Security + privacy regulations in the European Union

The EU leads global privacy and security regulation, and the pace is accelerating. GDPR (Regulation 2016/679) applies extraterritorially to any service offered to EU residents: your solo SaaS from Sydney is in scope the moment a French customer signs up. Penalties theoretically reach 4% of global revenue or €20M, whichever is higher; in practice, Data Protection Authorities have been willing to warn small-business first-time offenders rather than fine them immediately.

The EU AI Act (Regulation 2024/1689) entered into force in August 2024 with a phased enforcement schedule. Prohibitions hit February 2025. General-Purpose AI (GPAI) obligations hit August 2025. High-risk system requirements and most downstream-use obligations hit August 2026, which is the big wave for AI-built apps. Full administrative-penalty enforcement is being phased in through 2027, with fines of up to 7% of global turnover for prohibited-AI violations.

The Cyber Resilience Act requires CE marking for digital products sold in the EU by 2027: every SaaS, every IoT device, every library released commercially. The NIS2 Directive extends cybersecurity obligations to 'essential' and 'important' entities across most industries. DORA (Digital Operational Resilience Act, in force January 2025) imposes strict operational-resilience requirements on financial services and their critical third-party providers (which means your B2B SaaS if you sell to EU banks).

For a startup, the pragmatic priority is GDPR compliance first (a weekend of work with templates), then EU AI Act readiness if you ship AI features (model card + human-oversight docs), then ISO 27001 when selling to EU enterprise.

Key laws + frameworks

GDPR

General Data Protection Regulation. The global gold standard for privacy.

EU AI Act

Risk-tiered AI regulation. High-risk AI systems face extensive obligations. Limited-risk (most chatbots) only need transparency.

Cyber Resilience Act (CRA)

CE marking required for digital products sold in EU by 2027.

NIS2 Directive

Network + Information Security Directive for essential + important entities. Member-state implementation 2024-2025.

DORA

Digital Operational Resilience Act for financial services (in force Jan 2025). Extends to critical third-party providers.

ePrivacy Directive

Cookies + electronic-marketing consent. ePrivacy Regulation has been in negotiation for years and may eventually replace it.

ISO 27001

De facto international security standard for EU enterprise procurement.

Regulators

  • Data Protection Authorities (per-country, ~28 total)
  • European Data Protection Board (EDPB)
  • ENISA (cybersecurity agency)
  • AI Office (for AI Act)
  • European Banking Authority (DORA)

Breach notification

GDPR: notification to the lead supervisory authority within 72 hours of becoming aware of a personal-data breach posing risk to rights and freedoms; notification to affected individuals if high risk. NIS2: within 24 hours for essential entities (with follow-up reports at 72h and one month). DORA has separate timelines for ICT incidents.

Cross-border transfer

Data transfer out of the EU requires one of: (a) an adequacy decision for the destination country (UK, Switzerland, Japan, South Korea, US via DPF, etc.), (b) Standard Contractual Clauses + a Transfer Impact Assessment, (c) Binding Corporate Rules for intra-group transfers, (d) explicit consent of the data subject. Schrems II invalidated the previous EU-US Privacy Shield; EU-US Data Privacy Framework replaced it in July 2023 but faces ongoing legal challenges.

Startup priority

Priority stack for EU-facing SaaS: (1) GDPR-compliant Privacy Policy + DPA + cookie banner + Article 30 register of processing activities; (2) EU AI Act: publish an AI Bill of Materials / model card if you ship any AI feature, and document human-oversight procedures for high-risk uses; (3) ISO 27001 when you start selling to EU enterprise (complementary to SOC 2); (4) NIS2 and DORA only apply if you're in an essential/important sector or serve one as a critical supplier.