On July 24, 2025, the European Parliament (EP) published a study entitled Artificial Intelligence and Civil Liability – A European Perspective. The study considers some of the EU’s existing and proposed liability frameworks, notably the revised Product Liability Directive (PLDr) and the AI Liability Directive (AILD), which was proposed by the European Commission only to be later withdrawn. The study concludes that neither instrument sufficiently addresses the full scope of product liability risks and defects uniquely posed by high-risk AI systems, as that concept is defined by the EU AI Act. Therefore, it calls for the creation of a dedicated strict liability framework, specifically designed to tackle the particular liability risks that these systems are said to give rise to. While it is too early to predict whether other key European stakeholders will support such a framework and bring it to fruition, this development is an important one to monitor closely for those creating or working with high-risk AI systems.Continue Reading European Parliament Study Recommends Strict Liability Regime for High-Risk AI Systems
European Parliament
European Parliament Committee Recommends Commission to Propose EU Directive on Algorithmic Management
On June 26, 2025, the European Parliament’s Committee on Employment and Social Affairs published a draft report (“Draft Report”) recommending that the Commission initiate the legislative process for an EU Directive on algorithmic management in the workplace. The Draft Report defines algorithmic management as the use of automated systems—including those involving artificial intelligence—to monitor, assess, or make decisions affecting workers and solo self-employed persons.
This Draft Report follows a Commission study published in March 2025 (“Commission Study”), which found that while existing EU legislation, such as the GDPR, addresses some risks to workers from algorithmic management, others remain. The Commission Study also recognizes that the AI Act does not establish specific rights for workers in the context of AI use, which is noted as a concern.
The Draft Report encloses the proposed text for a new Directive on algorithmic management in the workplace (“Proposed Directive”). The Draft Report has not yet been endorsed by the European Parliament.Continue Reading European Parliament Committee Recommends Commission to Propose EU Directive on Algorithmic Management
The Cyber Resilience Act is One Step Closer to Becoming Law
Yesterday, the European Parliament approved the Cyber Resilience Act (“CRA”), which sets out cybersecurity requirements for “products with digital elements” (“PDEs”) placed on the EU market. The term PDE is defined broadly to include both hardware and software products, such as antivirus software, VPNs, smart home devices, connected toys, and wearables. The approved text is available here.Continue Reading The Cyber Resilience Act is One Step Closer to Becoming Law
EU Parliament’s AI Act Proposals Introduce New Obligations for Foundation Models and Generative AI
On 11 May 2023, members of the European Parliament’s internal market (IMCO) and civil liberties (LIBE) committees agreed their final text on the EU’s proposed AI Act. After MEPs formalize their position through a plenary vote (expected this summer), the AI Act will enter the last stage of the legislative process: “trilogue” negotiations with the European Commission, Parliament and the Council, which adopted its own amendments in late 2022 (see our blog post here for further details). European lawmakers hope to adopt the final AI Act before the end of 2023, ahead of the European Parliament elections in 2024.
In perhaps the most significant change from the Commission and Council draft, under MEPs’ proposals, providers of foundation models – a term defined as an AI model that is “trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks” (Article 3(1c)) – would be subject to a series of obligations. For example, providers would be under a duty to “demonstrate through appropriate design, testing and analysis that the identification, the reduction and mitigation of reasonably foreseeable risks to health, safety, fundamental rights, the environment and democracy and the rule of law prior and throughout development” (Article 28b(2)(a)), as well as to draw up “extensive technical documentation and intelligible instructions for use” to help those that build AI systems using the foundation model (Article 28b(2)(e)).Continue Reading EU Parliament’s AI Act Proposals Introduce New Obligations for Foundation Models and Generative AI
A Preview into the European Parliament’s Position on the EU’s AI Act Proposal
The EU’s AI Act Proposal is continuing to make its way through the ordinary legislative procedure. In December 2022, the Council published its sixth and final compromise text (see our previous blog post), and over the last few months, the European Parliament has been negotiating its own amendments to the AI Act Proposal. The European Parliament is expected to finalize its position in the upcoming weeks, before entering into trilogue negotiations with the Commission and the Council, which could begin as early as April 2023. The AI Act is expected to be adopted before the end of 2023, during the Spanish presidency of the Council, and ahead of the European elections in 2024.
During negotiations between the Council and the European Parliament, we can expect further changes to the Commission’s AI Act proposal, in an attempt to iron out any differences and agree on a final version of the Act. Below, we outline the key amendments proposed by the European Parliament in the course of its negotiations with the Council.Continue Reading A Preview into the European Parliament’s Position on the EU’s AI Act Proposal
Progress on the Pending EU ePrivacy Regulation
According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):…
Continue Reading Progress on the Pending EU ePrivacy Regulation
European Parliamentary Research Service issues a briefing paper on implementing EU’s ethical guidelines on AI
On 19 September 2019, the European Parliamentary Research Service (“EPRS”)—the European Parliament’s in-house research service—released a briefing paper that summarizes the current status of the EU’s approach to developing a regulatory framework for ethical AI. Although not a policymaking body, the EPRS can provide useful insights into the direction of EU policy on an issue. The paper summarises recent calls in the EU for adopting legally binding instruments to regulate AI, in particular to set common rules on AI transparency, set common requirements for fundamental rights impact assessments, and provide an adequate legal framework for facial recognition technology.
The briefing paper follows publication of the European Commission’s high-level expert group’s Ethics Guidelines for Trustworthy Artificial Intelligence (the “Guidelines”), and the announcement by incoming Commission President Ursula von der Leyen that she will put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within her first 100 days in office.Continue Reading European Parliamentary Research Service issues a briefing paper on implementing EU’s ethical guidelines on AI
European Parliament Publishes Study on Blockchain and the GDPR
By Dan Cooper on
On July 24, 2019, the European Parliament published a study entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” The study explores the tension between blockchain technology and compliance with the General Data Protection Regulation (the “GDPR”), the EU’s data protection law. The study also explores how blockchain technology can be used as a tool to assist with GDPR compliance. Finally, it recommends the adoption of certain policies to address the tension between blockchain and the GDPR, to ensure that “innovation is not stifled and remains responsible”. This blog post highlights some of the key findings in the study and provides a summary of the recommended policy options.
Continue Reading European Parliament Publishes Study on Blockchain and the GDPR
European Parliament Approves EU Cybersecurity Act
By Mark Young on
Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here).
In addition to reinforcing the mandate of ENISA — now to be known as the EU Agency for Cybersecurity — the new regulation establishes an EU cybersecurity certification framework. This framework is intended to increase the transparency of the cybersecurity assurance of ICT products, services and processes, and thereby improve trust and help end users make informed choices. Another key reason for the framework is to avoid the multiplication of conflicting or overlapping national certifications and thus reduce costs.
Under the regulation, the Commission is empowered to adopt European cybersecurity certification schemes, prepared by ENISA, concerning specific groups of ICT products, services and processes. The schemes could cover, for example, ICT products, services and processes that are used in cars, airplanes, power plants, medical devices, as well as Internet-connected consumer devices.
Among many other details, each certification scheme will set out the subject matter and scope of the scheme, including the type or categories of ICT products, services and processes covered; a clear description of the purpose of the scheme; references to the international, European or national standards applied in the evaluation or other technical specifications; information on assurance levels (explained in more detail below); and an indication of whether conformity self-assessment is permitted under the scheme (also explained in more detail below).
Continue Reading European Parliament Approves EU Cybersecurity Act
European Data Protection Board Releases Report on the Privacy Shield
On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent Ombudsperson. But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.
The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU. The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield. The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.
Continue Reading European Data Protection Board Releases Report on the Privacy Shield