The EU’s new data and cyber­se­cu­ri­ty law

The EU’s new data and cyber­se­cu­ri­ty law

When it comes to data in the con­text of EU regu­la­ti­ons and direc­ti­ves, peo­p­le usual­ly think of data pro­tec­tion and the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR). This is hard­ly sur­pri­sing: At the latest with the appli­ca­ti­on of the GDPR as of 25 May 2018, data pro­tec­tion issues have beco­me a focus of the gene­ral public and a key com­pli­ance issue.

From an eco­no­mic per­spec­ti­ve, howe­ver, it is not only the per­so­nal data pro­tec­ted by the GDPR that is of inte­rest. Data wit­hout per­so­nal refe­ren­ces have a high degree of eco­no­mic rele­van­ce, espe­ci­al­ly in the deve­lo­p­ment of new tech­no­lo­gies and inno­va­ti­ve ser­vices. Distinct from per­so­nal data, non-personal data are data that do not rela­te to an iden­ti­fied or iden­ti­fia­ble living per­son, such as data on the main­ten­an­ce needs of machi­nery, aggre­ga­ted and anony­mi­sed data in the con­text of big data, or data rela­ted to pre­cis­i­on agri­cul­tu­re for the pur­po­se of moni­to­ring and opti­mi­sing the use of pesti­ci­des and water.

The Euro­pean Com­mis­si­on has also reco­g­nis­ed that the­se data are of gre­at eco­no­mic value to com­pa­nies and govern­ment play­ers, and that the exch­an­ge, reu­se and pro­ces­sing of the­se data are essen­ti­al for tech­ni­cal inno­va­tions and digi­tiza­ti­on. With a total of eight legal acts, the Com­mis­si­on wants to shape data law within the EU, crea­ting num­e­rous new regu­la­ti­ons, for exam­p­le for the com­mer­cial exch­an­ge of data, the regu­la­ti­on of lar­ge online plat­forms and the use of arti­fi­ci­al intel­li­gence.

With the ever-increasing eco­no­mic importance of data and the pro­gres­si­ve net­wor­king of pro­ducts (key­word: Inter­net of Things (IoT)) crime is also on the rise in this area. Almost every day the­re are reports of major cyber­at­tacks, the use of ran­som­wa­re and lea­k­ed data sets. The Com­mis­si­on has also reco­g­nis­ed this: “If ever­y­thing is net­work­ed, ever­y­thing can be hacked,” said EU Com­mis­si­on Pre­si­dent von der Ley­en in her Sep­tem­ber 2021 sta­te of the Euro­pean Uni­on address. Three legal acts are the­r­e­fo­re inten­ded to arm the EU against the num­e­rous thre­ats posed by cyber­crime.

The fol­lo­wing is a brief over­view of the legal acts alre­a­dy in force and the new ones, their objec­ti­ves and the mea­su­res plan­ned in each case.

1. The Net­work and Infor­ma­ti­on Sys­tems (NIS) Directive

The 2016 Direc­ti­ve “con­cer­ning mea­su­res for a high com­mon level of secu­ri­ty of net­work and infor­ma­ti­on sys­tems across the Uni­on” (NIS Direc­ti­ve) aims to crea­te a uni­form legal frame­work for cyber­se­cu­ri­ty, lea­ding to grea­ter coope­ra­ti­on among EU mem­ber sta­tes in this regard.

In the cour­se of this Direc­ti­ve, which was imple­men­ted in Ger­ma­ny in 2017, mem­ber sta­tes were requi­red to intro­du­ce appro­pria­te tech­ni­cal and orga­ni­sa­tio­nal mea­su­res and to secu­re their respec­ti­ve net­works and infor­ma­ti­on sys­tems. At the same time, mini­mum requi­re­ments and secu­ri­ty inci­dent report­ing obli­ga­ti­ons were intro­du­ced for ope­ra­tors of essen­ti­al ser­vices and digi­tal ser­vice pro­vi­ders. The Direc­ti­ve, which is aimed in par­ti­cu­lar at the finan­ce and insu­rance, health, trans­port and traf­fic, ener­gy, water and food sec­tors, but also at digi­tal infra­struc­tu­re, is to be revi­sed as part of NIS 2.0 and adapt­ed to new challenges.

2. The Free Flow of Data (FFD) Regulation

Alre­a­dy adopted in Novem­ber 2018, this regu­la­ti­on aims to faci­li­ta­te the free flow of non-personal data within the EU in order to pro­mo­te the Euro­pean data indus­try and the deve­lo­p­ment of cross-border technologies.

One of the most important mea­su­res of the Regu­la­ti­on is the rem­oval of so-called “data loca­li­sa­ti­on requi­re­ments”, natio­nal pro­vi­si­ons of the mem­ber sta­tes that pre­vent cer­tain data from being trans­fer­red abroad. This is becau­se that natio­nal admi­nis­tra­ti­ve and judi­cial aut­ho­ri­ties have a strong inte­rest in ensu­ring that data remain within their sphe­re of con­trol. In return, howe­ver, the requi­re­ments pre­vent the trans­fer of data and thus also the use of the cloud, for exam­p­le. The FFD Regu­la­ti­on has resol­ved this con­flict by means of regu­la­to­ry con­trol with natio­nal aut­ho­ri­ties retai­ning access to data even if they are loca­ted in ano­ther mem­ber state.

3. The Cyber­se­cu­ri­ty Act

This legal act, which came into force in June 2019, is inten­ded to help ensu­re that IT pro­ducts, ser­vices and pro­ces­ses must take cyber­se­cu­ri­ty requi­re­ments into account and imple­ment them at the deve­lo­p­ment stage.

To this end, the role of the Euro­pean Uni­on Agen­cy for Cyber Secu­ri­ty (ENISA) is to be streng­the­ned and given a per­ma­nent man­da­te. In addi­ti­on to the EU insti­tu­ti­ons, it is inten­ded to sup­port the mem­ber sta­tes in impro­ving cyber secu­ri­ty. The Cyber­se­cu­ri­ty Act moreo­ver intro­du­ces a Euro­pean cer­ti­fi­ca­ti­on frame­work for cyber­se­cu­ri­ty, which clas­si­fies IT pro­ducts, ser­vices and pro­ces­ses into defi­ned “low,” “medi­um” and “high” secu­ri­ty levels. 

4. The Open Data and Public Sec­tor Infor­ma­ti­on (OD-PSI) Directive

Also adopted in June 2019, this Direc­ti­ve aims to impro­ve the avai­la­bi­li­ty of public sec­tor data and intro­du­ce Europe-wide rules for the re-use of the­se data. The public sec­tor pro­du­ces a wide varie­ty of data, such as meteo­ro­lo­gi­cal data, digi­tal maps, sta­tis­tics, envi­ron­men­tal infor­ma­ti­on, and mobi­li­ty data, but acces­sing or using the­se data is often not pos­si­ble for both tech­ni­cal and legal reasons.

This pro­blem is to be reme­di­ed by obli­ga­ting mem­ber sta­tes to make docu­ments re-usable and by defi­ning and iden­ti­fy­ing “high-quality data sets”. By “high-quality data­sets”, the EU Com­mis­si­on means data who­se reu­se is asso­cia­ted with important bene­fits for socie­ty, the envi­ron­ment and the eco­no­my, par­ti­cu­lar­ly becau­se of their sui­ta­bi­li­ty for the crea­ti­on of value-added ser­vices, appli­ca­ti­ons and jobs. The use of stan­dard licen­ses is simul­ta­neous­ly to be promoted.

5. The Digi­tal Con­tent Directive

The main objec­ti­ve of this Direc­ti­ve, which has alre­a­dy been adopted but not yet trans­po­sed, is to impro­ve access to digi­tal con­tent and ser­vices for con­su­mers and to stan­dar­di­se them throug­hout Euro­pe. This is inten­ded to achie­ve a “true digi­tal sin­gle mar­ket” while ensu­ring a high level of con­su­mer protection.

The Digi­tal Con­tent Direc­ti­ve focu­ses on con­su­mer con­tracts aimed at the pro­vi­si­on of digi­tal con­tent or ser­vices. For exam­p­le, the Direc­ti­ve intro­du­ces, among other things, new rules for the pro­vi­si­on of digi­tal pro­ducts and new types of con­tracts for the Ger­man Civil Code, requi­ring the pro­vi­si­on of updates. Defect rights for digi­tal con­tent are also to be adjusted.

6. The Data Gover­nan­ce Act (DGA)

This pie­ce of legis­la­ti­on, which is curr­ent­ly in the draft stage, aims to faci­li­ta­te the exch­an­ge and avai­la­bi­li­ty of data (espe­ci­al­ly agri­cul­tu­ral, envi­ron­men­tal and health data) bet­ween pri­va­te indi­vi­du­als, com­pa­nies and the public sec­tor. Rese­arch, inno­va­ti­on and the crea­ti­on of sta­tis­tics are to be improved.

This is to be accom­plished through the pro­vi­si­on of public sec­tor data for reu­se, the sha­ring of data by com­pa­nies in return for pay­ment, and the deploy­ment of neu­tral data trus­tees and data bro­kers for the use of per­so­nal data. At the same time, data use for “altru­i­stic reasons” is also to be made pos­si­ble. This is inten­ded to allow indi­vi­du­als and com­pa­nies to vol­un­t­a­ri­ly pro­vi­de data for the public good.

7. The Digi­tal Ser­vices Act (DSA)

Also in the deli­be­ra­ti­on stage is the Digi­tal Ser­vices Act. The DSA is inten­ded to crea­te sound con­di­ti­ons for the pro­vi­si­on of inno­va­ti­ve ser­vices in the Sin­gle Mar­ket and to con­tri­bu­te to online security.

This legal act pri­ma­ri­ly tar­gets pro­vi­ders of inter­me­dia­ry ser­vices (espe­ci­al­ly online plat­forms such as social media and mar­ket­places), which are to take stron­ger action against ille­gal con­tent, crea­te an appeal opti­on for users and, in addi­ti­on to more trans­pa­ren­cy, also impro­ve coope­ra­ti­on with aut­ho­ri­ties. For enforce­ment pur­po­ses, fines of up to 6% of total annu­al tur­no­ver are to be imposed.

8. The Digi­tal Mar­kets Act (DMA)

The Digi­tal Mar­kets Act is one of the many legis­la­ti­ve bills. The goals of the DMA are to crea­te a hig­her level of com­pe­ti­ti­on in digi­tal mar­kets, pre­vent abu­se of mar­ket power by lar­ge com­pa­nies, and faci­li­ta­te mar­ket ent­ry for new companies.

This is to be accom­plished by, among other things, pro­hi­bi­ting the com­bi­na­ti­on of data from dif­fe­rent online ser­vices. Accor­din­gly, Face­book, Insta­gram and Whats­App, for exam­p­le, which belong to the Face­book Group, would no lon­ger be allo­wed to link and com­bi­ne data. To enforce this, fines of up to 10% of the total annu­al tur­no­ver are to be imposed.

9. The Arti­fi­ci­al Intel­li­gence Act (AIA)

With the incre­asing importance of arti­fi­ci­al intel­li­gence (AI) for busi­nesses, calls for legal regu­la­ti­on of this field are also gro­wing lou­der. The EU Com­mis­si­on intends to address this issue by way of the Arti­fi­ci­al Intel­li­gence Act, which is also still in the deli­be­ra­ti­on stage, crea­ting a legal frame­work for the use of AI.

For this pur­po­se, AI is to be clas­si­fied in terms of risk clas­ses: The hig­her the risk, the more exten­si­ve the obli­ga­ti­ons to be impo­sed on the respec­ti­ve com­pa­ny. In the event of an unac­cep­ta­ble risk, it will even be pos­si­ble to ban the use of a pro­duct altog­e­ther. Fines of up to 6% of total annu­al tur­no­ver are inten­ded to have a disci­pli­na­ry effect in this regard.

10. The Data Act (DA)

The Data Act, which is still in the con­sul­ta­ti­on and appr­oval pha­se, aims to faci­li­ta­te access to and use of data. Data­ba­ses are fur­ther­mo­re to be bet­ter pro­tec­ted by law.

To this end, mea­su­res enab­ling the equi­ta­ble dis­tri­bu­ti­on of the bene­fits and value of data among data indus­try stake­hol­ders are to be put in place.

11. The Cyber Resi­li­ence Act

The aim of this legal act, which has so far only been announ­ced, is to estab­lish uni­form cyber­se­cu­ri­ty stan­dards for net­work­ed devices. In con­junc­tion with the NIS 2.0 Direc­ti­ve, the objec­ti­ve is to increase the EU’s coll­ec­ti­ve resi­li­ence against cyber­at­tacks by estab­li­shing a Joint Cyber Unit.

Mea­su­res to be taken include deve­lo­ping a “doc­tri­ne for cyber­at­tacks” and enhan­cing capa­bi­li­ties to track attacks.


The EU Com­mis­si­on has reco­g­nis­ed the importance and eco­no­mic value of data. With a com­pre­hen­si­ve packa­ge of mea­su­res, it wants to crea­te a legal frame­work for Euro­pean data and cyber­se­cu­ri­ty law. In addi­ti­on to pro­tec­tion, the main focus is on the exch­an­ge and usa­bi­li­ty of data.

It remains to be seen to what ext­ent any con­flicts with data pro­tec­tion law, in par­ti­cu­lar the GDPR, will ari­se and how such con­flicts will be hand­led. Howe­ver, it is clear that com­pa­nies should address the new regu­la­ti­ons at an ear­ly stage as part of their com­pli­ance manage­ment in order to avo­id vio­la­ti­ons after the new requi­re­ments come into force and to be able to bene­fit quick­ly from new advantages.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.