Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: January 2025

  • omnibus — all data
  • sector-specific — e.g., financial institutions, governmental bodies

What are the key data privacy laws and regulations?

Last review date: January 2025

This chapter provides information on the position under European Union law and guidance. For information on implementation in specific jurisdictions, see the relevant individual chapter.

  • EU General Data Protection Regulation
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”)
  • Regulation (EU) 2024/900 of the European Parliament and of the Council of 13 March 2024 on the transparency and targeting of political advertising (“Political Advertising Regulation”)
What are the key cybersecurity laws and regulations?

Last review date: January 2025

This chapter provides information on the position under European Union law and guidance. For information on implementation in specific jurisdictions, see the relevant individual chapter.

  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (“Cybersecurity Act”)
  • Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (“eIDAS Regulation”)
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (“NIS 2 Directive”)
  • Commission Implementing Regulation of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers (“Commission NIS 2 Implementing Regulation”)
  • Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (“Cyber Resilience Act”)
  • Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Digital Operational Resilience Act – “DORA”)
  • Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (“Critical Entities Resilience Directive”)
  • Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (“PSD2 Directive”)
What are the key laws and regulations relating to non-personal data?

Last review date: January 2025

This chapter provides information on the position under European Union law and guidance. For information on implementation in specific jurisdictions, see the relevant individual chapter.

  • Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
  • Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance (“Data Governance Act”)
  • Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data (“Data Act”)
Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: January 2025

This chapter provides information on the position under European Union law and guidance. For information on implementation in specific jurisdictions, see the relevant individual chapter.

New data- and cyber-related legislation was enacted in the European Union in recent years that will come into force, or be implemented in Member States, in 2025 and beyond.

The Digital Operational Resilience Act ("DORA"), which lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities, entered into force in January 2023, and includes a two-year implementation window with the new rules mostly taking effect on 17 January 2025.

Obligations imposed by the EU AI Act, the Data Governance Act, the NIS 2 Directive and the Critical Entities Resilience Directive (the latter two as implemented into national laws) will continue to take effect throughout 2025. The obligations under the Cyber Resilience Act largely take effect from 2026 onwards, but the Commission should further specify in-scope products before the end of 2025. The Data Act will take effect from September 2025.

The Political Advertising Regulation, which will be mostly applicable from 10 October 2025, lays down specific rules and requirements on personal data processing in the context of the provision of online political advertising.

There is further data- and cyber-related legislation pending in the EU.

A proposal for an ePrivacy Regulation has been pending at European level since 2017. It is intended to adapt the rules for electronic communications to the GDPR and to strengthen privacy protection online. If enacted, it would reform EU law in areas such as direct marketing, cookies and similar technologies, and electronic communications data. However, progress has been slow in comparison to the other major digital files under the EU’s data strategy.

In relation to EU-US data transfers, in July 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. On the basis of this adequacy decision, personal data can flow from EU companies to US companies participating in the EU-U.S. Data Privacy Framework, without the need for an additional transfer mechanism to be implemented. The first review of the EU-U.S. Data Privacy Framework was completed in October 2024 and concluded that the U.S. authorities have put in place the necessary structures and procedures to ensure that the Data Privacy Framework functions effectively. The adequacy decision is being challenged in the courts.

The European Health Data Space Regulation, on which the Council of the EU and the European Parliament reached political agreement in spring 2024, is currently pending formal adoption at EU level and it is anticipated to enter into force in 2025. It seeks to create a common space for health data within the EU and establishes harmonised rules on the primary and secondary use of electronic health data.

In June 2023, the European Commission put forward a proposed framework for Financial Data Access (“FIDA”) that aims to open up access by financial institutions to each other’s customer data. The Council of the EU reached agreement on its position in December 2024, and the final shape of the legislation will now be negotiated with the European Parliament.

The draft GDPR Enforcement Procedures Regulation is expected to be adopted, or at the very least to reach the final stages of the legislative process, at the end of 2024 or the beginning of 2025. The aim of this Regulation is to lay down harmonised rules for cross-border data protection cases, especially cross-border complaints and investigations initiated ex officio by data protection authorities.