Artificial Intelligence (AI)

The AI Act is now at the final stage of the EU legislative process, and will likely be formally approved before the European elections in Spring 2024. The AI Act has a broad scope, and it will impose market access and post-market monitoring obligations on actors across the AI value chain, both in the EU and beyond. The AI Act is complemented by the AI Liability and the Revised Product Liability Directives, which, respectively, ease the evidence conditions for claiming non-contractual liability caused by AI systems and provide for a broad list of potentially liable parties for harm caused by AI systems.

Some years may elapse before any enforcement actions take place under the AI Act. However, we can expect some enforcement actions to take place in 2024 regarding the compliance of AI systems, notably generative AI systems, with the General Data Protection Regulation (GDPR). Moreover, we can anticipate further clarification of regulators' position on AI, as data protection authorities and other regulators are increasingly issuing AI-related guidelines.

Cookies and other tracking technologies – Targeted advertising

We can expect important developments this year regarding the rules on cookies and other tracking technologies, and notably their use for targeted advertising. While the draft Proposal for an ePrivacy Regulation has not made any progress over the past years and will likely be withdrawn by the next European Commission, the Commission has attempted to overcome the political bottleneck with the adoption of a draft Cookie pledge, which lays down principles to better empower consumers regarding tracking-based advertising models. Further, the enforcement of the Digital Services Act, which imposes new rules on advertising, will start from February 17, 2024. Finally, a pending case before the Court of Justice of the European Union (CJEU) should shed some light on the matter.

Cybersecurity

The NIS2 Directive will start to apply on October 18, 2024. It imposes cybersecurity risk-management measures and incident reporting obligations across the value chain, both on entities that are considered critical for the EU economy and society and on their suppliers. Similarly, the Cyber Resilience Act, whose formal adoption is anticipated within 2024, imposes cybersecurity requirements on the design, development and production of products with digital elements, and throughout their whole lifecycle. Last but not least, the European Common Criteria-based Cybersecurity Certification scheme is expected to be adopted within 2024. Inter alia, it will be relevant for compliance with the NIS2 Directive and the Cyber Resilience Act.

Digital Services Act

From February 17, 2024, the Digital Services Act (DSA) will apply to all intermediary service providers, including online platforms and search engines. It already applies to some Very Large Online Platforms and Search Engines. The European Commission has been very active in its enforcement towards the latter, making it very likely that enforcement actions against all the actors that fall within the DSA's scope will start soon after it begins to apply.

Data Act

The Data Act entered into force on January 11, 2024. It introduces significant changes to the legal framework governing data sharing, and it specifies who is entitled to use data from connected products or related services, under which conditions and on what basis.
