Overview
Following our client alert at the beginning of the year, learn more about the EU data and cybersecurity regulations and their impact on organizations in 2025. Rosa Barcelo, Romain Perray, Julie Favreau, and Matúš Huba share additional insights from working with clients on these issues.
In Depth
What makes the EU Data Act more difficult to implement than the other EU Digital Package regulations, and how should companies prepare for compliance?
The Data Act is particularly challenging to implement because its scope of application is complex.
First, the regulation is divided into several chapters whose interplay is not always clear. Certain chapters are largely autonomous and apply to different categories of stakeholders. A company could therefore fall within the scope of one specific chapter of the Data Act (e.g., Chapter VI on switching between data processing services) without being affected by the others. Similarly, it is difficult for companies to determine which category of stakeholder they belong to, because certain definitions vary from one chapter to another. For instance, the term “data holder” covers both natural and legal persons under every chapter of the text except Chapter V (making data available to public sector bodies), which applies only to data holders that are legal persons.
Additionally, more than the other EU Digital Package regulations, the Data Act must be read together with other texts, in particular the General Data Protection Regulation and the ePrivacy Directive. Companies covered by the chapters on connected products and related services (i.e., Chapters II and III) must therefore identify whether some of the data generated by the product could qualify as “personal data.” In practice, this means building a data inventory (a “data library”) with a triage mechanism that separates personal from non-personal data, and monitoring the data lifecycle of the connected product or related service so that the library stays up to date.
Finally, the Data Act sets different timelines for different obligations, depending on various criteria such as the type of stakeholder and when the product was placed on the market. This is another challenging area for companies subject to the law.
As a first step towards Data Act compliance, companies should perform an in-depth audit of their activities against the topics above to determine whether they fall within the scope of the text and, if so, on what grounds.
What are the main challenges you see clients encounter in implementing the EU Data Act, and how do you help overcome them?
Our clients generally struggle with:
- Listing the exact data that their connected product and/or related service generates.
- Classifying such data, in particular identifying whether some of it falls within the exemptions provided by the Data Act (e.g., inferred or derived data and content data).
- The technical means of making the data available, including the triage between non-personal data and personal data.
- Whether trade secrets can be invoked to refuse access to data.
- The different timelines, which may overlap depending on the obligation concerned.
- The scope of the term “provider of data processing services,” which covers the natural or legal person that provides the data processing service (i.e., the cloud or edge provider), not the customer that relies on a service provided by another.
To help clients overcome these issues, we suggest the following action plan:
- Providing training sessions so that the relevant teams are equipped to handle the various obligations stemming from the Data Act.
- Analyzing the company’s activities to determine whether it falls within the scope of the Data Act and on what grounds.
- If relevant, performing a high-level audit of the existing data flows and the channels through which data is made available.
- If relevant, designing the data library from a legal perspective and selecting the most appropriate triage mechanism for access requests that involve personal data.
- Drafting appropriate internal procedures and transparency notices.
- Reviewing existing cloud services contracts and amending them as needed.
How does compliance differ across the three EU cybersecurity frameworks (the Network and Information Security 2 (NIS2) Directive, the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act)?
All three frameworks share the same objective, which is to improve the cybersecurity posture of different parts of the digital economy. NIS2 sets baseline requirements for the network and information systems of essential and important entities active in a broad range of sectors (from energy to health and digital infrastructure, among others), whereas DORA focuses on financial entities and their ICT service providers. The Cyber Resilience Act applies to a wide range of products with digital elements, both software and hardware.
Financial entities that comply with DORA are exempt from the equivalent NIS2 requirements on cybersecurity risk-management measures and incident notification (and the related supervision and enforcement), as DORA is lex specialis to NIS2. The Cyber Resilience Act complements NIS2 and is not intended to overlap with it. Similarly to the DORA-NIS2 relationship, compliance with relevant sectoral product legislation may partially or wholly exclude application of the Cyber Resilience Act.
Member States will decide the level of fines applicable under each framework. NIS2 sets a floor for the maximum fine that national law must provide: at least EUR 10 million or 2% of the total worldwide annual turnover of the group in the preceding financial year, whichever is higher, for essential entities, and at least EUR 7 million or 1.4% for important entities. The Cyber Resilience Act likewise sets maximum fine levels: up to EUR 15 million or up to 2.5% of the total worldwide annual turnover of the group in the preceding financial year, whichever is higher, for the most serious breaches, with lower thresholds for less serious violations.
Both NIS2 and DORA allow for the personal liability of members of management bodies (and other responsible individuals) for infringements. Such liability may take the form of civil, criminal, or administrative penalties, depending on local law.
What are the common questions your clients have about the EU cybersecurity frameworks, and how do you address them?
Client inquiries are mostly focused on NIS2 and DORA. This makes sense because both regimes are already fully applicable, whereas the Cyber Resilience Act only applies in stages: manufacturers’ reporting obligations apply from 11 September 2026, and the bulk of its obligations apply from 11 December 2027.
One of the preliminary NIS2 questions many clients ask is, “Does NIS2 apply to me?” This is because, compared to its predecessor, the scope of application of NIS2 is much broader and encompasses far more businesses. Some clients are surprised to discover that they are now fully covered by it. For example, the manufacturing sector is now covered and includes the manufacture of many types of products, from electrical equipment to machinery, motor vehicles, trailers, and many others.
Companies that must comply with NIS2 often ask for help bringing themselves into compliance. For example, NIS2 requires covered entities to register with their national authorities, and we have supported clients in preparing such registrations. We have also assisted clients in preparing cybersecurity training for boards of directors, which is mandatory for members of management bodies. Another area where companies need support is cybersecurity controls and incident reporting: NIS2 has triggered the need to create or update standard operating procedures for managing and notifying cybersecurity incidents, including the staged notification timelines (early warning, incident notification, and final report). Finally, jurisdictional issues are a common challenge for many clients. A recurrent request is to help companies understand which of the 27 Member States have jurisdiction over the company and/or its affiliates, including whether NIS2 also applies to entities not established in the EU that offer services in the EU.
Questions regarding the application of DORA come from financial entities as well as from ICT service providers of financial entities within the scope of DORA. The contractual safeguards that the service agreement with the financial entity must contain depend on the provider’s status and, in particular, on whether the ICT services support critical or important functions of the financial entity. All such agreements must include provisions on the availability, authenticity, integrity, and confidentiality of data, with additional requirements applying to services supporting critical or important functions. We often help providers determine their status under DORA (including whether they may be designated as a critical ICT third-party service provider) and prepare or negotiate DORA amendments to service contracts.