Tech Regulation – Quarterly Newsletter July 2024 | Fieldfisher

Locations

United Kingdom

In our July 2024 edition, we provide an update on key regulatory developments in the UK and EU across the topics of digital platforms, cyber, AI, data and more. Check below whether your business is in scope, and the actions you may need to take before any obligations begin to apply.

Our update tracks the key tech-focused legislation passed as part of the UK Parliamentary "wash-up" process following the general election announcement, such as the Digital Markets, Competition and Consumers Act. Other laws we have been tracking, such as a new UK Data Protection Bill, failed to make the cut and have been dropped from the legislative agenda. Further highlights from our update include the cyber security rules for consumer smart devices in the UK and EU (see our short film on the UK regime here), and the approval of the EU's Artificial Intelligence Act. 

Cyber

Product Security and Telecommunications Infrastructure (PSTI) Act (UK)

The PSTI Act came into force on 29 April 2024, along with the associated Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI Regulations).

Scope: In short, the PSTI Act applies to manufacturers, importers and distributors of consumer products that connect to the internet (with some exceptions). The Office for Product Safety & Standards (OPSS) is responsible for enforcing the PSTI Act and published its guidance on the PSTI Act in April (available here).

Next Steps: The obligations imposed by the PSTI Act are proving tricky for businesses to comply with, as they in effect require manufacturers, distributors and importers to seek assurances from each link in the supply chain with respect to the compliance of their consumer connectable products with the PSTI Act requirements. Despite its guidance, the OPSS's enforcement posture is also unclear at this stage, particularly with respect to the requirement for a Statement of Compliance "to accompany" each consumer connectable product put on the market in the UK. The OPSS guidance permits the use of digital Statements of Compliance but does not say whether these could be QR codes as some businesses are using or if a digital Statement of Compliance needs to be presented on the device itself when it is first activated by the consumer. 


Cyber Resilience Act (EU) 

The EU Cyber Resilience Act seeks to enhance the cybersecurity safeguards for consumers and businesses buying or using products or software, by imposing mandatory cybersecurity requirements on "products with digital elements" (hardware and software) throughout their lifecycle. The Act is, in many respects, the EU's equivalent of the UK's Product Security and Telecommunications Infrastructure regime (see above). It is, however, much more expansive and wide-ranging.

Scope: A broad range of products will be caught: smart or connected household devices (such as smartphones, tablets, PCs, cameras, TVs, fridges, exercise equipment, etc.), toys, wearables and software products. The obligations will apply to manufacturers, their authorised representatives, importers and distributors.

Next steps: Although the requirements will not take effect for some time yet, businesses should start assessing which of their products will be in scope and what compliance measures will need to be taken by themselves, suppliers and other supply chain participants. Now is the time for businesses to start collaborating with suppliers and evaluating product lines to safeguard consumers' trust and to ensure compliance with these upcoming requirements.


Digital Operational Resilience Act (DORA) (EU)

DORA looks to harmonise approaches on tackling digital operational resilience and IT security across the EU financial services sector. Some of the specific obligations under DORA are left to be specified by the European Supervisory Authorities (EBA, EIOPA and ESMA – the "ESAs") who are required, via secondary legislation, to present regulatory technical standards ("RTSs") which give financial entities and their IT suppliers more guidance on how to comply with their DORA obligations.

In January, the ESAs delivered the first set of their draft RTSs, covering: (1) Approaches to harmonising ICT risk management tools, methods, processes and policies; (2) Guidance on classifying ICT related incidents, materiality thresholds for major incidents and significant cyber threats; (3) Drafting standard templates for the register of information required for contractual arrangements with ICT third-party service providers; and (4) Specifying the content of the required policy in relation to contractual arrangements for ICT services supporting critical or important functions.

In July, the ESAs will deliver the second set of their draft RTSs, covering: (1) Content, timelines and templates for major incident reporting; (2) Subcontracting of critical or important functions; (3) Oversight harmonisation; and (4) Threat-led penetration testing (TLPT).

Scope: DORA seeks to cover the vast majority of the financial services ecosystem and, therefore, applies to a broad spectrum of market participants. There is an exhaustive list of covered entities, including payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions. A significant number of firms and their IT suppliers will therefore have to get to grips with the new regulation and incoming RTSs. Firms will need to more closely scrutinise their technology providers' performance (including by conducting enhanced pre-contract diligence), and will in most cases need to revisit the contracts underpinning those relationships to build in certain minimum protections. IT suppliers will need to improve their infrastructure and performance to stay in the market. Some "critical" providers will be directly regulated for the first time.

Next steps: DORA will apply from 17 January 2025. We are awaiting further guidelines on practical implementation, expected in July 2024. Financial entities and their IT suppliers have already begun to engage with the available regulation, and organisations that are proactive in taking steps to uplift their compliance will be placed at a significant competitive advantage.


Cybersecurity Act (EU)

In 2023, the European Commission issued a proposal to amend the Cybersecurity Act to also enable the future adoption of certification schemes for "managed security services" at an EU level. Some Member States have already begun adopting cybersecurity certification schemes for such services, and the amendment attempts to avoid fragmentation across the EU. In March 2024, the Council presidency and European Parliament’s negotiators reached a provisional agreement on the amendment to the Act.

Scope: The amendment to the Act brings managed security services within scope in addition to the ICT products, services and processes that the Act already covers. Managed security services comprise services that carry out or support cybersecurity risk management for customers, including incident response, penetration testing, security audits and consultancy.

Next steps: We are awaiting the amendment to be endorsed by the Council and the European Parliament. Once approved, the draft act will be submitted to a legal/linguistic review before being formally adopted by the co-legislators, published in the EU’s Official Journal, and entering into force 20 days after this publication.


NIS 2 Directive (EU)

New measures under the NIS 2 Directive include: (a) imposing direct obligations on management in respect of an organisation's compliance, and onerous penalties where those are not complied with; (b) requiring all covered organisations to put in place cyber risk management measures; (c) acknowledging the importance of security at all levels in supply chains and supplier relationships; (d) clarifying and strengthening incident reporting requirements; (e) providing supervisory authorities with a greater ability to supervise companies; and (f) increasing the sanctions for non-compliance.

Scope: The Directive brings a large number of new industry sectors (and therefore, new types of entities) within scope of its obligations – namely, wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration.

Next steps: EU Member States have until 17 October 2024 to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State. Some territories, such as Belgium and Croatia, have already issued their implementing legislation. Conversely, the Dutch government has announced that the NIS 2 Directive will not be implemented in time in the Netherlands.


NIS Regulations (UK)

The UK implemented the EU's NIS 1 Directive into national law in 2018 in the form of the Network and Information Systems Regulations (UK NIS Regulations).  Following the most recent review of the UK NIS Regulations, the UK Government released a proposal for extensive reforms in January 2022 and a response to public consultation on that proposal in November 2022.

Scope: The changes contemplated are wide-ranging. Managed service providers would be brought directly within the scope of the UK NIS Regulations for the first time. Critical relevant digital service providers (a type of entity regulated by the legislation) would be subject to a new proactive supervisory regime, in addition to the existing reactive regime. The UK Government would be empowered to update aspects of the UK NIS Regulations without parliamentary approval, including sectors regulated by the legislation. Incident reporting obligations would also be expanded beyond those affecting continuity of service to include those which significantly impact the security of network and information systems for essential services.

In its response to the public consultation in November 2022, the UK Government indicated that it intended to release draft legislation once parliamentary time allowed. However, this has not yet occurred and will not occur before the UK's general election in July. 

Next steps: The next steps for the proposed amendments to the UK NIS Regulations will depend on the results of the general election. If the Government were to change following that election, it's possible that the changes described above will not be implemented or will be revised significantly (potentially to align them more closely with the EU's NIS 2 Directive).


Platform 

Digital Markets, Competition and Consumers (DMCC) Act (UK) 

The long-awaited DMCC Act received Royal Assent on Friday 24 May, marking a significant overhaul of the UK's competition and consumer law regimes. 

Scope: The consumer law reforms will have the widest impact. Businesses offering subscription services, which host reviews or which operate in certain sectors (such as secondary ticketing) face significant new obligations. However, all business-to-consumer firms could be at risk of substantial penalties for breaching existing consumer laws. This materially heightens the risk profile of practices that may be deemed non-compliant. The competition law reforms will in practice affect businesses considering a merger or joint venture, or which, going forward, face investigation by the CMA and need to understand the CMA's jurisdiction. The digital markets regime is the narrowest in its application, and will be of most immediate relevance to firms that consider they are likely to meet the SMS thresholds in respect of any of their digital activities. This may only be a handful of businesses.

Next steps: Many provisions are expected to come into force in October 2024 so it's crucial for businesses to review their practices to ensure compliance and avoid substantial penalties. 


Digital Markets Act (DMA) (EU) 

The DMA imposes "pro-competitive" obligations on specified services of the seven designated gatekeeper firms: Alphabet (i.e. Google), Amazon, Apple, ByteDance, Booking.com, Meta and Microsoft. 

Scope: Only the seven designated gatekeepers fall within direct scope, but this does not preclude additional firms from designation in the future. 

Next steps: Apple has become the first gatekeeper to face charges from the European Commission for infringement of the DMA, having failed to introduce measures that go far enough to comply with the new obligations. It could face fines of up to 10% of global annual turnover if an infringement is found. 


AI 

Artificial Intelligence Act (EU) 

The EU AI Act establishes a comprehensive framework for AI regulation. It sets out a risk-based approach, whereby AI systems will either be (a) prohibited on the basis of unacceptable risk; (b) permitted subject to compliance with stringent requirements and an ex ante conformity assessment; (c) permitted but subject to certain information and transparency obligations; or (d) permitted without restrictions.

Scope: Organisations developing AI and/or using / adopting AI.

Next steps: The Council of Ministers approved the EU AI Act on 21 May 2024 (following the European Parliament's approval back in March). The Act is set to be published in the Official Journal in July. It will enter into force twenty days after its publication in the Official Journal, and be fully applicable 24 months after its entry into force, except for: bans on prohibited practices, which will apply six months after the entry into force date; codes of practice (nine months after entry into force); general-purpose AI rules including governance (12 months after entry into force); and obligations for high-risk systems that are components of products already covered by EU product safety legislation (36 months).


UK government approaches to AI

The UK's approach to AI under the Conservative Government was not by way of a new regulator or legislation, with the aim instead to establish key principles that existing regulators should consider as part of their remit. A White Paper on AI was published in March 2023, with the aim 'to guide the use of artificial intelligence in the UK, to drive responsible innovation and maintain public trust in this revolutionary technology'. In February 2024, the UK government published its response to consultation on the White Paper. Whilst no specific legislation was proposed by the Government, the door was left open for this to occur in the future.

Scope: Organisations developing AI and/or using/adopting AI.

Next steps: In its response to the White Paper consultation, the UK Government indicated that during 2024 it would continue developing its policy position on AI regulation, take action to promote AI opportunities and address risks, build out the central function, encourage AI adoption and support international cooperation on AI. The Conservative party manifesto contains no further substantive commitments on AI, aside from noting the UK's work on AI safety. The Labour party's proposals go somewhat further in terms of concrete plans, including a commitment to ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.


Data

Data Governance Act and Data Act (EU)

The Data Act (DA) is now in force and aims to set out a framework for the sharing of data, ease switching between providers of data processing services, introduce safeguards against unlawful data transfer and provide for the development of interoperability standards for data to be reused between sectors. The DA is closely interlinked with the Data Governance Act (DGA), which has applied since September 2023, with the objective of establishing a harmonised framework for data sharing and governance across sectors and Member States. The DGA specifically aims to encourage wider re-use of non-personal data held by public sector bodies, boost data sharing through the regulation of novel "data intermediaries" and encourage data sharing for altruistic purposes. It also establishes a new European Data Innovation Board which will develop guidelines and standards for data sharing with third parties, including businesses.

Scope: The DA applies to datasets – with or without personal data. Specifically, it applies to (a) manufacturers of connected products (e.g. smart devices such as medical devices and wearables etc) who offer their products to the EU market and providers of related services; (b) users (natural or legal persons) in the EU of connected products or related services; (c) public sector bodies, who may request access in exceptional circumstances; (d) providers of data processing services to customers in the EU (e.g. cloud service providers); and (e) participants in data spaces and vendors of applications or professionals using smart contracts. The DGA impacts primarily public sector bodies, data intermediation service providers (organisations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data) and data altruism organisations.

Next steps: The DA will become applicable on 12 September 2025 (except for certain limited provisions that will be implemented at a later date). Compared to the attention on other areas of legislation, such as the EU AI Act, the DA has received much less attention despite the repercussions being equally as significant. We recommend clients understand as soon as possible whether they are caught by the DA to ensure compliance.

Read more: The European Commission recently published an overview of the DA. You can also read our Fieldfisher white paper on the DA for more information and view our webinar here. For more on the DGA, see here.

Data Protection and Digital Information (DPDI) Bill (UK)

The UK Parliament was dissolved on 30 May 2024. All unfinished parliamentary business fell, and every bill that had not received Royal Assent was dropped, including the DPDI Bill (which had been introduced to lessen some of the UK GDPR obligations post-Brexit).


Health Data Spaces Regulation (EHDS) (EU)

The EHDS is a health-specific ecosystem aimed at addressing the complexities of current European rules on data sharing in the health sector in order to maximise the potential of health data. The EHDS comprises common standards and practices, infrastructures, rules and a governance framework.

The new framework will empower individuals through increased digital access to and control of their electronic personal health data, at both national and EU-wide level, as well as foster a single market for electronic health record systems, relevant medical devices and high-risk AI systems. In addition, the EHDS will provide a trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities. As part of this framework, the Commission will establish a central platform named MyHealth@EU to provide services to support and facilitate the exchange of health data between designated authorities in Member States. These authorities will act as joint controllers of the electronic health data on the platform, with the Commission acting as the processor.

The EHDS is a key pillar of the European Health Union and will build on the EU GDPR as well as NIS 2 Directive, the DA and DGA (see above).

Scope: This regulation will apply to (a) manufacturers and suppliers of electronic health records (EHR) systems and wellness applications placed on the market and put into service in the Union and the users of such products; (b) controllers and processors established in the EU processing electronic health data of EU citizens and third-country nationals legally residing in Member States; (c) controllers and processors established in a third country that have been connected to or are interoperable with the proposed MyHealth@EU platform; and (d) data users to whom electronic health data are made available by data holders in the EU.

Next steps: The Council will formally adopt the EHDS regulation which is expected to be published in the Official Journal in Autumn 2024.


Other

European Digital Identity Regulation (eID) (EU)

The rules on establishing a European Digital Identity entered into force in May 2024 and will pave the way for all EU citizens and residents to benefit from a personal European Digital Identity Wallet by 2026. The European Digital Identity Wallet will consist of a mobile app issued in each Member State which will allow EU citizens and residents to identify themselves online securely in order to access public and private online services all over Europe.

Scope: The wallets will enable all Europeans to access online services with their national digital identification without having to use private identification methods or unnecessarily sharing personal data.

Next steps: The Commission has launched four large-scale pilots, to test the EU Digital Identity Wallet in a range of everyday use-cases, and a second call for large-scale pilots to support the deployment of the wallets has since been published.  


The European Accessibility Act 2025 (EAA) (EU)

The EAA aims to harmonise accessibility requirements for certain products and services across EU Member States. Originating from the UN Convention on the Rights of Persons with Disabilities, the Directive required every Member State to transpose it into national law by 28 June 2022, and full compliance by businesses in scope must be ensured by 28 June 2025.

Scope: The EAA applies to, amongst other things, computers and operating systems, payment terminals and certain self-service terminals, and TV equipment related to digital television services. The legislation does not apply to pre-recorded time-based media (e.g., videos and slides) published before 28 June 2025, or to certain forms of online maps, and microenterprises providing services are exempt from compliance.

Next steps: Full compliance by businesses in scope must be ensured by June 2025.
