Article | 17 January 2025

Navigating the new wave of EU legislation: An introductory guide to legal acts in the IT/data sector


In the rapidly and constantly changing digital landscape, the EU is at the forefront, including in launching regulatory frameworks to ensure data protection, the ethical use of artificial intelligence (AI) and safe and fair digital services and products. How is your organisation affected and what are you expected to do to comply with the new requirements? 

At the EU level, several new legal acts are now coming into force that will have far-reaching consequences for many businesses – not just those operating in the ‘digital sector’. The list of new legislation is long, and, in this article, we summarise the AI Act, the NIS2 Directive and the Data Act, among others: legal acts that we are currently receiving many questions about and that are relevant to most companies. Happy reading and welcome to Setterwalls!

AI Act
Overview: The AI Act is a comprehensive framework that regulates, among other things, the development, deployment and use of AI. The AI Act categorises AI systems based on their risks, and the requirements differ depending on whether the system poses a high or low risk, with higher risk imposing stricter requirements on those developing, deploying or using the system. There is also a ban on certain types of AI systems.

Status: The AI Act entered into force in August 2024. The provisions will be applied in phases starting in February 2025 when the ban on certain AI systems will apply. By August 2027, the entire Act will be applicable.

Main requirements: The requirements are different depending on the AI system used and the operator you are. For example, as a provider of a high-risk system, you must ensure that you have a risk management system in place, methods for handling data, technical documentation and that you fulfil the requirements for transparency towards the users of the system. As a user of an AI system, you must, among other things, take appropriate technical and organisational measures to ensure that you use the system as intended, monitor the operation of the system and, in some cases, carry out an impact assessment. In summary, you therefore need to make an initial inventory of your AI systems (existing systems and planned purchases/licences), classify the systems and your role, and then take relevant actions.

NIS2 Directive
Overview: The NIS2 Directive is a revision of the EU’s first cybersecurity directive, the NIS Directive. It aims to strengthen cybersecurity and resilience and to achieve a high common level of cybersecurity across the EU. NIS2 brings a significant increase in the number of companies covered by the legislation and also increases the requirements for security measures.

Status: The Directive should have been transposed into Swedish law in October 2024. It is likely that the Swedish law (the Cybersecurity Act) will not become applicable until summer 2025.

Main requirements: The Directive applies to a wide range of operators, including companies active in energy, transport, healthcare, digital infrastructure, waste, machinery manufacturing and food and chemical production and distribution. If you are covered by NIS2, you need to work systematically with information security and take security measures based on your business risks, including the implementation of an incident management process, access control procedures, staff training and methods to protect sensitive information. Please note that your suppliers will also need to fulfil the requirements of NIS2 and that you will therefore probably need to renegotiate or enter into new supplier agreements. Thus, other companies that are not directly affected by NIS2 may also be indirectly affected when they provide services or products to a company subject to the legislation.

For more information on NIS2, see this article, which also includes a checklist on how to fulfil the requirements of NIS2.

Data Act
Overview: The Data Act aims to facilitate the use and sharing of data in general and, in particular, data generated by the use of connected products (IoT) and related services.

Status: The Data Act entered into force in January 2024 and will start applying in September 2025.

Main requirements: The requirements differ depending on who you are. The provider of an IoT product or service must, among other things, ensure interoperability (i.e. that the product/service can work together and communicate with other products/services) and that users can access and reuse their data (with the exception of trade secrets). Users must also be provided with certain information before entering into a contract for the purchase of a product or service, and in the case of contracts between companies, reasonable terms and conditions must be applied. Users can be natural or legal persons and cannot, for example, use data from a connected product to develop a competing product or use such data to gain insight into the manufacturer’s production methods. If you are a company providing connected products (e.g. smart machines) or services (e.g. measurement services that can be linked to machines), you need to ensure that you – and any developers and other suppliers that provide you with smart solutions and services – comply with the requirements of the Act and take them into account in your product/service development. You should also map your data to separate trade secrets from other data. As a user, you should have clear guidelines on how your staff can use your products and services.

Additional regulatory framework
In addition to the legislation mentioned above, which affects a number of companies and sectors, there are also some sector-specific directives or regulations that target a particular type of service. Some of these are:

  • DORA (Digital Operational Resilience Act): Aims to strengthen the digital operational resilience of financial firms, primarily in terms of ICT risk management. DORA entered into force in January 2023 and will start to apply in January 2025.
  • DGA (Data Governance Act): Aims to increase trust in data sharing, promote the availability of data and set conditions for its re-use. The regulation is relevant mainly for the public sector but there are also conditions for data brokering services. The DGA entered into force in June 2022 and became applicable in September 2023.
  • CRA (Cyber Resilience Act): Aims to increase the security and resilience to cyber-attacks of products with digital elements and is relevant mainly to manufacturers of such products. There are also rules for distributors and importers. The CRA will enter into force in December 2024 and will be applied in phases starting in June 2026.

How can we at Setterwalls help?
Setterwalls has extensive experience in these types of issues and understands the complexity of these legislative acts. We want to help you find the right level when working with the legislation so that you can focus on taking the measures that actually make a difference to your business and that address relevant risks and requirements.

  • Training: If you want to gain deeper insight into any of the legislation or requirements above, we are happy to organise tailor-made training for you and your business.
  • Assessments: We help with assessments and analyses, for example, on whether you are covered by any of the legislation above or on what measures you need to take.
  • Documentation and contracts: We assist in preparing the documentation required by the above-mentioned legislation to demonstrate your compliance. We also review and negotiate contracts with your suppliers to ensure that they also fulfil the relevant requirements and thus allow you to do the same.
  • Speaking partner: We are of course also available as a sounding board if you wish to discuss interpretation issues, approaches or have any other questions linked to the legislation above or any other legislation in the IT/data area.

Navigate the right path and move from challenge to competitive advantage
With the right guidance, legal acts can be transformed from daunting challenges into opportunities for growth and innovation, not only avoiding potential sanctions but also creating competitive advantages. So don’t hesitate to contact us – we’ll be happy to help you.
