Data and Cybersecurity - European Union Legislation and Proposals

Who does it apply to?

The DSA applies to a wide range of online intermediaries (providers of information society intermediary services), including internet service providers, cloud service providers, messaging service providers, marketplaces, and social networks.

Specific due diligence obligations apply to hosting services, and in particular to online platforms, such as social networks, content-sharing platforms, app stores, online marketplaces, and online travel and accommodation platforms.

Online platforms and online search engines with at least 45 million monthly active users in the EU (representing 10% of the EU's population) are categorised as VLOPs and VLOSEs respectively. The first VLOPs and VLOSEs were designated on 25 April 2023, with the Commission identifying 17 VLOPS and 2 VLOSEs who currently reach the relevant monthly user threshold.

The most far-reaching rules in the DSA apply to VLOSEs and VLOPs.  These include:

• requirements to identify and remove illegal content,
• restrictions on the use of misleading user interfaces that hamper users from making free and informed decisions (for example, through the use of "dark patterns" and “nudging” practices that manipulate users' choices),
• requirements to enhance the transparency of online advertising (including provision of more information to users and the ability to opt-out from recommendation systems based on profiling),
• increased protection for children using these online services (including a ban on targeted advertising based on profiling), and
• requirements to carry out annual risk assessments and report these to the Commission.

Enforcement

EU member states are required to designate competent (national) authorities to be responsible for the supervision of intermediary service providers and to enforce the DSA. However, the European Commission (Commission) is the primary regulator for VLOPs and VLOSEs.

Designated regulators under the DSA have extensive investigatory and enforcement powers, with the Commission having the right to impose fines of up to 6% of the provider’s annual worldwide turnover in the preceding financial year for non-compliance with the DSA.

Timing

The DSA entered into force on 16 November 2022. The majority of its provisions apply to service providers from 17 February 2024. However, all online platforms, except micro and small ones (determined by staff headcount and turnover), were required to publish information about their average active service recipients by 17 February 2023. This was to enable the Commission to establish which service providers should be designated VLOPs and VLOSEs. VLOPs and VLOSEs must comply with their obligations under the DSA within four months of their designation, i.e. by 25 August 2023 for the first set of designated VLOPs and VLOSEs.

Further information

• Legislation
• Q&A

Who does it apply to?

The DMA applies to companies that are designated as “gatekeepers” for one or more of the “core platform services” (“CPSs”) listed in the DMA (for example, app stores, online search engines, social networking services, video-sharing platform services and cloud computing services).

There are three main, cumulative criteria that qualify a company as a “gatekeeper”:

1. A size that impacts the EU’s internal market. This is presumed where the company’s annual turnover in the EEA was at least EUR 7.5 billion in each of the last three financial years or its average capitalisation or fair value was at least EUR 75 billion in the last financial year, and it provides services in at least three EU member states.
2. The control of an important gateway for business users towards final consumers. This is presumed if the company operates a CPS that has more than 45 million monthly active EU end users and more than 10,000 yearly active EU business users in the last financial year; and
3. An entrenched and durable position. This is presumed if the company met the above criteria in each of the last three financial years. 

Companies that satisfy these criteria are presumed to be gatekeepers but can challenge the presumption and submit substantiated arguments to demonstrate that they should not be designated as a gatekeeper, despite meeting all the thresholds.

Conversely, the European Commission (“Commission”) may launch a market investigation to assess a given company’s specific situation and designate it as a gatekeeper on the basis of a qualitative assessment, even if it does not meet the quantitative thresholds.

Enforcement

The Commission will be the sole enforcer of the DMA (though there will be cooperation with national authorities) and the Commission has various enforcement powers under the act, including investigatory powers, and the ability to require remedies or to impose penalties to ensure compliance (including fines of up to 20% of a company’s worldwide annual turnover for repeated infringements). 

Third parties can also pursue gatekeepers for failure to comply with the DMA and seek damages for such infringements.

Timing

The DMA entered into force on 1 November 2022 and started to apply on 2 May 2023. By 3 July 2023, potential gatekeepers must notify their CPS(s) (core platform services) to the Commission if they meet the thresholds established by the DMA.

The Commission has 45 working days from receipt of such notification to make an assessment whether the company in question meets the thresholds and, if so, to designate them as a gatekeeper (6 September 2023 is the latest date for such a designation). Following their designation, gatekeepers will then have six months to comply with the requirements in the DMA, at the latest by 6 March 2024.

Further information

• Legislation
• Q&A
• 10 Things you need to know about the Digital Markets Act

Who does it apply to?

The DGA applies to public sector bodies that grant rights to re-use data, the recipients of such rights, providers of data intermediation services and recognised data altruism organisations.  Non-EU entities offering services into the EU which qualify as data altruism organisations or as data intermediaries under the DGA must appoint a legal representative in one of the Member States where those services are offered.

Enforcement

EU member states are required to appoint competent authorities to support the activities of public sector bodies allowing the re-use of data and also to monitor the compliance of data intermediation services providers and recognised data altruism organisations. Competent authorities are empowered to take certain actions in the event of infringement including, with respect to data intermediation services providers, requiring the suspension or cessation of data intermediation service or imposing financial penalties.

The level of financial penalties is not set out in the DGA and is left for individual member states to determine; however, the DGA requires them to be “proportionate, effective and dissuasive”.

Timing

The DGA entered into force on 23 June 2022 and applies from 24 September 2023.

Further information

• Legislation

Who does it apply to?

The Data Act applies to:

• manufacturers of connected products and suppliers offering related services (such as digital services or software which are incorporated into a connected product) in the EU;
• “data holders”, who have the right or obligation to make data from such products and services available; and
• business and public sector bodies to whom such data is made available, i.e. “data recipients”.

Enforcement

The Data Act will be enforced at a national level. Competent authorities will have investigatory powers and also the power to issue financial penalties. The level of such penalties will also be set at a national level.

Timing

The final text of the EU Data Act was adopted on 27 November 2023. The Data Act will enter into force on the 20th day following its publication in the Official Journal and will become applicable 20 months after its entry into force.

Further information

• Legislation
• Q&A
• Procedure tracker

Who does it apply to?

NIS 2 broadens the scope of NIS and applies to all “essential” and “important” entities, i.e. those operating, respectively, in a high criticality sector or other critical sector (as set out in the table below), which meet the size-cap rule and provide their services, or carry out their activities, within the EU.

High criticality sectors (essential entities)

• Energy 
• Transport 
• Banking
• Financial market infrastructures 
• Health 
• Drinking water
• Waste water 
• Digital infrastructure
• ICT service management (B2B) 
• Public administration 
• Space

Other critical Sectors (important entities)

• Postal and courier services 
• Waste management
• Manufacture, production and distribution of chemical products 
• Production, processing and distribution of food 
• Manufacturing
• Digital providers 
• Research

Avoiding overlap with sector-specific acts

The relevant provisions of NIS 2 will not apply to entities who are already subject to sector-specific EU legal acts (for example, the Regulation on digital operational resilience for the financial sector (“DORA”)) where these require in-scope entities to adopt cybersecurity risk management measures or to notify regulators of significant incidents, and such requirements are at least equivalent in effect to the obligations laid down in NIS 2. 

Impact on out of scope entities

The enhanced requirements under NIS 2 for in-scope entities to address risks in their ICT supply chains, mean that some businesses outside the direct scope of NIS 2 will also be impacted by it.  This is likely to be seen in relation to the due diligence and contractual requirements that such suppliers are subjected to when engaging with in-scope entities.

Enforcement

NIS 2 provides competent national authorities with greater powers to supervise and sanction in-scope entities. These apply differently depending on whether an entity is an “essential” or “important” entity.

Essential entities are subject to a proactive supervisory regime, with national authorities empowered to carry out random inspections, regular and ad hoc audits, and security scans to check for vulnerabilities, as well as having the ability to request certain information and evidence of compliance.

Important entities, on the other hand, are only subject to supervisory action in the event of evidence or indications of non-compliance.

NIS 2 imposes an obligation on member states to ensure that competent national authorities are given specific, minimum enforcement powers, including on-site inspection, off-site supervision and audit rights, and uniform fine thresholds for breaches, up to a maximum of EUR 10 million or 2% of global annual turnover for essential entities and EUR 7m or 1.4% of global annual turnover for important entities.

Timing

NIS 2 came into force on 16 January 2023 and EU member states have until 17 October 2024 to transpose NIS 2 into national law. NIS 2 is a directive, and requires implementation into each member state’s national law in order to have effect. This can be contrasted with the various European Commission acts referred to on this page (which have direct effect).

Further information

• Legislation
• FAQs

Who does it apply to?

The CSA offers businesses the opportunity to certify that their products meet EU cybersecurity standards. While CSA certification is voluntary unless otherwise specified in national or EU law, several EU legislative proposals including the NIS 2 Directive, AI Act and Cyber Resilience Act require the EU Commission to specify the obligations for CSA certification under those laws.

Timing

The CSA was originally enacted on 27 June 2019, following which it became directly applicable in all EU member states.

Articles 58 (National cybersecurity certification authorities), 60 (Conformity assessment bodies), 61 (Notification), 63 (Right to lodge a complaint), 64 (Right to an effective judicial remedy) and 65 (Penalties) of the CSA came into force on 28 June 2021.

On 18 April 2023, the European Commission proposed an amendment to enable the future adoption of European certification schemes for “managed security services” covering areas such as security audits, incident response, penetration testing and consultancy. The European Parliament and the Council will now consider this targeted amendment to the CSA.

Further information

• Legislation
• FAQs

Who does it apply to?

The CRA proposes minimum cybersecurity requirements for (i) manufacturers, (ii) importers, and (iii) distributors of “products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network”. Manufacturers will face the largest compliance burden.

A “product with digital elements” is “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed in the market separately”. Certain products (e.g. those developed for national security or military purposes), will be excluded. Also excluded are medical devices subject to the EU Medical Devices Regulation (2017/745).

In-scope products will need to satisfy essential security requirements (e.g. technical standards and additional governance obligations) when being placed on the market and thereafter. The essential security requirements will oblige manufacturers to account for cybersecurity throughout the product lifecycle (i.e. design, development and production), exercise due diligence on security aspects in the creation of their products, ensure transparency regarding cybersecurity factors that need to be known by customers, provide proportionate support on security (e.g. via software updates) and comply with the CRA’s vulnerability handling requirements.

A cybersecurity risk assessment must be completed to ensure cybersecurity “by design” from the outset, with identified risks being accounted for throughout the product lifecycle. In addition, manufacturers will be required to complete a conformity assessment to demonstrate whether specified requirements have been fulfilled, with products considered “critical” being subject to stricter assessment rules requiring the input of third party bodies.

Manufacturers must also draw up technical documentation as specified in the CRA and have a vulnerability handling process established before products with digital elements are made available on the EU market (for the lifespan of the product or a period of 5 years from the product being placed on the market, whichever is shorter), among other requirements.

Manufacturers will be subject to strict reporting obligations and must notify ENISA within 24 hours upon becoming aware of (i) any actively exploited vulnerability contained in the product with digital elements, and (ii) any incident having impact on the security of the product with digital elements. Manufacturers are also required to notify users of the product about the incident and, where necessary, any corrective measures that the user can deploy.

Importers and distributors that identify vulnerabilities are required to inform the manufacturer without undue delay.

Importers may only import products that comply with the CRA’s minimum obligations, and are required to take steps to verify this.

Distributors are subject to the less prescriptive requirement to act “with due care in relation to the requirements” of the CRA.

Enforcement

Entities that do not comply with the CRA may be subject to maximum fines of up to 15,000,000 EUR or, if the offender is an undertaking, up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Timing

The proposal is currently being reviewed by the EU Parliament and the Council, as part of the EU’s legislative process. Once adopted, economic operators and member states will have a transitional two year period to comply with the CRA’s requirements and undertake the necessary conformity assessments.

Further information

• Proposal