Thales Blog

EU Security and Privacy Laws: What to Expect in 2023 and beyond

March 28, 2023

Dirk Geeraerts | Security Evangelist

In the modern era it is indisputable: data is king, and organizations know it. The more data they collect, the better informed their decisions become, and the less effort is wasted on trial and error.

Of course, business leaders are not the only ones who recognize the value of data. Cybercriminals have caught on too, and they target organizational weaknesses and oversights to exploit for their own gain. With cybercrime and data theft on the rise, the struggle between businesses and bad actors over who comes out on top persists.

As such, governments and policymakers have focused on mitigating risk through regulatory and compliance measures. In the US, the Biden administration has published the National Cybersecurity Strategy, which seeks “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

In the EU, the next two years are crucial, as a series of approaching compliance deadlines will affect nearly every sector.

Digital Services Act (DSA) - February 2023

The Digital Services Act (DSA) sets out rules intended to foster innovation, growth and competitiveness, and to make it easier for smaller platforms, including startups and SMEs, to scale. It is an EU regulation that limits the spread of illegal content online through a new set of obligations on intermediary services, with the aim of a safe and secure online environment for all users.

The DSA applies to intermediary services, including marketplaces, online platforms, and hosting services, that offer their goods or services to users in the EU, regardless of where the provider is established. The February 2023 milestone is the date by which online platforms had to publish their average monthly active user numbers in the EU; the Commission uses those figures to designate very large online platforms and search engines, which face the strictest obligations four months after designation, while the full set of rules applies to all in-scope services from 17 February 2024. The DSA is intended to safeguard the rights to freedom of information and expression, and it keeps the protection of fundamental rights as a core tenet of the regulation.

Digital Markets Act (DMA) - May 2023

The Digital Markets Act (DMA) defines objective criteria under which large online platforms are designated as "gatekeepers" and subjected to obligations on fair behaviour towards the business users and end users that depend on them. The DMA has applied since 2 May 2023; from that date, companies providing core platform services that meet the thresholds must notify the European Commission and supply the relevant information within two months, after which the Commission decides on designation.

To qualify as a gatekeeper, a platform must meet three cumulative criteria: a significant impact on the internal market (annual EU turnover of at least EUR 7.5 billion in each of the last three financial years, or a market capitalisation of at least EUR 75 billion in the last financial year, with the same core platform service offered in at least three Member States); control of an important gateway between businesses and consumers (at least 45 million monthly active end users and at least 10,000 yearly active business users in the EU in the last financial year); and an entrenched and durable position (meeting the user thresholds in each of the last three financial years).

The DMA aims to make the business environment fairer for companies that depend on gatekeepers, to ensure fair pricing, and to remove unfair terms and conditions that hinder innovation. Gatekeepers that breach their obligations face fines of up to 10% of worldwide annual turnover, rising to 20% for repeat infringements.

Network and Information Systems 2 (NIS2) - October 2024

Building on the 2016 NIS Directive, the Network and Information Systems 2 (NIS2) Directive (Directive (EU) 2022/2555) significantly expands the range of covered entities and harmonises security and reporting requirements in order to raise the common level of cybersecurity across the EU. Member States must transpose it into national law by 17 October 2024.

NIS2 ensures:

  • that EU Member States are prepared and actively mitigating risk, by requiring each of them to adopt a national cybersecurity strategy and to designate competent authorities, a CSIRT and a single point of contact
  • cooperation among Member States through the Cooperation Group and the CSIRTs network, which support and facilitate the exchange of information and coordinated action
  • a security culture across vital sectors, including energy, transport, water, banking, financial market infrastructure, healthcare, digital infrastructure and public administration

For in-scope entities this translates into concrete obligations: management bodies must approve and oversee the cybersecurity risk-management measures and can be held liable for breaches, and significant incidents must be reported to the CSIRT or competent authority with an early warning within 24 hours, a full notification within 72 hours and a final report within one month.

Digital Operational Resilience Act (DORA) - January 2025

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) establishes uniform requirements for the security of the network and information systems that support the business of financial entities such as banks, insurers, investment firms and crypto-asset service providers. It also reaches critical ICT third-party providers serving the financial sector, including cloud platforms and data analytics services, which fall under a new EU-level oversight framework.

Building on the NIS2 Directive, to which it is the sector-specific rule for finance, DORA aims to ensure that all relevant firms can withstand, respond to, and recover from all types of ICT-related threats and disruptions. It rests on five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing for the largest entities), management of ICT third-party risk, and information sharing. Because DORA is a regulation rather than a directive, it applies directly in every Member State from 17 January 2025 without national transposition, so its requirements are homogeneous across the EU.

EU-US Data Privacy Framework

Besides the above regulatory initiatives, an adequacy decision for the EU-US Data Privacy Framework is expected. The framework aims to provide a lawful basis for safe trans-Atlantic transfers of personal data; once adopted, it will ensure an adequate level of protection for personal data transferred from the EU to US organizations that certify to the framework.

The new framework responds to the CJEU's Schrems II ruling of July 2020, which invalidated the earlier Privacy Shield framework. At the time of writing, the adequacy of the EU-US Data Privacy Framework against GDPR requirements is still under review. After a non-binding opinion from the European Data Protection Board (EDPB), scrutiny by the European Parliament, and approval by a committee of EU Member State representatives, the European Commission can adopt the final adequacy decision. That step is projected for late spring or early summer 2023, after which the framework will govern EU-to-US data flows for certified organizations.

Businesses should always keep an eye on developing regulatory and compliance initiatives in order to stay ahead of the curve. Although some deadlines seem far off, a wait-and-see stance is not a good policy. Businesses should start their compliance journey now, before the last-minute panic.

Learn how Thales can help your business meet the regulatory requirements of tomorrow today.