In the final quarter of 2024, there have been significant developments in the EU cybersecurity legal landscape. Most prominently, the EU institutions adopted the Cyber Resilience Act and mid-October marked the deadline for Member States to transpose the NIS2 Directive into national law. Most Member States failed to meet the NIS2 transposition deadline, which resulted in the European Commission sending a formal notice to 23 Member States, urging them to transpose the Directive. These 23 Member States have been given two months to respond. (For more information on the Cyber Resilience Act and NIS2 Directive, see our blog posts here and here.)Continue Reading Three Recent Developments in the EU Cyber Landscape
European Union
NIS2 Deadline Today
Today, October 18, is the deadline for Member States to start to apply “NIS2” under national laws. NIS2 is the new cybersecurity law that builds on requirements under the prior NIS Directive. As previously reported, key elements of NIS2 include:
- Broader scope of application – it covers a wide range
Five key takeaways from recent EU developments on the GDPR’s “legitimate interests” legal basis
In the past few weeks, there have been significant developments relating to the “legitimate interests” legal basis under Article 6(1)(f) of the GDPR:
- On 4 October 2024, the Court of Justice of the EU (“CJEU”) handed down its judgment in a case relating to the Royal Dutch Lawn
EU Commission Publishes Report Assessing EU Consumer Laws and Paves Way for New and Stronger EU Consumer Law for the Digital Space
On October 3, 2024, the European Commission published a report evaluating the effectiveness of existing EU consumer protection laws in protecting consumers in the digital space. More specifically, the report assesses the effectiveness of the following three consumer protection laws: (i) the Unfair Commercial Practices Directive (“UCPD”); (ii) the Consumer Rights Directive (“CRD”); and (iii) the Unfair Contract Terms Directive (“UCTD”). It also identifies and analyses the main provisions in the DSA, DMA, Data Act, and AI Act that are of particular relevance for protecting consumers in the digital environment. The report is the result of the 2022 public consultation we mentioned in our previous blog post.Continue Reading EU Commission Publishes Report Assessing EU Consumer Laws and Paves Way for New and Stronger EU Consumer Law for the Digital Space
The EU Considers Changing the EU AI Liability Directive into a Software Liability Regulation
Now that the EU Artificial Intelligence Act (“AI Act”) has entered into force, the EU institutions are turning their attention to the proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence (the so-called “AI Liability Directive”). Although the EU Parliament and the Council informally agreed on the text of the proposal in December 2023 (see our previous blog posts here and here), the text of the proposal is expected to change based on a complementary impact assessment published by the European Parliamentary Research Service on September 19.Continue Reading The EU Considers Changing the EU AI Liability Directive into a Software Liability Regulation
EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR
On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022. The public consultation is planned for the last quarter of 2024.Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR
Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical Devices
On 1 July 2024, Germany has enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system which covers around 90% of the German population. In this blog…
Continue Reading Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical DevicesEU Artificial Intelligence Act Published
On 12 July 2024, EU lawmakers published the EU Artificial Intelligence Act (“AI Act”), a first-of-its-kind regulation aiming to harmonise rules on AI models and systems across the EU. The AI Act prohibits certain AI practices, and sets out regulations on “high-risk” AI systems, certain AI systems that pose transparency risks, and general-purpose AI (GPAI) models.Continue Reading EU Artificial Intelligence Act Published
NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents
Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.
Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.
The IR is open for feedback via the Commission’s Have Your Say portal until July 25.Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents
Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research
On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.
The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code. The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.
We provide below an overview of the legal framework and the safeguards identified by the Garante.Continue Reading Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research