The EU is not known for taking a hands-off approach to regulation and nowhere is that more evident than in the digital sector. If you work within the tech sphere, you have probably noticed that the EU has been on a bit of a regulatory spree lately. From artificial intelligence and digital services to cybersecurity and data sharing, new regulations are being rolled out at a speed that even makes the swiftest tech companies break a sweat. It all started in 2018 with the GDPR, and since then, Brussels has steadily expanded its regulatory framework as part of its Digital Decade 2020–2030 strategy. The result? An increasingly complex legal landscape that businesses operating in Europe must understand and comply with. This is not an easy task. The risk of substantial fines, reputational damage, and loss of trust in the event of non-compliance makes it an issue that businesses must urgently prioritize.
In this article, we will provide a brief overview of some of the most important new legal frameworks, focusing on who is affected and when these laws became or will become applicable.
AI Act
What is it about? – The AI Act takes a “risk-based approach”, categorizing AI systems based on their potential risks. Certain AI systems that are deemed to pose an unacceptable risk are prohibited. High-risk AI systems are subject to stringent regulatory requirements, including risk management, data governance, and human oversight. The regulation also imposes transparency obligations for specific AI applications and introduces special requirements for general-purpose AI models. If you want to learn more about the AI Act, we recommend reading our series Decoding the AI Act, published last year.
Who is covered? – The AI Act applies to various stakeholders across the AI value chain, including providers (developers of AI systems), deployers (users of AI systems), importers, distributors, and, under certain conditions, product manufacturers. Notably, the AI Act's reach extends beyond the EU, affecting providers and deployers outside the EU if their AI systems or outputs are used within the EU.
Current status – The regulation entered into force on 1 August 2024, but its provisions apply in stages: the prohibitions on certain AI practices and the AI literacy obligations have applied since 2 February 2025; the obligations for general-purpose AI models, together with the governance and penalty provisions, apply from 2 August 2025; most requirements for high-risk AI systems apply from 2 August 2026, while those for high-risk systems that are safety components of products covered by existing EU product legislation follow on 2 August 2027.
Data Act
What is it about? – The Data Act is a regulation designed to strengthen the EU's data economy by making data more accessible and usable, thereby fostering a competitive data market and encouraging data-driven innovation. It establishes provisions on various aspects of data, including access to data generated through the use of IoT (connected) products and related services, ensuring that users have greater control over the data their products generate. It also introduces mandatory data-sharing obligations, both between businesses and between businesses and public sector bodies under certain conditions (such as during public emergencies). Additionally, the Data Act aims to protect businesses, particularly SMEs, from unfair contractual terms in data-sharing agreements and includes provisions to facilitate switching between data processing services (such as cloud services).
Who is covered? – The Data Act affects a wide range of actors, including manufacturers of connected products, providers of related services, and data processing service providers (including cloud service providers). Furthermore, it affects all organizations that qualify as “data holders” under the act.
Current status – The Data Act becomes applicable across the EU on 12 September 2025. One notable exception is the obligation to design connected products and related services so that product data is accessible by default, which applies to products and services placed on the market after 12 September 2026.
Data Governance Act (DGA)
What is it about? – The Data Governance Act, often referred to as the “DGA”, is a regulation aimed at enhancing trust in data sharing, strengthening mechanisms to increase data availability, and overcoming technical obstacles to the reuse of data. The DGA establishes a framework for the secure reuse of certain categories of data held by public sector bodies that are subject to the rights of others (IP, personal data, trade secrets, etc.) and fall outside the scope of the Open Data Directive. The regulation also creates a new framework to promote data intermediation services, providing a trustworthy environment where companies or individuals can share data. Additionally, the DGA introduces the concept of “data altruism”, defined as the voluntary sharing of data by individuals or organizations without financial reward, in order to serve objectives of general interest.
Who is covered? – The DGA primarily affects public sector bodies, entities seeking to become data intermediation service providers, and organizations engaging in data altruism.
Current status – The provisions of the DGA are applicable across the EU from 24 September 2023.
Digital Services Act (DSA)
What is it about? – The Digital Services Act (the “DSA”) aims to create a safer and more accountable online environment within the EU by addressing the spread of illegal content and disinformation. It seeks to enhance user safety, protect fundamental rights, and ensure a fair and open digital landscape. Among its key requirements, the Act requires online platforms to publish transparency reports detailing their content moderation activities, to notify users of content moderation decisions, and to provide mechanisms for users to appeal such decisions.
Who is covered? – The DSA applies to a wide range of online intermediary services, with obligations that vary depending on the provider's role, size, and impact. Covered entities include online platforms (such as marketplaces, app stores, and social media platforms), hosting services (like cloud and web hosting providers), and other intermediary services (such as internet access providers that merely transmit or cache content). So-called Very Large Online Platforms and Search Engines (“VLOPs” and “VLOSEs”), designated by the European Commission based on their number of EU users, are subject to the most stringent requirements. Examples include the Apple App Store, Booking, Facebook, Google Search, Instagram, LinkedIn, Shein, YouTube, Wikipedia, and Zalando.
Current status – The obligations applicable to the first designated VLOPs and VLOSEs have applied since 25 August 2023, while the DSA has applied to all other service providers since 17 February 2024.
Digital Markets Act (DMA)
What is it about? – The Digital Markets Act (the “DMA”) aims to promote fair and contestable markets in the digital sector by establishing a list of dos and don’ts for large online platforms designated as “gatekeepers”. The regulation supplements existing EU competition law by directly addressing the market power of these platforms, ensuring that they operate fairly and do not undermine competition.
Who is covered? – The DMA applies to providers of so-called core platform services that are designated as "gatekeepers" by the European Commission. On 6 September 2023, the Commission designated six companies as gatekeepers: Alphabet, Amazon, Apple, ByteDance (TikTok), Meta, and Microsoft. Booking Holdings was added as a seventh gatekeeper in May 2024.
Current status – The obligations for the first six designated gatekeepers have applied since 6 March 2024; later-designated gatekeepers must comply within six months of their designation.
NIS2 Directive
What is it about? – The NIS2 Directive aims to achieve a high common level of cybersecurity across the EU by strengthening the resilience of the network and information systems of the entities it covers. NIS2 is a significant revision of the earlier, now repealed, NIS Directive, expanding its scope and strengthening requirements to better address evolving cyber threats. The NIS2 Directive requires covered entities to implement a set of cybersecurity risk management measures, makes their management bodies responsible for approving and overseeing those measures, and requires them to report significant incidents to the competent authority or national CSIRT within set deadlines.
Who is covered? – The NIS2 Directive applies to entities in a number of sectors, including energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT (Information and Communication Technology) service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing of certain products, digital providers, and research. Notably, the required risk management measures include supply chain security, covering the security of relationships between covered entities and their direct suppliers and service providers. In practice, this means that NIS2-derived requirements are flowed down to suppliers through contracts, so the Directive indirectly affects suppliers even where they are not themselves covered entities.
Current status – Member States were required to transpose the NIS2 Directive into national law by 17 October 2024. In Sweden, the implementation will occur through the proposed Swedish Cybersecurity Act (Sw. Cybersäkerhetslagen). We have not yet seen the final preparatory work, but we expect the Swedish law to come into force later this year.
Digital Operational Resilience Act (DORA)
What is it about? – DORA is a regulation aimed at ensuring the operational resilience of the financial sector by creating a harmonized framework for managing risks related to Information and Communication Technology (ICT). Key requirements under DORA include implementing a robust ICT risk management framework, establishing processes for classifying and reporting major ICT-related incidents, conducting regular digital operational resilience testing (including threat-led penetration testing for certain entities), managing risks associated with ICT third-party service providers, and facilitating the sharing of cyber threat information among financial entities.
Who is covered? – DORA directly applies to a broad range of financial entities, including banks, payment service providers, investment firms, and insurance companies.
Additionally, DORA has significant implications for ICT third-party service providers (providers of ICT services as defined in DORA), as financial entities are required to include specific contractual provisions in their agreements with such providers to ensure compliance with DORA’s requirements. The financial entity is responsible for assessing and classifying whether an ICT service supports a “critical or important function” of the entity. The contractual and regulatory requirements applicable to a provider of ICT services supporting critical or important functions are stricter than those applicable to providers of other ICT services. DORA also regulates subcontracting by ICT third-party service providers. Separately, the European Supervisory Authorities may designate certain providers as critical ICT third-party service providers, placing them under direct EU-level oversight.
Current status – DORA became fully applicable across the EU on 17 January 2025.
Cyber Resilience Act (CRA)
What is it about? – The Cyber Resilience Act is a pioneering EU regulation that establishes mandatory cybersecurity requirements for products with “digital elements”, aiming to enhance the overall security of connected hardware and software placed on the EU market. It requires manufacturers to ensure that their products meet essential cybersecurity requirements at the design and development stage and to handle vulnerabilities throughout a defined support period, including reporting actively exploited vulnerabilities and severe incidents to the authorities. Compliance is demonstrated through conformity assessments (self-assessment for most products, third-party assessment for certain important or critical categories), allowing products to bear the CE marking as an indication of adherence to the regulation.
Who is covered? – The main focus of the CRA is manufacturers of products with digital elements, but it also imposes obligations on importers and distributors of such products offered within the EU.
Current status – The regulation entered into force on 10 December 2024 and applies gradually: the provisions on conformity assessment bodies apply from 11 June 2026, the manufacturers’ reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and all remaining provisions apply from 11 December 2027.
Concluding remarks
If you had any doubts before, one thing should now be crystal clear: Brussels is on a mission to regulate tech and set the rules for the future digital economy. While this provides clarity on what is required and harmonizes rules across the EU, it also places a significant legal burden on affected businesses. With many of these laws already in effect or coming into force soon, and with the risk of substantial fines for non-compliance, businesses need to act now to stay compliant. The days of “we’ll deal with compliance later” are over. The good news? You don’t have to figure it all out on your own. Synch’s legal team specializes in EU tech regulations and can help you cut through the complexity, so you can focus on what you do best: running your business. Just get in touch if you have any questions about any of the above regulations!