The European Union (EU) is a leader in regulating the digital domain, with several initiatives aimed at enhancing the security, privacy, and ethical use of information and communication technologies (ICTs). Among these initiatives are the Artificial Intelligence Act (AI Act), the General Data Protection Regulation (GDPR), the ePrivacy Regulation (ePR), and the Network and Information Systems Directive 2 (NIS2). In this blog post, we will explore how these four regulations connect with each other and what implications they have for businesses and citizens.
Overview of the Regulations
AI Act
The AI Act is a comprehensive legal framework for artificial intelligence (AI) in the EU, which was agreed in December 2024; the official final text has yet to be published by the European Commission. The AI Act aims to ensure that AI systems are trustworthy, human-centric, and respect fundamental rights and values. The AI Act classifies AI systems into four risk categories: unacceptable, high, limited, and minimal. Depending on the risk level, different requirements and obligations apply to AI providers, users, and third parties. For example, high-risk AI systems must undergo a conformity assessment before being placed on the market, and must comply with transparency, accuracy, robustness, and human oversight requirements. The AI Act also establishes a governance structure for AI regulation, involving national competent authorities, a European Artificial Intelligence Board, and the Commission.
GDPR
The GDPR is considered the gold standard of data protection law and came into force in May 2018. The GDPR regulates the processing of personal data of individuals in the EU by data controllers and processors, both within and outside the EU. The GDPR sets out principles and rules for lawful, fair, and transparent data processing, such as obtaining valid consent, providing information notices, implementing data protection by design and by default, ensuring data security and data minimization, and respecting data subjects' rights. The GDPR also establishes a cooperation and consistency mechanism among national data protection authorities, led by the European Data Protection Board, and empowers them to impose administrative fines of up to 4% of global annual turnover or €20 million, whichever is higher.
ePR
The ePR is a proposal for a regulation on privacy and electronic communications, which was first published by the Commission in January 2017. The ePR aims to update and replace the existing ePrivacy Directive from 2002, which regulates issues such as confidentiality of communications, cookies, direct marketing, and traffic and location data. The ePR intends to align the ePrivacy rules with the GDPR, extend their scope to new technologies and services (such as over-the-top providers and internet-of-things devices), and harmonize their enforcement across the EU. However, the ePR has faced significant delays and challenges in the legislative process, due to diverging views among Member States and stakeholders on key aspects such as consent requirements, legitimate interests, metadata processing, and encryption.
NIS2
The NIS2 is a directive on network and information systems security that entered into force in January 2023. The NIS2 replaces the NIS Directive from 2016, which was the first EU-wide legislation on cybersecurity. The NIS2 aims to achieve a high common level of cybersecurity across the EU by imposing risk management measures and reporting obligations on essential entities (such as energy providers or health services) and important entities (such as postal services or digital providers) that operate in critical sectors or provide essential services. The NIS2 also introduces more stringent supervisory measures and stricter enforcement requirements for national competent authorities, including harmonized sanctions of up to €10 million or 2% of global annual turnover. Moreover, the NIS2 enhances cooperation among Member States through a network of Computer Security Incident Response Teams (CSIRTs) and a Cooperation Group.
Interplay and Interconnection
These four instruments have different scopes, objectives, and legal effects, but they also interact and are interconnected in various ways. For instance:
AI systems that process personal data must comply with both the AI Act and the GDPR.
The AI Act does not affect the application of the GDPR or the ePR to the processing of personal data by AI systems. However, it adds some specific requirements for high-risk AI systems that process personal data, such as data quality, data governance, data protection impact assessment, and data retention.
Electronic communications that involve AI systems must comply with both the AI Act and the ePR.
The GDPR and the ePR provide for the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on individuals. This right applies to any automated decision-making process that falls within the scope of these regulations, whether it involves AI or not. However, the AI Act prohibits certain types of AI systems that manipulate human behavior or exploit vulnerabilities in a manner that causes physical or psychological harm or subverts individuals' autonomy or will.
Entities that fall under the scope of NIS2 must also comply with GDPR when processing personal data related to cybersecurity incidents.
Entities that fall under the scope of NIS2 must also comply with the AI Act when using AI systems for cybersecurity purposes. The NIS2 does not regulate AI systems per se, but it applies to essential and important entities that use AI systems as part of their network and information systems. Therefore, such entities have to comply both with the NIS2 obligations regarding cybersecurity risk-management measures and incident reporting, and with the AI Act obligations regarding conformity assessment and transparency of high-risk AI systems.
The interplay between these four instruments poses significant challenges and opportunities for businesses and citizens alike. On one hand, it creates a complex regulatory landscape that requires careful analysis and compliance efforts. On the other hand, it offers a comprehensive framework that fosters innovation while ensuring trustworthiness, security, privacy, and respect for fundamental rights in the digital economy.
Effects and Implications for Business
Summarizing the impact and effects on businesses before taking a deep dive.
One of the main impacts of these regulations on businesses is that they have to adapt their processes, products, services, and systems to meet different sets of requirements that may vary depending on the sector, activity, location, or type of data involved. This may entail additional costs, resources, training, documentation, audits, certifications, or consultations. Businesses also have to be aware of their rights and obligations regarding data protection, cybersecurity incident reporting, and AI system transparency or prohibitions.
Another impact is that businesses face potential sanctions or liabilities in case of non-compliance with or breach of these regulations. The fines or penalties can be substantial and may affect the reputation, market position, or competitiveness of the business. Moreover, businesses may have to deal with different supervisory authorities or enforcement bodies at the national or EU level, as well as with possible complaints or claims from individuals or other stakeholders.
A third impact is that businesses have to seize the opportunities that these regulations offer to innovate and differentiate themselves in the digital market. By complying with these regulations, businesses can demonstrate their commitment to ethical, secure, and trustworthy AI and data practices, and thus gain the trust and confidence of their customers, partners, and regulators. Furthermore, businesses can benefit from the harmonization and coordination of these regulations across the EU, which can facilitate cross-border operations, collaborations, and access to new markets.
Conclusion
These interconnections imply that businesses and citizens need to be aware of the different rules and obligations that apply to them depending on their activities and roles in relation to ICTs. They also imply that regulators need to ensure coherence and consistency among the different legal frameworks and avoid overlaps or conflicts. In conclusion, the EU's digital regulations are complex but comprehensive instruments that aim to foster a secure, trustworthy, and ethical digital environment for all.
Don't let the AI Act, GDPR, ePR, NIS2 overwhelm you. These are important but complicated laws that affect your organization. We have the expertise and the experience to help you comply with them. Contact us today and find out how we can make your life easier.