A tsunami of EU legislation
A tsunami of EU legislation is on the horizon for organizations. How are you preparing for it?
1. Bring it on - we're actively preparing
2. We're aware, but believe there's ample time
3. What regulation?
If you chose (1), congratulations are in order. You likely have a vigilant compliance team keeping the organization up to date with upcoming requirements.
For those who chose (2), I strongly recommend an immediate evaluation. New regulation is a 'grey rhino' risk - large, apparent, and approaching, yet often disregarded as distant and non-urgent.
This post specifically addresses response (3). I'll provide a high-level overview of what's coming to motivate you to start preparing. Read on to understand the implications of these categories and how they might affect your organization.
EU legislation schedule
Below, you'll find a snapshot of new or impending EU legislation. I've categorized them into three groups: Security & Safety; Data, Digitalization & Privacy; and Artificial Intelligence. While I've grouped these based on each law's primary focus, it's important to note that most of these laws intersect across several areas.
Take note of the distinction between regulations and directives. A regulation is a binding legislative act that must be implemented in full across the EU. In contrast, a directive is a legislative act that establishes a goal for EU countries to achieve. However, the method of achieving these goals is left to the individual countries, which can craft their own laws accordingly.
Below, you'll find a very brief explanation of each regulation and directive mentioned in the above image. For comprehensive details, visit the EUR-Lex site, which is a database of European Union law available in all EU languages.
Selected legislation in brief
NIS2: EU directive 2022/2555 on measures for a high common level of cybersecurity across the Union
The Network and Information Systems 2 Directive is an update to NIS1 focused on improving cybersecurity. It introduces tougher rules to tackle emerging cyber threats and digital challenges. The directive now covers additional sectors, demanding that organizations report major incidents and follow stricter risk management and reporting guidelines. This aims to boost cyber defenses, especially in key sectors.
CER: EU directive 2022/2557 on the resilience of critical entities
The Critical Entities Resilience Directive is designed to strengthen the protection of vital infrastructure in the EU against threats like natural disasters, terrorism, internal threats, and sabotage. It requires EU countries to pinpoint crucial organizations that deliver key services vital for society and the economy.
DORA: EU regulation 2022/2554 on digital operational resilience for the financial sector
The Digital Operational Resilience Act focuses on increasing the digital robustness of the EU's financial sector. It establishes a detailed set of rules for handling digital risks in financial markets. DORA applies to many financial entities like banks, payment services, investment firms, and insurance companies. Its purpose is to make sure these organizations can manage and endure different types of digital threats effectively.
eEvidence: EU regulation 2018/0108 on electronic evidence in criminal proceedings
The eEvidence Regulation simplifies how law enforcement agencies in the EU can access electronic evidence for criminal probes. It introduces new tools for quicker and more efficient access to digital data (like emails and texts) across borders. The regulation also sets out clear guidelines for member states on managing data access requests, especially those involving private companies, during investigations.
RED: EU delegated regulation 2022/30 to increase cybersecurity and privacy for wireless devices
The Radio Equipment Directive provides a regulatory framework for the marketing of radio equipment. It aims to create a single market for radio equipment by setting essential requirements for safety, health, electromagnetic compatibility, and efficient radio spectrum use. RED was revised to include Article 3.3, which now addresses the security of radio interfaces. This revision mandates that all radio equipment placed on the EU market must comply with this updated regulation to achieve CE marking, signifying conformity with health, safety, and environmental protection standards.
GPSR: EU regulation 2021/0170 on general product safety
The General Product Safety Regulation is set to become a significant component of the EU's product safety legal framework, replacing the current General Product Safety Directive and the Food Imitating Product Directive. Its goal is to improve the internal market's functioning while ensuring a high level of health, safety, and consumer protection. This is achieved by setting fundamental safety standards for consumer products sold in the EU market.
CRA: EU regulation on horizontal cybersecurity requirements for products with digital elements
The Cyber Resilience Act focuses on establishing uniform cybersecurity standards for products with digital components. Its main objective is to safeguard cyber and data security throughout the entire lifespan of such products. This applies to any product designed for use with a data connection, either physical or logical, to a device or network. The Act mandates that manufacturers must offer security support and software updates to fix known vulnerabilities.
CSA: EU regulation to strengthen preparedness to cybersecurity threats and incidents
The EU Cyber Solidarity Act is designed to improve the EU's preparedness, detection, and response to cybersecurity incidents. This Act aims to create a "European cybersecurity shield" and comes with a significant budget to strengthen EU-wide efforts against cybersecurity threats. The Act focuses on improving threat detection, increasing awareness of cybersecurity situations, and strengthening the preparedness and response strategies for major and large-scale cyber threats and attacks.
Data Act: EU regulation on harmonized rules on fair access to and use of data
The Data Act is aimed at creating harmonized rules for fair access to and use of data generated within the EU. Its primary objectives are to promote fairness, enhance competition, and encourage data-driven innovation. This Act includes regulations on data sharing, access, reuse, and portability. It also encompasses guidelines for data sharing agreements, provisions for accessing data during public emergencies, and obligations for transitioning between cloud services.
DMA: EU regulation 2022/1925 on contestable and fair markets in the digital sector
The Digital Markets Act Regulation is designed to promote a fairer and more contestable digital economy. The DMA targets the regulation of activities of companies, particularly large platforms, in the digital sector, introducing specific prohibitions and obligations for these 'big tech' companies to ensure competition and fairness. This regulation is part of the EU's effort to address and manage the dominance of large tech companies and to create a level playing field in the digital market.
DGA: EU regulation 2022/868 on European data governance
The Data Governance Act sets out regulations for the re-use of public sector data. It aims to create a unified market in the EU for data mediation services and the processing of data for altruistic reasons. The DGA's main focus is on easing the sharing of data within the EU and across various sectors.
DSA: EU regulation 2022/2065 on a single market for digital services
The Digital Services Act updates the Electronic Commerce Directive 2000 and focuses on illegal content, transparent advertising, and disinformation. It establishes a framework for regulating digital services within the EU, amending previous directives to address the current digital market. It outlines the responsibilities of digital services, particularly those acting as intermediaries, to connect consumers with goods, services, and content, aiming to create a safer and more accountable online environment.
CSRD: EU directive 2022/2464 regarding corporate sustainability reporting
The Corporate Sustainability Reporting Directive (CSRD) requires more companies to provide detailed reports on their environmental and social impact. It aims to make businesses more transparent about how they affect society and the environment.
ePrivacy: EU regulation on privacy and electronic communications
The ePrivacy Regulation will succeed the ePrivacy Directive of 2002. This regulation is an extension of the GDPR and is specifically focused on cookies and other tracking technologies, with a promise of even more stringent protection of internet user privacy. Aimed at companies in the digital economy, the ePrivacy Regulation imposes additional requirements related to the processing of personal data.
AI Act: EU regulation laying down harmonised rules on artificial intelligence
The EU Artificial Intelligence Act is designed to strengthen rules concerning data quality, transparency, human oversight, and accountability. It also addresses ethical questions and implementation challenges across various sectors. The AI Act would classify AI systems according to their risk level and establish specific development and usage requirements for these systems.
AI Liability: EU directive on civil liability rules to artificial intelligence
The AI Liability Directive seeks to establish uniform rules for non-contractual civil liability regarding damage caused by AI systems. It introduces a 'presumption of causality' that would make it easier for victims to prove damages inflicted by AI-powered software or products. This directive would enable victims to hold providers, developers, or users of AI technology accountable for harm to health, property, or fundamental rights, such as privacy. The directive aligns with the AI Act.
Be compliant out there!
As you can see, there's a substantial amount to review. It's crucial to assess your current situation and plan for compliance accordingly. The recurring themes in these regulations appear to be thorough risk management, the responsibility of leadership, and significant sanctions in the event of non-compliance.
I strongly recommend that you begin assessing the impact of these upcoming regulations on your organization.