Insights
February 6, 2025

Compliance Roadmap 2025: An overview of important information

What IT decision makers need to know now to meet the new EU requirements


2025 is the year of compliance and cybersecurity.

Numerous IT security-related regulations, such as NIS-2, DORA and the EU Data Act, are on the roadmap for this year. They will pose major compliance challenges for companies and institutions.

This article gives you a compact overview of 5 important security regulations, their requirements and specific tips for implementation. This is how you stay on course — legally secure and future-oriented.

Compliance roadmap overview

(Figure: Bare.ID compliance roadmap timeline)

1. NIS-2 — cybersecurity for more companies

The NIS-2 Directive (Directive (EU) 2022/2555 on network and information security) aims to raise and harmonise the level of cybersecurity of companies and institutions across the EU. Member States had to transpose it by 17 October 2024; in Germany, the implementing law is expected to come into force in March 2025.

That's important to know:

  • Expanded scope: From wastewater and logistics companies to digital service providers, NIS-2 covers far more sectors and company sizes than the first NIS Directive did; as a rule, medium-sized and large entities in the listed sectors are in scope.
  • Stricter requirements: Risk management, incident reporting (early warning within 24 hours, full notification within 72 hours), business continuity and supply-chain security move into focus, and the catalogue of measures explicitly names access control policies, multi-factor authentication and cryptography.
  • Management liability: Management bodies must approve the cybersecurity risk-management measures, oversee their implementation and attend training themselves; they can be held personally liable for breaches.

How to prepare for NIS-2:

  1. Identify security gaps and risks in your organization.
  2. Review and improve your reporting and response processes for security incidents so that the 24-hour and 72-hour deadlines can be met.
  3. Implement technical and organizational security measures, such as network monitoring, access controls and multi-factor authentication.
  4. Train employees regularly to promote security awareness.

Tip: Use security solutions such as Bare.ID to efficiently implement access controls.

More about this: Learn more about NIS-2 and how Bare.ID can help you comply here.

2. DORA — IT security for the financial sector

With the DORA regulation (Digital Operational Resilience Act), the EU is strengthening the digital resilience of the financial sector. As an EU regulation it applies directly, without national transposition, and has applied since January 17, 2025. Banks, insurance companies, investment firms, payment service providers and credit rating agencies are affected, among others, as are ICT third-party service providers designated as critical.

The key requirements:

  1. ICT risk management (information and communication technology): Regular risk analyses and appropriate measures to minimise risks.
  2. Reporting ICT-related incidents: Major ICT-related incidents must be reported to the competent authority; the initial notification is due no later than 24 hours after the incident becomes known, followed by an intermediate and a final report.
  3. Continuous monitoring and testing: Regular digital operational resilience testing of ICT systems, including threat-led penetration testing (TLPT) at least every three years for the larger entities in scope.
  4. Management of third-party providers: Contracts with ICT service providers must contain the prescribed clauses (security requirements, audit and access rights, exit strategies), and a register of information on all ICT third-party arrangements must be maintained.
  5. Business continuity: Robust recovery plans are mandatory.

How to prepare for DORA:

  • Check whether your IT systems already meet BaFin's earlier IT supervisory requirements (BAIT, VAIT, KAIT), which DORA now supersedes. Systems that met them often provide a good basis for DORA compliance.
  • Implement monitoring tools to identify, classify and report ICT incidents in real time.
  • Develop specific emergency plans to minimize business disruptions.

Tip: By integrating security measures at an early stage, you can avoid costly adjustments later on.

More about this: Find out more about DORA and how Bare.ID can help you comply here.

3. EU Data Act — Use and protect data better

The EU Data Act (Regulation (EU) 2023/2854) sets new rules for access to and use of corporate data. It covers data sharing between companies, between companies and consumers, and between companies and public authorities. It entered into force on 11 January 2024 and applies from September 12, 2025.

Who does the Data Act affect?

  • Manufacturers and users of connected devices (e.g. cars, household appliances, machines).
  • Providers of data processing services, such as cloud providers.
  • Any company that may be required to share data with public-sector bodies in cases of exceptional need (e.g. public emergencies).

Key requirements:

  1. Strengthening user rights: Consumers and companies get access to the data generated by the connected products they use and may share it with third parties.
  2. Fair competition: The Data Act is intended to prevent large companies from monopolizing data and to give smaller companies better access to data.
  3. Data portability: Switching between data processing services such as cloud providers must be made easier, and switching charges are to be phased out.

How to prepare for the Data Act:

Companies should prepare for the new requirements early on, as the deadline of September 2025 is tight.

  • Review your data management and adjust processes to ensure data portability and fair access.
  • Verify that your IT infrastructure supports the new standards, particularly with regard to interoperability.

The Data Act can be found at eur-lex.europa.eu.

4. Cyber Resilience Act — Security for Digital Products

The Cyber Resilience Act (CRA) ensures greater cybersecurity for products with digital elements. The regulation entered into force on 10 December 2024, but there are transition periods: the reporting obligations apply from 11 September 2026, and most other obligations from 11 December 2027.

Products with digital elements are defined in the CRA as software or hardware products, including their remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. They include both hardware products with networked functions and pure software products.

What is in store for manufacturers of digital products?

  • CE marking: Products with digital elements must bear the CE mark, which under the CRA also confirms conformity with the essential cybersecurity requirements. Most products can be self-assessed by the manufacturer; "important" and "critical" products are subject to stricter conformity assessment.
  • Mandatory vulnerability handling: Manufacturers must identify and fix vulnerabilities throughout a support period of at least five years (or the product's expected lifetime, if shorter), provide security updates free of charge and maintain a software bill of materials (SBOM).
  • Reporting: Actively exploited vulnerabilities and severe incidents affecting product security must be reported via the central reporting platform to ENISA and the national CSIRT, with an early warning within 24 hours and a notification within 72 hours.

Here's how to prepare for the Cyber Resilience Act:

  • Establish "security by design" in product development.
  • Establish a process to identify, handle and fix vulnerabilities, including a way to produce and maintain an SBOM for each product.
  • Train your development teams on the CRA security requirements.

This is particularly a challenge for small and medium-sized enterprises (SMEs), as it requires financial, human and technical resources to meet the extensive security requirements. Compliance with the CRA can therefore involve significant costs and organizational effort for SMEs.

On the BSI website you can find further information on the CRA.

5. AI Act — guidelines for artificial intelligence

The AI Act (Regulation (EU) 2024/1689) regulates the development and use of artificial intelligence in the EU. The aim is to promote trustworthy AI systems and minimize risks. It entered into force on 1 August 2024 and applies in stages: the prohibitions on unacceptable-risk systems apply from 2 February 2025, the rules for general-purpose AI models from 2 August 2025, and most remaining obligations, including those for high-risk systems, from 2 August 2026. As an EU regulation it applies directly; Member States must designate national competent authorities and lay down penalties rather than transpose it into national law.

The AI Act follows a so-called risk-based approach: the higher the risk assessed for an AI application, the stricter the requirements.

Here is an overview of the risk levels:

  • Minimal risk: Many AI applications, such as spam filters or AI-based video games, are not subject to any special requirements.
  • Limited risk (transparency obligations): People must be told when they interact with an AI system such as a chatbot, and AI-generated or manipulated content (e.g. deepfakes) must be labelled as such.
  • High risk: Strict requirements for AI in areas such as medical devices, recruitment and human resources, or critical infrastructure, including risk management, data governance, technical documentation, logging, human oversight and conformity assessment.
  • Unacceptable risk: AI systems that enable "social scoring" by governments or companies, manipulative techniques that exploit people's vulnerabilities and certain biometric practices are seen as a clear threat to fundamental rights and are prohibited.

Here's how to prepare for the AI Act:

The EU Member States are currently setting up the supervisory authorities and penalty regimes the AI Act requires, and the Commission is specifying the detailed requirements in guidelines, standards and codes of practice. Companies developing and using AI should nevertheless prepare for implementation now.

  • Analyze the requirements for your specific AI application at an early stage, starting with its risk classification.
  • Document your AI systems in detail to meet the transparency requirements.
  • Pay attention to ethical standards to minimize risks.

The full AI Act can be found in the Official Journal of the European Union.

This is how Bare.ID can help you with many of the new regulations

The upcoming regulations not only present challenges, but also offer opportunities.

Companies that act in good time can not only minimize compliance risks, but also position themselves as future-proof partners for customers and investors. In this complex regulatory environment, a robust authentication platform such as Bare.ID can play a key role.

Bare.ID helps companies to efficiently meet many of the new requirements — from implementing strict access controls including multi-factor authentication in accordance with NIS-2 to ensuring data portability in accordance with the EU Data Act. Those who underpin their compliance strategy with advanced technology solutions not only create the conditions for legal compliance, but also for sustainable growth in a digitalized business world.
