Cyber Law

Cyber Law operates at the intersection of digital innovation, regulation and cyber risk. We help organisations navigate this complexity by combining legal expertise with deep security and risk insight.

Our actionable guidance strengthens organisational resilience by embedding integrated compliance and strategic governance, providing clear direction, reducing regulatory risk, and supporting sustainable growth.

Cyber Law

Your partner in navigating digital regulation with clarity and confidence.

Digitalisation drives growth, innovation and competitive advantage, but it also brings increasing regulatory demands and cyber risk. From data protection and digital regulation to preparedness and governance, organisations face a complex and rapidly evolving legal landscape.

Our Expertise

We help organisations navigate digital regulation with clarity and confidence by integrating regulatory requirements across strategy, governance and operations.

Our Cyber Law team combines deep legal expertise in cyber, digital and data regulation with practical insight from the information security and risk domains. This enables us to translate complex regulatory requirements into clear governance, defensible processes and proportionate controls that work in practice.

Cyber Security Regulation & Frameworks

We help clients align regulatory requirements with practical security controls, combining governance advisory and legal support under NIS2, DORA, the CRA and other relevant cyber security frameworks.

We build on existing processes and governance structures, embedding legal requirements in a practical and proportionate manner and building upon synergies across regulatory frameworks.

Privacy & Data Protection

We help you ensure compliance with GDPR and other privacy laws through pragmatic and hands-on support in managing data privacy risks, governance and accountability.

We make privacy an integrated and sustainable part of operations by building privacy governance frameworks, conducting risk and impact assessments and embedding data protection into core business processes. By protecting personal data and strengthening accountability, we help organisations build trust.

AI & Emerging Technologies

We provide practical legal guidance on the AI Act and emerging technology laws – helping clients balance innovation, risk, and compliance.

We support clients in assessing the legal impact of AI, conducting risk assessments, meeting data and transparency requirements, addressing supply chain and contractual considerations, and integrating AI compliance into the organisation's governance and risk management structures.

Data Laws

We provide guidance on data laws, including the Data Act, the Data Governance Act and the Digital Services Act, to help clients stay compliant, accountable and prepared for change.

This includes advising on data access and sharing obligations, contractual and cross-border arrangements, governance and accountability frameworks, platform and intermediary responsibilities, and the alignment of data regulation with existing privacy, cyber and risk management structures.

Governance & Third-Party Risk

By integrating legal and risk perspectives into enterprise governance, we help clients strengthen accountability, compliance and decision-making in digital operations. This also includes advisory on third-party and supply chain risks to limit contractual, compliance and liability exposure in complex digital ecosystems.

For further information on our full range of Cyber & Digital Risk services, please click here.

Who We Help

We work with boards, executives, legal and technology leaders to embed integrated compliance and effective governance, ensuring cyber risk is managed as a strategic enterprise issue, not a siloed technical concern.

Board & Executive

Strategic direction & oversight
We help you translate cyber and digital regulation into clear governance structures, oversight models and decision-making frameworks aligned with enterprise risk and long-term strategy.

Cyber risk is no longer only a technical matter; it is a resilience, liability, and reputational issue, with an increased responsibility for the board and executive management.

• Governance and accountability strategy and models
• Regulatory reporting, assurance, and management information, including risk analysis
• Decision frameworks linking cyber risk into strategy and capital allocation

Technology & Security

Operational embedding & resilience
Technology and security teams are at the centre of regulatory execution. We help you operationalise compliance in daily operations by embedding regulatory requirements into business processes, risk management, product security, AI governance and business continuity.

• Embedding legal requirements into risk and security processes and controls
• Driving change and helping with compliance program implementation
• Operational control implementation, risk assessments and reporting

Digital & Operational

Transformation & resilient operating models
Digital transformation, connected products and AI-driven services are directly affected by evolving EU cyber and data laws. We help you embed compliance into innovation and operational change, ensuring regulatory requirements are addressed by design and across the product and data lifecycles.

• Governance and risk management embedded in digital transformation
• Resilient operating and product lifecycle models
• Privacy, regulatory compliance and security by design across digital services and connected environments

Risk, Compliance & Legal

Governance & compliance integration
Risk, compliance and legal functions must ensure that cyber and digital regulation is translated into effective policies and controls. We help you understand the applicability of overlapping regulatory frameworks, identify key risks and prioritise practical next steps through tailored assessments and gap analyses.

• Gap analysis, action plans and roadmap
• Policy and framework alignment with supervisory expectations
• Control design, documentation, and evidence structures

Insights & Events

NIS2 | Assessing the Scope

This article provides practical guidance on assessing whether your organisation falls within the scope of the NIS2 Directive. It explains the key criteria, including sector, organisation size, and group structures, while highlighting common misconceptions and the implications for subsidiaries. By understanding these requirements, organisations can establish a sound foundation for compliance and avoid costly regulatory risks.

AI Governance | The Strategic Capability for Scalable Value

This article explores how AI governance enables organisations to move beyond experimentation and scale AI with confidence. It outlines the key principles of effective AI governance, showing how board-level oversight, clear accountability, and practical governance frameworks help manage risk, build trust, and create sustainable business value beyond compliance.

Avoid Costly NIS2 Mistakes & Build Business Resilience

Our NIS2 Playbook takes you beyond the surface of NIS2 compliance. It explains the most frequent pitfalls, explores the reasons behind them, and offers clear, actionable ways to strengthen your organisation’s resilience.

For boards, executives, and leaders in compliance and cybersecurity, this guide provides a clear framework to enhance oversight, define accountability, and embed resilient governance across the organisation.

CE Marking Under the CRA (Cyber Resilience Act)

This article explains how the Cyber Resilience Act (CRA) changes the role of CE marking for products with digital elements. It outlines what manufacturers need to do to demonstrate ongoing compliance, when existing products may require reassessment, and why cybersecurity must now be embedded throughout the product lifecycle rather than treated as a one-off certification exercise.

The Swedish NIS2 Implementation – Cybersäkerhetslagen

This webinar provides practical guidance on current requirements, key priorities, and effective incident response, with a focus on the two most business-critical areas of NIS2: incident management and third-party risk management. Drawing on concrete lessons learned from DORA implementation, we highlight what works in practice and how to apply those insights under NIS2.

Recorded: February 2026
Duration: 45 min
Language: Swedish

FAQ

How can we unify all requirements into one workable approach?

EU regulation is no longer siloed. Frameworks like GDPR, NIS2, DORA, the AI Act, the CRA, and the Data Act all create overlapping expectations across governance, risk management, incident handling, supply chain oversight, documentation, and lifecycle control.

The real challenge isn't identifying obligations. It is translating them into one coherent operating model across legal, risk, security, IT, and the business. Fragmented approaches increase cost, duplication, and regulatory exposure, and they tend to break down precisely when they are needed most: during an incident, an audit, or a regulatory enquiry.

We help organisations align these requirements into a unified, workable framework. This means clear ownership, consistent controls, and defensible evidence that holds across multiple regulatory regimes.

Under NIS2, entity classification depends on sector, size thresholds, and criticality. Under DORA, even indirect ICT providers may fall under scrutiny. The AI Act requires formal risk classification and documentation logic. The CRA applies based on “products with digital elements,” which demands technical-legal interpretation. Scope must be documented in a defensible position paper, not assumed.

We conduct structured applicability assessments that withstand supervisory review and board scrutiny.

How do we manage risk in digital ecosystems?

Cloud and SaaS environments shift risk from direct control to shared responsibility, layered dependencies, and limited visibility. Regulations like the GDPR, NIS2, DORA, and the Data Act all introduce expectations around data protection, security measures, third-party risk, and control over data access and cross-border transfers.

The challenge goes beyond assessing vendors at onboarding. It is important to understand how data, responsibilities, and risks flow across the entire environment: through configuration, integration, subcontracting chains, and lifecycle changes that often happen without formal review.

In practice, risks often emerge over time rather than at the start.

We help organisations take a structured, end-to-end view of these environments, embedding privacy and security into design, onboarding, and change processes. This includes clear accountability and evidence that stands up to regulatory scrutiny.

How does the CRA change product lifecycle responsibilities?

The Cyber Resilience Act (CRA) shifts an organisation’s responsibility from point-in-time compliance to full lifecycle accountability for products with digital elements. Security is no longer limited to design or release.

This includes development, testing, deployment, maintenance, vulnerability management, and even end-of-life. The CRA also reinforces expectations around secure-by-design practices, continuous risk assessment, coordinated vulnerability disclosure, and ongoing monitoring during the period a product is supported.

In practice, the real challenge is operationalising these responsibilities across product, engineering, legal, and support functions, often in organisations where these teams have never had to work this closely together.

We help organisations embed lifecycle governance models that align product development with regulatory expectations and build the continuous control needed to demonstrate compliance over time.

How do we establish clear data and AI accountability?

Clear ownership of data cannot be assumed anymore; it must be actively defined across the entire value chain. Regulations like GDPR, the Data Act, DORA, and the AI Act each reinforce accountability across how data is accessed, shared, processed, and governed, both internally and with external partners.

In practice, this spans ownership of data rights and transparency obligations under GDPR; control over data access, portability, and cloud switching under the Data Act; supply chain accountability and audit readiness under DORA; and defined roles for AI system governance and risk monitoring under the AI Act.

The challenge is bringing all of this together into something that works day to day.

We help organisations build governance models that translate these obligations into clear decision rights, practical responsibilities, and meaningful oversight across the full data and AI ecosystem. Not just on paper, but in how the organisation operates.

Critical ICT third-party arrangements must be documented in detailed registers and subject to oversight. Boards remain accountable for outsourcing risk.

The challenge is operationalising DORA without paralysing innovation.

We assist financial institutions in integrating DORA obligations into procurement, vendor governance, and operational resilience frameworks.

How do we govern third-party cyber risk?

Third-party risk is now a regulated lifecycle, not a procurement step. Frameworks like GDPR, NIS2, DORA, the Data Act, and the AI Act all impose structured expectations on how organisations select, contract, and oversee providers, particularly where services are business-critical, data-intensive, or embedded in automated decision-making.

In practice, many of the biggest risks materialise before a contract is signed: in assumptions made during selection, gaps left in due diligence, and obligations that never make it into the agreement. For example, DORA sets out particularly detailed requirements for financial entities, including mandatory contractual elements and ongoing oversight of critical ICT providers.

We support organisations in building governance, policies, and processes that make third-party risk manageable, transparent, and regulator-ready, at every stage of the relationship.

How do we govern AI responsibly?

In practice, the AI Act requires organisations to treat AI as a structured risk and governance topic, recognising that not all AI systems carry the same level of risk. Use cases must be differentiated, with governance obligations intensifying as systems move from experimentation into production and begin to affect decisions, individuals, or critical operations.

This means AI systems must be classified, assessed, documented, and continuously monitored. For high-risk applications, such as those in employment, critical infrastructure, credit scoring, and biometric identification, the Act introduces mandatory conformity assessments and human oversight requirements, and in many cases the conformity assessment must be completed before such systems can be placed on the market or put into service.

At the same time, effective AI governance goes beyond regulatory compliance. Many organisations are also aligning with international standards and frameworks, such as ISO/IEC 42001, ISO/IEC 23894, and the NIST AI Risk Management Framework, to build more robust and future-proof approaches.

We help organisations build practical, scalable governance models that support sound decision-making today while keeping pace with regulatory expectations as they evolve.

How do we demonstrate regulatory accountability?

Demonstrating accountability requires more than having controls in place; it requires being genuinely audit-ready. Across frameworks like GDPR, NIS2, DORA, the AI Act, and the CRA, the expectation is that organisations can show, clearly and under pressure, how decisions are made, how risks are managed, and how incidents are handled in practice, not just documented in policies.

This means clear accountability mapping, structured and retrievable evidence, tested incident reporting workflows, coherent crisis communication, and the ability to coordinate across borders when it matters. Regulators and auditors are increasingly assessing response capability, traceability, and consistency, rather than just the existence of documentation.

We support organisations in building the readiness to demonstrate structured, proportionate, and defensible governance when it counts.

How do DORA and NIS2 reshape risk and incident governance?

DORA and NIS2 elevate cyber risk from a technical issue to an enterprise-wide governance responsibility. Both frameworks require structured risk management, clear accountability, and the ability to manage and report incidents in a consistent, timely, and defensible way.

NIS2 strengthens expectations on senior management oversight and accountability, including potential consequences for serious compliance failures. DORA introduces similarly robust governance requirements for financial entities, with a strong focus on operational resilience and third-party risk.

This reshapes how organisations identify critical services, assess dependencies, and coordinate response across business, technology, and third parties. Incident governance becomes more formalised, with defined escalation paths, strict reporting timelines (an early warning within 24 hours of becoming aware of a significant incident under NIS2, followed by an incident notification within 72 hours and a final report within one month; an initial notification under DORA within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it), and cross-functional coordination that most organisations have not yet stress-tested.

The core challenge is integrating these requirements into existing risk and operational models without creating parallel structures that fail under pressure. We help organisations do exactly that.

EU Cyber & Digital Laws

The European regulatory landscape is tightening rapidly across cybersecurity, digital resilience, and AI governance. These regulations represent more than compliance checkpoints. They reshape governance expectations, executive accountability, and operational resilience across industries.

Our team of experts support organisations in understanding, implementing, and operationalising key data and cyber security regulations, ensuring not only compliance, but stronger resilience, governance maturity, and long-term value creation.

DORA

The Digital Operational Resilience Act (DORA) harmonises ICT risk management requirements for the EU financial sector. In force since January 2023 and applicable from 17 January 2025, it mandates resilience testing, incident reporting, and third-party risk oversight to ensure operational continuity.

Read more here.

NIS2

The NIS2 Directive strengthens EU cybersecurity requirements for essential and important entities. In force since 16 January 2023, with a national transposition deadline of 17 October 2024 (which many Member States, including Sweden, met only later), it increases executive accountability, incident reporting obligations, and supply chain security to reinforce organisational resilience.

Read more here.

AI Act

The EU AI Act establishes a risk-based framework for artificial intelligence. Entered into force in 2024, with phased obligations through 2026–2027, it requires transparency, risk management, and governance, particularly for high-risk AI systems, to ensure compliant, trustworthy, and responsible deployment across the EU.

Read more here.

CRA

The Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements in the EU. In force since 10 December 2024, with vulnerability and incident reporting obligations applying from 11 September 2026 and the main obligations from 11 December 2027, it enforces security-by-design, vulnerability management, and lifecycle accountability for manufacturers, importers and distributors.

Read more here.

GDPR

The GDPR establishes EU-wide rules for processing personal data, strengthening individual rights and organisational accountability. Applicable since 25 May 2018, it requires lawful processing, transparency, data protection governance, and breach notification. GDPR non-compliance carries significant fines and reputational risk across all sectors operating in the EU.

Read more here.

Contact Us

Submit your contact request and our Cyber Law team will get back to you shortly.