New rules that will impact business users of digital technologies
Overview of upcoming EU legislation on digital technology – August 2023
From 2021 to 2023 the EU introduced multiple new pieces of legislation to regulate (the market for) digital technology and proposed updates to other pieces of legislation. These legal acts will have an impact on your operational options, responsibilities and liabilities, so make sure your organisation (and especially your legal and compliance colleagues) takes note and prepares for the upcoming pieces of legislation. The dates of application might seem far away; however, it is important to use this time to get ready in order to avoid unpleasant surprises. The rules may also broaden your rights and options in negotiating with suppliers, so diving into the new legislation may also benefit you.

The new pieces of legislation and legislative updates are part of the EU’s digital strategy 2019-2024 ‘A Europe fit for the digital age’. CIO Platform Nederland (CIOPN) voices the interests of business users of digital technologies on these dossiers. CIOPN collaborates on these topics with the CIO associations of France (Cigref), Belgium (Beltug) and Germany (Voice). This memo points out the developments on ten of the legislative acts and legislative updates that are most relevant to business users of digital technology:
Legislative process finalised
- Data Act – entry into force late 2023
- Data Governance Act (DGA) – entered into force and applies as from 24 September 2023
- Digital Markets Act (DMA) – entered into force, applies in full, gatekeepers designated
- Digital Services Act (DSA) – entered into force and applies partially
- Cybersecurity Act (CSA) – entered into force and applies in full
- NIS2 Directive – entered into force and needs to be transposed by 17 October 2024
Legislative process ongoing
- Artificial Intelligence Act (AIA)
- Cyber Resilience Act (CRA)
- Product Liability Directive (PLD)
- AI Liability Directive (AILD)
Finalised legislation
Data Act
Content
On June 27th, 2023, the EU Council and European Parliament agreed on the final text of the Data Act. The aim of the Data Act is to ensure fairness in the allocation of value derived from data among actors in the data economy and to foster access to and use of data. The three main topics of the Data Act are: data sharing, facilitating switching between cloud services, and setting up interoperability standards for data spaces.
In more detail, the data sharing relates to business to business, business to government and business to consumer data sharing. This concerns data generated by – in short – the use of Internet of Things (IoT) devices and related services; smart products such as medical devices, smart agricultural equipment or smart fridges. On data sharing the Data Act establishes:
- An obligation for data-holders to make data generated by the use of products and related services accessible;
- Rules on how data-holders can use the data (note that the Data Act limits data holders in their use of the data they obtain);
- A right for users to access and use data generated by products or related services;
- A right for users to share data with third parties;
- Obligations for third parties who receive data at the request of the user; and
- An obligation to share data with public bodies upon request in cases of exceptional need. Exceptional need covers public emergencies, a public body needing specific data to fulfil a legally mandated and specific task in public interest, as well as a public body having exhausted all other options to obtain data that it needs.
On switching between cloud services, the Data Act stipulates that providers of such services must remove commercial, technical, contractual and organisational obstacles which inhibit customers from switching to the cloud services of another provider, thereby reducing vendor lock-in.
Legislative process
The EU institutions reached an agreement on the text of the Data Act during the trilogue negotiations of June 27th. The Council has formalised its position on the text. The European Parliament is set to do so in early September. The Data Act is expected to enter into force early Q4 2023. The transition period is 20 months, so the Data Act will apply as from mid-2025.
The final text of the Data Act can be found here. Information about the Data Act is available here and the initial Commission proposal here. The legislative process is outlined here.
Data Governance Act (DGA)
Content
The DGA entered into force in June 2022. The Data Governance Act (DGA) aims to increase trust in data sharing. For that purpose, the DGA creates rules on three main topics.
Firstly, the DGA creates a mechanism for re-using categories of data by public sector bodies. The DGA provides a set of basic conditions under which the re-use of such data may be allowed (e.g. the requirement of non-exclusivity). The DGA does not create any obligation on public sector bodies to allow re-use of such data. Secondly, the act establishes EU rules on the neutrality of data marketplaces for B2B and B2C sharing of personal and non-personal data.
Providers of data sharing services are prohibited from using the data exchanged for any other purpose. This rule requires a structural separation between the data sharing service and any other services they provide.
Thirdly, the DGA facilitates data altruism, which is data voluntarily made available by individuals or companies for purposes of general interest. Organisations that collect data for a general interest, e.g. in the field of medical research, may be listed in a register of recognised data altruism organisations. This should encourage individuals to donate their data to these organisations and will make it easier for organisations to use data for societal good.
Legislative process
The DGA will apply as from 24 September 2023. The final text of the DGA is available here. An overview of the legislative process is outlined here.
The DGA is a regulation and as such, it does not need national transposition. However, it often does require national implementation, for example to appoint the national competent authority. The Dutch competition authority (ACM) will be appointed as the competent authority, likely as of 24 September 2023. Read more about the Dutch implementing act here.
Digital Markets Act (DMA)
Content
The Digital Markets Act (DMA) establishes rules for large online platforms, so-called ‘gatekeepers’, such as search engines and e-commerce platforms. Gatekeeper status is assigned if specific criteria regarding the magnitude or economic position of a platform are met.
The DMA defines and prohibits unfair practices by gatekeepers, like treating services and products offered by the gatekeeper itself more favourably in ranking than similar services or products offered by third parties on the gatekeeper's platform. The act also labels the practice of preventing users from uninstalling any pre-installed software as unfair. Furthermore, the new law will allow users to freely choose their browser, virtual assistant and search engine.
On 6 September 2023, the European Commission designated six gatekeepers pursuant to article 3 of the DMA: Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. In total, 22 core platform services provided by gatekeepers have been designated. Notably, no cloud service has been designated.
Legislative process
The DMA has entered into force and fully applies as of June 25th, 2023. The final text of the DMA is available here and an overview of the legislative process is outlined here. Read more about the designation of gatekeepers here.
Digital Services Act (DSA)
Content
The Digital Services Act (DSA) aims to create a safer and trusted online environment by defining rules for online intermediary services. The DSA applies to multiple types of online intermediary services (i.e., intermediary services offering network infrastructure, hosting services, online platform services, and very large online platforms services). The act stipulates basic obligations applicable to all providers of intermediary services, for example regarding transparency. For hosting services, online platform services, and very large online platforms services the DSA establishes more specific and cumulative requirements.
On 25 April 2023, the European Commission designated 17 very large online platforms (VLOPs) and two very large online search engines (VLOSEs) that will have to abide by the rules set by the DSA.
Legislative process
A first selection of DSA articles applies as of November 26th, 2022. The act will apply in full as of February 17th, 2024. The final text of the DSA is available here. An overview of the legislative process is outlined here. Read more about the designated VLOPs and VLOSEs here.
Cybersecurity Act (CSA)
Content
The Cybersecurity Act (CSA) introduces a voluntary EU certification framework for ICT security products. Additionally, it provides for a permanent mandate for the European Union Agency for Network and Information Security (ENISA), so that it can fulfil its tasks under the NIS2 Directive, amongst others.
Legislative process
The CSA already applies in full. The final text is available here and an overview of the legislative process is outlined here.
The CSA has been implemented into Dutch law, insofar as necessary (here, here and here). The Dutch competent authority is the Authority for Digital Infrastructure (RDI).
NIS2 Directive
Content
The NIS2 Directive aims to address the deficiencies of the previous NIS Directive and to make it future-proof. On the basis of the NIS2 Directive, entities are automatically designated as essential or as important if they are active in sectors designated by the NIS2 Directive and if the entities are of a certain size.
The scope of the previous NIS Directive is extended by adding new sectors based on their criticality for the economy and society, and by introducing a clear size cap – meaning that all medium and large companies in selected sectors will be included in the scope. The NIS2 Directive also eliminates the distinction between operators of essential services and digital service providers.
The NIS2 Directive strengthens security requirements for essential and important entities as well as for entities designated under the CER Directive, by imposing a risk management approach providing a minimum list of basic security elements that have to be applied. NIS2 establishes basic security requirements for companies and introduces more precise obligations on incident reporting. In addition, the Directive requires individual companies to address cybersecurity risks in supply chains and supplier relationships. NIS2 also includes supervisory measures and accountability of company management for compliance with cybersecurity obligations. The Dutch Cyber Security Centre (NCSC) suggests that organisations can prepare for NIS2 and protect themselves by implementing measures such as identifying alternative supply chains and creating business continuity plans.
Legislative process
The NIS2 Directive entered into force on January 16th, 2023. The final text is available here. The legislative process is outlined here.
Member States have until October 17th, 2024, to transpose the Directive into national law. National legislation will cover the transposition of the duty of care and the duty to report, as well as the designation of the national competent authority. The consultation on the Dutch transposition act is likely to start in Q3 2023.
Proposed legislation - legislative process ongoing
Artificial Intelligence Act (AIA)
On 21 April 2021, the European Commission published the proposal for the Regulation on Artificial Intelligence, or Artificial Intelligence Act (AIA).
Content
The AIA lays down harmonised rules for the development, placement on the market and use of AI systems. It sets out obligations for providers of AI systems as well as for (business) users and other participants across the AI value chain. Please note that these roles are not fixed: it depends on the involvement of your organisation in the specific application of an AI-system what your obligations will be.
The purpose of the AIA is to foster the development, use and uptake of AI while providing a high level of protection of public interests. The EU aims to become a global leader in the development of secure, trustworthy, and ethical AI.
The AIA follows a risk-based approach based on the intended purpose of the AI system. It differentiates between uses of AI that create (i) an unacceptable risk, (ii) a high risk, and (iii) a low or minimal risk. AI systems that pose an unacceptable risk are prohibited. High-risk AI systems are permitted on the EU market as long as they comply with requirements related to data and data governance, documentation and record keeping, transparency and provision of information to users, human oversight, robustness, accuracy, and security. To low-risk AI systems, only minimum transparency obligations apply. If an AI system does not fall into one of the three categories, no obligations apply. The AIA promotes the drawing up of codes of conduct that aim to voluntarily apply high-risk requirements to non-high-risk AI systems.
The act mainly covers rules for high-risk AI systems. AI systems can be classified as high-risk in two ways: 1) the AI system is used in a specific area set out by the Regulation (1), or 2) the AI system is (a component of) a product that needs to undergo a third-party conformity assessment under other EU legislation (2).
For high-risk AI systems a conformity assessment is required. Depending on the system, the conformity assessment can be performed either through internal control or by a notified body. The assessment can be part of the conformity assessment of the products of which the AI system is a component (e.g., machinery and medical devices). Both the Council and the European Parliament have proposed amendments to the AIA text that aim to regulate throughout the value chain.
(1) The initial AIA proposal mentions the following eight areas in Annex III (NB the AIA is still under negotiation and this list might be subject to change): 1) biometric identification and categorisation of natural persons; 2) management and operation of critical infrastructure; 3) education and vocational training; 4) employment, workers management and access to self-employment; 5) access to and enjoyment of essential private services and public services and benefits; 6) law enforcement; 7) migration, asylum and border control management; 8) administration of justice and democratic processes.
(2) Annex II to the initial AIA proposal lists 19 pieces of legislation. Examples include the new Machinery Regulation, the Medical Device Regulation, and the Regulation on Civil Aviation.
Legislative process
The AIA is currently being negotiated by the Council and the European Parliament in the trilogues. The first trilogue, dated July 18th, 2023, finalised the text on obligations for high-risk providers, procedures for the conformity assessment bodies and the provisions on technical standards. More contentious topics such as the regulatory sandbox and fundamental rights impact assessment are still subject to debate.
The next trilogue meeting is scheduled for October 3rd. A third, and potentially final, trilogue meeting is expected in Q4 of 2023, meaning the final text could be agreed on by the end of this year. The AI Act will apply 24-36 months after the Council and European Parliament formalise their agreement.
Information about the AIA is available here and the text of the Commission proposal here. The legislative process is outlined here.
The European Parliament text is available here. The Council text is available here.
Cyber Resilience Act (CRA)
On September 15th, 2022, the European Commission published the proposal for the Cyber Resilience Act (CRA).
Content
The purpose of the CRA is twofold: 1) to ensure that hardware and software products are placed on the market with fewer vulnerabilities and to ensure that manufacturers take security seriously throughout a product’s life cycle, and 2) to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
The CRA aims to address the problem that in a connected environment, a cybersecurity incident in one product can severely affect an entire organisation or even a whole supply chain. The act lays down cybersecurity rules and requirements for the design, development, production and placing on the market of products with digital elements, demanding a higher degree of security-by-design. Additionally, the act sets out requirements for the vulnerability handling processes throughout the life cycle of a product.
With its horizontal and compulsory nature, the CRA complements the Cybersecurity Act and the NIS2 Directive (see above under ‘Finalised legislation’).
Legislative process
Currently, the CRA is on its way to the trilogue negotiations. The Council adopted its general approach on July 19th, 2023. After the lead committee ITRE voted in favour of the draft report on July 19th, the European Parliament is set to adopt its position after the summer. The Spanish presidency aims to finish the trilogue negotiations with the European Parliament during its presidency, eyeing a possible deal in early 2024 and application 36 months thereafter, except for article 11, which will apply 12 to 18 months earlier. Article 11 covers the obligation for manufacturers to report exploited vulnerabilities to the relevant authorities and relevant third parties.
Information about the CRA is available here and the text of the proposal by the Commission is available here. The legislative process is outlined here. The ITRE text is available here and the Council text is available here.
Update Product Liability Directive (PLD)
On September 28th, 2022, the European Commission published its proposal to update the existing Product Liability Directive (PLD), in parallel with the AI Liability Directive.
Content
The PLD will be revised in order to cover damage caused by malfunctioning digital products (standalone software and AI) and physical products supported by software or AI. Examples include a cleaning robot or a medical health app. The PLD enables victims to hold product manufacturers liable for material losses resulting from death, personal injury, damage to property and loss or corruption of data. Product manufacturers include hardware manufacturers, software providers and providers of digital services that affect how the product works.
Manufacturers will remain responsible for damages caused by, for example, software updates or failure to address cybersecurity risks. Additionally, the PLD lays down five scenarios in which the causal link (a key element for establishing liability) between defectiveness and damage is presumed, for example if it is impossible to prove the causal link due to complexity of the product.
Legislative process
The Council finalised its position on June 14th, 2023, when COREPER confirmed that member states had reached an agreement at technical level. In the EP, the IMCO and JURI committees are preparing the draft report on the PLD. A vote is scheduled for September 19th, 2023. Subsequently, the European Parliament will vote on the text during a plenary session, likely in early Q4 2023.
The trilogue negotiations are set to begin late Q4 2023, early Q1 2024. After agreement, the EU member states will have 12 months to transpose the revised PLD into national legislation.
Information about the update of the PLD is available here and the Commission proposal here. The legislative process is outlined here.
The Council text is available here. The European Parliament text is available here.
AI Liability Directive (AILD)
On September 28th, 2022, the European Commission published its proposal for the AI Liability Directive (AILD). The proposal was published in parallel with the proposal to update the Product Liability Directive (see above).
Content
The AILD covers national liability claims based on the fault of any person, with a view to compensating any type of damage (material damage, fundamental rights breaches) for any type of victim. The Directive introduces two main (procedural) safeguards that facilitate victims in seeking compensation for damage due to an AI system.
First, the AILD introduces a rebuttable presumption of causality. This should lower barriers for victims to prove the required causality between harm and a fault/omission in which an AI system was involved. Second, the Directive introduces a right of access to evidence, meaning victims will have the possibility to access the information that needs to be recorded on high-risk AI systems pursuant to the AI Act.
Legislative process
The Council and the European Parliament have started to form their positions on the proposal. However, the AI Liability Directive is closely linked to the AI Act. Due to the cross-references on key aspects such as the definition of AI, the work on the AILD has been put aside until the AIA is agreed on.
Information about the AILD is available here and the text of the Commission proposal here. The legislative process is outlined here. When ultimately finished, the Directive has to be transposed into national law.