EU Digital Strategy

Data-driven companies face the challenge of adapting their business models to both technological changes and strict data regulatory requirements. As part of the EU Digital Strategy, the EU has various legislative procedures under way or already implemented. These laws go beyond the processing of personal data and also address topics such as artificial intelligence and cybersecurity, and they relate directly or indirectly to IT security measures or data protection.


WHAT SETS US APART?

  • Experience and Trust: With over 1,000 customers and 400+ certifications across various industries, we are your reliable partner. 
  • Tailored Solutions: We develop pragmatic solutions that are tailored to the needs of your business. 
  • In-depth Expertise: Our team consists of experienced data protection experts, computer scientists, lawyers, and compliance specialists who provide you with individual and personalized advice.

OUR SERVICES

We offer you comprehensive consulting and expertise to optimally leverage the various EU directives and regulations on data regulation. These include, among others, the Data Governance Act (DGA), the Data Act (DA), the Digital Services Act (DSA), the Digital Markets Act (DMA), the AI Act (AIA), and the NIS-2 Directive.

AI Act

The AI Act is the world's first comprehensive framework for regulating the use of Artificial Intelligence (AI). The goal of this law is to enhance trust in this technology by establishing clear guidelines and regulations. The AI Act aims to create a legal framework for the development and use of AI within the European Union, with a focus on transparency, safety, and ethical standards. The following areas are particularly addressed:

  • Classification of AI Systems: AI systems are categorized into four levels of risk to society: unacceptable risk, high risk, limited risk, and minimal risk. These categories are subject to different regulatory measures.
  • Regulation and Oversight: High-risk AI systems are subject to strict regulations, including the requirement to conduct risk assessments and regular audits.
  • Transparency Obligations: Providers of AI systems must ensure that users are informed about interactions with AI and understand how these systems make decisions.
  • Accountability and Liability: Clear rules are established regarding the accountability and liability of AI system providers and users.

Artificial Intelligence describes the capability of machines to autonomously perform tasks based on algorithms, mimicking the problem-solving and decision-making abilities of the human mind.

Data Act

The EU Data Act is part of the EU Digital Strategy and aims to facilitate data access and data usage within the European Union. It encompasses not only personal data but all types of data. Many data are generated through the use of products and services, and access to this data should be made easier for individuals and businesses. The Data Act also regulates the interoperability of data, for instance, when a customer switches cloud providers.

The Data Act aims to harness the previously untapped potential of data in the EU. It establishes the conditions under which data can be used and by whom.

What are the new measures?

  • Increase legal certainty for businesses and consumers
  • Reduce the misuse of contractual imbalances
  • Regulations that enable public authorities to access data from the private sector and use it for specific public interest purposes
  • New rules that establish the framework for effectively switching between different data processing service providers, to unlock the EU cloud market.

Digital Services Act

The Digital Services Act (DSA) has been fully in effect since February 2024 and sets new requirements for a safer and more responsible environment on online platforms. The law facilitates the removal of illegal content and protects the fundamental rights of users. Large online platforms and search engines with at least 45 million monthly active users are subject to specific due diligence obligations, such as conducting risk assessments and minimizing risks. This aims to improve the fight against illegal content on these platforms.

All online intermediaries operating in the internal market must comply with the new regulations, regardless of whether they are based inside or outside the EU. These online providers include, among others, internet service providers, hosting services such as cloud and web hosting, online marketplaces, app stores, and social media platforms. Very large online platforms and search engines are subject to special regulations because they pose a higher risk for the dissemination of illegal content and societal harm.

Digital Markets Act

The Digital Markets Act sets out a series of criteria for classifying large online platforms as so-called "gatekeepers". The DMA imposes additional competition and antitrust obligations on these "gatekeepers".

These criteria are met if the following conditions apply to a company:

  • it holds a strong economic position with a significant impact on the internal market and is active in several EU countries,
  • it has a strong intermediation position, i.e. it connects a large user base with a large number of businesses,
  • it has (or will soon have) an entrenched and durable position in the market. Companies are considered stable over time if they have met the two preceding criteria in each of the last three financial years.

Data Governance Act

The Data Governance Act (DGA) has been in effect since September 2023 following its transition period. Unlike the GDPR, the DGA includes both personal and non-personal data. The goal of this new regulation is to strengthen the voluntary data exchange between companies and individuals by having neutral third parties or intermediaries provide the necessary infrastructure. By regulating new data intermediaries and the exchange of data for altruistic purposes, the DGA aims to make more data available.

The core provision of the DGA is the data intermediation service. According to the DGA, a data intermediation service is "a service that aims to establish a business relationship between data subjects or data holders on the one hand and data users on the other hand, to enable the shared use of data." The data intermediation service must fulfill a series of obligations in addition to the GDPR, including: neutrality, insolvency protection, fraud prevention, data security, and fair and non-discriminatory access.

The DGA imposes additional obligations on all data intermediation services and subsequently grants certain privileges only to those pursuing altruistic and non-commercial purposes. Commercial data intermediation services are subject to additional obligations and the strict requirements of the GDPR.

NIS-2 Directive

The NIS-2 Directive must be implemented by October 2024. The directive sets new requirements for information security and cybersecurity for companies operating in critical infrastructure sectors. These sectors include energy, transport/traffic, finance and insurance, healthcare, water/wastewater, food, medical devices, automotive, digital services, chemicals, and space.

The directive aims to enhance cybersecurity within the EU. Violations of NIS-2 requirements can be punished with high fines. The fines can be up to €10 million or 2% of the worldwide annual turnover.

Important steps for NIS-2 compliance:

  • Guidelines: Creation of IT security policies and review processes
  • Governance: Establish responsibilities, security by design, and risk assessments
  • Employees: Security checks for applicants and IT security in employment contracts
  • Data: Classification and labeling of data, policies for data handling
  • Access: User management and policies for system access
  • Cryptography: Guidelines for the use of cryptographic measures, key management
  • Physical security, incident handling, operational security, systems, suppliers, etc.
