The European Commission (EC) is busy pushing forward its European data strategy, leading to the fast-paced enactment of a plethora of new data laws and regulations. With its mandate set to expire in spring 2024, the EC has just two years to turn its digital policy into law, and it will try to conclude as many acts as possible in that time.

Although organisations are still coming to terms with the GDPR, another wave of legislation is poised to sweep over Europe and make a significant impact this year.

The GDPR is just the tip of the iceberg in the larger context of the digital environment in the EU:

The Digital Services Act (DSA), Digital Markets Act (DMA), Data Governance Act (DGA), Data Act, e-Privacy Regulation and revised Network and Information Security Directive (NIS2) – together with other tech regulation affecting digital platforms, digital services, online marketing, data intermediaries and more – and the proposed Artificial Intelligence Act (AI Act) will necessarily affect organisations' decision-making processes, as each brings new requirements of its own.

The Data Governance Act (DGA) is the first in a package of measures comprising the European Data Strategy and establishes a framework to facilitate general and sector-specific data-sharing (including data of public bodies, private companies and citizens). It aims to safely enable the sharing of sensitive data held by public bodies as well as to regulate data sharing by private actors.

The Data Act will set out the rules on who may access and use data, and on what terms (specifically the rules on the use of databases), seeking to strike the right balance between the incentives for organisations to invest in data and the rights of others to access and use that data.

The Digital Services Act (DSA), which will apply to the entire digital ecosystem, seeks to modernise the e-Commerce Directive with regard to illegal content, transparent advertising and disinformation by introducing transparency and responsibility rules for organisations.

The Digital Markets Act (DMA) targets the lack of competition in digital markets by imposing ex-ante obligations on the most prominent technology corporations, which play a gatekeeper role in the internet economy.

When the e-Privacy Regulation comes into force, it will further affect organisations' electronic marketing and their use of cookies.

The revised version of the Network and Information Security Directive (NIS2) will strengthen security requirements, address the security of supply chains, streamline reporting obligations and introduce stricter enforcement, including harmonised sanctions across the EU. Its purpose is to address the growing threats posed by digitalisation and the surge in cyber-attacks. The proposed expansion of the NIS2 scope will oblige more entities and sectors to comply with cybersecurity requirements.

We further expect to see greater use of sector-specific regulation, such as the proposed Digital Operational Resilience Act (DORA), which reinforces data breach reporting requirements, risk management processes and security controls for the financial services sector (complementing existing laws such as the NIS Directive and the GDPR).

The Proposal for an Artificial Intelligence Act (AI Act) marks the first comprehensive regulatory initiative on AI and aspires to promote the development and adoption of safe AI across the EU while safeguarding the fundamental rights of EU citizens. As discussions on the Proposal continue, we foresee that 2022 will be the year of AI regulation. Organisations across sectors that develop, use or plan to use AI should put in place robust, future-proof AI governance.

This complex digital framework will be coupled with the GDPR and will grow alongside it, affecting privacy and data protection in unprecedented ways.


Challenges:

  • As regards data protection and security in the current digital environment, organisations will have to deal with a vast and complex legislative web that goes well beyond compliance with the GDPR.

Actions:

  • Treat a baseline level of GDPR compliance as the starting point for meeting the other regulatory requirements.