Security

Regulations

EU Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European Union regulation that came into force on 17 January 2025. It requires financial organisations to strengthen their cybersecurity resilience to help them stay protected as the financial services sector shifts to the increasing use of digital technologies. DORA also contains obligations that apply to financial organisations’ third-party ICT service providers, so it’s relevant to a wide range of organisations.

EU Network and Information Security Directive 2 (NIS2)

The Network and Information Security Directive 2 (NIS2) is a European Union directive that came into force for EU member states as of 17 October 2024, the deadline for member states to enact legislation. Under Article 26, Barracuda Networks, Inc. is subject to the jurisdiction of Austrian NIS2 authorities. Austria enacted its NIS2 legislation in December 2025, so Barracuda is actively preparing to register when that process is made available by the Austrian authorities in the fall of 2026. Barracuda’s preparations include identifying its products and services that are subject to NIS2 and reviewing the company’s policies and procedures to confirm that they meet the requirements of NIS2.

EU AI Act

In August 2024, the European Union’s AI Act (Act) entered into force — a first of its kind legislation that regulates the development, provision, deployment, and importation of Artificial Intelligence (AI) systems into the EU. The Act separates AI risks into four categories and sets out different rules for each risk level.

The aim of the Act is to regulate AI to ensure that these risks are properly managed, minimised, and remediated. The Act will be fully enforceable in August 2026. However, some parts of the Act will apply sooner.

What do I need to do to comply?

The most important next step, if you have not already started to prepare for the Act, is to check which risk category your company’s products or services fall under. Most businesses will fall under the limited or minimal risk categories.

Prohibited AI

Prohibition of ‘unacceptable risk’ AI systems took effect on 2 February 2025. Chapter 5 discusses prohibited AI practices.

High risk

Companies that develop and deploy high-risk AI systems need to ensure that their systems are compliant with the requirements set out in Chapter 3, Section 2 of the EU AI Act, titled ‘Requirements for High-Risk AI Systems’. This section of the Act sets out the obligations for businesses that fall in the category, including risk management, record keeping, and maintaining human oversight.

Limited risk

Businesses that develop or deploy limited-risk AI systems are required to provide users with transparency disclosures to ensure that users are aware that they are interacting with or consuming content from an AI system. Article 50 of the AI Act includes more detail on the transparency obligations for these kinds of AI systems.

Minimal risk

Be certain that your AI system falls into the minimal, unregulated category. Keep an eye out for any developments that might affect your business.

If you’re not sure which category your business falls into, you can complete this questionnaire on the official EU AI Act website to find out.

What about Barracuda’s products?

Barracuda Products

Barracuda products and services containing AI fall into the “minimal risk” category. Barracuda includes information regarding the use of AI in the Product and Service Descriptions on the Product Guide.

Find out more about the EU’s AI Act, the risk categories, and what you need to do to comply in our e-book, Getting ready for the EU AI Act.


Additional Resources

AI Act e-Books

English

French

German

Italian

Portuguese

Spanish


Links to AI Act Websites

European Parliament Overview

In-depth Discussion

AI Act Official Text

EU Data Act

The EU Data Act came into force as of 11 January 2024 and applies to companies that operate in the EU as of 12 September 2025. The Data Act, among other things, seeks to give consumers access to telemetry data about their use of connected products. Barracuda collects telemetry data from its hardware products and related services for use in supporting and improving those products. Barracuda calls this data “Systems Data” and owns this data. Barracuda addresses its collection and use of Systems Data in its Legal Terms and Conditions. Barracuda is continuing to assess the Data Act and will provide an update when more information is available. For hardware products, Barracuda will provide more information about the telemetry data it collects in each applicable Product Guide document. Questions about Barracuda and the Data Act can be sent to legal@barracuda.com.

U.S. 2018 CLOUD Act

Barracuda is committed to protecting its customers’ data in accordance with our Global Data Processing Addendum, Privacy Notice, and with applicable laws. Below are some FAQs to help customers and partners understand more about the 2018 Clarifying Lawful Overseas Use of Data (CLOUD) Act, its purpose and Barracuda’s process for handling requests for information under this law.

What is the CLOUD Act?

The purpose of the 2018 U.S. federal CLOUD Act is to help U.S. law enforcement obtain data stored abroad in cross-border investigations involving serious crimes, ranging from terrorism and violent crime to sexual exploitation of children and cybercrime.

Among other things, the CLOUD Act enables the U.S. to enter into reciprocal executive agreements with trusted foreign partners to obtain access to electronic evidence for investigations of serious crimes. These agreements create limited exceptions to U.S. disclosure restrictions so providers can comply with foreign legal orders, subject to strict safeguards. Thus far, the U.S. has only entered into reciprocal agreements with the U.K. and Australia. Negotiations are pending with other jurisdictions.

To whom does the CLOUD Act apply?

The CLOUD Act applies to communication service providers (CSPs), which include cloud service providers. Under the CLOUD Act, the U.S. government may compel CSPs to turn over data if U.S. courts have authority over that company, regardless of where the communications are stored.

This law also extends to companies based outside of the U.S. that have U.S.-based offices or other significant business ties to the U.S. In short, any CSPs with headquarters outside the U.S. and with operations in the U.S. are also subject to the CLOUD Act.

What process must the U.S. government go through before it can get someone’s communications under the CLOUD Act?

The U.S. government may require disclosure of communications through search warrants, subpoenas, or court orders. Whether the U.S. government can obtain communications under the CLOUD Act will depend on several factors, including:

  • Warrants issued based on probable cause that the communications are evidence of a crime
  • Government to prove that U.S. courts have authority over the CSP
  • CSP actually controls the communications at issue

A CSP can ask a court to reject or narrow that demand in certain situations.

What is Barracuda’s process for dealing with CLOUD Act requests?

Barracuda provides Legal Process Guidelines for how the U.S. government can seek access to customer data from Barracuda. As indicated in these Guidelines, and consistent with the CLOUD Act, Barracuda requires that the government present a validly issued court order such as a subpoena to Barracuda before the company will provide any customer data. Unless prohibited by a validly issued Nondisclosure Order, Barracuda will notify the affected customer that it is providing its data to the government.

Certain Barracuda SaaS services, such as Cloud-to-Cloud Backup and Barracuda Cloud Archive Service, allow customers to store back-up copies of data in a cloud environment. Other Barracuda SaaS services may store customer email data for a limited time in connection with providing the service and then delete the data. In the latter instances, Barracuda likely does not have the data that the government seeks. Customers can read more about the data retention process for Barracuda SaaS services on the Product Guide.

Do other countries have anything like the CLOUD Act?

Yes, other countries have laws that require companies to provide data to law enforcement in connection with cross-border investigations involving serious crimes. For example, the United Kingdom’s (U.K.) Crime (Overseas Production Orders) Act allows U.K. law enforcement agencies to obtain stored electronic data located outside of the U.K. in connection with a criminal investigation.

U.S. Financial Industry Regulatory Authority ("FINRA")

The Financial Industry Regulatory Authority (“FINRA”) is a non-governmental organization that sets regulations for broker-dealers and exchange markets in the United States. Barracuda’s financial industry customers subject to FINRA regulations depend on Barracuda products and services to protect their business, including obligations to retain immutable backup copies of certain data. Please review specific Barracuda product information for more details about how products store data.

Request for Barracuda Essential Suppliers List

Download Barracuda Essential Suppliers List

By downloading the Barracuda Essential Suppliers List, you acknowledge and agree that this list is Barracuda Confidential Information and must be treated as such to the maximum extent possible under applicable law.