9 minute read | March.24.2023
Europe is in the midst of a transformation of its regulatory strategy for digital technologies. The EU has passed or proposed a number of laws affecting digital service providers in a broad range of legal areas and sectors. The goal is an EU digital market that fosters fair competition and protects consumers and data.
The evolving regulatory landscape affects digital service providers serving hundreds of millions of people across Europe, including e-commerce services, online intermediaries, and online platforms, such as video- and other user-generated content sharing platforms, social media companies, search engines, online marketplaces, and gig economy platforms. The regulations also affect software and hardware creators.
To help you keep track of the numerous tech laws, regulations and directives that have been passed or proposed in Europe, we’ve provided an overview of major changes affecting online intermediaries and ecommerce, data, cybersecurity, telecom, infrastructure and artificial intelligence.
The EU’s Digital Decade policy program, which sets 2030 targets for a digital transformation, and the EU’s Digital Single Market strategy have driven tremendous change. These initiatives seek to:
One reason the EU digital strategies are so significant is that they cover such a wide geographic area. By now, it is well known that people and businesses outside the EU may be subject to GDPR obligations. This is also the case with the Digital Markets Act, Digital Services Act, a proposed AI Act and other measures.
A number of proposed laws would establish regulatory bodies at the EU and member state level, with broad investigative and enforcement powers, including a European Artificial Intelligence Board to oversee the AI Act and a European Board for Digital Services responsible for the Digital Services Act.
Finally, the sanctions for non-compliance are potentially significant. They are frequently expressed as a percentage of annual global revenues (up to 10% in the case of the DMA, 6% under the DSA and draft AI Act, and 2.5% under the proposed Cyber Resilience Act). In addition, member states may set specific penalties, including non-monetary sanctions.
4 Things Companies Should Do
The pace and breadth of change poses a challenge to companies in and out of the EU. So do the overlapping obligations, including with existing and new national laws. Companies may need to review their business models, adopt or modify policies and processes to ensure compliance, adapt their services, review and modify their communications to customers (both consumers and businesses) and review supplier arrangements and agreements. We recommend that companies:
For laws already in force, you may know the scope of your obligations. For newly adopted or proposed laws, assess which may apply and what that means for your business. What changes will be required, including to product functionality? (Our DSA Readiness Assessment Tool can help you determine whether and how the Digital Services Act applies.)
Mapping compliance obligations across different laws is important since several new regulations have complimentary or overlapping obligations, including with existing national laws. For instance, the Digital Services Act, Digital Content Directive and Platform to Business Regulation each require companies to provide certain information to customers in their online terms. Similarly, some new rules, including the proposed AI Act, the proposed Cyber Resilience Act and the GDPR, require goods and services to meet prescribed security standards. Finally, many new rules affect data governance. It typically costs less time and money to address all requirements at once.
This is important not just within the legal department, but also with engineering or other teams responsible for making product changes to comply. Note that many of the new laws have compliance grace periods, a period between when the law takes effect and when companies must comply.
Some rules may apply to your suppliers. Will you need to amend contracts as a consequence? Alternatively, your business may provide services to or depend on the services of impacted companies; if so, you should anticipate knock-on effects that may occur.