EU technology & regulatory law

Regulation, read by someone who has built the systems being regulated.

Find the legal risk in a digital product while it can still be designed out, not after it ships. Nexura Law advises businesses and institutions across the EU on the regulation that governs software, read by a technologist of twenty years who has built the systems being regulated.

Compliance lawyer conducting a technical inspection in a data centre
The differentiator A lawyer at the rack, not only at the desk
Scroll
Not a compliance checkbox vendor. A specialist who understands regulatory collisions: where two or more regimes hit the same product at once.

Most technology law is written by people who have never deployed to production, and most production systems are built by people who have never read a regulation to its definitions. The interesting problems live in the gap between them. A single product can fall under cybersecurity governance, product security law, data protection and financial resilience simultaneously, and the obligations rarely agree with one another.

Nexura Law works at that intersection. Two decades of building production systems across retail and banking sit behind every opinion, so the advice holds up in both the architecture review and the regulator's inbox.

Why now

The obligations are not waiting for the queue to clear

The European technology rulebook is arriving on a fixed schedule, and the dates that matter for products on the market are inside the next two years. The work that protects a launch happens well before the deadline, not after it.

Now DORA in force Operational resilience obligations for financial entities and their critical ICT providers already apply.
Sep 2026 CRA reporting begins Manufacturers must report actively exploited vulnerabilities and severe incidents, including for products already on the market.
Aug 2026 AI Act enforcement starts The bulk of the Act applies and enforcement begins, with transparency duties live and the high-risk regime phasing in from late 2027.
Dec 2027 CRA in full Security-by-design, conformity assessment and CE marking apply to every new product with digital elements placed on the EU market.
Scope of practice

Five regimes, one product, and the friction between them

The offering is organised around the regulatory regimes that govern digital products in Europe, together with the contract and advisory work that sits on top of them. Each is handled with genuine technical depth, not as a template exercise.

01
GDPR · Data protection

Data protection that survives the build

Lawful cross-border architecture, pseudonymisation that actually holds, and anonymisation before inference for AI workflows. Advice grounded in how the data moves through the system, informed by the evolving case law on when pseudonymous data is personal data at all.

Cross-border transfersPseudonymisationAI data flows
02
NIS2 · Cybersecurity governance

Cybersecurity as organisational governance

Obligations for in-scope and essential entities, framed where they belong: at board level, as a question of governance rather than a checklist for the IT team. Practical, proportionate advisory for SMEs working out whether and how the regime reaches them.

Scope assessmentGovernanceSME advisory
03
CRA · Cyber Resilience Act

Security for products with digital elements

Conformity obligations, incident reporting under the Act, and the open-source steward category that so many projects misread. Where software is placed on the market, the CRA reshapes the duties of everyone in the supply chain, and the licence you chose years ago suddenly matters.

ConformityIncident reportingOSS steward status
04
DORA · Operational resilience

Digital operational resilience for finance

Resilience and third-party risk for financial entities and their critical ICT providers, drawing directly on years spent building banking systems. The regulatory text reads differently when you have lived inside the systems it governs.

ICT riskThird-party oversightBanking depth
05
AI Act · Artificial intelligence regulation

The AI Act, where it meets the rest of the stack

Risk classification, prohibited practices and the obligations that attach to providers and deployers of AI systems. The Act rarely applies on its own: it lands on top of data protection, product security and the systems that already ship, which is exactly where the difficult questions sit. Advice here covers the classification itself and the place where AI obligations meet GDPR data flows and CRA product duties, so the answer to one regime does not breach another.

Risk classificationProhibited practicesProvider & deployer dutiesAI × GDPR × CRA
NIS2 × CRA
CRA × AI Act
CRA × Export controls
GDPR × Everything

The differentiator is the intersection, not the statute in isolation.

These laws do not arrive one at a time. They land on the same product together, and their definitions, timelines and reporting duties pull in different directions. Handling that overlap, deciding which obligation governs when they conflict, is where the real work is and where most advice falls short. A forthcoming Cyber Cloud and Development Act is already on the horizon, and the practice is preparing for it now.

Typical engagements

Concrete pieces of work, with a clear deliverable

Most engagements begin as one of these, scoped to a fixed outcome so you know what you are getting before it starts. Each can stand alone or open into wider advisory.

CRA

CRA Readiness Review

Where a product stands against the Cyber Resilience Act before it reaches the market, including conformity duties, incident reporting and whether open-source steward status applies.

Open source

Open Source Licence Audit

A map of licence-conflict and dependency risk in what actually ships, with SBOM and licence inventory in the build pipeline and a clear view of obligations and remediation.

AI Act

AI Act Risk Classification

Where an AI feature lands under the Act, what that triggers for provider and deployer, and how the obligations sit against the data protection and product duties already in play.

NIS2

NIS2 Board Briefing

A focused session that puts cybersecurity where it belongs, at board level: whether the regime reaches the organisation, what it demands, and who carries the responsibility.

Signature

Regulatory Collision Assessment

The flagship piece. When two or more regimes hit the same product at once, this works out which obligation governs where they conflict, so one answer does not quietly breach another.

Contracts

Technology Contract Review

Drafting and review for technology, licensing, data and SaaS agreements, read by someone who understands both the commercial terms and the systems they describe.

Not sure which one fits? Describe the situation and the right starting point becomes clear quickly.

Flagship capability
MIT · BSD · ApachePermissive
LGPL · MPL · EPL · EUPLWeak copyleft
GPL · AGPLStrong copyleft
BSL · SSPL · Elastic · RSALSource-available
Freedom to combineObligation to share
Open-source licensing

The text no one reads, and the risk it carries

Every commercial product ships other people's code, and every licence is a contract most teams never open. Nexura Law treats open-source licensing as a signature discipline: licence-conflict and transitive-dependency risk in products shipped to customers, SBOM and automated licence inventory in the build pipeline, and the regulatory consequences of the licence you picked, including CRA steward status and public-procurement eligibility.

This is unusually defensible territory. The relicensing era, from Terraform to OpenTofu and Redis to Valkey, turned licence choice into a question of community trust and commercial survival. Advising on it well means speaking to dynamic versus static linking, and to AGPL as a network trigger, without hand-waving.

Advisory meeting reviewing documents
How the work is done

Engineering discipline, applied to the law

I

Read the system, then the statute

Advice begins with how the product actually works. A security design review here is a genuine technical exercise, not a questionnaire, drawing on real architecture experience including VPN and network design on live projects.

II

Hold the whole regulatory picture

A single opinion accounts for every regime in scope at once, so the answer to one obligation does not quietly breach another. The collisions are mapped before the memo is written.

III

Write to be understood

Counsel that an engineering team and a board can both act on. Plain, precise, and specific to the decision in front of you, with the published thinking to back it.

Where the practice works

A cross-border practice, built outward from the Nordics

Rooted in Sweden and the wider Nordic market, extending across common-law and EU-institutional Europe. Swedish builds trust at home; the regulatory thinking is done in English and reaches the whole single market.

Primary base

The Nordics

Sweden first, then the wider Nordic market. A Swedish-language entry point for the clients who want one.

Common-law fit

Ireland

A natural home for an England and Wales solicitor, and one of Europe's principal technology hubs.

EU corridor

Benelux

Belgium and the Netherlands, the institutional and technology corridor at the centre of EU regulation.

Institutions

EU bodies

Advisory toward bodies such as ENISA and EUIPO, realistically via framework holders and subcontracting.

Portrait of the principal of Nexura Law
Nexura Law Technology & regulatory counsel
The practitioner

A technologist who became a regulatory lawyer

The credibility behind Nexura Law is simple and rare. Twenty years were spent building production systems across retail and banking, in environments where regulation is not an abstraction but a daily constraint on what ships. That work ran from Rails through to React, Java and Spring, with the observability and data tooling that modern systems demand.

The move into law was deliberate, not a second act. Alongside a master's in computer science came formal legal training, five years advising on commercial law, intellectual property and the commercialisation of research at an university innovation office, and a postgraduate qualification in law from the University of London, with qualification as a Solicitor of England and Wales now underway.

The thinking is shared in public, not kept in a drawer. That includes guest lecturing on the Cyber Resilience Act and open-source licensing, speaking on cybersecurity regulation for small and medium-sized businesses, and an ongoing journal on EU digital regulation and the places where these regimes collide.

The practice operates as Nexura Law, the legal brand of Skipbug AB, an established Swedish consultancy, and is preparing to stand as its own company. What ties it all together is the ability to move fluently between the engineering and the regulatory worlds, and to be taken seriously in both.

Foundation MSc Computer Science
Twenty years in systems development
Legal training PgCert in Laws, University of London
Swedish paralegal qualification
Sectors Retail & banking
Regulated production environments
Languages Swedish & English
Some Spanish

Work is currently provided as technology and regulatory advisory through Skipbug AB. Qualification as a Solicitor of England and Wales is underway, and the protected title will be used once registration is complete.

How we work

Three ways to bring the practice in

The right shape depends on the problem. A bounded question wants a project; a team that needs to understand a regime wants a session; an organisation living with these obligations wants someone on call.

I

Defined project

A scoped review or analysis with a fixed deliverable and timeline, one of the typical engagements above or something shaped to your situation. Clear start, clear output.

II

Workshop or briefing

A focused session for a board, leadership team or engineering group that needs to understand a regime and what it means for them, built around your products rather than generic slides.

III

Ongoing advisory

A retained arrangement for organisations that need regulatory and technology counsel on call as products and obligations evolve, rather than reaching out only when something breaks.

Enquiries

Start a conversation

Whether the question is a single contract, a regulatory gap analysis, a security design review or an open-source licence audit, the first step is the same. Describe the situation, and you will hear back directly.

Practice
Nexura LawThe legal practice of Skipbug AB · Knäred, Sweden
Reach
Nordics · Ireland · Benelux · EUCross-border, remote-first

No tracking, no third-party analytics. Your message is sent directly and held in confidence.