Below is a summary of the following data security laws that will impact SaaS suppliers and SaaS customers in 2025: the EU Network and Information Systems Directive 2, the EU Digital Operational Resilience Act, the EU Cyber Resilience Act, the EU Critical Entities Resilience Directive and the UK Product Security and Telecommunications Infrastructure Act. Some of these laws apply extra-territorially, meaning they apply even when a SaaS supplier is not located in the UK or the EU (respectively).
It is important to be aware of these new laws in order to assess whether or not they apply to your particular SaaS business, products and services.
The EU Network and Information Systems Directive 2 (NIS2)
NIS2 applies to “in-scope entities” that operate in, or have critical infrastructure located in, the EU. This EU directive only comes into effect in each EU Member State once that Member State passes its own national law implementing the directive. This means that the laws in each EU Member State under NIS2 will differ.
To date only around 5 EU Member States have implemented NIS2 into their national laws. France and Germany, for example, have not yet passed their new draft laws.
In-Scope Entities
NIS2 makes a distinction between “essential” and “important” entities based on:
- The size of the entity; and
- The sector in which they operate.
Essential Entities
Essential entities are large entities operating in highly critical sectors (as listed in Annex I of NIS2), summarised below:
- Health;
- Energy;
- Transport;
- Digital infrastructures;
- Drinking water;
- Banking;
- Financial markets;
- Waste water;
- Space;
- ICT service management; and
- Public administration.
These entities are subject to more active regulatory oversight and stricter penalties for non-compliance.
Important Entities
Important entities are other medium and large entities operating in critical sectors (as listed in Annex II of NIS2), summarised below:
- Digital providers of market places, search engines or social networking platforms;
- Waste management;
- Manufacturing;
- Chemicals manufacture and distribution;
- Postal services;
- Food production and distribution; and
- Research.
These entities are subject to regulatory interest if authorities become aware of non-compliance.
Exempted Entities
Small businesses (i.e. businesses with fewer than 50 employees and an annual turnover of less than 10m Euros) are exempted from NIS2, unless they operate in certain highly critical sectors.
NIS2 is extra-territorial in relation to entities that have a significant presence in an EU country, such as a trading legal entity, facilities, operations or staff, or that provide services to the EU market.
Non-EU entities subject to NIS2 must appoint an EU Representative.
ENISA has published voluntary technical guidance to support Member States and in-scope entities in implementing the technical and methodological requirements for cyber security risk management measures applying to critical entities under NIS2.
The EU Digital Operational Resilience Act (DORA)
Since the 17th of January 2025, DORA provisions must be included in contracts entered into between financial services entities subject to DORA and their third party providers of ICT services. As SaaS suppliers are third party providers of digital and data services on an ongoing basis, they will be third party providers of ICT services where their SaaS customers are regulated by DORA.
Both the SaaS customer and the SaaS supplier must comply with their applicable mandatory obligations under DORA.
How to assess DORA compliance
Where a SaaS supplier provides ICT services to any SaaS customers regulated by DORA, SaaS suppliers need to:
- Identify whether or not they provide any “critical” or “important” services to such SaaS customers; and
- Amend the terms of existing SaaS agreements with such SaaS customers, to include the relevant DORA provisions.
SaaS suppliers should ensure that any new obligations customers try to add to SaaS agreements are limited to the mandatory requirements set out in DORA. Obligations applicable to “critical” or “important” services, as these are defined by DORA, should not be added unless the SaaS supplier itself (not the SaaS customer) provides “critical” or “important” ICT services.
The EU Cyber Resilience Act (CRA)
The Cyber Resilience Act establishes a minimum level of cyber security for all connected products available on the EU market. This new law applies in all EU Member States and will be implemented gradually.
Products covered by the CRA
All products sold in the EU that contain “digital elements” must meet the essential requirements of the CRA. This includes low-cost consumer products as well as B2B software and complex high-end industrial systems. “Products with digital elements” are defined in the CRA as products that can be connected to a device or a network and include both hardware products with networked functions (e.g. smartphones, laptops, smart home products, smart watches, internet connected toys, but also microprocessors, firewalls and smart meters) and pure software products (e.g. accounting software, computer games, mobile apps).
Non-commercial open source software products are exempt from the CRA and therefore do not have to fulfil the requirements of the CRA.
Manufacturers can be fined up to 15 million Euros or 2.5% of their total annual worldwide turnover, whichever is higher, for a breach.
The EU Critical Entities Resilience Directive (CER)
The CER applies to all critical entities that operate (e.g. provide services to individuals) within the EU, across 11 sectors. Member States must identify critical entities operating within their borders and designate a competent authority for enforcement of the CER by the 17th of July 2026.
The CER operates alongside NIS2 to enhance the resilience of critical entities in the EU in respect of all hazards, going beyond cyber security to anticipate other natural, man-made, accidental or intentional risks.
The CER does not differentiate between “essential” and “important” entities, using instead the general terminology of “critical entities” for providers of essential services.
Each EU Member State will determine penalties, which must be effective, proportionate, and dissuasive.
The CER does not apply to a SaaS supplier until they are identified as a critical entity by a Member State.
UK Product Security and Telecommunications Infrastructure (PSTI) Act – 29th April 2024
This UK law governs the security of consumer connectable devices used or made available to UK consumers. The security measures of the PSTI apply to manufacturers, retailers, importers and distributors of connectable products and smart devices. The telecommunications infrastructure measures apply to network operators and infrastructure providers.
The PSTI outlines the types of products that may be “relevant connected products” which include:
- “internet-connectable products” which means a product that is capable of connecting to the internet; and
- “network-connectable products” which means a product that: (i) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; (ii) is not an internet-connectable product; and (iii) meets the first or second connectability condition.
“UK consumer connectable products” are defined in clause 54 of the PSTI as a relevant connectable product which either:
- Is, or has been, available to UK consumers and has not been supplied by a relevant person to any customer (whether in the UK or not) at any time before being made so available (i.e. is not used at the point at which it is made available to customers) (Condition A); or
- Is, or has been, made available to customers in the UK who are not consumers, has not been supplied by a relevant person to any customer (whether in the UK or not) at any time before being made so available (i.e. is not used at the point at which it is made available to customers), and is identical to products that meet Condition A (Condition B).
A product may therefore meet the definition of a UK consumer connectable product even if it is solely aimed at business customers. For example, a smart camera may be advertised to business users but not to consumers in the UK because the distributor sells the camera only to businesses. However, if products identical to that smart camera (e.g. a smart camera of the same make and model) have been advertised (i.e. made available) to consumers in the UK by another distributor, the camera would be considered a UK consumer connectable product when made available by the first distributor.
Actions to Take Now
There are many new EU and UK laws now in force, coming into force in stages, or coming into force in the next 18 months that could affect SaaS suppliers.
After considering the above summary, SaaS suppliers need to consider which of the above laws do, could or may apply to the products and services they supply or the sectors in which their business operates. This will depend upon numerous different factors for each law, such as:
- The location of the SaaS supplier;
- The location of customers, suppliers, data holders;
- Whether services are provided B2B or B2C;
- The global turnover of the SaaS supplier;
- The sector in which the SaaS supplier operates;
- The types of services being provided by the SaaS supplier;
- The sector in which the SaaS customer operates;
- Whether or not IoT services are provided; and
- The specific EU country in which the SaaS supplier, its customers or the services are being made available.
Each of the above laws will need to be assessed separately to determine if, and how, they apply. SaaS suppliers need to take action now to ensure their compliance with the above laws, as there are no grace periods for non-compliance.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues please contact me:
irene.bodle@bodlelaw.com
www.bodlelaw.com