Our Autumn 2024 edition sets out the key EU / UK regulatory developments in online safety, digital platforms, cyber, AI and data. Check below whether your business is in scope, and actions you may need to take before any obligations begin to apply.
Highlights of our update include the race to bring provisions of the UK Digital Markets, Competition and Consumers Act (DMCCA) and Online Safety Act (OSA) into force, the first indications of the policy direction of the new UK Government on AI, and the long-awaited application of several new cyber security initiatives in the EU.
Platform
DMCCA (UK)
The DMCCA:
- Introduces a digital markets regime. The Act allows the Competition and Markets Authority (CMA) to impose unique obligations on firms deemed to hold Strategic Market Status (SMS), similar to the obligations on the core platform services of gatekeepers under the EU Digital Markets Act.
- Implements key competition law reforms. The Act reforms the general competition law framework with amended merger control thresholds and broader powers for the CMA to enforce against anti-competitive conduct.
- Overhauls consumer law and consumer enforcement. The Act introduces new consumer protection measures targeting auto-renewing subscriptions, fake reviews and purported hidden costs in online purchases. It also brings the CMA's consumer law enforcement powers to the same level as the competition enforcement regime, with the CMA able to fine businesses up to 10% of their global turnover for infringing UK consumer law.
Scope: The digital markets regime applies to SMS firms only; the consumer law reforms to all b2c businesses; and the competition law reforms universally.
Next steps: The Government aims to commence the digital markets and competition law regimes in December 2024 or January 2025. The CMA is expected to launch the first SMS investigations shortly afterwards. In April 2025, the government expects to commence the consumer law reforms.
Read more in our short guides, which cover the key parts of the Act and what actions businesses should take.
Digital Markets Act (DMA) (EU)
The DMA imposes "pro-competitive" obligations on specified services of the seven designated gatekeeper firms: Alphabet (i.e. Google), Amazon, Apple, ByteDance, Booking.com, Meta and Microsoft. The gatekeepers could face fines of up to 10% of global annual turnover if an infringement is found.
Scope: Only the seven designated gatekeepers fall within direct scope, but this does not preclude additional firms from designation in the future.
Next steps: In October 2024, the European Commission concluded that the social network "X" should not be designated under the DMA. This decision followed an in-depth market investigation launched in May 2024.
AI
Artificial Intelligence Act (EU)
The EU AI Act entered into force on 1 August 2024, setting out a risk-based approach where AI systems will either be (a) prohibited on the basis of unacceptable risk; (b) permitted subject to compliance with stringent requirements and an ex-ante conformity assessment; (c) permitted but subject to certain information and transparency obligations; or (d) permitted without restrictions.
Scope: Organisations developing AI and/or using or adopting AI.
Next steps: From 2 February 2025 the bans on prohibited AI practices will apply, followed by rules on general purpose AI, governance, and sanctions on 2 August 2025. Most of the remainder of the Act (including obligations relating to AI systems classed as high-risk under Annex III) becomes applicable on 2 August 2026, save for a couple of specific exceptions (including the obligations relating to AI systems classed as high-risk under Annex I, which are postponed to 2 August 2027).
UK approaches to AI
The new Labour government has not yet proposed any specific legislation on AI. However, on 9 September 2024, Lord Clement-Jones proposed the Public Authority Algorithmic and Automated Decision-Making Systems Bill – a new Private Member's Bill (a proposed law that is introduced by Members of Parliament and Lords, as opposed to the Government). If it became law, it would introduce new obligations for public authorities to conduct and publish impact assessments and to publish transparency records which report on human oversight of the AI system and how the AI system is used in automated decision-making.
Scope: Possible new law affecting public sector organisations. Other new regulation is likely to cover developers of AI systems.
Next steps: The next step for the Public Authority Algorithmic and Automated Decision-Making Systems Bill is the second reading in the House of Lords.
CNIL Guidelines on AI systems (France)
The French data protection authority (the "CNIL") has published a second set of Guidelines on the interplay between the GDPR and the use of AI. The Guidelines focus on legitimate interest as the legal basis for AI system development, data annotation, data subjects' rights and information, as well as open-source AI models.
Online safety
OSA (UK)
The OSA imposes duties on a range of online service providers to keep users safe. These fall into three pillars: illegal harms duties (such as removing terrorism content and child sexual exploitation and abuse from online services); child safety duties; and additional duties including transparency and user empowerment. Ofcom is the regulator for online safety in the UK and has been granted new investigatory and enforcement powers. Fines of up to 10% of qualifying worldwide revenue can be levied on services in breach of the OSA.
Scope: Providers of internet services where content is generated, uploaded or shared by users ("user-to-user services"); or providers of a search engine ("search services"). To be in scope, services must have a significant number of UK users, or the UK must form one of the service's target markets. There are some limited exceptions covering internal business services, emails, SMS, and one-to-one aural communications.
Next steps: In July, Ofcom published draft guidance for categorised services that are required to produce annual transparency reports, as well as draft guidance on Ofcom's information gathering powers. Final guidance is expected to be published early in 2025. In August, Ofcom sent an open letter to online service providers operating in the UK about the increased risks of illegal content on their platforms as a result of the riots in the UK.
Looking ahead, Ofcom is expected to submit its illegal harms codes for parliamentary approval in Q4 2024, following which they will come into force, with a 3-month time limit for businesses to complete their illegal content risk assessments. The remaining codes being prepared by Ofcom are expected to be submitted for approval in 2025. The key actions for businesses are therefore to (a) complete illegal harms risk assessments; and (b) take and implement safety measures to mitigate the risks identified.
Ofcom has also signalled that "small but risky" online services – such as online forums – will be a priority area. It has developed early plans to take action against services which fall within this definition to achieve enhanced protections on the greatest areas of harm to users, particularly children.
Finally, Ofcom has published its Making Sense of Media Annual Plan 24/25 (ofcom.org.uk). In addition to updating on its work over the last year it sets out how it will engage with platforms over the next year including expectations relating to work by services on media literacy for users.
Digital Services Act (DSA) (EU)
The DSA creates a single set of rules for increased safety and consistency across digital services in the EU. It imposes new obligations relating to illegal content, content moderation, advertising, transparency reporting, terms and conditions, dark patterns and online marketplaces.
Scope: Digital businesses including hosting providers and online platforms, whether b2c or b2b. Businesses caught include cloud service providers, social media platforms, app stores, online marketplaces, messaging and email services, online forums, games businesses, dating websites and many others.
Next steps: As of 17 February 2024, the DSA is applicable to all intermediary services falling within its scope. Over the last few months, the Commission has started exercising its powers under the DSA, requesting information from a number of online platforms and marketplaces on DSA compliance measures and launching investigations against a number of VLOPs. The European Commission has also opened infringement procedures against a number of Member States for delays in the designation or empowerment of Digital Services Co-ordinators.
SREN Law (France)
The "SREN" Law (Law to Secure and Regulate the Digital Space) covers a wide range of topics relating to the digital space, including online content moderation, the implementation of several provisions of the DSA, regulation of the cloud computing sector and new obligations relating to digital sovereignty.
Key obligations include, inter alia: (a) prompt notification by hosting service providers to competent authorities of any illegal content reported to them, (b) regulation of cloud computing credits, data transfer fees and switching fees, (c) prohibition of French administrations from using cloud computing service providers that do not offer sufficient guarantees of robustness and immunity to extraterritorial laws, (d) criminalisation of pornographic deepfakes generated by AI systems. The SREN Law entered into force on 22 May 2024.
Data
Data Governance Act and Data Act (EU)
The Data Act (DA) aims to set out a framework for data-sharing, ease the switching between providers of data processing services, introduce safeguards against unlawful data transfer and provide for the development of interoperability standards for data to be reused between sectors. The DA is closely interlinked with the Data Governance Act (DGA), with the objective of establishing a harmonised framework for data sharing and governance across sectors and Member States. The DGA specifically aims to encourage wider re-use of non-personal data held by public sector bodies, boost data sharing through the regulation of novel "data intermediaries" and encourage data sharing for altruistic purposes.
Scope: The DA applies to datasets – with or without personal data. Specifically, it applies to (a) manufacturers of connected products (e.g. smart devices such as medical devices and wearables) who offer their products to the EU market and providers of related services; (b) users (natural or legal persons) in the EU of connected products or related services; (c) public sector bodies, who may request access in exceptional circumstances; (d) providers of data processing services to customers in the EU (e.g. cloud service providers); and (e) participants in data spaces and vendors of applications or professionals using smart contracts. The DGA impacts primarily public sector bodies, data intermediation service providers (organisations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data) and data altruism organisations.
Next steps: The DA will become applicable on 12 September 2025 (except for certain limited provisions that will be implemented at a later date). On 6 September 2024, the Commission published non-binding FAQs on the DA which are designed to assist stakeholders in the implementation of the Act. We recommend clients understand as soon as possible whether they are caught by the DA to ensure compliance ahead of September 2025.
Health Data Spaces Regulation (EHDS) (EU)
The EHDS is a health-specific ecosystem aimed at addressing the complexities of current European rules on data sharing in the health sector in order to maximise the potential of health data. The EHDS comprises common standards and practices, infrastructures, rules and a governance framework. As part of this framework, the European Commission will establish a central platform named MyHealth@EU to provide services to support and facilitate the exchange of health data between designated authorities in Member States. These authorities will act as joint controllers of the electronic health data on the platform, with the Commission acting as the processor.
Scope: The EHDS will apply to (a) manufacturers and suppliers of electronic health records (EHR) systems and wellness applications placed on the market and put into service in the EU and the users of such products; (b) controllers and processors established in the EU processing electronic health data; (c) controllers and processors established in a third country that have been connected to or are interoperable with the proposed MyHealth@EU platform; and (d) data users to whom electronic health data is made available by data holders in the EU.
Next steps: The European Council will formally adopt the EHDS regulation which is expected to be published in the Official Journal this autumn.
Cyber
Digital Operational Resilience Act (DORA) (EU)
DORA looks to harmonise approaches on tackling digital operational resilience and IT security across the EU financial services sector. Some of the specific obligations under DORA are left to be specified by the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) who are required, via secondary legislation, to present regulatory technical standards (RTSs) which give financial entities and their IT suppliers more guidance on how to comply with their DORA obligations.
On 26 July, the ESAs delivered their final draft RTS, specifying how to determine and assess the conditions for subcontracting ICT services that support critical or important functions. This followed the publication of various sets of RTSs over the course of the year.
Scope: DORA seeks to cover the vast majority of the financial services ecosystem and, therefore, applies to a broad spectrum of market participants. There is an exhaustive list of covered entities, including payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions.
Next steps: DORA will apply from 17 January 2025. A significant number of firms and their IT suppliers will have to get to grips with the new regulation and various RTSs, which greatly expand on the requirements contained in DORA itself. Firms will need to more closely scrutinise their technology providers' performance (including by conducting enhanced pre-contract diligence), and will in most cases need to revisit the contracts underpinning those relationships to build in certain minimum protections. IT suppliers will need to improve their infrastructure and performance to stay in the market. Some "critical" providers will be directly regulated for the first time.
Many financial entities and their IT suppliers are already proactively engaging with DORA and the various RTSs by taking steps to uplift their compliance. These organisations will be placed at a significant competitive advantage compared to their peers.
Cybersecurity Act (EU)
The Cybersecurity Act is in the process of being amended to bring "managed security services" within scope in addition to the ICT products, services and processes that the Act already covers.
Scope: Managed security services comprise service providers of cybersecurity risk management, including incident response, penetration testing, security audits and consultancy.
Next steps: The draft amendment to the Act was adopted by the European Parliament plenary on 24 April 2024. The amendment, when finalised, will be published in the EU's Official Journal, and enter into force 20 days after publication.
NIS 2 Directive (EU)
New measures under the NIS 2 Directive include: (a) imposing direct obligations on management in respect of an organisation's compliance, and onerous penalties where those are not complied with; (b) requiring all covered organisations to put in place cyber risk management measures; (c) acknowledging the importance of security at all levels in supply chains and supplier relationships; (d) clarifying and strengthening incident reporting requirements; (e) providing supervisory authorities with a greater ability to supervise companies; and (f) increasing the sanctions for non-compliance.
Scope: The Directive brings a large number of new industry sectors (and therefore, new types of entities) within scope of its obligations – namely, wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration.
Next steps: EU Member States had until 17 October 2024 to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State. The status of implementing legislation is currently varied – for instance, the Dutch government has announced that the NIS 2 Directive will not be implemented in time in the Netherlands.
Cyber Resilience Act (EU)
The EU Cyber Resilience Act seeks to enhance the cybersecurity safeguards for consumers and businesses buying or using products or software, by imposing mandatory cybersecurity requirements.
Scope: A broad range of products will be caught: smart or connected household devices (such as smartphones, tablets, PCs, cameras, TVs, fridges, exercise equipment, etc.), toys, wearables and software products. The obligations will apply to manufacturers, their authorised representatives, importers and distributors.
Next steps: The European Council has now officially adopted the Act. It will enter into force 20 days after its publication in the Official Journal and will apply 36 months after its entry into force (albeit with some provisions to apply at an earlier stage).
Cyber Security and Resilience Bill and NIS Regulations (UK)
As part of the King's Speech on 17 July 2024, the UK's new Government announced the Cyber Security and Resilience Bill. In its announcement, the Government flagged that the country's Network and Information Systems Regulations (NIS Regulations), which were introduced in 2018 based on the EU's now superseded NIS 1 regime, require urgent update to ensure the UK's infrastructure and economy are not comparatively vulnerable. The previous Government conducted a review of the NIS Regulations and subsequently released a proposal for extensive reforms in 2022. However, these reforms were never legislated.
Scope: A draft of the Cyber Security and Resilience Bill is yet to be released but the Government's announcement gave some indication as to its scope. The Bill will expand the remit of the existing NIS Regulations to protect more digital services and supply chains. It will also give greater powers to regulators, including cost recovery mechanisms and the ability to proactively investigate potential vulnerabilities. In addition, the Bill will mandate increased incident reporting (including where organisations have been held to ransom), in order to give the UK government access to more data on cyber attacks. These changes are similar to some of those included in the previous government's proposal to update the NIS Regulations. However, we will need to wait for a draft of the Bill to fully assess the level of overlap and divergence.
Next steps: The next step is likely to be the release of a draft form of the Cyber Security and Resilience Bill. However, there has not yet been any indication of when this will occur.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.