Three important EU laws that we should look out for in 2024
Article by: Constantinos Michael, Director – Legal Services, Baker Tilly South East Europe
If 2023 was the “year of AI”, 2024 looks set to be much the same. There is considerable attention on proposed and recently adopted EU legislation in the digital field, and organisations are already working to understand their current (and forthcoming) obligations under these acts and to put in place the governance frameworks needed to meet them, which is proving to be no easy task.
In a nutshell, according to the EU’s legislative agenda, nearly forty digital-sector laws are still under negotiation or planned as initiatives.
We focus here on three of these laws which, judging by the volume of legal commentary in print and online, are expected to have a heavy impact on many businesses from 2024 onwards.
NIS2 Directive
The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) is aimed at enhancing the cybersecurity and resilience of critical infrastructure and digital services. It repeals and replaces the original NIS Directive of 2016 and is designed to harmonise the approach to cybersecurity across EU Member States. The Directive is already in force; Member States must transpose it into national law and apply it by 17 October 2024. Some important points of the Directive, which broadens the scope of its predecessor, include:
Scope: NIS2 replaces the old categories of operators of essential services (OES) and digital service providers (DSPs) with two new categories, “essential” and “important” entities. It covers sectors such as energy, transport, banking, financial market infrastructures, health, drinking water and waste water, digital infrastructure, ICT service management and public administration, as well as digital providers such as cloud computing services, online marketplaces, search engines and social networking platforms. As a rule it applies to medium-sized and large entities in the covered sectors, i.e. those with at least 50 employees or an annual turnover (or balance sheet total) above €10 million; entities above the thresholds of 250 employees and €50 million turnover (or €43 million balance sheet) are large and generally fall into the “essential” category. Small and micro entities (fewer than 50 employees and annual turnover or balance sheet not exceeding €10 million) are largely exempt, unless they fall within specific exceptions, for example where the entity is the sole provider of a service essential to critical societal or economic activities in a Member State, or is a DNS service provider, top-level domain registry, trust service provider or public electronic communications network provider, in which case the Directive applies regardless of size.
Obligations: Essential and important entities must implement cybersecurity risk-management measures (covering, among other things, risk analysis, incident handling, business continuity, supply chain security, secure development and vulnerability handling, access control and the use of cryptography) and report significant incidents to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Management bodies must approve and oversee these measures, undergo training, and can be held liable for infringements, so the new obligations extend beyond technical controls to governance and incident management.
Cooperation and coordination: Member States are required to cooperate and coordinate with each other, including through the NIS Cooperation Group and the CSIRTs network, to ensure effective implementation and a coordinated response to cybersecurity incidents.
Supervisory authorities and penalties: Each Member State must designate one or more competent authorities to supervise compliance with the Directive, as well as one or more CSIRTs to handle incident response. For infringements of its risk-management or reporting obligations, an essential entity can be fined up to the greater of €10 million or 2% of its total worldwide annual turnover for the previous financial year, while an important entity can be fined up to the greater of €7 million or 1.4% of its total worldwide annual turnover.
DORA
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is part of the EU’s Digital Finance Package. It is a bloc-wide regulation on ICT risk and cybersecurity for the financial services sector; it entered into force in January 2023 and applies from 17 January 2025.
Scope: DORA applies to a wide range of financial entities, including credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, central counterparties, central securities depositories, trading venues, insurers and reinsurers, and data reporting service providers. It also reaches ICT third-party service providers, such as cloud computing service providers, through contractual requirements imposed on the financial entities that use them, and subjects those designated as critical ICT third-party providers to direct oversight by the European Supervisory Authorities. Being a Regulation rather than a Directive, it applies directly in all Member States without national transposition.
Objectives: DORA aims to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions and threats, and to enhance coordination among the relevant authorities. Its main obligations can be grouped into (a) governance and controls, with the management body bearing ultimate responsibility for ICT risk, (b) ICT risk management, (c) classification and reporting of major ICT-related incidents, (d) digital operational resilience testing, including threat-led penetration testing for the larger entities, and (e) management of ICT third-party risk, including mandatory contractual provisions with ICT service providers.
Cyber Resilience Act
The Cyber Resilience Act (CRA) seeks to set EU-wide cybersecurity requirements for products with digital elements (hardware and software) that are placed on the EU market. Political agreement between the European Parliament and the Council was reached on 30 November 2023; formal adoption is expected in 2024, with the obligations applying after a transition period so that manufacturers and supply chains have time to adapt.
The CRA requires manufacturers to design, develop and produce products in line with essential cybersecurity requirements, to carry out a cybersecurity risk assessment, to handle vulnerabilities effectively throughout the product’s support period (including providing security updates), and to report actively exploited vulnerabilities and severe incidents affecting the security of the product, with an early warning due within 24 hours of becoming aware of them. Manufacturers, importers and distributors all carry obligations to ensure that products meet these standards, including undertaking conformity assessments, ensuring that products bear the CE marking and are accompanied by the required technical documentation and user information.
Penalties under the CRA follow the GDPR model of turnover-based fines. A manufacturer that fails to meet the essential cybersecurity requirements or its vulnerability-handling obligations can be fined up to the higher of €15 million or 2.5% of its total worldwide annual turnover for the previous financial year. Breaches of other obligations under the Act can lead to fines of up to the higher of €10 million or 2% of total worldwide annual turnover, and supplying incorrect, incomplete or misleading information to authorities in response to a request can attract fines of up to the higher of €5 million or 1% of total worldwide annual turnover.