Most companies already have some IT security structure in place. The constant threat of cyber attacks and the associated existential risks are well known. However, IT security is no longer just a question of technology; it is a legal obligation. A large number of new laws, regulations and directives are intended to oblige companies to make their digital and physical infrastructure more resilient to attacks and disruptions. This article provides an overview of the most important regulations and fields of action.
What does IT compliance mean? Meaning & legal requirements
IT compliance refers to adherence to legal, internal and contractual requirements in the area of IT security. Effective IT compliance is not only a legal necessity, but also an essential part of corporate risk management. However, many companies find it difficult to keep track of the current requirements, and violations can result in severe penalties.
Cybersecurity situation 2024: Why action is needed now
The German Federal Office for Information Security (BSI) describes the cyber security situation as "tense" in its latest situation report. The number of attacks, both by state-sponsored actors and by criminal organizations, is constantly increasing. The economic damage for affected companies can be immense: business downtime, data loss, reputational damage, high fines and, not least, the threat of insolvency.
The current threat situation should be reason enough to put existing security measures to the test, compare them with the legal requirements and make any necessary adjustments. Anyone who believes that inadequate implementation of legal requirements has no consequences simply because there is no immediate threat of sanctions is mistaken.
IT security as a matter for the boss: personal liability of the management
Legislators have responded to the heightened threat situation with a large number of new security laws. The aim is to increase the level of cyber security throughout Europe - with a clear focus on prevention and a structured response to security incidents.
At the same time, responsibility for IT security is shifting to the highest corporate level: managing directors and board members are held personally liable. Anyone who ignores IT compliance or acts negligently must expect severe sanctions. These include not only fines that could threaten a company's existence, but also personal consequences under civil and criminal law.
The most important IT security laws for companies at a glance
The following laws and directives have the broadest scope of application and are therefore relevant for most companies:
1. NIS2UmsuCG (German NIS2 Implementation Act): New cyber security requirements
The European NIS 2 Directive aims to achieve a high, uniform level of cyber security across the EU. Companies within its scope must register with the competent authority, implement risk management measures and report significant security incidents within the prescribed deadlines. In Germany, compliance is supervised by the BSI. National implementation in Germany has been delayed and is expected by the end of 2025.
Recommendation for action:
- Check whether your company falls within the scope of NIS2 and the NIS2UmsuCG.
- Register your company early on the national registration portal.
2. KRITIS-DachG: Protection of critical infrastructures
The KRITIS Umbrella Act implements the European CER Directive and supplements the NIS2 requirements with specific requirements for the physical resilience of critical infrastructures. Companies must draw up risk and crisis management plans and fulfill reporting obligations.
Recommendation for action:
- Companies should draw up risk and crisis management plans.
- Fulfill reporting obligations and implement the required security measures.
3. AI Regulation (KI-VO, EU AI Act): Rules for the use of AI
The European regulation on artificial intelligence governs the safe and legally compliant development and use of AI systems. Particularly strict requirements apply to "high-risk AI" systems.
Recommendation for action:
- Develop internal AI guidelines to minimize liability risks.
- Train employees to use AI responsibly.
- Adapt employment contracts & company agreements.
4. General Data Protection Regulation (GDPR): Obligation to ensure IT security
The GDPR (Art. 32) stipulates that personal data must be protected by appropriate technical and organizational measures. Companies must take into account the "state of the art" and regularly review the effectiveness of their measures.
Recommendation for action:
- Data protection should be firmly integrated into the IT security strategy.
- Document all data security & compliance measures.
5. General Product Safety Regulation (GPSR): New requirements for manufacturers & retailers
The new product safety regulation applies to economic operators in the entire supply chain who deal with consumer products, i.e. all products that are intended for consumers or could reasonably be used by them, regardless of whether they are new, used or repaired.
Recommendation for action:
- Check whether your products meet the new safety standards.
- Carry out safety checks throughout the entire product life cycle.
6. Cyber Resilience Act (CRA): IT security for digital products
The CRA is intended to strengthen the security of "products with digital elements" through mandatory conformity assessment and CE marking. Manufacturers must implement a security concept, handle vulnerabilities and provide security updates, and guarantee the cyber security of their products throughout their entire life cycle.
Recommendation for action:
- Prepare for the main requirements, which apply from December 2027; note that the obligations to report actively exploited vulnerabilities and severe incidents apply earlier, from September 2026.
- Implement security by design in the development process.
7. EU Data Act: New rules on the control and use of data
The EU Data Act (applicable from 12 September 2025) regulates access to and use of data generated by connected devices. Users gain more control over their data, while manufacturers and providers are obliged to enable data sharing.
Recommendation for action:
- Check your technical interfaces & contract clauses.
- Prepare license agreements for data transfer in good time.
Whether and to what extent a company is affected by the above regulations must be examined on a case-by-case basis. There are also further specific requirements for individual industries and sectors.
Conclusion: IT compliance as a strategic necessity
The legal requirements for IT security are constantly increasing. Companies must continuously adapt their IT compliance strategy in order to remain legally compliant and competitive.
Important to-dos:
- ✅ Check and adapt security & compliance measures
- ✅ Train employees & managers on IT security risks
- ✅ Complete documentation & legal evaluation of compliance measures
📞 Get advice now! Our lawyers and specialist lawyers will help you with analysis, implementation & training for a secure and legally compliant IT compliance strategy.