The future of IT security: what you need to know about the most important EU acts

  • Lisa Fröhlich
  • May 8, 2024

In 2021, the European Commission presented its digital strategy. The programme for the Digital Decade 2030 sets concrete goals to promote digital change in Europe, which include strengthening digital skills, expanding digital infrastructures, promoting innovation in companies, and digitizing public services. Below are the four overall goals expected by 2030:

  1. Digital skills: 20 million skilled workers in information and communication technology (with gender balance) are to be trained. In addition, at least 80% of the entire population should acquire basic digital skills.
  2. Secure and sustainable digital infrastructures: All households should have access to gigabit Internet connections and all populated areas should have access to 5G networks. In addition, the European share of the semiconductor market is to be doubled and 10,000 highly secure and climate-neutral data centers are to be built. 
  3. Digitization of companies: 75% of companies in Europe are to be equipped with digital technologies such as cloud computing, big data, and artificial intelligence. There will be a special focus on promoting innovation and investment to double the number of start-ups with a billion-dollar valuation. More than 90% of SMEs will reach a basic level of digital intensity.  
  4. Digitization of public services: Nationwide online access to essential public services (100%), including access to electronic patient records. In addition, a majority of citizens should be able to use a digital identity. 


Which standards and laws are part of the EU digital strategy?

To achieve these goals, corresponding standards and laws are required as part of the European digital strategy. The following six laws form part of this complex set of regulations; not all of them have yet come into force, and some are still in the implementation phase.

Which laws have already come into force and what characterizes them?

The Digital Markets Act (DMA) is part of the EU’s efforts to make the digital market more open while also curbing the market power of large platforms. The Digital Markets Act contains regulations to promote competition, data protection, and interoperability to strengthen the digital single market and create fair access and competitive conditions for companies. The Act is intended to improve the situation of commercial users in relation to large platforms, the so-called “gatekeepers”.  

Above all, it aims to strictly regulate gatekeepers and impose new obligations on them. A gatekeeper is defined based on certain criteria set out in the DMA: 

  1. An annual turnover of at least €6.5 billion over three consecutive financial years or a market value of at least €65 billion. 
  2. Activity in at least three EU member states. 
  3. A user base of at least 45 million active end users in the EU and at least 10,000 business users. 
  4. These user numbers must have been achieved in the last three financial years. 

Currently, six large corporations fit these criteria: Alphabet (parent company of Google), Amazon, Apple, ByteDance (the company behind TikTok), Meta (formerly Facebook), and Microsoft. The main obligations for gatekeepers include a prohibition on combining data without user consent, a prohibition on anti-competitive practices, and an obligation to ensure interoperability.

The DMA came into force on November 1, 2022, and the first “gatekeepers” were designated on September 6, 2023. The DMA’s obligations have been binding on the designated gatekeepers since March 7, 2024.

ByteDance, the Chinese parent company of TikTok, filed a lawsuit in November 2023 to have the decision declared null and void. However, this request was initially rejected in February 2024 by Marc van der Woude, President of the competent European Union Court of Justice (CFI).  

In addition to ByteDance, Meta had also filed an appeal against this decision for its Facebook Messenger and Marketplace. According to the US company, the two services are not part of an online intermediary service as defined in the DMA. A final ruling in the main proceedings is expected in the coming months. In any case, the market power of the gatekeepers defined to date is undisputedly high.  

The Data Governance Act (DGA) is another component of the European digital strategy. This EU regulation aims to promote the use and availability of data in the EU. The DGA includes regulations on the reuse of data from public bodies, data sharing through intermediary services and data cooperatives, and the promotion of data altruism. 

The most important points of the DGA are: 

  • Reuse of data from public sector bodies: The DGA sets out conditions for the reuse of public sector data, including transparency, fairness, and access conditions. 
  • Data sharing: The DGA facilitates the regulated exchange and access to data within the EU through intermediary services and data cooperatives. 
  • Data altruism: Organizations can voluntarily provide data for the common good. The DGA sets out requirements for transparency, record-keeping obligations, and declarations of consent. 

The addressees of the DGA are public bodies, data brokerage services, and organizations that provide data altruistically and voluntarily. Regarding data protection, the DGA does not contain any privileges, but supplements the requirements of the GDPR. 

The Data Governance Act has been in force since September 24, 2023, and aims to promote data sharing and improve the availability of public sector data. 

The Digital Services Act (DSA) is one of the more recent regulations. This European law has been in force since February 17, 2024, and redefines fundamental rules for the digital world. It mainly affects intermediary services such as hosting providers, access providers, and caching providers, as well as online platforms.

The key points of the Digital Services Act include:  

  1. Liability rules: New liability rules are introduced for providers, which severely restrict the so-called “Störerhaftung” (liability for breach of a duty of care, widely applied in Germany). Under these rules, providers are not liable if they have no knowledge of legal infringements and act promptly as soon as they are informed.
  2. Information obligations: Providers must fulfill new information obligations, including designating a contact point and providing a transparency report on content moderation. 
  3. Reporting point for illegal content: A reporting mechanism for illegal content must be established by providers and online platforms. The responsible body must assess the legality of reported content, report criminal offenses, and transparently explain to affected users why their content has been blocked.
  4. Complaints management system: Larger providers and platforms must set up an internal complaints management system that enables users to track and process complaints. 
  5. Transparency of advertising and recommendation systems: Online platforms must be transparent about who advertisements come from, who pays for the advertisements, and on what basis recommendations are made. Profiling of minors is prohibited. 

Companies that fail to implement the measures or violate them could face fines of up to 6% of the previous year’s turnover. The legislative process has been completed and the regulation has already come into force.  

The extent of this law’s true consequences is illustrated by Amazon’s lawsuit, which was only dismissed by the European Court of Justice (ECJ) in mid-March 2024. The US company did not want to be classified as a very large online platform to avoid having to disclose detailed information about its ads. Ultimately, the online retailer must comply with the requirements of the Digital Services Act, as the interests of the legislator outweigh the potential damage.  

The Data Act aims to facilitate access to and use of data, so that companies can use and exchange data more easily. The EU regulation, which came into force on 11 January 2024, harmonizes rules to better exploit the economic potential of data and promote a correspondingly competitive “data market”.

It is primarily aimed at manufacturers of connected products, providers of connected services, users, data owners, and public authorities. There are measures to promote competitiveness, protect SMEs, and promote data and cloud interoperability. The most important obligations include data accessibility, information obligations, and rights of access and use.  

For companies, the Data Act means: 

  1. Enhanced control over their data, including the right to data portability. 
  2. Protection against unfair contract terms and the provision of model contracts.
  3. Improved data and cloud interoperability to facilitate switching between services. 

The Data Act complements the GDPR and the ePrivacy Directive without weakening data protection. However, companies should prepare for the sometimes complex requirements by dealing with the provisions at an early stage and making the necessary adjustments to take advantage of the Data Act’s opportunities and ensure compliance. After the usual transition period, the regulation will apply from September 12, 2025. 

Which laws are currently being implemented and are not yet valid as a regulation?

In addition to the laws already briefly outlined, two other regulations are about to come into force or be implemented. These include the EU Commission’s Artificial Intelligence Act (AI Act for short), which was adopted by the European Parliament on March 13, 2024. The regulation will enter into force as soon as it is published in the Official Journal. The law is currently expected to come into force at the end of May or beginning of June 2024. This will be followed by a 36-month implementation period.  

The regulation on artificial intelligence (AI) represents a milestone in the regulation of this technology more widely. It was developed as part of the EU digital strategy and is intended to create clear guidelines for dealing with AI in research and business. 

The scope of application extends to providers and users of AI systems that are used in the EU, regardless of their location. The draft legislation defines the term AI quite broadly and covers various techniques such as machine learning, deep learning, logic- and knowledge-based approaches, and statistical approaches.

To take appropriate account of the various applications of AI, the AI Act divides AI systems into four groups depending on their risk: 

  1. Minimal risk AI systems 
  2. Low-risk AI systems 
  3. High-risk AI systems 
  4. Prohibited AI systems 

The requirements and regulations vary depending on the risk level. The regulations for high-risk AI systems, which are linked to high technical and organizational standards, are particularly strict. These include the establishment of a risk management system, transparent information obligations for users, human oversight, and the recording of processes and events. 

A key aspect of the Act is its relationship to the General Data Protection Regulation (GDPR). The AI Act supplements the GDPR for high-risk AI systems and remote identification systems. It requires modern security and data protection measures, including pseudonymization and encryption. Companies that use high-risk AI systems must provide users with the information required to carry out a data protection impact assessment. 

Bans on high-risk AI applications will take effect within six months of coming into force, while transparency and governance regulations will apply within one year. Overall, the AI Act provides comprehensive guidelines for companies that develop or use AI systems. This is intended to ensure safe and responsible use. 

The Cyber Resilience Act (CRA) is an initiative to improve the security of products and software with digital elements. The aim is to protect consumers and companies from the growing risks of the cyber world. With more and more connected IoT devices, such as baby monitors or smartwatches, it is crucial that they are secure and do not serve as potential gateways for cyberattacks. 

The main aim of the CRA is to introduce mandatory cybersecurity requirements for manufacturers and retailers. This is to ensure that products with digital elements are designed, developed and maintained securely from the outset. One of the key words here is “security by design”. These requirements cover the entire life cycle of the products and include aspects such as risk assessment, conformity testing, and continuous monitoring of cybersecurity. 

A uniform framework is created for the market access of products. If products comply with the new standards, they must bear the CE mark. This should enable consumers and companies to make more informed decisions, as they will be using products that meet the required cybersecurity standards. 

Manufacturers, importers, and distributors of products with digital elements will be faced with many new obligations. These include carrying out risk assessments, complying with cybersecurity standards, and notifying authorities and users immediately in the event of security incidents. 

Penalties for breaching the provisions of the CRA can be significant; fines can reach a percentage of the previous year’s global turnover of the companies concerned.

The draft law was adopted by the European Parliament on March 12, 2024. Once the Council has also approved the CRA and this has been published in the Official Journal of the EU, the Cyber Resilience Act will enter into force 20 days after publication. Affected manufacturers and companies should implement the necessary measures in good time to be able to cope with the associated economic and bureaucratic effort.  

Be prepared for the future and make sure your company is ready for the new regulations. Contact us to see how we can help you strengthen your IT security and ensure compliance. 