The Hitchhiker’s Guide to the Digital Decade – Prologue
16 March 2023
The EU has laid out an ambitious strategy, the EU Digital Decade Strategy, to shape the digital future of the continent by 2030. The vision includes a more digitally inclusive, secure, and sustainable society, while the actual roadmap for achieving these goals includes a wide range of investments, policy initiatives, and legislative actions. With the legislative actions alone, there is quite a lot to digest. Therefore, we are thrilled to share that Hannes Snellman has a new Digital Decade website up and running. The website is intended as a one-stop-shop for all relevant legislation that has entered or is about to enter into force in the name of the Digital Decade. We are actively working on the website to make it a better and smoother tool, especially with our fellow lawyers in mind. We invite everyone to engage and share their user experience with us. The website can be found here.
You might still wonder what we are talking about, so let us paint the bigger picture first. At its core, the EU Digital Decade Strategy pledges to tap into the vast potential that digital technologies have to drive economic growth, support innovation, and improve our European lives. For example, the EU’s research and innovation programme for 2021–2027 (Horizon Europe) alone has a budget of EUR 95.5 billion and includes a focus on digital transformation, with research areas such as artificial intelligence, cybersecurity, and digital health. On the flip side, the EU seeks to address some of the key challenges posed by this transformation, such as the need to protect personal data, ensure digital security, and foster a more equitable and inclusive digital economy. However, the aforementioned does not really sound that concrete, does it? So here are a few things we might expect in the years to come:
- Improved digital infrastructure: The EU aims to invest in improving and expanding its digital infrastructure, including 5G networks and fiber-optic broadband, to ensure fast and reliable connectivity for all citizens.
- Better digital skills: The EU plans to invest in improving digital skills and literacy among its citizens, with a particular focus on training and upskilling workers to meet the demands of the digital economy.
- A European data space: The EU aims to create a single market for data, enabling businesses and researchers to access and share data across borders and sectors, while protecting privacy and data security.
- More support for digital innovation and entrepreneurship: The EU plans to support digital innovation and entrepreneurship by investing in research and development, providing funding and support for startups, and promoting the use of digital technologies in industries such as healthcare and agriculture.
- Digital rights and values: The EU will ensure that digital technologies are developed and used in ways that respect fundamental rights and values, including privacy, data protection, and non-discrimination.
- Focus on a sustainable digital transformation: The EU aims to ensure that the digital transformation is sustainable by reducing the environmental impact of digital technologies, promoting energy efficiency, and addressing issues such as e-waste.
Overall, the strategy is an ambitious effort that reaches its tentacles into many places and will create a new and ever-evolving legal landscape for us to patiently navigate in the meantime. To avoid complete paralysis while trying to comprehend what this actually means for your company and potential stakeholders, we suggest taking a little breather and approaching this forthcoming Digital Decade systematically in bite-sized pieces. As we see it, the strategy for the Digital Decade falls into subcategories and further into legislative actions related thereto, which may be sketched as follows:
While we brace ourselves for the above, it is worth looking more closely at some of these legislative actions adopted or proposed and what they bring forth. New legislation has been adopted or proposed particularly for the sake of a digital single market, citizens' digital rights, and fair competition in the digital sector. Some of the key actions include:
- Data Act: For its part, the Data Act stipulates who may benefit from the free flow of data and how. The objective of the Data Act is to ensure fairness in the allocation of value from data among the players in the data economy. The Data Act regulates access to, and use of, data generated by use of IoT devices and related services. Products primarily designed to display, play, record, and transmit content are excluded (e.g., servers, PCs, and smart phones). The Data Act will also affect cloud providers, for instance through requirements on interoperability and data portability to smoothly enable switching cloud providers and avoid vendor lock-in. There will also be new restrictions on cloud providers providing unlawful access to (non-personal) data to third-country governments.
- Data Governance Act (DGA): The adopted DGA and Data Act go hand in hand as they intend to create a single market for data, so that it may flow freely and benefit businesses, researchers, public administrations, and society at large. The DGA aims at creating the processes and structures for the aforementioned. In particular, the DGA sets certain technical requirements for the public sector to ensure privacy and confidentiality in data sharing.
- Cybersecurity Act (CSA): The CSA is a regulation that was adopted in 2019 to strengthen the EU's cybersecurity infrastructure and cooperation. It establishes a European cybersecurity certification framework, which aims to increase trust in digital products and services by ensuring they meet common cybersecurity standards.
- NIS2 Directive: The NIS2 Directive has been adopted to align and enhance cybersecurity within all EU Member States. It significantly extends the scope of the previous NIS1 Directive, establishing that all medium-sized and large entities active in the sectors covered by the NIS2 framework would have to comply with the security rules under the NIS2 Directive. The NIS2 Directive, inter alia, enhances rules on incident reporting and also increases the number of companies in the financial sector that may be subject to its rules. Furthermore, it addresses cybersecurity of the ICT supply chain. The NIS2 Directive applies to two categories of entities depending on business sector: (i) Essential Entities (EE), which include, e.g., credit institutions as well as entities providing digital infrastructure and entities providing ICT-service management services B2B, and (ii) Important Entities (IE), covering, e.g., manufacturers of computer products.
- Digital Operational Resilience Act (DORA): The DORA establishes uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector regulated at the EU level, such as credit institutions, payment institutions, electronic money institutions, and crypto-asset service providers. In addition, critical third parties providing information communication technology (ICT) services, such as cloud platforms, are within the scope of the DORA. The DORA creates a qualitative regulatory framework on digital operational resilience whereby financial entities need to ensure that they can withstand, respond to, and recover from, all types of ICT-related disruptions and threats.
- ePrivacy Regulation: The ePrivacy Regulation is a proposed regulation that would update the EU's current ePrivacy Directive to provide stronger protection for citizens' privacy and data in the digital age. It would require companies to obtain explicit consent from users before collecting or using their personal data and provide more transparency about their data practices. The ePrivacy Regulation includes more privacy rules applicable to the big players (WhatsApp, Meta, etc.), streamlining of rules on cookies, and more privacy guaranteed for communications content and metadata.
- Artificial Intelligence Act (AI Act): The AI Act is a proposed regulation that aims to establish a framework for the development and use of artificial intelligence (AI) in the EU. The AI Act lays down obligations regarding the use of AI systems, with the aim of ensuring free movement of AI systems and protecting fundamental rights. The AI Act is applicable to software that has been developed in accordance with certain techniques listed in the annexes to the act and which can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with. It makes a risk-based distinction between four types of AI systems (unacceptable risk, high risk, limited risk, and minimal risk) and attaches a different set of obligations to each category. The applicable obligations also vary depending on the role as provider, distributor, importer, manufacturer, or user.
- Digital Services Act (DSA): The DSA is gradually entering into force and aims to establish clear rules and responsibilities for digital service providers operating in the EU, including online and social media platforms. The act will, e.g., require companies to take greater responsibility for content moderation, address online hate speech, and provide more transparency in their algorithms and advertising practices.
- Digital Markets Act (DMA): The DMA will likewise be adopted gradually and aims to address competition issues in the digital sector. The act will establish a set of rules for so-called "gatekeeper" platforms, which have a significant impact on the market, such as Google and Amazon. The DMA will require these platforms to be more transparent in their business practices, make it easier for users to switch between platforms, and prevent them from unfairly favouring their own products or services over those of competitors. Consequently, businesses may have access to more information on how their products or services are performing on third-party platforms, and meanwhile, consumer lock-in by gatekeeper platforms will be prevented.
More information regarding the legislation and proposals is available on our Digital Decade website.
Finally, when working with questions relating to data, every business should start by mapping out which rules are applicable to it. It should also be borne in mind that while the Digital Decade may entail new compliance concerns, it also offers new business opportunities. Unlocking this potential will certainly require some navigation, but we at Hannes Snellman are ready and prepared to embark on such a journey together with our clients. That being said, let us know if you want a deeper dive into the subject. The onboarding has already begun.