Six New EU Regulations – like the AI Act – Explained
1. Introduction – Why are these EU laws relevant?
A lot of new EU regulations will become relevant this year and in the coming years. To make these six new EU regulations easier to understand, the International Association of Privacy Professionals (IAPP) has shared helpful resources on its website. You can find good summaries and explanations there.
To provide a simple way of getting acquainted with these new regulations, we wrote this article 'Six New EU Regulations – like the AI Act – Explained'. We did it to raise awareness of the IAPP and their resources as well. Why is this important? These six new EU regulations are not only relevant for legal professionals. They are important for anyone working with data, be it in engineering, management or in commercial teams. Keep reading to learn more about the IAPP, the short charts they developed and additional comments about these new EU regulations.
The IAPP inspired us to write this article to give you more information about these new (and one already existing, from 2022) EU regulations.
2. What is the IAPP?
The IAPP is a large global information privacy community with the aim of helping to define, promote and improve the privacy profession on a global scale. On their website you will find many helpful tools that are available for free, like the comprehensive explanations of the newest EU regulations regarding data.
3. The evolving landscape of technology and data
It is no surprise that everything revolving around data and technology is constantly changing. New technology appears, new solutions are devised and used, and this affects our everyday lives. Together with this exciting evolution of technology and the many areas of data usage, extensive regulation is needed to keep up with the developments. This will unfortunately mean additional work for organizations to be compliant with these regulations.
Knowledge of these regulations is not only important to avoid heavy fines, but also to be able to show customers and partners that you are taking this seriously. Even if it takes a while before these regulations are fully implemented, it is important to get to know their impact, especially if you are developing or deploying AI. We have already noticed, while negotiating and drafting commercial contracts, that companies expect to discuss the steps taken towards compliance. One way to start understanding the basics of the new EU regulations is by studying the IAPP's 101 Charts on New EU Data Regulation and this article 'Six New EU Regulations – like the AI Act – Explained'.
4. Six New EU Regulations – like the AI Act – Explained
Now, let's give you more details about the six new regulations, such as the AI Act, the Digital Markets Act and the NIS 2 Directive. See this link to learn the differences between an EU Regulation and a Directive.
AI Act
Applicability details
Entry into force: 1 August 2024. From 2 February 2025 certain prohibitions will apply. Full applicability: 2 August 2026. For detailed timeline: See here for updates within the EU, here for Swedish updates and here for updates in the Netherlands.
Comments
One of the most discussed regulations from the EU is the AI Act. After numerous discussions and proposals, the AI Act ultimately entered into force on 1 August 2024. As AI technology continues to evolve and organizations use AI on a larger scale, the AI Act will play a big role in the near future. How it will play out exactly is hard to foresee, as the regulation has only been in force for a short time.
According to the EU, it has developed the AI Act in line with its values and principles to protect citizens from unacceptable risks. AI is a great tool with a wide range of possibilities. However, there is uncertainty about its development, and it can be used in disadvantageous ways. Therefore, using AI safely and in a regulated way will be the future in the EU.
Short summary of the AI Act: “The AI Act lays down a comprehensive legal framework for the development, marketing and use of AI in the EU in conformity with EU values. It promotes the uptake of human-centric and trustworthy AI while ensuring a high level of protection of health, safety and fundamental rights, including democracy, the rule of law and environmental protections”.
For more information on the AI Act, see here.
NIS 2 Directive
Applicability details
Deadline for EU Member States to implement: 17 October 2024.
Comments
Next, it is important to mention the NIS 2 Directive, which replaces the NIS 1 Directive. As tech usage and data breaches increase for many companies, data security and cybersecurity should be a high priority. If your company handles data, that is especially important. Unfortunately, cyber threats are more common now, which is why it is important to prepare and improve the EU's cybersecurity. The NIS2 Directive is an important part of this initiative. It aims to achieve a high common level of cybersecurity across the EU.
Three main points of the NIS2 Directive are to ensure that:
- the Member States are prepared by being appropriately equipped, e.g. with a Computer Security Incident Response Team,
- a Cooperation Group is set up, making cooperation and information sharing among EU Member States easy, and
- an overall security culture is incorporated into vital sectors of the EU Member States.
The NIS2 Directive applies to many medium-sized to large companies that are involved in the handling of data. See the links below to check if your company is required to take appropriate security measures and, for example, notify the relevant national authorities of serious incidents.
The IAPP explains the broad effect of the NIS2 Directive as follows: "This chart explores the NIS2 Directive on measures for a high common level of cybersecurity across the EU, which further improves the resilience and incident response capacities of the public and private sectors, and the EU as a whole".
See further information from the IAPP on the NIS2 Directive via this link.
For information about the NIS2 Directive in the Netherlands (in Dutch: Cyberbeveiligingswet (NIS2-richtlijn)), see the official explanation by the Dutch government here. For information about the NIS2 Directive in Sweden (in Swedish: Cybersäkerhetslagen), see the official explanation by the Swedish government here.
Data Act
Applicability details
Entry into force: 11 January 2024. Applicable from: September 2025.
Comments
The Data Act is a complementary Act to the Data Governance Act (DGA) discussed below. The main goals of the Data Act are to:
- enhance legal certainty for the use and sharing of data,
- protect against unfair contracts,
- give the public sector access to private data, e.g. in case of emergencies, and
- make it easier for customers to switch between data-processing service providers.
Knowledge of the Data Act is therefore especially valuable for organizations that access and use data in the EU, which includes most organizations. Using and accessing data while keeping the market competitive is in line with numerous countries' national legislation and is now also regulated at EU level. Ensuring the free flow of data opens opportunities that otherwise could have been lost.
Short summary of the Data Act: “The Data Act creates new rules on who can access and use data generated in the EU across all economic sectors. It aims to ensure fairness in the allocation of value from data, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible to all users”.
For more information on the Data Act, see links here: the IAPP, the European Commission and the Swedish government.
Data Governance Act (DGA)
Applicability details
Entry into force: 23 June 2022. Applicable from: September 2023.
Comments
The next part of the EU data regulation is the DGA. It is important to mention the DGA even though it has already entered into force. The DGA aims to increase trust and ease when sharing data while maintaining EU values and principles.
The aims of the DGA are achieved through:
- better access to certain data from the public sector and data from citizens and businesses for society's benefit, so-called data altruism,
- easier ways to share data across borders,
- while ensuring trustworthy ways of data sharing.
The IAPP describes the DGA as follows: “The DGA seeks to foster public sector information reuse; to create a supervisory framework for the provision of data sharing services; and to establish a framework for voluntary registration of entities which collect and process data made available for altruistic purposes”.
Follow this link for further information from the IAPP on the DGA. See this link for explanations from the EU, this link for an explanation by the Dutch Government and this link for an explanation by the Swedish government.
Digital Markets Act (DMA)
Applicability details
Entry into force: 4 October 2022. Applicable from: 2 May 2023.
Comments
The previous new EU regulations, apart from the AI Act, generally focus on promoting the free flow of data. The DMA is different. It forces larger technology platforms, like Alphabet, Amazon and Meta, to allow smaller businesses to advertise on and use data gained from these large technology platforms. Smaller businesses and consumers receive more benefits from the DMA, as they are provided more options of better and cheaper services to choose from. As part of the "Digital Services Package" together with the Digital Services Act (DSA) discussed below, the two main goals are to:
- create a safer digital space where users' fundamental rights are protected, and
- establish an even market in the EU and globally.
Most of the provisions in the DMA apply from 2 May 2023, but some have been applicable since 1 November 2022. If your business is involved in digital services, it is important that you ensure compliance with the DMA.
Precisely as the IAPP lays it out, the DMA aims to do the following: "The DMA creates new obligations for big technology platforms acting as 'gatekeepers providing core platform services' to create a fairer environment for business users that rely on gatekeepers, and to ensure consumers have access to better services and can easily switch providers".
Follow this link for further information from the IAPP on the DMA.
Digital Services Act (DSA)
Applicability details
Entry into force: 8 November 2022. Applicable from: 17 February 2024.
Comments
Hand in hand with the DMA, both constituting "the Digital Services Package", the DSA aims to regulate online intermediaries and platforms, like marketplaces and social networks.
The special focus of the DSA is:
- preventing illegal and harmful activities,
- preventing the spread of disinformation while protecting users' safety and fundamental rights, and
- strengthening consumer rights online.
Along with the DMA, the DSA is intended to create a good online environment for both citizens and businesses. It became applicable from 17 February 2024. Thus, the DSA comes with regulation applicable to businesses that provide digital services to citizens in the EU. However, this is only applicable to online platforms that have more than 45 million users per month in the EU.
The IAPP describes the DSA as follows: "The DSA aims to harmonize conditions for the provision of intermediary services and increases transparency requirements for online intermediaries".
Read here for further information from the IAPP on the DSA and here for information from the Swedish government.
Final comments
Major changes are ahead as these regulations apply to all companies, private or public, that handle data. Staying compliant and on track with these changes is important if you are affected. Hopefully this article 'Six New EU Regulations – like the AI Act – Explained' was helpful to you.
For further information about these regulations, contact us via lowa@amstlegal.com or visit the IAPP website or the links below for specific information on each EU Regulation.
Resources:
https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
https://digital-strategy.ec.europa.eu/en/policies/data-act
https://digital-strategy.ec.europa.eu/en/policies/data-governance-act
https://digital-strategy.ec.europa.eu/en/policies/data-governance-act-explained
https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
https://eur-lex.europa.eu/EN/legal-content/summary/digital-markets-act.html
https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32022R2065&qid=1723653653789
https://www.eu-digital-markets-act.com
https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32022L2555
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
Tip 9: Use general terms & conditions where possible
Use General Terms & Conditions (T&C's) where possible
Issue: it takes a lot of time to get your company's customer contracts (B2B) signed, even if you have great templates.
Do you constantly need to go back and forth with your customers to make small changes to your contract template, which leads to delays because e.g. both the commercial team and the legal team need to amend the client contract manually?
Solution: consider making T&C's instead and adding these to your website.
The next step is to create a great Order Form with:
– details of the customer and company;
– pricing;
– products list;
– …,
with a reference to these T&C's.
Make sure to perform a legal and commercial analysis depending on your company to determine that all important clauses are added to the Order Form.
This is a very common practice for B2C companies, but for B2B there is still a lot of work to do. Software/tech companies are leading the way in this way of contracting.
Result:
– the Order Form can be completed by the Sales/Commercial Team without involvement of Legal.
– there is no need to complete the customer contract, so you can share the customer contract at a very early stage of the sales process.
– if the client has no comments, the Legal Team does NOT need to be involved.
– if the client has comments, the Legal Team can negotiate the T&Cs, but only under certain conditions (e.g. approval management, volume and/or strategic importance).
– contracts are signed quicker.
Make sure that all your clients have read and approved the T&Cs. Only mentioning the link to the T&Cs is not sufficient.
Background: In the past month I noticed with three clients (all tech companies) that, next to their Order Form, they also had to complete and send out specific customer contracts (traditional customer/client contracts). Traditional contract meaning: manually add the names and details of the parties on the first page, followed by specific contract wording where further specific information needs to be added. Of course perfectly fine in a more traditional setting, but when dealing with tech/SaaS clients this is not very ideal. I advised all three clients to change the contract setup from traditional contracts to Order Forms with a link to T&Cs. They all implemented this approach with great success and very good feedback from the Management and Sales teams.
IMPORTANT: this approach does not work for all companies, but it is especially helpful in technology companies (SaaS / CPAAS / Fintech / MedTech / ConstruTech / ...). Please discuss with your legal counsel / lawyer how to implement this in your company (and whether it would be suitable at all).
Contact me if you want to have a chat about this.