As the regulatory landscape for digital services evolves, various legislative measures are being implemented across the European Union, which encompass critical areas such as online safety, market fairness, data governance, and cybersecurity. The BCLP Data Privacy & Security team is meticulously monitoring developments in these areas as they shape the future of business operations within the EU.
The Digital Services Act (DSA) is a key legislative initiative that aims to create a safer online environment while establishing a level playing field for companies. The DSA, which entered into force on 16 November 2022, comes with a range of obligations tailored to different types of online service providers. Providers of information society intermediary services, including social networks, cloud services, and marketplaces, are impacted by this regulation. Notably, “very large online platforms” (VLOPs) and “very large online search engines” (VLOSEs), identified based on their user base, face the most stringent requirements, including obligations to identify and remove illegal content and enhance transparency in online advertising.
Under the DSA, online platforms with a user base exceeding 45 million in the EU must comply with specific obligations by 25 August 2023 if designated as VLOPs or VLOSEs. Enforcement falls primarily to the European Commission, which retains authority to impose significant fines for non-compliance.
In parallel to the DSA, the Digital Markets Act (DMA) seeks to address competitive fairness in the digital sector, targeting platforms referred to as "gatekeepers." These platforms, which play a crucial role in connecting businesses and consumers, are prohibited from employing unfair practices such as self-preferencing their services. The DMA commenced its application on 2 May 2023, and potential gatekeepers were required to notify their core services to the Commission by 3 July 2023. Following assessment, designated gatekeepers must comply with the DMA’s requirements by 6 March 2024.
Concurrently, the Data Governance Act (DGA) aims to foster the data economy by encouraging public sector data sharing and promoting "data altruism." Implemented from 24 September 2023, the DGA provides a framework for public sector bodies and data intermediaries while establishing conditions for data reuse.
In a significant move towards unifying data access, the Data Act has been proposed, which aims to clarify who can derive value from data and under what conditions. This regulation targets manufacturers of connected devices, ensuring that users have access to the data generated by these devices, thereby fostering innovation and competitive services in an increasingly data-centric marketplace.
The NIS2 Directive, an evolution of the original NIS Directive, is projected to come into effect on 18 October 2024, widening its scope to cover more industries critical to the economy and society. Under NIS2, businesses operating in certain sectors, such as healthcare, energy, and digital infrastructure, must implement stringent cybersecurity measures.
Complementing these regulations, the Cybersecurity Act (CSA) establishes a European cybersecurity certification framework aimed at ensuring that ICT products, services, and processes meet the necessary security standards. This framework supports the overarching goal of enhancing cybersecurity infrastructure across EU member states.
Finally, in 2024, the Cyber Resilience Act (CRA) is set to introduce new cybersecurity requirements for products with digital elements, mandating manufacturers to ensure that cybersecurity considerations are integrated throughout the product lifecycle.
These initiatives form a comprehensive strategy designed to adapt to the rapid technological advancements and challenges posed by an increasingly digital economy. The BCLP Data Privacy & Security team continues to keep stakeholders informed about these critical developments in EU legislation, allowing businesses to navigate the complex landscape of digital compliance.
Source: Noah Wire Services