
Important current EU digital legislation

As part of its digital strategy, the EU is currently working on various legislative initiatives. The legislative program is broad and covers numerous topics: from the use of non-personal data to the legal requirements for systems in the financial sector and the regulation of artificial intelligence.

To give you a better overview, we have compiled a list of the current legislation and legislative procedures at the EU level with data protection and IT security relevance. The overview includes not only the laws which are already in force, such as the Digital Services Act (DSA), but also those that are still in the draft phase, such as the Cyber Resilience Act (CRA). For each individual directive and regulation, we have summarized the key facts – key regulatory aspects, who the provisions will apply to, impact on companies, data protection relevance and the current status.

We will update the overview regularly to inform you about the latest developments.

Last update: March 21st, 2024.

A. Applicable legislation

Regulation on the free flow of non-personal data (FFOD, Regulation (EU) 2018/1807)

Key Regulatory Aspects

The FFOD is intended to facilitate the transfer of non-personal data across national borders within the European Union. Before the regulation, such transfers were subject to Member State law, sometimes accompanied by data localisation requirements and lock-in practices that prevented the further flow of data to other Member States. The regulation applies to all electronic data other than personal data and regulates:

  • Data localisation requirements (i.e., obligations which impose the processing of data in the territory of a specific Member State) and their prohibition
  • Availability of data to competent authorities
  • Porting of data for (professional) users of data processing services (e.g., cloud computing services)

Provisions Apply to

  • Users of data processing services
  • Authorities

Data Protection Relevance

The FFOD and the GDPR do not overlap in scope: the former applies to electronic non-personal data, the latter to personal data. For a data set consisting of both personal and non-personal data, the FFOD applies only to the non-personal part; where the two are inextricably linked, the FFOD does not prejudice the application of the GDPR (Art. 2(2) FFOD).

Impact on Companies / Public Bodies

The direct impact on companies and public bodies is rather small. The regulation serves to facilitate the creation of a single European data space and contains corresponding general requirements for the Commission and the Member States. The latter are aimed at eliminating or adjusting existing data localisation requirements. However, it should also be emphasized that the Commission wants to create codes of conduct for cloud service providers in order to facilitate switching between (European) cloud providers.

Current Status

Final

Last Published Version

Final text of the regulation from November 14, 2018 (link).

Next Step

Legislative procedure is completed.

Entry into Force/ Applicability

The regulation has applied since May 28, 2019 (six months after its publication in the Official Journal).

Open Data Directive (PSI Directive, Directive (EU) 2019/1024)

Key Regulatory Aspects

Similar to comparable US laws, the PSI Directive (recast in 2019 as the Open Data Directive) allows the re-use of “open data” from “public sector documents” in the European Union for private or commercial purposes. According to the Directive’s objective, public sector bodies and public undertakings “shall make their documents available in any pre-existing format or language and, where possible and appropriate, by electronic means, in formats that are open, machine-readable, accessible, findable and re-usable, together with their metadata”. What exactly is meant by “documents” and “open data” in Germany follows from the Data Use Act (Datennutzungsgesetz).

Provisions Apply to

  • Public sector bodies
  • Public undertakings (where public sector bodies hold at least the majority of the capital or control the majority of the votes)

Data Protection Relevance

Decisions on the scope and conditions for the re-use of public sector documents containing personal data, for example in the health sector, may require a data protection impact assessment in accordance with Art. 35 GDPR. The PSI Directive also mentions the anonymisation of personal data. The Directive applies without prejudice to the GDPR: it leaves the level of protection of personal data under Union and national law untouched (Art. 1(4) Directive (EU) 2019/1024).

Impact on Companies / Public Bodies

Public sector bodies in particular face major challenges in implementing the PSI Directive requirements, as they must make “open data” available. The limitations resulting from the GDPR, intellectual property law and trade secret protection are particularly challenging here. Together with the Data Governance Act, the PSI Directive creates opportunities for private companies to make data from public sector bodies more easily usable, thus offsetting competitive disadvantages vis-à-vis non-European companies, which have long been able to access public information in their own countries.

Current Status

Final

Last Published Version

Final text of the directive from June 20, 2019 (link).

Next Step

The directive has been transposed into German law.

Entry into Force / Applicability

The directive was implemented in Germany with the Gesetz zur Änderung des E-Government-Gesetzes und zur Einführung des Gesetzes für die Nutzung von Daten des öffentlichen Sektors (in German) on July 22, 2021.

Digital Content and Digital Services Directive (Directive (EU) 2019/770)

Key Regulatory Aspects

The Directive creates a harmonised regulatory framework for the distribution of digital services and content and is part of the European strategy to create the Digital Single Market. At the same time, the Directive limits its scope to consumer contracts, thus strengthening consumer protection. Its main subject is contracts for the supply of digital content or digital services, for example software purchases or the use of streaming services. The Directive also contains provisions on the obligations in the event of termination and on remedies for failure to supply.

Provisions Apply to

  • Businesses offering digital content or service
  • Consumers (comprehensive consumer protection provisions)

Data Protection Relevance

The Directive allows (Recital 24, Art. 3(1) Directive 2019/770) the consumer to provide or undertake to provide personal data instead of money, thus bringing this already existing business model into the legal framework. This puts the Directive into a tense relationship with the core idea of the GDPR, according to which the protection of personal data is a priority and data subjects are given defensive rights to ensure it. In the event of conflict between the provisions of this Directive and the GDPR, the latter prevails (Art. 3(8) Directive 2019/770). The Conference of the Independent Federal and State Data Protection Supervisory Authorities (Datenschutzkonferenz, “DSK”) has examined the effects of the new consumer provisions (implementing the Directive) in the German Civil Code on data protection law and has clarified that the GDPR principles continue to apply even if personal data is provided as part of a contract. A legal basis is still required for the data processing, and the use of cookies must comply with the requirements of Section 25 TTDSG.

Impact on Companies / Public Bodies

As a result of the transposition of the directive into German law and the amendments to the Sections 327 et seq. of the German Civil Code, consumer protection provisions now apply to consumer contracts for digital content or services. Businesses have to comply with regulations on conformity and liability. In addition, the burden of proof is on the trader (business) in the majority of cases.

Current Status

Final

Last Published Version

Final text of the directive from May 20, 2019 (link).

Next Step

The directive has been transposed into German law.

Entry into Force / Applicability

In Germany, the directive was implemented with the Gesetz zur Umsetzung der Richtlinie über bestimmte vertragsrechtliche Aspekte der Bereitstellung digitaler Inhalte und digitaler Dienstleistungen on June 30, 2021. The law entered into force on January 1, 2022.

Sale of Goods Directive (Directive (EU) 2019/771)

Key Regulatory Aspects

With the Directive on certain aspects concerning contracts for the sale of goods, the European legislator aims to achieve a higher level of consumer protection. This Directive replaces Directive 1999/44/EC and contains stricter harmonisation provisions to prevent fragmentation (compared to its predecessor). The Directive is considered complementary to the Digital Content and Digital Services Directive, which was published on the same day. On the one hand, it covers contracts for the sale of goods; on the other hand, it covers sales of goods with digital elements. The latter refers to any tangible movable items that incorporate or are inter-connected with digital content or a digital service in such a way that the absence of the digital content or digital service would prevent the goods from performing their functions.

Provisions Apply to

  • Businesses offering digital products
  • Consumers (comprehensive consumer protection provisions)

Data Protection Relevance

The Directive does not affect the existing data protection law.

Impact on Companies / Public Bodies

During the implementation, Section 434 and Sections 474 et seq. of the German Civil Code were amended. Some provisions of sales law have been adjusted in favour of the consumer. Among other things, businesses are subject to stricter requirements in terms of the burden of proof in sales contracts: a lack of conformity is presumed to have existed at the time of delivery if it becomes apparent within one year (formerly: six months). For goods with digital elements, an updating obligation was introduced, according to which the seller is required to supply updates.

Current Status

Final

Last Published Version

Final text of the directive from May 20, 2019 (link).

Next Step

The directive has already been transposed into German law.

Entry into Force / Applicability

In Germany, the directive was implemented with the Gesetz zur Regelung des Verkaufs von Sachen mit digitalen Elementen und anderer Aspekte des Kaufvertrags. The law entered into force on January 1, 2022.

NIS 2 Directive (Directive (EU) 2022/2555)

Key Regulatory Aspects

The NIS 2 Directive is intended to address the growing threats posed by cyberattacks. It replaces the NIS 1 Directive and has a broader scope and higher harmonisation requirements to ensure a common level of cyber resilience in the European single market. The NIS 2 Directive requires Member States to adopt a national cybersecurity strategy and to create an EU-wide network for managing cybersecurity incidents. It also imposes requirements and obligations on public and private entities to share cybersecurity information and requires them to implement cybersecurity risk management.

Provisions Apply to

  • Member States
  • Public and private entities (e.g., providers of electronic communications networks, domain name registration services, energy sector companies, digital service providers)

Data Protection Relevance

The NIS 2 Directive is without prejudice to the GDPR. It refers at several points to the provisions of the GDPR on the protection of personal data. For example, when using innovative technologies (including AI), the data protection requirements and the principles of privacy by design and default are to be observed. Recital 121 also mentions various lawful bases of Art. 6 GDPR for the processing of personal data for security purposes.

Impact on Companies / Public Bodies

For the directive to be applicable, it must first be transposed into national law.

The entities addressed by the directive are subject to reporting obligations and requirements for cybersecurity risk management. They must take technical, operational and organisational measures to minimise risks to the security of network and information systems. These include, among other things, security concepts, training and compliance with reporting obligations in the event of cybersecurity incidents.

Current Status

Final

Last Published Version

Final text of the directive from December 14, 2022 (link).

Next Step

Transposition of the requirements into national law.

Entry into Force / Applicability

The directive entered into force on January 16, 2023.

The Member States must transpose the directive’s requirements into national law by October 17, 2024.

Digital Markets Act (DMA, Regulation (EU) 2022/1925)

Key Regulatory Aspects

The DMA is intended to impose additional obligations under competition and antitrust law on the providers of core platform services (the so-called gatekeepers). The obligations for gatekeepers are strongly influenced or inspired by the ongoing or already completed proceedings of the European competition authorities.

A detailed overview of the DMA can be found here on our website (in German).

Provisions Apply to

  • Providers of core platform services (Gatekeeper)
  • Business users and competitors of the gatekeeper

Data Protection Relevance

The DMA is without prejudice to the GDPR. However, under the DMA a gatekeeper must submit to the Commission an independently audited description of any techniques it applies for profiling consumers across its core platform services (Art. 15 DMA); the Commission forwards this description to the European Data Protection Board. In addition, gatekeepers are required, among other things, to provide business users with certain data relating to the platform, which may also involve transfers of personal data.

Impact on Companies / Public Bodies

In the long term, the DMA will lead to the European Commission taking tougher and more frequent action against digital sector companies that exploit their dominant position in an anti-competitive manner. The DMA will make it much easier for the Commission to impose fines: once a company has been designated as a gatekeeper, an individual assessment of its market position in each case is no longer required.

At the same time, the DMA will make it much easier to access the existing markets, as many of the gatekeepers' obligations are aimed at ensuring contestable and fair markets (e.g., in relation to app stores).

Current Status

Final

Last Published Version

Final text of the Act from September 14, 2022 (link).

Next Step

Legislative procedure is completed.

Entry into Force / Applicability

The DMA entered into force on November 1st, 2022.

The DMA has applied since May 2nd, 2023. From that date, providers of core platform services that meet the quantitative thresholds must notify the European Commission.

The first gatekeepers were designated by the Commission on September 6th, 2023: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. These designated gatekeepers have had to comply with the requirements of the DMA since March 7th, 2024, as the key obligations apply six months after designation.

 

Digital Services Act (DSA, Regulation (EU) 2022/2065)

Key Regulatory Aspects

The DSA contains regulatory requirements for providers of online platforms and marketplaces regarding illegal content and supplements the E-Commerce Directive (Directive 2000/31/EC) in this respect in order to keep pace with the new technical realities of everyday digital life. To ensure a uniform regulatory standard, the European legislator opted for the legal instrument of a regulation, which is directly applicable in all Member States. In particular, the DSA imposes a large number of obligations on the major tech companies that provide services to users within the European Union in order to take more effective action against illegal content and to better protect and inform users.

Provisions Apply to

  • Intermediary services (“mere conduit”, “caching” and hosting services)
  • Social networks
  • Online marketplaces
  • Search engines

Data Protection Relevance

The DSA is without prejudice to the GDPR. However, the explicit prohibition of dark patterns, which will protect the users from interfaces which are designed to deceive, manipulate or otherwise impair the decision ability of a user, will affect the design of cookie banners.

Impact on Companies / Public Bodies

The DSA provides for a differentiated system of obligations, depending on the type of service and the number of users. The companies concerned will have to deal with increased documentation and administrative effort. For example, T&Cs and community standards must be adapted, and a contact point for electronic communication with authorities and users must be established. Hosting service providers and online platforms also have to introduce “notice and action” procedures so that users and third parties can notify them of illegal content. Online platforms must additionally operate an internal complaint-handling system so that users can lodge a complaint against unjustified removal or suspension of content. In addition, platforms must provide more transparent information about advertising. Very large online platforms (at least 45 million average monthly active recipients in the EU) are required, among other things, to conduct annual risk assessments.

If the measures are not implemented or the DSA is breached, companies face fines of up to 6% of the total worldwide annual turnover in the preceding financial year.

Current Status

Final

Last Published Version

Final text of the Act from October 19, 2022 (link).

Next Step

Legislative procedure is completed.

Entry into Force / Applicability

The DSA applies in full since February 17th, 2024.

The DSA will be implemented in Germany by the “Digitale-Dienste-Gesetz”. The corresponding legislative proposal has been introduced by the German government and is expected to be adopted by March or April 2024.

Data Governance Act (DGA, Regulation (EU) 2022/868)

Key Regulatory Aspects

The DGA is aimed at enabling and improving the conditions for data sharing between sectors and Member States of the European Union. In particular, datasets held or processed by public sector bodies must become easier and safer to re-use.

Provisions Apply to

  • Public bodies
  • Data intermediation services (e.g., data marketplaces, services offering datasets on commercial basis)
  • Data altruism organisations (registered organisations aimed at facilitating consent-based data sharing in, e.g., the field of research)

Data Protection Relevance

The DGA is without prejudice to the GDPR and does not contain any privileges with regard to its requirements. On the contrary, when providing data, public sector bodies may impose additional protection requirements for the re-use of the data. For example, a public sector body may require that the data is only processed in anonymised form.

From the data protection perspective, it is also worth highlighting that in the context of the DGA, the European Commission will provide a modular data altruism consent form (Art. 25(1) DGA). This form is also intended to ensure that the requirements of the GDPR are fulfilled. It seems possible that this form could also be used in other cases as a consent form approved by the Commission.

Impact on Companies / Public Bodies

The regulation will primarily improve the availability of data from public sector bodies. Very relevant in this context will be the single information points that shall be established by the Member States and will not only accept enquiries and requests for the re-use of data but will also provide an asset list of all available data resources, as specified by the DGA. This should make it much easier for companies to find potentially relevant and available datasets and make them usable.

The DGA is therefore likely to be of particular interest to bodies working with health data, mobility data, environmental data, and agricultural data. Especially in the area of research, the flexible and consent-based exchange of data facilitated by data altruism organisations could be very useful.

Current Status

Final

Last Published Version

Final text of the Act from May 30, 2022 (link).

Next Step

Legislative procedure is completed.

Entry into Force / Applicability

The DGA is applicable since September 24, 2023.

 

B. Legislation not yet applicable

Data Act (DA, Regulation (EU) 2023/2854) - Update

Key Regulatory Aspects

The Data Act is intended to facilitate access to and use of data generated or obtained through the use of products or related services. It covers all types of data, not just personal data. The Act aims to ensure and facilitate access to the data that individuals or companies generate when using different products or services, and includes the right to share such data with third parties. In addition, the Data Act is aimed at facilitating switching between different services, e.g., switching from one cloud service to another. Since such a process requires the data to be compatible, the Data Act includes provisions on interoperability.

Provisions Apply to

  • Users (of products or services)
  • Data holders
  • Companies
  • Public sector bodies

Data Protection Relevance

The relationship between the GDPR and the Data Act is tense. While the GDPR aims to ensure the most comprehensive protection of personal data, the Data Act aims to ensure fair access to and use of data. The Data Act is intended to complement the GDPR and the ePrivacy Directive, and no provision of the Data Act should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data (Recital 7 DA). When personal data is accessed and shared, the principles of data minimisation and data protection by design and by default must be complied with. How this requirement can be implemented in practice remains unclear and has been questioned by the data protection authorities.

Impact on Companies / Public Bodies

The Data Act imposes extensive obligations on companies, in particular with regard to enabling access to data and data sharing with third parties. Depending on the product or service type, companies are required to adjust their processes to allow for data access, sharing and, especially, interoperability. Penalties for violations must be effective, proportionate and dissuasive.

Current Status

Final.

 

Last Published Version

Text of the regulation dated December 13, 2023 (link).

Next Step

The legislative process has been completed.

Entry into Force / Applicability

The regulation came into force on January 11, 2024. It will apply from September 12, 2025.

 

ePrivacy Regulation (Proposal)

Key Regulatory Aspects

The ePrivacy Regulation is intended to replace the current ePrivacy Directive, which is the basis for German regulations on telecommunications and telemedia (TKG and TTDSG). In particular, the Regulation includes provisions on:

  • Confidentiality of communications (secrecy of telecommunications)
  • Processing of electronic communications data (previously only traffic data)
  • Storing and accessing the information stored in terminal equipment (e.g., Cookies)
  • Direct marketing communications

Negotiations between and within the EU institutions (Council, Parliament and Commission) have been ongoing since the Commission presented its proposal in January 2017.

Provisions Apply to

  • Providers of electronic communications services
  • Website and app operators
  • Companies (especially in context of direct marketing)

Data Protection Relevance

To the extent that obligations under ePrivacy Regulation Proposal exist, no additional obligations under GDPR apply (Art. 95 GDPR in conj. with Art. 27(2) ePrivacy Regulation Proposal).

Impact on Companies / Public Bodies

It is still unclear what the final form of the ePrivacy Regulation will be, as the version provided by the European Council differs fundamentally from the Parliament’s proposal in some respects. However, the provisions of the ePrivacy Regulation are likely to have a significant impact on marketing and tracking. Compared to the existing legal framework, it is likely that there will be additional obligations or changes to the existing ones.

Current Status

Trilogues started in May 2021.

Last Published Version

Council’s proposal from February 10, 2021 (link).

Next Step

Finalising the text.

Entry into Force / Applicability

After the Regulation enters into force following the trilogue negotiations, there will still be a 24-months transition period until the provisions apply.

The requirements of the regulation are therefore not expected to become relevant before 2025 at the earliest.

Platform Work Directive (Proposal)

Key Regulatory Aspects

The Proposed Directive is primarily intended to improve the conditions of employees and self-employed people who offer their services via digital labour platforms. In addition to regulations to prevent false self-employment, the draft directive also contains a number of provisions regarding data protection for employees. For example, special requirements are introduced regarding transparency, data subjects’ rights and accountability obligations if the work of employees is organized with the use of algorithms.

A detailed overview of the Proposed Directive can be found here on our website (in German).

Provisions Apply to

According to the proposal, the directive will not apply to all platform operators, but only to operators of so-called digital labour platforms. This refers to platforms that are used to organise work performed by employees or self-employed persons at the request of third parties (the actual recipients of the service). Recital 18 of the Proposed Directive mentions, for example, the transport of persons or goods as such services.

Data Protection Relevance

With reference to Art. 88 GDPR, the Chapter III of the Proposed Directive contains some specific requirements for the processing of employee data in systems which are used to monitor, supervise or evaluate the work performance of the workers and automated decision-making systems which are used to take or support decisions that significantly affect the workers’ working conditions.

Impact on Companies / Public Bodies

For most companies, the directive will have no impact. For digital labour platforms, however, the directive could have a major impact.

In the context of a national implementation of the draft directive, the question also arises as to whether the German legislator will include universally binding data protection obligations for the automated processing of employee data in the course of directive implementation. Given the fact that the specification of employee data protection was already announced in the coalition agreement, this seems at least possible.

Current Status

Based on the Commission’s proposal, the Parliament (link) and the Council (link) adopted their amendments to the proposal.

Council and Parliament negotiators reached a compromise in the trilogue; however, it initially failed to obtain the necessary majority of Member States in the Council.

Last Published Version

Commission’s proposal from December 9, 2021 (link).

Parliament’s proposal (link).

Council’s position (link).

 

Next Step

Trilogue negotiations.

 

Entry into Force / Applicability

It is not clear yet when and in what form the directive will enter into force.

Cyber Resilience Act (CRA) - Update

Key Regulatory Aspects

The CRA aims to introduce horizontal cybersecurity requirements for products with digital elements and to eliminate the legislative patchwork in the field of cybersecurity. This is intended to minimise cybersecurity risks and ensure the secure use of such products by businesses and consumers in the European single market.

A detailed overview of the Proposed CRA can be found here on our website (in German).

Provisions Apply to

  • Manufacturers
  • Importers
  • Distributors

Data Protection Relevance

The CRA is without prejudice to the GDPR and its provisions; both laws can apply in parallel. However, the regulation also aims to increase the security of personal data by protecting the confidentiality, integrity and availability of information in products with digital elements.

Impact on Companies / Public Bodies

As far as a product with digital elements (software, hardware, individual component) is concerned, a large number of obligations to implement cybersecurity requirements are imposed on manufacturers, distributors and importers (including risk and conformity assessment as well as testing, verification and documentation obligations). Failure to implement these obligations can result in market surveillance authorities imposing fines of up to 15 million euros or 2.5% of total worldwide annual turnover for the preceding financial year, depending on the violation and the actor.

Manufacturers of products with digital elements must expect a high level of additional economic and bureaucratic effort during the development process.

Current Status

Parliament adopted the CRA on March 12th, 2024.

Last Published Version

Commission’s proposal from September 15, 2022 (link).

Next Step

The Council is expected to adopt the CRA at the end of March 2024, after which it will be published in the EU Official Journal.

Entry into Force / Applicability

The CRA enters into force 20 days after its publication in the EU Official Journal. Its main obligations apply after a transitional period of 36 months. Two exceptions apply: the manufacturers’ obligation to report actively exploited vulnerabilities and severe incidents applies after 21 months, and the provisions on notified conformity assessment bodies apply after 18 months.

Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554)

Key Regulatory Aspects

The DORA includes harmonized legal requirements for the security of network and information system infrastructures of companies in the financial sector to minimize the growing risk of cyber threats.

You can find a detailed overview of DORA here on our website (in German).

Provisions Apply to

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Investment firms
  • Crypto-asset service providers
  • Insurance and reinsurance undertakings
  • Other financial sector companies
  • ICT third-party service providers (e.g., cloud computing services, software, data analysis services and providers of data centre services)

Data Protection Relevance

Several parts of the regulation refer to the existing data protection framework. For example, the exchange of cyber threat information and intelligence must comply with Union data protection rules, in particular the GDPR. Furthermore, the European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, collectively “ESAs”) and other supervisory authorities must observe Regulation (EU) 2018/1725 as well as the GDPR when processing personal data. In addition, the contractual arrangements between ICT third-party service providers and financial entities must include provisions on the protection of data, including personal data, as required by Art. 30(2)(c) DORA. Another provision relevant in practice is Art. 28(7)(c) DORA, which requires financial entities to terminate their contractual arrangements with an ICT third-party service provider that demonstrates evidenced weaknesses in relation to the protection of personal data.

Impact on Companies / Public Bodies

DORA imposes a variety of risk management obligations on financial entities. For example, they must implement measures for the sound management of ICT third-party risk and, depending on the size of the company, document and review it at least once a year. In this respect, financial companies face greater administrative, documentation and audit burdens.

Current Status

Final

Last Published Version

Regulation text from December 14, 2022 (link).

Next Step

Legislative procedure is completed.

Entry into Force / Applicability

The regulation entered into force on January 16, 2023. It shall apply from 17 January 2025.

Artificial Intelligence Act (AI Act, Proposal)

Key Regulatory Aspects

The proposed AI Act has its focus on:

  • Laying down a uniform legal framework for the development, deployment, and use of artificial intelligence systems
  • Prohibiting certain artificial intelligence practices
  • Setting out the legal requirements for high-risk AI systems and their providers
  • Imposing transparency obligations on AI systems

AI systems are divided into four groups depending on the risk they create:

  • AI systems with minimal risk
  • AI systems with limited risk (subject to transparency obligations)
  • High-risk AI systems
  • Prohibited AI practices

The primary subject of the regulation is high-risk AI systems. They are subject to high technical and organizational standards. For example, using high-risk AI systems requires establishing a risk management system, post-market monitoring and documentation. Additionally, human oversight as well as compliance with transparency and instruction obligations is mandatory. There is still no common position as to which technologies will fall under the term “AI”. In order to distinguish “classical”, simpler software systems from AI, the Council has proposed narrowing the definition to systems developed through machine learning approaches and logic- and knowledge-based approaches. The Council’s draft includes a possibility for the Commission to adopt implementing acts to further specify the terminology.

Penalties include administrative fines of up to 30 000 000 Euro or, if the offender is a company, up to 6 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

A detailed overview of the AI Act is available here on our website (in German).

Provisions Apply to

  • Providers (e.g., developers) of AI systems (including natural or legal persons, public authorities, agencies)
  • Users of AI systems
  • Distributors

Data Protection Relevance

The AI Act is without prejudice to and complements the GDPR with a set of rules applicable to certain high-risk AI systems and remote biometric identification systems. For example, the proposed regulation explicitly mentions that high-risk AI systems may be subject to “state-of-the-art security and privacy-preserving measures” including encryption and pseudonymisation, “where anonymization may significantly affect the purpose pursued”.

Users of high-risk AI systems shall use the information provided under Article 13 of the Proposed AI Act in order to carry out a data protection impact assessment (Art. 35 GDPR). This would lead to a significant “enhancement” of data protection information, the quality of which varies greatly in our experience. The GDPR will certainly play an important role in the use of AI systems in the future.

Impact on Companies / Public Bodies

Especially when using high-risk AI systems, companies should not underestimate the assessment and documentation effort. A key element in this respect is the implementation of a conformity assessment procedure and declaration for providers of AI systems.

Finally, it is also important to note that providers of AI systems in third countries are not exempt from the requirements of the Proposed AI Act if they place their AI systems on the EU market or put them into service in the Union. Given the possible fines, this is of high relevance.

Current Status

The European Parliament adopted the text of the regulation on March 13, 2024.

Last Published Version

European Commission’s draft, April 21, 2021 (link).

General Approach of the European Council, December 6, 2022 (link).

Negotiating position of the European Parliament (link).

Next Step

The AI Act is submitted to the European Council for approval. It will then be published in the EU Official Journal.

Entry into Force / Applicability

Entry into force is expected at the end of May/beginning of June 2024. An implementation period of 36 months after its entry into force is envisaged.

Bans on high-risk AI are expected to apply within 6 months and transparency and governance provisions within one year of entry into force.

Key Regulatory Aspects

The AI Liability Directive contains rules on the presumption of a causal link and on access to evidence, applicable to providers of AI systems. The Directive is intended to ensure the protection of consumers without hampering innovation. In particular, it takes into account that it may be excessively difficult to identify the person liable for a specific AI input and to prove the conditions for a claim for damages.

Provisions Apply to

  • Providers, operators and users of AI systems.

Data Protection Relevance

The AI Liability Directive does not contain any explicit provisions on data protection. However, the Directive aims to ease the burden of proof for victims of damage caused by AI systems with regard to liability under national or European law. In this regard, the Directive is likely to have an impact on the burden of proof for damages claims under Art. 82 GDPR if data subjects suffer damage in the context of data processing by AI systems.

Impact on Companies / Public Bodies

The burden of proof rules are eased for consumers, so that it is sufficient to demonstrate non-compliance with a duty of care and the existence of a causal link to the AI system’s performance. In this context, consumers can, for example, request disclosure of relevant evidence about high-risk AI systems in court. The defendant will, however, have the right to rebut the presumption.

Current Status

On September 28, 2022, the European Commission adopted the directive proposal.

Last Published Version

Proposal text from September 28, 2022 (link).

Next Step

Adoption by the European Parliament and the European Council.

Entry into Force / Applicability

The Directive enters into force on the 20th day following that of its publication in the Official Journal of the European Union. Member States must transpose the provisions into national law no later than 21 months after the Directive’s entry into force.

Key Regulatory Aspects

The e-Evidence Regulation sets out the conditions under which EU judicial authorities may issue cross-border production and preservation orders against communication and digital service providers. The regulation would enable a Hungarian law enforcement agency, for example, to order a German internet provider to hand over data for the purpose of criminal prosecution without involving the German authorities in the proceedings.

Among other things, production orders may cover the identity of the owner of an IP address, communication content or traffic data (when, how and with whom communication took place).

Provisions Apply to

Judicial authorities of the EU member states

Companies providing communication and digital services in the EU, i.e.:

  • Traditional providers of telecommunications services (Telekom, Vodafone, Telefonica, etc.),
  • Online communication services, such as messaging, internet and video telephony services and e-mail services,
  • Providers of domain names and IP addresses,
  • Providers of digital services (the term can be understood relatively broadly; according to the case law of the CJEU, this can include, for example, social media or intermediary services such as Airbnb) via which
    • users can communicate or
    • have data processed or stored

Data Protection Relevance

The e-Evidence Regulation imposes direct legal obligations on the above-mentioned companies, which also apply to the processing of personal data. Both service providers and judicial authorities must ensure that personal data is only processed if the requirements of the regulation are met.

Impact on Companies

Companies must note that they will face sanctions if they do not provide the requested information to the judicial authorities. Due to the very short deadlines for transmission in some cases (usually within 10 days, in case of emergency within 8 hours), companies have to prepare for possible production orders. Wrongful refusal to submit the requested data may result in pecuniary sanctions of up to 2% of the total worldwide annual turnover of the preceding financial year. However, a wrongful disclosure may also constitute a violation of the GDPR and be punishable by a fine of up to 4% of the worldwide annual turnover.

Current Status

Final.

Last Published Version

Final text of the Regulation from July 12, 2023 (link).

Next Step

Legislative procedure is completed.

Entry into Force / Applicability

The regulation entered into force on August 18, 2023. It shall apply from 18 August 2026.

Key Regulatory Aspects

The Cyber Solidarity Act aims to improve coordinated actions to detect, prepare for and respond effectively to cybersecurity threats and incidents in the EU. To this end, in particular, a European Cyber Shield and a Cyber Emergency Mechanism are to be introduced.

As part of the Cyber Shield, so-called Security Operations Centres (SOCs), i.e. previously designated national authorities, gather insights on cyber threats and act as points of contact for public and private organizations.

The Cyber Emergency Mechanism provides for precautionary measures, such as testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities.

In addition, the creation of an EU Cybersecurity Reserve is envisaged, consisting of incident response services from trusted providers contracted in advance to intervene at the request of Member State or Union bodies in the event of a cybersecurity incident.

Provisions Apply to

  • EU bodies
  • EU Member States
  • Indirectly companies from critical sectors that can be tested for potential vulnerabilities
  • Indirectly companies eligible for participation in the EU Cybersecurity Reserve.

Data Protection Relevance

Information sharing among participants of the Cyber Shield must be carried out in compliance with Union (GDPR) and Member State data protection law (Recital 22 Cyber Solidarity Act). For example, insofar as personal data is processed, technical and organisational measures (TOMs) must be implemented. Personal data must be deleted when it is no longer necessary for the stated purpose.

Impact on Companies / Public Bodies

Companies from sectors with high criticality (the Regulation refers to Annex I of the NIS-2 Directive) can be tested for potential vulnerabilities.

Companies eligible to participate in the EU Cybersecurity Reserve must meet certain selection criteria and conclude respective contracts.

Member States must designate national authorities as SOCs, which will then perform tasks under the Cyber Shield. These authorities must be able to act as a point of contact for public and private organizations regarding cybersecurity threats and incidents. They should be equipped with the latest technology and contribute to the cross-border network of SOCs.

Current Status

On April 18, 2023, the European Commission published a proposal for a regulation (link).

Last Published Version

Draft of the European Commission, April 18, 2023 (link).

Next Step

Adoption by the European Parliament and the European Council.

Entry into Force / Applicability

It is not yet foreseeable when the legislative process will be completed. The Regulation enters into force on the 20th day following that of its publication in the Official Journal of the European Union.

C. Changelog

March 21st, 2024: The draft legislation on the “Digitale-Dienste-Gesetz” was introduced by the German Federal Government as an implementing law for the DSA. (link)

March 13th, 2024: The European Parliament adopted the AI Act.

March 12th, 2024: The European Parliament adopted the CRA.

March 7th, 2024: The first gatekeepers appointed by the Commission must meet the requirements of the DMA.

February 17th, 2024: Digital Services Act now applies in full.

January 11th, 2024: The Data Act has entered into force. The regulation will apply from September 12, 2025.

December 27th, 2023: Proposed Directive on Platform Work: Parliament and Council have reached a compromise. The Member States did not agree.

December 6th, 2023: Proposed AI Act: the Council and the European Parliament have reached an agreement on the proposal.

November 30th, 2023: CRA: The Parliament and the Council have reached political agreement on the CRA (link).

November 27th, 2023: DA: The Data Act was adopted by the Council of the European Union (link).

November 9th, 2023: DA: The Data Act was formally adopted by the European Parliament (link).

September 24th, 2023: DGA: The DGA applies from September 24, 2023.

August 18th, 2023: e-Evidence Regulation: The regulation entered into force on August 18, 2023. It shall apply from 18 August 2026.

July 19th, 2023: CRA: The Council of the EU adopted its negotiating position on the CRA (link).

June 27th, 2023: DA: The European Parliament and the Council of the EU have reached political agreement on the DA (link).

June 14th, 2023: AI Act: The European Parliament adopted its negotiating position on the AI Act (link).

June 13th, 2023: e-Evidence-Regulation: The e-Evidence-Regulation was adopted by the European Parliament (link).

June 7th, 2023: Directive on Platform Work: The Council adopted its position (link).

May 24th, 2023: Proposed regulation on the EU Cyber Solidarity Act (Cyber Solidarity Act): The overview now includes information on the Cyber Solidarity Act.

May 22nd, 2023: e-Evidence Regulation: The overview now includes information on the e-Evidence Regulation.

May 11th, 2023: Proposed AI Act: The Internal Market Committee and the Civil Liberties Committee adopted a draft negotiating mandate (link).

May 2nd, 2023: DMA: Starting May 2, 2023, platforms which meet the criteria are required to disclose their gatekeeper status to the European Commission.

March 24th, 2023: DA: The Council of the EU has adopted its position on the draft legislation (link).

March 14th, 2023: DA: The European Parliament has adopted its position on the draft legislation (link).

February 2nd, 2023: Directive on Platform Work: Parliament has adopted its negotiating position and approved the decision to start negotiations with Council (link).

February 1st, 2023: DSA: The Commission has published Guidance on the requirement to publish user numbers (link).

January 23rd, 2023: The Digital Operational Resilience Act (DORA) has been in force since January 16, 2023. Its provisions will be applicable from January 17, 2025.

We cannot guarantee that the overview reflects the current state of proceedings for every single legislative document at all times. We used subjective criteria to determine which laws we consider "important". It is therefore possible that a law that is important to you is not included.