2023 was the year of artificial intelligence — and 2024 is already shaping up to be more (much more) of the same. The European Union’s legislative bodies passed the AI Act earlier this month, and although the text has yet to be finalised on the world’s first comprehensive AI law, the hype around it already feels unstoppable. That hype will turn into hard work over the next 12 months, as organisations grapple with understanding their obligations under the Act and putting in a governance framework that meets those obligations. Needless to say, it will not be an easy task.
However, the almost singular focus on AI this year has risked overshadowing the rest of the EU’s digital legislative agenda. A graphic by European Parliamentary assistant Kai Zenner shows the scale of that agenda: nearly 40 digital sector laws are currently in negotiation or planned as a legislative initiative. That is in addition to the 60-odd laws that are already, or soon to be, in effect. Zenner’s graphic is available here.
I’d like to draw your attention to three of those laws. The first will come into force in late 2024, the next in early 2025, and the third later that year. That may feel like far enough away so as not to worry, but I would urge you to (i) assess the extent to which one or more of these laws will apply to your business, and (ii) start your preparations as soon as possible next year.
I’ve been banging this drum for a while now, but some combination of these laws — and/or the Data Act and the Data Governance Act — will have a more concrete impact than AI on many businesses in 2024 and beyond. In addition to the information set out below, my key takeaway is that many of the laws require the board/C-suite to have ultimate responsibility — and liability for driving risk, security and compliance standards at their organisations. With that in mind, the next 12 months should be used to educate and engage senior management on the steps their organisations need to take to ensure they are compliant. Civil and criminal liability and/or banning orders for board members are features of some of the laws, and that should also help you to focus the minds of your executives.
NIS2 Directive
- NIS2 repeals and replaces the NIS1 Directive and is designed to harmonise the approach to cybersecurity among EU member states. NIS2 broadens the scope of the previous Directive, including by applying to a wider range of organisations, tightening incident reporting obligations, and requiring in-scope entities to flow down security obligations to their supply chains. It will come into force on 17 October 2024.
- NIS2 will apply to (1) entities in “essential” and “important” sectors, in certain cases regardless of the organisation’s size, and (2) medium and large entities (i.e., those with less than 250 employees and an annual turnover below €50 million) in those sectors. Small entities — those with less than 50 employees and annual turnover below €10 million — are largely exempt, unless the entity is important to the functioning of the EU member state.
- NIS2 introduces a range of new and enhanced obligations, including those relating to (i) cybersecurity (organisations must take appropriate technical, organisational and operational measures to manage cybersecurity risks faced by their network systems); (ii) governance (boards of directors and other senior officers must approve and oversee, and can be liable for, the cybersecurity risk management measures taken by their organisations); and (iii) incident management (NIS2 streamlines incident reporting obligations by differentiating between “incidents” and “cyber threats”, and entities are required to make an initial report of significant incidents to the relevant Computer Security Incident Response Team or other competent authority within 24 hours).
- NIS2 will be enforced by national supervisory authorities, whose remit differs for “essential” and “important” entities. For a breach of its reporting obligations, an essential organisation can receive a maximum fine of the greater of €10 million or 2% of worldwide annual turnover for the previous financial year, while fines for important entities can be up to the greater of €7 million or 1.4% of worldwide annual turnover. Members of the management at essential entities can also be temporarily banned from managerial functions if their organisation does not meet a supervisory authority’s deadlines.
Digital Operational Resilience Act
- DORA is part of the EU’s Digital Finance Package, which is a bloc-wide cybersecurity regulatory initiative for the financial services sector. It will come into force on 17 January 2025.
- DORA applies to a very wide range of financial and financial-adjacent institutions and entities, as well as to “critical” third-party ICT providers (to be determined, among other things, on the basis of their potential systematic impact in the case of large-scale failures and how easily they can be replaced).
- DORA’s core obligations can be grouped into four main buckets: (i) governance and controls (the board bears responsibility for and must maintain an active role in managing the organisation’s approach to ICT risk); (ii) ICT risk management (organisations must have an appropriate and documented IT risk management framework in place); (iii) incident reporting (including staggered reporting timelines); and (iv) third-party contracting (arrangements with third parties must meet prescriptive requirements, appear on information registers and be reported at specific intervals.)
Cyber Resilience Act
- The CRA seeks to establish EU-wide cybersecurity compliance standards for digitised products that are manufactured and sold in the EU. The law was agreed by the EU legislative bodies in November 2023; it will likely be passed early next year and take effect in 2025.
- The CRA places (i) requirements on manufacturers to protect European consumers against cybersecurity risks and report product/system vulnerabilities with 24 hours, and (ii) obligations on manufacturers, importers and distributors to ensure that products meet high cybersecurity standards. These include (for manufacturers) undertaking risk and conformity assessments, (for importers) diligencing the products that they import, including for compliance with technical and conformity assessment requirements, and (for distributors) ensuring that products bear CE markings and contain other transparency information.
- Penalties under the CRA are GDPR-like. A manufacturer that doesn’t meet its obligations in respect of essential cybersecurity requirements can be subject to a fine of up to the higher of €15 million or 2.5% of total worldwide annual turnover. Other infringements can lead to a fine of up to the higher of €10 million or 2% of global annual revenue. If incorrect, incomplete or misleading information is given to notified bodies and market surveillance authorities in response to a request, a fine of up to the higher of €5 million or 1% of global annual revenue can be issued.