IT regulatory landscape in 2025: an interview with Prof. Dr. Kipker

Kamile Viezelyte
Cybersecurity Content Writer

Regulatory compliance is a constant yet necessary headache for businesses. Regulations are not set in stone—just because a business met the criteria of one framework or another two years ago does not mean it’ll be sufficient a year from now. In 2025, as we see new technologies like AI emerge, businesses must adapt and prepare to meet new regulatory standards.

So, what do businesses need to know as new regulations roll in and evolve? Prof. Dr. Dennis-Kenji Kipker, member of NordPass Advisory Board, answered some of the most pressing questions about the current cybersecurity landscape in the EU, what AI risks new regulations aim to prevent, and how businesses can prepare for compliance policies that will come into force in 2025.

Kipker is a Professor of IT Security Law at the University of Applied Sciences Bremen and the Scientific Director of the cyberintelligence.institute in Frankfurt. He’s one of the leading cybersecurity experts in the world, acting as an advisor to the European Commission and the German Federal Government. Kipker’s research focuses on cyberlaw, international IT law, and IT consumer protection.

New and updated regulations come into effect every year. What are the major EU regulations coming into force in 2025 that businesses should be aware of?

This year we’ll see several key regulations taking effect. These include the Digital Operational Resilience Act (DORA) for financial institutions, the AI Act, the European Accessibility Act (EAA), and the NIS2 Directive. All these regulations have varying requirements but altogether aim to enhance digital security, compliance, and ethical AI deployment in the EU.

Let’s start with the Digital Operational Resilience Act (DORA). What can you tell us about its impact on financial institutions and IT service providers?

The DORA went into effect earlier this year, on January 17. Its aim is to strengthen the IT security of various financial entities and ensure they’re prepared for potential operational disruption. So, here we’re talking about banks, insurance companies, and the like.

More specifically, DORA requires financial entities to implement stronger cybersecurity frameworks, conduct regular risk assessments, and ensure third-party ICT providers meet security standards. It impacts the overall standards of financial cybersecurity in the EU.

The Network and Information Security Directive 2 (NIS2) entered into force in October 2024. Nevertheless, it’s still a relatively recent legislation for businesses. What have been the key changes stepping away from NIS1 and into NIS2?

Compared to the earlier framework, NIS2 expands the scope of cybersecurity obligations beyond critical infrastructure to include more sectors, such as healthcare, manufacturing, and cloud service providers. It also mandates a faster incident reporting timeframe—businesses must relay this information within 24 hours of an incident occurring.

The NIS2 also introduced stronger risk management policies and established that every EU member state must follow uniform criteria to enforce cybersecurity measures and determine which entities must adhere to them. If an organization fails to meet the NIS2 requirements, its managing bodies are held liable.

AI prevails as one of the most pressing topics, and the EU Artificial Intelligence Act is set to become one of the world’s first AI regulations. What does it aim to achieve?

The AI Act is really the first comprehensive regulation of this kind—it entered into force in August 2024, and its first requirements started to be applied in February. Firstly, it classifies AI systems based on their risk level: that means banning harmful AI, setting strict requirements for high-risk AI in fields like healthcare or law enforcement, and mandating transparency for AI-generated content—think deepfakes.

The first stage of application encompasses prohibitions and AI literacy obligations specifically; broader application is due in August this year. This will be the biggest implementation, covering governance, confidentiality, and penalties, among other requirements. The final applications will be enacted in August 2026 and August 2027.

What kinds of AI applications will be banned under the AI Act? How will companies deploying AI in the EU need to comply with the new rules?

The banned AI applications list includes AI systems that can manipulate human behavior, exploit vulnerabilities, and employ government-led social scoring.

As for companies that use AI in high-risk sectors, they’ll have to conduct risk assessments, maintain detailed documentation, ensure human oversight, and register their AI systems in an EU database.

The European Accessibility Act (EAA) is coming into effect in June this year. How will it impact tech companies? What are the penalties for companies that fail to comply with the new accessibility rules?

The EAA mandates that digital services, such as websites, apps, and e-commerce platforms, must be accessible to people with disabilities. For instance, businesses must redesign user interfaces and offer assistive technology support, like alt text for images. Overall, the EAA follows four key principles of accessibility:

  • Perceivability, meaning that all information of the service must be presented in a way that users can perceive regardless of their disability;

  • Operability, or how the user interacts with the interface and how accessible the navigation is;

  • Understandability, which requires all information to be easy to understand without unnecessary complexities;

  • Robustness, meaning all content must work on different devices and platforms, including assistive technology.

Companies that fail to comply will certainly face penalties, which will vary between EU countries. However, we know that financial fines will range from €1,000 (the lowest fine rate, in Malta) to €500,000 (the highest fine rate, in Germany). Other penalties include legal action and bans on selling non-compliant products or services in the EU.

Finally, what’s your advice for businesses preparing for these upcoming regulations?

Firstly, companies should conduct compliance audits. Some frameworks issue official certifications of compliance. It’s important for businesses to take the initiative with compliance frameworks and analyze the requirements themselves. That said, working with external consultants can help answer some individual questions regarding compliance.

Updating risk management strategies is also essential. For instance, with the new NIS2 requirements, it’s essential for businesses to have a system in place to react to incidents in a timely manner.

Investing in cybersecurity and AI governance is another recommendation. As the next application stage for the EU AI Act is in August, it gives time for organizations to review what AI governance services they use now and what they plan to use in the future.

And, of course, employee training is always key. Ensuring employees are familiar with and understand the new regulatory requirements can help ensure that the right practices are upheld in an organization.
