As the digital landscape in the European Union evolves, so does the complexity of its regulatory framework. With all sector-specific regulations having been introduced in the past few years, navigating data protection, cybersecurity and artificial intelligence compliance poses unprecedented challenges for Canadian organizations.
Through a series of bulletins, we will highlight key regulations that may impact Canadian organizations operating in the EU and address the practical issues they may encounter. In particular, we will review the following regulations:
- Directive (EU) 2022/2555 ("Network and Information Systems Directive 2022" or "NIS 2")
- Regulation (EU) 2022/2554 ("Digital Operational Resilience Act" or "DORA")
- Regulation (EU) 2023/2854 ("Data Act")
- Regulation (EU) 2022/868 ("Data Governance Act")
- Regulation (EU) 2022/1925 ("Digital Markets Act" or "DMA")
- Regulation (EU) 2022/2065 ("Digital Services Act" or "DSA")
- Regulation (EU) 2024/1689 ("AI Act")
To kick off this series, we have prepared the following table summarizing the scope of these essential regulations.
Cybersecurity
Network and Information Systems Directive 2022
NIS 2 was adopted in November 2022, came into force in January 2023, and Member States were required to transpose it into their national laws by October 17, 2024, after which NIS 2 replaced the preceding Network and Information Systems Directive (NIS 1). It establishes a unified legal framework to improve digital security and incident response across the EU.
NIS 2 applies to both public and private sector organizations and aims to uphold cybersecurity in 18 critical sectors across the EU. It especially targets organizations that can be categorized as "Essential Entities" or "Important Entities":
Stay tuned for our publication focused on NIS 2, which will be available here.
Digital Operational Resilience Act
DORA was adopted in December 2022, came into force on January 16, 2023, and took full effect as of January 17, 2025. Since DORA does not provide for a transitional period, compliance oversight by the European Supervisory Authorities is set to begin as of 2025.
DORA imposes significant cybersecurity risk management obligations on financial entities and regulates critical third parties. The new requirements include measures for protection, detection, containment, recovery and repair, as DORA aims to encompass all aspects of operational resilience, particularly with respect to Information and Communication Technology ("ICT") risks. The regulation also introduces strict oversight of critical third-party providers, such as cloud services, by the European Supervisory Authorities.
DORA is a sector-specific regulation that applies to a wide range of financial entities as it aims to standardize their approach to ICT risks based on their size and risk profile, as well as the nature, scale and complexity of their services, activities and operations. This includes but is not limited to banks, insurance companies, investment firms, payment service providers, credit institutions and crypto-asset service providers.
Stay tuned for our publication on DORA which will be available here.
Data
Data Act
The Data Act was adopted in December 2023, came into force on January 11, 2024, and will partially apply as of September 12, 2025.
The Data Act aims to regulate access to and use of data generated through "connected products" and related services. It gives users greater control over the data they generate through such products. The Act also imposes specific obligations on cloud providers, such as requiring them to facilitate switching between providers and to ensure data portability and continuity of service.
The Data Act will primarily apply to providers, suppliers, and users of IoT (Internet of Things) devices and related services, including providers and users of cloud services.
Stay tuned for our publication on the Data Act which will be available here.
Data Governance Act
The Data Governance Act was adopted in May 2022, came into force on June 23, 2022, and took effect in September 2023.
The Data Governance Act aims to enhance data sharing within the EU by establishing a framework for voluntary data sharing:
The Data Governance Act applies to public sector bodies, companies providing data intermediation services and organizations engaging in data altruism.
Stay tuned for our publication on the Data Governance Act which will be available here.
Platform and Content
Digital Markets Act
The DMA was adopted in September 2022, came into force on November 1, 2022, and took effect on May 3, 2023.
The DMA aims to increase fairness and boost competition on digital platforms by imposing multiple obligations on companies designated as "gatekeepers." The Act notably prevents gatekeepers from using their core platform services to give an unfair advantage to their own products or services. The DMA also restricts how gatekeepers may use user data for purposes such as advertising. Overall, the Act is likely to significantly impact digital markets, and provide for strong enforcement mechanisms, including fines up to 10% of the gatekeeper's total worldwide annual turnover, or up to 20% in the case of repeated infringements.
The DMA applies to core platform services provided or offered by "gatekeepers," such as search engines and social media.
Stay tuned for our publication on the DMA which will be available here.
Digital Services Act
The DSA was adopted in October 2022, came into force on November 16, 2022, and took full effect in February 2024.
The DSA provides new obligations and more accountability for online intermediaries and platforms that host content with the aim of preventing illegal and harmful activities online. Under the Act, they are required to, among other things:
The DSA also sets out additional obligations for large online platforms and search engines, such as performing risk assessments of systemic risks and conducting independent audits.
The DSA applies to providers of intermediary services offered to recipients of the service that have their place of establishment or are located in the EU. It significantly impacts those hosting content as well as social media platforms, online marketplaces and search engines.
Stay tuned for our bulletin on the DSA which will be available here.
Artificial Intelligence
AI Act
The AI Act was adopted in May 2024, and came into force on August 1, 2024. Its provisions will be implemented in stages, with full application by the end of 2027.
The AI Act clearly defines what qualifies as an AI system and outlines the obligations that must be followed for various risks, which are categorized into four distinct levels:
The EU AI Act establishes obligations for providers, deployers, importers, distributors and product manufacturers of AI systems connected to the EU market.
For more information, please read our bulletin on the AI Act, available here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.