kvetoslavnovak
Key EU Directives and Regulations in IT, Web Development, AI, and Data Protection

Recently, I was involved in coverage of specific rules and regulations that web pages or applications in the EU must adhere to. I thought it might be interesting for others as well to know the most important EU legal rules for IT and web developers.

Sometimes these Directives and Regulations set only the basic framework and are supplemented by many implementing technical regulations, as you can see below.

Directive on Privacy and Electronic Communications

  • Current consolidated version: Cookie Directive
  • Implementing regulations and judicial precedents: link

  • Full title: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

  • Also known as: Cookie Directive, ePrivacy Directive

  • Who should be concerned?

    • Any service that uses cookies (other than strictly necessary cookies) or similar tracking technologies, and companies providing electronic communications services
  • Caveats:

    • Cookies other than strictly necessary ones stored on a user’s device require the user's consent

General Data Protection Regulation

  • Current consolidated version: GDPR
  • Implementing regulations and judicial precedents: link

  • Full title: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

  • Also known as: GDPR, Data Protection Regulation

  • Who should be concerned?

    • Anyone who collects or processes personal data, regardless of their form, size, or sector
  • Caveats:

    • Cases when you send personal data outside the EU (this may include the full user IP address to Google, Vercel, etc.)

Artificial Intelligence Act

  • Current consolidated version: AI Act
  • Implementing regulations and judicial precedents: link

  • Full title: Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)

  • Also known as: AI Act, Artificial Intelligence Act

  • Who should be concerned?

    • Developers or providers of AI systems, especially those classified as high-risk or unacceptable risk
    • Companies across various sectors that utilize AI technologies for decision-making, customer interaction, or operational efficiency
  • Caveats:

    • Severe penalties for non-compliance, including fines up to €35 million or 7% of global annual turnover

Digital Services Act

  • Current consolidated version: DSA
  • Implementing regulations and judicial precedents: link

  • Full title: Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)

  • Also known as: DSA, DSA Regulation

  • Who should be concerned?

    • Online platforms and very large online platforms (VLOPs)
  • Caveats:

    • FAANG (Facebook, Amazon, Apple, Netflix, Google) or MAMAA (Meta, Apple, Microsoft, Amazon, Alphabet)

Digital Markets Act

  • Current consolidated version: DMA
  • Implementing regulations and judicial precedents: link

  • Full title: Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)

  • Also known as: DMA, DMA Regulation

  • Who should be concerned?

    • Gatekeeper platforms
  • Caveats:

    • Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta (Facebook) and Microsoft

Directive on Measures for a High Common Level of Cybersecurity

  • Current consolidated version: NIS 2
  • Implementing regulations and judicial precedents: link

  • Full title: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

  • Also known as: NIS 2, NIS 2 Directive

  • Who should be concerned?

    • Companies in essential sectors such as energy, transport, healthcare, cloud computing services, internet service providers (ISPs), financial services, food production and distribution, chemicals production
  • Caveats:

    • Organizations must report significant incidents not only to national authorities but also to affected service recipients without undue delay
    • Entities are required to assess the cybersecurity posture of their suppliers

Cyber Resilience Act

  • Current consolidated version: CRA
  • Implementing regulations and judicial precedents: link

  • Full title: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)

  • Also known as: CRA, CRA Directive

  • Who should be concerned?

    • Manufacturers, importers and distributors of products with digital elements that have a data connection to a device or network
  • Caveats:

    • Organizations involved in developing open-source software intended for commercial use must implement cybersecurity policies and procedures

Regulation on Digital Operational Resilience

  • Current consolidated version: DORA
  • Implementing regulations and judicial precedents: link

  • Full title: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

  • Also known as: DORA, DORA Regulation

  • Who should be concerned?

    • Financial Institutions and their IT services providers
  • Caveats:

    • Financial institutions must establish rigorous oversight mechanisms and ensure that their vendors comply with DORA
    • Financial institutions have to report their key IT vendors to regulators

So, if you are asked to deliver IT services to a financial institution in the EU, and the project includes AI models for customers' payment terminal data, including an accompanying web app, as well as servers and database hosted outside of the EU, God bless you.
