Cyber race

IT security and data protection pose enormous challenges for companies. Technical dependency is growing. Cyber attacks and data protection incidents can threaten the existence of companies. In addition, the timely implementation of regulatory requirements often causes headaches.

Aitava supports you in preparing your company for the current challenges and regulatory requirements and in efficiently minimizing damage risks.

Legal regulations


  • Applicability as of 25.05.2018
  • Any processing of personal data is subject to high requirements (including purpose limitation, data minimization), is otherwise prohibited.
  • Numerous documentation, information, notification, testing and deletion obligations for processors.
  • Obligation to take appropriate technical and organizational IT security measures (Art. 32 GDPR).
  • Extensive rights of data subjects
  • Fines of up to EUR 20 million or 4% of the previous year’s global turnover

The German IT Security Act 2.0

  • Numerous requirements to be implemented by 01.05.2023
  • Strengthening the role of the Federal Office for Information Security (BSI)
  • Expansion of the BSI Act scope of application to include, among others, companies in the special public interest
  • Expanded obligations for the operation of critical infrastructures, e.g., registration with the BSI, systems for attack detection, restricted use of critical components
  • Introduction of a uniform IT security label
  • Fines of up to EUR 20 million

NIS 2 Directive

  • To be implemented in national law by the German legislature by October 17, 2024.
  • Extension of the scope of application to companies with at least 50 employees or more than EUR 10 million in annual sales or annual balance sheet total; in addition, special cases independent of size.
  • Enormous catalog of obligations for taking measures, also with regard to the supply chain
  • Cybersecurity as a task of the company management; management can be held personally responsible for violations
  • Fines of up to EUR 10 million or 2% of the previous year’s global turnover

Cyber Resilience Act

  • Commission draft of 15.09.2022
  • Scope: products with digital elements. Obligated persons: Manufacturers, distributors and importers
  • High cybersecurity requirements when products are launched on the market.
  • Monitoring of digital products throughout their life cycle
  • Provision of free updates
  • Reporting of cyber incidents to the EU cybersecurity authority ENISA
  • Mandatory compliance procedure for critical products
  • Fines of up to 15 million euros or 2.5% of the previous year’s turnover

Digital Operational Resilience Act (DORA)

  • To be implemented by the financial sector by 17.01.2025.
  • Financial companies and so-called ICT third-party providers (e.g. cloud providers) are obligated to comply.
  • Numerous obligations that go far beyond the previous BaFin requirements (MaRisk, BAIT, KAIT, ZAIT, VAIT, etc.). In particular: ICT risk management, reporting obligations, audit of operational stability.
  • New requirements for outsourcing contracts
  • Direct enforcement by BaFin on third-party ICT providers

… and many other requirements. Horizontal and sectoral.

Aitava brings clarity into the thicket and supports all questions around IT security and data protection.

We remove stumbling blocks and drive the development of best practices. We can draw on many years of technical and legal consulting experience in the regulated IT environment.

Cyber security is a management task. Cyber risks can jeopardize the company's core business.

Cyber risk prevention

Drafting contracts

Contractual regulations are intended to allocate IT security risks (including liability, compliance, and evidentiary risks) and reduce legal uncertainties in the internal relationship between two or more contracting parties. A particular challenge is often the tension between individual (possibly regulatory) customer requirements and standardized processes and contractual terms of the IT service provider.

Aitava supports all agreements around IT security and data protection. From one-pager to 250-pages. And beyond.

IT security standards

The “state of the art” is the central concept in IT security law. This must be determined by technical standards (including ISO / IEC 27001). Depending on the application, industry-specific security standards (B3S) and official notices must also be observed. Identifying and auditing the relevant IT security standards poses technical and legal challenges.

Aitava helps you. Interdisciplinary. From a single source.


Aitava offers company-specific training at the highest level. We provide you with the competencies appropriate for your company in compact, customized units. We give you important impulses and show you best practices that you can implement and further develop 1:1 on your own.

We focus on your individual needs: From introductory workshops to in-depth training on special topics. On-site and virtual. Very much interactive. With passion for the subject matter.

Emergency preparation

Good preparation is half the battle. Companies should position themselves in such a way that the relevant people, especially in management and also in the supply chain, are optimally prepared for an emergency. So that everyone knows what to do. This applies equally to cyber attacks and data protection incidents.

Aitava provides comprehensive support in developing, testing and following up on an emergency plan. A contingency plan is only as good as its actual implementation. Through our years of practical experience on cyber risk issues, we know the day-to-day organizational, technical and legal pitfalls. We provide you with important impulses. Pragmatically and personally.

Support in emergencies

Whether it’s a hacker attack or a data breach – action often has to be taken very quickly. Depending on the emergency, this involves

  • Identification and defense against acute threats
  • Protection of backups
  • Comprehensive preservation of evidence
  • Preservation of business-critical processes
  • Timely notification of authorities, among others
  • Crisis communication internally and externally, in particular coordination with police, insurance and contractual partners
  • Measures against attackers
  • Assertion of claims

Aitava supports you comprehensively in emergencies. So that all concretely necessary crisis measures are taken at the right time. Without losing the overall view.

We are here for you.

We support you in questions around IT security and data protection.

We also advise on:

IT Projects

Aitava combines years of comprehensive expertise in complex IT projects. We represent both service providers and customers. From startups to large enterprises.

Learn more

Cloud Computing / SaaS

Cloud computing is the new standard. Aitava understands the commercial and technological pitfalls to consider with cloud tools, in addition to the legal challenges.

Learn more

Platforms and Digital Business Models

The mega-success of digital platforms is putting legislators on notice. This is often accompanied by actionism. Aitava brings product and law to a common denominator.

Learn more

IT Conflict Resolution

With forward-looking contract drafting and negotiated solutions, escalation can often be avoided in practice. If necessary, we go the last mile and conduct contentious proceedings.

Learn more