Our annual "What's Another Year?" bulletin is a snapshot of the key legal and regulatory developments which we can expect over the course of 2024, across a range of sectors and practice areas.

ARTIFICIAL INTELLIGENCE

Since the European Commission tabled its proposal for an EU regulatory framework on artificial intelligence (AI Act) in April 2021, regulation of AI has remained a focus for legislators across the globe. On 9 December 2023, the European Parliament and the Council reached political agreement on the AI Act. Work will continue at a technical level in the coming weeks to finalise the details of the new regulation. The presidency will submit the compromise text to the member states' representatives for endorsement once ready. The entire text will need to be confirmed by both institutions and undergo legal-linguistic revision before formal adoption.

For more information on preparing for AI, please see our briefing for Irish Compliance Quarterly: Developing a Responsible Governance Framework for AI

CYBERSECURITY

Network and Information Systems: The Network and Information Systems Directive (EU) 2022/2555 (NIS2) aims to ensure a high level of cybersecurity of services provided by essential and important entities and will apply to an expanded scope of entities, to include ICT managed service providers, ICT managed security service providers and trust service providers who issue qualified certificates and signatures for the purposes of the eIDAS Regulation.

EU Member States are required to adopt and publish the transposing measures of NIS2 by 17 October 2024 and apply its measures from 18 October 2024. For more information on NIS2, and on the Digital Operational Resilience Act, see our briefing on key considerations for fintech providers here.

Cyber-Resilience: The EU cybersecurity framework comprises several pieces of legislation covering aspects linked to cybersecurity from different angles; products, services, crisis management, and crimes.

In September 2022, the European Commission presented a legislative proposal for the EU Cyber-Resilience Act (CRA). This proposed Regulation introduces mandatory cybersecurity requirements for products with digital elements and would complement existing legislation, specifically NIS2. The proposal introduces cybersecurity by design and by default principles and imposes a duty of care for the lifecycle of products. Negotiations between the Council, Parliament and Commission on the file are ongoing. Once adopted it is currently intended that the CRA will apply 24 months following the entering into force of the Regulation, except for Article 11 (Reporting obligations of manufacturers), which applies 12 months after the Act has entered into force.

EUROPEAN STRATEGY FOR DATA

The EU has developed a series of legislative initiatives aimed at ensuring data becomes more widely available for use in the economy and society. The Data Governance Act and the Data Act are key pillars of this "European strategy for data". We discuss the Data Governance Act, which applied in full from September 2023, in our briefing here.

The European Commission's proposal for a regulation laying out harmonised rules on fair access to and use of data (Data Act) has recently been approved by the Council and the new regulation will be published in the EU's official journal in the coming weeks. It establishes rules on the sharing of data generated through use of connected products or related services and allows users to access the data they generate. It also provides for public sector bodies to access and use data held by the private sector in certain limited exceptional circumstances. The new rules will likely become enforceable around mid-2025 to give industry time to adjust.

DIGITAL SERVICES

The Digital Services Act (DSA) is set to overhaul the rules relating to intermediary liability for internet companies doing business in the EU and transform the way individual users and businesses interact with providers of online platforms and other core platform services. It does so by introducing various tiers of obligations that will apply to different categories of "intermediary service" providers. From 17 February 2024, its comprehensive new rules will apply to all providers of information society services within its scope.

Please see our extensive video series and briefings below:

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.