Your 2026 digital compliance playbook: What are the key laws affecting cyber security and data protection?


The compliance landscape for cyber security and data protection in 2026 is a complex array of regulations. New and forthcoming laws across the UK and EU are transforming how cloud and digital service providers must manage data, security, and consumer rights. From the EU’s far-reaching Artificial Intelligence Act to the UK’s evolving data and online safety regime, the next year will be defined by a fundamental shift towards accountability, transparency, and resilience.


Every company must understand these laws are enforceable, extra-territorial, and often come with multi-million-euro fines for non-compliance. Even suppliers based outside the EU or UK are caught if their systems, data, or users touch those regions. Here, we break down the most significant laws now shaping digital compliance — and what each means for any business delivering services in the cloud.



The Data Landscape: AI, Access and Accountability

The EU AI Act

The EU Artificial Intelligence Act is the world’s first comprehensive AI law, categorising AI systems by risk — from unacceptable to minimal. Systems deemed to pose an “unacceptable risk”, such as social scoring or predictive policing, have been prohibited since February 2025. High-risk systems, including those used in recruitment, education, and healthcare, are subject to strict oversight which began in August 2025. Limited-risk and minimal-risk systems will follow in 2026.


The AI Act applies not only to EU-based providers but also to any business whose AI outputs are used within the EU. Providers of general-purpose AI (GPAI) models, deployers of AI systems, and manufacturers incorporating AI into products are all caught by its provisions. Non-EU businesses must appoint an EU representative to ensure compliance.


For cloud and digital service providers, this means reviewing how AI models are embedded within their platforms, whether for analytics, automation, or customer engagement. Compliance now extends beyond GDPR to include transparency, explainability, and accountability for algorithmic outcomes. Breaches can result in fines of up to €35 million or 7% of annual global turnover.


The EU Data Act

Effective from September 2025, the EU Data Act is equally transformative. It establishes new rights for individuals and organisations to access and share data generated by connected devices, from smart machinery to industrial IoT systems. Crucially, it compels SaaS and cloud providers to eliminate barriers that prevent customers from switching platforms.


Under the Act, contracts must now guarantee that customers can terminate agreements on two months’ notice, export their data within 30 days, and have it deleted promptly thereafter. From 2027, switching services must be provided free of charge. Providers must also promote interoperability and ensure that data portability follows recognised standards such as ISO/IEC 19941:2017.


For compliance teams, this means updating contracts, rewriting data handling clauses, and designing exit strategies that meet regulatory expectations. The Act’s extra-territorial scope and emphasis on “data sharing by design” signal a new era of customer control and supplier transparency. Providers that fail to adapt could face fines of up to 4% of global turnover.


The UK Data (Use and Access) Act 2025

The UK’s counterpart to the Data Act, the Data (Use and Access) Act, or DUAA, is gradually overhauling the UK’s data protection regime. Certain provisions are already in force, including changes to the Privacy and Electronic Communications Regulations (PECR), which now cover all calls and communications, even those not successfully delivered.


The law also introduces new flexibilities, such as reduced consent requirements for statistical cookies and certain charitable marketing activities. Future changes, expected to be phased in through secondary legislation, will tackle issues such as data subject access requests, automated decision-making, legitimate interests, and international data transfers.


With PECR fines now aligned to GDPR levels — up to £17.5 million — organisations must review their data governance, marketing practices, and privacy notices. The European Commission has only extended the UK’s adequacy decision until December 2025, meaning cross-border data flows could soon face renewed scrutiny.


Cyber Resilience and Security Obligations

The EU NIS2 Directive

The NIS2 Directive is the EU’s updated cyber security framework, extending beyond critical infrastructure to include sectors such as digital services, manufacturing, and research. It differentiates between “essential” and “important” entities, both of which are subject to strict cyber risk management and reporting requirements.


Even non-EU entities fall within its reach if they have a significant presence or provide services into the EU market. SaaS companies supporting digital infrastructures, marketplaces, or financial services must expect heightened scrutiny. Each EU Member State is responsible for implementing NIS2 into national law, meaning the precise obligations and penalties vary, but non-compliance will carry severe financial and reputational risks.


The Digital Operational Resilience Act (DORA)

Financial institutions regulated under DORA must ensure that all their ICT providers meet resilience and contractual requirements. Since January 2025, DORA clauses must be incorporated into all relevant service contracts.


For many companies this creates a dual compliance challenge: meeting DORA standards themselves while also managing their own subcontractors and dependencies. Providers must assess whether they deliver “critical” or “important” services and negotiate contract terms carefully to avoid taking on liabilities intended for regulated financial institutions.


The Cyber Resilience Act (CRA)

The CRA, now in its implementation phase across the EU, imposes baseline security standards on all products with digital elements, from consumer smart devices to complex industrial systems. It mandates secure design, vulnerability management, and clear update obligations.


SaaS providers that integrate with or support such products must ensure their systems align with CRA expectations, especially where software vulnerabilities could impact safety or data integrity. Fines can reach €15 million or 2.5% of annual global turnover.


The Critical Entities Resilience Directive (CER)

Complementing NIS2, the CER focuses on the physical and operational resilience of critical entities across eleven sectors, from energy to healthcare. Its goal is to protect against all hazards, not just cyber threats. Companies identified as “critical entities” by a Member State will face compliance obligations around continuity planning, risk management, and incident response by mid-2026.


The UK PSTI Act

The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act targets the security of consumer connected devices, from smart speakers to cameras. While it’s primarily a consumer protection measure, its definition of “connected products” is broad enough to capture B2B use cases.


Manufacturers, distributors, and retailers must implement minimum security standards, such as banning universal default passwords and mandating clear vulnerability disclosure policies. SaaS providers developing or integrating with UK consumer IoT ecosystems should expect compliance requests from partners and customers.


Online Platforms, Consumers and Digital Accountability

The EU Digital Services Act (DSA)

The DSA modernises the EU’s rules for online intermediaries. While its most stringent requirements target “very large online platforms” and search engines, smaller providers offering hosting or user content services are not immune.


Obligations include mechanisms for reporting illegal content, transparency about automated decision-making, and regular accountability reporting. Non-compliance can lead to fines of up to 6% of global turnover, and all non-EU entities serving EU users must appoint an EU representative.


The EU Accessibility Directive (EAA)

Accessibility is now a compliance issue, not just a design choice. The EAA requires certain digital products and services — including online banking and ticketing systems — to be accessible to disabled people. Any provider with at least ten employees and €2 million in turnover must comply by June 2025 for new services and by 2030 for all products.


Conformance with Web Content Accessibility Guidelines (WCAG) remains the benchmark. Providers that fail to meet accessibility requirements risk exclusion from public sector contracts and enforcement by national authorities.


The UK Online Safety Act (OSA)

The UK’s Online Safety Act takes a more interventionist approach than the DSA, focusing on user-generated content and child protection. It applies to search engines, social media platforms, and any service enabling users to share content.


Following Ofcom’s Children’s Safety Code of Practice offers a recognised route to compliance, though organisations may use alternative measures if they can demonstrate equivalent protection. Companies hosting collaborative or user-content environments should assess whether their platforms fall within scope.


The UK Digital Markets, Competition and Consumers Act (DMCC)

The DMCC, in force since 2024, expands consumer protections around pricing, subscriptions, and online fairness. It targets practices such as fake reviews, misleading pricing, and automatic renewals without proper consent.


The law applies extra-territorially and introduces heavy fines of up to 10% of global turnover for breaches. Providers offering subscription-based services to UK consumers will need to comply with new contract and cancellation rules due in spring 2026.


The Revised EU Product Liability Directive (PLD)

Coming into effect in December 2026, the updated Product Liability Directive extends strict liability to software, firmware, and AI systems. Any defect, such as a cybersecurity flaw, could trigger liability if it causes harm.


Software will be treated like any other product. Security, patching, and quality assurance will become legal obligations, not just best practices.


What this means for compliance teams

Across the board, these developments demand proactive compliance planning. Contracts must be rewritten to reflect new rights and obligations. Data governance frameworks must evolve to manage portability, sharing, and switching. AI usage must be transparent, explainable, and ethically defensible. Cyber resilience must be embedded into product lifecycles and vendor relationships.


The common theme is accountability. Regulators are closing gaps that once allowed cloud providers to operate with limited oversight. Whether it’s the EU’s Data Act, the UK’s DUAA, or the web of security directives, the expectation is clear: compliance is not a checkbox, but a continuous operational discipline.


Cyber security and data protection 2026 checklist

AI & Data

  • Map all AI systems and classify them under the EU AI Act (unacceptable, high, limited, minimal).

  • Appoint an EU Representative if any AI output is used in the EU.

  • Update SaaS contracts to include Data Act switching and portability clauses.

  • Implement data export and deletion processes (30-day completion, standard formats).

  • Review DUAA and PECR updates — ensure marketing and cookie practices align with UK changes.

  • Audit cross-border data transfers before UK adequacy decision expires (Dec 2025).


Cybersecurity & Resilience

  • Identify whether your company qualifies as an “essential” or “important” entity under NIS2.

  • Implement mandatory cyber risk management and incident reporting processes.

  • For financial-sector clients, integrate DORA clauses into all ICT service contracts.

  • Align software security measures with Cyber Resilience Act requirements.

  • Conduct resilience and continuity assessments if classified as a critical entity (CER).


Online Platforms & Consumer Protection

  • If hosting user content, implement DSA-style content reporting and moderation procedures.

  • Ensure services meet accessibility standards (WCAG 2.1) to comply with the EAA.

  • Assess whether your platform falls under UK OSA or must comply with Ofcom’s Code.

  • Update consumer subscription flows for DMCC Act (Spring 2026) — clear renewals, easy cancellations.

  • Review product liability exposure — software vulnerabilities can trigger PLD claims from 2026.


Governance & Oversight

  • Establish a compliance register tracking applicable laws and implementation status.

  • Review and refresh privacy policies, vendor agreements, and internal data-handling procedures.

  • Train staff on new AI, data, and cybersecurity obligations.

  • Engage legal counsel to ensure multi-jurisdictional coverage for EU and UK requirements.