expanding the scope to 18 sectors. The Directive entered into force on 16 January 2023, and Germany adopted its national implementing act (NIS2UmsuCG) in November 2025, with the law taking effect on 6 December 2025. It imposes binding requirements for risk management, incident reporting, and supply chain security. Companies must establish comprehensive IT security measures and reporting structures, as national authorities ramp up inspections and oversight. These obligations apply immediately to approximately 29,000 companies in Germany, provided they operate in a covered sector and meet the size thresholds (at least 50 employees, or an annual turnover and an annual balance sheet total each exceeding €10 million). Certain providers, such as trust service providers, are in scope regardless of their size.
Digital Services Act (DSA)
The DSA sets new standards for online platforms and intermediary services, focusing on risk management, transparency, and user protection. Fully applicable since 17 February 2024, the DSA introduces obligations for handling illegal content, protecting user rights, and ensuring platform accountability. Very large online platforms and search engines (VLOPs/VLOSEs) face enhanced scrutiny, with national Digital Services Coordinators, such as the BNetzA in Germany, designated in May 2024, now overseeing enforcement. The Data Access Portal for vetted researchers has been operational since October 2025. EU enforcement ramped up in 2025, with proceedings against TikTok, AliExpress, and various platforms regarding the protection of minors. The first fines are expected in 2026.
Digital Markets Act (DMA)
The DMA targets “gatekeepers”, i.e., dominant digital platforms, to promote fair competition and prevent abusive practices. Applicable since 2 May 2023, the DMA sets out clear rules against self-preferencing, mandates data access and interoperability, and requires gatekeepers to support business users. The first enforcement wave began in 2025, led by the European Commission and supplemented by national authorities. In 2025, Apple was fined €500 million and Meta €200 million under the DMA. Investigations against Alphabet/Google are ongoing, with potential fines of up to 10% of global annual turnover (20% for repeat infringements). Parallel national enforcement is ongoing under Section 19a GWB, for example against Amazon.
Cyber Resilience Act (CRA)
The CRA introduces binding cybersecurity requirements for products with digital elements, covering hardware and software throughout their lifecycle. Having entered into force on 10 December 2024, the CRA requires manufacturers, importers, and distributors to ensure products are secure against cyberattacks and vulnerabilities, from development through to end-of-life. Mandatory reporting of actively exploited vulnerabilities and severe incidents begins on 11 September 2026, and most substantive obligations will apply from 11 December 2027. Early implementation of technical compliance is essential as enforcement ramps up.
Data Act
The Data Act aims to remove legal, technical, and economic barriers to data access and use, fostering a cross-industry data economy. Published in the Official Journal of the EU and in force since 11 January 2024, the Regulation has applied since 12 September 2025, following a transition period intended to allow for appropriate implementation. It covers data generated by connected products and related services, including IoT devices and essential software. The Data Act establishes user rights to access and share data, mandates fair, reasonable, and non-discriminatory (FRAND) terms for third-party access, and introduces new rules for data licence agreements in B2B contexts. Companies must ensure trade secret protection, adapt contracts, and prepare for obligations to disclose data to public sector bodies in exceptional circumstances. It also facilitates cloud switching and interoperability, requiring providers to support seamless transitions and open interfaces. In Germany, the national implementation act (DADG) is expected to enter into force by mid-2026.
What needs to be done?
The EU’s digital regulations mark a paradigm shift: compliance is now a strategic imperative. Companies should: (i) review and adapt products, services, and contracts to meet new regulatory requirements; (ii) implement robust compliance, security, and reporting processes; (iii) assign clear responsibilities across Legal, IT, Product, Compliance, and Security teams; (iv) monitor national implementation and guidance from supervisory authorities; and (v) engage proactively with regulatory consultations and fitness checks to help shape future rules. Failure to comply can result in severe fines and reputational risks. Early action ensures not only regulatory adherence but also positions companies to leverage new opportunities in Europe’s evolving digital landscape.
YPOG stands for You + Partners of Gamechangers – forward-thinking legal and tax advice. Supporting companies that are focused on emerging technologies, YPOG embraces change as an opportunity to develop cutting-edge solutions. The YPOG team offers comprehensive expertise in the areas of Funds, Tax, Transactions, Corporate, Banking, Regulatory + Finance, IP/IT/Data Protection, Litigation, and Corporate Crime + Compliance + Investigations. YPOG is one of the leading law firms in Germany for venture capital, private equity, fund structuring, and the implementation of distributed ledger technology (DLT) in financial services. Both the firm and its partners are regularly recognized by renowned national and international publications such as JUVE, Best Lawyers, Chambers and Partners, Leaders League, and Legal 500. YPOG is home to more than 180 experienced attorneys, tax advisors and tax specialists as well as a notary, working across offices in Berlin, Cologne, Hamburg, Munich, Cambridge and London.
Further information: www.ypog.law/en/ and www.linkedin.com/company/ypog