February 2026 - Digital Policy | Cybersecurity | Digital Infrastructure

How Regulation is Redefining the Internet Industry

Henning Lesch from DE-CIX examines how growing regulatory pressure – from NIS2 to DORA – is redefining the Internet industry, turning compliance, resilience, and security into strategic advantages.


With rising geopolitical tensions, an evolving security landscape, and an ever-deepening economic and societal dependence on digital connectivity, an increasing number of companies across Europe are now recognized as operators of critical infrastructure, and with that status comes increasing regulatory pressure.

New frameworks such as the NIS2 Directive, the Cybersecurity Act (CSA), and the Cyber Resilience Act (CRA) illustrate how rapidly expectations are shifting. Requirements around resilience, redundancy, and cybersecurity are no longer optional – they are imperatives. Moreover, regulation is no longer driven solely by legislators: customers now expect compliance as a given, a trend amplified by the “trickle-down” effect of broader regulatory ecosystems.

These developments are transforming operations and positioning core Internet infrastructure companies as key players in digital sovereignty efforts. And, importantly, as Internet companies adapt to their new role as operators of critical infrastructure and regulated entities, this classification could also bring strategic advantages.

The changing landscape

Over the past few years, the digital landscape has changed. Regulatory pressure has intensified across nearly every digital sector, while growing geopolitical tensions have added new layers of complexity and uncertainty. At the same time, the IT and cybersecurity environment has evolved dramatically, becoming more challenging than ever before. Together, these shifts have deepened the economic and societal reliance on digital connectivity, making resilient and secure digital infrastructure increasingly critical.

Regulatory frameworks on the rise

Modern societies depend on stable, resilient, and secure Internet interconnection. Sectors such as logistics, energy, healthcare, education, and payments rely on it as a foundational layer of daily operations. When disruptions occur, they are no longer inconveniences but systemic failures that pose significant risk. As a result, governments increasingly classify core Internet infrastructure and services as part of a nation’s critical infrastructure.

This shift is now reflected in public policy. In Europe, a steadily expanding regulatory framework has emerged. Operators of what are defined as systemically important critical infrastructures are subject to a growing number of legal and regulatory obligations. These requirements place a strong emphasis on cybersecurity, resilience, and redundancy to ensure continuity and stability.

Cybersecurity and resilience

The debate on IT security and the protection of critical infrastructures has become significantly more relevant in Europe and Germany in recent years and continues to evolve. IT and cybersecurity are increasingly shaped by coordinated national and European regulations aimed at ensuring a consistently high level of security. The European NIS2 Directive provides the overarching framework for cybersecurity at EU level.

In addition, the German national KRITIS regulations (KRITIS, KRITIS-VO, KRITIS umbrella law) define the requirements for the protection of critical infrastructures and are expanded by NIS2, particularly with regard to cross-sector security requirements. The EU Cybersecurity Act also creates uniform technical standards for the certification of IT products and services at the European level. In Germany, specific obligations also apply to the telecommunications sector, particularly with regard to the development and implementation of security concepts. Overall, these regulations aim to sustainably increase and continuously develop the level of security through close cooperation and coherent integration of the requirements.

New expectations

For a long time, implementing basic cybersecurity measures and meeting requirements was considered sufficient. That is no longer the case. Today, security, resilience and compliance have become baseline expectations – a minimum prerequisite for doing business.

Regulatory pressure is increasingly moving down the supply chain and becoming part of the value proposition itself. This form of “regulation by proxy” is not driven solely by laws or technical standards, but by contracts, procurement criteria, and customer audits. As a result, compliance is embedded directly into commercial relationships.

This dynamic now affects a growing number of industries and sectors. Internet companies, in particular, must closely consider their customers’ requirements while also anticipating regulatory developments and emerging frameworks at an early stage. Even when an Internet Service Provider is not explicitly addressed by a specific regulation, it will still feel its effects through the broader regulatory ecosystem. Compliance is no longer optional. It is expected as a given, reinforced by the ongoing trickle-down of regulatory obligations. As a result, regulatory expectations now extend across entire supply chains and directly affect service providers.

In industries such as finance and automotive, frameworks like DORA and TISAX play a particularly important role. Service providers, especially in the IT and digital infrastructure space, need to be aware of these requirements and factor them into their operations. The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening IT security and operational resilience within the financial sector, covering banks, insurance companies, and investment firms. TISAX, based on ISO 27001, is specifically adapted to the needs of the automotive industry and focuses on securing the exchange of sensitive information between manufacturers and suppliers.

Turning regulatory pressure into opportunity

As governments and regions pursue greater digital sovereignty, the ability to operate digital infrastructure and services independently, securely and resiliently is becoming increasingly critical. While regulation is often perceived as a burden bringing additional reporting requirements, audits, bureaucracy, and cost, it also presents a meaningful opportunity to create value and unlock new possibilities.

Strong compliance can strengthen trust and credibility in the market, opening the door to new customer segments and long-term relationships. Demonstrating compliance early and proactively can become a strategic advantage. Particularly for customers in highly regulated sectors such as finance or automotive, compliance can increasingly serve as a differentiating factor and a source of competitive advantage. In this context, the role of service providers is evolving – they are no longer seen merely as suppliers, but as trusted partners. Most importantly, compliance should not be viewed solely as an obligation. It is a strategic lever that can differentiate organizations and drive sustainable growth.

 

📚 Citation: 

Lesch, Henning. (February 2026). How Regulation is Redefining the Internet Industry. dotmagazine. https://www.dotmagazine.online/issues/digital-trust-policy/regulation-redefining-internet-industry

 

Henning Lesch joined DE-CIX in 2025 as Head of Public Policy and Government Affairs. Before that, he spent two decades at eco – Association of the Internet Industry, as the Head of the Capital Office and the Policy, Law, and Regulation division. A qualified attorney with specialized qualifications in information technology, telecommunications, and media law, Lesch’s core identity is that of a caretaker, problem solver, strategist, and solution finder – driven by purpose, not just credentials. For him, the Internet is his constituency. 

FAQ

Why are more Internet companies being treated like critical infrastructure?

Governments increasingly view stable connectivity as foundational for sectors like healthcare, finance, energy, and education. As dependence grows and disruptions have wider impact, more infrastructure providers face critical infrastructure expectations around continuity, cybersecurity, and resilience.

What practical changes does NIS2 drive for Internet infrastructure operators?

NIS2 pushes organizations toward more formal cybersecurity governance and demonstrable operational resilience. In practice, this often means clearer accountability, stronger risk management, incident handling readiness, and more structured documentation that can be reviewed by regulators or customers.

What is “regulation by proxy,” and why does it matter?

“Regulation by proxy” describes how requirements spread through contracts and procurement, not only through laws. Even if a provider is not directly in scope of a rule, customers may require evidence of controls through audits, security questionnaires, and contractual clauses.

How do DORA and TISAX affect digital infrastructure providers?

These frameworks raise baseline expectations for suppliers serving regulated sectors such as finance and automotive. Providers may need to align their security, resilience, and reporting practices with customer requirements, because compliance becomes part of vendor selection and ongoing oversight.

What do “resilience” and “redundancy” typically mean in this context?

Resilience is the ability to keep services running and recover quickly when something goes wrong; redundancy is having backups to avoid single points of failure. A practical approach often includes:
• Multiple paths or sites to reduce outage risk
• Tested incident response and recovery plans
• Regular assurance checks against defined controls

How can compliance become a strategic advantage instead of a cost center?

When compliance is proactive and well-documented, it can reduce friction in customer audits and shorten sales cycles in regulated markets. It can also support stronger trust signals, positioning providers as reliable partners for long-term, risk-sensitive services.

What should service providers prioritize first if regulation is “trickling down” to them?

Start with a clear baseline of controls and evidence that customers can review. Typical first steps include:
• Mapping key requirements to internal policies and processes
• Establishing ownership for security and resilience decisions
• Preparing standard audit materials (controls, reports, incident playbooks)