Last June, EU citizens were called to participate in the election of 720 members of the new European Parliament. After the elections, the Members of the European Parliament assessed the candidates and voted for the new European Commission and its President. Through this new administration, legislative priorities for regulating the evolving digital landscape are expected to be implemented.
One of the main areas of focus will be the adoption and enforcement of new legislation under the EU's data strategy. This includes significant acts such as the Artificial Intelligence Act (AI Act), the Data Governance Act (DGA), the Digital Services Act (DSA), and the critically important NIS2 Directive for networks and information systems. Each of these acts aims to give information security and privacy professionals a comprehensive framework for managing data securely while supporting innovation.
Securing the EU's Cyberspace and Defining Legislative Priorities
Artificial Intelligence Act: A Landmark Regulation
A cornerstone of the EU's digital strategy is the AI Act. This regulation establishes a comprehensive legal and regulatory framework for AI within the EU and aims to promote AI development, marketing, and use in alignment with EU values. It emphasizes ensuring human-centric and trustworthy AI, with a high level of protection for health, safety, fundamental rights, democracy, the rule of law, and environmental protection. It directly involves providers, importers, and distributors of AI systems or general-purpose AI models. The Act will come into effect on August 1, 2024, with its provisions being gradually enforced over the next 6 to 36 months. This legislation represents a significant step toward establishing a unified approach, ensuring that AI technologies developed and used in the EU are safe, ethical, and aligned with core values.
Data Governance Act: Facilitating Data Sharing and Usage
The DGA aims to promote and facilitate data sharing within the European Economic Area. Its primary goal is to ensure legality in the distribution of value derived from data, while also fostering a competitive market, creating opportunities for innovation, and making data more accessible to all users. The DGA applies to manufacturers of connected devices, suppliers of related services, and their users. It also covers, among others, data holders and recipients. In doing so, it seeks to establish a robust framework that supports data sharing, driving innovative economic development.
Digital Services Act: Modernizing Digital Regulations
The DSA is one of the key regulations in EU law. It is designed to update the 2000 E-Commerce Directive. It aims to harmonize the conditions for providing intermediary services and increase transparency requirements for online intermediaries. The DSA applies (with exceptions) to internet access providers, domain name registrars, cloud services, web hosting services, a range of online marketplaces, social networks, and other platforms that reach more than 10% of EU consumers.
Strengthening Cybersecurity Resilience
The NIS2 Directive represents the most significant advancement in the EU's efforts to strengthen cybersecurity. Building on the original NIS Directive adopted in 2016, NIS2 aims to further improve resilience and incident response capabilities across the EU, in both the public and private sectors. This is achieved through a combination of risk management measures and mandatory reporting requirements.
One of the most important changes introduced by NIS2 is the redefinition of covered entities, which will increase the number of critical and important infrastructures in Cyprus from 70 to 700 under the new directive. This provision also broadens the list of sectors and activities subject to EU-level cybersecurity legal obligations, safeguarding medium and large entities that now fall under the new scope. NIS2 also modifies breach notification requirements while introducing voluntary coordinated vulnerability disclosures for entities within its scope. These changes are designed to enhance transparency and improve the overall security posture of covered entities.
All of the above highlight the urgent need for the new European Commission and EU legislative bodies to finalize discussions and swiftly implement these critical regulations. Moving into 2025, the Digital Operational Resilience Act (DORA) is expected to come into force on January 17, while the full implementation of the Data Act is anticipated by September 12, 2025. By early 2026, the AI Act is set to be fully operational, followed by the e-Evidence regulation, which will take effect on August 18, 2026.
The EU Strengthens Cybersecurity
As the EU continues to navigate the complexities of cybersecurity, a proactive and holistic approach is essential. By aiming to reduce cyber threats through information sharing, implementing measures, and enhancing security, the EU can significantly strengthen its stance. The NIS2 Directive now plays a critical role in this strategy, improving the EU's resilience and incident response capabilities. With its expanded scope and stringent compliance requirements, NIS2 ensures that the EU remains at the forefront of digital innovation and security, creating a safer and more resilient digital environment for all its citizens.