Data and Cybersecurity - European Union Legislation and Proposals
Updated December 2024
Dec 06, 2024
Summary
The pace of new EU law continues unabated, with IoT, cybersecurity and digital services being key areas of activity. The BCLP Data Privacy & Security team is tracking EU law developments relevant to data and cybersecurity. In our tracker we (1) provide a snapshot, (2) explain who is impacted and (3) confirm the status and timeline for each of: the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Data Act, the NIS2 Directive, the Cybersecurity Act and the Cyber Resilience Act.
Digital Services Act
The Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services) (“DSA”) imposes obligations on providers of digital services that act as intermediaries in their role of connecting consumers with goods, services, and content.
The DSA aims to ensure a safer and more open digital space for users and a level playing field for companies.
The obligations increase cumulatively depending on the provider’s size and the nature of their activities, with “very large online platforms” (“VLOPs”) and “very large online search engines” (“VLOSEs”) having the most stringent obligations, as explained below.
Who does it apply to?
The DSA applies to a wide range of online intermediaries (providers of information society intermediary services), including internet service providers, cloud service providers, messaging service providers, marketplaces, and social networks.
Specific due diligence obligations apply to hosting services, and in particular to online platforms, such as social networks, content-sharing platforms, app stores, online marketplaces, and online travel and accommodation platforms.
Online platforms and online search engines with at least 45 million monthly active users in the EU (representing 10% of the EU's population) are categorised as VLOPs and VLOSEs respectively. The first VLOPs and VLOSEs were designated on 25 April 2023, with the Commission identifying 17 VLOPs and 2 VLOSEs that currently reach the relevant monthly user threshold.
The most far-reaching rules in the DSA apply to VLOSEs and VLOPs. These include:
- requirements to identify and remove illegal content,
- restrictions on the use of misleading user interfaces that hamper users from making free and informed decisions (for example, through the use of "dark patterns" and “nudging” practices that manipulate users' choices),
- requirements to enhance the transparency of online advertising (including provision of more information to users and the ability to opt-out from recommendation systems based on profiling),
- increased protection for children using these online services (including a ban on targeted advertising based on profiling), and
- requirements to carry out annual risk assessments and report these to the Commission.
Enforcement
EU member states are required to designate competent (national) authorities to be responsible for the supervision of intermediary service providers and to enforce the DSA. However, the European Commission (Commission) is the primary regulator for VLOPs and VLOSEs.
Designated regulators under the DSA have extensive investigatory and enforcement powers, with the Commission having the right to impose fines of up to 6% of the provider’s annual worldwide turnover in the preceding financial year for non-compliance with the DSA.
Timing
The DSA entered into force on 16 November 2022. The majority of its provisions apply to service providers from 17 February 2024. However, all online platforms, except micro and small ones (determined by staff headcount and turnover), were required to publish information about their average active service recipients by 17 February 2023. This was to enable the Commission to establish which service providers should be designated VLOPs and VLOSEs. VLOPs and VLOSEs must comply with their obligations under the DSA within four months of their designation, i.e. by 25 August 2023 for the first set of designated VLOPs and VLOSEs.
Digital Markets Act
The Digital Markets Act (Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector) (“DMA”) introduces rules for platforms that act as “gatekeepers” in the digital sector, with the aim of preventing them from imposing unfair conditions on businesses and end users and at ensuring the openness of digital services.
Examples include prohibiting gatekeepers from:
- self-preferencing: ranking their own products or services in a more favourable manner compared to those of third parties; and
- combining and cross-using an end user’s personal data collected through their platform with personal data acquired from other services offered by them or third parties unless the user has given specific consent.
Gatekeepers will also be required to facilitate effective portability for data generated through their platform and to provide advertisers with transparent information regarding performance data and marketing-related pricing. For further information on the DMA, refer to our "10 Things you need to know about the Digital Markets Act" publication from BCLP's Antitrust & Competition team.
Who does it apply to?
The DMA applies to companies that are designated as “gatekeepers” for one or more of the “core platform services” (“CPSs”) listed in the DMA (for example, app stores, online search engines, social networking services, video-sharing platform services and cloud computing services).
There are three main, cumulative criteria that qualify a company as a “gatekeeper”:
- A size that impacts the EU’s internal market. This is presumed where the company’s annual turnover in the EEA was at least EUR 7.5 billion in each of the last three financial years or its average capitalisation or fair value was at least EUR 75 billion in the last financial year, and it provides services in at least three EU member states.
- The control of an important gateway for business users towards final consumers. This is presumed if the company operates a CPS that has more than 45 million monthly active EU end users and more than 10,000 yearly active EU business users in the last financial year; and
- An entrenched and durable position. This is presumed if the company met the above criteria in each of the last three financial years.
Companies that satisfy these criteria are presumed to be gatekeepers but can challenge the presumption and submit substantiated arguments to demonstrate that they should not be designated as a gatekeeper, despite meeting all the thresholds.
Conversely, the European Commission (“Commission”) may launch a market investigation to assess a given company’s specific situation and designate it as a gatekeeper on the basis of a qualitative assessment, even if it does not meet the quantitative thresholds.
Enforcement
The Commission will be the sole enforcer of the DMA (though there will be cooperation with national authorities) and the Commission has various enforcement powers under the act, including investigatory powers, and the ability to require remedies or to impose penalties to ensure compliance (including fines of up to 20% of a company’s worldwide annual turnover for repeated infringements).
Third parties can also pursue gatekeepers for failure to comply with the DMA and seek damages for such infringements.
Timing
The DMA entered into force on 1 November 2022 and started to apply on 2 May 2023. By 3 July 2023, potential gatekeepers had to notify the Commission of their CPS(s) if they met the thresholds established by the DMA.
The Commission has 45 working days from receipt of such notification to make an assessment whether the company in question meets the thresholds and, if so, to designate them as a gatekeeper (6 September 2023 is the latest date for such a designation). Following their designation, gatekeepers will then have six months to comply with the requirements in the DMA, at the latest by 6 March 2024.
Data Governance Act
The Data Governance Act (Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance) (“DGA”) aims to bolster the data economy by encouraging public sector bodies to share certain categories of protected data (e.g. personal data and commercially confidential data) and promote data altruism.
It seeks to do this by: (i) establishing conditions for the re-use of protected data held by public bodies; (ii) creating a new business model for data intermediary services who will provide the infrastructures for such data to be hosted, accessed, shared and exchanged; (iii) introducing a mandatory registration requirement and supervisory framework for providers of such data intermediary services; and (iv) providing for frameworks at a national level for the voluntary registration of entities that collect and process data provided for altruistic purposes and for the establishment of a European Data Innovation Board.
The DGA does not, however, create any obligation on public sector bodies to allow the re-use of data, nor does it release them from their confidentiality and data protection obligations under EU or national law.
Who does it apply to?
The DGA applies to public sector bodies that grant rights to re-use data, the recipients of such rights, providers of data intermediation services and recognised data altruism organisations. Non-EU entities offering services into the EU which qualify as data altruism organisations or as data intermediaries under the DGA must appoint a legal representative in one of the Member States where those services are offered.
Enforcement
EU member states are required to appoint competent authorities to support the activities of public sector bodies allowing the re-use of data and also to monitor the compliance of data intermediation services providers and recognised data altruism organisations. Competent authorities are empowered to take certain actions in the event of infringement including, with respect to data intermediation services providers, requiring the suspension or cessation of data intermediation service or imposing financial penalties.
The level of financial penalties is not set out in the DGA and is left for individual member states to determine; however, the DGA requires them to be “proportionate, effective and dissuasive”.
Timing
The DGA entered into force on 23 June 2022 and applies from 24 September 2023.
Data Act
The European Commission (“Commission”) adopted its proposal for a Regulation (Regulation on harmonised rules on fair access to and use of data COM/2022/68) (“Data Act”) on 23 February 2022. Together with the Data Governance Act (“DGA”), it aims to promote the flow of data within the EU. While the DGA creates the processes and structures to facilitate data sharing, the Data Act is intended to clarify who can create value from data and under what conditions.
It is aimed at unlocking the value of data generated by connected objects in Europe (the internet of things or “IoT”), one of the key areas for innovation in the coming decades. The Data Act clarifies who can create value from such data and under which conditions.
The Data Act includes:
- Measures to allow users of connected devices to access data generated by the device and share it with third parties to enable other services to be provided. It maintains incentives for manufacturers to continue investing in high-quality data generation, by covering their transfer-related costs and preventing use of shared data where this would be in direct competition with the manufacturer’s product.
- Measures to protect SMEs from unfair contractual terms relating to data sharing, imposed by parties with a significantly stronger bargaining position. Model contractual terms will also be produced by the Commission in order to help such companies to draft and negotiate fair data-sharing contracts.
- Means for public sector bodies to access and use private sector-held data where there is an exceptional need, particularly in cases of public emergency or to implement a legal mandate.
- New rules allowing customers to switch effectively between different cloud data-processing services providers and safeguarding against unlawful data transfers by such providers.
Who does it apply to?
The Data Act applies to:
- manufacturers of connected products and suppliers offering related services (such as digital services or software which are incorporated into a connected product) in the EU;
- “data holders”, who have the right or obligation to make data from such products and services available; and
- business and public sector bodies to whom such data is made available, i.e. “data recipients”.
Enforcement
The Data Act will be enforced at a national level. Competent authorities will have investigatory powers and also the power to issue financial penalties. The level of such penalties will also be set at a national level.
Timing
The final text of the EU Data Act was adopted on 27 November 2023. The Data Act will enter into force on the 20th day following its publication in the Official Journal and will become applicable 20 months after its entry into force.
NIS 2 Directive
Forming part of the EU’s broader digital and cybersecurity strategy, the new Network and Information Systems Directive 2022/2555 (NIS2) came into effect on 18 October 2024 (this being the deadline by which the directive is required to be implemented into national law, although this process is not yet complete). It replaces NIS Directive 2016/1148 and complements the EU’s Cyber Resilience Act (discussed in a recent BCLP insight). The revised directive is intended to cast a wider net and bring more industries and sectors directly within its regulatory remit. In-scope businesses will therefore need to ensure appropriate risk-management procedures are embedded across their organisations. Senior management also need to understand the oversight which they are required to exercise, given the personal liability for cybersecurity failings which NIS2 now mandates.
Which businesses are now within scope of NIS2?
NIS2 covers entities in a wider variety of industries, focusing on entities in ‘sectors of high criticality’ and those operating in ‘other critical sectors’, such as:
- healthcare;
- manufacturing of pharmaceutical products or preparations, medicinal products or medical devices;
- energy and utilities;
- transport;
- financial institutions (save for those complying with the Information and Communication Technology (ICT) risk management aspects of the Digital Operational Resilience Act (DORA));
- digital infrastructure (including providers of cloud computing services);
- digital providers such as online marketplaces, online search engines and social networking services platforms;
- business to business ICT service management;
- production of chemicals;
- production, processing and distribution of food;
- manufacture of motor vehicles, machinery and transport equipment;
- manufacture of computer, electronic and optical products;
- manufacture of electrical equipment; and
- research organisations.
New sectors have been added to the NIS1 list, based on their degree of digitalisation and interconnectedness and how crucial they are for the economy and society (with the complete list of sectors of high criticality and other critical sectors set out in Annexes I and II of NIS2). NIS2 also introduces a clear size threshold rule, such that all medium and large-sized companies in the selected sectors are included in scope. EU Member States also have a discretion to identify smaller entities with a high security risk profile which must comply with NIS2. The distinction between operators of essential services and digital service providers has also been removed. Entities are now classified based on their importance and divided into two categories, essential and important entities, which are then subject to different supervisory regimes.
How does NIS2 work?
If a company operates in one of the sectors listed above, it must then establish if it is an ‘essential entity’ or an ‘important entity’.
Essential entities are those companies which:
- have more than 250 employees or 50 million euro of revenue and that are in one of the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, or space; or
- are:
  - trust service providers;
  - DNS service providers;
  - public electronic communication network providers; or
  - public administration entities; or
- have been designated as critical entities under the Critical Entities Resilience Directive 2022/2557; or
- have been designated by a Member State as essential entities or operators of essential services.
Important entities are all other organisations that are not essential entities and that operate in:
- postal and courier services;
- waste management;
- manufacture, production and distribution of chemicals;
- production, processing and distribution of food;
- manufacturing;
- digital providers; and
Member States can also identify an entity as an ‘important entity’ if the entity:
- is the sole provider of a service which is essential for the maintenance of critical societal or economic activities;
- provides a service, which, if disrupted could have a significant impact on public safety, public security or public health or could induce a significant systemic risk; or
- is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State.
Key obligations for entities in scope
- Cybersecurity risk-management measures – Article 21: Appropriate and proportionate technical, operational and organisational measures must be taken to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, these measures must ensure a level of security of network and information systems appropriate to the risks posed. When assessing proportionality of those measures, account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
- Governance and management responsibilities – Article 20: Management bodies of essential and important entities must oversee and approve the cybersecurity risk-management measures taken by those entities and senior personnel can be held personally liable for infringements of Article 20.
- Incident reporting – Article 23: Essential and important entities must notify, without undue delay, their competent computer security incident response teams (CSIRT) or, where applicable, the relevant regulator of any incident that has a significant impact on the provision of their services. Where appropriate, entities concerned shall notify, without undue delay, the recipients of their services of significant incidents that are likely to adversely affect the provision of those services. Information reported must include any information enabling the CSIRT or, where applicable, regulator to determine any cross-border impact of the incident. Where there is a cross-border or cross-sectoral significant incident, Member State regulators shall ensure that their single points of contact in other member states are provided in due time with the relevant information.
- Use of European cybersecurity certification schemes – Article 24: Essential and important entities may be required to use particular ICT products, ICT services and ICT processes, (developed in-house or procured from third parties) that are certified under European cybersecurity certification schemes.
Sanctions for non-compliance
Companies that do not comply with the new NIS2 rules face specific penalties for non-compliance, including:
- Non-monetary remedies: compliance orders, binding instructions, security audit implementation orders and threat notification orders issued to customers.
- Administrative fines: ‘Essential entities’ can be fined up to a maximum of at least €10,000,000 or 2% of the global annual revenue, whichever is higher. ‘Important entities’ can be fined up to a maximum of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.
- Criminal sanctions: new measures mean top management can be held personally liable if gross negligence causes a security incident.
Inter-relationship between NIS2 and ISO 27001
Note that voluntary compliance with the ISO 27001 standard will be seen separately from the NIS2 compliance picture as NIS2 is mandatory for entities operating within specific industry sectors. ISO 27001 should therefore be seen as a useful mechanism offering detailed approaches and procedures to fulfil NIS2’s requirements.
How has NIS2 been implemented in EU member states?
On 28 November 2024, the European Commission opened an infringement procedure and has issued formal notice to 23 Member States (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden) for failure to fully transpose the NIS2 Directive into national law. These states now have two months to respond and to complete transposition (and notify the Commission).
How is the UK approaching cyber security regulation?
NIS2 does not apply in the UK as it was formulated after the end of the Brexit transition period. However, the UK is separately making changes to its cybersecurity laws to update the UK’s Network and Information Systems Regulations (which implemented NIS1), with the issue of the long anticipated Cyber Security and Resilience Bill (CS&R Bill). Although the wording of the Bill has not yet been released, initial indications as to what it will cover are available. One of the critical changes will be the expansion of sectors subject to cybersecurity regulation (mirroring the changes we are seeing at the EU level). The incident reporting framework is another key area where the UK’s CS&R Bill is expected to align with NIS2 reporting thresholds. Under NIS1, entities have 72 hours to report a cybersecurity incident. However, it appears that, in line with NIS2, the UK government plans to shorten this window, particularly for critical entities. There will also be a push for mandatory cybersecurity standards and measures. It is anticipated that the new legislative provisions will set the baseline for cybersecurity risk management measures, operational resilience and reporting obligations across all relevant sectors.
Cybersecurity Act
The EU Cybersecurity Act (Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification) (the “CSA”) is an EU regulation that came into force on 27 June 2019, repealing the previous EU Cybersecurity Act (Regulation (EU) 526/2013).
The Regulator
The CSA strengthens the EU Agency for Cybersecurity (“ENISA”). It grants ENISA a permanent mandate and provides it with more resources and responsibilities.
ENISA has adopted a key role in establishing and maintaining the European cybersecurity certification framework. Its functions include preparing the technical ground for specific certification schemes and informing the public on those certification schemes and the certificates issued. ENISA is also mandated to increase operational cooperation at EU level, assisting EU member states who wish for it to handle their cybersecurity incidents. ENISA also assists in supporting cross-EU collaboration in the case of large scale, multi-jurisdictional cyber-attacks and crises.
Certification schemes
The CSA introduces an EU wide cybersecurity certification framework for information and communications technology (“ICT”) products, services and processes. Three levels of security (referred to as “assurance levels”) are specified, these being (i) basic, (ii) substantial, or (iii) high. These levels define the resiliency of a product, service or process against cyber-attacks involving a certain level of skill and resources.
Companies doing business in the EU are only required to certify their ICT products, services and processes on one occasion, following which they may receive a mutually recognised certificate that can be used throughout the EU. The CSA requires all EU member states to identify at least one national cybersecurity certification authority.
Who does it apply to?
The CSA offers businesses the opportunity to certify that their products meet EU cybersecurity standards. While CSA certification is voluntary unless otherwise specified in national or EU law, several EU legislative proposals including the NIS 2 Directive, AI Act and Cyber Resilience Act require the EU Commission to specify the obligations for CSA certification under those laws.
Timing
The CSA was originally enacted on 27 June 2019, following which it became directly applicable in all EU member states.
Articles 58 (National cybersecurity certification authorities), 60 (Conformity assessment bodies), 61 (Notification), 63 (Right to lodge a complaint), 64 (Right to an effective judicial remedy) and 65 (Penalties) of the CSA came into force on 28 June 2021.
On 18 April 2023, the European Commission proposed an amendment to enable the future adoption of European certification schemes for “managed security services” covering areas such as security audits, incident response, penetration testing and consultancy. The European Parliament and the Council will now consider this targeted amendment to the CSA.
Cyber Resilience Act
The European Commission adopted its proposal for an EU Cyber Resilience Act (Regulation (EU) 2022/0272 of the European Parliament and of the Council of 15 September 2022 on horizontal cybersecurity requirements for products with digital elements) on 15 September 2022 (the “CRA”) and it enters into force on 10 December 2024, applying from 11 December 2027, with some provisions being phased in earlier. The CRA introduces cybersecurity requirements for “products with digital elements”, with the intention of better securing hardware and software products in the EU. The proposed regulation aims to address four specific objectives:
- ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
- ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
- enhance the transparency of security properties of products with digital elements, and
- enable businesses and consumers to use products with digital elements securely.
Who does it apply to?
The CRA proposes minimum cybersecurity requirements for (i) manufacturers, (ii) importers, and (iii) distributors of “products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network”. Manufacturers will face the largest compliance burden.
A “product with digital elements” is “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed in the market separately”, or a product combining both software and hardware. Certain products (e.g. those developed for national security or military purposes), will be excluded. Also excluded are medical devices subject to the EU Medical Devices Regulation (2017/745).
In-scope products will need to satisfy essential security requirements (e.g. technical standards and additional governance obligations) when being placed on the market and thereafter. The essential security requirements will oblige manufacturers to account for cybersecurity throughout the product lifecycle (i.e. design, development and production), exercise due diligence on security aspects in the creation of their products, ensure transparency regarding cybersecurity factors that need to be known by customers, provide proportionate support on security (e.g. via software updates) and comply with the CRA’s vulnerability handling requirements.
A cybersecurity risk assessment must be completed to ensure cybersecurity “by design” from the outset, with identified risks being accounted for throughout the product lifecycle. In addition, manufacturers will be required to complete a conformity assessment to demonstrate whether specified requirements have been fulfilled, with products considered “critical” being subject to stricter assessment rules requiring the input of third party bodies.
Manufacturers must also draw up technical documentation as specified in the CRA and have a vulnerability handling process established before products with digital elements are made available on the EU market (for the lifespan of the product or a period of 5 years from the product being placed on the market, whichever is shorter), among other requirements.
Manufacturers will be subject to strict reporting obligations and must notify ENISA within 24 hours upon becoming aware of (i) any actively exploited vulnerability contained in the product with digital elements, and (ii) any incident having impact on the security of the product with digital elements. Manufacturers are also required to notify users of the product about the incident and, where necessary, any corrective measures that the user can deploy.
Importers and distributors that identify vulnerabilities are required to inform the manufacturer without undue delay.
Importers may only import products that comply with the CRA’s minimum obligations, and are required to take steps to verify this.
Distributors are subject to the less prescriptive requirement to act “with due care in relation to the requirements” of the CRA.
Enforcement
Entities that do not comply with the CRA may be subject to maximum fines of up to 15,000,000 EUR or, if the offender is an undertaking, up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Timing
The CRA will enter into force on 10 December 2024 and will apply 36 months after its entry into force, on 11 December 2027. However, certain provisions will nevertheless apply earlier, including the manufacturer’s obligation to report any actively exploited vulnerabilities to the CSIRT and ENISA, which will apply 21 months after the CRA comes into force, on 11 September 2026.
AI Act (Proposed)
Read our commentary on the draft EU Artificial Intelligence Act.