What European laws in the field of data protection and privacy do we need to know? Part 2

(eIDAS, DGA, DORA, CRA, AIA)
The eIDAS Regulation, which stands for Electronic Identification, Authentication and trust Services, is a major piece of EU legislation that came into force in July 2016. Its main objective is to increase trust and confidence in electronic transactions between citizens, businesses and public administrations across the European Union by providing a common basis for secure electronic interaction. Here's a brief overview of its key aspects:
Key components of eIDAS:
- Standardise electronic identification (eID): eIDAS establishes a framework for mutual recognition and interoperability of electronic identification schemes across EU Member States, allowing citizens and businesses to use their own national eIDs to access public services in other EU countries.
- Trust services: eIDAS creates a legal framework for electronic signatures, seals and other related trust services, ensuring that they are legally recognised and have the same status as their traditional counterparts (e.g. handwritten signatures).
- Electronic signatures: One of the best known aspects of eIDAS is its provision for electronic signatures, distinguishing between simple, advanced and qualified electronic signatures, with qualified signatures offering the highest level of security and legal effect.
- Enhancing trust and security online: By setting standards for electronic transactions, eIDAS aims to increase the efficiency, security and trust of online services.
eIDAS is a cornerstone of the EU's Digital Single Market strategy, facilitating seamless and secure electronic interactions between Member States. It supports the digital transformation of public services (eGovernment) and promotes trust in online transactions, contributing to the growth of the digital economy in Europe.
An updated version, colloquially known as eIDAS 2, has already been published and will enter into force on 20 May 2024. eIDAS 2 extends the scope beyond the original provisions to include new types of electronic trust services and to improve the framework for electronic identities (eIDs). The focus is on improving the management of cross-border electronic identification and trust services, aiming at greater interoperability and ease of use across Member States.
eIDAS 2 ensures higher standards for data protection and verification.
It introduces the concept of a universal digital identity wallet that links a Member State citizen's national digital identity with their other personal attributes such as driving licence, diplomas and bank accounts. The EU digital identity wallets will be available across the EU to access public and private digital services, and will give wallet users the right to choose which aspects of their identity and data they share with third parties. Due to the scale of the project, widespread use of identity wallets is not expected before 2026.
The Data Governance Act (DGA) is a legislative proposal from the European Commission, part of the broader European strategy for data, which aims to promote the availability of data for use. It has been adopted by the European Parliament and the Council. The DGA aims to increase trust in data sharing, improve data access mechanisms and facilitate the re-use of certain categories of protected public sector data that cannot be made available as open data. Here's a quick overview:
Key points of the Data Governance Act:
- The DGA aims to create a trusted environment that encourages more businesses and individuals to share their data, thereby increasing the amount and variety of data available for innovation and value creation.
- It proposes the establishment of a European Data Innovation Board to facilitate cross-sectoral data sharing and use, including the exchange of best practices between member states.
- Introduces the concept of data intermediary services to facilitate data sharing, acting as neutral third parties that connect data holders with data users without allowing the intermediaries to use the data for their own purposes.
- The Act includes provisions to facilitate the re-use of certain categories of data held by public sector bodies, such as data subject to the rights of others (e.g. personal data, intellectual property rights), under secure conditions that respect existing rights, expanding the scope of data that can drive innovation beyond what is available as open data.
- The Act recognises data altruism - the voluntary sharing of data for the public good (e.g. scientific research or improving public services). It establishes a European Data Altruism Consent Form and a registration mechanism for entities wishing to collect data voluntarily provided by individuals or companies for altruistic purposes.
The Data Governance Act is seen as a key step in the EU's ambition to become a leader in the data-driven society, ensuring that data can flow freely within the EU and across sectors for the benefit of businesses, researchers, public administrations and society at large, under clear and trustworthy conditions.
The Digital Operational Resilience Act (DORA) is a regulation proposed by the European Commission as part of its digital finance package, which aims to strengthen the operational resilience of the financial sector against cyber threats and other risks arising from digitalisation. It entered into force on 16 January 2023 and will apply from 17 January 2025.
Key points of DORA:
1. DORA consolidates and enhances existing regulatory requirements related to information and communication technology (ICT) risks across the financial sector (20 different types of financial entities and third party ICT service providers). These include banks, insurance companies, investment firms, crypto-asset service providers and other financial entities.
2. Improving digital operational resilience: The regulation aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber threats, ICT disruptions and other digital vulnerabilities.
3. Establish a harmonised framework: By providing a comprehensive set of standards and requirements, DORA aims to harmonise the approach to digital operational resilience across the EU, ensuring a level playing field and avoiding regulatory fragmentation.
4. It introduces stringent requirements for incident reporting, ICT risk management, digital operational resilience testing and oversight of third party service providers:
- DORA requires financial firms to put in place mechanisms for the prompt reporting of significant cyber and ICT-related incidents to national and EU authorities.
- Financial entities must establish, implement, and maintain effective ICT risk management capabilities, including identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents and threats.
- The regulation mandates regular testing of digital systems to assess their resilience to cyber threats, including advanced testing for significant entities.
- Recognising the increasing reliance on third party service providers, including cloud services, DORA establishes oversight frameworks and risk management requirements for the use of third party providers.
DORA is an important step towards ensuring that the EU financial sector can withstand, respond to and recover from ICT and cyber threats, thereby protecting market integrity and the financial interests of consumers and businesses.
The Cyber Resilience Act (CRA) was proposed by the European Commission on 15 September 2022. It aims to improve the security of digital products and related services in the EU. The Act is part of a broader effort to strengthen cybersecurity across the bloc, recognising the increasing reliance on digital technologies and the resulting risks to security and privacy.
The initial version wasn’t warmly received by numerous open source organisations that fell under the regulation. Open source development is harder to fund and open source software (OSS) is often maintained by enthusiasts, yet OSS is freely and widely used in commercial and non-commercial projects. The potential for legal liability, with huge fines for non-compliance, could discourage any enthusiast.
After much criticism, the CRA was revised to reflect the realities of the open source community. The revised version introduced the concept of the "open source steward", a supporter who curates the development of open source software. The difference between a steward and a manufacturer is that a steward's non-compliance with the CRA does not result in financial penalties; this does not, however, remove the steward's obligation to adhere to the basic security requirements laid out in the CRA.
Key objectives of the Cyber Resilience Act:
- Establish security baselines: the CRA aims to set minimum cybersecurity requirements for digital products and their associated services to ensure that they are secure by design, by default, and throughout their lifecycle.
- Increase transparency: It seeks to provide consumers and businesses with clear information about the cybersecurity features and vulnerabilities of products, thereby increasing transparency in the digital market.
- Enhance incident response: The act will require manufacturers and providers to report significant cyber incidents to relevant authorities, improving the overall response to and management of cybersecurity threats.
- Promote accountability: Manufacturers, distributors, and importers will be held accountable for the cybersecurity of their digital products and services, and face penalties for failing to comply with the act's requirements.
Impact and Scope:
- The CRA covers a wide range of digital products, including connected devices, software, and operating systems. It emphasises the importance of addressing cybersecurity from the earliest stages of design and development.
- By establishing a harmonised set of rules across the EU, the CRA aims to create a safer digital environment, promote user confidence in digital solutions and boost the digital economy.
Prominent open source foundations such as the Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation and Eclipse Foundation have announced their commitment to the CRA and their intention to create "common specifications for secure software development based on existing open source best practices" to comply with the act.
The Artificial Intelligence Act (AIA), proposed in April 2021 and passed in the European Parliament in March 2024, is a groundbreaking regulatory framework for AI that focuses on ensuring the safety and fundamental rights of individuals and businesses while fostering AI innovation across the EU.
It categorises AI systems according to their level of risk (unacceptable, high-risk, general purpose, limited risk and minimal risk AI) and imposes appropriate regulatory requirements. Most of the obligations fall on providers (developers) of high-risk AI systems who put their systems into service or use system outputs in the EU. A user, according to the law, is a natural or legal person deploying an AI system in a professional capacity.
AI applications that pose unacceptable risks are prohibited. Banned use cases include the manipulation of human behaviour, social scoring (assigning ranks to people based on their personal and social characteristics), and real-time remote biometric identification (including facial recognition) in public spaces.
For high-risk AI systems, such as those used in critical infrastructure, education, employment, healthcare, law enforcement, justice and essential private and public services, the Act requires rigorous compliance checks before these systems can be deployed. This includes ensuring risk and quality management, cybersecurity, data governance practices, the accuracy of the datasets used, increasing transparency and providing detailed documentation for authorities, system implementers and end users.
General purpose AI applications (e.g. ChatGPT or Gemini) are subject to transparency requirements: they must comply with the Copyright Directive and provide technical documentation, user instructions and a summary of the training data.
Low-risk AI applications (e.g. image, music, video generators or editors) are also subject to transparency requirements.
Minimal risk AI isn't regulated.
Transparency requirements: AI systems that interact with people or are used to recognise emotions must be transparent. Users should be informed when they interact with an AI system, unless it is obvious from the circumstances.
The law emphasises the importance of high-quality data sets that are free of bias, which is crucial for training AI systems. It mandates that data used by AI systems, especially those classified as high-risk, must be well documented, traceable and securely managed to ensure privacy and data protection.
Thank you for reading this article! We hope it has helped you to better understand European data protection legislation.
Sources:
eIDAS - https://en.wikipedia.org/wiki/EIDAS
https://www.docbyte.com/eidas/
https://www.signicat.com/new-european-identity-eidas-2-0
DGA - https://en.wikipedia.org/wiki/Data_Governance_Act
https://digital-strategy.ec.europa.eu/en/policies/data-governance-act
DORA - https://www.digital-operational-resilience-act.com/
https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
CRA - https://en.wikipedia.org/wiki/Cyber_Resilience_Act
https://www.european-cyber-resilience-act.com/
AI Act - https://en.wikipedia.org/wiki/Artificial_Intelligence_Act