The past five years have seen an explosion in the development of EU legal directives and regulations relating to data, cybersecurity and the digital field in general. Looking ahead, this development looks set to continue at the same rate. Below, Lindahl’s experts summarise some of the most important proposals to keep an eye on in this field.
In short, it may be said that the expansion of EU law in the digital field has a twofold purpose: on the one hand, to strengthen innovation and competitiveness within the EU and, on the other, to protect overall “European” values. It is a question of providing companies with a more level playing field, encouraging the use and commercialisation of data, while protecting personal privacy and safeguarding the principles of non-discrimination and fair competition. It is also a question of ensuring that a high level of cybersecurity is maintained and that sustainable development is promoted.
The legal instruments will have a major impact on business. Many people will remember the extensive preparations in connection with GDPR. The question is whether that work was merely a premonition of what is to come.
Some of the major EU legislation being prepared in the digital field includes:
- The Data Act
The Data Act focuses on IoT (“the Internet of Things”) and the data generated by users of connected products. The aim is to encourage broader but also fairer access to user data. As a user, you will have more control over your data and will be able to “take it with you” to other suppliers, for example. There are also rules on granting public authorities the right to user data in the event of a crisis. Possible sanctions for breaches of the regulation are equivalent to the ones we saw in the GDPR. The regulation is expected to enter into force in 2024.
- The Digital Governance Act
Applies from 23 September 2023 and supplements the Open Data Directive (which arrived in 2021). The aim is to expand access to data held by public authorities for research and innovation to also include data that is protected in some way, such as by copyright or confidentiality. The watchwords are non-discriminatory conditions and safe environments for data sharing.
- The Digital Services Act
Is fully in force from 17 February 2024. A form of marketing law for data intermediaries such as hosting services or online platforms. It is aimed at promoting growth and competition through uniform rules, while strengthening legal protection for users. Possible sanctions even exceed those that can be imposed under the GDPR.
- The Digital Markets Act
Will apply from 24 September 2024 and is focused on particularly large platforms. This is a question of so-called “gatekeepers” not being permitted to restrict their users’ business, for example by discriminating against them in relation to the gatekeeper’s own offerings. Possible sanctions in the event of repeated violations may amount to as much as 20% of annual sales at group level.
- The AI Act
Is aimed at promoting AI development, harmonising regulations and making them more effective while safeguarding rights and security. The regulation is based on a “risk-based approach” with new challenges for both suppliers and users of AI, specifically “high-risk AI”. The use of so-called prohibited AI systems can lead to fines up to a maximum of 30 million euro and 6 per cent of total global sales for the previous year. The regulations are also supplemented by a directive governing liability for damages relating to AI.
- The Cyber Security Act
The Cyber Security Act strengthens the EU cybersecurity agency (ENISA), provides it with a permanent mandate and establishes a framework for cybersecurity certification for products and services.
- The Cyber Resilience Act
Hardware and software are exposed to an increasing number of cyberattacks at an estimated cost of 5.5 trillion euro globally in 2021. The Cyber Resilience Regulation is at the draft stage and is aimed at more secure hardware and software products throughout their lifecycle. In short, it will apply to connected hardware and software products, with the exception of products such as vehicles, medical devices and use in national security. It is proposed that the Regulation will impose requirements on aspects such as development and production, self-assessment and CE labelling, as well as regular updates.
- The European Health Data Space
Another Regulation at the draft stage deals with health data and is aimed at improving and reinforcing both primary and secondary use of e-health data. The Regulation affects healthcare providers, health apps, patient record systems and users of health data (such as research companies). The draft includes clearer rights for patients and obligations for healthcare providers, requirements for certification of patient record systems, greater access to e-health data and support for disclosure of health data in accordance with the GDPR. Cross-border cooperation within the Union is also proposed, including through obligatory connection to the infrastructure for primary use of e-health data (MyHealth@EU) and the introduction of cross-border infrastructure for secondary use of e-health data (HealthData@EU).
- The NIS2 Directive
The NIS2 Directive has been adopted and will apply from 18 October 2024. The aim is to increase the level of cybersecurity throughout the Union. The Directive is of the utmost relevance in several sectors such as public administration, medical technology and pharmaceutical research. The Directive imposes requirements on risk management measures and reporting, as well as specific responsibilities for management bodies. The sanctions amount to a maximum of 10 million euro or 2 per cent of total sales.
- The Regulation on Digital Operational Resilience for the Financial Sector (DORA)
The Regulation has been adopted and will apply from 17 January 2025 with the aim of achieving a high level of digital operational resilience. DORA affects the entire financial sector and IT suppliers in terms of requirements on ICT risk management, incident management, testing and ICT third-party risks.
Do you want to know more about how your business may be affected? You are welcome to contact one of our experts.