# CYBER RESILIENCE & CYBERSECURITY

Cyber resilience and cybersecurity are essential for companies in all industries. In the European Union, the Cyber Resilience Act (CRA), the NIS2 Directive, the AI Act, the New Product Liability Directive and the DORA Regulation place particularly high demands on IT security and risk management. Violations can have serious consequences, including heavy fines and liability risks for companies and their managers. Your company could be affected by the following regulations:

## Cyber Resilience Act

Leupold Legal supports manufacturers of products with digital elements, such as smart home appliances, smartphones, smartwatches, smart toys and computer games, in

  • ensuring compliance with the legal requirements for the cybersecurity of their products, which must already be addressed in the design phase if the products are to be placed on the market from 2027,
  • complying with their documentation, information and reporting obligations,
  • fulfilling their obligations to provide regular updates and to disclose vulnerabilities in their products.

## NIS2 Directive

Leupold Legal advises the management bodies of essential and important entities on fulfilling their legal risk management and reporting obligations under the NIS2 directive. The number of obligated entities has increased from 1,900 to around 30,000, including but not limited to entities in the following sectors:

  • Energy
  • Transport
  • Banking
  • Healthcare
  • Digital infrastructure (e.g. cloud service providers).

Companies can use the online check provided by the German Federal Office for Information Security (BSI) to determine whether they are affected by the NIS2 directive. However, this is only an initial guide. The BSI recommends that affected companies seek external advice if necessary to identify any need for action.

## AI Act

The EU’s AI Act also imposes cybersecurity requirements. Leupold Legal tells you what needs to be done to comply.

## Product Liability Directive

Products that do not meet the relevant cybersecurity requirements can, under the new EU Product Liability Directive, trigger strict liability on the part of the manufacturer, importer and other economic operators for resulting damages.

This is of particular importance for software-as-a-service (SaaS) products, whose cybersecurity must be established for the entire duration of their use.

Leupold Legal will tell you what you need to do to achieve this and how you can avoid product liability in other cases by taking the right measures.

## DORA

Leupold Legal advises financial companies on compliance with their special IT security obligations under the European Digital Operational Resilience Act (DORA), which has been applicable since 17 January 2025. This includes, in particular, advice on the DORA requirements for

  • establishing comprehensive ICT risk management,
  • handling, classifying and reporting (serious) ICT-related incidents,
  • testing digital operational resilience,
  • monitoring third-party service providers,
  • the emergency strategy for maintaining ICT business continuity.

Leupold Legal supports you in complying with your cyber resilience and cybersecurity obligations with

  • Advice on implementing regulatory requirements and on the compliance obligations of management and their personal liability
  • Development of cybersecurity and resilience strategies
  • Legal support in certification and compliance procedures
  • Drafting contracts with (third-party) service providers and cloud providers, in particular to ensure compliance with appropriate information security standards and to avoid ‘lock-in’ effects
  • Preparation for official inspections and audits
  • Advice on how to respond to reportable cyber incidents and how to avoid heavy fines and reputational damage.

Protect your company from cyber threats and legal risks.

T +49(0) 89 64 95 65 63