Security & compliance: New legislation puts B2B SaaS on edge
In the third episode of Business TalQX – the podcast, many topics related to digital security were discussed. Terms like DORA, the Data Act, and NIS 1 and 2 were mentioned. But what do they actually mean?
In this blog, we explain exactly what the laws entail, how companies can comply with them, and what impact they will have on the cyber security practices of B2B SaaS companies.
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is a new European law that takes effect in 2025 for the financial sector and its ICT service providers – including many B2B SaaS companies. This law sets high standards that banks and insurance companies must meet to properly protect their computer systems and data. The goal is to make these organizations more resilient to cyber attacks, disruptions and data breaches.
Restrictions
A key requirement of DORA is that these financial institutions must only work with IT vendors that meet the same strict security standards.
This means that as of 2025, many B2B SaaS providers providing services to banks/money lenders will need to implement comprehensive cybersecurity measures and risk management, and train their staff in cybersecurity.
If B2B SaaS vendors do not meet these DORA requirements, financial institutions will not be allowed to do business with them from 2025 because of the high risks, leaving those vendors at risk of losing part of their customer base.
European Data Act
The European Data Act is a new European law that sets rules for the sharing and use of data by businesses and consumers (applicable Sep. 2025). The main goal is to make the data economy in the EU fairer and more competitive.
Until now, mostly large tech companies had control over and access to much of consumers’ and businesses’ data. But this new law gives consumers and businesses more control over their own generated data. The Data Act aims to make it easier to share data and switch digital service providers. This should lead to benefits for Europe’s data economy. By making it easier to share data and switch services, new and smaller companies will have more opportunities.
More benefits
The idea is that consumers and businesses can benefit more from the valuable data they generate. At the same time, governments will get more data for public interests such as security and innovation. Under the new law:
- Manufacturers should give consumers and businesses access to the data of their own products
- Businesses and consumers can more easily share this data with others
- Governments get access to corporate data for public purposes under certain circumstances
Network and Information Security (NIS) 1 and 2
NIS 1 is the Network and Information Security Directive that went into effect in 2018. This law sets requirements for digital security for organizations operating in critical sectors such as energy, transportation, banking and healthcare.
NIS 2 is a new, stricter European law that will replace NIS 1. The biggest difference is that NIS 2 (as our General Counsel Edger mentioned in the podcast) has a much broader scope. Indeed, NIS 2 covers not only critical industries, but also many more “important entities” such as cloud and hosting providers, security companies, social media and even hardware and software manufacturers.
Important entities
This means that many B2B SaaS companies that provide business software and cloud services will fall under the NIS 2 legislation as an “important entity” (this refers to medium and large organizations operating in certain sectors considered important to the economy and society). For these B2B SaaS companies, NIS 2 brings with it a number of obligations:
- They must conduct a risk analysis and take appropriate security measures
- They should promptly report ICT incidents to the regulator
- Their supply chain also falls under NIS 2 supervision
So in essence, NIS 2 forces more companies, including many B2B SaaS providers, to get their digital security and incident response in order according to the new stricter requirements and notification obligations.
Impact of this new legislation
These new laws require B2B SaaS companies to improve their digital security and compliance even more. Only if they meet the strict rules will they be allowed to continue operating in Europe. Companies that fall behind risk losing customers and revenue.