As an IT lawyer with many years of experience in advising technology start-ups and SaaS companies, I would like to draw your attention to an important regulatory change that will come into force from August 2025. The EU is introducing new cybersecurity requirements that will have a significant impact on many of my clients. This tightening not only affects hardware manufacturers, but also has far-reaching consequences for software developers, cloud services and mobile applications.
Key points of the new requirements
- Network protection: Manufacturers must implement functions that prevent damage to communication networks and do not impair the functionality of websites or services. This means that devices and software must be designed in such a way that they do not cause unintentional disruptions or overloads in networks. For SaaS providers, this could mean that they need to check and optimize their applications for potential negative effects on network infrastructures.
- Data protection: Measures must be introduced to prevent unauthorized access to or transfer of user data. This goes beyond the existing GDPR requirements and requires proactive technical solutions to protect personal data. For app developers, this may mean implementing advanced encryption techniques and secure data transfer protocols.
- Fraud protection: Integration of improved authentication mechanisms to minimize the risk of fraud in electronic payments and money transfers. This could require the introduction of multi-factor authentication, biometrics or other advanced identity verification methods.
Impact on SaaS developers and app providers
The new regulations have far-reaching implications for the entire tech industry:
- API security: SaaS applications and apps that communicate with other services via APIs must pay particular attention to the security of these interfaces. This includes:
  - Implementation of secure authentication mechanisms, such as OAuth 2.0 or JWT
  - Encryption of data transmission with current standards (e.g. TLS 1.3)
  - Regular security audits of the API endpoints
  - Implementation of rate limiting and anomaly detection
  - Use of API gateways for central management and monitoring
- Data protection during transmission: Apps must ensure that no unauthorized transmission of personal data takes place when communicating with devices or services. This requires:
  - End-to-end encryption for sensitive data
  - Implementation of data masking and tokenization
  - Strict control of data access rights within the application
  - Regular review and cleansing of databases
- Integrity protection: Developers must implement measures to protect the integrity of their applications and prevent them from being misused to disrupt networks or services. These include:
  - Implementation of code signing and integrity checks
  - Regular security updates and patch management
  - Use of web application firewalls (WAF) and intrusion detection systems (IDS)
  - Carrying out penetration tests and vulnerability analyses
- Extended authentication: Robust authentication mechanisms must be integrated, especially for applications that enable payments or money transfers. This includes:
  - Implementation of multi-factor authentication
  - Use of biometric procedures (e.g. fingerprint, facial recognition)
  - Behavior-based authentication and anomaly detection
  - Compliance with the PSD2 directive for strong customer authentication
- Cloud security: SaaS providers must review and secure their cloud infrastructures:
  - Implementation of zero-trust architectures
  - Encryption of data at rest and during transmission
  - Regular security audits and compliance checks
  - Use of Cloud Access Security Brokers (CASB)
- IoT security: There are additional challenges for developers of IoT applications:
  - Secure firmware updates and patch management
  - Implementation of device authentication and authorization
  - Network segmentation and isolation of IoT devices
  - Monitoring and anomaly detection in IoT networks
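To make the "rate limiting and anomaly detection" item under API security concrete, here is an added example in Go (written for this page, not code from the article or from any product it mentions). It keeps a token bucket per authenticated client, replays a constructed traffic sample through it, and then flags any client whose call volume is far above the median client, the kind of report an API gateway would feed into monitoring. The type and function names (Limiter, Analyse, SampleRequests), the bucket parameters and the three client identities are all assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Request is one API call: the authenticated client identity and arrival time.
type Request struct {
	Client string
	At     time.Time
}

// bucket is one client's token bucket: requests spend tokens, which refill at a fixed rate up to the burst capacity.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps one token bucket per client identity.
type Limiter struct {
	capacity, rate float64 // burst size, sustained tokens per second
	buckets        map[string]*bucket
}

func NewLimiter(capacity, ratePerSec float64) *Limiter {
	return &Limiter{capacity, ratePerSec, map[string]*bucket{}}
}

// Allow spends one token for client at time now; false means the burst is used up and the client exceeds the sustained rate.
func (l *Limiter) Allow(client string, now time.Time) bool {
	b, ok := l.buckets[client]
	if !ok {
		b = &bucket{l.capacity, now}
		l.buckets[client] = b
	}
	elapsed := math.Max(0, now.Sub(b.last).Seconds()) // ignore a clock that went backwards
	b.tokens = math.Min(l.capacity, b.tokens+elapsed*l.rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Stats summarises one client: calls passed, calls rejected by the limiter, and whether its volume stands out.
type Stats struct {
	Allowed, Rejected int
	Anomalous         bool
}

// Analyse replays requests in time order through the limiter, then flags clients whose
// call volume exceeds three times the median client's volume (a crude but explainable rule).
func Analyse(reqs []Request, l *Limiter) map[string]*Stats {
	sort.SliceStable(reqs, func(i, j int) bool { return reqs[i].At.Before(reqs[j].At) })
	stats := map[string]*Stats{}
	for _, r := range reqs {
		s := stats[r.Client]
		if s == nil {
			s = &Stats{}
			stats[r.Client] = s
		}
		if l.Allow(r.Client, r.At) {
			s.Allowed++
		} else {
			s.Rejected++
		}
	}
	counts := make([]int, 0, len(stats))
	for _, s := range stats {
		counts = append(counts, s.Allowed+s.Rejected)
	}
	sort.Ints(counts)
	for _, s := range stats { // counts is non-empty whenever stats is
		s.Anomalous = float64(s.Allowed+s.Rejected) > 3*float64(counts[len(counts)/2])
	}
	return stats
}

// SampleRequests is a constructed traffic sample: two ordinary clients plus one client
// hammering the API at 50 requests per second (assumed identities, not real data).
func SampleRequests() []Request {
	base := time.Date(2025, 8, 1, 9, 0, 0, 0, time.UTC)
	var reqs []Request
	add := func(client string, n int, start, every time.Duration) {
		for i := 0; i < n; i++ {
			reqs = append(reqs, Request{client, base.Add(start + time.Duration(i)*every)})
		}
	}
	add("alice", 5, 0, 2*time.Second)
	add("bob", 4, 0, 3*time.Second)
	add("scanner", 30, time.Second, 20*time.Millisecond)
	return reqs
}

func main() {
	for c, s := range Analyse(SampleRequests(), NewLimiter(10, 1)) {
		fmt.Printf("%-8s allowed=%2d rejected=%2d anomalous=%v\n", c, s.Allowed, s.Rejected, s.Anomalous)
	}
}
```

With a burst of 10 and a sustained rate of one request per second, the two ordinary clients pass untouched, while the fast client gets its first 10 calls through and the remaining 20 rejected, and is flagged because its volume is six times the median. In production the client identity would come from the verified OAuth 2.0 or JWT credential rather than a free-form string, and the flag would feed the monitoring the article calls for rather than a printout.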
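The "code signing and integrity checks" item under integrity protection and the "secure firmware updates" item under IoT security rest on the same mechanism: the vendor signs a manifest that binds a version to the hash of the artifact, and the installed software checks that signature with an embedded public key before applying anything. The following Go program is an added example written for this page, not the article's or any vendor's code; it uses the standard library's Ed25519 and SHA-256, and the Manifest layout, the Sign/Verify functions and the product name "sensor-gw" are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one signed release. The signature covers Canonical(), which binds
// product, version and artifact hash together, so no field can be swapped independently.
type Manifest struct {
	Product   string
	Version   int    // monotonically increasing; used to refuse downgrades
	SHA256    []byte // digest of the artifact bytes
	Signature []byte // Ed25519 signature over Canonical()
}

// Canonical returns the exact bytes that are signed and later verified.
func (m Manifest) Canonical() []byte {
	return []byte(fmt.Sprintf("product=%s\nversion=%d\nsha256=%s\n",
		m.Product, m.Version, hex.EncodeToString(m.SHA256)))
}

// Sign is the release pipeline's side: the private key stays offline or in an HSM and is never shipped.
func Sign(priv ed25519.PrivateKey, product string, version int, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	m := Manifest{Product: product, Version: version, SHA256: sum[:]}
	m.Signature = ed25519.Sign(priv, m.Canonical())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrProduct      = errors.New("manifest is for a different product")
	ErrDowngrade    = errors.New("manifest version not newer than installed")
	ErrDigest       = errors.New("artifact digest does not match manifest")
)

// Verify is the device or application side, run before an update is applied: signature
// first (so nothing below trusts unsigned fields), then product binding, anti-rollback
// version, and finally the hash of the downloaded bytes.
func Verify(pub ed25519.PublicKey, m Manifest, product string, installed int, artifact []byte) error {
	if !ed25519.Verify(pub, m.Canonical(), m.Signature) {
		return ErrBadSignature
	}
	if m.Product != product {
		return ErrProduct
	}
	if m.Version <= installed {
		return ErrDowngrade
	}
	sum := sha256.Sum256(artifact)
	if !bytes.Equal(sum[:], m.SHA256) {
		return ErrDigest
	}
	return nil
}

// Demo runs the flow over a constructed artifact and returns each check's outcome.
func Demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed throw-away key pair
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v2") // stands in for a real artifact
	m := Sign(priv, "sensor-gw", 2, firmware)

	tampered := append([]byte{}, firmware...) // artifact altered after signing
	tampered[0] ^= 0x01
	edited := m // manifest edited without access to the private key
	edited.Version = 3
	older := Sign(priv, "sensor-gw", 1, firmware) // genuine but already installed version

	return map[string]error{
		"genuine":       Verify(pub, m, "sensor-gw", 1, firmware),
		"tampered":      Verify(pub, m, "sensor-gw", 1, tampered),
		"edited":        Verify(pub, edited, "sensor-gw", 1, firmware),
		"downgrade":     Verify(pub, older, "sensor-gw", 1, firmware),
		"wrong_product": Verify(pub, m, "other-product", 1, firmware),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-14s -> %v\n", name, err)
	}
}
```

Only the genuine manifest with the matching artifact returns nil; every other case is refused by the first failing check, and the order of the checks matters: a version or product field is only trusted after the signature over the canonical bytes has been confirmed.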
Legal implications for companies
From a legal perspective, this has the following consequences:
- Extended liability: SaaS providers and app developers could be held liable for security incidents caused by a failure to implement the new security standards. This could lead to increased claims for damages and reputational damage.
- Documentation requirements: It will be necessary to comprehensively document compliance with security requirements, particularly in relation to API security and data protection measures. This requires the introduction of detailed logging and reporting systems.
- Contract amendments: T&Cs and terms of use need to be revised to cover the new security features and obligations. This may also involve adapting service level agreements (SLAs) and data protection agreements.
- Certification requirements: It is likely that new certification standards will be introduced to demonstrate compliance with cybersecurity requirements. Companies must prepare for complex certification processes.
- Cross-border data transfers: The new requirements could have an impact on the permissibility of data transfers to third countries, requiring a review and possible adaptation of existing data transfer agreements.
Recommendations from a legal perspective
- Security audit: Conduct a comprehensive analysis of your applications and APIs to identify potential vulnerabilities. Hire external security experts for independent assessments.
- API security strategy: Develop a robust strategy to secure your APIs, including regular penetration tests and security updates. Implement an API management system for centralized control and monitoring.
- Data protection impact assessment: Review and update your DPIAs taking into account the new security requirements, particularly with regard to data transfer between apps and devices. Also consider scenarios for data breaches and their legal consequences.
- Training courses: Sensitize and train your developer teams regarding the new legal requirements and technical implementations. Establish a continuous training program on cybersecurity topics.
- Contractual protection: Check contracts with third-party providers and service providers to ensure that they also comply with the new security standards. Implement liability distribution and indemnification clauses.
- Incident response plan: Develop a detailed plan for dealing with security incidents that takes legal, technical and communication aspects into account.
- Compliance monitoring: Establish a system to continuously monitor compliance with the new security requirements, including regular internal audits.
- Insurance cover: Check your existing cyber insurance policies and adjust them if necessary to cover the new risks.
Conclusion and outlook
The upcoming changes pose a significant challenge, but also offer opportunities to improve product security and customer confidence. As a specialist IT lawyer, I strongly advise a proactive approach. Dealing with the new requirements at an early stage enables companies to minimize potential legal risks and gain a competitive advantage. While implementing the new security standards will involve costs and effort, it can lead to an improved market position in the long term. Companies that adapt early can use this as a differentiating factor and strengthen the trust of their customers.

I would be happy to support you in the legally compliant implementation of the new cybersecurity requirements. From analyzing your current situation to drafting adapted contracts and supporting the implementation process, my law firm is at your side with in-depth expertise. We offer tailor-made solutions that take into account both the legal and technical aspects of the new regulations. Let us work together to ensure that your company is optimally equipped for the regulatory challenges of the future. In an increasingly networked world, cybersecurity is becoming a decisive factor for business success. Take the opportunity to position yourself as a pioneer in security and compliance.