Europe must be prepared for the digital age. This is the backdrop for the EU's digital strategy, which will guide Europe's digital transformation towards 2030. The strategy aims to empower both businesses and citizens for a sustainable digital future. The EU's digital ambitions for 2030 must be realised through investments, political initiatives and legislative measures. The legislative measures alone may seem immense and confusing. On this page, we will therefore present and summarise new legislation and proposals in the digital area.

The EU's digital strategy has an ambitious focus on data, technology and infrastructure and will bring a new and changing legal landscape for your business to navigate. The EU's strategic focus can be divided into four subcategories, which each has different legislative measures. This can be illustrated as follows:

1357530a.jpg

Cybersecurity

Regulation 2019/881 of 17 April 2019 on cybersecurity

  • Primarily of relevance to ENISA, relevant local authorities, certification actors and providers of ICT products, services and processes;
  • The objective of the Regulation is to increase cybersecurity in the EU as part of the digital development of society;
  • The Regulation establishes, among other things, a common European framework for cybersecurity certification of ICT products, services and processes;
  • Status: The Regulation has entered into force;
  • Read the Regulation here.

Directive 2022/2555 of 14 December 2022 (NIS 2 Directive)

  • The Directive is relevant for particularly critical entities and critical entities and key digital service providers, including, e.g., energy companies, transport companies, financial institutions, financial market infrastructures, etc;
  • The objective of the Directive is to further strengthen and standardise cybersecurity against potential cyber threats;
  • The Directive imposes a number of requirements on the companies and public entities covered, such as risk management, security measures, notification, supervision, etc;
  • Status: The Directive must be implemented into Danish law by 17 October 2024;
  • Read the Directive here.

Directive 2022/2557 of 14 December 2022 on the resilience of critical entities

  • The Directive is relevant for "critical entities", which are entities providing one or more essential services;
  • The objective of the Directive is to oblige Member States to take measures to ensure that services which are essential for the maintenance of vital societal functions are provided. The Directive also lays down obligations on critical entities to enhance their resilience;
  • Status: The Directive must be implemented into Danish law by 17 October 2024;
  • Read the Directive here.

Proposal for a Regulation on horizontal cybersecurity requirements for products (COM (2022) 454 final)

  • The Regulation is relevant for manufacturers, importers and distributors of products with digital elements and software and certain specifically regulated products;
  • The objective of the Regulation is to enhance the resilience against cyber threats of products connected to the internet throughout the service life of the product;
  • In its present form, the Regulation will, among other things, contribute to enhancing the transparency of security properties of products;
  • Status: The Commission's proposal was published on 15 September 2022;
  • Read the proposal for the Regulation here.

Regulation 2022/2554 of 14 December 2022 on digital operational resilience (DORA)

  • The Regulation is relevant for traditionally regulated entities in the financial sector, including banks and fintech entities;
  • The objective of the Regulation is to enhance the operational resilience to cybersecurity in the financial sector and to enable information sharing between financial entities;
  • The Regulation allows, among other things, financial sector supervisors to supervise critical ICT third-party providers, including cloud service providers;
  • Status: The Regulation has entered into force;
  • Read the Regulation here.

Processing of data

Regulation 2016/679 of 27 April 2016 on data protection (GDPR)

  • The Regulation is relevant for everyone who processes personal data and individuals who have their personal data processed;
  • The objective of the Regulation is to harmonise data protection across the EU, to give individuals more control over their personal data and to simplify the regulatory framework by harmonising legislation;
  • The Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free flow of personal data;
  • Status: The Regulation has entered into force;
  • Read the Regulation here.

Proposal for a Regulation on data protection in electronic communications (ePrivacy, COM (2017) 10 final)

  • The Regulation is relevant for providers of electronic communications services, website and app operators and a number of other businesses (particularly in relation to direct marketing);
  • It is mainly an update of the current legislation (Directive 2002/58/EC, ePrivacy Directive) to bring it into compliance with the rules of the GDPR Regulation;
  • The objective of the Regulation is to protect the privacy of online users by standardising the privacy controls of providers of electronic communications services;
  • Status: The proposal has not yet been adopted;
  • Read the proposal for the Regulation here.

Directive 2019/1024 of 20 June 2019 on open data

  • Relevant for public sector bodies (and those wishing to obtain data from them);
  • The objective of the Directive is, among other things, to ensure fair competition and easy access to public sector information;
  • The Directive implies that public data can be re-used for commercial or non-commercial purposes without unnecessary restrictions;
  • Status: The Directive has entered into force and has been implemented into Danish law;
  • Read the Directive here;
  • Read the Danish act here.

Proposal for a Data Regulation (COM (2022) 68 final)

  • Relevant for providers and users of products that record, generate or collect data and providers and users of related services and data processing services (e.g. cloud infrastructure);
  • The objective of the Regulation is to make data sharing compulsory, thereby ensuring fairness in the allocation of value from data among actors in the data economy and facilitate access to and the use of data;
  • Status: The proposal has not yet been adopted;
  • Read the proposal here.

Regulation 2022/868 of 30 May 2022 on Data Governance (Data Governance Act)

  • Primarily of relevance to public sector bodies, but also to providers of data intermediation services and organisations dealing with data altruism;
  • The objective of the Regulation is to make more data accessible by regulating the re-use of publicly held and protected data, by facilitating data sharing through the regulation of new providers of data intermediation services and by facilitating the exchange of data for altruistic purposes;
  • Status: The Regulation has entered into force;
  • Read the Regulation here.

Artificial Intelligence

Proposal for a Regulation on Artificial Intelligence (AI Act, COM (2021) 206 final)

  • The Regulation is relevant for manufacturers, distributors and users of AI systems used or placed on the Union market;
  • The objective of the Regulation is to protect fundamental rights and to enhance the positive aspects of AI through the harmonisation of AI regulation in the EU;
  • The Regulation takes a risk-based approach, depending, among other things, on the purpose of the use of the artificial intelligence;
  • Status: The proposal has not yet been adopted;
  • Read the proposal for the Regulation here.

Proposal for an amended Directive on liability for defective products (COM (2022) 495 final)

  • The Directive is relevant for manufacturers, distributors and users of AI systems, among others;
  • The objective of the amendment of the Directive is to allow injured persons to also claim compensation on the basis of a "no-fault liability" principle if defective products with software or AI systems cause damage;
  • The Directive is therefore adapted to the digital age by covering categories of products arising from the new digital technologies, such as artificial intelligence;
  • Status: The proposal has not yet been adopted;
  • Read the proposal for the Directive here.

Proposal for a Directive on AI liability (AI Liability Directive, COM (2022) 496 final)

  • The Directive is relevant for manufacturers, distributors and users of AI systems;
  • The objective of the Directive is, among other things, to ensure that victims of damage caused by AI obtain equivalent protection to victims of damage caused by products in general;
  • The Directive therefore seeks to harmonise certain rules outside the scope of the Product Liability Directive;
  • Status: The proposal has not yet been adopted;
  • Read the proposal for the Directive here.

Platforms

Regulation 2022/2065 of 19 October 2022 on digital services (Digital Services Act)

  • The Regulation is relevant for providers and users of online intermediary services (network infrastructure services, online marketplaces, cloud hosting service providers, etc.);
  • The objective of the Regulation is, among other things, to lay down harmonised rules for a safe, accessible, predictable and trusted online environment and to facilitate a high level of consumer protection;
  • The Regulation implies that obligations may be imposed on online platforms to share certain information on their algorithms, just as the platforms by this Regulation are obliged to remove illegal goods and illegal content quickly and take action against users spreading disinformation;
  • Status: The Regulation has partially entered into force, but some obligations will not enter into force until 17 February 2024;
  • Read the Regulation here.

Regulation 2022/1925 of 14 September 2022 on digital markets (Digital Markets Act)

  • The Regulation is relevant for gatekeepers providing core platform services to business users established in the Union or end users established or located in the Union, irrespective of the place of establishment or residence of the gatekeepers;
  • Core platform services are defined in the Regulation as online intermediation services, online search engines, social networking services, video sharing platforms, etc;
  • The objective of the Regulation is to contribute to the proper functioning of the internal market by laying down harmonised rules to ensure contestable and fair markets for all businesses, to the benefit of business users and end users;
  • Status: The Regulation has entered into force.
  • Read the Regulation here.

Regulation 2019/1150 of 20 June 2019 on P2B

  • The Regulation is relevant for providers and users of online intermediary services (network infrastructure services, online marketplaces, cloud hosting service providers, etc.);
  • The objective of the Regulation is to ensure that business users of online intermediation services and corporate website users in relation to online search engines are granted appropriate transparency, fairness and effective redress possibilities;
  • The Regulation implies, among other things, that platforms must set up an internal system for handling complaints for business users and that this system must be easily accessible and free of charge. Moreover, the platform must process all complaints within a reasonable timeframe and communicate the outcome to the complainant in an individualised manner;
  • Status: The Regulation has entered into force;
  • Read the Regulation here.

Regulation (EU) 2023/1114 of 31 May 2023 on markets in crypto-assets

  • The Regulation is relevant for persons involved in the issuance of certain crypto-assets or providing services related to certain crypto-assets in the EU;
  • Among other things, the Regulation aims to establish transparency and disclosure requirements in connection with the issuance of crypto-assets and their admission to trading;
  • The Regulation is part of a digital finance package to help support the potential of digital finance in terms of innovation and competition while mitigating risks;
  • Status: The Regulation has been adopted, but the provisions will enter into force on successive dates, the first time on 29 June 2023 and the last time on 30 December 2024;
  • Read the proposal here.

Originally published 04 May 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.