As an IT lawyer with many years of experience advising technology start-ups and SaaS companies, I want to draw your attention to an important regulatory change. Effective August 2025, the EU is introducing new cybersecurity requirements that will significantly impact many of my clients. This tightening affects not only hardware manufacturers but also has far-reaching consequences for software developers, cloud services, and mobile applications.
EU Cybersecurity Tightening 2025: New Requirements for SaaS & App Developers from August
Key Aspects of the New Cybersecurity Requirements
The upcoming regulations introduce several crucial points for digital service providers:
- Network Protection: Manufacturers must implement functions to prevent damage to communication networks and ensure the functionality of websites or services. This means that devices and software must be designed not to cause unintentional disruptions or overloads in networks. For SaaS providers, this may require checking and optimizing their applications for potential negative effects on network infrastructures.
- Data Protection: Measures must be introduced to prevent unauthorized access to or transfer of user data. This goes beyond existing GDPR requirements and necessitates proactive technical solutions to protect personal data. App developers, for instance, may need to implement advanced encryption techniques and secure data transfer protocols. More broadly, managing a data leak in startup practice will become even more critical.
- Fraud Protection: Enhanced authentication mechanisms must be integrated to minimize the risk of fraud in electronic payments and money transfers. This could involve the introduction of multi-factor authentication, biometrics, or other advanced identity verification methods.
Impact on SaaS Developers and App Providers
The new regulations have extensive implications across the tech industry. Companies must re-evaluate their current practices and implement necessary changes.
API Security
SaaS applications and apps that communicate with other services via APIs must pay particular attention to the security of these interfaces. Key aspects include:
- Implementation of secure authentication mechanisms, such as OAuth 2.0 or JWT.
- Encryption of data transmission using current standards (e.g., TLS 1.3).
- Regular security audits of API endpoints.
- Implementation of rate limiting and anomaly detection.
- Use of API gateways for central management and monitoring.
Data Protection During Transmission
Apps must ensure no unauthorized transmission of personal data occurs when communicating with devices or services. This requires:
- End-to-end encryption for sensitive data.
- Implementation of data masking and tokenization.
- Strict control of data access rights within the application.
- Regular review and cleansing of databases.
Integrity Protection
Developers must implement measures to protect the integrity of their applications. This prevents them from being misused to disrupt networks or services. These measures include:
- Implementation of code signing and integrity checks.
- Regular security updates and patch management.
- Use of web application firewalls (WAF) and intrusion detection systems (IDS).
- Carrying out penetration tests and vulnerability analyses.
Extended Authentication
Robust authentication mechanisms are essential, especially for applications enabling payments or money transfers. This involves:
- Implementation of multi-factor authentication.
- Use of biometric procedures (e.g., fingerprint, facial recognition).
- Behavior-based authentication and anomaly detection.
- Compliance with the PSD2 directive for strong customer authentication.
Cloud Security
SaaS providers must review and secure their cloud infrastructures. This ensures that all data stored and processed in the cloud remains protected. Specific steps include:
- Implementation of zero-trust architectures.
- Encryption of data at rest and during transmission.
- Regular safety audits and compliance checks.
- Use of Cloud Access Security Brokers (CASB).
IoT Security
Developers of IoT applications face additional challenges to ensure security. This includes:
- Secure firmware updates and patch management.
- Implementation of device authentication and authorization.
- Network segmentation and isolation of IoT devices.
- Monitoring and anomaly detection in IoT networks.
Legal Implications for Companies
From a legal perspective, these new cybersecurity requirements have several significant consequences:
- Extended Liability: SaaS providers and app developers could face increased liability for security incidents. This applies if incidents are caused by a lack of implementation of the new security standards, potentially leading to higher claims for damages and reputational harm.
- Documentation Requirements: Comprehensive documentation of compliance with security requirements will be essential. This is particularly true for API security and data protection measures, necessitating detailed logging and reporting systems.
- Contract Amendments: Terms & Conditions and terms of use need revision to cover the new security features and obligations. This may also involve adapting Service Level Agreements (SLAs) and data protection agreements.
- Certification Requirements: It is likely that new certification standards will be introduced to demonstrate compliance with cybersecurity requirements. Companies must prepare for complex certification processes.
- Cross-Border Data Transfers: The new requirements could impact the permissibility of data transfers to third countries. This will necessitate a review and possible adaptation of existing data transfer agreements.
Recommendations from a Legal Perspective
To navigate these changes successfully, I recommend the following proactive steps:
- Security Audit: Conduct a comprehensive analysis of your applications and APIs to identify potential vulnerabilities. Consider hiring external security experts for independent assessments.
- API Security Strategy: Develop a robust strategy to secure your APIs, including regular penetration tests and security updates. Implement an API management system for centralized control and monitoring.
- Data Protection Impact Assessment (DPIA): Review and update your DPIAs, taking into account the new security requirements. This is especially important for data transfer between apps and devices. Also consider scenarios for data breaches and their legal consequences.
- Training Courses: Sensitize and train your developer teams regarding the new legal requirements and technical implementations. Establish a continuous training program on cybersecurity topics.
- Contractual Protection: Check contracts with third-party providers and service providers to ensure they comply with the new security standards. Implement liability distribution and indemnification clauses. For instance, consider implications for cloud contracts for start-ups.
- Incident Response Plan: Develop a detailed plan for dealing with security incidents. This plan should account for legal, technical, and communication aspects.
- Compliance Monitoring: Establish a system to continuously monitor compliance with the new security requirements, including regular internal audits. This proactive approach aligns with upcoming regulations like NIS2 compliance 2025.
- Insurance Cover: Review your existing cyber insurance policies and adjust them if necessary to cover the new risks.
Conclusion and Outlook
The upcoming changes represent a significant challenge but also offer opportunities to enhance product safety and customer confidence. As a specialist IT lawyer, I strongly advise a proactive approach. Addressing the new requirements early enables companies to minimize potential legal risks and gain a competitive advantage.
While implementing the new security standards will involve costs and effort, it can lead to an improved market position in the long term. Companies that adapt early can use this as a differentiating factor and strengthen customer trust.
I would be happy to support you in the legally compliant implementation of the new cybersecurity requirements. From analyzing your current situation to drafting adapted contracts and supporting the implementation process, my law firm is at your side with in-depth expertise. We offer tailor-made solutions that consider both the legal and technical aspects of the new regulations.
Let us work together to ensure your company is optimally equipped for the regulatory challenges of the future. In an increasingly networked world, cybersecurity is becoming a decisive factor for business success. Seize this opportunity to position yourself as a pioneer in security and compliance.