EU Digital Markets Regulation Round-up

Allen & Overy LLP

Read the latest updates on the progress of legislation and regulation in the EU relating to technology, data, digital markets and cybersecurity.


We are delighted to present our view of the most important developments in EU digital market regulation. We present our perspective on those developments as a snapshot of the current state of regulatory progress, and it will evolve in time as the regulations pass through the process of enactment in Brussels. While it does not cover all developments, it is a valuable overview that will have relevance to you and your business.

Technology regulation

  • EU Artificial Intelligence Act
  • EU Chips Act

Data regulation

  • EU Data Governance Act
  • EU Data Act
  • EU Health Data Space
  • ePrivacy Regulation

Digital markets regulation

  • EU Digital Services Act
  • EU Digital Markets Act

Cybersecurity regulation

  • EU NIS 2 (Security of Network and Information Systems)
  • EU Resilience of Critical Entities
  • EU Cyber Resilience Act
  • EU DORA (Digital Operational Resilience for the Financial Sector)

Technology regulation

EU Artificial Intelligence Act (Regulation)

Aim

The AI Act is the world’s first concrete proposal for comprehensive regulation of artificial intelligence (AI). The draft regulation sets up a risk-based regulatory framework for AI systems, including specific rules for high-risk AI and a list of prohibited practices. It is likely to shape the wider debate on AI and, ultimately, the way that companies, start-ups, tech giants, governments and law enforcement agencies can use AI.

The draft regulation prohibits a limited number of AI practices, including (subject to narrow exceptions) the use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes. Its main content is a set of risk management obligations for high-risk AI systems. The list of high-risk systems is long; examples include AI used in the health, transport, credit scoring and HR sectors. Many lower-risk AI systems are not regulated at all, while some (such as chatbots) are subject to limited transparency obligations.

Who will the regulation affect?

In essence, the AI Regulation will affect any company which uses an AI system or its output in the EU, including:

  • Providers and developers of AI systems who commercially supply or put an AI system into service in the EU, irrespective of where they are located.
  • Importers and distributors who make AI systems available in the EU.
  • Providers and professional “users” located outside the EU, if the output produced by the system is used in the EU.
  • Professional “users” under whose authority the AI system is operated in the EU.

Next step

The European Parliament is expected to adopt its position on the AI Act by the end of 2022 or early 2023.

What it means for business

  • Potential additional risk management, cybersecurity, conformity assessment and transparency obligations on companies that provide or develop high risk AI systems.
  • Transparency obligations on certain lower risk systems (e.g. chatbots).
  • Prohibition of certain AI practices.

EU perspective

Europe fit for the Digital Age: Commission proposes new rules and actions for excellence and trust in Artificial Intelligence

Our perspective

The EU Artificial Intelligence Act

The AI Liability Directive and the updated Product Liability Directive are not included in the snapshot but have been covered in our article European Commission proposes AI Liability Directive and modernised Product Liability Directive.

EU Chips Act (Regulation)

Aim

The EU Chips Act seeks to set up an investment and development programme for the semiconductor industry. It contains provisions intended to enable the EU to double its market share in semiconductors by 2030, building capacity to design, manufacture and package advanced chips. The proposed Act is intended to mobilise EUR43 billion of public and private funds in an effort to prevent, anticipate and respond to future supply chain disruptions.

Who will the regulation affect?

All players in the semiconductor industry: chip manufacturers in the EU and internationally, users of semiconductors, SMEs, Member State governments and public research centres.

Next steps

The European Parliament is expected to adopt its position on the Chips Act in early 2023.

What it means for business

  • Opportunities for public-private consortia, manufacturers and related industries to strengthen European semiconductor production facilities.
  • Funding opportunities for construction of production facilities.
  • Funding opportunities for semiconductor R&D.
  • Monitoring of the supply chain with a crisis response mechanism that may be triggered by the European Commission in the event of significant shortages.

EU perspective

Digital sovereignty: Commission proposes Chips Act to confront semiconductor shortages and strengthen Europe's technological leadership

Our perspective

The EU Chips Act


Data regulation

EU Data Governance Act (Regulation)

Aim

The Data Governance Act (DGA) promotes the sharing of data across the EU, facilitates the reuse of public sector data and assists businesses with the development of new data-rich products and services, including those based on artificial intelligence. The act:

  • Encourages data sharing in the EU, including access to public sector data;
  • Sets up rules regarding the provision of data sharing services; and
  • Sets up conditions for the international transfer of non-personal data.

Who will the regulation affect?

  • Public sector bodies in the EU.
  • Providers of data intermediation services (entities creating a commercial relationship between data subjects and data holders on the one hand and data users on the other).
  • Data altruism organisations.
  • Companies who use or reuse data from a public sector body.

Next step

The DGA has been adopted and was published on 3 June 2022. It will be generally applicable from 24 September 2023. Organisations providing data intermediation services on 23 June 2022 benefit from a transition period and are required to comply with data intermediation services obligations by 24 September 2025.

What it means for business

  • The act imposes additional obligations on the providers of data intermediation services (entities creating a commercial relationship between data subjects and data holders on the one hand and data users on the other hand).
  • Conditions for, and the removal of barriers to, the reuse of data held by public sector bodies apply. Exclusive arrangements for the reuse of such data are prohibited, except that exclusive rights may be granted in the general interest for a maximum of 12 months.
  • Specific measures are set up to protect against an unlawful transfer of non-personal data to non-EU countries.

EU perspective

Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act)

Our perspective

EU Data Governance Act (Regulation)

EU Data Act (Regulation)

Aim

A wide-ranging, sector neutral proposal, the EU Data Act looks to unlock the untapped value of data across the EU. It aims to:

  • Facilitate access to and the use of data by consumers and businesses;
  • Provide access to public sector bodies to data held by the private sector where there is an exceptional need;
  • Facilitate switching between cloud and edge services;
  • Safeguard against unlawful international transfer of, or third-country governmental access to, non-personal data held by cloud service providers;
  • Provide for the development of interoperability standards for reuse of data; and
  • Set up conditions for international transfer of non-personal data.

Who will the regulation affect?

  • Manufacturers of connected products and providers of related services on the market in the EU.
  • Business and individual users of those connected products and related services.
  • Data holders who have a right, obligation or ability to make certain data available to data recipients in the EU.
  • Providers of “data processing services” to customers in the EU, including cloud service providers.

Next step

The European Parliament is expected to adopt its position on the Data Act in Q1 2023.

What it means for business

  • Transparency obligations on IoT manufacturers and data holders regarding data generated by connected products.
  • Obligation on manufacturers and data holders to provide access to data generated by products to users or third parties on request, including via API.
  • The Act includes contractual obligations that will apply to data sharing agreements between data holders and data recipients. These include FRAND terms and conditions, and the prohibition of unfair terms when contracting unilaterally with SMEs.
  • Data processing service providers, including cloud and edge service providers, will have to facilitate switching and data portability while maintaining a minimum functionality of the service. This may require a review of their contractual provisions with their customers.
  • The European Commission will develop model contractual terms on data access, and standard contractual clauses for cloud computing.
  • Obligation to provide data to public sector authorities if requested in the case of exceptional need, such as a public emergency.

EU perspective

Data Act: Commission proposes measures for a fair and innovative data economy

Our perspective

The EU Data Act

European Health Data Space (Regulation)

Aim

The European Health Data Space sets up rules regarding the primary and secondary use of health data. It looks to support individuals in taking more control of their own health data. It seeks to use health data for better healthcare delivery, better research, innovation and policy making.

The Data Space introduces compliance requirements for Electronic Health Record (EHR) systems manufacturers, importers and distributors.

Who will the regulation affect?

  • Electronic health data holders - public bodies and private companies.
  • Data users of electronic health data for secondary uses including scientific health research or development of health products.
  • Manufacturers, importers, distributors, suppliers of EHR systems and wellness applications on the EU market, as well as the users of such systems.
  • Patients and healthcare professionals.

Next step

A period of public consultation ended on 28 July 2022. The Council and the European Parliament are expected to adopt their positions on the European Health Data Space by the end of 2022 or early 2023.

What it means for business

  • Manufacturers of EHR systems will have to meet interoperability requirements and additional compliance requirements.
  • Health data holders in the EU may have to make their broadly defined electronic health data and associated metadata available for secondary use for a fee, and in accordance with authority-issued permit.
  • Data users may use the electronic health data in accordance with the permit but will be subject to conditions including the requirement to make public any results or output of such secondary use within 18 months.

EU perspective

European Health Union: A European Health Data Space for people and science

Our perspective

The European Health Data Space

ePrivacy Regulation

Aim

The ePrivacy Regulation will set out privacy and confidentiality requirements for electronic communications in the EU. It will regulate:

  • The provision of electronic communications services;
  • The processing of electronic communications data, metadata and content and end users' terminal equipment information;
  • The transmission of direct marketing communications; and
  • Publicly available directories of end users of electronic communications services in the EU.

Who will the regulation affect?

Companies operating in the digital economy, electronic communications services providers, over-the-top service providers and organisations using cookies, tracking technologies or engaged in direct marketing.

Next steps

The Council of the EU, the European Parliament and the European Commission are proceeding with trilogue negotiations about the final text of the ePrivacy Regulation. The Commission published a first draft of its text in 2017. The fact that no agreement has been reached thus far indicates that there are significant differences on how Member States and the Parliament see this regulation.

What it means for business

The new ePrivacy Regulation seeks to replace the existing ePrivacy Directive. Businesses within the scope of the Regulation may need to review the ways in which they collect, process and retain communications data, metadata and content. They may be subject to obligations such as, but not limited to:

  • The confidentiality of electronic communications;
  • Rules regarding data retention; and
  • A harmonisation of currently diverging rules on cookies and similar technologies.

EU perspective

Commission proposes high level of privacy rules for all electronic communications and updates data protection rules for EU institutions

Our perspective

ePrivacy regulation


Digital markets regulation

EU Digital Services Act (Regulation)

Aim

The EU Digital Services Act (DSA) aims to limit the spread of illegal content online, with the aim of creating a secure and safe online environment for all. It modernises liability rules of online intermediaries and introduces a new set of obligations regarding transparency requirements and the removal of illegal content.

Who will the regulation affect?

Online intermediaries and service providers regardless of their place of establishment, including:

  • Providers of mere conduit services, such as internet service providers, VPNs, domain name system services and VoIP.
  • Providers of caching services, such as content delivery networks, content adaptation proxies or reverse proxies.
  • Online hosting providers and platforms, such as cloud service providers, online marketplaces, social media and app stores, that offer services in the EU.
  • Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), with at least 45 million average monthly active recipients in the EU.

Next step

The DSA was published in the Official Journal on 27 October 2022. It enters into force on 16 November 2022 and most of its provisions apply from 17 February 2024. Obligations specific to VLOPs and VLOSEs apply four months after their designation as such, if that happens before 17 February 2024. Certain provisions apply from 16 November 2022, including those on transparency reporting for online platforms, the supervisory fee for VLOPs and VLOSEs, and certain delegated acts the Commission may adopt.

What it means for business

Depending on the type of online intermediary service provided, additional obligations may apply regarding complaint handling and redress mechanisms, transparency, due diligence, reporting, specific privacy, safety and security protections for minors, advertising transparency, systemic risk mitigation and crisis management. Penalties for non-compliance are steep, in some cases up to 6% of an organisation’s annual worldwide turnover, so in-scope providers should identify which tier of obligations applies to them and plan for compliance accordingly.

EU perspective

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)

Our perspective

The EU Digital Services Act

EU Digital Markets Act (Regulation)

Aim

The Digital Markets Act (DMA) requires large online platforms which act as “gatekeepers” in digital markets to comply with wide-ranging obligations. Its objective is to ensure that digital markets are fair and contestable.

Who will the regulation affect?

Core platform services providers designated as 'gatekeepers', according to the criteria set out in the DMA. These include:

  • Online intermediation services, online search engines, online social networking services;
  • Video-sharing platform services;
  • Number-independent interpersonal communications services;
  • Operating systems;
  • Web browsers;
  • Virtual assistants;
  • Cloud computing services; and
  • Online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services - only if they are also offered by platforms providing any of the other core platform services listed above.

Next step

The DMA was adopted and published in the Official Journal on 12 October 2022. It entered into force 20 days after publication, on 1 November 2022, and becomes applicable on 2 May 2023. Some provisions apply from 1 November 2022, including those concerning the European Commission’s powers to adopt delegated acts, implementing acts or guidelines. Others apply from 25 June 2023, including the provisions on representative actions against infringements by gatekeepers and on the reporting of breaches and the protection of reporting persons.

What it means for business

Companies designated as ‘gatekeepers’ (and ‘emerging gatekeepers’) will face additional obligations, including limits on their ability to process and combine personal user data, to favour their own and related third parties’ products and services in rankings, and to impose certain access and other restrictions on end users. They will need to ensure that their operations comply with the provisions of the DMA.

EU perspective

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)

Our perspective

The EU Digital Markets Act


Cybersecurity regulation

EU NIS 2 (Directive)

Aim

The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity, and its aim was to achieve a high common level of cybersecurity across Member States.

NIS 2 seeks to:

  • Extend the scope of the rules beyond the entities defined as “operators of essential services” and “digital service providers” (DSPs) in NIS 1;
  • Strengthen cybersecurity requirements;
  • Increase incident reporting obligations; and
  • Extend supervision and enforcement.

There will be two supervision and enforcement regimes, a lighter one for important entities and a more stringent one for essential entities.

Who will the regulation affect?

  • The new Directive covers medium and large enterprises in the listed sectors. The national designation requirement is no longer applicable: any entity exceeding the size cap in a listed sector will be subject to the new rules.
  • Sectors of high criticality (essential entities): Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water, Waste water, Digital infrastructure, ICT service management (B2B), certain Public administration and Space.
  • Other critical sectors (important entities): Postal and courier services, Waste management, Manufacture, production and distribution of chemicals, Production, processing and distribution of food, Manufacturing, and Digital providers (eg online marketplaces, online search engines, social networks).
  • Broadly, large entities in the high-criticality sectors are essential entities; medium-sized entities in those sectors and entities in the other critical sectors are important entities.

Next step

On 13 May 2022, the European Parliament and the Council reached a provisional agreement on the Directive. The Parliament approved the final text on 10 November 2022 and the Council on 28 November 2022. The adopted text is expected to be published in the Official Journal by the end of 2022 or in Q1 2023. It will enter into force 20 days after publication, and Member States will have 21 months to transpose NIS 2 into national law.

What it means for business

  • NIS 2 extends the scope of the Directive to more entities, increases cybersecurity risk management requirements (including supply chain security), tightens incident reporting obligations, introduces more stringent supervisory measures and extends enforcement, including harmonised administrative fines across the EU.
  • Covered entities need to understand their obligations and be prepared to meet them by the time the national laws transposing the Directive apply.

EU perspective

EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation

Our perspective

The EU NIS 2 Directive

EU Resilience of Critical Entities (Directive)

Aim

The Directive requires Member States to develop a strategy to strengthen the resilience of critical entities. It sets out obligations for critical entities to enhance their resilience in the face of non-cyber risks (NIS 2 covers the cyber side). The Directive also establishes rules for Member States to identify critical entities and sets up supervision and enforcement rules.

Who will the regulation affect?

Critical entities designated by Member States in the listed sectors, which are aligned with the sectors in NIS 2: Energy, Transport, Banking, Financial market infrastructure, Health, Drinking water, Waste water, Digital infrastructure, certain aspects of Public administration, Space, and Production, processing and distribution of food.

Next step

Political agreement was reached in June 2022. The Parliament approved the final text on 22 November 2022. The adopted text is expected to be published in the Official Journal by the end of 2022 or in Q1 2023. The Directive will enter into force 20 days after publication, and Member States will have 21 months to transpose it into national law.

What it means for business

  • Only companies designated as a critical entity will fall under the scope of the directive.
  • Companies designated as critical entities will be subject to obligations to take technical, security and organisational measures to boost their resilience, to carry out risk assessments and to report disruptive incidents to national authorities, under the Directive and the national laws transposing it.
  • Enhanced supervision applies to "critical entities of particular European significance", meaning those entities that are providing essential services to six or more Member States.

EU perspective

European Parliament legislative resolution of 22 November 2022 on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

Our perspective

The Resilience of Critical Entities Directive

EU Cyber Resilience Act (Regulation)

Aim

The EU Cyber Resilience Act aims to protect consumers from insecure digital products by introducing common security and vulnerability handling rules that will apply to manufacturers of products with digital elements. It also sets up a conformity assessment procedure, and market surveillance rules with heavy fines for breaches.

Who will the regulation affect?

  • Hardware manufacturers, software developers, distributors and importers of any product with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
  • Providers of certain remote data processing solutions relating to a product with digital elements.

Certain categories of products are excluded from the scope of application of the regulation, such as medical devices or motor vehicles.

Next step

The Commission published its proposal for the Cyber Resilience Act on 15 September 2022. The Parliament and the Council are expected to adopt their positions over the coming year.

What it means for business

  • For critical products, manufacturers may have to undergo third-party conformity assessment or, where the Commission so requires, obtain an EU cybersecurity certificate to show that they meet the essential requirements.
  • Manufacturers will need to comply with essential requirements regarding the security of their products and vulnerability handling. These requirements cover product design, development and production, and vulnerability handling throughout the product’s whole life cycle, including documenting components in a software bill of materials, providing security updates for the product’s expected lifetime (capped at five years in the proposal) and operating a coordinated vulnerability disclosure policy.
  • Products and vulnerability handling processes will be subject to conformity assessment procedures.
  • Products will have to bear a CE marking and be accompanied by a declaration of conformity.
  • Manufacturers must notify the EU Cybersecurity Agency (ENISA), within 24 hours of becoming aware of it, of any actively exploited vulnerability in the product and of any incident having an impact on the product’s security, and must inform users of the vulnerability or incident and of corrective measures.
  • High fines for non-compliance: the proposal provides for fines of up to EUR 15 million or 2.5% of worldwide annual turnover for breaches of the essential requirements.

EU perspective

New EU cybersecurity rules ensure more secure hardware and software products

Our perspective

The EU Cyber Resilience Act

EU DORA (Regulation)

Aim

The Regulation on digital operational resilience for the financial sector (DORA) establishes a detailed and comprehensive regulatory framework for EU financial entities. It introduces a homogeneous system across all EU Member States, where financial system participants need to make sure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats, including cyber threats. In addition, DORA establishes a direct oversight framework of critical ICT third-party service providers.

Who will the regulation affect?

  • Financial entities
    • Banking and payments sector: credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers (as authorised under MiCA), and issuers of asset-referenced tokens
    • Markets infrastructure: central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, and data reporting service providers.
    • Investment funds sector: AIFMs, UCITS management companies
    • Insurance sector: insurance and reinsurance undertakings, institutions for occupational retirement provision (IORPs), and insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
    • Miscellaneous: credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories
  • ICT third-party service providers, including cloud platforms and data analytics services

Next step

The European Parliament adopted DORA at first reading on 10 November 2022 and the Council on 28 November 2022. Publication in the Official Journal is expected by the end of 2022 or in Q1 2023. DORA will enter into force 20 days after publication and will apply directly in all Member States 24 months after its entry into force. DORA is therefore expected to apply from late 2024 or Q1 2025.

What it means for business

Financial entities

Financial entities will be required to address, among other things:

  • ICT risk management: have in place an internal governance and control framework that ensures an effective and prudent management of all ICT risks. Financial entities must also have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system which enables them to address ICT risk quickly, efficiently and comprehensively. The management body shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework;
  • ICT-related incident reporting: establish an ICT-related incident management process to detect, manage and notify ICT-related incidents. Financial entities must report major ICT-related incidents to the relevant competent authority within strict time frames;
  • Digital operational resilience testing: establish, maintain and review a sound and comprehensive digital operational resilience testing programme and regularly test their ICT tools, systems and processes;
  • Managing of ICT third-party risk: manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework, including by undertaking appropriate due diligence on potential and existing ICT third-party service providers, and by introducing a number of requirements in contracts with ICT third-party service providers;
  • Information-sharing: notify competent authorities of their participation in information-sharing arrangements with other financial entities relating to cyber threats and intelligence.

Critical ICT third-party service providers

ICT third-party service providers designated as ‘critical’ will become subject to direct oversight by the European Supervisory Authorities (ESAs). The ESAs will designate the ICT third-party service providers that are ‘critical’ for financial entities, taking into account certain criteria, and will establish and maintain an EU-level list of them. One of the ESAs will be appointed as Lead Overseer for each critical ICT third-party service provider. A third-country critical ICT third-party service provider to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.

The purpose of this oversight regime is to monitor, minimise and control the risks that critical ICT third-party service providers may pose to the financial industry. While DORA does not subject critical ICT third-party service providers to substantial requirements regarding their operations, it does grant far-reaching inspection powers to the Lead Overseer, which can be expected to have an impact on the business of critical ICT third-party service providers.

EU perspective

Digital finance: Council adopts Digital Operational Resilience Act

Our perspective

DORA

Beyond DORA, the EU Digital Finance Package is not covered here. You will find more information on it at the following link: EU Digital Finance Package


  1. This overview relates solely to European legislative proposals providing a regulatory framework for technology, data, digital markets and cybersecurity. Other European legislative proposals that may complement these initiatives, such as the Artificial Intelligence Liability Directive and the Product Liability Directive, are not included.
  2. The section What it means for business is a non-exhaustive list of obligations that may apply. For more details, please refer to the linked articles.
  3. The Next steps section is indicative.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
