Important current EU digital legislation
As part of its digital strategy, the EU is currently working on various legislative initiatives. The legislative program is broad and covers numerous topics: from the use of non-personal data to the legal requirements for systems in the financial sector and the regulation of artificial intelligence.
To give you a better overview, we have compiled a list of the current legislation and legislative procedures at the EU level with data protection and IT security relevance. The overview includes not only the laws which are already in force, such as the Digital Services Act (DSA), but also those that are still in the draft phase, such as the Cyber Resilience Act (CRA). For each individual directive and regulation, we have summarized the key facts – key regulatory aspects, who the provisions will apply to, impact on companies, data protection relevance and the current status.
We will update the overview regularly to inform you about the latest developments.
Last update: November 30, 2024.
A. Applicable legislation
Key Regulatory Aspects
The FFOD is intended to facilitate the transfer of non-personal data across national borders within the European Union. Prior to the regulation, the transfers of such data were subject to Member State law, sometimes accompanied by data localization requirements and lock-in practices preventing further flow of data to other Member States. The regulation applies to all electronic data other than personal data and regulates:
- Data localisation requirements (i.e., obligations which impose the processing of data in the territory of a specific Member State) and their prohibition
- Availability of data to competent authorities
- Porting of data for (professional) users of data processing services (e.g., cloud computing services)
Provisions Apply to
- Users of data processing services
- Authorities
Data Protection Relevance
The FFOD and the GDPR are mutually exclusive, as the former applies to electronic non-personal data and the latter applies to any personal data.
Impact on Companies / Public Bodies
The direct impact on companies and public bodies is rather small. The regulation serves to facilitate the creation of a single European data space and contains corresponding general requirements for the Commission and the Member States. The latter are aimed at eliminating or adjusting existing data localisation requirements. However, it should also be emphasized that the Commission wants to create codes of conduct for cloud service providers in order to facilitate switching between (European) cloud providers.
Current Status
Final
Last Published Version
Final text of the regulation from November 14, 2018 (link).
Next Step
Legislative procedure is completed.
Entry into Force/ Applicability
The regulation is applicable since May 29, 2019.
Key Regulatory Aspects
Similar to the US laws, the PSI Directive allows re-use of “open data” from “public sector documents” in the European Union for private or commercial purposes. According to the directive’s objective, public sector bodies and public undertakings “shall make their documents available in any pre-existing format or language and, where possible and appropriate, by electronic means, in formats that are open, machine-readable, accessible, findable and re-usable, together with their metadata”. What exactly is meant by “documents” and “open data” follows from the Data Use Act (Datennutzungsgesetz) in Germany.
Provisions Apply to
- Public sector bodies
- Public undertakings (where public sector bodies hold at least the majority of the capital or control the majority of the votes)
Data Protection Relevance
Decisions on the scope and conditions for the re-use of public sector documents containing personal data, for example in the health sector, may require a data protection impact assessment in accordance with Art. 35 GDPR. The PSI Directive also mentions anonymisation of personal data. The GDPR applies without prejudice to the PSI Directive, as the latter does not affect the processing of personal data.
Impact on Companies / Public Bodies
Public sector bodies in particular face major challenges in implementing the PSI Directive requirements, as they must make “open data” available. In this context, the limitations resulting from the GDPR, intellectual property laws and trade secret protection are particularly challenging. Together with the Data Governance Act, the PSI Directive creates opportunities for private companies to make data from public sector bodies more easily usable, thus compensating for competitive disadvantages vis-à-vis non-European companies, which have long been able to access public information in their countries.
Current Status
Final.
Last Published Version
Final text of the directive from June 20, 2019 (link).
Next Step
The directive has been transposed into German law.
Entry into Force / Applicability
The directive was implemented in Germany with the Gesetz vom zur Änderung des E-Government-Gesetzes und zur Einführung des Gesetzes für die Nutzung von Daten des öffentlichen Sektors (in German) on July 22, 2021.
Key Regulatory Aspects
The directive creates a harmonized regulatory framework for the distribution of digital services and content and is part of the European strategy to create the Digital Single Market. At the same time, the directive limits its scope of application to consumer contracts, thus strengthening consumer protection. The main subject of the directive is contracts for the supply of digital content or digital services. This includes, for example, software purchases or the use of streaming services. The directive also includes provisions on the obligations in the event of termination as well as on remedies for the failure to supply.
Provisions Apply to
- Businesses offering digital content or service
- Consumers (comprehensive consumer protection provisions)
Data Protection Relevance
The directive allows (Recital 24, Art. 3(1) Directive 2019/770) the consumer to provide or undertake to provide personal data instead of money, thus bringing this already existing business model into the legal framework. This puts the directive into a tense relationship with the core idea of the GDPR, according to which the protection of personal data is a priority and data subjects are provided with defensive rights to ensure it. In the event of conflict between the provisions of this directive and the GDPR, the latter prevails (Art. 3(8) Directive 2019/770). The Conference of the Independent Federal and State Data Protection Authorities (“DSK”) has been dealing with the effects of the new consumer provisions (implementation of the directive) in the German Civil Code on data protection law and has clarified that the GDPR principles continue to apply even if personal data is provided as part of a contract. A legal basis is still required for data processing, and the use of cookies must comply with the requirements of Section 25 TTDSG.
Impact on Companies / Public Bodies
As a result of the transposition of the directive into German law and the amendments to the Sections 327 et seq. of the German Civil Code, consumer protection provisions now apply to consumer contracts for digital content or services. Businesses have to comply with regulations on conformity and liability. In addition, the burden of proof is on the trader (business) in the majority of cases.
Current Status
Final.
Last Published Version
Final text of the directive from May 20, 2019 (link).
Next Step
The directive has been transposed into German law.
Entry into Force / Applicability
In Germany, the directive was implemented with the Gesetz zur Umsetzung der Richtlinie über bestimmte vertragsrechtliche Aspekte der Bereitstellung digitaler Inhalte und digitaler Dienstleistungen on June 30, 2021. The law entered into force on January 1, 2022.
Key Regulatory Aspects
With the directive on certain aspects concerning contracts for the sale of goods, the European legislator aims to achieve a higher level of consumer protection. This directive replaces Directive 1999/44/EC and contains stricter harmonization provisions to prevent fragmentation (compared to its predecessor). The directive is considered complementary to the Digital Content and Digital Services Directive, which was published on the same day. On the one hand, it covers contracts for the sale of goods and, on the other hand, sales of goods with digital elements. The latter refers to any tangible movable items that incorporate or are inter-connected with digital content or a digital service in such a way that the absence of the digital content or digital service would prevent the goods from performing their functions.
Provisions Apply to
- Businesses offering digital products
- Consumers (comprehensive consumer protection provisions)
Data Protection Relevance
The directive does not affect the existing data protection law.
Impact on Companies / Public Bodies
During the implementation, Section 434 and Sections 474 et seq. of the German Civil Code were amended. Some provisions of sales law have been adjusted in favour of the consumer. Among other things, businesses are subject to stricter formal requirements in terms of the burden of proof in sales contracts: a lack of conformity is presumed to have existed at the time of delivery if it becomes apparent within one year (formerly: 6 months). Regarding goods with digital elements, an updating obligation was introduced, according to which the seller is required to supply updates.
Current Status
Final.
Last Published Version
Final text of the directive from May 20, 2019 (link).
Next Step
The directive has already been transposed into German law.
Entry into Force / Applicability
In Germany, the directive was implemented with the Gesetz zur Regelung des Verkaufs von Sachen mit digitalen Elementen und anderer Aspekte des Kaufvertrags. The law entered into force on January 1, 2022.
Key Regulatory Aspects
The NIS 2 Directive is intended to address the growing threats posed by cyberattacks. It replaces the NIS 1 Directive and, compared to it, has a broader scope and higher harmonization requirements to ensure a common level of cyber resilience in the European single market. The NIS 2 Directive requires Member States to adopt a national cybersecurity strategy and to create an EU-wide network to manage cybersecurity incidents. It also imposes requirements and obligations on public and private entities to share cybersecurity information and requires the implementation of cybersecurity risk management.
Provisions Apply to
- Member States
- Public and private entities (e.g., electronic communications networks providers, domain name registration services; energy sector companies, digital service providers)
Data Protection Relevance
The NIS 2 Directive is without prejudice to the GDPR. It refers at several points to the provisions of the GDPR on the protection of personal data. For example, when using innovative technologies (including AI), the data protection requirements and the principles of privacy by design and default are to be observed. Recital 121 also mentions various lawful bases of Art. 6 GDPR for the processing of personal data for security purposes.
Impact on Companies / Public Bodies
For the directive to be applicable, it must first be transposed into national law.
The institutions addressed by the directive are subject to reporting obligations and requirements for cybersecurity risk management. This requires them to take technical, operational and organizational measures to minimize risks to the security of network and information systems. These include, among other things, security concepts, training and compliance with reporting obligations in the event of cybersecurity incidents.
Current Status
Final
Last Published Version
Final text of the directive from December 14, 2022 (link).
Next Step
Transposition of the requirements into national law.
Entry into Force / Applicability
The directive entered into force on January 16, 2023.
The Member States must transpose the directive’s requirements into national law by October 2024.
Key Regulatory Aspects
The DMA is intended to impose additional obligations under competition and antitrust law on the providers of core platform services (the so-called gatekeepers). The obligations for gatekeepers are strongly influenced or inspired by the ongoing or already completed proceedings of the European competition authorities.
A detailed overview of the DMA can be found here on our website (in German).
Provisions Apply to
- Providers of core platform services (Gatekeeper)
- Business users and competitors of the gatekeeper
Data Protection Relevance
The DMA is without prejudice to the GDPR. However, under the DMA, gatekeepers will be required to provide a description of their consumer profiling to data protection supervisory authorities. In addition, gatekeepers will be required, among other things, to provide certain data regarding the platform to business users, which could also involve transfers of personal data.
Impact on Companies / Public Bodies
In the long term, the DMA will lead to the European Commission taking tougher and more frequent action against digital sector companies that exploit their dominant position in an anti-competitive manner. The DMA will make it much easier for the Commission to impose fines, since once a company has been designated as a gatekeeper, an individual assessment of its market position in each case will no longer be needed.
At the same time, the DMA will make it much easier to access existing markets, as many of the gatekeepers' obligations are aimed at ensuring contestable and fair markets (e.g., in relation to app stores).
Current Status
Final.
Last Published Version
Final text of the Act from September 14, 2022 (link).
Next Step
Legislative procedure is completed.
Entry into Force / Applicability
The DMA entered into force on November 1, 2022.
Starting May 2nd, 2023, gatekeepers are obliged to disclose their gatekeeper status to the European Commission.
The first gatekeepers were designated by the Commission on September 6, 2023: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. These designated gatekeepers have had to comply with the requirements of the DMA since March 7, 2024, as the key obligations apply 6 months after designation as a gatekeeper.
Key Regulatory Aspects
The DSA contains regulatory requirements for the providers of online platforms and marketplaces regarding illegal content and supplements the E-Commerce Directive (Directive 2002/31/EC) in this respect in order to keep pace with the new technical realities of everyday digital life. To ensure a uniform regulatory standard, the European legislator has opted for the legal instrument of the regulation, which will be directly applicable in all Member States when it comes into force. In particular, the DSA imposes a large number of obligations on the major tech companies that provide services to users within the European Union in order to take more effective action against illegal content and to better protect and inform users.
Provisions Apply to
- Intermediary services (“mere conduit”, “caching” and hosting services)
- Social networks
- Online marketplaces
- Search engines
Data Protection Relevance
The DSA is without prejudice to the GDPR. However, the explicit prohibition of dark patterns, which will protect the users from interfaces which are designed to deceive, manipulate or otherwise impair the decision ability of a user, will affect the design of cookie banners.
Impact on Companies / Public Bodies
The DSA provides for a differentiated system of obligations, depending on the type of service and the number of users. The companies concerned will have to deal with an increased documentation and administrative effort. For example, T&Cs and community standards must be adapted and a contact point for electronic communication with authorities and users must be established. Hosting service providers and online platforms will also have to introduce reporting and “notice and action” procedures so that they can be notified by users and third parties about illegal content. The latter must also include an internal complaint-handling system on the platform so that users can lodge a complaint against unauthorized removal and suspension of content. In addition, platforms must provide more transparent information about advertising. Very large online platforms with more than 45 million monthly users are required, among other things, to conduct annual risk assessments.
If the measures are not implemented or the DSA is breached, companies face fines of up to 6% of the total worldwide annual turnover in the preceding financial year.
Current Status
Final.
Last Published Version
Final text of the Act from October 19, 2022 (link).
Next Step
Legislative procedure is completed.
Entry into Force / Applicability
The DSA applies in full since February 17, 2024.
The DSA will be implemented in Germany by the “Digitale-Dienste-Gesetz”, which came into force on 14 May 2024.
Key Regulatory Aspects
The DGA is aimed at enabling and improving the conditions for data sharing between sectors and Member States of the European Union. In particular, datasets held or processed by public sector bodies must become easier and safer to re-use.
Provisions Apply to
- Public bodies
- Data intermediation services (e.g., data marketplaces, services offering datasets on commercial basis)
- Data altruism organisations (registered organisations aimed at facilitating consent-based data sharing in, e.g., the field of research)
Data Protection Relevance
The DGA is without prejudice to the GDPR and does not contain any privileges with regard to its requirements. On the contrary, when providing data, public sector bodies may provide additional protection requirements for re-use of the data. For example, a public sector body may require that the data is only processed in an anonymized form.
From the data protection perspective, it is also worth highlighting that in the context of the DGA, the European Commission will provide a modular data altruism consent form (Art. 25(1) DGA). This form is also intended to ensure that the requirements of the GDPR are fulfilled. It seems possible that this form could also be used in other cases as a consent form approved by the Commission.
Impact on Companies / Public Bodies
The regulation will primarily improve the availability of data from public sector bodies. Very relevant in this context will be the single information points that shall be established by the Member States and will not only accept enquiries and requests for the re-use of data but will also provide an asset list of all available data resources, as specified by the DGA. This should make it much easier for companies to find potentially relevant and available datasets and make them usable.
The DGA is therefore likely to be of particular interest to bodies working with health data, mobility data, environmental data, and agricultural data. Especially in the area of research, the flexible and consent-based exchange of data facilitated by data altruism organisations could be very useful.
Current Status
Final.
Last Published Version
Final text of the Act from May 30, 2022 (link).
Next Step
Legislative procedure is completed.
Entry into Force / Applicability
The DGA is applicable since September 24, 2023.
B. Legislation not yet applicable
Key Regulatory Aspects
The Data Act is intended to facilitate access to and use of data generated or obtained through the use of products or related services. It covers all types of data, not just personal data. The Data Act aims to ensure and facilitate access to data which individuals or companies generate when using different products or services. It also includes the right to share data with third parties. In addition, the Data Act is aimed at facilitating switching between different services, e.g., switching from one cloud service to another. Since such a process requires the data to be compatible, the Data Act includes provisions on interoperability.
Provisions Apply to
- Users (of products or services)
- Data holders
- Companies
- Public sector bodies
Data Protection Relevance
The relationship between the GDPR and the Data Act is tense. While the GDPR is aimed at ensuring the most comprehensive protection of personal data, the aim of the Data Act is to ensure fair access to and use of data. The Data Act is intended to complement the GDPR and the ePrivacy Directive, and no provision in the Data Act should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data (Recital 7 DA). Regarding access to and sharing of personal data, the principles of data minimization and data protection by design and by default must be complied with. Whether it is possible to implement this requirement is unclear and contested by the authorities.
Impact on Companies / Public Bodies
The Data Act imposes extensive obligations on companies, in particular with regard to enabling access to data and data sharing with third parties. According to the DA, companies (depending on the product or service type) are required to adjust their processes in order to allow for data access, sharing and especially interoperability. The Data Act provides that in case of violation, penalties shall be effective, proportionate and dissuasive.
Current Status
Final.
Last Published Version
Final text of the regulation from December 13, 2023 (link).
Next Step
The legislative process has been completed.
Entry into Force / Applicability
The regulation came into force on January 11, 2024. It will apply from September 12, 2025.
Key Regulatory Aspects
The ePrivacy Regulation is intended to replace the current ePrivacy Directive, which is the basis for German regulations on telecommunications and telemedia (TKG and TTDSG). In particular, the Regulation includes provisions on:
- Confidentiality of communications (secrecy of telecommunications)
- Processing of electronic communications data (previously only traffic data)
- Storing and accessing the information stored in terminal equipment (e.g., Cookies)
- Direct marketing communications
Negotiations between and within the various EU institutions (Council, Parliament and Commission) have already been going on for five years.
Provisions Apply to
- Providers of electronic communications services
- Website and app operators
- Companies (especially in context of direct marketing)
Data Protection Relevance
To the extent that obligations under the ePrivacy Regulation Proposal exist, no additional obligations under the GDPR apply (Art. 95 GDPR in conjunction with Art. 27(2) ePrivacy Regulation Proposal).
Impact on Companies / Public Bodies
It is still unclear what the final form of the ePrivacy Regulation will be, as the version provided by the European Council differs fundamentally from the Parliament’s proposal in some respects. However, the provisions of the ePrivacy Regulation are likely to have a significant impact on marketing and tracking. Compared to the existing legal framework, it is likely that there will be additional obligations or changes to the existing ones.
Current Status
Trilogues started in May 2021.
Last Published Version
Council’s proposal from February 10, 2021 (link).
Next Step
Finalising the text.
Entry into Force / Applicability
After the Regulation enters into force following the trilogue negotiations, there will still be a 24-month transition period until the provisions apply.
The requirements of the regulation are therefore not expected to become relevant until 2025.
Key Regulatory Aspects
The directive is primarily intended to improve the conditions of employees and self-employed people who offer their services via digital labour platforms. In addition to regulations to prevent false self-employment, the draft directive also contains a number of provisions regarding data protection for employees. For example, special requirements are introduced regarding transparency, data subjects’ rights and accountability obligations if the work of employees is organized with the use of algorithms.
A detailed overview of the Proposed Directive can be found here on our website (in German).
Provisions Apply to
The directive will not apply to all platform operators, but only to operators of so-called digital labour platforms. This refers to platforms that are used to organize work of employees or self-employed people upon request of third parties (the actual recipients of the service). Recital 20 of the directive mentions, for example, transport of persons or goods as services.
Data Protection Relevance
With reference to Art. 88 GDPR in Recital 32 of the directive, Chapter III of the directive contains specific requirements for the processing of employee data in systems which are used to monitor, supervise or evaluate the work performance of workers, and in automated decision-making systems which are used to take or support decisions that significantly affect the workers’ working conditions.
Impact on Companies / Public Bodies
For most companies, the directive will have no impact. For digital labour platforms, however, the directive could have a major impact. In the context of national implementation of the directive, the question also arises as to whether the German legislator will include universally binding data protection obligations for the automated processing of employee data in the course of implementing the directive. Given that the specification of employee data protection was already announced in the coalition agreement, this seems at least possible.
Current Status
Final.
Last Published Version
Legislative process has been completed.
Next Step
Trilogue negotiations.
Entry into Force / Applicability
Once the directive has been published in the Official Journal of the EU, Member States have two years to implement the provisions nationally.
Key Regulatory Aspects
The CRA aims to introduce horizontal cybersecurity requirements for products with digital elements and eliminate the legislative patchwork in the field of cybersecurity. This should minimize cybersecurity risks and ensure safe use for businesses and consumers in the European single market.
Provisions Apply to
- Manufacturers
- Importers
- Distributors
Data Protection Relevance
The CRA is without prejudice to the GDPR and its provisions; both laws can be applicable in parallel. However, the regulation also aims to increase the security of personal data by protecting the confidentiality, integrity and availability of information in products with digital elements.
Impact on Companies / Public Bodies
As far as a product with digital elements (software, hardware, individual component) is concerned, a large number of obligations to implement cybersecurity requirements are imposed on manufacturers, distributors and importers (including risk and conformity assessment as well as testing, verification and documentation obligations). Failure to implement these obligations can result in market surveillance authorities imposing fines of up to 15 million euros or 2.5% of total worldwide annual turnover for the preceding financial year, depending on the violation and the actor.
Manufacturers of products with digital elements must expect a high level of additional economic and bureaucratic effort during the development process.
Current Status
Final.
Last Published Version
The CRA was published in the Official Journal on 20 November 2024 (link).
Next Step
Legislative process has been completed.
Entry into Force / Applicability
The CRA comes into force on December 10, 2024. Chapter 4 of the CRA (notification of conformity assessment bodies) applies from June 2026. From September 2026, Article 14 of the CRA (notification obligation for manufacturers) will apply, and from December 2027 the CRA will apply to new products.
Key Regulatory Aspects
DORA includes harmonized legal requirements for the security of the network and information system infrastructures of companies in the financial sector, in order to minimize the growing risk of cyber threats.
You can find a detailed overview of DORA here on our website (in German).
Provisions Apply to
- Credit institutions
- Payment institutions
- Account information service providers
- Investment firms
- Crypto-asset service providers
- Insurance and reinsurance undertakings
- Other financial sector companies
- ICT third-party service providers (e.g., cloud computing services, software, data analysis services and providers of data centre services)
Data Protection Relevance
Several parts of the regulation reference the existing data protection framework. For example, the exchange of cyber threat information and intelligence must comply with Union data protection rules, in particular the GDPR. Furthermore, the European Insurance and Occupational Pensions Authority as well as the European Securities and Markets Authority (known collectively with the other ESAs as the “European Supervisory Authorities”) and other supervisory authorities must observe Regulation (EU) 2018/1725 as well as the GDPR when processing personal data. In addition, the contractual agreements between ICT service providers and financial entities must include provisions on the protection of data, including personal data, as required by Art. 30(2)(c) DORA. Another provision relevant in practice is Art. 28(7)(c) DORA, which requires financial entities to terminate their contractual arrangements with ICT service providers when the provider demonstrates evidenced weaknesses in relation to the protection of personal data.
Impact on Companies / Public Bodies
DORA imposes a variety of risk management obligations on financial entities. For example, they must implement measures for the sound management of ICT third-party risk and, depending on the size of the company, document and review it at least once a year. In this respect, financial companies face greater administrative, documentation and audit burdens.
Current Status
Final
Last Published Version
Regulation text from December 14, 2022 (link).
Next Step
Legislative procedure is completed.
Entry into Force / Applicability
The regulation entered into force on January 16, 2023. It shall apply from January 17, 2025.
Key Regulatory Aspects
The AI Act has its focus on:
- Laying down a uniform legal framework for the development, deployment, and use of artificial intelligence systems
- Prohibiting certain artificial intelligence practices
- Setting out the legal requirements for high-risk AI systems and their providers
- Imposing transparency obligations on AI systems
AI systems are divided into four groups depending on the risk they create:
- AI systems with minimal risk
- AI systems with low risk
- High-risk AI systems
- Prohibited AI practices
The primary subject of the regulation is high-risk AI systems. They are subject to high technical and organizational standards. For example, using high-risk AI systems requires establishing a risk management system, post-market monitoring and documentation. Additionally, human oversight as well as compliance with transparency obligations and instructions for use is mandatory. The term artificial intelligence is deliberately kept technology-neutral so that the regulation is future-proof and takes into account the rapid developments in AI technology and the market.
Penalties include administrative fines of up to 30 000 000 Euro or, if the offender is a company, up to 6 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Provisions Apply to
- Providers (e.g., developers) of AI systems (including natural or legal persons, public authorities, agencies)
- Users of AI systems
- Distributors
Data Protection Relevance
The AI Act is without prejudice to and complements the GDPR with a set of rules applicable to certain high-risk AI systems and remote biometric identification systems. For example, the regulation explicitly mentions that high-risk AI systems may be subject to “state-of-the-art security and privacy-preserving measures” including encryption and pseudonymisation, “where anonymization may significantly affect the purpose pursued”.
Users of high-risk AI systems shall use the information provided under Article 29(6) of the AI Act in order to carry out a data protection impact assessment (Art. 35 GDPR). This leads to a significant “enhancement” of data protection information, the quality of which varies greatly in our experience. The GDPR will certainly play an important role in the use of AI systems in the future.
Impact on Companies / Public Bodies
Especially when using high-risk AI systems, companies should not underestimate the assessment and documentation effort. A key element in this respect is the conformity assessment procedure and the EU declaration of conformity required of providers of high-risk AI systems.
Finally, it is also important to note that providers established in third countries are not exempt from the requirements of the AI Act if they place their AI systems on the EU market or put them into service in the Union. In view of the possible fines, this is highly relevant.
Current Status
Final.
Next Step
Legislative procedure is completed.
Entry into Force / Applicability
The regulation entered into force on August 1, 2024. Its provisions apply in stages 6, 12, 24 and 36 months after entry into force: the prohibitions apply from February 2, 2025, the rules on general-purpose AI models from August 2, 2025, most remaining provisions from August 2, 2026, and the rules for high-risk AI systems that are safety components of products covered by the Union harmonisation legislation listed in Annex I from August 2, 2027.
Key Regulatory Aspects
The AI Liability Directive contains rules on a rebuttable presumption of a causal link and on access to evidence for non-contractual, fault-based claims for damages caused by AI systems. The directive is intended to ensure the protection of injured persons without hampering innovation. In particular, it takes into account that, due to the opacity and complexity of AI systems, it may be excessively difficult for claimants to identify the liable person and to prove the conditions for a claim for damages.
Provisions Apply to
- Providers, operators and users of AI systems.
Data Protection Relevance
The AI Liability Directive does not contain any explicit provisions on data protection. However, the directive aims to ease the burden of proof for victims of damage caused by AI systems with regard to liability under national or European law. In this regard, the directive is likely to have an impact on the burden of proof for damages claims under Art. 82 GDPR if data subjects suffer damage in the context of data processing by AI systems.
Impact on Companies / Public Bodies
The burden of proof is eased for claimants: it is sufficient to demonstrate the defendant's non-compliance with a duty of care and that it is reasonably likely that this fault influenced the output of the AI system; the causal link between the fault and the output is then presumed. In this context, claimants (e.g., consumers) can, for example, ask the court to order the disclosure of relevant evidence about high-risk AI systems. The defendant will, however, have the right to rebut the presumption.
Current Status
On September 28, 2022, the European Commission adopted the proposal for the directive.
Last Published Version
Proposal text from September 28, 2022 (link).
Next Step
Adoption by the European Parliament and the Council of the European Union.
Entry into Force / Applicability
The directive enters into force on the 20th day following that of its publication in the Official Journal of the European Union. Member States must transpose its provisions into national law at the latest 21 months after the directive's entry into force.
Key Regulatory Aspects
The e-Evidence Regulation sets out the conditions under which EU judicial authorities may issue cross-border production and preservation orders against communication and digital service providers. The regulation enables a Hungarian law enforcement agency, for example, to order a German internet provider to hand over data for the purpose of criminal prosecution without involving the German authorities in the proceedings.
Among other things, production orders may cover the identity of the owner of an IP address, communication content or traffic data (when, how and with whom communication took place).
Provisions Apply to
- Judicial authorities of the EU Member States
- Companies providing communication and digital services in the EU, i.e.:
  - Traditional providers of telecommunications services (Telekom, Vodafone, Telefonica, etc.)
  - Online communication services, such as messaging, internet and video telephony services and e-mail services
  - Providers of domain names and IP addresses
  - Providers of digital services (the term can be understood relatively broadly; according to the case law of the CJEU, this can include, for example, social media or intermediary services such as Airbnb) via which users can communicate or have data processed or stored
Data Protection Relevance
The e-Evidence Regulation imposes direct legal obligations on the above-mentioned companies, which also apply to the processing of personal data. Both service providers and judicial authorities must ensure that personal data is only processed if the requirements of the regulation are met.
Impact on Companies
Companies must note that they will face sanctions if they do not provide the requested information to the judicial authorities. Due to the very short deadline for transmission in some cases (usually within 10 days, in case of emergency within 8 hours), companies have to prepare for possible production orders. Wrongful refusal to submit the requested data may result in pecuniary sanctions of up to 2% of the total worldwide annual turnover of the preceding financial year. However, a wrongful disclosure may also constitute a violation of the GDPR and be punishable by a fine of up to 4% of the worldwide annual turnover.
Current Status
Final.
Last Published Version
Final text of the Regulation from July 12, 2023 (link).
Next Step
Legislative procedure is completed.
Entry into Force / Applicability
The regulation entered into force on August 18, 2023. A transition period of three years is planned. Thus, it shall apply from August 18, 2026.
Key Regulatory Aspects
The Cyber Solidarity Act aims to improve coordinated actions to detect, prepare and effectively respond to cybersecurity threats and incidents in the EU. To this end, in particular, a European Cyber Shield and a Cyber Emergency Mechanism are to be introduced.
As part of the Cyber Shield, so-called Security Operations Centres (SOCs), i.e. national authorities designated for this purpose, gather insights on cyber threats and act as points of contact for public and private organizations.
The Cyber Emergency Mechanism provides for precautionary measures, such as testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities.
In addition, the creation of an EU Cybersecurity Reserve is envisaged, consisting of incident response services from trusted providers contracted in advance to intervene at the request of Member State or Union bodies in the event of a cybersecurity incident.
Provisions Apply to
- EU bodies
- EU Member States
- Indirectly companies from critical sectors that can be tested for potential vulnerabilities
- Indirectly companies eligible for participation in the EU Cybersecurity Reserve.
Data Protection Relevance
Information sharing among participants of the Cyber Shield must be carried out in compliance with Union (GDPR) and Member State data protection law (Recital 22 Cyber Solidarity Act). For example, insofar as personal data is processed, appropriate technical and organisational measures (TOMs) must be implemented, and personal data must be deleted once it is no longer necessary for the stated purpose.
Impact on Companies / Public Bodies
Companies from sectors with high criticality (the Regulation refers to Annex I of the NIS-2 Directive) can be tested for potential vulnerabilities.
Companies eligible to participate in the EU Cybersecurity Reserve must meet certain selection criteria and conclude respective contracts.
Member states must designate national authorities as SOCs, which will then perform tasks under the Cyber Shield. These authorities must be able to act as a point of contact for public and private organizations regarding cybersecurity threats and incidents. They should be equipped with the latest technology and contribute to the cross-border network of SOCs.
Current Status
On March 6, 2024, the Council and the European Parliament reached a provisional agreement on the Cyber Solidarity Act.
Last Published Version
Draft of the preliminary agreement of March 20, 2024 (link).
Next Step
Now the draft legislative acts are being revised by the legal-linguistic experts before they are formally adopted by the two legislative bodies.
Entry into Force / Applicability
It is not yet foreseeable when the legislative process will be completed. The Regulation enters into force on the 20th day following that of its publication in the Official Journal of the European Union.
Key Regulatory Aspects
The German E-Evidence Act is intended to increase the efficiency of law enforcement in the Federal Republic of Germany and in the European Union. It implements Directive (EU) 2023/1544 and enables the application of Regulation (EU) 2023/1543 (e-Evidence Regulation). Specifically, law enforcement authorities will be able to approach service providers directly. To this end, there will in future be a "production order" to obtain electronic evidence directly and a "preservation order" to ensure that the data is not deleted.
The term “electronic evidence” has a wide range:
- Subscriber data: Data relating to the identity of the subscriber, such as name, date of birth, address and other contact details, as well as data relating to the type and duration of the service.
- Traffic data: Data relating to the service provided, such as the origin and destination of the message, the location of a device, the format or protocol used and other metadata relating to communication via a service.
- Content data: All other data available in a digital format, such as texts, videos and images.
However, the data of persons subject to professional secrecy, such as lawyers or doctors, enjoy special protection.
Provisions Apply to
- Service providers within the meaning of Art. 2 No. 1 of the e-Evidence Regulation: This includes all providers of electronic communications services, internet domain name and IP numbering services and other information society services that enable their users to communicate with each other or that store or otherwise process data for their users where the storage of data is an integral part of the service. There is no size limit or exception for small and micro-enterprises. There is a geographical limitation insofar as the services must be offered in the EU. Indications are, for example, a branch in the EU, the availability of applications in national app stores, local advertising, or the availability of customer service locally or in the language of the member state.
Data Protection Relevance
The service provider acting merely as a processor within the meaning of Art. 28 GDPR, but not as a controller, must inform the controller of the data disclosure. However, the data subjects may only be informed by the issuing authority.
Impact on Companies / Public Bodies
Service providers must have authorized representatives in the EU ready to receive the orders. If a service provider does not comply with an order addressed to it, an enforcement procedure is provided for. However, it is possible to raise objections to the execution of the order based on a catalog of grounds. In addition to formal aspects such as the lack of jurisdiction of the issuing authority, these include immunities and privileges as well as freedom of the press.
If the service providers' objections to the request are not valid, they face fines of up to 500,000 euros or, in the case of companies with high turnover, a fine of up to two percent of the total annual turnover achieved.
The Federal Office of Justice is the central authority responsible for monitoring compliance with the obligations arising from this law. Although it is not responsible for enforcement in individual cases, it will intervene, if a service provider is systematically uncooperative.
Current Status
Draft of the Federal Ministry of Justice of October 28, 2024.
Last Published Version
Draft of the Federal Ministry of Justice of October 28, 2024 (link – in German).
Next Step
The draft was sent to the federal states and associations. They can comment on the draft until December 6, 2024.
Entry into Force / Applicability
It is not yet foreseeable when the legislative process will be completed.
C. Changelog
October 28, 2024: Draft of the German E-Evidence Act (link).
October 10, 2024: The CRA was passed (link).
October 2, 2024: The Directive on Platform Work was passed (link).
July 12, 2024: The AI Act was published in the Official Journal and enters into force on August 1, 2024.
May 21, 2024: The Council has adopted the AI Act (link).
May 14, 2024: The German “Digitale-Dienste-Gesetz” has come into force.
March 21, 2024: The draft legislation on the “Digitale-Dienste-Gesetz” was introduced by the German Federal Government as an implementing law for the DSA (link).
March 13, 2024: The European Parliament adopted the AI Act.
March 12, 2024: The European Parliament adopted the CRA.
March 7, 2024: The first gatekeepers appointed by the Commission must meet the requirements of the DMA.
February 17, 2024: Digital Services Act now applies in full.
January 11, 2024: The Data Act has entered into force. The regulation will apply from September 12, 2025.
December 27, 2023: Proposed Directive on Platform Work: Parliament and Council negotiators have reached a compromise, which the Member States did not subsequently endorse.
December 6, 2023: Draft AI Act: the Council and the European Parliament have reached an agreement on the proposal.
November 30, 2023: CRA: The Parliament and the Council have reached political agreement on the CRA (link).
November 27, 2023: DA: The Data Act was adopted by the Council of the European Union (link).
November 9, 2023: DA: The Data Act was formally adopted by the European Parliament (link).
September 24, 2023: DGA: The DGA applies from September 24, 2023.
August 18, 2023: e-Evidence Regulation: The regulation entered into force on August 18, 2023. It shall apply from August 18, 2026.
July 19, 2023: CRA: The Council of the EU adopted its negotiating position on the CRA (link).
June 27, 2023: DA: The European Parliament and the Council of the EU have reached political agreement on the DA (link).
June 14, 2023: AI Act: The European Parliament adopted its negotiating position on the AI Act (link).
June 13, 2023: e-Evidence-Regulation: The e-Evidence-Regulation was adopted by the European Parliament (link).
June 7, 2023: Directive on Platform Work: The Council adopted its position (link).
May 24, 2023: Proposed regulation on the EU Cyber Solidarity Act (Cyber Solidarity Act): The overview now includes information of the Cyber Solidarity Act.
May 22, 2023: e-Evidence Regulation: The overview now includes information of the e-Evidence Regulation.
May 11, 2023: Proposed AI Act: The Internal Market Committee and the Civil Liberties Committee adopted a draft negotiating mandate (link).
May 2, 2023: DMA: Starting May 2, 2023, platforms which meet the criteria are required to disclose their gatekeeper status to the European Commission.
March 24, 2023: DA: The Council of the EU has adopted its position on the draft legislation (link).
March 14, 2023: DA: The European Parliament has adopted its position on the draft legislation (link).
February 2, 2023: Directive on Platform Work: Parliament has adopted its negotiating position and approved the decision to start negotiations with Council (link).
February 1, 2023: DSA: The Commission has published Guidance on the requirement to publish user numbers (link).
January 23, 2023: The Digital Operational Resilience Act (DORA) has been in force since January 16, 2023. Its provisions will be applicable from January 17, 2025.
We cannot guarantee that the overview reflects the current state of proceedings regarding every single legislative document at all times. We used subjective criteria to determine which laws we consider "important". It is therefore possible that a law that is important to you is not included.