Recently, I was involved in coverage of specific rules and regulations that web pages or applications in the EU must adhere to. I thought it might be interesting for others as well to know the most important EU legal rules for IT and web developers.
Sometimes these Directives and Regulations sets only the basic framework and have many implementing technical regulations as you can learn bellow.
The most important EU regulations and directives that may affect development are:
- Directive on Privacy and Electronic Communications
- General Data Protection Regulation
- Artificial Intelligence Act
- Digital Services Act
- Digital Markets Act
- Cyber Resilience Act
- Directive on Measures for a High Common Level of Cybersecurity
- Regulation on Digital Operational Resilience
Directive on Privacy and Electronic Communications
- Current consolidated version: Cookie Directive
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
Also known as: Cookie Directive, ePrivacy Directive
-
Who should be concerned?
- Any service that uses cookies (other than strictly necessary cookies) or similar tracking technologies, and companies providing electronic communications services
-
Caveats:
- Cookies other than strictly necessary ones stored on a userβs device require the user's consent
General Data Protection Regulation
- Current consolidated version: GDPR
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Also known as: GDPR, Data Protection Regulation
-
Who should be concerned?
- Anyone who collects or processes personal data, regardless of their form, size, or sector
-
Caveats:
- Cases when you send personal data outside the EU (this may include the full user IP address to Google, Vercel, etc.)
Artificial Intelligence Act
- Current consolidated version: AI Act
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)
Also known as: AI Act, Artificial Intelligence Act
-
Who should be concerned?
- Developers or providers of AI systems, especially those classified as high-risk or unacceptable risk
- Companies across various sectors that utilize AI technologies for decision-making, customer interaction, or operational efficiency
-
Caveats:
- Severe penalties for non-compliance, including fines up to β¬35 million or 7% of global annual turnover
Digital Services Act
- Current consolidated version: DSA
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)
Also known as: DSA, DSA Regulation
-
Who should be concerned?
- Online platforms and very large online platforms (VLOPs)
-
Caveats:
- FAANG (Facebook, Amazon, Apple, Netflix, Google) or MAMAA (Meta, Apple, Microsoft, Amazon, Alphabet)
Digital Markets Act
- Current consolidated version: DMA
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)
Also known as: DMA, DMA Regulation
-
Who should be concerned?
- Gatekeeper platforms
-
Caveats:
- Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta (Facebook) and Microsoft
Cyber Resilience Act
- Current consolidated version: CRA
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)
Also known as: CRA, CRA Directive
-
Who should be concerned?
- manufacturers, importers and distributors of products with digital elements having data connection to a device or network
-
Caveats:
- Organizations involved in developing open-source software intended for commercial use must implement cybersecurity policies and procedures as well
Directive on Measures for a High Common Level of Cybersecurity
- Current consolidated version: NIS 2
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
Also known as: NIS 2, NIS 2 Directive
-
Who should be concerned?
- Companies in essential sectors such as energy, transport, healthcare, cloud computing services, internet service providers (ISPs), financial services, food production and distribution, chemicals production
-
Caveats:
- Organizations must report significant incidents not only to national authorities but also to affected service recipients without undue delay
- entities are required to assess the cybersecurity posture of their suppliers
Regulation on Digital Operational Resilience
- Current consolidated version: DORA
- Implementing regulations: link
- Judicial precedents: link
Amendments and corrections: link
Full title: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
Also known as: DORA, DORA Regulation
-
Who should be concerned?
- Financial Institutions and their IT services providers
-
Caveats:
- Financial institutions must establish rigorous oversight mechanisms and ensure that their vendors comply with DORA
- Financial institutions have to report their key IT vendros to regulators
So, if you are asked to deliver IT services to a financial institution in the EU, and the project includes AI models for customers' payment terminals data, including an accompanying web app and phone app, as well as servers and database hosted outside of the EU, God bless you.
Top comments (0)