Digital Decade
The EU digital decade affects every business
The European Union’s digital strategy aims to ensure that both people and businesses take full advantage of the digital technology that is radically changing our lives. This strategy includes more than 100 different types of laws and regulations, which are new, revised or already in place. These regulations impact virtually every sector and business within the EU. Businesses today cannot escape issues such as privacy and cybersecurity. Below is a brief overview of the most relevant regulations under the EU’s ‘digital decade’ strategy.
Artificial Intelligence Act (AIA)
- Core: Regulates AI systems by assessing risk from ‘minimal risk’ to ‘unacceptable risk’. Strict rules for high-risk applications such as facial recognition and medical devices.
- Target audience: Providers, deployers, importers, distributors, manufacturers, representatives and users of AI systems in sectors such as healthcare, transport and government.
- Status: In force since 2 August 2024. Phased obligations: 6 months (prohibited systems), 12 months (GPAI), 24 months (high-risk Annex III).
Digital Services Act (DSA)
- Core: Ensures a safer online environment by holding platforms accountable for harmful content and regulates online marketplaces.
- Target audience: Online platforms (such as social media and e-commerce websites) and consumers.
- Status: In force since 16 November 2022. It has applied to ‘very large platforms’ and search engines for some time, and to smaller platforms since 17 February 2024.
- Core: Sets requirements for accessibility of products and services (such as smartphones, websites, ATMs and e-commerce) for people with disabilities.
- Target audience: Companies offering digital products and services and users with disabilities.
- Status: In force since June 2022. National legislation to be updated no later than 28 June 2025.
- Core: Promotes fair access to and use of (especially non-personal) data, between companies and governments, driving innovation.
- Target audience: Companies that collect, share or use data, as well as governments and consumers.
- Status: In force since 11 January 2024. Obligations effective from 12 September 2025.
- Core: Improves cybersecurity in key sectors through stricter security requirements for businesses and government agencies.
- Target audience: Critical infrastructure sectors such as energy, transport, healthcare and digital service providers.
- Status: In force since 16 January 2023. To be transposed into national regulations by 18 October 2024. Currently, only a draft text of the Cybersecurity Act is available.
General Data Protection Regulation (GDPR)
- Core: Protects personal data with strict rules on data collection, processing and retention within the EU.
- Target audience: All organisations processing personal data, including companies, public authorities and non-profit organisations.
- Status: In force since 2018.
- Core: Creates a data sharing and management framework aimed at improving transparency and trust in data sharing systems.
- Target audience: Government agencies, companies and data mediation services.
- Status: In force since 2023.
- Core: Stimulates innovation and economic growth by opening up government data for reuse.
- Target audience: Governments, public institutions and companies using government data.
- Status: In force since 2021 and transposed into the Open Government Act in the Netherlands.
- Core: Focuses on producers’ liability for damages caused by defective products, with a special focus on technological developments such as smart products and AI.
- Target audience: Manufacturers of consumer goods, including AI-driven products.
- Status: Proposal for revision presented in September 2022, negotiations ongoing.
Other relevant regulations in the ‘Digital Decade Package’ are:
- AI Liability Directive;
- Cybersecurity Act (CSA);
- Cyber Resilience Act (CRA);
- Digital Operational Resilience Act (DORA);
- Digital Markets Act (DMA);
- E-Privacy Regulation; and
- Resilience of Critical Entities Directive (CER).
From AI to data use and from cybersecurity to consumer protection, the EU’s ‘digital decade’ strategy imposes a wide range of regulations affecting every sector. Companies need to respond (preferably proactively) to these changes to avoid penalties and strengthen their digital strategies.
Do you have questions about the impact of these regulations on your organisation or do you want to know how your company can prepare for compliance? Contact us.
Also take a look at our services for AI Act Compliance, Audits and Certification, Governance Advice and a Fundamental Rights Impact Assessment.