SMEs Under Pressure: Compliance Requirements from NIS2, DADG, and AI Regulation Accumulate

In a nutshell: Mid-sized enterprises must manage NIS2 requirements, DADG obligations, and EU AI Act compliance in parallel, which ties up resources and expertise.

German SMEs are simultaneously facing multiple new regulatory requirements: NIS2, the General Data Protection Regulation, and EU provisions on AI regulation. This creates significant organizational and financial challenges for Chief Data Officers and compliance managers.

European mid-sized companies are confronted with an accumulation of compliance requirements. The NIS2 Directive obligates enterprises to implement technical and organizational measures in IT security, the new Data Protection Agreement Germany-United Kingdom (DADG) regulates data flows between markets, and the EU AI Act prescribes governance structures for AI systems.

For Chief Data Officers and compliance executives, this means parallel implementation across multiple levels: IT security measures must be integrated into existing data protection and AI governance. This requires updated policies, new technical control mechanisms, and often additional personnel resources, to which smaller and mid-sized enterprises in particular have only limited access.

The overlapping timelines of these regulatory initiatives complicate a phased compliance strategy. Instead of implementing requirements sequentially, many mid-sized enterprises must simultaneously prioritize requirements that are often still being clarified. Gaps in technical and legal expertise, together with external consulting costs, quickly add up to a substantial burden.


Source: news.google.com · Published 2 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.2.