MiCA, DSA, DMA, DGA. Are you puzzled about all the new EU Regulations in the digital field? We got you covered. In this blogpost, we decode new and upcoming EU regulations impacting the digital sector, clarifying their applicability and obligations. Let’s dive into the substance of these regulations, focusing on their implications for your business.
Data and AI: How EU Data and AI regulations will shape the industry
Navigating the digital realm demands a keen understanding of the new data and AI regulatory updates. This section explains the new EU data- and AI-related norms that are applicable to data driven companies:
The Regulation on the free flow of non-personal data democratizes data across the EU. It applies specifically to companies that handle non-personal data, such as those in cloud services, data analytics, and IT sectors. The regulation defines rules relating to:
- The free movement of non-personal data across borders: every organization should be able to store and process data anywhere in the EU
- Easier switching between cloud service providers for professional users
- The availability of data for regulatory control
The Data Governance Act (DGA) elevates the importance of data sharing while safeguarding privacy. It covers entities involved in personal and non-personal data sharing, such as public sector bodies, data intermediaries, and companies across various sectors utilizing data. This act lays conditions for:
- the re-use, within the Union, of certain categories of data held by public sector bodies
- a set of rules for providers of data intermediation services (so-called data intermediaries, such as data marketplaces)
- a voluntary registration of entities which collect, and process data made available for altruistic purposes
Entities subject to it must establish clear consent mechanisms for data use, secure data sharing platforms, and comply with the actβs governance standards to ensure the trusted sharing of data.
The Data Act is aimed at unlocking the value of data generated by IoT products among others. It affects manufacturers of IoT devices, digital service providers, and data processing entities, compelling them to make data available. For example, new measures are:
- clear rules on the permissible use of data and the associated conditions, including model contractual clauses
- enabling public sector bodies to access and use data held by the private sector for specific public interest purposes
- setting the framework for customers to effectively switch between different providers of data-processing services
Therefore, smart device manufacturer must establish transparent, fair data-sharing mechanisms in accordance with the Act, ensuring clear terms of use and accessibility of data where necessary.
The upcoming European Health Data Space Regulation (EHDS) focuses on health data, a critical asset in the digital age. This Regulation, when in force, will be applicable to manufacturers and suppliers of health records systems and wellness applications, as well as controllers and processors established in the EU that process electronic health data or that are connected with MyHealth@EU, and data users to whom electronic health data is made available by data holders in the Union.
It seeks to provide for rules, common standards and practices, infrastructures and a governance framework for the primary and secondary use of electronic health data, enhancing healthcare delivery and research. For example, it aims to strengthen the rights of natural persons concerning the availability and control of their electronic health data and to regulate the placing on the market of electronic health records systems. The EU legislators have reached a provisional agreement on the EHDS Regulation, which now waits formal adoption by the European Parliament and Council before it can become law which is expected to occur this year.
The NIS 2 Directive broadens cybersecurity obligations in the digital sector laying down measures for a high common level of cybersecurity across the EU. This Directive applies to a wide range of entities, including essential and important entities across various sectors like energy, transport, banking, and digital infrastructure. Specifically, it targets digital service providers such as cloud computing services, online marketplaces, and search engines. To these entities, the Directive enshrines:
- the need to adopt cybersecurity risk-management measures as well as reporting obligations, cybersecurity hygiene and training
- rules and obligations on cybersecurity information sharing
- more stringent supervisory measures for national authorities and stricter enforcement requirements
The upcoming Regulation on the Harmonization of GDPR Enforcement tries to harmonize enforcement mechanisms to ensure that the GDPR is applied consistently across all EU member states. This is especially important for handling cross-border cases, where data processing activities affect individuals in multiple countries. The Parliament and the Council are in the process of assessing the proposal and working on their respective positions.
The Artificial Intelligence Act (AI Act) represents the first law concerning the deployment of artificial intelligence and General Purpose AI within the EU. This legislative framework addresses, among others, manufacturers, providers, and users of AI systems. It
- classifies and regulates AI systems according to its risks with a special focus on applications that present a high risk to society and individuals
- ensures that end-users are aware that they are interacting with AI
- regulates General Purpose AI to, for example, provide technical documentation and comply with copyright laws
The Artificial Intelligence Liability Directive proposal concerns entities involved in the design, development, and supply of AI systems, focusing on high-risk applications such as those in healthcare, transportation, and public services. Companies will need to ensure their AI systems are secure and fair, minimizing damages to their users. This directive addresses the complexities associated with assigning liability for harm or damage caused by artificial intelligence systems and establishes a common legal framework for liability related to AI.
Product and Digital Services: New EU Rules Elevating Digital Product and Service Standards
In this section, we delve into new rules on product and digital services, an important aspect for companies in the digital landscape. These frameworks are pivotal for ensuring that digital services and content meet the highest standards of fairness, transparency, and quality, thereby safeguarding your company’s reputation and fostering consumer confidence.
The Digital Content Directive is a Directive that regulates contracts on the provision of digital content and services. This Directive applies to any entity that provides digital content or digital services to consumers in the EU, regardless of whether the consumer pays with money or provides personal data in exchange. For example, it covers companies ranging from those offering downloadable software, cloud services, and social media platforms to streaming services for music and videos. The Directive, for example
- requires companies to provide detailed information on the functionality of the product, including necessary updates and support
- strengthens the rights of consumers to terminate contracts if the digital content or service is not as described or fails to function properly
The Digital Services Act is a Regulation that aims at creating a safer digital space. This Act is applicable to online intermediaries and platforms, including social networks, online marketplaces, and content-sharing platforms operating within the EU. For example, it mandates these platforms to:
- remove illegal content in a timely manner
- report on their content moderation activities
- provide clear terms of use
The Act also requires transparency in advertising and the algorithms used for recommendations. The entities it applies to range from small startups to major tech companies that host user-generated content or sell goods, services, or content online.
The Digital Markets Act applies primarily to large online platforms and search engines considered as “gatekeepers” due to their significant impact on the EU internal market. It prohibits certain practices deemed unfair, such as self-preferencing and data monopolization. Big companies are required to ensure open market access for competitors, prevent data monopolization, and maintain transparency in advertising and content algorithms.
The Platform Work Directive Proposal addresses the evolving nature of digital platform work. On the 11th March 2024, a provisional agreement has been reached between the European Parliament and the Council of the EU, leading the way to the formal adoption by both bodies and to its entry into force, still expected to happen this year.
The proposal applies to digital labour platforms organising platform work performed in the EU, irrespective of their place of establishment. It aims to regulate the working conditions of persons performing platform work (e.g. taxi drivers, food delivery drivers) by:
- introducing a rebuttable legal presumption of employment in contrast to current formal self-employed status
- create new rules for the use of algorithms for human resource management
- clarifying obligations to declare work to national authorities
The Product Liability Directive Proposal is a piece of legislation that requires companies to be accountable for the safety of their products. This Proposal is currently waiting for the formal approval by the Council before it comes into force, something that we expect to happen this year. It will apply to all manufacturers within the EU, regardless of the size or sector, emphasizing the importance of product safety across a wide range of industriesβfrom electronics to smart devices, software and automotive products. The proposal will, for example:
- add digital manufacturing files and software to the scope of product liability
- change the definition of βdamageβ to include loss or corruption of data
- introduce several new legal presumptions for the burden of proof regarding the defectiveness of products
The Cyber Resilience Act is a Regulation proposal aiming to ensure that digital products and services meet specific security standards before hitting the market. The text of the proposal has been provisionally agreed upon by the EU legislators and awaits formal adoption by the Council before it can enter into force, something that we predict happening during the course of this year.
After entering into force, this Regulation will apply to products with digital elements whose use includes a direct or indirect data connection to a device or network. It will mandate essential requirements for the design, development and production of these products, and obligations for economic operators with respect to cybersecurity. For a tech company producing or supplying digital products, this might mean implementing secure coding practices and conducting regular security audits of software products.
Fintech and Blockchain: EU Regulations redefining Fintech and Blockchain
In this final stretch, we have the financial frameworks that shape the digital sector’s backbone. This section unravels the layers of compliance, security, and transparency essential for fintech and digital finance companies to thrive.
The Digital Operational Resilience Act (DORA) sets the stage for operational robustness. This Regulation applies to all financial entities in the EU, including banks, insurance companies, and investment firms. Its goal is to ensure a consistent level of maturity in terms of cybersecurity and operational resilience. The DORA requires companies to put a comprehensive information and communications technology (ICT) risk management in place including:
- establishing ICT systems and tools
- continuously monitoring all sources of ICT risks to identify abnormal activities
- introducing business continuity guidelines and contingency plans
DORA entered into force on 16 January 2023 and will apply as of 17 January 2025.
The Markets in Crypto-assets Regulation (MiCA) clarifies the regulatory landscape for crypto-assets, affecting entities engaged in the issuance, offer to the public and admission to trading of crypto-assets or that provide services related to crypto-assets. It also applies to companies outside the EU, if they wish to do business in any EU member state.Β
MiCA introduces transparency and disclosure requirements for the issuance, offer to the public and admission of crypto-assets to trading on a trading platform for crypto-assets. It also provides for requirements for the protection of clients of crypto-asset service providers and measures to prevent insider dealing, unlawful disclosure of inside information and market manipulation.
The Financial Data Access Regulation Proposal (FiDA) addresses the need for open finance. It is currently being evaluated by the Council. This Regulation Proposal is aimed at financial institutions, fintech companies, and other service providers operating in the EU financial sector. It establishes rules on the access, sharing and use of certain categories of customer data in financial services, as well as rules concerning the authorisation and operation of financial information service providers. For example under FiDA
- customer data must be made available without undue delay and in real-time
- data holders must provide customers with a permission dashboard so they can manage permissions granted to share data
- permissions will be reversible and limited
The Payment Services Directive Proposal (PSD3) updates rules for payment service providers and is currently being evaluated by the Council that will need to prepare its position on it. This Directive aims to, for example
- Combat and mitigate payment fraud by enabling payment service providers to share fraud-related information
- Improve consumer rights for example by more transparent information on ATM charges and the possibility to access cash services in shops
- Level the playing field between banks and non-banks by allowing non-bank payment service providers access to all EU payment systems
In addition, the European Commission prepared a draft Payment Services Regulation (PSR) which addresses rules concerning PSP activities and embed some requirements concerning technical standards for customer authentication.
Conclusion
As we navigate the landscape of EU regulations, it is essential for businesses in the digital sector to stay informed and proactive. The new frameworks outlinedβfrom MiCA to the Cyber Resilience Actβdemonstrate a clear trajectory towards enhanced transparency, security, and operational resilience. These regulations are not merely compliance requirements but opportunities to enhance your business practices, build trust with consumers, and gain a competitive edge.
To thrive under these new rules, businesses must prioritize understanding and integrating these regulations into their operations. Start by evaluating which regulations directly impact your services and products. Implement robust systems for data management and cybersecurity, and consider how changes in data governance can unlock new opportunities for innovation and service improvement.
Remember, staying ahead in compliance is not just about avoiding penalties but also about leveraging regulatory changes to foster innovation and customer trust. Consider seeking expert advice to navigate these complexities efficiently and effectively.