European Digital Compliance: Key Digital Regulation & Compliance Developments
To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the final quarter of 2022.
In this issue, we note the adoption of the EU Digital Services Act and Digital Markets Act, which will be key elements of the digital regulatory regime in the EU. In the UK, the Online Safety Bill edges slowly forward. But the area with the most key developments is cybersecurity and resilience, with both the EU and the UK adopting and proposing new legislation – and so the post-Brexit gap (and the additional regulatory burden for affected businesses) grows proportionately.
In November 2022, the EU Commission announced that it plans to evaluate whether additional action is needed to ensure an equal level of fairness to digital online trading as exists in the offline world. It has launched a public consultation to determine whether existing EU consumer laws are adequate for ensuring a high level of consumer protection in the digital environment. The consultation covers three directives:
The EU’s so-called Omnibus Directive (more formally, the “Enforcement and Modernization Directive” that came into effect in January 2020) has already brought several changes to these three directives, such as requirements for transparency of personalised pricing, ranking of search results, obligations on online marketplaces, and new GDPR-style, revenue-based fines for non-compliant providers. Considering the fast pace of technological progress and its impact on the consumer experience, the Commission intends to assess whether additional measures may still be needed to better address current and emerging needs.
The public consultation will run until February 2023. All stakeholders, including businesses with B2C products or services, may register and contribute to this consultation by submitting the Commission’s online questionnaire.
In addition to this public consultation, the Commission is conducting targeted consultations addressing, in particular, Member States’ authorities and European stakeholder organisations, such as consumer and business organisations.
The Commission will summarise the results of all consultation activities in a report and publish it in the second quarter of 2024. Depending on the conclusions that the Commission draws from the consultations and its further analysis, it may decide to propose additional modifications to these directives to address issues relating to B2C digital products and services.
Areas of further regulation may include a harmonization of rules on renewals and cancellation of subscriptions (currently governed by divergent local laws of the EU Member States) and may introduce specific requirements for new business models such as voice-assisted commerce, AR/VR, and metaverse offerings to the extent that current rules do not fit. However, as a new European Parliament and Commission will be elected in 2024, we do not expect a new legislative proposal before mid-2025.
On 16 November 2022, the EU’s Digital Services Act (DSA) entered into force. The DSA’s main purpose is to fight the spread of illegal content, online disinformation, and other societal digital risks. The DSA introduces a comprehensive regime of content moderation rules for a wide range of businesses operating in the EU, including all providers of hosting services and “online platforms”. See our separate DSA client alert for more details.
Online platforms now have until 17 February 2023 to report their number of average monthly active end users on their websites. Based on these user numbers, the EU Commission will assess whether a platform should be designated a “very large” online platform (VLOP).
The DSA’s main VLOP obligations will apply four months after the Commission’s VLOP notification. VLOPs must then, inter alia, carry out their first annual risk assessment and provide the Commission with the results.
On 17 February 2024, the DSA will fully apply to all (other) in-scope entities. This date is also the deadline for each EU Member State to establish its own Digital Services Coordinator – which will be the competent authority in each country responsible for supervising intermediary services established in their territory and enforcing DSA rules against non-VLOP entities. The European Commission itself is the enforcement authority under the DSA for VLOPs.
Individual Member States are also starting to work on creating any associated laws and regulations for when the DSA takes effect – see our article below about the progress being made in Germany.
Undertakings meeting the quantitative thresholds – annual turnover of €7.5 billion in the EU or market capitalization of €75 billion plus 45 million monthly active end users and 10,000 yearly active business users – must notify the Commission by 2 July 2023 at the latest.
The Commission then has until 1 September 2023 to finalise its designation decisions. The main obligations will apply six months after the designation decision, meaning they will apply from 1 March 2024 onwards at the latest.
These main obligations include data access and data use rules, prohibitions on self-preferencing and bundling, and interoperability obligations (see previous DMA Client Alert for more detail).
From 25 June 2023 onwards, the DMA will also be included in the EU Whistleblowing Directive and Representative Action Directive. This means that consumer class/representative actions under national law must be able to rely on the DMA and that anyone reporting violations of the DMA must be protected from reprisals if they first went through the appropriate internal and external channels.
The UK’s long-awaited Online Safety Bill (OSB) is showing signs of progress after a five-month delay (covered in our previous client alert – see European Digital Compliance: Key Digital Regulation & Compliance Developments). But there’s still a risk that – as it has become more bloated and ambitious in scope – it may fail to be adopted in this parliamentary session.
Below, we outline the key changes in the latest draft of the OSB, which was published in December 2022, as the UK government’s quest to heighten online safety for children and adults continues.
We are expecting answers from Michelle Donelan (Secretary of State for the Department for Digital, Culture, Media & Sport) after she invited online questions about the OSB in December 2022. The OSB is still due to undergo a third reading in the House of Commons before it can (supposedly) reach the House of Lords, where further amendments are expected to be proposed. These changes are expected to include the introduction of criminal offences for new types of illegal conduct, including controlling or coercive behaviour, so-called “epilepsy trolling”, sharing deep fake pornography, and encouraging self-harm.
The OSB must meet its revised deadline of Autumn 2023 (as must all of the other bills that have stalled during the course of this recently extended parliamentary session), otherwise the whole legislative drafting process will need to start again from scratch.
Companies that may be in-scope should keep an eye on the OSB’s progress through Parliament and, following a joint statement from Ofcom and the Information Commissioner’s Office, technology platforms should also prepare to comply with both the OSB and data protection laws. But, in an attempt to ease compliance concerns, the UK government has noted that it plans to adopt a phased approach to the duties of care in the OSB, with an initial focus on tackling illegal content to address the most serious harms as soon as possible.
The UK government has published a new code of practice, which sets out minimum security and privacy requirements for app store operators and app developers.
The Code of Practice for App Store Operators and App Developers (Code) was published in December 2022 by the Department for Digital, Culture, Media and Sport (DCMS) with input from the Information Commissioner’s Office.
The Code sets out recommended security and privacy practices, with the aim to protect digital users from malicious actors and vulnerable apps. While the Code is voluntary, some of its content is mandated through existing legislation, and the government hopes that companies will want to demonstrate their seriousness about app security and privacy by publicly affirming compliance with the Code.
The Code targets app store operators, app developers, and platform developers. It does not apply to business-to-business API providers because responsibility falls on the developers to understand such codes and services during app development.
The Code lists eight principles that should be followed.
There will be a nine-month period for app store operators and developers to implement the Code’s practices. From early 2023, the DCMS plans to arrange meetings with (and request confidential written reports from) app store operators, to review any steps that they have taken to adhere to the Code. For now, responsibility will also fall on app store operators to determine whether app and platform developers have implemented the relevant principles.
The Code is expected to be reviewed and possibly updated at least every two years.
In Q4 of 2022, the EU adopted and published its new Directive on measures for a high common level of cybersecurity across the EU (NIS2). NIS2 will replace the similarly titled Directive (EU) 2016/1148 (NIS1).
Compared to the existing NIS1 rules, NIS2 imposes stricter cybersecurity risk management requirements on more organisations and introduces tougher supervisory and enforcement measures.
After the EU institutions had reached a provisional agreement on the final NIS2 wording in Q2/2022 (see our previous Q2 2022 coverage), the Council of the EU and the European Parliament formally adopted the Directive in November with no further substantive changes. It was then published in the EU’s Official Journal in December as Directive (EU) 2022/2555.
Among other things, NIS2 sets the baseline for cybersecurity risk management measures and reporting obligations across all covered sectors, which includes energy, transport, chemical manufacturing, production and distribution, postal and courier services, healthcare, and digital infrastructure. It forms part of the EU’s wider effort to better protect critical national infrastructure from cybersecurity threats, including the heightened risk and critical vulnerabilities associated with networking and information systems, and digital supply chains.
See our full client alert for a more detailed review on substantive obligations and enforcement rules introduced by NIS2.
Since NIS2 is a Directive, it does not have any directly binding effect but, rather, must be implemented into the national laws of each EU Member State. Following the final adoption, the deadline for this implementation expires on 17 October 2024. We thus expect that national legislators across the EU will get working shortly to ramp up their implementation efforts, and some of them may well aim to finalise that work ahead of the deadline, as was the case for NIS1.
Adoption of NIS2 also marks a further departure from harmonised digital regulatory compliance regimes in the EU and the UK. While the UK had implemented NIS1, it will not implement NIS2 in light of Brexit. Rather, the UK is working on its own revision of its national NIS regime (see next article).
The UK Government has published its response to a public consultation on proposals to amend the UK’s existing Network and Information Systems Regulations 2018 (NIS Regulations). This is one element of the UK government’s digital agenda to better protect the UK’s economy and critical national infrastructure from new and emerging cyber security threats.
Key changes that the UK is now expected to implement include:
See the UK Government’s full response to the consultation for further details.
The UK will now proceed with amending the NIS Regulations to give effect to the changes outlined above. While the original NIS Regulations were derived from EU law, the government has already confirmed that “there will be differences” between the EU’s equivalent rules and the new UK regime. These “differences” will likely be intensified as the EU amends its own NIS1 directive (see previous article) in parallel to the UK. However, until we see full details of the specific legislative amendments and supplementary guidance from the competent authorities, it is not yet clear how different the two regimes will be.
Meanwhile, Ofcom has been conducting its own consultation on its proposed changes to the NIS guidance, which will lower the reporting threshold under the NIS Regulations. Ofcom’s final statement and updated guidance are expected in spring 2023.
For more information regarding the EU’s equivalent NIS rules, read our separate client alert.
In parallel to its legislative proceedings on the NIS2 Directive (see above), the EU also concluded the legislative procedure for a new “Directive on the resilience of critical entities” (CER Directive). The CER Directive is designed to ensure the unobstructed provision of services that are essential to the maintenance of society and economy by laying down substantive obligations and procedural rules to enhance their resilience and supervision. In doing so, the Directive focuses on all topics other than cybersecurity – which will be governed by the NIS2 Directive.
After the EU institutions had reached a provisional agreement on the final CER wording in Q2 of 2022, the Council of the EU and the European Parliament formally adopted the Directive in November with no further substantive changes. It was then published in the EU’s Official Journal in December as Directive (EU) 2022/2557.
The CER Directive applies to “critical entities” across the sectors of energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and production, processing, and distribution of food. Each of these sectors is further broken down into subsectors and/or specific categories of relevant entities. However, companies active in these sectors will only be in-scope of the relevant rules upon specific identification as a critical entity by each Member State based on the relevant criteria set forth in the Directive.
Companies identified as “critical entities” will have to run recurring assessments of all internal and external risks that could disrupt the provision of their essential services and take resilience measures to mitigate these risks. Where incidents occur despite these measures, companies will have to report those to the competent national regulators.
As a Directive, the new CER rules will not have any directly binding effect but must rather be implemented into the national laws of each EU Member State. Following the final adoption, the deadline for this implementation expires on 17 October 2024 – i.e., in parallel to the NIS2 deadline. So, we expect that national legislators across the EU will combine their implementation efforts for both Directives. Based on their national rules, Member States will then have to identify “their” national critical entities by 17 July 2026.
The German government already kicked off the implementation process in early December 2022, shortly before the CER Directive was adopted, by publishing key points for its national CER rules. These key points suggest introducing recurring risk assessment obligations for operators of “critical infrastructures”, minimum requirements regarding physical security in addition to existing cybersecurity rules, and monitoring and reporting of security incidents. Further details will become available once the German government initiates consultations on an actual legislative draft.
In our Q4 2021 alert, we outlined the EU’s approach to enhancing the regulation of connectable products (see also our separate client alert) and the cybersecurity of digital products (see our Q2 2022 alert). In keeping with this theme, the UK has now passed the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act).
There are two main elements of the PSTI Act. Part 1 addresses the cybersecurity of consumer connectable products (also known as “Internet of Things devices” or consumer “smart” devices) made available in the UK (“Products”) to ensure they are “secure by default”; and Part 2 amends the UK’s electronic communications code to facilitate the accelerated deployment and expansion of advanced telecommunications networks across the UK.
PSTI Part 1 will affect manufacturers, importers, and distributors of in-scope Products and requires that they implement specified technical security requirements designed to enhance the cybersecurity of the Products. Obligations also include preparing statements of compliance; investigating and, if necessary, taking action in relation to potential compliance failures (including notifying the enforcement authority (to be determined), distributors of the Products and, under certain conditions, consumers); and maintaining records of compliance failures and investigations for 10 years.
The enforcement authority may investigate compliance failures and issue:
We await regulations specifying the technical details of each security requirement, although the initial requirements are expected to align with the following:
Regulations will also specify the products and software relevant to (and excluded from) each security requirement, the designated enforcement authority, and the required form of compliance statement. The UK government has not provided a timeline on when these may be introduced.
The Federal Ministry of Digital Affairs and Transport recently announced that it is working on a bill to prepare the ground for when the DSA takes effect in Germany. The working title of the draft bill is “Digitale Dienstegesetz” (DDG), which oddly (and perhaps confusingly) translates to “Digital Services Act” – but it will in fact be national legislation rather than the EU-level law of the same name.
Considering that the DSA is directly applicable in all Member States, the DDG will create the necessary rules to enforce the DSA in Germany and amend several existing German laws that currently regulate areas that are also governed by or related to the DSA. The DDG will thus contain very few substantive obligations.
The Ministry aims to publish its proposal for the DDG in Q1 of 2023, so that the legislative process should conclude before the end of 2023.
In September 2022, the German Ministry for Economics and Climate Action (FCO) published its proposal for a “Competition Enforcement Act” to amend national competition law (Act against Restraints of Competition, ARC).
The draft contains three major suggestions:
Once adopted by the government, the draft will enter parliamentary proceedings. This means that the draft could enter into force in Q2 of 2023 at the earliest.
We are grateful to the following member of MoFo’s European Digital Regulatory Compliance team for their contributions: Harry Anderson (trainee solicitor).