European regulations

The AI Act, Cyber Resilience & Co. can ensure a fairer playing field – or become a brake on innovation. However, many laws have not yet been transposed into national law.

Share this Post
IMAGE: Shutterstock | Photographer: pickyfox

Contact info

Silicon Saxony

Marketing, Kommunikation und Öffentlichkeitsarbeit

Manfred-von-Ardenne-Ring 20 F

Telefon: +49 351 8925 886

Fax: +49 351 8925 889

Contact person:

New rules from Brussels: A full work package awaits Saxony’s software forge

KI Act, Product Liability Directive and German Supply Chain Act, Data Act, Skilled Immigration Act, Cyber Resilience Act… Numerous directives, documentation requirements and laws from Brussels and Berlin partially overlap and pose growing challenges, especially for software companies in Saxony with strong international operations.

The EU AI Act in particular has recently divided opinion: while some see it as overregulation and a brake on innovation for the use of artificial intelligence (AI) in Europe, others see it as an opportunity for European software companies to create a level playing field and catch up with the large hyperscalers from the USA and China.

“The idea behind the AI Act is to create a level playing field, at least in Europe, so that a start-up from Saxony has the same opportunities as a software company in Poland or Lithuania,” says Managing Director Daniel Abbou from the German AI Association. However, experience shows that Germany is particularly “open to regulation”. In other words: “It remains to be seen how Germany will implement the AI Act in comparison to other EU countries.” Germany’s particularly strict interpretation of the General Data Protection Regulation must not be repeated with the AI Act – “otherwise there is a risk of migration”.

Americans and Chinese are also planning AI regulations

However, there is not entirely rule-free terrain for AI outside the EU: “The EU is certainly playing a pioneering role in the regulation of AI, but of course it is not alone,” explains Innovation Director Christoph Kögler from Infineon Dresden. “The USA and China are also working on their own regulatory provisions for this technology.”

In view of the newly inflamed public debates about the opportunities and risks of AI, one thing has become clear in many countries: “It won’t work without guidelines,” argues Technology Director Frank Schönefeld from Telekom MMS in Dresden with regard to the rapidly growing use of AI in the software industry. Major players such as Telekom and SAP recognized this years ago and therefore formulated their own “rule sets for dealing with AI”, at that time still within the company. However, politicians should not miss the mark when it comes to AI regulation: “There is a real danger that too many strict rules will paralyze innovation.”

“For the new EU Commission, the implementation of existing digital laws should take priority over major new regulatory projects,” demands Frank Termer, Head of Software at the German digital association Bitkom, in view of the numerous new rules: “The first priority is to guarantee legal certainty for companies and ensure the practicability of the new legal framework. Possible new legislative initiatives should particularly take into account the central importance of the open source ecosystem for innovation projects.”

Christoph Kögler from Infineon also warns: “Regulation is basically a good thing if it provides a clear legal framework and a level playing field. However, the flip side of the coin can be bureaucratic hurdles and unnecessary restrictions.”

Head of the capital office Patrick Häuser from the Bundesverband IT-Mittelstand (see interview) goes one step further: the medium-sized digital economy is “currently confronted with a multitude of new regulations that are increasingly becoming an obstacle to innovation”, he says and warns: “Many small and medium-sized companies have now reached the limits of their resilience due to ever new regulations.”

The practical implications for software SMEs

SMEs in the sector in particular will first have to adapt to the latest directives from Brussels, the resulting national legislation and, not least, the resulting case law. Because although the AI Act from Brussels, for example, is primarily aimed at hyperscalers: Even a small software company in Saxony can quickly slip into one of the new high-risk classes for the use of AI, warns Daniel Abbou from the German AI Association: “Anyone working on AI software for biometric ID systems, educational purposes, critical infrastructures or personnel management, for example, must expect high costs.” In addition, software SMEs should also keep an eye on the EU plans to adopt an “AI Reliable Act”, which should also provide for very specific corporate liability for AI errors.

There is hardly any time to get involved in the major international standardization processes that will have a lasting impact on the work of German software companies in a few years’ time. “These committees are mainly made up of the big players in the industry, the hyperscalers,” emphasizes Abbou. “The vast majority of start-ups in Saxony don’t even have the resources to assign someone to them.”

“The software industry is particularly affected by the requirements of the AI Act and the Cyber Resilience Act,” estimates Frank Termer from Bitkom. “Market access will be a particular challenge as, on the one hand, the necessary standards have to be written and, on the other, software products have so far only been subject to a conformity test in accordance with the New Legislative Framework in individual cases – for example medical products. In addition, software products are now included in the extended scope of the revised Product Liability Directive. The resulting increased liability risk for software developers may have considerable consequences for Europe’s role as a location for innovation, in addition to increasing prices for software.”

These new rules could also have an impact on the business models of software developers and cause additional costs. “This is because, for example, more careful monitoring and updating of software products is necessary to minimize liability risks,” explains the Bitkom expert. “In addition, software companies have to provide resources to meet the increased requirements – this is a challenge for small and medium-sized companies in particular, but also for start-ups.”

Overview of current regulations (selection):


Intended to ensure the safety and ethics of AI systems and defines 4 risk classes. These include prohibited AI systems (e.g. “social scoring” as in China or emotion recognition in the workplace), high-risk AI systems (e.g. facial recognition or the assessment of creditworthiness, large basic models), AI systems subject to regulation (e.g. personalization of advertising or for controlling machines) and AI systems with minimal risk.

👉 Further information on the EU AI Regulation 

👉 Podcast “Hallo Zukunft” on the EU AI Act (German)

Dates and deadlines: 20 days after publication in the Official Journal of the EU (expected in summer 2024), the AI Act will come into force, with many regulations only taking effect after two years. The bans and requirements for prohibited AI systems will come into force after just six months. The requirements for high-risk systems will only apply after three years.

Cyber Resilience Act (CRA)

Manufacturers must assess their products according to a risk-based procedure and ensure that they meet the requirements of the CRA. Compliant products are CE marked. Manufacturers must immediately report vulnerabilities in their products to the EU cybersecurity authority ENISA and provide security updates for their products for at least five years.

👉 Further information

Dates and deadlines: The CRA is expected to come into force in the first half of 2024. Companies will then have 36 months to comply with all requirements.

German Skilled Immigration Act

The latest amendment to the Skilled Immigration Act facilitates the immigration of non-academic skilled workers from non-EU countries. The minimum salary threshold for immigration with the “EU Blue Card” has been reduced from 56,400 to 43,992 euros per year. The recognition of professional qualifications from non-EU countries has been simplified. Anyone with at least two years of professional experience and a professional qualification recognized by the state in their country of origin can immigrate as a worker. In future, the professional qualification no longer needs to be recognized in Germany.

👉 To the legal text

Dates and deadlines: The first stage of the new regulations for skilled worker immigration came into force in November 2023. These include the Blue Card, the new regulations for residence permits for skilled workers with vocational training and skilled workers with an academic education. Since March 1, 2024: regulation for experienced professionals will be extended to all professions

Digital Services Act (DSA)

The DSA regulates the liability of online platforms and intermediaries. It aims to combat illegal content and disinformation on the internet while protecting freedom of expression. The DSA will influence the way software companies offer their services online and oblige them to take more responsibility for the content on their platforms.

Digital Markets Act (DMA)

The DMA aims to regulate large online platforms and create a level playing field in the digital market. It prohibits certain companies from abusing their market power and promotes competition through new market rules. The DMA will influence the business models of large software companies and oblige them to open up their platforms to competitors.

Data Act

The Data Act regulates the use and disclosure of data. It aims to improve access to data and strengthen users’ control over their own data. The Data Act will influence the way software companies collect and use data and will oblige them to give users more transparency and control over their data.

_ _ _ _ _


Heiko Weckbrodt, supported by Google-Gemini (controlled)

Bärensteiner Str. 12 | 01277 Dresden
T: +49 351-2819937 | M: +49 151 56016018 |

_ _ _ _ _

This article has been written exclusively for our magazine NEXT “In the spotlight: Software”.

👉 To the complete issue of the magazine

You may be interested in the following