• Nine Riis, former assistant attorney and now PhD student at UCPH focusing on data contracts
• Emil Agerskov Thuesen, Certified IT-attorney at Plesner Law Firm
• Jesper Løffler Nielsen, PhD, Certified IT-attorney at Focus Advokater
Introduction: The EU’s new regulatory approach as a tidal wave of regulation
The EU has regulated digital technologies since the 1990s, including through the Personal Data Directive (1995), the E-Commerce Directive (2000), the ePrivacy Directive (2002), the eIDAS Regulation (2014), and the GDPR (2018). However, around 2020 a distinctive shift occurred in the EU’s regulatory approach, as the EU began issuing legislative acts of increasing scope at rapid speed, a phenomenon that has been described as “a tidal wave of regulation”. The new regulatory approach is part of the EU’s strategy “Europe’s Digital Decade” and can be seen as a way to ensure European digital sovereignty. The term “digital sovereignty” is defined in a paper from the European Parliamentary Research Service as:
“a means of promoting the notion of European leadership and strategic autonomy in the digital field. Strong concerns have been raised over the economic and social influence of non-EU technology companies, which threatens EU citizens’ control over their personal data, and constrains both the growth of EU high-technology companies and the ability of national and EU rule-makers to enforce their laws. In this context, ‘digital sovereignty’ refers to Europe’s ability to act independently in the digital world and should be understood in terms of both protective mechanisms and offensive tools to foster digital innovation (including in cooperation with non-EU companies).”
While the new regulatory approach can be explained as a way to ensure digital sovereignty, the approach nevertheless poses a significant challenge for the many companies engaged in the provision of digital products and services. The challenge arises because of the overwhelming number of (proposed) legislative acts and policy documents. As an illustration, the EU Legislative Train currently holds more than 50 different legislative initiatives, most of which are also further elaborated in the 82-page progress report “Identification and assessment of existing and draft EU legislation in the digital field” (2022). Finally, it is worth mentioning a comprehensive “dataset on EU legislation for the digital world” published by Bruegel.org (updated as of November 2023). In addition to hard legislation, companies are also increasingly encouraged to comply with technical standards, which in some situations can be considered “soft law”, i.e. non-binding rules.
This blog post does not provide a comprehensive overview of the 50+ legislative initiatives underway from the EU in the digital field; instead it, firstly, outlines the main legislative acts within three areas impacted by the new regulatory approach: (a) Cybersecurity, (b) Data and (c) Trustworthy digital technologies, thereby providing companies with a lifeline in the wave of regulation. Secondly, it synthesises the main regulatory characteristics of the three areas and, lastly, juxtaposes these characteristics with the goal of obtaining European digital sovereignty. By doing so, the authors hope to offer a better understanding of how the EU is regulating digital technologies and why.
Regulation of cybersecurity
The EU expanded its regulation of cybersecurity by adopting the Cybersecurity Act (2019) and updating the EU Cybersecurity Strategy (2020). The Cybersecurity Act has two main purposes. The first purpose is the grant of a permanent mandate to the European Union Agency for Cybersecurity (ENISA), enabling ENISA to support the development and implementation of cybersecurity across the EU. Due to the rapid advancement of cyber threats, a strong prevention scheme is necessary, as such threats cannot be handled by the individual Member States on their own. The second purpose is the establishment of a framework for European cybersecurity certification. The certification framework is a tool enabling companies to document the cybersecurity of their products and services, and the framework to a large extent incorporates technical standards (see e.g. art. 8(a) and art. 54(1)(c)). While the certification is voluntary, several other pieces of proposed cybersecurity legislation require companies to document that their products and services satisfy specific cybersecurity requirements (e.g. proposal for the Cyber Resilience Act art. 18(3) and the NIS2 Directive art. 24). Such requirements can be satisfied by obtaining a certification adopted pursuant to the Cybersecurity Act.
The following legislative acts are essential within the EU’s regulation of cybersecurity:
- Cybersecurity Act (2019)
- NIS2 Directive (2022)
- DORA (financial sector) (2022)
- Critical Entities Resilience Directive (2022)
- Proposal for the Cyber Resilience Act (2022 – political agreement December 2023)
Regulation of data
In 2020, the EU published “A European Strategy for Data” that revolves around two main themes. Firstly, the EU should become better at reaping the economic benefits of data, including by ensuring the availability of data (in contrast to data being exclusively possessed by a few large companies). Secondly, all processing of data should be in alignment with European values and fundamental rights.
To improve the possibilities for companies to reap the economic benefits of data, the EU has enacted and proposed several legislative acts that set out a mandatory duty to supply data under specific circumstances, such as the Digital Markets Act art. 6(10) and the Data Act art. 4(1). By doing so, the EU particularly targets large companies locking in valuable data. Moreover, the EU is encouraging the creation of “data spaces”. A data space can be defined as a distributed system supported by a governance framework that enables transfers of data between data space participants (see Data Space Support Centre glossary). The governance framework can consist of contractual terms, policies, and codes of conduct. The overall goal is to offer an effective way to transfer data between a group of companies that all have a mutual interest in each other’s data, for example, if they are all active within the same sector. There is not yet an exact design for data spaces, but several initiatives are underway to further develop the concept, e.g. the Data Space Support Centre. Participants in data spaces must comply with the interoperability requirements in art. 33(1) of the Data Act, which can be satisfied through compliance with specific technical standards.
To ensure that all processing of data is in accordance with European values and fundamental rights, the EU requires that processing of personal data satisfies the requirements in the GDPR. Moreover, input data used in high-risk AI systems shall satisfy specific quality criteria related to “data governance”, cf. the proposal for the AI Act art. 10.
The following legislative acts are essential within the EU’s regulation of data:
- The Open Data Directive (2019)
- Regulation on the free flow of non-personal data (2019)
- The Data Governance Act (2022)
- The Data Act (2024)
- Strategy and, provisionally, a proposal for one regulation on the creation of 10 European Data Spaces (2022)
- Proposal for the Interoperable Europe Act (2022 – provisional agreement November 2023)
Regulation of trustworthy digital technologies
Several legislative acts proposed as part of the new regulatory approach specifically deal with the trustworthiness of digital technologies. Trustworthiness shall be understood as mitigation of the threat digital technologies pose to European fundamental rights. For example, the proposal for the AI Act stipulates specific design requirements for “high risk AI systems”. “High risk AI systems” shall be designed and developed in such a way that they can (i) be effectively overseen by natural persons (art. 14) and (ii) achieve an appropriate level of accuracy, robustness and cybersecurity in light of their intended purpose (art. 15). Similarly, the Digital Services Act’s art. 34 and 35 oblige providers of large platforms and search engines to identify, analyse, and assess any systemic risks stemming from the design or functioning of their services and to implement measures to mitigate these risks.
Thus, the EU’s regulation of trustworthy digital technologies requires specific design mechanisms during the development phase and ongoing risk assessments to ensure that fundamental rights are respected.
The following legislative acts are essential within the EU’s regulation of trustworthy digital technologies:
- Digital Markets Act (2022)
- Digital Services Act (2022)
- Proposal for a Regulation on European Digital Identities (2021)
- Proposal for the AI Act (2021 – political agreement December 2023)
- Proposals for an Update of the Product Liability Directive (2022 – provisional agreement December 2023) and the Artificial Intelligence Liability Directive (2022)
Synthesising the main characteristics of the EU’s new regulatory approach
The analysis of the three areas of technology regulation allows for the synthesis of two main characteristics of the EU’s new regulatory approach, namely the increased use of (i) “By design” requirements and (ii) co-regulation.
“By design”-requirements
The EU is increasingly stipulating specific requirements for the design of digital technologies, which must be taken into account during the development phase (often referred to as “by design”-requirements). “By design”-requirements indicate a future where developers must consider legal requirements throughout the development phase and continually during the provision of the digital products and services. Consequently, increased communication between lawyers and developers is required from the earliest stages of the development process. Therefore, lawyers can no longer limit themselves to dealing with the law, but must also become familiar with the technologies themselves.
Co-regulation
The EU has intensified the use of “co-regulation” which can be defined as:
“the mechanism whereby a Community legislative act entrusts the attainment of the objectives defined by the legislative authority to parties which are recognised in the field (such as economic operators, the social partners, non-governmental organisations, or associations)” (see Interinstitutional agreement on better lawmaking 2003/C 321/01).
The use of co-regulation is reflected in the way the EU supplements hard law with technical standards, such as in the Cybersecurity Act, NIS2, DORA, the Data Act and the proposals for the AI Act, Cyber Resilience Act and Interoperable Europe Act. Technical standards are a tool for easing the burden of the mandatory requirements on companies and for ensuring engagement with industry players, as these participate in the development of technical standards. Moreover, the development of technical standards in the EU supports the goal of digital sovereignty. In the press release for the EU’s new Standardisation Strategy, Internal Market Commissioner Thierry Breton stated that: “Europe’s technological sovereignty, ability to reduce dependencies and protection of EU values will rely on our ability to be a global standard-setter.”
On the way to European digital sovereignty
The legislative acts within cybersecurity, data, and trustworthy digital technologies all reflect the EU’s desire to ensure digital sovereignty. While the tidal wave of regulation, in particular its “by design”-requirements, is a challenge for many companies engaged in the provision of digital products or services, it must not be perceived narrowly as a burden of compliance. Instead, the wave of regulation must be understood as a tool employed by the EU to ensure digital sovereignty. Moreover, the EU is trying to ease the pressure on companies through the use of co-regulation, thus engaging with market actors. While the EU’s ambitions to achieve digital sovereignty can be criticised (a recent report by the Atlantic Council states that there is a risk that the EU is heading in a protectionist direction), such ambitions are part of the global battle to regulate technology, in which the EU is intent on participating on its own terms.