GDPR Is Just The Beginning

compliance gdpr nis2 dora
[Illustration: comic book style drawing of people trying to figure out EU regulatory compliance]

When the General Data Protection Regulation (GDPR) was first enacted, technology companies scrambled to become compliant. They rewrote privacy policies, added notices to websites, and created new procedures to handle GDPR requests. Over the years, EU regulatory compliance has become more challenging. Beyond the GDPR, a suite of European Union (EU) regulations impacts technology companies operating within its borders or handling EU citizens' data. These regulations address diverse aspects of the digital landscape, from market competition and content moderation to data access, artificial intelligence (AI), and cybersecurity. Understanding and complying with this evolving legal framework is essential for technology companies seeking to operate successfully and responsibly in the EU market. These regulations include the Digital Markets Act (DMA), the Digital Services Act (DSA), the Data Act, the AI Act, the ePrivacy Directive, the NIS2 Directive, and the Digital Operational Resilience Act (DORA).

Digital Markets Act (DMA)

The DMA targets large online platforms designated as "gatekeepers," aiming to ensure fair competition in digital markets by preventing these gatekeepers from abusing their market power. Critical compliance points include obligations related to interoperability, data portability, and prohibitions on self-preferencing. Noncompliance can result in fines of up to 10% of the gatekeeper's total worldwide turnover in the preceding financial year, and up to 20% for repeated infringements. A significant challenge for non-EU companies is adapting their global business practices to comply with these specific requirements for their EU operations, potentially requiring significant technical and operational adjustments.

Digital Services Act (DSA)

The DSA focuses on online content moderation and aims to create a safer online environment for users by addressing the spread of illegal content, disinformation, and other online harms. Key compliance points include obligations for online platforms to implement content moderation systems, provide transparency reports, and cooperate with national authorities. Penalties for noncompliance can reach up to 6% of the provider's global turnover. For non-EU companies, a challenge lies in understanding and implementing diverse content moderation standards across different EU member states, as well as navigating complex reporting requirements.

Data Act

The Data Act aims to unlock the value of industrial data by promoting data sharing and interoperability while ensuring fairness and protecting data rights, fostering a data-driven economy in the EU. Key compliance points involve obligations related to data access, data portability, and restrictions on unfair contractual terms. Noncompliance can result in fines of up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. Non-EU companies may face challenges in adapting their data governance frameworks to meet the EU's specific requirements for data sharing and access, especially when dealing with data generated by connected devices and services.

AI Act

The proposed AI Act establishes a harmonized legal framework for artificial intelligence systems, classifying them based on risk levels to promote trustworthy AI while mitigating potential risks to fundamental rights and safety. Critical compliance points vary depending on the risk level of the AI system, ranging from transparency obligations to strict conformity assessments. Fines for noncompliance can reach up to €30 million or, if the offender is a company, up to 6% of its total worldwide annual turnover for the preceding financial year, whichever is higher. A primary challenge for non-EU companies is navigating the complex risk-based classification system and ensuring their AI systems meet the EU's stringent requirements, potentially requiring significant modifications to their AI development and deployment processes.

ePrivacy Directive

The ePrivacy Directive complements the GDPR by focusing specifically on the confidentiality of electronic communications, covering areas such as cookies, electronic marketing, and traffic data. Key compliance points involve obtaining user consent for cookies and other tracking technologies, as well as ensuring the confidentiality of communications data. While the ePrivacy Directive itself does not specify penalties, it is implemented through national laws, and penalties vary by member state, often aligning with GDPR levels (up to €20 million or 4% of annual global turnover). Non-EU companies must adapt their online tracking and marketing practices to comply with the EU's strict consent requirements, which can differ significantly from practices in other jurisdictions.

NIS2 Directive

The NIS2 Directive aims to enhance cybersecurity across essential and important sectors in the EU to improve the overall resilience of critical infrastructure and digital services to cyber threats. Key compliance points include implementing cybersecurity risk management measures, reporting significant incidents, and ensuring supply chain security. Penalties for noncompliance can reach up to €10 million or 2% of global annual turnover, depending on the type of infringement. Non-EU companies operating in or providing services to these sectors in the EU must align their cybersecurity practices with the directive's requirements, which may involve significant investments in security infrastructure and processes.

Digital Operational Resilience Act (DORA)

DORA focuses specifically on the financial sector, aiming to strengthen its resilience to ICT-related disruptions. Key compliance points include ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management. Penalties for noncompliance can reach up to 1% of the average daily worldwide turnover of the preceding business year for continued or systematic infringements. Non-EU financial entities operating in the EU must implement robust operational resilience frameworks aligned with DORA's requirements, potentially necessitating substantial changes to their existing ICT and risk management practices.

Ensuring EU Compliance

Navigating the EU's complex regulatory landscape requires diligent attention from all technology companies, especially those based outside the EU. Beyond the well-known GDPR, regulations such as the DMA, DSA, Data Act, AI Act, ePrivacy Directive, NIS2, and DORA impose significant obligations with substantial penalties for noncompliance. Proactive engagement with these regulations, including thorough assessments of business practices and necessary adaptations to technical and operational processes, is not merely a matter of legal compliance but a strategic imperative for any technology company seeking to operate successfully and responsibly within the European Union. Tools and services from companies like Vanta, Drata, Sprinto, and Netwrix can make the process a bit easier.
