Are new or material changes to those key data privacy and cybersecurity laws anticipated in the near future?
Last review date: 30 December 2023
In July 2023 the German Federal Ministry of the Interior and Community published a draft bill with respect to the implementation of the NIS 2 Directive.
In September 2023 the Federal Ministry of the Interior and Community published a first draft law amending the German Federal Data Protection Act. The draft focuses inter alia on the role of the German Data Protection Conference.
European developments
New data- and cyber-related legislation was enacted in the European Union in 2022 and 2023 that will come into force, or be implemented in Member States, in the next few years.
The Digital Operational Resilience Act ("DORA"), which lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities, entered into force in January 2023, and includes a two-year implementation window with the new rules taking effect on 17 January 2025.
The NIS2 Directive, which in particular broadens the scope of application and also extends the relevant obligations in comparison to NIS, requires Member States to apply implementing measures from 17 October 2024.
In December 2023, Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data ("Data Act") was published in the Official Journal of the EU. It shall apply from 12 September 2025. The Data Act contains provisions regarding the access, use, making available and sharing of data (both personal and non-personal data) generated by the use of connected products and related services. Users can also ask data holders to make this data available to third parties.
A political agreement on the EU Artificial Intelligence Act ("EU AI Act") was announced in December 2023. The EU AI Act provides for graduated regulation of AI products based on risk categories: it prohibits certain technologies and imposes obligations on technology producers and deployers based on the risk category into which the AI product falls. The EU AI Act should apply two years after its entry into force, with some exceptions for specific provisions. The EU AI Act awaits formal adoption by the European Parliament and the Council.
A political agreement was also reached on the Cyber Resilience Act, in November 2023. It will introduce new obligations on manufacturers of products with digital elements designed to ensure the cybersecurity of such products. Manufacturers will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market. The Cyber Resilience Act awaits formal adoption by the European Parliament and the Council.
There is further data- and cyber-related legislation pending in the EU.