Digital regulation in the European Union – latest developments & upcoming challenges (…and chances!)

The European Union is currently very active (among others) in the area of “digital regulation” with relevance in particular for innovative data driven products and services. Besides the usual increase of bureaucratic efforts required from corporations getting in touch with such developments (i.e. practically every company working with modern technology), there are also certain opportunities arising out of the introduction of innovative technology regulation, such as the AI Act or the Data Act.

The purpose of this overview is to provide a short form of basic guidance on important European rules which have recently been adopted and which are affecting companies’ data management and/or digital (product) sales initiatives significantly. Given the amount of current legislative proceedings, the idea is to focus on most current regulation with the potentially most crucial impact on digital processes as well as business cases.

The AI Act – the first comprehensive effort to create a regulatory framework for the No. 1 future technology

What does it regulate?

The AI Act – which has just (i.e. on March 13th 2024) passed the European Parliament – is the first comprehensive binding regulatory approach to set legal rules on how to deal with artificial intelligence within practical use cases.

What does it cover?

There are various requirements relating in particular to IT security measures as well as other legal obligations such as providing sufficient transparency on how an “AI system” actually works. How strict such requirements are basically depends on the criticality of a specific “AI system’s” use case; the AI Act differs as follows:

There are various requirements relating in particular to IT security measures as well as other legal obligations, such as providing sufficient transparency on how an “AI system” actually works. How strict such requirements are basically depends on the criticality of a specific “AI system’s” use case; the AI Act differs as follows:

  • “Prohibited AI Practices”, Art. 5 AI Act: These AI use cases are deemed unjustifiable from an ethical-moral standpoint and thus not permissible at all (e.g. establishing some kind of “social scoring” system based on comprehensive behavior surveillance).
  • “high-risk AI systems”, Art. 6 et seqq.: These “AI systems” are deemed to be particularly “risky” due to their sensitive nature (e.g. when dealing with biometric categorization). Putting such an “AI system” into practice thus inter alia requires the establishment of a “Risk management system” in accordance with Art. 9 as well as detailed and transparent technical documentation in the sense of Art. 11. Also, requirements on data accuracy as well as cyber security are increased significantly in those cases (cf. Art. 15).
  • Other AI systems, Art. 50: For “certain” other less invasive “AI systems”, the AI Act contains more general rules and requirements like informing directly involved addressees about the fact that they are actually interacting with an “AI system”. Art. 51 et seq. hold specific rules for the currently very popular General-Purpose AI models such as ChatGPT etc.

What should I do?

Before launching an AI solution, there should be a detailed risk analysis of whether it falls under the AI Act – and if so, under which category of an “AI system”. After that, an action plan (including priorities) should be drafted within which fulfilling applicable requirements is being specified in more detail. When this implementation works out satisfactorily, there should be nothing standing in the way of (lawfully) launching a successful innovative AI tool.

The Data Act – the European Union’s effort to create a European single market for data.

What does it regulate?

The Data Act is an important digital regulation which has just recently become effective on January 11th, 2024. It contains the approach of the European Commission to form a “European single market” for data in order to enhance the development of innovative data driven products and services.

What does it cover?

The data act contains various rather fundamental obligations for providers of “connected products” and “related services”:

  • Data Access by the user and third parties, Art. 4 et seqq. Data Act: The key regulation of the data act obliges “data holders” to “make accessible” “readily available data” including “relevant meta data” to the “user” of a “connected product” or “related service”. The Data Act only provides very rare and well-hidden indication on what specifically shall be covered by this obligation (e.g. in recital 15 when speaking of data in its “raw form”). According to Art. 5, such data shall also be made available to “third parties” upon request of the user.
  • “Data Access by design”, Art. 3: According to Art. 3 Data Act, “connected products” and “related services” need to be designed in such a way that the provision of data to the user and third parties (see above) may be carried out “easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly”. These – pretty strict – requirements should be considered early within development procedures as those may have significant impact on the structure of data driven products and services.
  • Service “switching” requirements, Art. 23 et seqq.: The Data Act further contains certain operational as well as contractual requirements when it gets to “switching” between providers of “data processing services”. For instance, the “switching period” (from a technical perspective) and the termination period (from a contractual view) may not exceed 90 days in total (see Art. 25 para. 2 lit. a, d) – which may be an obstacle for companies used to establish long contract terms due to the commercial set-up of their business model.

What should I do?

Dealing with the Data Act adequately in particular should include drafting of a “Data Access Concept” (comparable to a process on how to deal with data subject requests under the GDPR) which specifies what to do when Data Act claims are actually being brought. Creating such a concept will usually require a certain “Data Due Diligence” in order to assess (i) which data is being generated, (ii) which data you would provide to users and/or third parties upon request (and which data you would not provide ) and – last but not least – (iii) the data that could be useful for your own digital business! Further, adjustments (in particular) to the existing contract template landscape and development processes should be considered.

Cyber Resilience Act – strengthening cyber security (requirements) in Europe.

What does it regulate?

The Cyber Resilience Act is also a “brand-new” regulation having just passed the European Parliament on March 12th, 2024. It contains certain IT security related requirements referring to “products with digital elements”.

What does it imply?

The Cyber Resilience Act is distinguishing – comparable to the AI Act (see above) – according to the criticality of affected products as follows:

  • The consolidated basic requirement comes with Art. 6 Cyber Resilience Act which is referring to “essential requirements” for “products with digital elements” being provided in Annex 1 of the regulation as well as “processes put in place by the manufacturer” which may be found in Annex 2. Annex 1 does indeed point out rather basic requirements such as not making available products with known vulnerabilities or implementing “mitigation measures” against denial-of-service attacks. Annex 2 mainly contains basic information obligations towards the user.
  • Art. 7 sets stricter requirements for “important” products which are specified within Annex 3 – basically referring to “products with digital elements” for sensitive use cases with higher security exposure such as password management or network equipment. Such products in particular need to be made subject to the “conformity assessment procedures” as described in Art. 32.
  • Art. 8 holds even stricter requirements for “critical” products as defined within Annex 4; those are products with very high IT security relevance such as smart meter gateways and comparable devices. The European Commission may require a certificate proving an at least “substantial” level of security for such products via delegated acts.
  • The Cyber Resilience Act further contains several other obligations with IT security relevance; such as reporting obligations in terms of vulnerabilities (Art. 14) or providing adequate security related documentation (Art. 31).

What should I do?

Overall, the Cyber Resilience Act does contain fairly little that is really new – in any event, it is the first comprehensive IT security regulation which is directly applicable in all member states. Companies should take the chance to evaluate whether their current IT security management system covers all of its requirements, while in particular having in mind the differentiation between specific “risk classes” according to the Cyber Resilience Act.

Dr. Peter Schneidereit
Partner - IT Contracts and Data Protection
Spencer West Partner Dr. Peter Schneidereit