
EU Digital Regulation Round-up

Read the latest updates on the progress of legislation and regulation in the EU relating to technology, data, digital markets and cybersecurity.


We are delighted to present our view of the most important developments in EU digital market regulation. We present our perspective on those developments as a snapshot of the current state of regulatory progress, and it will evolve in time as the regulations pass through the process of enactment in Brussels. While it does not cover all developments, it is a valuable overview that will have relevance to you and your business.

Technology regulation 

EU Artificial Intelligence Act (Regulation)

Aim

The world’s first concrete proposal for regulating artificial intelligence (AI). The regulation aims to set up a regulatory framework for AI systems, including specific rules for high risk AI and prohibited practices. It is likely to profoundly affect the debate on AI and ultimately the way that companies, startups, tech giants, governments and law enforcement agencies can use AI. 

The regulation prohibits a limited number of AI systems, including real-time remote biometric identification. It mainly introduces a large number of risk management obligations for high-risk AI systems. There is a long list of high risk systems, but some examples are AI uses in the health, transport, credit scoring and HR sectors. Many low risk AI systems are not regulated at all, but some low risk AI systems are subject to limited transparency obligations.

Who will the regulation affect?

In essence, the AI Regulation will affect any company which uses an AI system or its output in the EU, including:

  • Providers and developers of AI systems who commercially supply or put an AI system into service in the EU, irrespective of where they are located.
  • Importers and distributors who make AI systems available in the EU.
  • Providers and professional “users” located outside the EU, if the output produced by the system is used in the EU.
  • Professional “users” under whose authority the AI system is operated in the EU.

Next step

The Council of the European Union and the Parliament struck a deal on the AI Act on 8 December 2023. The AI Act is expected to be published in the Official Journal by Q1 2024, enter into force on the twentieth day following publication and become applicable two years after the date of entry into force for most of its provisions.

What it means for business

  • Potential additional risk management, cybersecurity, conformity assessment and transparency obligations on companies that provide or develop high risk AI systems.
  • Transparency obligations on certain lower risk systems (e.g. chatbots).
  • Prohibition of certain AI practices. 

EU perspective

Artificial intelligence act: Council and Parliament strike a deal on the first rules for AI in the world

Our perspective

The EU Artificial Intelligence Act

The AI Liability Directive and the updated Product Liability Directive are not included in the snapshot but have been covered in our article European Commission proposes AI Liability Directive and modernised Product Liability Directive.

 

EU Chips Act (Regulation)

Aim

The EU Chips Act seeks to set up an investment and development programme for the semiconductor industry. It contains provisions intended to enable the EU to double its market share in semiconductors by 2030, building capacity to design, manufacture and package advanced chips. The Act is intended to mobilise EUR43 billion of public and private funds in an effort to prevent, anticipate and respond to future supply chain disruptions.

Who will the regulation affect?

All players in the semiconductor industry: chip manufacturers in the EU and, internationally, users of semiconductors, SMEs, Member State governments, and public research centres.

Next steps

The Chips Act was adopted on 25 July 2023. It was published in the Official Journal of the European Union on 18 September 2023 and entered into force on 21 September 2023.

What it means for business

  • Opportunities for public-private consortia, manufacturers and related industries to strengthen European semiconductor production facilities.
  • Funding opportunities for construction of production facilities.
  • Funding opportunities for semiconductor R&D.
  • Monitoring of the supply chain with a crisis response mechanism that may be triggered by the European Commission in the event of significant shortages.

EU perspective

Digital Sovereignty: European Chips Act enters into force today 

Regulation (EU) 2023/1781 of the European Parliament and of the Council of 13 September 2023 establishing a framework of measures for strengthening Europe’s semiconductor ecosystem and amending Regulation (EU) 2021/694 (Chips Act)  

Our perspective

The EU Chips Act


 

Data regulation

EU Data Governance Act (Regulation)

Aim

The Data Governance Act (DGA) promotes the sharing of data across the EU, facilitates the reuse of public sector data and assists businesses with the development of new data-rich products and services, including those based on artificial intelligence. The act:

  • Encourages data sharing in the EU, including access to public sector data;
  • Sets up rules regarding the provision of data sharing services; and
  • Sets up conditions for the international transfer of non-personal data.

Who will the regulation affect?

  • Public sector bodies in the EU.
  • Providers of data intermediation services (entities creating a commercial relationship between data subjects and data holders on the one hand and data users on the other).
  • Data altruism organisations.
  • Companies who use or reuse data from a public sector body.

Next step

The DGA has been adopted and was published in the Official Journal of the European Union on 3 June 2022. It has been applicable since 24 September 2023. Organisations providing data intermediation services on 23 June 2022 benefit from a transition period and are required to comply with data intermediation services obligations by 24 September 2025.

What it means for business

  • The act imposes additional obligations on the providers of data intermediation services (entities creating a commercial relationship between data subjects and data holders on the one hand and data users on the other hand). 
  • Conditions apply for sharing data held by public bodies, and barriers to such sharing are removed: for example, exclusive arrangements for the reuse of such data are prohibited, although exclusive rights may be granted in cases of general interest for a maximum of 12 months.
  • Specific measures are set up to protect against an unlawful transfer of non-personal data to non-EU countries. 

EU perspective

European strategy for data: Data Governance Act becomes applicable

Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on the European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act)

Our perspective

EU - Data Governance Act becomes applicable

 

EU Data Act (Regulation)

Aim

A wide-ranging, sector neutral proposal, the EU Data Act looks to unlock the untapped value of data across the EU. It aims to: 

  • Facilitate access to and the use of data by consumers and businesses;
  • Provide access to public sector bodies to data held by the private sector where there is an exceptional need;
  • Facilitate switching between cloud and edge services;
  • Safeguard against unlawful data transfer without notification by cloud service providers;
  • Provide for the development of interoperability standards for reuse of data; and
  • Set up conditions for international transfer of non-personal data.

Who will the regulation affect?

  • Manufacturers of connected products and providers of related services on the market in the EU.
  • Business and individual users of those connected products and related services.
  • Data holders who have a right, obligation or ability to make certain data available to data recipients in the EU.
  • Providers of “data processing services” to customers in the EU, including cloud service providers.

Next step

The Data Act was adopted on 13 December 2023 and published in the Official Journal of the EU on 22 December 2023. It entered into force on 11 January 2024 and will apply from 12 September 2025.

What it means for business

  • Transparency obligations on IoT manufacturers and data holders regarding data generated by connected products.
  • Obligation on manufacturers and data holders to provide access to data generated by products to users or third parties on request, including via API. 
  • The Act includes contractual obligations that will apply to data sharing agreements between data holders and data recipients. These include FRAND terms and conditions, and the prohibition of unfair terms when contracting unilaterally with SMEs.
  • Data processing service providers, including cloud and edge service providers, will have to facilitate switching and data portability while maintaining a minimum functionality of the service. This may require a review of their contractual provisions with their customers.
  • The European Commission will develop model contractual terms on data access, and standard contractual clauses for cloud computing. 
  • Obligation to provide data to public sector authorities if requested in the case of exceptional need, such as a public emergency.

EU perspective

European Data Act enters into force, putting in place new rules for a fair and innovative data economy 

Our perspective

The EU Data Act

 

European Health Data Space (Regulation)

Aim

The European Health Data Space sets up rules regarding the primary and secondary use of health data. It looks to support individuals in taking more control of their own health data. It seeks to use health data for better healthcare delivery, better research, innovation and policy making.

The Data Space introduces compliance requirements for Electronic Health Record (EHR) systems manufacturers, importers and distributors.

Who will the regulation affect?

  • Electronic health data holders - public bodies and private companies.
  • Data users of electronic health data for secondary uses including scientific health research or development of health products.
  • Manufacturers, importers, distributors, suppliers of EHR systems and wellness applications on the EU market, as well as the users of such systems.
  • Patients and healthcare professionals.

Next step

The Council adopted its position on the European Health Data Space on 6 December 2023 with a mandate for negotiations with the Parliament. The Parliament adopted its position on 13 December 2023. Negotiations between the Parliament and the Council are planned to begin on 14 December 2023.

What it means for business

  • Manufacturers of EHR systems will have to meet interoperability requirements and additional compliance requirements.
  • Health data holders in the EU may have to make their broadly defined electronic health data and associated metadata available for secondary use for a fee, and in accordance with an authority-issued permit.
  • Data users may use the electronic health data in accordance with the permit but will be subject to conditions including the requirement to make public any results or output of such secondary use within 18 months.

EU perspective

European Health Union: A European Health Data Space for people and science

Our perspective

The European Health Data Space

 

ePrivacy Regulation

Aim

The e-Privacy Regulation will set out privacy and confidentiality requirements around electronic communications in the EU. It will regulate:

  • The provision of electronic communications services;
  • The processing of electronic communications data, metadata and content and end users' terminal equipment information;
  • The transmission of direct marketing communications; and
  • Publicly available directories of end users of electronic communications services in the EU.

Who will the regulation affect?

Companies operating in the digital economy, electronic communications services providers, over-the-top service providers and organisations using cookies, tracking technologies or engaged in direct marketing.

Next steps

The Council of the EU, the European Parliament and the European Commission are proceeding with trilogue negotiations about the final text of the ePrivacy Regulation. The Commission published a first draft of its text in 2017. The fact that no agreement has been reached thus far indicates that there are significant differences on how Member States and the Parliament see this regulation.

What it means for business

The new ePrivacy Regulation seeks to replace the existing ePrivacy Directive. Businesses within the scope of the regulation may need to review the ways they collect, process and maintain data, metadata and content data. They may be subject to obligations such as, but not limited to:

  • The confidentiality of electronic communications;
  • Rules regarding data retention; and
  • A harmonisation of currently diverging rules on cookies and similar technologies.

EU perspective

Commission proposes high level of privacy rules for all electronic communications and updates data protection rules for EU institutions

Our perspective

ePrivacy regulation


 

Digital markets regulation

EU Digital Services Act (Regulation)

Aim

The EU Digital Services Act (DSA) aims to limit the spread of illegal content online, with the aim of creating a secure and safe online environment for all. It modernises liability rules of online intermediaries and introduces a new set of obligations regarding transparency requirements and the removal of illegal content.

Who will the regulation affect?

Online intermediaries and service providers regardless of their place of establishment, including:

  • Providers of mere conduit services, such as ISPs, VPNs, domain name systems, VoIP.
  • Providers of caching transmission services, such as content delivery networks, content adaptation proxies or reverse proxies.
  • Online hosting providers and platforms such as cloud service providers, online marketplaces, social media, and app stores that offer services in the EU.
  • Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), with at least 45 million average monthly active users in the EU.

Next step

The DSA was published in the Official Journal on 27 October 2022. It came into force on 16 November 2022 and applies from 17 February 2024 in relation to most articles. The DSA applies to VLOPs and VLOSEs four months after their designation as such, if that happened before 17 February 2024. For the 19 services that the European Commission designated as VLOPs and VLOSEs on 25 April 2023, the DSA has applied since 25 August 2023. Certain requirements have applied since 16 November 2022. These include provisions regarding transparency reporting for online platforms, the provision regarding the supervisory fee for VLOPs and VLOSEs and certain provisions regarding delegated acts the Commission may adopt. The Commission has already published guidance on the identification and counting of average monthly active recipients and has adopted an implementing act on the conduct of inspections and monitoring actions.

What it means for business

Depending on the type of online intermediary services provided, additional obligations regarding complaint handling and redress mechanisms, transparency, due diligence, reporting, specific privacy, safety and security protection for minors, advertising transparency, systemic risk mitigation and crisis management may be applicable. The penalties for non-compliance are steep, in some cases up to 6% of an organisation’s annual global turnover, so the obligations it imposes are onerous and must be adhered to.

EU perspective

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)

Our perspective

The EU Digital Services Act

 

EU Digital Markets Act (Regulation)

Aim

The Digital Markets Act (DMA) requires large online platforms which act as “gatekeepers” in digital markets to comply with wide-ranging obligations. Its objective is to ensure that digital markets are fair and contestable.

Who will the regulation affect?

Core platform services providers designated as 'gatekeepers', according to the criteria set out in the DMA. These include:

  • Online intermediation services, online search engines, online social networking services;
  • Video-sharing platform services;
  • Number-independent interpersonal communications services;
  • Operating systems; 
  • Web browsers;
  • Virtual assistants; 
  • Cloud computing services; and 
  • Online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services - only if they are also offered by platforms providing any of the other core platform services listed above.

Next step

The DMA was adopted and published in the Official Journal on 12 October 2022. It entered into force on 1 November 2022 and became applicable on 2 May 2023. There are some exceptions which have applied since 1 November 2022, including provisions concerning European Commission powers to adopt delegated acts, implementing acts or guidelines. Other exceptions have been applicable since 25 June 2023, including provisions concerning representative actions brought against infringements by gatekeepers, and concerning the reporting of breaches and the protection of reporting persons.

The Commission designated 6 gatekeepers on 6 September 2023 and published on 9 October 2023 the template for the compliance report they will have to submit by 7 March 2024.

What it means for business

Additional obligations for companies designated as 'gatekeepers' and ‘emerging gatekeepers’ include limitations on their ability to process and use personal user data, determine the ranking of their own and related third parties’ products and service offerings and impose certain access and other restrictions on end users. They will need to ensure that their operations comply with the provisions of the DMA.

EU perspective

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)

Our perspective

Digital Markets Act enters into force: a roadmap for “gatekeeper” digital.


 

Cybersecurity regulation

EU NIS 2 (Directive)

Aim

The Network and Information Security (NIS) Directive, adopted in 2016 (NIS 1 Directive), was the first piece of EU-wide legislation on cybersecurity, and aimed to achieve a high common level of cybersecurity across EU Member States.

NIS 2 repeals the NIS 1 Directive and

  • Extends the scope of the NIS 1 Directive beyond the covered entities defined as “operators of essential services” and “digital services providers” (DSPs) in NIS 1;
  • Strengthens the cybersecurity requirements;
  • Increases the incident reporting obligations; and
  • Extends the supervision and enforcement regime. 

There will be two supervision and enforcement regimes: a lighter one for Important Entities and a more stringent one for Essential Entities.

Who will the regulation affect?

The NIS 2 Directive applies to medium and large enterprises in the listed sectors (with some exceptions, see below the list of essential entities). The national designation requirement is no longer applicable: any entity exceeding the size-cap in the listed sector will be subject to the new rules.

Essential Entities: 

  • Entities exceeding the medium size ceiling active in the following sectors: Energy, Transport, Banking, Financial market infrastructures, Health, Drinking and Waste Water, Digital infrastructure, certain Public administration, ICT service management (B2B) and Space.
  • Critical entities under the Resilience of Critical Entities Directive (the RCE), regardless of their size.
  • Entities designated as essential by EU Member States, regardless of their size. 
  • “Providers of public electronic communications networks or of publicly available electronic communications services which qualify as medium-size enterprises”. 

Important Entities: 

  • Any entity in the essential entities sectors that does not qualify as an “essential entity” and 
  • Any entities in the following sectors: Postal services, Waste management, Chemical manufacture, production and distribution, Food production, processing and distribution, Manufacturing and Digital providers (e.g. online marketplaces, online search engines, social networks). 

Next step

NIS 2 was published in the Official Journal of the European Union on 27 December 2022. It entered into force on 16 January 2023 and will apply from 18 October 2024.

What it means for business

The NIS 2 Directive extends the scope of the NIS 1 Directive to more entities, and imposes the following obligations.

It requires the relevant entities to

  • Obtain approval for their cyber risk management measures, based on an “all hazard” approach, from their management bodies, who may then be held liable for breaches of the NIS 2 Directive and will have to undertake training;
  • Adopt cyber risk management measures such as, but not limited to, ensuring business continuity and supply chain security, handling incidents, having basic cyber hygiene practices and cybersecurity training in place and relevant policies and procedures; and
  • Report significant incidents to the CSIRT or competent authority in a layered approach: early warning within 24 hours, followed by an incident notification within 72 hours, an intermediary report if requested and a final report no later than one month after incident notification or the handling of the incident.

EU Member States may require essential and important entities to use particular ICT products, services or processes certified under EU cybersecurity certification schemes and the EU Commission may specify categories of essential and important entities that must be certified.

NIS 2 determines administrative fines applicable for a breach of the cyber risk management and the reporting obligations. Those fines are of “a maximum of at least”

  • EUR 10 million or 2% of their annual worldwide turnover in the preceding year (whichever is higher) for Essential Entities, and
  • EUR 7 million or 1.4% of their annual worldwide turnover in the preceding year (whichever is higher) for Important Entities. 

EU perspective

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union

Our perspective

The EU NIS 2 Directive

 

EU Resilience of Critical Entities (Directive)

Aim

The Resilience of Critical Entities Directive imposes obligations for Member States to develop a strategy to strengthen the resilience of critical entities. It sets out obligations for critical entities to enhance their resilience in the face of non-cyber risks. The directive establishes rules for Member States to use to identify critical entities and sets up market surveillance rules.

Who will the regulation affect?

The RCE Directive affects critical entities designated by EU Member States in the listed sectors, which are aligned to the designations included in NIS 2, namely Energy, Transport, Banking, Financial markets infrastructure, Health, Drinking and Waste water, Digital infrastructure, certain aspects of Public administration, Food production, processing and distribution, and Space.

Next step

The directive was published in the Official Journal of the European Union on 27 December 2022. It entered into force on 16 January 2023 and will apply from 18 October 2024.

What it means for business

  • Only companies designated as a critical entity will fall under the scope of the directive.
  • Companies that fall within the scope of the directive as critical entities will be subject to obligations to take additional technical and organisational measures to boost resilience, and will be required to describe the measures taken in a resilience plan or in an equivalent document, carry out risk assessments and report disruptive incidents to national authorities, as per the directive, as well as national laws.
  • Enhanced supervision applies to "critical entities of particular European significance", meaning those entities that are providing essential services to six or more Member States.

With respect to cybersecurity measures, obligations and notifications, the RCE Directive refers back to the NIS 2 Directive.

EU perspective

Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities

Our perspective

The Resilience of Critical Entities Directive

 

EU Cyber Resilience Act (Regulation)

Aim

The EU Cyber Resilience Act aims to protect consumers from insecure digital products by introducing common security and vulnerability handling rules that will apply to manufacturers of products with digital elements. It also sets up a conformity assessment procedure, and market surveillance rules with heavy fines for breaches.

Who will the regulation affect?

  • Hardware manufacturers, software developers, distributors and importers of any product with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
  • Providers of certain remote data processing solutions relating to a product with digital elements.

Certain categories of products are excluded from the scope of application of the regulation, such as medical devices or motor vehicles.

Next step

A proposal on the European cybersecurity resilience act was published on 15 September 2022. The Council and the Parliament reached a provisional agreement on the CRA on 30 November 2023. A final CRA should be adopted and published by the end of 2023 or Q1 2024.

What it means for business

  • Companies may have to obtain a mandatory EU cybersecurity certificate to show they are meeting basic cyber safety requirements.
  • Manufacturers will need to comply with essential requirements regarding the security of their products and vulnerability handling. The scope of these requirements includes product design, development and production, and vulnerability handling throughout the product's whole life cycle.
  • Products and vulnerability handling processes will be subject to conformity assessment procedures.
  • Products will have to bear a CE marking and have a declaration of conformity. 
  • Manufacturers have to notify the EU Cybersecurity Agency (ENISA) of any actively exploited vulnerabilities, and report security incidents within 24 hours of becoming aware of any breach.
  • High fines for non-compliance. 

EU perspective

Cyber resilience act: Council and Parliament strike a deal on security requirements for digital products 

Our perspective

The EU Cyber Resilience Act

 

EU DORA (Regulation)

Aim

The Regulation on digital operational resilience for the financial sector (DORA) establishes a detailed and comprehensive regulatory framework for EU financial entities. It introduces a homogeneous system across all EU Member States, where financial system participants need to make sure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats, including cyber threats. In addition, DORA establishes a direct oversight framework of critical ICT third-party service providers.

Who will the regulation affect?

  • Financial entities
    • Banking and payments sector: credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers (as authorised under MiCA), and issuers of asset-referenced tokens
    • Markets infrastructure: central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, and data reporting service providers.
    • Investment funds sector: AIFMs, UCITS management companies
    • Insurance sector: insurance and reinsurance undertakings, institutions for occupational retirement pensions, and insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
    • Miscellaneous: credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories
  • ICT third-party service providers, including cloud platforms and data analytics services

Next step 

DORA was published in the Official Journal of the European Union on 27 December 2022. It entered into force on 16 January 2023 and will apply from 17 January 2025.

Between now and then, the European Supervisory Authorities (ESAs) are mandated to develop various delegated acts and technical standards that supplement DORA.

On 4 January 2023, the EBA published a letter and accompanying provisional call for advice from the European Commission requesting technical advice from the ESAs on delegated acts to be adopted under DORA further specifying the details aimed at shaping-up the designation criteria for critical ICT third-party service providers, as well as the elements which are needed in the specification of the amount of fees to be levied on these providers, and the way and methods in which such fees are to be paid. DORA requires the European Commission to adopt the delegated acts by 16 January 2024, twelve months from the entry into force of DORA. Accordingly, the deadline for the ESAs to respond is 30 September 2023.

On 19 June 2023, the ESAs launched four public consultations on the first batch of draft technical standards under DORA. These include: (i) RTS on an ICT risk management framework and RTS on a simplified ICT risk management framework for certain financial entities; (ii) RTS on criteria for the classification of ICT-related incidents; (iii) ITS to establish the templates for the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers; and (iv) RTS to specify the policy on the contractual arrangements regarding the use of ICT services supporting critical or important functions provided by ICT third-party service providers. The ECB has also published an introductory note that sets out further information on the draft technical standards. The deadline for all comments is 11 September 2023. The ESAs expect to submit the draft technical standards to the European Commission by 17 January 2024.

What it means for business

Financial entities

Financial entities will be required to address, among other things:

  • ICT risk management: have in place an internal governance and control framework that ensures an effective and prudent management of all ICT risks. Financial entities must also have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system which enables them to address ICT risk quickly, efficiently and comprehensively. The management body shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework;
  • ICT-related incident reporting: establish an ICT-related incident management process to detect, manage and notify ICT-related incidents. Financial entities must report major ICT-related incidents to the relevant competent authority within strict time frames;
  • Digital operational resilience testing: establish, maintain and review a sound and comprehensive digital operational resilience testing programme and regularly test their ICT tools, systems and processes;
  • Managing of ICT third-party risk: manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework, including by undertaking appropriate due diligence on potential and existing ICT third-party service providers, and by introducing a number of requirements in contracts with ICT third-party service providers;
  • Information-sharing: notify competent authorities of their participation in information-sharing arrangements with other financial entities relating to cyber threats and intelligence.

Critical ICT third-party service providers

  • ICT third-party service providers designated as ‘critical’ will become subject to direct oversight by the ESAs. The ESAs will designate the ICT third-party service providers that are ‘critical’ for financial entities, taking into account certain criteria. One of the ESAs will be appointed as Lead Overseer for each critical ICT third-party service provider. The ESAs will also establish and maintain a list of critical ICT third-party service providers at EU level. In addition, a third-country critical ICT third-party service provider to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented. The purpose of this oversight regime is to monitor, minimise and control the risks that critical ICT third-party service providers may pose to the financial industry. While DORA does not subject critical ICT third-party service providers to substantial requirements regarding their operations, DORA does grant far-reaching inspection powers to the Lead Overseer, which can be expected to have an impact on the business of critical ICT third-party service providers.

EU perspective

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector

Our perspective

DORA

Beyond DORA, the EU Digital Finance Package has not been covered. You will find more information thereon at the following link: EU Digital Finance Package


 

  1. This overview relates solely to European legislative proposals providing a regulatory framework for technology, data, digital markets and cybersecurity. Other European legislative proposals that may complement these initiatives, such as the Artificial Intelligence Liability Directive and the Product Liability Directive, are not included.
  2. The section What it means for business is a non-exhaustive list of obligations that may apply. For more details, please refer to the linked articles.
  3. The Next steps section is indicative.

Contributors: Edward Taelman, Emma Keeling, Jane Lavin, Anna van der Leeuw, Thomas Declerck, Agnieszka Kolasinska, Maxime Leleu, Anna Lewis-Martinez.
