Welcome to the January edition of Schoenherr's to the point: technology & digitalisation newsletter!
We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.
As we step into a new year, January offers a rare pause between reflection and anticipation. In digital law, however, that pause is brief. 2026 is set to be a year in which regulatory expectations move decisively from planning to practice – and, for many organisations, from theory to enforcement.
Looking ahead, 2026 will be marked by several important regulatory milestones that signal a shift from legislative ambition to operational reality. Across the EU, the focus will increasingly be on the implementation and early enforcement of the AI Act, the Data Act and the Cyber Resilience Act, with guidance, delegated acts and initial supervisory actions expected throughout the year. For businesses, this means navigating overlapping regimes, aligning internal processes and preparing for closer supervisory scrutiny.
A further central development this year is the new GDPR Procedural Regulation. While the GDPR itself has been in force for several years, its cross-border enforcement has often been criticised as slow and fragmented. The new procedural framework is designed to change that.
Cybersecurity remains another defining theme for 2026. With the NIS2 Directive now being transposed into Austrian law, the scope of regulated entities expands significantly. The Austrian implementation underscores a clear message: cybersecurity is not only a technical issue, but a legal and organisational responsibility. Boards and managing directors are squarely in the spotlight.
Taken together, these developments point in one direction: digital regulation in 2026 is less about reacting to abstract legal texts and more about embedding compliance into day-to-day operations. However, keeping track of developments in digital law at both the EU and Member State levels is becoming an increasing challenge.
To assist you in meeting this challenge, we created the Digital Law Monitor. You can subscribe to the Digital Law Monitor by signing up for Schoenherr's Legal Insights or the Schönherr Datenschutzmonitor.
We wish you a successful and resilient 2026!
The EU's digital rulebook continues to move from paper to practice in 2026. Across devices, data, AI, cybersecurity and liability, this year's calendar compresses years of legislative work into concrete obligations for manufacturers, software providers, platforms and data users.
31 July – Right to Repair Directive: national transposition deadline
By the end of July, Member States must complete the transposition of the Right to Repair Directive (EU) 2024/1799, establishing a new baseline for repairability and post-sale service for consumer goods such as household appliances, mobile phones and e-bikes. It mandates consumer rights to repair, standardised information on repair options and an expansion of access to spare parts, tools and repair documentation for independent repairers. For manufacturers, this shifts lifecycle planning from a "sell-and-replace" model toward demonstrable durability, repair support and transparent repair pricing. For retailers and service networks, the directive creates opportunities for new after-market offerings built on predictable parts availability and clear disclosures.
2 August – AI Act: most requirements apply
The Artificial Intelligence Act (Regulation (EU) 2024/1689) enters its main application phase on 2 August 2026, moving the market from preparation to enforcement. Providers of high-risk systems will need to implement documented risk management, data governance, technical documentation, logging, transparency, human oversight and post-market monitoring, aligned with the harmonised standards as those are finalised. Deployers must perform use-context diligence, implement human oversight and manage downstream risks. The forthcoming "Digital Omnibus" may introduce changes to the timeline, but companies should plan against the current clock and update promptly if the Omnibus alters dates or scope.
11 September – Cyber Resilience Act: vulnerability and incident reporting begins
Under the Cyber Resilience Act (Regulation (EU) 2024/2847), manufacturers of "products with digital elements" must begin reporting actively exploited vulnerabilities and severe incidents affecting the security of their products from 11 September 2026, more than a year before the regulation's general application date of 11 December 2027. The timelines are short and fixed: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours and a final report afterwards (for an actively exploited vulnerability, no later than 14 days after a corrective or mitigating measure is available). This shifts product security from "best practice" to baseline compliance: secure‑by‑design engineering, a published coordinated vulnerability disclosure policy, software bills of materials (SBOMs) in a commonly used, machine‑readable format covering at least the product's top‑level dependencies, and end‑to‑end patch management for the duration of the support period become enforceable expectations.
12 September – Data Act: direct data access obligations bite
The Data Act (Regulation (EU) 2023/2854) has applied since 12 September 2025; on 12 September 2026 its access‑by‑design obligation (Article 3(1)) bites. Connected products and related services placed on the market after that date must be designed so that users can directly access and use the data they generate, including in real time, in a usable format. Data holders must design access pathways, define fair, reasonable and non-discriminatory (FRAND) terms for sharing, and implement safeguards for trade secrets. For IoT manufacturers and service providers, this is a product and contract redesign moment: human-centric data dashboards, standardised export APIs, tiered third-party access under use control and template FRAND terms are set to become competitive differentiators.
9 December – Product Liability Directive: national transposition deadline
Member States must complete the transposition of the new Product Liability Directive (EU) 2024/2853 by early December, modernising strict liability for a digital era. Coverage extends to software (including standalone and updates), AI-enabled products and digital components, and clarifies defectiveness in the context of cybersecurity and updates. For manufacturers and software publishers, this expands litigation exposure beyond physical defects, elevating the importance of update policies, security practices, quality management systems and documentation that evidences state-of-the-art design and diligence. Expect tighter alignment between product safety, cybersecurity, AI governance and litigation defence strategies.
What this means for 2026 planning
Taken together, these measures push organisations to operationalise "compliance by design" across the product lifecycle: secure development and patching, transparent documentation, disciplined AI governance, interoperable data access and robust post-market monitoring. The commercial upside is real. Companies that treat these rules as product features will not only reduce compliance risks but also earn customer trust. The risk of waiting is equally clear: enforcement is staged but real, liability paths are broader and market partners will prefer suppliers who can demonstrate conformity with evidence, not promises.
On 26 November 2025, "Regulation (EU) 2025/2518 of the European Parliament and of the Council of 26 November 2025 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679" (GDPR Procedural Regulation) was published in the EU's official journal, OJ L 2025/2518.
The GDPR Procedural Regulation aims to improve enforcement of the GDPR in cases concerning cross-border processing. It will apply to both investigations in complaint-based cases and ex officio cases, but only if data is processed across borders. In other words, it will regulate the cooperation between supervisory authorities in more detail than the GDPR and will also grant certain procedural rights to data subjects (complainants) and to controllers and processors (parties under investigation).
The GDPR Procedural Regulation consists of 68 recitals and 37 Articles. It lays down new or more detailed rules for:
§ the lodging of complaints (Article 4 of the Regulation);
§ an early resolution of complaints which concern the exercise of the rights of the data subjects (Article 5 of the Regulation);
§ the cooperation between the lead supervisory authority and the other supervisory authorities concerned (Article 60 GDPR), including a simple cooperation procedure and rules for the treatment of confidential information (Articles 6 to 26 of the Regulation);
§ dispute resolution by the European Data Protection Board (EDPB) pursuant to Article 65 GDPR (Articles 27 to 30 of the Regulation); and
§ the urgency procedure for the adoption of provisional measures pursuant to Article 66 GDPR (Articles 31 to 33 of the Regulation).
The Regulation's procedural rules address, among other things, minimum standards for lodging complaints, time limits and the allocation of competences between supervisory authorities. They also clarify the cases in which a request to the controller is a prerequisite for lodging a complaint.
With the new rules for the treatment of confidential information, the Regulation aims to protect trade secrets – as defined in Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) – and other confidential information. The party under investigation must contribute to the protection of confidential information by clearly identifying such information at the time of its submission (Article 25(3) of the Regulation). The protection of confidential information is strengthened by the provision that information regarded as confidential under the national law of the supervisory authority to which it is submitted must continue to be treated as confidential information by any receiving supervisory authority (Article 25(8) of the Regulation).
The goal of "early resolution" is to reduce the burden on supervisory authorities and thereby accelerate data protection cases concerning cross-border processing. At the same time, it could provide a significant benefit for parties under investigation. Although the early resolution of a case will be without prejudice to the lead supervisory authority's exercise of its powers under Article 58 of the GDPR, including its power to impose fines, it appears that the lead supervisory authority would then have to exercise those powers ex officio. After the resolution of the complainant's case, the complainant will no longer need to remain a party to the proceedings. This could significantly reduce the lead supervisory authority's inclination to impose fines. Parties under investigation therefore have an incentive to comply with complaints lodged by data subjects in order to reduce their compliance risks. While this is in accordance with Austrian law, it may be novel in many jurisdictions.
The GDPR Procedural Regulation will become applicable from 2 April 2027 (Article 37 of the Regulation). Transitional provisions will further delay its applicability to ex officio investigations and cases referred to dispute resolution (Article 36 of the Regulation). Nonetheless, legislators and supervisory authorities should take note now. The Regulation emphasises the principle of procedural autonomy of Member States while also reflecting the EU legislators' view on the right to good administration and the rights of defence as enshrined in the Charter of Fundamental Rights of the EU. Among other things, the right to be heard includes the right to be informed about the preliminary findings of the lead supervisory authority (Article 19(4) of the Regulation). These preliminary findings must include, among other elements, the facts, the legal assessment, the corrective measures the lead supervisory authority is considering, the potential amount of any fine, and the aggravating or mitigating factors intended to be taken into account in calculating that fine (Article 19(2) of the Regulation). The preliminary findings define the scope of the investigation. The final decision may not allege that the party under investigation has committed infringements other than those referred to in the preliminary findings (recital 47 of the Regulation). Moreover, the parties under investigation must be given an appropriate time-limit no shorter than three weeks and no longer than six weeks to express their views on the preliminary findings (Article 19(5) of the Regulation). These defence rights could and should also be granted in the applicable national procedural laws.
Recital 50 of the GDPR Procedural Regulation is noteworthy, as it emphasises that the parties under investigation and the complainant are not in the same procedural situation. It is therefore essential to safeguard the rights of defence of the party under investigation.
With the recent promulgation of the Network and Information System Security Act 2026 (NISG 2026) in the Austrian Federal Law Gazette, the legislative process for the national transposition of Directive (EU) 2022/2555 (NIS 2) has been formally concluded. NISG 2026 introduces far‑reaching changes and significantly tightened requirements for affected companies compared to the previous legal framework.
Broadened scope of application and entry into force
The scope of application of NISG 2026 has been substantially expanded compared to the previous legal situation. Going forward, many more sectors and companies will be subject to statutory requirements, including energy, healthcare, the financial market, drinking water, waste management, digital infrastructure and the space sector. While previously only a few dozen operators of critical infrastructure were covered, several thousand companies will fall within the scope of the Act in the future. For the first time, NISG 2026 distinguishes between essential entities and important entities.
This classification is determined in particular by company size, criticality and sector, and it also determines the intensity of regulatory supervision. Essential entities are subject to stricter, proactive oversight, whereas important entities are primarily supervised on an event‑driven (ex post) basis. There is no general exemption for intra‑group IT service providers, meaning that in‑house group service companies can also fall within the scope of the Act. The Act enters into force on 1 October 2026. From that date, affected companies will have three months to register with the newly established cybersecurity authority.
New and tightened obligations for companies
NISG 2026 introduces a wide range of new or tightened obligations with a clear focus on information and cybersecurity. Companies in the covered sectors are required to implement and permanently maintain a comprehensive risk management system. The catalogue of minimum technical and organisational measures is now explicitly laid down in the statute and includes, among other things, measures for handling cybersecurity incidents, arrangements to ensure business continuity, and requirements on supply chain security.
A self‑declaration is also newly introduced: within 12 months of the registration obligation taking effect, essential and important entities must submit to the authority, in particular, information on the risk management measures they have implemented. In addition, essential and important entities must, within two years of being requested by the authority, provide proof that the technical, operational and organisational risk management measures have been duly implemented. As a rule, this proof must be provided through an audit by an independent body and must not be older than two years. For operational and organisational implementation, the proof may alternatively be furnished by relevant, valid certifications.
Stricter deadlines apply to essential entities: they must be able to demonstrate the organisational and operational implementation of their risk management measures within two months of the authority's request. Incident notification obligations are also significantly tightened: significant cybersecurity incidents must be reported without delay and no later than 24 hours after becoming aware. Short statutory deadlines apply to both initial and follow‑up notifications. Particularly noteworthy is the explicit responsibility assigned to the management body.
Members of the management board and managing directors are directly obliged to ensure compliance with cybersecurity measures and to monitor their implementation. Supervisory boards are no longer considered a "management body" within the meaning of the Act, so primary compliance responsibility lies with executive management. Nevertheless, oversight bodies should remain closely engaged, as a broad interpretation could give rise to indirect monitoring or participation duties.
Supervision, enforcement and sanctions
To enforce the new requirements, NISG 2026 establishes a central cybersecurity authority – the newly created Federal Office for Cybersecurity at the Ministry of the Interior. This authority consolidates supervisory powers and, depending on the classification of the entity, has far‑reaching powers, including on‑site inspections, security scans and ad hoc event‑driven reviews. Breaches of statutory obligations will be sanctioned much more strictly going forward. NISG 2026 provides for a tiered enforcement and sanctions regime. As a first step, the authority will, as a rule, issue formal requests, where appropriate in the form of an administrative decision.
In addition, the authority also has more far‑reaching and intrusive measures at its disposal, such as ordering that persons potentially affected by a significant cyber threat be informed, publicly disclosing certain facts, or, in the case of essential entities, appointing a monitoring officer within the entity, suspending certain authorisations, or temporarily removing managerial responsibilities from members of executive management.
Non‑compliance also exposes entities to substantial administrative fines. The fining ranges are aligned with the NIS 2 Directive and have been significantly increased compared to the previous law. For essential entities, fines of up to EUR 10m or 2 % of the worldwide turnover of the preceding financial year – whichever is higher – are possible. For important entities, the maximum fine is EUR 7m or 1.4 % of the preceding year's turnover. A separate sanctions regime applies to public bodies: instead of fines, a breach is formally established by the authority and – if no remedial action is taken – made public ("naming and shaming") to exert effective pressure to comply with cybersecurity standards in the public sector as well.
Conclusion and recommendation
NISG 2026 represents a fundamental paradigm shift in cybersecurity compliance. Never before have so many companies been subject to stringent statutory requirements, while regulatory supervision has simultaneously been considerably intensified. Although the Act does not enter into force until 1 October 2026, affected companies would be well advised to take action now. An early assessment of whether one's own company falls within the (expanded) scope of application, along with timely adjustment of internal security and governance structures, is strongly recommended. Given the short implementation periods, extensive evidentiary obligations and significant sanction risks, proactive action with sufficient lead time is essential. Expert legal and technical support in implementing the NISG 2026 requirements can make a key contribution to minimising liability risks and ensuring a smooth transition to the new compliance regime.
Daniela Birnbauer, Attorney at Law, Vienna, Austria