EU regulatory framework: where we stand

Table of contents

On a global level, Europe is the ecosystem that can boast a leadership in the regulatory field, such as to hypothesize that other countries take it as a model. In fact, the European regulatory framework now consists of numerous laws that unravel the different fields and facets of this new economy and society that is increasingly liquid, increasingly digital and, soon, artificial. On the one hand, the scenario could “suffocate” companies, forced to adopt such a large amount of laws, perhaps causing investments to “flee” to the continent and thus triggering a slowdown in the economy and also in innovation; On the other hand, the package could foster Europe’s potential for innovation and competitiveness, protecting small and medium-sized enterprises against multinationals and users in the use of the technologies they offer.

The DSA

The Digital Service Act (DSA) was published in the Official Gazette on 27 October 2022 and entered into force on 16 November 2022. The DSA will be directly applicable across the EU and will apply fifteen months or from 1 January 2024, whichever is later, after entry into force. The DSA covers all platforms, search engines, social media, e-commerce, marketplaces operating in the travel, cloud and hospitality sectors, and therefore obliges them to disclose the number of users and their algorithms. As for online platforms, they had to publish their number of active users by 17 February 2023. If the platform or a search engine has more than 45 million users (10 % of the population in Europe), the Commission would designate the service as a very large online platform or a very large online search engine. These services will have 4 months to comply with the obligations of the DSA, which includes carrying out and providing the Commission with their first annual risk assessment. EU member states will have to appoint digital service coordinators by 17 February 2024, when platforms with less than 45 million active users will also have to comply with all DSA rules.

The DMA

As of 12 October 2022, the Digital Market Act (DMA) was published in the Official Journal and entered into force on 1 November 2022. Before 3 July 2023, companies had to provide the Commission with information on their number of users so that the Commission could designate them by 6 September 2023 as “gatekeepers”: “gatekeepers” of the access doors to the connection between retailers and consumers, for their function as intermediaries with the final consumer, capable of giving them boundless power: It is precisely Big Tech that is given the power to decide and convey the contact between producer/retailer and consumer, manipulating the relationship. Gatekeepers will then have until March 2024 to ensure that they comply with the DMA’s obligations.

The Data Act

On 28 June 2023, a political agreement was reached between the European Parliament and the Council of the EU on the Data Act. The law was then subject to approval by Parliament in November and published in the Official Journal of the European Union in December. After 20 days of its publication, it finally came into force this week. It will become applicable after 20 months, i.e. from 12 September 2025. The Data Act establishes certain mandatory data sharing requirements for industrial processes. It is therefore a law that aims at transparency and sharing of these through the obligation to companies in favor of other companies, governments and users. We’ve delved into it in this article.

The Data Governance Act

The Data Governance Act (DGA) came into force on June 23, 2022, and after a grace period of 15 months, it is applicable from September 2023. The DGA is a basic piece of legislation that establishes a general framework for data governance in the European Union. The legislation applies to all data, both personal and non-personal, and sets out a number of rights and obligations for companies that process data. Together with the Data ACT, it is part of the European Data Strategy. The difference lies in the fact that the Data Act is more specific because it focuses on the sharing of data between businesses.

The Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) is an EU regulation that came into force on January 16, 2023 and will apply from January 17, 2025. As the financial sector increasingly relies on technology and technology companies to provide financial services, with DORA, financial firms will follow the rules for protection, detection, containment, recovery, and remediation capabilities against ICT risk-related incidents. DORA makes explicit reference to ICT risk and establishes rules on ICT risk management, incident reporting, operational resilience testing, and third-party ICT risk monitoring. This regulation recognises that ICT incidents and lack of operational resilience can jeopardise the soundness of the entire financial system, even if there is capital allocated to traditional risk categories. The aim is to strengthen the cybersecurity of banks, insurance companies and investment firms, and to ensure that the European financial sector remains resilient in the event of major operational disruptions.

The AI Act

In June 2023, the European Parliament approved its position in view of the AI Act negotiations by a very large majority. Last December, the political agreement was reached by the co-legislators. The political agreement will have to receive the consent of the European Parliament and the Council, and will therefore enter into force 20 days after its publication in the Official Journal. The AI Act will become applicable two years after its entry into force, except for some specific provisions: bans will apply as early as 6 months, while rules on AI for general purposes will apply after 12 months. For the transitional period before the general application, the Commission will launch the
AI Pact
, which is aimed at all AI developers globally who voluntarily commit to implementing the obligations of the legislation before its application. We had explored it in depth in this article.

Conclusions

As with the DMA (e.g. hefty penalties for violating the rules), there are also concerns about the Data Act for foreign companies to comply with these laws. The same restrictions on data flows, data governance and size, and cloud services risk undermining international data transfers and could lead to market foreclosures against service providers. The concern is therefore not only about a slowdown in the economy, but also about innovation. Of course, the implementation of the new laws, including the DMA, AI Act, DSA, and Data Act, will be very challenging. Regulatory coherence between them will also be difficult. But it is obvious that states feel increasingly threatened by such a disruptive technological innovation, which unbalances not only markets, but also social classes, culture and, above all, consciences, if we focus on the implications of the ethical issue that is facing the future scenarios of AI on humans. And for this reason, it is good that they try to regulate the use of such disruptive technologies, which can change the basis of geopolitics, feeling crushed by the digital power of companies. When it comes to regulations, we’re always talking about geopolitics. At the moment, one could hypothesize that Europe can compete in innovation, having a much smaller market than the US and lacking in such disruptive technologies, through the “charter” of legislation. Yet we should look at some companies that are based in Europe, that are only there and that serve these technologies and their organizations so much. For example, companies that are part of the AI production chain, not software, but hardware (ASML, Infineon Technologies, NXP Semiconductors, STMicroelectronics), without which not even American companies could outrun China. And perhaps, being the first and only ones to regulate, would strengthen this power even more. This will be the subject of further investigation in the next investigation: digital geopolitics. (Photo by Antoine Schibler on Unsplash)

ALL RIGHTS RESERVED ©

    Subscribe to the newsletter