EU Digital Sovereignty: How DUAA and NIS2 are Redefining Endpoint Security


The entry into force in February 2026 of Section 138 of the UK's Data (Use and Access) Act 2025 (DUAA), alongside the EU's Cyber Resilience Act (CRA) and NIS2 Directive, turns device management into a pillar of governance in which technical negligence carries direct legal and civil consequences.

In this new scenario, at Applivery we understand that security and compliance are not external layers, but core functions of our SaaS, designed to ensure that every endpoint is an audited asset under absolute sovereignty.

This legal framework marks the end of "optional" cybersecurity, forcing organizations to demonstrate control over the full lifecycle of their assets. Failing to adapt means not only greater exposure to attacks but also a real risk of exclusion from the European market for regulatory non-compliance. To make the transition, fleet management must now be sovereign, auditable, and secure by design, turning compliance into a competitive advantage.

Key regulatory taxonomy for 2026

  • Contractual sovereignty: the principle under which the jurisdiction of the provider's headquarters is binding on the data, regardless of where that data is physically stored.
  • Sovereignty-by-design: the architectural approach of building software that inherently complies with EU data residency and security standards.
  • Critical product status: a designation under the CRA for software—like MDM/UEM—that handles essential identity and access functions, requiring rigorous third-party validation.

What does the Cybersecurity Package actually imply?

The 2026 regulatory landscape has shifted from a “best practices” suggestion to a mandatory framework for total control over the data and device lifecycle. This package demands a level of transparency and speed that legacy management systems simply cannot provide.

2026 challenge  | Previous status               | Requirement under DUAA / NIS2                                              | Applivery solution
Sovereignty     | Only server location mattered. | Contractual location (provider jurisdiction) is now binding.               | 100% EU-based provider (Spain).
Deadlines       | Reactive reporting.            | NIS2 early warning within 24 hours; incident notification within 72 hours. | Real-time telemetry and immutable logs.
Software status | MDM as a basic IT tool.        | MDM classified as a "critical product".                                    | Security-by-design and ENS compliance.

To understand the full scope of these changes, we must look at the specific requirements that now fall under the responsibility of IT and Security departments:

  • Supply chain responsibility (NIS2): organizations are legally responsible for managing supply-chain risk, including the security posture of their software vendors. If you use an endpoint management tool that lacks robust security controls, your organization carries the legal burden in the event of an incident.
  • Contractual vs. geographical sovereignty (DUAA): under the DUAA, the "contractual location" of the provider takes precedence. If your provider is headquartered in a jurisdiction without an adequacy decision, you are performing a restricted data transfer, regardless of where the servers are physically located.
  • Mandatory incident reporting: NIS2 requires an early warning to the competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. Without real-time telemetry from your endpoints, establishing the scope of a breach inside the first window is very hard.
  • Categorization of "critical" products (CRA): the CRA places UEM/MDM and Identity Providers (IdP) in its critical product category. These systems must undergo third-party conformity assessments to show they meet "security-by-design" requirements before they can be placed on the EU market.

For a deeper dive into how these regulations impact your specific infrastructure, you can download our full Whitepaper: Digital Sovereignty.

The risks of non-compliance: beyond the fine

Failing to comply with the 2026 regulations is no longer just a financial risk; it is an existential risk for the company:

  • Economic sanctions and liability: following the GDPR model, the new regulations provide for fines expressed as a percentage of global turnover (NIS2, for example, allows fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities, whichever is higher). NIS2 also makes management bodies personally accountable for approving and overseeing cybersecurity risk measures, opening the door to action against directors for negligent infrastructure management.
  • Disqualification from public and critical contracts: under the ENS (National Security Scheme) in Spain and similar EU frameworks, companies without certified compliance are excluded from public tenders and from operating in essential sectors like energy, finance, and healthcare.

How Applivery resolves this need for compliance

At Applivery, security and regulatory compliance are the core of our API-first architecture. We address these requirements as follows:

  • European sovereignty and data residency: we are a Spanish company with infrastructure in Madrid (GCP europe-southwest1). This ensures full compliance with both geographical and contractual sovereignty required by the DUAA.
  • Immutable audit evidence: we generate immutable Audit Trails and Device Logs that record every command or policy change. This traceability is essential for meeting ISO 27001, SOC 2, and ENS controls.
  • Zero Trust access control: we integrate device telemetry so that the device's security posture (encryption, patching, health) feeds directly into Conditional Access decisions in IdPs such as Entra ID or Okta.
  • Real-time incident response: Our Automation Rules allow the system to react instantly to non-compliant devices, isolating them or forcing patches without waiting for manual intervention, meeting the immediate mitigation requirements of NIS2.
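The two mechanisms the list above leans on, a tamper-evident audit trail and a posture rule that decides whether a device is allowed, patched or isolated, can be shown in a few dozen lines. The following is an added example and is not Applivery's code; the telemetry keys (disk_encrypted, patch_age_days, health), the 30-day patch threshold and the sample devices are all assumptions constructed for the demonstration.

```python
"""Added example (not Applivery's code): a hash-chained device audit trail and
a posture-based automation rule. All device records below are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64  # hash the first entry chains to


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so an identical record always hashes identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


@dataclass
class AuditTrail:
    """Append-only log: each entry commits to the hash of the previous one,
    so editing or deleting any past entry breaks every hash after it."""
    entries: list = field(default_factory=list)

    def append(self, actor: str, device_id: str, action: str, detail: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "device": device_id,
                "action": action, "detail": detail}
        h = _entry_hash(prev, body)
        self.entries.append({**body, "prev": prev, "hash": h})
        return h

    def verify(self) -> Optional[int]:
        """Return the seq of the first entry whose chain is broken, or None."""
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("seq", "actor", "device", "action", "detail")}
            if e["prev"] != prev or _entry_hash(prev, body) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return None


MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not from the page


def evaluate_posture(device: dict) -> tuple:
    """Return (compliant, reasons) from assumed telemetry fields."""
    reasons = []
    if not device.get("disk_encrypted"):
        reasons.append("disk not encrypted")
    if device.get("patch_age_days", 999) > MAX_PATCH_AGE_DAYS:
        reasons.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if device.get("health") != "ok":
        reasons.append("health=%r" % device.get("health"))
    return (not reasons, reasons)


def apply_automation_rule(trail: AuditTrail, device: dict) -> str:
    """Pick 'allow', 'force_patch' or 'isolate' for a device and log it."""
    compliant, reasons = evaluate_posture(device)
    if compliant:
        action = "allow"
    elif reasons == ["patches older than %d days" % MAX_PATCH_AGE_DAYS]:
        action = "force_patch"  # only patching is overdue: remediate, keep access
    else:
        action = "isolate"      # encryption or health failure: cut access now
    trail.append("automation", device["id"], action, {"reasons": reasons})
    return action


def demo() -> dict:
    trail = AuditTrail()
    trail.append("admin@example.eu", "dev-001", "policy_change", {"policy": "fde_required"})
    devices = [  # constructed sample telemetry
        {"id": "dev-001", "disk_encrypted": True, "patch_age_days": 3, "health": "ok"},
        {"id": "dev-002", "disk_encrypted": True, "patch_age_days": 45, "health": "ok"},
        {"id": "dev-003", "disk_encrypted": False, "patch_age_days": 2, "health": "ok"},
    ]
    actions = {d["id"]: apply_automation_rule(trail, d) for d in devices}
    intact = trail.verify()            # None: chain is consistent
    trail.entries[2]["action"] = "allow"  # someone rewrites history after the fact
    tampered_at = trail.verify()       # 2: the edited entry no longer matches its hash
    return {"actions": actions, "intact": intact, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner will want: a hash chain is tamper-evident, not tamper-proof, so the head hash must be anchored somewhere the log writer cannot reach (a signed timestamp, WORM storage, or a separate verifier); and the rule above deliberately distinguishes "overdue patches" (remediate) from "no disk encryption" (isolate), because isolating every non-compliant device on first sight is a denial-of-service against your own fleet.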

Our architecture is built to exceed these standards. Explore the technical blueprints in our Whitepaper: Digital Sovereignty.

Moving forward: from management to sovereignty

The legal framework of 2026 has transformed cybersecurity into a pillar of operational resilience. It is no longer a question of “if” the device is managed, but whether that management is sovereign, auditable, and resilient.

At Applivery, we are ready to help you navigate this transition, ensuring your infrastructure is fully compliant with European standards.

Frequently Asked Questions (FAQ)

To meet the NIS2 deadlines (early warning within 24 hours, incident notification within 72 hours), you need automated telemetry. Applivery provides real-time alerts and immutable logs that let security teams establish the scope of a breach quickly, so the report to the authorities can be filed within the window.

Yes, it matters. Under the DUAA, "Contractual Sovereignty" means that if your provider is subject to non-adequate foreign jurisdictions, you are performing a restricted transfer regardless of server location. Applivery solves this by being a 100% EU-registered entity.

Using an MDM or IdP that does not meet CRA standards can lead to fines and disqualification from operating within critical infrastructure or government-related projects.

Absolutely. Applivery provides the audit-ready reporting and standard configurations required to meet ENS measures, simplifying evidence collection for Spanish public sector requirements.
