Here you will find regularly updated information on the latest legal regulations and developments in the field of customer identity and access management (CIAM). Find out what regulations companies in Europe have to comply with, how digital identities are protected and what role European regulatory authorities play in ensuring cyber security and data protection.
Europe is characterized by rapid technological developments, strict regulations and a growing demand for advanced security solutions. For instance, the United Kingdom has developed its own regulatory standards in the wake of Brexit. Although based on the General Data Protection Regulation (GDPR), they are evolving in an increasingly independent direction.
At the same time, data protection laws are undergoing constant refinement, while the security requirements for companies in critical infrastructures are being tightened – comparable to the requirements of the NIS2 Directive.
Although these developments pose challenges, they also offer new opportunities. Secure, trustworthy processes establish the basis for strengthening customer confidence while offering a smooth, seamless user experience. In this way, companies can not only fulfil the increased security requirements but also improve customer loyalty in the long term.
On this page we regularly inform you about the latest regulations, changes and updates in the area of IAM that are important for companies.
DORA, the Digital Operational Resilience Act, is an EU regulation that aims to strengthen the cybersecurity and operational resilience of financial institutions. It is a response to growing digital risks and the increase in cyberattacks on financial systems. DORA harmonises cybersecurity requirements across the EU and enforces standards such as mandatory risk management, cyber incident reporting and regular penetration testing. Financial institutions are obliged to introduce robust IT security measures, monitor third-party providers and implement clear contingency plans for operational disruptions by January 2025.
The NIS2 Directive (Network and Information Security) significantly expands the scope of the original NIS Directive and requires companies – particularly those in critical infrastructures – to take increased security precautions. This affects sectors such as financial services, transport, energy and healthcare – all of which require strong identity and access management to meet the new requirements.
As the next stage in the development of the European Payment Services Directive, PSD3 aims to further modernize the digital financial market. It is intended to close gaps in PSD2, for example through strong customer authentication (SCA), and to better regulate the handling of new technologies such as crypto-assets and “Buy Now Pay Later” (BNPL). Further changes concern APIs and third-party access, in order to promote competition and enhance consumer protection – above all through clearer rules on liability and security in payment transactions.
The revised Swiss Data Protection Act (revDSG), which comes into force in September 2023, aligns Swiss data protection regulations with the EU GDPR. The focus is on protecting the personal data of natural persons. New regulations include the expansion of information and disclosure obligations, the protection of genetic and biometric data and strict requirements for profiling. Moreover, data breaches must be reported and fines may be imposed for offences. Companies must adapt their data protection measures as the law takes effect.
The introduction of eIDAS v2 (European Electronic Identification, Authentication and Trust Services) is set to revolutionise the market for digital identities in Europe. eIDAS v2 will involve mandatory ID verification – a central element of CIAM solutions and onboarding processes. This creates a new requirement whereby organisations must not only ensure that their users are authentic but also that they carry out legally compliant identity checks.