ARTICLE
17 July 2025

An Overview Of Key EU Cybersecurity And Data Protection Regulations And Their Potential Impacts On Canadian Businesses

Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.

As the digital landscape in the European Union evolves, so does the complexity of its regulatory framework. With several sector-specific regulations having been introduced in the past few years, navigating data protection, cybersecurity and artificial intelligence compliance poses unprecedented challenges for Canadian organizations.

Through a series of bulletins, we will highlight key regulations that may impact Canadian organizations operating in the EU and address the practical issues they may encounter. In particular, we will review NIS 2, DORA, the Data Act, the Data Governance Act, the Digital Markets Act, the Digital Services Act and the AI Act.

To kick off this series, we have prepared the following table summarizing the scope of these essential regulations.

Cybersecurity

Network and Information Systems Directive 2022

NIS 2 was adopted in November 2022, came into force in January 2023, and Member States were required to transpose it into their national laws by October 17, 2024, after which NIS 2 replaced the preceding Network and Information Systems Directive (NIS 1).

It establishes a unified legal framework to improve digital security and incident response across the EU.
Awareness of and proper compliance with NIS 2 are particularly important because the directive holds an organization's management bodies accountable: they must approve and oversee the cybersecurity risk-management measures, follow related training, and can be held liable for infringements.

NIS 2 applies to both public and private sector organizations and aims to raise the common level of cybersecurity across 18 critical sectors in the EU. It especially targets organizations that can be categorized as "Essential Entities" or "Important Entities":

  • Essential Entities: e.g., organizations operating in the sectors of high criticality listed in Annex I of NIS 2, such as energy, transport, banking, health, space, digital infrastructure and water supply, that exceed the size ceiling for medium-sized enterprises. This generally means at least 250 employees, or an annual turnover exceeding €50 million and a balance sheet total exceeding €43 million. Certain entities, such as qualified trust service providers, top-level domain name registries and DNS service providers, are Essential Entities regardless of size. An organization in these sectors that does not meet the threshold may still be considered an "Important Entity" under NIS 2.
  • Important Entities: e.g., organizations operating in the other critical sectors listed in Annex II, such as postal and courier services, waste management, chemical production, food processing, manufacturing and digital providers, that are at least medium-sized. This generally means at least 50 employees, or an annual turnover and a balance sheet total each exceeding €10 million. Medium-sized organizations in the Annex I sectors that fall below the Essential Entity threshold are also Important Entities.

Stay tuned for our publication focused on NIS 2, which will be available here.

Digital Operational Resilience Act

DORA was adopted in December 2022, came into force on January 16, 2023, and has applied since January 17, 2025. Since DORA does not provide for a transitional period, financial entities have been supervised against its requirements by their national competent authorities from that date, and the European Supervisory Authorities have begun designating and overseeing critical ICT third-party service providers.

DORA imposes significant ICT risk management obligations on financial entities and brings critical ICT third-party service providers under direct EU oversight.

The new requirements cover identification, protection and prevention, detection, response and recovery, as well as the classification and reporting of major ICT-related incidents to competent authorities, digital operational resilience testing (including threat-led penetration testing for certain entities) and the management of ICT third-party risk, as DORA aims to encompass all aspects of operational resilience with respect to Information and Communication Technology ("ICT") risks.

The regulation also introduces direct oversight of critical ICT third-party service providers, such as cloud service providers, by the European Supervisory Authorities acting as Lead Overseers.

DORA is a sector-specific regulation that applies to a wide range of financial entities as it aims to standardize their approach to ICT risks based on their size and risk profile, as well as the nature, scale and complexity of their services, activities and operations.

This includes, but is not limited to, credit institutions (banks), insurance and reinsurance companies, investment firms, payment and electronic money institutions and crypto-asset service providers, as well as the ICT third-party service providers that serve them.

Stay tuned for our publication on DORA which will be available here.

Data

Data Act

The Data Act was adopted in December 2023, came into force on January 11, 2024, and applies from September 12, 2025, with certain obligations, such as the requirement to design new connected products so that their data is directly accessible to users, applying from September 12, 2026.

The Data Act aims to regulate access to and use of data generated through "connected products" and related services. It gives users greater control over the data they generate through such products.

The Act also imposes specific obligations on providers of data processing services, such as cloud providers, requiring them to facilitate switching between providers, to ensure data portability and continuity of service, and to phase out switching charges. It further requires such providers to take technical, organisational and legal measures to prevent third-country governmental access to, or transfer of, non-personal data held in the EU where that access or transfer would conflict with EU or Member State law.

The Data Act will primarily apply to providers, suppliers, and users of IoT (Internet of Things) devices and related services, including providers and users of cloud services.

Stay tuned for our publication on the Data Act which will be available here.

Data Governance Act

The Data Governance Act was adopted in May 2022, came into force on June 23, 2022, and has applied since September 24, 2023.

The Data Governance Act aims to enhance data sharing within the EU by establishing a framework for voluntary data sharing:

  • Where public sector bodies allow the reuse of certain categories of protected data they hold (such as personal data or commercially confidential data), they must do so under the conditions and safeguards set out in the Act, for example by granting access only to anonymised or pseudonymised data or through a secure processing environment, and without granting exclusive rights.
  • Data intermediation services are subject to a notification regime and additional obligations under the Data Governance Act. In particular, these services must remain neutral, keep the intermediation service structurally separate from any other services they offer, and not use the data they intermediate for their own purposes, while facilitating data sharing between data holders and data users.
  • Data altruism organizations must meet specific criteria for voluntary data sharing.

The Data Governance Act applies to public sector bodies, companies providing data intermediation services and organizations engaging in data altruism.

Stay tuned for our publication on the Data Governance Act which will be available here.

Platform and Content

Digital Markets Act

The DMA was adopted in September 2022, came into force on November 1, 2022, and has applied since May 2, 2023.

The DMA aims to increase fairness and boost competition on digital platforms by imposing multiple obligations on companies designated as "gatekeepers."

The Act notably prevents gatekeepers from using their core platform services to give an unfair advantage to their own products or services.

The DMA also restricts how gatekeepers may use user data, for example by prohibiting them from combining personal data across their services for advertising purposes without the user's consent. Overall, the Act is likely to significantly impact digital markets, and it provides for strong enforcement mechanisms, including fines of up to 10% of the gatekeeper's total worldwide annual turnover, or up to 20% in the case of repeated infringements.

The DMA applies to core platform services, such as search engines, social networking services, app stores, browsers and operating systems, provided by companies that the European Commission has designated as "gatekeepers."

Stay tuned for our publication on the DMA which will be available here.

Digital Services Act

The DSA was adopted in October 2022, came into force on November 16, 2022, and took full effect in February 2024.

The DSA provides new obligations and more accountability for online intermediaries and platforms that host content with the aim of preventing illegal and harmful activities online. Under the Act, they are required to, among other things:

  • put in place notice-and-action mechanisms that allow users to easily report illegal content, and act diligently on such notices;
  • disclose content moderation practices, including how they detect, remove, or restrict access to content;
  • inform users when content is removed or access is restricted, and provide clear reasons and appeal mechanisms.

The DSA also sets out additional obligations for very large online platforms and very large online search engines (those with at least 45 million average monthly active users in the EU), such as assessing and mitigating systemic risks and undergoing independent audits.

The DSA applies to providers of intermediary services offered to recipients who have their place of establishment or are located in the EU, irrespective of where the provider itself is established. It significantly impacts hosting services as well as social media platforms, online marketplaces and search engines.

Stay tuned for our bulletin on the DSA which will be available here.

Artificial Intelligence

AI Act

The AI Act was adopted in May 2024 and came into force on August 1, 2024. Its provisions apply in stages: the prohibitions on unacceptable-risk practices have applied since February 2, 2025, the obligations for general-purpose AI models apply from August 2, 2025, most remaining provisions apply from August 2, 2026, and the rules for high-risk AI systems embedded in regulated products apply from August 2, 2027.

The AI Act clearly defines what qualifies as an AI system and outlines the obligations that must be followed for various risks, which are categorized into four distinct levels:

  • Unacceptable Risk: AI practices that pose an unacceptable risk to individuals and their rights are prohibited. These include manipulative or deceptive techniques that cause significant harm (e.g., voice-activated toys that encourage dangerous behaviour), social scoring, untargeted scraping of facial images to build facial recognition databases, and real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, subject to narrow exceptions.
  • High Risk: AI systems that are used as a safety component of products covered by EU product safety legislation, or that are deployed in areas listed by the Act such as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and the administration of justice. These systems are not prohibited, but before being placed on the market they must meet requirements covering risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness and cybersecurity, and undergo a conformity assessment.
  • Limited Risk: AI systems or uses that do not fall within the High-Risk category but entail certain transparency risks and requirements not associated with Minimal Risk systems. Examples of these systems include deepfakes and chatbots.
  • Minimal Risk: AI systems or uses with minimal impact on individuals and their rights, which are largely unregulated under the EU AI Act. Systems classified as minimal risk are those that do not fall into the other three categories.

The EU AI Act establishes obligations for providers, deployers, importers, distributors and product manufacturers of AI systems placed on or used in the EU market, as well as for providers of general-purpose AI models. It also reaches providers and deployers located outside the EU, such as Canadian organizations, where the output produced by the AI system is used in the EU.

For more information, please read our bulletin on the AI Act, available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
