Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: January 2025

The data privacy regulators in the EU are primarily national data protection authorities. These are independent public authorities that supervise the application of data protection laws, provide expert advice and guidelines on data protection issues, and handle complaints lodged against violations of the General Data Protection Regulation (GDPR) and relevant national laws. Additionally, the European Data Protection Board (EDPB), which gathers representatives of all EEA data protection authorities, oversees the consistent application of data protection rules across the EU (notably by elaborating guidelines) and facilitates cooperation between national data protection authorities. The EDPB should not be confused with the European Data Protection Supervisor (EDPS) which is the EU’s independent data protection authority. Its main role is to supervise the data processing activities of the EU institutions and bodies and to advise these on all matters relating to personal data processing, including on relevant legislative proposals.

With respect to non-personal data, Regulation 2018/1807 on the free flow of non-personal data does not establish specific regulators for non-personal data. The oversight of these rules is therefore handled by national competent authorities which work in coordination with the European Commission to ensure compliance and address any issues related to the free flow of non-personal data.

Additionally, under the Data Governance Act and the Data Act, which apply to both personal and non-personal data, each EU Member State is required to designate one or more competent authorities responsible for enforcing the respective regulations. A European Data Innovation Board (EDIB) has also been established by the Data Governance Act to support the consistent application of both the Data Governance and the Data Acts, notably by issuing relevant guidance, advising and assisting the European Commission on the implementation of these regulations and facilitating cooperation between competent authorities.

Cybersecurity is regulated by several key authorities in the EU:

  • European Union Agency for Cybersecurity (ENISA): ENISA is an EU agency that provides support to EU Member States, EU institutions, and businesses in key cybersecurity areas, including the implementation of the NIS 2 Directive;
  • National Cybersecurity Certification Authorities: under the EU Cybersecurity Act, each Member State must appoint one or more national cybersecurity certification authorities which supervise, and enforce the rules of the European cybersecurity certification schemes;
  • National competent authorities designated by Member States to supervise compliance with, and enforce, the eIDAS Regulation, the NIS 2 Directive and the Critical Entities Resilience Directive. Separate Cooperation Groups (consisting notably of representatives of national authorities) have been established under these frameworks to facilitate cooperation between national authorities and to develop guidance, with a view to ensuring consistent application of the different cybersecurity frameworks.

Under the EU AI Act, enforcement is spread across three different levels:

  • National enforcement through national competent authorities whose tasks include supervising the application and implementation of the AI Act as well as carrying out market surveillance activities;
  • EU-wide enforcement through the European Commission’s AI Office (whose tasks include contributing to fostering standards and testing practices and enforcing specific cross-border cases) and the AI Board, which will act as a coordination platform among the national competent authorities and as an advisory body to the European Commission;
  • Stakeholder involvement with a scientific panel of independent experts to advise the AI Office about general-purpose AI models and an advisory forum for stakeholders to provide technical expertise to the AI Board and the European Commission.
How active is each of the regulator(s)?

Last review date: January 2025

Very active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: January 2025

This chapter provides information on the position under European Union law and guidance. For information on implementation in specific jurisdictions, see the relevant individual chapter.

A huge number of regulators are involved in the enforcement of EU data and cyber legislation. National regulatory priorities are described in individual country chapters and we have summarized the priorities of two key regulators – the EDPB and ENISA – here.

The key priorities of the European Data Protection Board, as set out in its 2024/2025 work program, are:

  • Enhancing harmonisation and promoting compliance
  • Reinforcing a common enforcement culture and effective cooperation
  • Safeguarding data protection in the developing digital and cross-regulatory landscape
  • Contributing to the global dialogue on data protection

Key concrete actions relevant to private sector organisations include:

  • the development of further guidance on topics including anonymisation and pseudonymisation, legitimate interests, children’s data, “consent or pay” models, processing of data for scientific research purposes, data subject rights under the LED, and age verification criteria;
  • issuing opinions on accreditation requirements for monitoring bodies of codes of conduct and for certification bodies, and on codes of conduct and certification criteria, including the European Data Protection Seal;
  • establishing common positions and guidance in the cross-regulatory landscape on topics including the interplay between EU data protection law and other EU laws, guidelines on the processing of personal data to target or deliver political advertisements, and transfers of personal data in the context of crypto assets;
  • monitoring and assessing new technologies, including guidelines on generative AI and data scraping, telemetry and diagnostic data, and blockchain; and
  • providing further guidance on practical implementation of data transfer mechanisms.

Priorities of the European Union Agency for Cybersecurity (ENISA), as set out in its 2024-2026 program, include:

  • combating attempts to destroy critical infrastructures and render them unavailable, thus impacting the target’s resilience, or to dissuade and manipulate public opinion through misinformation and information manipulation;
  • enhancing its proactive capabilities, to better support Member States in their efforts to respond to cyber threats and incidents while providing them with knowledge and expertise and increasing preparedness in key sectors;
  • strengthening its capabilities and capacities in supporting Member States with the implementation of NIS 2; and
  • launching a review of the ENISA strategy and adopting the first ever State of Cybersecurity in the EU report under Article 18 of NIS 2.
What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: January 2025

Are regulatory investigations or direct enforcement activity by data or cyber regulators:

  • Common

If applicable, are they:

  • Increasing

Are class actions/group actions under data or cyber regulation:

  • Rare

If applicable, are they:

  • Increasing

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: January 2025

There are:

  • administrative remedies / civil penalties applied by regulators and law enforcement
  • criminal penalties from regulators and law enforcement
  • private remedies

If data subjects have private remedies, what form can these remedies take?

Last review date: January 2025

  • individual personal actions
  • representative actions (e.g., brought by a consumer/data privacy body or the supervisory authority)