AGIDAT – Data Protection | Information Security

Laws & Regulations

GDPR, BDSG, NIS2, EU AI Act — the key laws shaping data protection and cybersecurity.

An overview of the most important data protection and cybersecurity regulations affecting organizations in Germany and the EU. This is a summary for informational purposes — for legal advice specific to your situation, consult a qualified professional.

GDPR

General Data Protection Regulation (EU) 2016/679

Primary EU data protection law, in force since 24 May 2016 and applicable since 25 May 2018.

The GDPR applies to organizations established in the EU and, under Article 3(2), to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It establishes rights for data subjects and obligations for controllers and processors: records of processing activities (Article 30), appropriate technical and organizational security measures (Article 32), handling of data subject requests, notification of personal data breaches to the supervisory authority without undue delay and where feasible within 72 hours (Article 33), and in some cases appointment of a Data Protection Officer (Article 37).

BDSG

Bundesdatenschutzgesetz (Federal Data Protection Act)

German national data protection law supplementing the GDPR.

The BDSG supplements and specifies the GDPR in Germany through the opening clauses under which member states retain discretion. It covers employee data protection (§ 26 BDSG), data processing by public authorities, and the German threshold for mandatory DPO appointment: as a rule at least 20 persons constantly engaged in automated processing of personal data (§ 38 BDSG).

NIS2

NIS2 Directive (EU) 2022/2555

EU cybersecurity directive significantly expanding mandatory security obligations.

NIS2 significantly widens the scope of mandatory cybersecurity requirements across the EU compared with the original NIS Directive (EU) 2016/1148. It covers "essential" and "important" entities in 18 sectors (including energy, transport, banking, health, digital infrastructure, public administration, manufacturing and food). Obligations include risk management measures (Article 21), staged incident reporting to the national CSIRT or competent authority (an early warning within 24 hours, an incident notification within 72 hours and a final report within one month, Article 23), supply chain security, and personal accountability of management bodies, which must approve and oversee the security measures and receive training (Article 20). Germany transposes NIS2 through the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), which amends the BSI Act (BSIG).

EU AI Act

EU Artificial Intelligence Act (Regulation (EU) 2024/1689)

First comprehensive AI regulation; in force since 1 August 2024, with obligations applying in stages (prohibitions since 2 February 2025, most remaining obligations from 2 August 2026).

The EU AI Act establishes a risk-based framework for AI systems, classifying them as unacceptable risk (prohibited practices, Article 5), high risk (stringent requirements), limited risk (transparency obligations, Article 50) or minimal risk (no specific requirements). High-risk use cases listed in Annex III, among them employment, education, access to essential services including healthcare, law enforcement and critical infrastructure, face risk management, data governance, technical documentation, logging, human oversight and conformity assessment requirements. Obligations fall not only on providers but also on deployers, so organizations using AI tools, including off-the-shelf solutions, may have compliance obligations (Article 26); in addition, all providers and deployers must ensure a sufficient level of AI literacy among their staff (Article 4).

ePrivacy

ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC, commonly called the Cookie Directive)

Governs cookies, electronic marketing, and confidentiality of communications.

In Germany the Directive is implemented mainly through the TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, named TTDSG until May 2024). Its § 25 requires informed consent before information is stored on, or read from, a user's device unless this is strictly necessary for a service the user has requested; this applies to any such access, not only to cookies. The Directive's rules on unsolicited direct marketing by e-mail and SMS (Article 13) are transposed mainly in § 7 UWG (the Act against Unfair Competition). The long-anticipated ePrivacy Regulation intended to replace the Directive was never adopted; the Commission announced the withdrawal of the proposal in its 2025 work programme.
