The growing diversity and use of technology have given rise to a corresponding increase in digital, data, cybersecurity and IT laws, regulations and Codes of Practice. The UK's departure from the EU has also created divergences between UK and EU law, making this a dynamic and evolving area, just like technology itself.
Here we highlight some of the legal changes and evolving regulatory frameworks that organisations may need to take into account, and the new risk environment that applies when adapting and transforming digital and technological operations. We have summarised some of these key legislative developments below.
Digital Markets, Competition and Consumers Act 2024
Jurisdiction: UK
Is it in force? Yes, although most provisions remain to be brought into force by secondary legislation.
What does it do and who does it apply to? The Act introduces a new pro-competition regime for digital markets in the UK. It gives the Competition and Markets Authority (CMA) the power to designate undertakings as having strategic market status in respect of a digital activity (provided they have an annual UK turnover exceeding £1bn or global turnover exceeding £25bn) and to impose conduct requirements on them. It also makes significant changes to UK merger thresholds and gives the CMA new powers to enforce consumer protection law directly. In particular, companies can now face fines of up to 10% of group global turnover for breaches of consumer protection law.
Is there a parallel law in the EU? The Act is comparable to the EU Digital Markets Act which imposes obligations on "gatekeeper" platforms.
Digital Markets Act
Jurisdiction: EU
Is it in force? In force from 1 November 2022, it started to apply from 2 May 2023.
What does it do and who does it apply to? The Act aims to ensure that large online platforms designated as “gatekeepers” by the Commission behave fairly. It applies to “core platform services” (e.g. online marketplaces, search engines, social networks, operating systems, cloud computing services and web browsers) offered by gatekeepers. An undertaking will be a gatekeeper if it has a significant impact on the internal market, it is an important gateway for businesses to reach end users and it enjoys an entrenched and durable position in its operations (or it is foreseeable that it will do so in the near future). Platforms meeting certain turnover and user number thresholds must notify the Commission and are presumed to be gatekeepers unless they successfully argue that they do not meet the qualitative criteria. In September 2023, the first six “gatekeepers” were announced: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. They have been required to comply since 7 March 2024.
Does it apply to UK businesses? The Act applies to core platform services provided by gatekeepers to users in the EU, irrespective of the place of establishment or residence of the gatekeepers.
Is there a parallel law in the UK? The Act has similarities to the UK Digital Markets, Competition and Consumers Act 2024 which will, among other things, impose obligations on undertakings with strategic market status in respect of a digital activity.
Online Safety Act 2023
Jurisdiction: UK
Is it in force? Royal Assent received 26 October 2023, but the main duties will only apply once certain guidance and codes of practice are in place, which are expected during 2025 and 2026.
What does it do and who does it apply to? The Act provides for a new regulatory framework intended to make the use of the internet safer for individuals. It applies to online providers of user-to-user services and search services and imposes duties of care on them in relation to content and activity on their services (e.g. to carry out suitable risk assessments and to take proportionate steps to prevent users encountering illegal content). In addition, it imposes a duty on online publishers of pornographic content to use age verification and/or age estimation to prevent access by children.
Is there a parallel law in the EU? In the EU, the Digital Services Act overlaps in scope with the Online Safety Act (OSA). However, the OSA is more prescriptive in relation to the obligations to tackle illegal content.
Digital Services Act
Jurisdiction: EU
Is it in force? In force from 16 November 2022, some provisions have applied since then, but the majority applied from 17 February 2024. The first “very large online platforms” (VLOPs) and “very large online search engines” (VLOSEs) designated by the Commission were required to comply from August 2023.
What does it do and who does it apply to? The Act aims to prevent illegal and harmful activities and the spread of disinformation online. It imposes obligations on providers of online “intermediary services”, which include search engines, social networks and online marketplaces, as well as “mere conduit” or “caching” services for third party information. Obligations cumulate depending on the intermediary service’s role, size and impact. All must, for example, appoint single points of contact, and all except “micro” or “small” enterprises must publish transparency reports on their content moderation and removal activities. The highest level of regulation applies to VLOPs and VLOSEs (those with more than 45 million average monthly active users in the EU, as designated by the Commission), which must, for example, undertake assessments of systemic risks such as illegal content, effects on electoral processes, public security and physical and mental well-being.
Does it apply to UK businesses? Providers of intermediary services not themselves established in the EU will be in scope if they have a “substantial connection” to the EU, e.g. if a significant number of recipients are in the EU or if they target activities towards one or more Member States.
Is there a parallel law in the UK? The Digital Services Act overlaps in some of its scope with the Online Safety Act 2023.
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
Jurisdiction: UK
Is it in force? In force from 29 April 2024.
What does it do and who does it apply to? The Regulations aim to make consumer connectable products more secure against cyber attacks. They provide the detail of the security requirements indicated in the Product Security and Telecommunications Infrastructure Act 2022: no universal default passwords, a published vulnerability disclosure policy (so that security researchers can report issues), and transparency about the minimum period for which the product will receive security updates. Manufacturers must comply with these requirements and ensure that relevant connectable products are accompanied by a statement of compliance; importers and distributors must not make such products available in the UK without one.
Is there a parallel law in the EU? The Regulations have a comparable scope to the proposed EU Cyber Resilience Act.
Cyber Resilience Act
Jurisdiction: EU
Is it in force? Not yet. Expected to come into force in 2024, with most obligations not applying until 36 months thereafter (the vulnerability and incident reporting obligations apply earlier, 21 months after entry into force).
What does it do and who does it apply to? The Act regulates cybersecurity requirements for products with digital elements (PDEs) whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Examples include connected home cameras, smart fridges and smart televisions. It requires secure-by-design development, security updates for a defined support period and reporting of actively exploited vulnerabilities and serious incidents. The Act will affect manufacturers, importers and distributors of PDEs placed on the EU market.
Does it apply to UK businesses? Yes, the Act could apply to UK businesses that supply to the EU.
Is there a parallel law in the UK? The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 have a similar function in relation to “connectable products” in the UK.
Critical Third Parties Regime
Jurisdiction: UK
Is it in force? Not yet. Expected late 2024.
What does it do and who does it apply to? The regime, being established under the Financial Services and Markets Act 2023, will oversee the material services that third parties designated as critical by HM Treasury provide to the financial sector. The Bank of England, PRA and FCA have proposed six fundamental rules that critical third parties would be required to comply with in respect of all the services they provide to firms, along with a series of operational risk and resilience requirements (including incident notification and resilience testing).
Is there a parallel law in the EU? Similar requirements in relation to ICT-related disruptions are at a later stage in the EU in the form of the Digital Operational Resilience Act (DORA).
Digital Operational Resilience Act (DORA)
Jurisdiction: EU
Is it in force? Entered into force on 16 January 2023 and applies from 17 January 2025.
What does it do and who does it apply to? DORA aims to deepen the digital risk management of financial institutions and harmonise legislation with a view to improving the sector’s ability to withstand ICT-related disruptions and threats. It imposes obligations covering ICT risk management, ICT incident reporting, digital operational resilience testing (including threat-led penetration testing for larger entities) and management of ICT third-party risk on financial entities (including in the insurance, banking, payments and investment sectors), and brings ICT providers designated as “critical ICT third-party service providers” under direct oversight by the European Supervisory Authorities.
Does it apply to UK businesses? DORA will apply to firms operating in EU financial markets, but also to providers of ICT services to those firms, even if the providers are located outside of the EU.
Is there a parallel law in the UK? While not exactly the same as DORA, the UK Critical Third Parties Regime has been proposed as an updated framework for UK firms to manage systemic risk posed by reliance on certain third party services, such as cloud services.
Artificial Intelligence Act
Jurisdiction: EU
Is it in force? Yes, from 1 August 2024, with most provisions applying from 2 August 2026 (the prohibitions on certain AI practices apply from 2 February 2025 and the obligations for general-purpose AI models from 2 August 2025).
What does it do and who does it apply to? The Act sets out rules for the placing on the market, the putting into service, and the use of AI systems in the EU. It applies to providers and deployers (users) of AI systems, prohibits certain AI practices, sets requirements for high-risk systems and imposes transparency and other obligations on general-purpose AI models.
Does it apply to UK businesses? The Act will catch UK businesses that put AI systems into service or place them on the market in the EU or that provide or use AI systems outside the EU, where the output is used in the EU.
Is there a parallel law in the UK? The Act contrasts with the UK’s approach to support existing regulators to develop a bespoke approach within their sectors.
Data Act
Jurisdiction: EU
Is it in force? In force from 11 January 2024, it applies from 12 September 2025.
What does it do and who does it apply to? The Data Act aims to ensure fairness in the allocation of value from data among actors in the digital environment and make data more accessible to all.
It requires manufacturers and service providers to allow users to access, reuse and share data generated from their connected products, such as smart household appliances and intelligent industrial machines. It also facilitates switching between data processing (or cloud) services and regulates unfair terms in business-to-business data licences. The Act applies to manufacturers, suppliers and other “data holders” in respect of connected products and related services, as well as the users of such products or services, third parties receiving data at the request of the user and providers of data processing services.
Does it apply to UK businesses? Irrespective of their place of establishment, the Act will apply to manufacturers of connected products (or suppliers of related services) placed on the EU market, data holders providing data to recipients in the EU and data processing service providers to EU customers.
Is there a parallel law in the UK? While there is no directly comparable UK law, the proposed Data Protection and Digital Information Bill envisages the development of comparable “smart data schemes” for customer and business data.
NIS 2 Directive
Jurisdiction: EU
Is it in force? Entered into force on 16 January 2023. Measures adopted by Member States to comply with the Directive shall apply from 18 October 2024.
What does it do and who does it apply to? NIS 2 aims to achieve a high common level of cybersecurity across the EU, replacing the earlier NIS 1 Directive to cover more sectors and services (adding e.g. waste water, postal and courier services, and manufacturing) as well as introducing new incident reporting obligations (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours), management accountability and stricter enforcement requirements. It also adds a much wider range of technology providers, including social network platforms, data centre providers and managed service providers, to the three categories of digital service providers previously covered under NIS 1 (cloud computing service providers, online marketplaces and search engines).
Does it apply to UK businesses? Yes, it will apply to UK businesses in the categories regulated by the Directive which provide their services in the EU.
Is there a parallel law in the UK? Yes, the UK government is separately reviewing the current UK Network and Information Systems Regulations 2018 (which transposed the NIS 1 Directive into UK law) and has proposed a number of reforms to improve the UK’s cyber resilience, including expanding the meaning of "digital services" under the Regulations to include managed services.
The information contained in this guide is intended to be a general introductory summary of the subject matters covered only. It does not purport to be exhaustive, or to provide legal advice, and should not be used as a substitute for such advice.