EU legislative initiatives under the strategies on data, AI & cybersecurity


Author: Madalina Vasile

Data Governance Act

  • became Regulation (EU) 2022/868
  • applicable as of 24 September 2023
  • sets framework enabling/facilitating:
    • safe re-use of certain categories of data held by public sector bodies
    • data intermediation services providing safe environment for companies and individuals to share data
    • “data altruism”, meaning the voluntary sharing of data to be used in the general interest
  • establishes a European Data Innovation Board
  • Member States shall lay down the rules on penalties applicable in case of infringements
  • see our article on key points on the Data Governance Act here
Data Act

  • legislative procedure ongoing
  • personal and non-personal data in scope
  • applies to actors in the IoT chain, particularly product manufacturers and suppliers of related services, data holders and consumer or business users (who own, rent or lease a product or receive a service)
  • provides rules on designing and manufacturing products and related services to allow users of IoT devices to gain access to data generated by them and to share such data with third parties
  • right to data portability extended
  • requires correlation with the GDPR, for instance, in respect of: personal data concept, data minimization and transparency requirements, qualification of data holders, users and data recipients as controllers, joint controllers or processors
European Health Data Space

  • legislative procedure ongoing
  • allows individuals to take control over their health data, including to access the data in electronic form and free of charge
  • improves the use of health data for research, innovation and policymaking. Certain actors (like researchers or innovators) will have access, subject to strict conditions, to large amounts of health data, to develop life-saving treatments, vaccines or medical devices and to ensure better access to healthcare and more resilient health systems
  • enables the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data
Digital Services Act

  • became Regulation (EU) 2022/2065
  • applicable as of 17 February 2024, except for certain provisions that apply as of 16 November 2022
  • applies to providers of intermediary services, such as online marketplaces, social media, very large online platforms and very large online search engines
  • bans advertising based on profiling using minors’ personal data and special categories of personal data
  • provides rules on combating online sale of illegal products and services and on identifying and removal of illegal content
  • bans practices aimed at misleading, including dark patterns
  • additional transparency requirements on top of those under the GDPR
Digital Markets Act

  • became Regulation (EU) 2022/1925
  • applicable as of 2 May 2023, except for certain provisions, some of which apply as of 1 November 2022 and others as of 25 June 2023
  • applies to EU core platform services (e.g., online intermediation services, online advertising services, search engines, social networking services, video-sharing platforms) provided by gatekeepers
  • requires end user’s consent for many processing activities such as:
    • providing online advertising services by using personal data of data subjects using services of third parties that make use of core platform services of the gatekeeper
    • combining personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or by a third-party
    • cross-using personal data from the relevant core platform service in other services provided separately by the gatekeeper
NIS 2 Directive

  • adopted; publication in the Official Journal of the European Union awaited
  • Member States will have 21 months from its entry into force to transpose it into national legislation
  • will repeal the existing directive on security of network and information systems – NIS Directive (EU) 2016/1148
  • introduces a size threshold rule for identifying the entities falling under its scope, as opposed to the old NIS Directive, under which Member States were responsible for determining which entities would meet the criteria to qualify as operators of essential services
  • widens the scope of the rules covering entities from more sectors
  • provides stricter rules for cybersecurity
  • amends the incident reporting requirements
  • strengthens the power of national authorities and imposes stricter enforcement requirements
  • strengthens cybersecurity risk and incident management
AI Regulation

  • legislative procedure ongoing
  • will apply to:
    • providers that offer AI systems in the EU, regardless of whether they are located in or outside the EU
    • users of AI systems in the EU
    • providers and users of AI located outside of the EU, insofar as the AI outputs are used in the EU
  • follows a risk based approach
  • prohibits certain AI practices (e.g., using an AI system that exploits any of the vulnerabilities of a specific group of persons due to their age, physical or mental disability, in order to materially distort the behavior of a person pertaining to that group in a manner that causes or is likely to cause that person or another person physical or psychological harm)
  • the classification of an AI system as “high-risk” under the AI Regulation will trigger a presumption of “high-risk” under the GDPR
  • provides additional transparency requirements on top of those under the GDPR