Cybersecurity 2025: New EU Rules for IT Security | IT-Medienrecht

Learn how new EU Cybersecurity Rules in 2025 impact your tech business. Protect your SaaS, apps & data. Get expert legal insights!

As an IT lawyer with many years of experience advising technology start-ups and SaaS companies, I want to draw your attention to an important regulatory change. Effective August 2025, the EU is introducing new cybersecurity requirements that will significantly impact many of my clients. This tightening affects not only hardware manufacturers but also has far-reaching consequences for software developers, cloud services, and mobile applications.

EU Cybersecurity Tightening 2025: New Requirements for SaaS & App Developers from August

Key Aspects of the New Cybersecurity Requirements

The upcoming regulations introduce several crucial points for digital service providers:

  1. Network Protection: Manufacturers must implement functions to prevent damage to communication networks and ensure the functionality of websites or services. This means that devices and software must be designed not to cause unintentional disruptions or overloads in networks. For SaaS providers, this may require checking and optimizing their applications for potential negative effects on network infrastructures.
  2. Data Protection: Measures must be introduced to prevent unauthorized access to or transfer of user data. This goes beyond existing GDPR requirements and necessitates proactive technical solutions to protect personal data. App developers, for instance, may need to implement advanced encryption techniques and secure data transfer protocols. More broadly, managing a data leak in startup practice will become even more critical.
  3. Fraud Protection: Enhanced authentication mechanisms must be integrated to minimize the risk of fraud in electronic payments and money transfers. This could involve the introduction of multi-factor authentication, biometrics, or other advanced identity verification methods.

Impact on SaaS Developers and App Providers

The new regulations have extensive implications across the tech industry. Companies must re-evaluate their current practices and implement necessary changes.

API Security

SaaS applications and apps that communicate with other services via APIs must pay particular attention to the security of these interfaces. Key aspects include:

Data Protection During Transmission

Apps must ensure no unauthorized transmission of personal data occurs when communicating with devices or services. This requires:

Integrity Protection

Developers must implement measures to protect the integrity of their applications. This prevents them from being misused to disrupt networks or services. These measures include:

Extended Authentication

Robust authentication mechanisms are essential, especially for applications enabling payments or money transfers. This involves:

Cloud Security

SaaS providers must review and secure their cloud infrastructures. This ensures that all data stored and processed in the cloud remains protected. Specific steps include:

IoT Security

Developers of IoT applications face additional challenges to ensure security. This includes:

Legal Implications for Companies

From a legal perspective, these new cybersecurity requirements have several significant consequences:

Recommendations from a Legal Perspective

To navigate these changes successfully, I recommend the following proactive steps:

  1. Security Audit: Conduct a comprehensive analysis of your applications and APIs to identify potential vulnerabilities. Consider hiring external security experts for independent assessments.
  2. API Security Strategy: Develop a robust strategy to secure your APIs, including regular penetration tests and security updates. Implement an API management system for centralized control and monitoring.
  3. Data Protection Impact Assessment (DPIA): Review and update your DPIAs, taking into account the new security requirements. This is especially important for data transfer between apps and devices. Also consider scenarios for data breaches and their legal consequences.
  4. Training Courses: Sensitize and train your developer teams regarding the new legal requirements and technical implementations. Establish a continuous training program on cybersecurity topics.
  5. Contractual Protection: Check contracts with third-party providers and service providers to ensure they comply with the new security standards. Implement liability distribution and indemnification clauses. For instance, consider implications for cloud contracts for start-ups.
  6. Incident Response Plan: Develop a detailed plan for dealing with security incidents. This plan should account for legal, technical, and communication aspects.
  7. Compliance Monitoring: Establish a system to continuously monitor compliance with the new security requirements, including regular internal audits. This proactive approach aligns with upcoming regulations like NIS2 compliance 2025.
  8. Insurance Cover: Review your existing cyber insurance policies and adjust them if necessary to cover the new risks.

Conclusion and Outlook

The upcoming changes represent a significant challenge but also offer opportunities to enhance product safety and customer confidence. As a specialist IT lawyer, I strongly advise a proactive approach. Addressing the new requirements early enables companies to minimize potential legal risks and gain a competitive advantage.

While implementing the new security standards will involve costs and effort, it can lead to an improved market position in the long term. Companies that adapt early can use this as a differentiating factor and strengthen customer trust.

I would be happy to support you in the legally compliant implementation of the new cybersecurity requirements. From analyzing your current situation to drafting adapted contracts and supporting the implementation process, my law firm is at your side with in-depth expertise. We offer tailor-made solutions that consider both the legal and technical aspects of the new regulations.

Let us work together to ensure your company is optimally equipped for the regulatory challenges of the future. In an increasingly networked world, cybersecurity is becoming a decisive factor for business success. Seize this opportunity to position yourself as a pioneer in security and compliance.