Before embarking on any New Year’s resolutions, it is worth starting with a moment of reflection on the year gone by. In the EU, 2022 brought a number of new regulations in the new technology market, so let’s take a closer look at them. The following is our selection of the most important developments and legislative initiatives to emerge in 2022, which will significantly influence further international and national IP/IT regulations.
DORA – digital operational resilience for financial entities
The specific geopolitical situation has brought the concept of cyber security to prominence in 2022. On 27 December, the Digital Operational Resilience Regulation (DORA) was published in the Official Journal of the European Union, setting up a harmonised regulatory framework to strengthen the ICT security of financial entities. Its objective is to achieve a high common level of digital operational resilience across all EU Member States, aiming to prevent and mitigate cyber threats and ensure that businesses can withstand, respond and recover from all types of ICT-related disruptions and threats. DORA will enter into force on 16 January 2023 and will apply from 17 January 2025. The European supervisory authorities have been tasked with developing technical standards applicable to all financial entities covered by DORA.
The entities subject to DORA are encouraged to start preparing for its application by identifying any gaps in their governance and ICT processes. They should also consider which of their service providers may be considered critical and review their testing and recovery protocols against the standards set out in the new Regulation.
We discuss the main DORA provisions here: What DORA is all about – a shift in cyber security awaiting the financial sector and here.
NIS II – cyber security for network and information systems
Second, a new Network and Information Security Directive (NIS II), which will enter into force on 16 January 2023, was also published in the Official Journal of the European Union on 27 December 2022. The adoption of NIS II not only broadened the scope of the NIS Directive, but also enabled the harmonisation of cyber security requirements and the implementation of cyber measures across Member States. To achieve this, it sets out minimum rules for a regulatory framework and establishes mechanisms for cooperation between the relevant authorities in each Member State. NIS II is to be transposed into national law by 17 October 2024, with EU Member States required to apply its provisions from 18 October 2024.
DSA / DMA – digital services and markets in the EU
Third, Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services, i.e. the Digital Services Act (DSA), and Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector, i.e. the Digital Markets Act (DMA), entered into force in 2022. They both constitute a comprehensive regulatory framework for digital services, including social media and online platforms operating in the European Union.
The aim of the DMA is to ensure that the digital sector is fair with equitable access to digital services for all users. The DMA will apply to undertakings that are considered to be gatekeepers, defined in the Regulation as entities having a significant impact on the internal market; providing a core platform service which serves as an important access point for business users to reach end-users; or having an entrenched and durable position in their operations or expected to foreseeably enjoy such a position in the near future.
In contrast, the main objective of the DSA is to combat illegal services, content or goods on the Internet, in particular laying down the obligations of service providers operating as online intermediaries, e.g. Internet access providers, domain registrars or web hosting providers.
Most of the DSA provisions will come into force on 17 February 2024, with online platform operators other than micro- or small enterprises being required to publish information on the number of active users as early as 2023. Most of the DMA provisions will take effect on 2 May 2023.
For more information on the DSA, click here.
MiCA – a response to the cryptoasset market crisis
We should also not forget the regulations concerning cryptocurrencies. The year 2022 was a hard year for the cryptocurrency market as a progressive decline in the value of coins, the problems of FTX and the collapse of trust, are all raising questions about the future of crypto. The declaration of bankruptcy by FTX, the third largest cryptocurrency exchange, caused an earthquake in the industry. The primary lesson to be learned from recent events is that there is a need for greater financial transparency for cryptocurrency service providers.
The answer to this need is market regulation, and here, the Markets in Crypto Assets (MiCA) regulation could provide some answers to these problems. MiCA is part of the European Union’s larger digital finance package. Its objectives include:
- Creating a single legal framework for the cryptocurrency market in the EU
- Introducing uniform rules for crypto service providers (including exchange operators) and crypto issuers,
- Ensuring market stability and protecting investors from risk.
MiCA will create a harmonised European cryptocurrency market ensuring legal certainty across the EU through clear asset classification and transparent guidelines for service providers and issuers. If the regulations are widely accepted, more institutional investors and more assets may be expected to enter the market, which could help its further development.
In addition to this, due to the scale of the European single market, MiCA could follow in the footsteps of the Data Protection Regulation (GDPR) and also contribute to the formation of similar regulations in other parts of the world. The European Parliament is expected to vote on the draft in February this year and MiCA is likely to enter into force in Q3 2024.
Read more about MICA here: MiCA, or how the European Union intends to regulate the cryptocurrency market.
Artificial Intelligence – a strategic area of interest for the European Union
Legislative excitement is also unabated in the field of AI, with the expected entry into force of the most important piece of AI legislation – the AI Act, a Regulation of the European Parliament and of the Council establishing harmonised rules on artificial intelligence. The aim of this regulation is to develop safe, reliable and ethical artificial intelligence processes in the European Union. The AI Act will divide AI systems by risk categories. The Act specifies which AI applications will be considered unacceptable and has created a category of high-risk AI systems, the operators of which will be subject to a number of obligations.
The year 2022 brought further amendments, bringing us closer to the final wording of the document. At the beginning of December, the Council adopted a common position on the act, and the next step will be for the Parliament to also adopt a common position. The exact date when the AI Act will come into effect is not yet known, but estimates place it around early 2024.
AI is central to the EU’s strategy for creating a digital single market, so in parallel to work on the AI Act, other aspects of AI are also under discussion. In September 2022, the European Commission adopted two proposals leading to the regulation of AI liability. One concerns the modernisation of existing rules on the strict liability of manufacturers for defective products, whereas the other proposes a new, separate directive on AI liability. The Commission’s proposals now need to be adopted by the European Parliament and the Council.
Read more about the new draft AI liability regulations here.
This concludes our regulatory review and we look ahead to 2023. If the acts described in this article apply to your company, you will need to bring your operating model in compliance with the new obligations. Even if the effective dates of the acts are still unknown or appear remote, it is worth analysing how the regulations may affect your business and what changes you may have to make in your operation.
If you have any questions, we will be happy to help.
Contact the authors:
See also:
A difficult time for cryptocurrencies
The Digital Services Act (DSA) – the “Constitution of the Internet” has now entered into force
New liability rules for artificial intelligence in the European Union
