European Tech Regulations: What You Need to Know

9 minute read | March.24.2023

Europe is in the midst of a transformation of its regulatory strategy for digital technologies. The EU has passed or proposed a number of laws affecting digital service providers in a broad range of legal areas and sectors. The goal is an EU digital market that fosters fair competition and protects consumers and data.

The evolving regulatory landscape affects digital service providers serving hundreds of millions of people across Europe, including e-commerce services, online intermediaries, and online platforms, such as video- and other user-generated content sharing platforms, social media companies, search engines, online marketplaces, and gig economy platforms. The regulations also affect software and hardware creators.

To help you keep track of the numerous tech laws, regulations and directives that have been passed or proposed in Europe, we’ve provided an overview of major changes affecting online intermediaries and ecommerce, data, cybersecurity, telecom, infrastructure and artificial intelligence.

The EU’s Digital Decade policy program, which sets 2030 targets for a digital transformation, and the EU’s Digital Single Market strategy have driven tremendous change. These initiatives seek to:

Protect personal data, reform copyright rules, and foster the free flow of non-personal data.
Implement an EU AI strategy.
Tackle illegal online content and promote online safety.
Harmonize rules related to digital content, enforce consumer protection laws and end mobile roaming charges.
Ensure a fair platform economy and the portability of digital content.
Review and modify regimes relating to audio-visual services, cloud services and the EU’s cybersecurity strategy.

One reason the EU digital strategies are so significant is that they cover such a wide geographic area. By now, it is well known that people and businesses outside the EU may be subject to GDPR obligations. This is also the case with the Digital Markets Act, Digital Services Act, a proposed AI Act and other measures.

A number of proposed laws would establish regulatory bodies at the EU and member state level, with broad investigative and enforcement powers, including a European Artificial Intelligence Board to oversee the AI Act and a European Board for Digital Services responsible for the Digital Services Act.

Finally, the sanctions for non-compliance are potentially significant. They are frequently expressed as a percentage of annual global revenues (up to 10% in the case of the DMA, 6% under the DSA and draft AI Act, and 2.5% under the proposed Cyber Resilience Act). In addition, member states may set specific penalties, including non-monetary sanctions.

4 Things Companies Should Do

The pace and breadth of change poses a challenge to companies in and out of the EU. So do the overlapping obligations, including with existing and new national laws. Companies may need to review their business models, adopt or modify policies and processes to ensure compliance, adapt their services, review and modify their communications to customers (both consumers and businesses) and review supplier arrangements and agreements. We recommend that companies:

Determine which of the new and proposed laws may apply to your business
For laws already in force, you may know the scope of your obligations. For newly adopted or proposed laws, assess which may apply and what that means for your business. What changes will be required, including to product functionality? (Our DSA Readiness Assessment Tool can help you determine whether and how the Digital Services Act applies.)
Adopt a holistic approach to compliance
Mapping compliance obligations across different laws is important since several new regulations have complimentary or overlapping obligations, including with existing national laws. For instance, the Digital Services Act, Digital Content Directive and Platform to Business Regulation each require companies to provide certain information to customers in their online terms. Similarly, some new rules, including the proposed AI Act, the proposed Cyber Resilience Act and the GDPR, require goods and services to meet prescribed security standards. Finally, many new rules affect data governance. It typically costs less time and money to address all requirements at once.
Ensure appropriate allocation of internal resources
This is important not just within the legal department, but also with engineering or other teams responsible for making product changes to comply. Note that many of the new laws have compliance grace periods, a period between when the law takes effect and when companies must comply.
Consider indirect impacts

Some rules may apply to your suppliers. Will you need to amend contracts as a consequence? Alternatively, your business may provide services to or depend on the services of impacted companies; if so, you should anticipate knock-on effects that may occur.

Click here for an overview of laws affecting digital technology in Europe

Authors

Julia Apostle Partner, Technology Transactions, Cyber Privacy and Data Innovation

Parigi

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber Privacy and Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Parigi

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Natasha Ahmed Partner, Technology Transactions, Technology Companies Group

Londra

See my bio

D:+44 20 7862 4784
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Technology Companies Group
Cyber Privacy and Data Innovation
IP Counseling e due diligence
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Natasha Ahmed Partner

Londra

Before moving into private practice, Natasha spent five years in the in-house legal team of a global brand management company.

Kelly Hagedorn Partner, Cyber Privacy and Data Innovation, Global Compliance & Regulatory

Londra

See my bio

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Global Compliance & Regulatory
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

Londra

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Dr. Christian Schröder Partner, Cyber Privacy and Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber Privacy and Data Innovation, Technology Transactions

San Francisco; Londra

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber Privacy and Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; Londra

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.