The EU sees the digital transition as essential for its economic development and strategic autonomy. To this end, the Digital Strategy was drafted, from which a large number of Regulations flow. In this blog, we provide an overview of all the Regulations that affect the protection of personal data and the use of data, and we list when each European Regulation comes into force. The entry into force of a Regulation does not mean that rights can be derived from it. This is only possible after the law has been declared "applicable". The reason for the delay between "entry into force" and "applicable" is to give Member States, as well as other parties affected by the new law, time to prepare themselves.
Every regulation, when declared applicable, has direct effect: the rules apply to all member states. A so-called implementing law allows national member states to flesh out the Regulation themselves.
Digital Market Act (DMA).
It became applicable last May. The Regulation sets rules for large online platforms, the so-called gatekeepers: search engines, social networks, cloud and computing services. These have such a market position that business and end users can hardly ignore these platforms. The goal of the DMA is to better protect users of those platforms and ensure better-functioning digital markets.
The Dutch implementation law for the DMA is in the legislative process at the time of writing this blog.
Digital Governance Act (DGA).
This Regulation, which came into effect on Sept. 24, contains rules for data and data sharing and aims to ensure that:
- data can be shared with confidence
- more data will be made available
- data are technically easy to reuse.
A framework is used to create a secure data sharing environment so that new business models can be developed.
In addition, there will be a national registry of recognized "data altruists." These are organizations that collect data for a public interest, such as data needed for medical scientific research. The Registry provides assurance that data are in good hands.
At the time of writing this blog, the Cabinet is working on the implementation of this Regulation.
Network and Information Security Act (NIS2).
The Network and Information Security Regulation, or NIS2 Regulation, is the successor to the NIS Directive. It aims to improve cybersecurity and resilience of essential services in EU member states. The NIS2 applies to more sectors and sets stricter security standards and incident reporting requirements.
The NIS2 will be applicable in October 2024. The implementing law is currently being worked on.
Digital Operational Resilience Act (DORA).
DORA applies specifically to the financial sector. The purpose of the DORA legislation is to harmonize the requirements for managing ICT risks so that the continuity of critical processes is ensured.
Insurance and reinsurance companies, insurance intermediaries, investment institutions, management companies, banks, crypto-asset service providers, institutions for occupational retirement provision and providers of ICT services to these sectors will be affected by this Regulation.
By January 2025, DORA will become applicable.
Digital Service Act (DSA).
The DSA is the twin brother of the DMA. It regulates the obligations that digital service providers have for their role as links between consumers on the one hand and providers of goods, services and content on the other. So it affects connectivity services, Content Delivery Networks, hosting providers and online platforms. But publishers and advertisers will also be affected by the DSA. It places an obligation on them to provide access to tools that measure ad performance.
A key obligation is that online platforms must provide clear and unambiguous information with each ad in real time to each individual website visitor. This must make it clear:
- That the user sees an advertisement.
- On whose behalf the ad is displayed.
- What parameters are used to display an ad to a user.
In addition, visitors should be able to easily change the order of posts or videos themselves. Now YouTube, Facebook and other platforms do that by default via recommendation algorithms based on users' personal preferences.
Interestingly, from a privacy perspective, recital 52 of the DSA lists only "consent", and not "legitimate interest", as the legal basis for ads.
The Data Act is expected to take effect in mid-2024. It regulates that users become partial co-owners of the data generated by the Internet of Things. Users should be able to access the data generated by e.g. smartphones, smart doorbells and lights at any time without making a request.
In addition, the regulation allows for a third party to access the data to add value.
Online services should also be set up in such a way that they can properly share data among themselves, so that you can more easily switch away from, for example, a cloud service.
In a previous blog (1), we wrote about the AI Act, regulations for the development and application of Artificial Intelligence. In June 2023, the European Parliament voted in favor of this regulation. This means that representatives of the European Parliament will negotiate the text with the Council of Ministers.
The Regulation is expected to be adopted in the spring of 2024. That is also when the effective and applicability dates will be known.