In order to shape Europe’s digital future, the European Commission has prepared and enacted a large number of legal regulations that form the legal framework for the digital transformation. They will have far-reaching effects on everyday business life. As a prelude to our series ‘Digital Transformation‘, we would like to give you an overview of the most important innovations and then provide you with more detailed information on the individual topics in the coming weeks. Please feel free to contact us.
European Data Act
The Data Act was enacted on 11 January 2024 and will come into force in September 2025.
The new rules establish the right of access to industrial data and regulate its use and exchange. Manufacturers of networked products (Internet of Things ́ e.g. machines, sensors, components, household appliances or vehicles) are obliged to share data obtained in this way with users (companies or consumers), authorities and also third parties (data sharing). The regulations affect manufacturers and data holders as well as users of networked devices and providers of data processing services.
Networked products must be designed according to the requirements of the Data Act (“Access by Design”). The law also requires data owners to make the data available on an ongoing basis. This will have far-reaching implications for sensitive data and trade secrets of companies, which must be adequately protected. Conversely, access to third-party data can incentivize data-driven innovation.
In addition, data licensing agreements are required with all users in order to be able to use generated data in future.
In the future, data owners will no longer be free to use and share data without restriction.
You should prepare and implement the complex contractual and technical requirements as early as possible. It’s best to do it now!
European Artificial Intelligence Regulation (AI Act)
The possibilities of using artificial intelligence (“AI”) are constantly increasing and leading to serious changes in everyday working life. The EU Commission has developed a regulatory framework that enables the use of AI, but at the same time sets limits to it. As things stand at present, the regulation is to come into force in mid-2024. After a transitional period of 24 months, it would then apply throughout Europe. It affects all manufacturers and users of AI (image, speech and text recognition, HR systems, smart home, autonomous driving, industrial applications, connected devices).
The regulation distinguishes between four risk classes for AI applications.
There are separate rules for each risk class, which even go as far as prohibiting its use. In any case, a mandatory quality and risk management system as well as detailed transparency obligations are envisaged. A data protection impact assessment is also likely to become mandatory. Both manufacturers and users of AI systems should consider the legal requirements at an early stage and make preparations both internally (integrated company policy, works agreement) and externally (classification and documentation). We would recommend dealing with the AI Act now in order to bring the current use of digital systems in line with the new regulations.
At the same time, a new European AI Office will be set up to oversee enforcement of the new rules on AI models. Like the GDPR, the AI Act also provides for draconian penalties in the event of a violation.
Digital Services Act
The Digital Services Act aims to create a safer digital space for users of online services and aims in particular to combat illegal content. The Digital Services Act has already entered into force and has been applicable to digital service providers since February 2024.
Online intermediaries and platforms, such as online marketplaces, social networks, app stores and online travel platforms, are obliged to detect, flag and remove illegal content.
Digital Markets Act
The Digital Markets Act, which came into force on 1 November 2022, is intended to ensure that access to and conditions in digital markets are fair and on equal terms and that companies that control market access (‘gatekeepers’ e.g. Google, Apple, Microsoft, Meta) do not use their position to disadvantage third parties.
General Data Protection Regulation (GDPR)
Many companies have now implemented the requirements of the GDPR, which came into force in 2018, and integrated them into their everyday business. In light of the new EU laws, various decisions of the EU Commission and new judgements, a review and revision of internal processes is to be recommended. The GDPR will continue to play an important role in digitalization. It’s best if all requirements have already been implemented.
Cyber Resilience Act
The EU Commission’s proposal for a regulation on cybersecurity requirements for products with digital elements is intended to ensure the security of products that can be connected to each other or to the Internet (“security by design”) and includes numerous obligations for manufacturers and importers. As things stand at present, the Act is to be adopted in 2024 and will enter into force after a transitional period of 36 months.