The EU's new data and cybersecurity law

Stefan Hessel

The EU's new data and cybersecurity law

When it comes to data in the context of EU regulations and directives, people usually think of data protection and the General Data Protection Regulation (GDPR). This is hardly surprising: At the latest with the application of the GDPR as of 25 May 2018, data protection issues have become a focus of the general public and a key compliance issue.

From an economic perspective, however, it is not only the personal data protected by the GDPR that is of interest. Data without personal references have a high degree of economic relevance, especially in the development of new technologies and innovative services. Distinct from personal data, non-personal data are data that do not relate to an identified or identifiable living person, such as data on the maintenance needs of machinery, aggregated and anonymised data in the context of big data, or data related to precision agriculture for the purpose of monitoring and optimising the use of pesticides and water.

The European Commission has also recognised that these data are of great economic value to companies and government players, and that the exchange, reuse and processing of these data are essential for technical innovations and digitization. With a total of eight legal acts, the Commission wants to shape data law within the EU, creating numerous new regulations, for example for the commercial exchange of data, the regulation of large online platforms and the use of artificial intelligence.

With the ever-increasing economic importance of data and the progressive networking of products (keyword: Internet of Things (IoT)) crime is also on the rise in this area. Almost every day there are reports of major cyberattacks, the use of ransomware and leaked data sets. The Commission has also recognised this: "If everything is networked, everything can be hacked," said EU Commission President von der Leyen in her September 2021 state of the European Union address. Three legal acts are therefore intended to arm the EU against the numerous threats posed by cybercrime.

The following is a brief overview of the legal acts already in force and the new ones, their objectives and the measures planned in each case.

1. The Network and Information Systems (NIS) Directive

The 2016 Directive "concerning measures for a high common level of security of network and information systems across the Union" (NIS Directive) aims to create a uniform legal framework for cybersecurity, leading to greater cooperation among EU member states in this regard.

In the course of this Directive, which was implemented in Germany in 2017, member states were required to introduce appropriate technical and organisational measures and to secure their respective networks and information systems. At the same time, minimum requirements and security incident reporting obligations were introduced for operators of essential services and digital service providers. The Directive, which is aimed in particular at the finance and insurance, health, transport and traffic, energy, water and food sectors, but also at digital infrastructure, is to be revised as part of NIS 2.0 and adapted to new challenges.

2. The Free Flow of Data (FFD) Regulation

Already adopted in November 2018, this regulation aims to facilitate the free flow of non-personal data within the EU in order to promote the European data industry and the development of cross-border technologies.

One of the most important measures of the Regulation is the removal of so-called "data localisation requirements", national provisions of the member states that prevent certain data from being transferred abroad. This is because that national administrative and judicial authorities have a strong interest in ensuring that data remain within their sphere of control. In return, however, the requirements prevent the transfer of data and thus also the use of the cloud, for example. The FFD Regulation has resolved this conflict by means of regulatory control with national authorities retaining access to data even if they are located in another member state.

3. The Cybersecurity Act

This legal act, which came into force in June 2019, is intended to help ensure that IT products, services and processes must take cybersecurity requirements into account and implement them at the development stage.

To this end, the role of the European Union Agency for Cyber Security (ENISA) is to be strengthened and given a permanent mandate. In addition to the EU institutions, it is intended to support the member states in improving cyber security. The Cybersecurity Act moreover introduces a European certification framework for cybersecurity, which classifies IT products, services and processes into defined "low," "medium" and "high" security levels.  

4. The Open Data and Public Sector Information (OD-PSI) Directive

Also adopted in June 2019, this Directive aims to improve the availability of public sector data and introduce Europe-wide rules for the re-use of these data. The public sector produces a wide variety of data, such as meteorological data, digital maps, statistics, environmental information, and mobility data, but accessing or using these data is often not possible for both technical and legal reasons.

This problem is to be remedied by obligating member states to make documents re-usable and by defining and identifying "high-quality data sets". By "high-quality datasets", the EU Commission means data whose reuse is associated with important benefits for society, the environment and the economy, particularly because of their suitability for the creation of value-added services, applications and jobs. The use of standard licenses is simultaneously to be promoted.

5. The Digital Content Directive

The main objective of this Directive, which has already been adopted but not yet transposed, is to improve access to digital content and services for consumers and to standardise them throughout Europe. This is intended to achieve a "true digital single market" while ensuring a high level of consumer protection.

The Digital Content Directive focuses on consumer contracts aimed at the provision of digital content or services. For example, the Directive introduces, among other things, new rules for the provision of digital products and new types of contracts for the German Civil Code, requiring the provision of updates. Defect rights for digital content are also to be adjusted.

6. The Data Governance Act (DGA)

This piece of legislation, which is currently in the draft stage, aims to facilitate the exchange and availability of data (especially agricultural, environmental and health data) between private individuals, companies and the public sector. Research, innovation and the creation of statistics are to be improved.

This is to be accomplished through the provision of public sector data for reuse, the sharing of data by companies in return for payment, and the deployment of neutral data trustees and data brokers for the use of personal data. At the same time, data use for "altruistic reasons" is also to be made possible. This is intended to allow individuals and companies to voluntarily provide data for the public good.

7. The Digital Services Act (DSA)

Also in the deliberation stage is the Digital Services Act. The DSA is intended to create sound conditions for the provision of innovative services in the Single Market and to contribute to online security.

This legal act primarily targets providers of intermediary services (especially online platforms such as social media and marketplaces), which are to take stronger action against illegal content, create an appeal option for users and, in addition to more transparency, also improve cooperation with authorities. For enforcement purposes, fines of up to 6% of total annual turnover are to be imposed.

8. The Digital Markets Act (DMA)

The Digital Markets Act is one of the many legislative bills. The goals of the DMA are to create a higher level of competition in digital markets, prevent abuse of market power by large companies, and facilitate market entry for new companies.

This is to be accomplished by, among other things, prohibiting the combination of data from different online services. Accordingly, Facebook, Instagram and WhatsApp, for example, which belong to the Facebook Group, would no longer be allowed to link and combine data. To enforce this, fines of up to 10% of the total annual turnover are to be imposed.

9. The Artificial Intelligence Act (AIA)

With the increasing importance of artificial intelligence (AI) for businesses, calls for legal regulation of this field are also growing louder. The EU Commission intends to address this issue by way of the Artificial Intelligence Act, which is also still in the deliberation stage, creating a legal framework for the use of AI.

For this purpose, AI is to be classified in terms of risk classes: The higher the risk, the more extensive the obligations to be imposed on the respective company. In the event of an unacceptable risk, it will even be possible to ban the use of a product altogether. Fines of up to 6% of total annual turnover are intended to have a disciplinary effect in this regard.

10. The Data Act (DA)

The Data Act, which is still in the consultation and approval phase, aims to facilitate access to and use of data. Databases are furthermore to be better protected by law.

To this end, measures enabling the equitable distribution of the benefits and value of data among data industry stakeholders are to be put in place.

11. The Cyber Resilience Act

The aim of this legal act, which has so far only been announced, is to establish uniform cybersecurity standards for networked devices. In conjunction with the NIS 2.0 Directive, the objective is to increase the EU's collective resilience against cyberattacks by establishing a Joint Cyber Unit.

Measures to be taken include developing a "doctrine for cyberattacks" and enhancing capabilities to track attacks.


The EU Commission has recognised the importance and economic value of data. With a comprehensive package of measures, it wants to create a legal framework for European data and cybersecurity law. In addition to protection, the main focus is on the exchange and usability of data.

It remains to be seen to what extent any conflicts with data protection law, in particular the GDPR, will arise and how such conflicts will be handled. However, it is clear that companies should address the new regulations at an early stage as part of their compliance management in order to avoid violations after the new requirements come into force and to be able to benefit quickly from new advantages.

[November 2021]