EU data, AI, and cybersecurity regulation: What companies need to prepare for
Data, AI, and cybersecurity regulation in the EU is no longer a topic that only legal teams can follow from a distance. It now affects how companies buy software, manage supplier relationships, use AI tools, share data, switch cloud services, and prepare for security incidents.
In a recent Zefort webinar, I gave a practical update on where EU data, AI, and cybersecurity regulation stand now. The discussion focused on the EU Data Act, the AI Act, the Digital Omnibus package, and the growing body of cybersecurity regulation that companies need to track.
The core message is clear: many rules are already in force or close to application, but several important details are still changing. Companies should not wait for every interpretation to settle before they start preparing.
In this article, you’ll learn:
- What the EU Data Act means for connected products, data access, and cloud switching
- How the AI Act changes the way organizations need to assess AI use cases
- Why the Digital Omnibus package may shift timelines and obligations
- What cybersecurity regulation means for suppliers, products and critical entities
- How legal, procurement and business teams can prepare in practice
Why EU digital regulation now needs a joined-up approach
Many organizations used to treat data protection, cybersecurity, AI governance, and supplier contracts as separate workstreams. That approach is becoming harder to maintain.
The current EU regulatory landscape ties these areas more closely together. A company that uses AI may also need to assess personal data processing, supplier commitments, cybersecurity requirements, and contractual controls. A company that provides cloud services may need to review data portability, termination rights, customer information duties, and migration support. A company that manufactures connected products may need to understand what product data it must make available, to whom, and under which conditions.
This is why a fragmented response creates risk. Legal, procurement, IT, security, product, and leadership teams need a shared view of which rules apply, which obligations are already active, and which changes may arrive next.
The EU Data Act is already relevant for contracts and service models
The EU Data Act is one of the most important pieces of current data regulation for companies that work with connected products, related services or cloud services.
For connected products and related services, the Data Act focuses on access to data generated by those products and services. In practical terms, users gain stronger rights to understand what data connected products and related services generate, and to access that data.
That can create complex situations, because users can also have that data shared with a third party of their choice, and the third party receiving the data could even be a competitor of the product manufacturer or service provider. Companies therefore need to understand what data they hold, what must be shared, what may be protected, and how to manage trade secrets and other sensitive business information.
The Data Act also creates important obligations around cloud switching. The goal is to remove technical, contractual, and financial barriers that prevent customers from moving from one data processing service to another or bringing services in-house.
This has direct contract implications. Companies that provide services within the scope of the rules may need to update customer contracts, review termination rights, prepare data transfer mechanisms, and support customers during migration. In some cases, the regulation may affect business models by changing the way certain fees for switching or data transfer are allowed.
Open questions remain under the Data Act
Although the Data Act is already part of the regulatory reality, not every practical question has a clear answer.
One key issue is the role of the data holder. In many cases, this may be the manufacturer of a connected product or the provider of a related service. But the answer can become less obvious when data is stored or managed through another provider, or when several parties control different parts of the data environment.
Another difficult question concerns the scope of data processing services, especially cloud services. The definition is broad, and some parts of it still leave room for interpretation. This creates uncertainty for companies trying to decide whether they fall within scope and what changes they need to make.
The practical answer is not to ignore the issue until every authority has published detailed guidance. Companies should map their services, identify likely areas of exposure, and prepare for contract and process changes where the regulation may apply.
The AI Act makes AI use case assessment essential
The EU AI Act takes a risk-based approach. The most important point for many organizations is that the risk category depends on the intended use of the AI system, not only on the tool itself.
A familiar AI tool may be low-risk in one context and high-risk in another. For example, using an AI assistant for internal drafting or information support may not create any regulatory obligations. Using an AI system to support recruitment decisions, employee evaluation, or other sensitive decision-making may move the use case into a high-risk category.
This makes AI governance highly practical. Organizations need to know which AI tools they use, and what people use them for. Without that visibility, it becomes difficult to decide whether the organization acts as a deployer, provider, or another regulated role under the AI Act and what risk category the intended use falls into.
Companies should also remember that the AI Act does not replace GDPR. When AI systems process personal data, data protection rules continue to apply. In some cases, AI adoption may require data protection impact assessments, updated supplier terms, or stronger internal controls.
AI governance should start before the deadline
Some AI Act obligations are already in force, while other requirements have application dates that may still shift.* The Digital Omnibus package will likely delay certain high-risk AI requirements, partly because organizations need clearer guidance and standards before they can comply effectively.
But a possible delay should not become an excuse to do nothing.
Many AI compliance tasks are easier to build at the start than to fix later. If a company adopts an AI system without understanding its purpose, data flows, supplier commitments, human oversight model, and risk category, it may face expensive rework later.
Practical preparation starts with a few basic questions:
- Which AI systems does the organization already use?
- Who uses them and for what purpose?
- Do any use cases involve recruitment, employee assessment, education, critical infrastructure, safety components in products subject to third-party pre-market evaluation, or other higher-risk areas?
- What personal data is processed?
- Do supplier contracts support the organization’s compliance needs?
- Who owns AI governance internally?
For legal and procurement teams, this also means AI-related contract terms matter more. Supplier agreements should clarify responsibilities, documentation, support for compliance, data use, security, auditability, and change management.
The Digital Omnibus package may simplify rules, but uncertainty remains
The Digital Omnibus package aims to simplify parts of EU digital regulation. It includes proposed changes related to AI and data regulation, cybersecurity, and GDPR.
For AI, one of the most closely watched proposals concerns the timing of high-risk AI obligations. The idea is to push certain requirements back so that guidance and standards can catch up before enforcement begins in full.
For the Data Act, the package may consolidate several data-related rules into a broader framework. It may also adjust rules on trade secret protection, public-sector data requests, cloud switching, and smart contracts.
However, these proposals are not final. Some parts are likely to be heavily debated, especially those involving GDPR and cybersecurity changes. Companies should monitor the process, but they should also prepare in line with the rules already in force and the direction of travel.
The direction is clear enough: companies will need better control, documentation, risk management, and accountability around digital services, AI, and data.
Cybersecurity regulation is expanding across sectors and products
Cybersecurity regulation is no longer limited to a narrow set of heavily regulated industries. The EU has introduced and continues to develop rules that affect financial services, critical infrastructure, digital products, AI systems, and supply chains.
Key regulatory areas include NIS2, DORA, the Cyber Resilience Act, the Critical Entities Resilience Directive, and cybersecurity-related obligations under the AI Act.
The Cyber Resilience Act is especially relevant for products with digital elements. It introduces cybersecurity requirements for product design, development, and vulnerability management. In practice, this pushes companies toward security-by-design and stronger vulnerability-reporting processes.
The Critical Entities Resilience Directive focuses on the resilience of critical infrastructure. In Finland, national implementation will determine which organizations are identified as critical entities and what requirements apply to them. For affected organizations, the rules may create new obligations around physical and operational resilience.**
Even companies that are not directly regulated may still feel the impact through customer requirements and supplier assessments. Larger customers, regulated industries, and critical entities often pass requirements through contracts. This makes cybersecurity readiness a commercial issue as well as a compliance issue.
What legal, procurement, and business teams should do now
The practical challenge is not only understanding each regulation. It is turning that understanding into manageable work.
Legal teams should review which laws may apply, what contracts need updates, and where responsibilities sit between the company and its suppliers. Procurement teams should improve supplier questions around AI, data access, cloud switching, cybersecurity, and incident handling. Product and IT teams should understand how requirements affect design, documentation, data flows, and technical controls.
For contract management, the impact is clear. As regulations become more detailed, companies need a better grasp of supplier agreements, customer commitments, data processing terms, termination rights, audit clauses, security requirements, and responsibilities around AI use.
Contracts are often where regulatory readiness becomes concrete. If a company cannot find the right agreement, check the relevant clause, or understand what a supplier has committed to, compliance becomes much harder to manage in practice.
This does not mean every company needs to rebuild its entire contract process at once. But it does mean contracts should be part of the regulatory readiness work from the beginning. Legal, procurement, IT, security, and business teams need a shared way to identify which agreements are affected, what needs to be updated, and where supplier commitments may need closer review.
How to prepare without overcomplicating the work
Companies do not need to solve every open regulatory question at once. But they do need a clear starting point.
A practical first step is to define the scope. Which products, services, AI tools, contracts, suppliers, and parts of the organization may be affected? After that, assign ownership. Someone needs to coordinate the work across legal, IT, security, procurement, and the relevant business teams.
Next, run a gap analysis. Compare current practices against the requirements that are already in force or likely to apply. Look at contract templates, supplier terms, AI governance policies, cybersecurity processes, data transfer mechanisms, and incident response procedures.
For cybersecurity, companies should pay special attention to risk management, incident detection, incident handling, reporting, and supplier security. For AI, they should build visibility into which AI systems they use, what they are used for, and who is responsible for governance. For data regulation, they should review data access, data sharing, and cloud switching requirements.
The best time to start was earlier. The second-best time is now.
🔑 Key takeaways
- EU data, AI, and cybersecurity regulations now affect legal, procurement, IT, security, and business teams.
- The Data Act creates practical obligations around connected product data, data access, third-party sharing, and cloud switching.
- Cloud service providers may need to update contracts, migration processes, customer information, and data transfer mechanisms.
- The AI Act requires organizations to assess AI systems based on how they are used, not just the tools they use.
- High-risk AI timelines are shifting under the Digital Omnibus package, but companies should still prepare early.
- Cybersecurity regulation is expanding from NIS2 and DORA to the Cyber Resilience Act and critical entity rules.
- Supplier contracts and contract visibility can play an important role in managing regulatory obligations.
- Companies should start with scope, ownership, gap analysis, and practical governance rather than waiting for every detail to settle.
The webinar is available on demand in Finnish.
*Update: Since this webinar was recorded, the Council and Parliament have reached a provisional political agreement on changes to the high-risk AI timeline. Under the agreement, rules for stand-alone high-risk AI systems would apply from 2 December 2027, while rules for high-risk AI systems embedded in products would apply from 2 August 2028. The agreement still needs formal adoption.
**Clarification: In Finland, ministries are responsible for identifying critical entities. According to Finland’s Ministry of the Interior, ministries must finalize their first list of critical entities by 17 July 2026. The Ministry also states that critical entities must prepare for risks that could disrupt critical services, including natural hazards, accidents, and sabotage or terrorism.