01-08-2025 · Article

Update Data Protection No. 197

EU digital law 2025 – new requirements to consider

The new year has begun. Many companies have largely completed their strategic planning for the 2025 financial year. But what can companies expect from a regulatory perspective in terms of digital law and what questions from their own customers can be expected on the subject of IT compliance? This article provides a brief overview, along with recommendations for implementation.

1. Product safety

The EU General Product Safety Regulation (GPSR) came into force a little over two weeks ago (December 13, 2024) and brings with it significant changes, for example for online retailers. This regulation aims to ensure the safety of products sold within the EU, including with regard to new technologies and online sales.

1.1 Requirements for online retailers

The GPSR applies, among others, to manufacturers, importers and fulfillment service providers, but also to online retailers. The latter must, for example, ensure that the products they sell are safe and meet EU safety standards. This includes providing technical documentation that demonstrates the safety of the products. This documentation must be based on an internal risk analysis by the manufacturer and must include a general description of the product, an analysis of the risks and the technical means used to mitigate these risks.

1.2 Digital provision of information

The regulation allows economic operators to additionally provide information on the identification of the product and the economic operators, as well as instructions and safety information, in digital form using electronic solutions such as QR codes or data matrix codes. This makes it easier for consumers and authorities to access important product information.

1.3 Traceability and responsibility

The GPSR also stipulates that online retailers must ensure that products or services are not offered as long as the required information is not complete. This means that online retailers must randomly check whether the products or services offered have been classified as illegal in official, freely accessible and machine-readable online databases or online interfaces.

1.4 Implementation

Affected companies, including online store operators, should promptly provide their product detail pages with all the necessary safety information, warnings and manufacturer information in the respective national language, as well as implement a systematic documentation management system for supply chain traceability. In addition, clear processes for product testing, recall management and the reporting of safety incidents must be established, with employees receiving appropriate training. For more information, see this article.

2. E-invoices

From January 1, 2025, all companies in the EU must be able to receive electronic invoices in a first step. This obligation arises from an amendment to § 14 of the German VAT Act based on the Growth Opportunities Act, which aims to improve efficiency and transparency in accounting and reduce administrative burdens. After a transition period (2026/2027), all outgoing invoices must also meet the new requirements; PDF invoices will no longer be sufficient.

2.1 Requirements for businesses

Businesses must ensure that their IT systems are able to receive electronic invoices in the prescribed format. This may require investment in new software or customization of existing systems. Businesses should also ensure that their employees are trained to deal with the new requirements.

2.2 Benefits of e-invoicing

The introduction of e-invoicing offers numerous advantages, including faster invoice processing, lower error rates and improved traceability. In addition, by automating the invoicing process, companies can save costs and increase the efficiency of their finance department.

2.3 Implementation

Companies should analyze their existing incoming invoice processes and ensure that they are technically and organizationally equipped to receive structured electronic invoices. The minimum requirement is the setup of an email inbox for receiving invoices, although larger companies should consider implementing an invoice receipt portal or automated invoice processing.

3. Information security in the financial sector

The Digital Operational Resilience Act (DORA) will apply from January 17, 2025 and aims to strengthen the digital operational resilience of financial companies, with the involvement of contracted ICT service providers. This regulation is a response to the increasing cyber threats and growing dependence on digital technologies in the financial sector.

3.1 Requirements for financial companies

Financial companies must, among other things, ensure that they have robust IT systems and processes in place to detect, prevent, and respond to cyber threats. This includes conducting regular risk assessments, implementing security measures, and training employees in cybersecurity.

3.2 Requirements for ICT service providers

ICT service providers that provide services to financial companies (such as managed services) must also ensure that their systems and processes meet the DORA requirements. This means that they must be able to detect and respond to cyber threats and that they must regularly audit and test their systems.

3.3 Collaboration and reporting requirements

Financial firms and ICT service providers must work closely together to ensure that they meet the requirements of DORA. In addition, they must report cyber incidents to the relevant authorities without delay and take measures to minimize the impact of such incidents.

3.4 Implementation

Financial firms must, among other things, implement comprehensive ICT risk management with regular testing and maintain a contract register for critical ICT service providers that includes exit strategies and minimum requirements for contracts. ICT service providers that are classified as critical must provide their services in accordance with strict DORA requirements and maintain appropriate incident reporting and contingency plans that must be tested regularly. In January 2025, financial companies will often already be in the final stages of implementing DORA. We are currently helping many ICT service providers to adapt their contracts to the new DORA requirements. You can find more information about DORA in this article.

4. Artificial Intelligence

The AI Act came into force in August 2024 and aims to regulate the development and use of artificial intelligence (AI) in the EU. This regulation lays down specific requirements for the development, deployment and monitoring of AI systems to ensure that they are safe and trustworthy.

4.1 Requirements for AI systems

AI systems must be designed and developed in a way that they meet the essential requirements of safety, transparency and fairness. In high-risk areas, this includes conducting risk assessments, implementing safeguards and providing clear and comprehensible information about how the AI system works.

4.2 Prohibited AI applications

The AI Act prohibits certain applications of AI that are considered particularly risky or harmful. These include, for example, AI systems used for subliminal influence, exploitation of weakness or emotion recognition in the workplace. Companies that develop or use such systems must find alternative solutions by February 2, 2025 (fines of up to €35 million are possible).

4.3 Promoting AI competence, implementation

The AI Act also promotes the development of AI skills in the EU. This includes supporting research and development in the field of AI and promoting training and further education programs. Users of AI systems must have developed the necessary AI competence in the company by February 2, 2025. We recommend the use of an AI policy tailored to the company and AI training for all relevant employees. We can provide legal support in both cases. You can find more information on this topic in this article.

5. Information security for important facilities (> 50 employees)

The NIS2 Implementation Act (NIS2UmsuCG) may still come into force this spring, provided that an agreement can be reached in the Bundestag. The law already affects companies with more than 50 employees that operate in one of the regulated sectors (energy, transport, banking, healthcare, drinking water, sewage, digital infrastructure, space economy, public administration, ICT service management, providers of important internet nodes, postal and courier services, waste management, chemicals, food industry, manufacturing industry – including mechanical engineering – digital services and research). In total, about 30,000 companies in Germany will be affected by the new regulations.

5.1 Requirements

All affected companies must register with the Federal Office for Information Security (BSI) within three months of the regulations coming into force. They are obliged to implement comprehensive risk management for their network and information systems and to report security incidents immediately. Companies must also set up encrypted communication channels and take appropriate measures to ensure the security of their personnel. Particularly important facilities are subject to regular official inspections, while important facilities are only inspected if there is suspicion of violations or after major security incidents.

5.2 Implementation

Affected companies should promptly implement an information security management system (ISMS) that includes technical and organizational measures to protect network and information systems, as well as register with the BSI and set up a reporting system for security incidents. Additional requirements include the introduction of encrypted communication channels, the development of business continuity plans and the regular training of employees, whereby the measures must be verifiable through appropriate documentation. We are currently providing particular support with impact analysis and legal advice on the introduction of the ISMS, as well as on the adaptation of our clients' contracts with suppliers and service providers. You can find more information on this topic in this article.

6. Energy labeling

The EU Energy Efficiency Directive has already been implemented in Germany. Starting June 20, 2025, the requirements for energy labeling will also apply to smartphones and tablets.

6.1 Requirements for companies

Companies that sell smartphones and tablets must ensure that these products are labeled with an energy label. This label must include information about the product's energy consumption and its energy efficiency class. Companies must also ensure that this information is available in all advertising material and on their website.

6.2 Implementation

From June 20, 2025, retailers must label all newly marketed smartphones and tablets with the new EU energy label, which, in addition to the energy efficiency class (A-G), also includes information on battery life, drop resistance, reparability and ingress protection. The labeling requirement applies both to specific product offers and to advertising, and requires a QR code, trademark, model identifier and other specified product information to be provided. It does not apply to used devices unless they are imported from third countries.

7. Accessibility

The Accessibility Strengthening Act (BFSG) comes into force on June 28, 2025 and defines new requirements for the accessibility of websites and online services. The law aims to ensure that all people, including people with disabilities, have equal access to digital services.

7.1 Requirements for companies

Businesses that offer online services or websites with additional services (such as online shops, calendar functions) must ensure that these are accessible. This includes implementing measures to improve accessibility, such as providing text alternatives for images, using clear and understandable text, and ensuring that all website functions are accessible using a keyboard and screen reader.

7.2 Benefits of accessibility

Improving the accessibility of websites and online services offers numerous benefits, including greater reach and an improved user experience for all users. In addition, accessibility helps to minimize legal risks and ensure compliance with legal requirements.

7.3 Implementation

Companies should develop a comprehensive accessibility concept by June 2025 that includes technical measures (such as accessible websites and documents), organizational adjustments (such as employee training) and design changes, and should appoint an accessibility officer if they employ more than 400 people. In practice, accessibility must be integrated into all business processes: digital offerings need alternative texts for images, a clear navigation structure and guaranteed keyboard accessibility, and all measures should be documented comprehensively for subsequent regulatory audits. We provide support (if desired, with the involvement of specialized digital agencies) in implementing BFSG compliance. For more information on this topic, please refer to this article.

8. Data Act

The Data Act, which will apply from September 12, 2025, aims to regulate access to and use of data in the EU. This regulation sets out specific requirements for the collection, storage and use of data to ensure that it is done fairly and transparently.

8.1 Requirements for manufacturers of connected products

Manufacturers of connected products (including smartphones, smart appliances, and connected vehicles) must ensure that the data collected by their products is processed securely and transparently. They must also be able to provide their users with free and continuous data access. This includes implementing measures to ensure data security, providing clear and comprehensible information about data collection and use, and complying with applicable data protection regulations.

8.2 Requirements for users and data brokers

The Data Act strengthens the position of users by granting them free access to the data they generate themselves from networked devices and allowing them to decide freely whether to share it. For companies, especially SMEs, new business opportunities are opening up as so-called “data recipients” through improved access to previously unused industrial data and the opportunity to develop innovative business models.

8.3 Requirements for ICT service providers

ICT service providers that independently assume hosting obligations towards their customers may, as data processing service providers, have to implement extensive contractual, technical and organizational measures so that customers can switch smoothly to other providers or to an on-premise infrastructure within 30 days; this includes providing detailed information on switching procedures, data formats and interoperability specifications, and maintaining an online registry. In addition, they must publish up-to-date information on their websites about the jurisdiction of their ICT infrastructure, implement appropriate technical and organizational measures against unauthorized access by third countries, and may not charge switching fees after September 2027.

8.4 Advantages of the Data Act

The Data Act offers numerous advantages, including improved data security, greater transparency and improved use of data. In addition, the Data Act helps to increase consumer trust in data usage and ensure compliance with legal requirements.

8.5 Implementation

Affected companies must adapt their technical systems and contracts by September 2025 to provide users with free access to the data they generate and to enable the sharing of this data with third parties, with a particular focus on implementing standardized interfaces and secure transmission channels. ICT service providers acting as data processing services must simplify switching processes, ensure interoperability and provide transparent information about their data storage, while all affected companies must revise their terms and conditions and establish processes for handling data requests. We are currently providing particular support to manufacturers of networked products with the gap analysis and to ICT service providers with the adaptation of their contracts with a view to implementing the new switching processes. You can find more information on this topic in this article.

9. Cyber Resilience Act

The Cyber Resilience Act (CRA) came into force on December 10, 2024. It will be implemented in stages, with conformity assessment bodies being able to check compliance from May 2026. The first incident reporting requirements will apply from August 2026, while all requirements must be fully met by December 11, 2027.

9.1 CRA requirements

Manufacturers of connected products (including machines) must carry out comprehensive cybersecurity risk assessments throughout the entire product development process. They are obliged to create a detailed software bill of materials and to provide security updates for a period of at least five years. Each compliant product must be CE marked. Security incidents must be reported within 24 hours, and users must also be informed about resolved vulnerabilities.

9.2 Requirements for other market participants

Retailers and importers are responsible for the CRA conformity of the products they sell. If non-conformity is detected, they must immediately take corrective action and, if necessary, withdraw the products from the market. The market surveillance authorities must be informed immediately in the event of significant risks.

9.4 Implementation

Manufacturers and importers of products with digital elements must implement comprehensive cybersecurity risk management that covers the entire product lifecycle, including CE marking, declaration of conformity, technical documentation and the provision of security updates for at least five years. Companies must also establish processes for reporting security incidents within 24 hours, create and maintain a software bill of materials (SBOM), and implement vulnerability management systems that enable a rapid response to discovered vulnerabilities. We are currently providing particular support with the gap analysis, i.e. the inventory for CRA compliance. You can find more information on this topic in this article.

10. Conclusion

The above contents are structured chronologically according to the temporal validity of the respective regulations. In summary, the following deadlines apply:

  • 13.12.2024: Product safety (GPSR)
  • 01.01.2025: E-invoices (readiness to receive, § 14 UStG)
  • 17.01.2025: Information security in the financial sector (DORA)
  • 02.02.2025: Artificial Intelligence (AI Competence)
  • (if applicable) March 2025: Information Security for Critical Infrastructures (NIS-2)
  • 20.06.2025: Energy Labeling (Smartphones, Tablets)
  • 28.06.2025: Accessibility (BFSG)
  • 12.09.2025: Data Act
  • 11.12.2027: Cyber Resilience Act (CRA)

At the same time, other new requirements must also be observed, e.g. Digital Services Act, P2B Regulation, Data Governance Act, E-Evidence Regulation or European Health Data Space Act (about to come into force).

You are also welcome to attend a webinar on the topic of information security (NIS-2, DORA, CRA) on January 22, 2025, which we are conducting together with Thales S.A., one of the world's leading providers of encryption technologies. You can find more information here.

We have put together implementation packages for each of the above areas, some of them together with cooperation partners, where technical and organizational implementation measures are required. We also offer short introductory workshops, which we can also conduct via video conference. Please feel free to contact us.