Regulating Data: EU Data Act & More - December Edition

The EU’s digital regulatory landscape is evolving at unprecedented speed, creating both new compliance challenges and strategic opportunities in Europe.

23 December 2025

Publication


Welcome to the fourth edition of Regulating Data: EU Data Act & More.

The EU’s digital regulatory landscape is evolving at unprecedented speed, creating both new compliance challenges and strategic opportunities for businesses operating in Europe. Staying informed and proactive is essential to ensure your organisation remains competitive and compliant. In this edition, we highlight several important developments that could directly affect your business:

  • Data Act Implementation Laws: An up-to-date overview of how Member States are progressing with national implementation, including enforcement authorities and sanction regimes.
  • NIS 2 Implementation in Germany: Key provisions of Germany’s NIS 2 implementation law, with a focus on the expanded scope and impact on cloud service providers.
  • EU Cloud and AI Development Act (EPRS Briefing): Insights into the EU’s legislative plans to strengthen digital infrastructure and reduce reliance on non-EU cloud providers.

For more information, including the EU Commission’s Digital Omnibus Proposal, please check out the previous edition of our newsletter.

1. Data Act Implementation Laws

Several EU Member States are progressing at different speeds with the implementation of the Data Act, adopting diverse approaches regarding competent authorities and sanction regimes. While a few countries have already enacted national laws and designated specific enforcement bodies, others are still in the consultation or drafting phase, and many have not yet made any substantial progress regarding the national implementation of the Data Act. Notably, maximum penalties and the structure of responsible authorities vary significantly across Member States, reflecting a fragmented landscape in the early stages of the Data Act’s national implementation.

Besides the implementation status in Germany, which we analysed in detail in the previous edition of our newsletter, noteworthy examples of Member States that have made progress in implementing the Data Act are:

1.1 Netherlands

The Netherlands has adopted the implementation legislation of the Data Act, appointing the Authority for Consumers and Markets (ACM) as the main enforcement body and data coordinator. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) oversees personal data compliance. The ACM may impose fines of up to 1,030,000 euros or 10% of annual turnover, whichever is higher.

1.2 Finland

Finland has confirmed its adoption of the national implementation of the Data Act. From 1 January 2025, the main authority responsible for enforcing the provisions of the Data Act will be the Finnish Transport and Communications Agency (Traficom). Traficom cooperates closely with the Finnish Consumer Ombudsman, the Finnish Competition and Consumer Authority, and the Data Protection Ombudsman. The implementation laws provide for fines of up to 4% or 2%, depending on the breach, of a company’s EU-wide turnover from the previous financial year.

1.3 Malta

Malta has also adopted its implementation law, assigning responsibilities to three authorities: the Malta Digital Innovation Authority (MDIA) for most Data Act provisions, the Malta Communications Authority (MCA) for Articles 23–31, 34–35 DA, and the Information and Data Protection Commissioner (IDPC) for personal data oversight. Sanctions include a maximum administrative fine of up to 5% of annual turnover for significant market effects. In all other cases, sanctions may reach up to 350,000 euros per infringement and/or 12,000 euros per day of non-compliance.

1.4 Czech Republic

The Czech government has proposed a framework law that, among other things, governs the national implementation of the Data Act. The draft sets out the designation of competent authorities and sanctions, with enforcement responsibilities distributed among the Czech Telecommunications Office (ČTÚ), the Data Protection Authority (ÚOOÚ), and the Digital and Information Agency (DIA). Sanctions for breaches of the Data Act may reach up to 20 million euros or 4% of global annual turnover.

1.5 France

France has not yet adopted a specific national law for the Data Act, although national legislation on data processing services has pre-empted some Data Act provisions since May 2024. The competent authorities are the Data Protection Authority and the Electronic Communications Authority, with maximum penalties reaching up to 3% of worldwide turnover, or 5% in the case of repeated breaches.

2. Strengthening Cybersecurity in Germany: NIS 2 Implementation Act

On 6 December 2025, the German implementation law of Directive (EU) 2022/2555, known as “NIS 2”, entered into force. This legislative measure represents a decisive step in Germany’s efforts to modernise its cybersecurity framework in accordance with EU requirements. Approximately 29,500 entities, including cloud computing service providers, are in scope and supervised by the Federal Office for Information Security (BSI) – more than six times the approximately 4,500 entities covered by the previous cybersecurity law.

2.1 Background

The implementation law transposes the NIS 2 Directive, which was adopted by the European Union in December 2022. The directive aims to establish a high common level of cybersecurity across Member States by introducing stricter security obligations, broader reporting requirements, and enhanced enforcement mechanisms. Germany’s implementation extends the regulatory framework previously established by the IT Security Act and IT Security Act 2.0, mainly by extending the scope and depth of cybersecurity requirements.

2.2 Strategic Rationale

According to the German Government, the European Commission has identified the security of critical infrastructure against physical and cyberattacks as one of the four main risks to the EU economy. Strengthening the resilience of the economy against attacks by criminals or states is therefore considered a key responsibility for state, industry and society. The explanatory memorandum of the governmental draft further notes that previous governance instruments, largely based on sub-statutory regulations, have proven insufficient to achieve a consistently high level of information security across the federal administration.

2.3 Impact on Cloud Computing Service Providers

The BSIG explicitly includes cloud computing service providers within its scope, transforming the scope of NIS 2 into binding national law:

According to Article 2 of the NIS 2 Directive, the directive “applies to public or private entities of a type referred to in Annex I or II”. Cloud computing service providers are listed in Annex I under No. 6.1.4. The thresholds for classification as an in-scope entity are comparatively low: providers are covered if they employ at least 50 people or have an annual turnover and balance sheet total of more than 10 million euros (sec. 28 (2) No. 4 CSIG). According to Recital 33 of the NIS 2 Directive, cloud computing services include, among other things, IaaS, PaaS, SaaS and NaaS.

2.4 Key Provisions

The implementation of NIS-2 introduces several important regulatory changes. Some of the most notable developments include the following:

  • Expansion of Regulatory Scope
    In Germany, NIS-2 will affect approximately 29,500 companies. It introduces two new categories of regulated entities (sec. 28 BSIG): “particularly important” and “important” entities. These categories encompass a wide range of sectors, including energy, healthcare, finance, transport and digital infrastructure.
    For Germany’s Federal Administration, the scope results from sec. 29 BSIG. The authorities covered are subject to most of the obligations that apply to particularly important entities (sec. 29 (2) BSIG).

  • Three-Stage Incident Reporting Regime
    The law replaces the previously applicable single-step notification model with a structured three-stage reporting system (sec. 32 BSIG). This is intended to minimise the bureaucratic burden on the entities concerned.

    • The first stage requires an initial alert to be submitted to the BSI within 24 hours of detecting a significant incident, indicating whether there is suspicion that the significant security incident is attributable to unlawful or malicious acts or could have cross-border implications.
    • The second stage involves a report within 72 hours. This report must confirm or update the initial report and contain a first assessment of the significant incident. It enables the BSI to evaluate the severity of the incident and initiate mitigation measures where necessary.
    • The third and final stage requires a final report to be submitted within one month. This report shall include a detailed description of the incident, a root cause analysis, a description of the mitigation measures taken and, where applicable, the cross-border implications of the security incident.

  • Supervisory Powers
    Under sec. 61-62 BSIG, the BSI is granted a wide range of possible measures. These include, amongst others, the power to order independent audits and certifications and to impose the measures necessary to prevent security incidents or to respond to them.

    Additionally, the BSI is entitled to impose fines under sec. 65(5)-(7) BSIG. For certain infringements, these fines can reach up to 2% of the company’s global turnover in the previous year for particularly important entities with a global turnover of more than 500 million euros and up to 1.4% of the global turnover in the previous year for important entities with a global turnover of more than 500 million euros. In all other cases, the maximum possible fines range from 100,000 euros to 7 million euros (important facilities) or 10 million euros (particularly important facilities), depending on the concrete infringement.

    The BSI’s role is further strengthened by its involvement in the newly introduced incident reporting regime as mentioned above.

  • Coordinator in Federal Administration
    Within the federal administration, sec. 48 BSIG establishes the role of a Chief Information Security Officer (CISO), exercised by the management of the BSI under the supervision of the Ministry for Digital Affairs and State Modernisation. The CISO coordinates operational information security management across the federal administration, monitors the implementation of programmes to ensure the information security of the federal government and supports federal authorities in implementing the requirements for information security management.

2.5 Conclusion

The adoption of the NIS-2 Implementation Act marks a significant milestone in Germany’s cybersecurity strategy. By expanding the regulatory scope, strengthening supervisory powers, and introducing a structured three-stage incident reporting regime, the law establishes a more robust and enforceable framework for both private-sector entities and federal administration. With the creation of the Federal Chief Information Security Officer and enhanced governance mechanisms, Germany is positioning itself to meet the growing challenges of cyber threats and to ensure a high level of resilience across critical infrastructure and public services.

3. EU Cloud and AI Development Act (EPRS Briefing)

The European Parliamentary Research Service (EPRS) has published a briefing on the forthcoming EU Cloud and AI Development Act (CADA), a legislative initiative designed to strengthen the EU’s technological autonomy and digital infrastructure – areas increasingly vital for AI innovation and the EU’s digital competitiveness. The CADA is intended to complement the Data Act, which – according to the EPRS – “laid down rules for cloud services providers”, such as provisions on cloud switching and safeguards against unlawful transfers of non-personal data to third countries.

3.1 Challenges

The briefing identifies several pressing challenges: the EU’s high dependency on non-EU cloud providers (primarily US companies), insufficient data centre capacity, and a lack of secure, EU-based cloud solutions for critical use cases. Currently, the EU lags behind the United States in both data centre capacity and cloud market share, underscoring the urgency of action.

3.2 Pillars of the CADA

The CADA is structured around three main pillars:

  • First, it aims to advance research and innovation by supporting resource-efficient, high-performance data processing infrastructure, including energy optimisation and decentralised computing.
  • Second, it seeks to create the right conditions for investment in and deployment of data centres. The Act addresses investment and deployment barriers by streamlining permitting processes, reducing high energy costs, and overcoming capital barriers, with the ambitious goal of tripling EU data centre capacity within five to seven years.
  • Third, the Act focuses on ensuring highly secure, EU-based cloud (and AI) computing capacity for critical use cases such as public administration, defence programmes and critical infrastructure. The briefing offers possible examples of how “a highly secure EU-based cloud capacity” might be defined and of the appropriate role of non-EU providers in the European cloud market.

3.3 Next steps and conclusion

The European Commission has already held a public consultation on the CADA, gathering stakeholder input on regulatory consistency, investment needs, and sovereignty requirements. The next steps will involve further consideration of this feedback as the legislative process moves forward. The CADA represents a significant step towards reducing the EU’s reliance on foreign cloud providers, fostering a competitive and innovative European cloud industry, and ensuring secure, sovereign digital infrastructure for the EU’s most critical applications.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.