ARTICLE
14 March 2025

Overhauling The European Digital Landscape

Jones Day

Contributor

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.

The wave of expansive new EU data, AI, and cyber laws promulgated by the European Union as part of its Digital Strategy Initiative will set a comprehensive approach to regulating the data economy in Europe. These new laws (including the AI Act, Data Act, NIS 2 Directive, and Cyber Resilience Act) impose novel requirements on a wide array of companies for such matters as data sharing, risk assessments, and incident reporting, which extend beyond the protection and security of personal data, with significant penalties provided for noncompliance.

Jones Day advises clients on navigating these regulatory changes, offering strategic guidance to help our clients comply. Our lawyers excel in cross-practice and cross-office collaboration, bringing deep expertise and understanding of key business issues.


EMPOWERING EUROPE'S DATA ECONOMY: THE DATA ACT UNLEASHED

What is its purpose?

  • Aims to make more data available for use, and sets up rules on who can use and access what data for which purposes across all economic sectors in the EU

Why is this significant?

  • Regulates access and use of non-personal data, including data generated by connected products (e.g., IoT, industrial machinery, medical and health devices, vehicles, etc.)
  • Obligations to share data in B2B and B2C context
  • Obligations to enable companies to switch (cloud) data service providers more easily

When is it applicable?

  • It entered into force on January 11, 2024
  • Most of its rules applicable as of September 12, 2025
  • Obligation to make product data and service data accessible to user applicable as of September 12, 2026
  • Rules on unfair contractual terms applicable as of September 12, 2025

Who does it apply to?

  • Manufacturers of connected products and providers of related services placed on the market in the EU
  • Users of connected products/related services
  • Data holders
  • Providers of data processing services offering services to customers in the EU
  • Participants in data spaces and vendors of applications using smart contracts

What are the risks?

  • Penalties determined at EU Member State level
  • Fines by DPAs up to EUR 20 million or 4% of global annual turnover
  • Investigations by competent EU Member State authorities
  • Cost for compensation schemes related to data access
  • Disputes associated with unfair contractual terms

How is it enforced?

  • National authorities
  • Data coordinator
  • Data protection authorities

How to prepare for compliance?

  • Assess the scope and applicability of the regulation
  • Map non-personal data accurately
  • Develop strategy and market positioning
  • Design products for data access
  • Review and adjust contract terms as necessary
  • Implement robust processes for data access, sharing, and provider switching
  • Allocate budget for fees related to certified dispute-settlement bodies (data holders)
  • Implement measures to safeguard trade secrets and intellectual property rights
  • Review mechanism for international data transfers

BOLSTERING CYBER RESILIENCE: DECODING THE NIS2 DIRECTIVE FOR COMPANIES

What is its purpose?

  • The Network and Information Security Directive (“NIS 2”) of 14 December 2022 replaces the Network and Information Systems Directive of 2016 (“NIS 1”) to further strengthen cybersecurity and resilience of IT systems in the EU.

Why is this significant?

  • NIS 2 extends the scope of both the sectors and entities covered under NIS 1;
  • Strengthens requirements for cybersecurity risk management measures and reporting obligations, including by setting out minimum standards for basic cyber hygiene practices and requiring monitoring of risks within IT supply chains;
  • Imposes upon management bodies of entities in scope approval and supervisory responsibilities in relation to cybersecurity risk management and establishes management liability for violations of NIS 2.

When is it applicable?

  • Member States must adopt and publish the measures necessary to comply with NIS 2 by 17 October 2024. EU Member States shall establish a list of essential and important entities by 17 April 2025.

Who does it apply to?

  • NIS 2 applies to medium-sized and large “essential and important” entities operating in highly critical sectors (e.g. energy, transport, finance, health, space, digital infrastructure such as cloud computing and ICT management) or other critical sectors (e.g. postal services, chemicals, foods, manufacturing of certain products such as medical devices, digital providers (such as social networks, search engines, online marketplaces));
  • NIS 2 also applies to certain critical “essential and important” entities, irrespective of their size.

What are the risks?

  • Non-compliance may result in fines imposed by national authorities;
  • Managing directors may be held personally liable for violations of NIS 2 obligations;
  • Administrative fines can be imposed, ranging up to EUR 10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is the higher.

How is it enforced?

  • National authorities and regulatory bodies.

How to prepare for compliance?

  • Assess the applicability of the NIS 2 Directive to your organization;
  • Identify your organization's essential and/or important services and, if required, register before the relevant competent authority;
  • Review and update your organization's risk and information security management system, including cybersecurity policies, procedures, IT supply chain security management system and incident response plans;
  • Ensure staff awareness and training on compliance requirements.

BUILDING TRUST IN AI: COMPLIANCE AND CHALLENGES UNDER THE EU'S AI REGULATIONS

What is its purpose?

  • The AI Act aims to establish a comprehensive legal framework on AI in the EU for fostering trustworthy AI in Europe and beyond, by ensuring that AI systems respect fundamental rights, safety, and ethical principles and by addressing risks of very powerful and impactful AI models

Why is this significant?

  • Establishes obligations for AI based on its potential risks and level of impact (risk-based approach)
  • Ban of certain AI applications that threaten citizens' rights
  • Wide range of obligations for high-risk AI systems
  • Transparency obligations for other AI systems and GPAI systems/models
  • More powerful GPAI models will face additional requirements

When is it applicable?

  • The AI Act entered into force in August 2024
  • Most of its provisions will apply 24 months after entry into force
  • Rules on prohibited AI systems will apply after 6 months, rules on GPAI after 12 months, and rules on high-risk AI systems after 36 months.

Who does it apply to?

  • Providers placing AI systems or GPAI systems/models on the market in the EU or putting them into service
  • Deployers of AI systems that have their place of establishment in the EU
  • Importers and distributors of AI systems into or within the EU
  • Product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark
  • Authorized representatives of providers that are not established in the EU

What are the risks?

  • Penalties determined at EU Member State level
  • Fines ranging from EUR 35 million or 7% of global turnover to EUR 7.5 million or 1.5% of global turnover, depending on the infringement and size of the company

How is it enforced?

  • National authorities
  • AI Office

How to prepare for compliance?

  • Assess the scope and applicability of the AI Act
  • Determine and document AI systems or GPAI systems/models developed or deployed
  • Classify AI systems or GPAI systems/models according to the respective risk category and scope the intended use cases
  • Conduct compliance gap and risk analysis
  • Develop an AI strategy and a governance program
  • Implement regular audits to review/update the internal governance program

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
