Introduction
The European Union has developed a comprehensive set of digital regulations to govern how data, digital services, and emerging technologies are used across Member States. These rules aim to ensure that digital transformation is safe, fair, and beneficial for citizens, while also supporting innovation and a competitive market. Together, these regulations establish a common legal framework covering key areas such as data protection, online platforms, artificial intelligence, cybersecurity, digital identity, and the reuse of public information. They also ensure that individuals have stronger rights and control over their personal data and digital interactions, while businesses operate under clear and harmonised rules across the EU. The regulations have been grouped into thematic categories, each representing a different dimension of the EU digital ecosystem and the rules that shape it. All the regulations listed below have been formally adopted and published in the Official Journal of the European Union.
Data and information sharing
These regulations govern how data is collected, shared, reused, and accessed across the EU. Their goal is to unlock the value of data while ensuring trust, transparency, and fair access for citizens, businesses, and public authorities.
How they relate
- General Data Protection Regulation (GDPR) protects personal data.
- Data Governance Act (DGA) creates trusted mechanisms for sharing data.
- Data Act defines who can access and use data.
- Open Data Directive promotes reuse of public-sector information.
The GDPR is the law that protects the personal data and privacy of individuals. It regulates how organisations collect, store, and share personal data, giving people strong rights over their information. It applies to all companies and public authorities processing personal data in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
WHAT IS THE AIM OF THE REGULATION?
- The general data protection regulation (GDPR) protects individuals when their data is being processed by the private sector and most of the public sector. The processing of data by the relevant authorities for law-enforcement purposes is subject to the data protection law enforcement directive (LED) instead.
- It allows individuals to better control their personal data. It also modernises and unifies rules, allowing businesses to reduce red tape and to benefit from greater consumer trust.
- It establishes a system of completely independent supervisory authorities in charge of monitoring and enforcing compliance.
- It is part of the European Union (EU) data protection reform, along with the data protection law enforcement directive and Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies.
KEY POINTS
Individuals’ rights
The GDPR strengthens existing rights, provides for new rights and gives individuals more control over their personal data. It includes the following.
- Easier access to an individual's own data, including more information on how that data is processed, presented in a clear and understandable way.
- A new right to data portability. This makes it easier to transmit personal data between service providers.
- A clearer right to erasure (right to be forgotten). When an individual no longer wants their data to be processed and there is no legitimate reason to keep it, the data will be deleted.
- The right to know when their personal data has been breached. Companies and organisations must notify the relevant data protection supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; where it is likely to result in a high risk to individuals' rights and freedoms, they must also inform the individuals affected.
FROM WHEN DOES THE REGULATION APPLY?
The GDPR has applied since 25 May 2018.
View the policy page: https://commission.europa.eu/law/law-topic/data-protection_en
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:310401_2
Example:
A citizen asks an organisation to delete their personal data. Under the General Data Protection Regulation, the organisation must comply with this request without undue delay unless a legal exception applies (for example, where the data is still needed to comply with a legal obligation or to establish, exercise or defend legal claims), ensuring that individuals can exercise effective control over their personal information.
The Data Governance Act provides a framework to enhance trust in voluntary data sharing for the benefit of businesses and citizens.
The economic and societal potential of data is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges. In the area of health, for example, data can contribute to providing better healthcare, improving personalised treatments and helping cure rare or chronic diseases. It is also a powerful engine for innovation and new jobs, and a critical resource for start-ups and SMEs.
However, this potential is not being realised. Data sharing in the EU remains limited due to a number of obstacles (including low trust in data sharing, issues related to the reuse of public sector data and data collection for the common good, as well as technical obstacles).
In order to truly capitalise on this enormous potential, it should be easier to share data in a trusted and secure manner.
The Data Governance Act (DGA) is a cross-sectoral instrument that aims to regulate the reuse of publicly held, protected data, by boosting data sharing through the regulation of novel data intermediaries and by encouraging the sharing of data for altruistic purposes. Both personal and non-personal data are in scope of the DGA, and wherever personal data is concerned, the General Data Protection Regulation (GDPR) applies. In addition to the GDPR, inbuilt safeguards will increase trust in data sharing and reuse, a prerequisite to making more data available on the market.
WHAT IS THE AIM OF THE REGULATION?
The Data Governance Act (DGA) aims to make more data available for reuse and facilitate data sharing across areas such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills for the benefit of European Union (EU) citizens and businesses, creating jobs and stimulating innovation.
KEY POINTS
The regulation sets out:
- conditions for reusing certain protected data held by public sector bodies;
- rules for companies providing data intermediation services;
- a framework for data altruism (the sharing of data voluntarily and for no reward);
- a framework for the European Data Innovation Board (EDIB); and
- measures to permit the secure flow of non-personal data outside the EU.
FROM WHEN DOES THE REGULATION APPLY?
It has applied since 24 September 2023.
See also Data Act
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/data-governance-act-explained
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4604122&qid=1776777660087
Example:
A citizen volunteers their health data, without reward, for a research project. Under the Data Governance Act this is data altruism: the data can be collected through a recognised data altruism organisation, which must be registered, operate on a not-for-profit basis and meet the Act's transparency and safeguard requirements, so that sensitive information is handled securely and public trust is preserved. Wherever the data remains personal (data that has been genuinely anonymised is no longer personal data), the GDPR continues to apply alongside the DGA.
The Data Act is a comprehensive initiative to address the challenges and unleash the opportunities presented by data in the EU, emphasising fair access and user rights, while ensuring the protection of personal data.
The Data Act is designed to empower users — both consumers and businesses — by giving them greater control over the data generated by their connected devices, such as cars, smart TVs, and industrial machinery. It lays the foundation for a fair, innovative, and competitive European data economy. With this aim, the Data Act:
- Ensures that connected devices on the EU market are designed to allow data sharing
- Gives consumers the possibility to choose more services, without having to rely on the manufacturer of the device
- Gives business users in industries like manufacturing or agriculture access to data about the performance of industrial equipment, opening up opportunities to enhance efficiency and optimise operations
- Allows consumers to easily transfer data and switch between cloud providers
- Prohibits unfair contracts that could prevent data-sharing
The Data Act is a cross-sectoral piece of legislation (i.e. it lays out principles and guidelines that apply to all sectors). It does not modify existing data access obligations; however, any forthcoming legislation should align with its principles.
WHAT IS THE AIM OF THE REGULATION?
The regulation aims at:
- guaranteeing a fair distribution of the benefits derived from data amongst stakeholders;
- stimulating a competitive data market;
- opening up opportunities for data-driven innovation; and
- making data, in particular data generated by connected products, more accessible.
KEY POINTS
The regulation ensures fairness in the allocation of the value of data amongst the stakeholders in the data economy. It clarifies who can use what data and under which conditions.
To this end, it includes measures to allow users of connected products, ranging from smartphones and smart household appliances to intelligent industrial machines, to get access to data generated by their use. In addition, it comprises measures to increase legal certainty in relation to data access and use, in particular in the context of connected products, such as:
- clear rules on the permissible use of data and the conditions that apply;
- continued incentives for data holders to invest in high-quality data generation;
- rules facilitating the seamless transfer of valuable data between data holders and data users while preserving confidentiality;
- incentives encouraging more individuals and entities, whatever their size, to participate in the data economy;
- rules on users’ rights to share data with third parties;
- rules on protecting trade secrets and intellectual property rights, with safeguards against abusive behaviour; and
- a system of reasonable compensation for making data available and a dispute settlement mechanism.
Other measures include the following.
- Mitigating the abuse of unfair contracts that impede equitable data sharing. This entails:
- safeguarding enterprises from unjust contractual terms imposed by parties in stronger market positions; and
- developing model contract wording to help market participants draft and negotiate fair data-sharing contracts.
- Enabling public sector bodies to access and use certain data held by the private sector, for example to help in their response to public emergencies.
- Facilitating switching between data-processing service providers to unlock the cloud market in the EU, and the gradual withdrawal of switching charges, contributing to more efficient data interoperability.
- Exempting data acquired through connected products from the provisions of Directive 96/9/EC, the database directive.
- Safeguarding against unlawful third-party government access to non-personal data.
- Enhancing data interoperability, data-sharing mechanisms and services, and common European data spaces.
This regulation does not affect EU or national legal acts providing for the sharing of, access to and the use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the execution of criminal penalties, or for customs and taxation purposes.
FROM WHEN DOES THE REGULATION APPLY?
The regulation entered into force on 11 January 2024 and applies from 12 September 2025.
See also Data Governance Act
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/data-act
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4723374&qid=1776777423741
Example:
A citizen requests the data generated by their connected car and asks for it to be shared with an independent repair shop. Under the Data Act, the data holder (typically the manufacturer) must make this data available to the user, or to the third party the user designates, without undue delay and in a comprehensive, structured, commonly used and machine-readable format, enabling the repair shop to provide its services without unnecessary barriers.
The Open Data Directive (Directive (EU) 2019/1024) promotes the reuse of public-sector information as open data: data in open formats that anyone can use freely and share for any purpose.
WHAT IS THE AIM OF THE DIRECTIVE?
- It aims to boost the socioeconomic potential of public-sector information, for example by making it more easily available for start-ups and small and medium-sized enterprises, by increasing the supply of dynamic data and datasets with a particularly high economic impact, and by promoting competition and transparency in the information market.
- It is part of a package of measures designed to reinforce the European Union’s (EU) data economy, including the development of artificial intelligence.
- Also referred to as the ‘open data directive’, it recasts Directive 2003/98/EC.
- It repeals Directive 2003/98/EC and Directive 2013/37/EU from 17 July 2021.
KEY POINTS
The directive is based on the general principle that public and publicly funded data should be reusable for commercial or non-commercial purposes.
Open data
The directive promotes the use of open data (data presented in open formats that individuals can use freely and share for any purpose). Public-sector bodies and public undertakings must make their documents available in any pre-existing format or language and, where appropriate, by electronic means in formats that are open, machine readable, accessible, findable and reusable, complete with their metadata.
Practical arrangements for reuse
- Public-sector bodies must process requests for document reuse, through electronic means where appropriate, making them available within a reasonable time.
- They must also make the necessary arrangements to facilitate the online search and discovery of the documents they keep.
- EU Member States must also facilitate the effective reuse of documents, in particular by supplying information on the rights outlined in the directive and by offering assistance and guidance.
Exceptions
The directive does not apply to:
- documents for which third parties hold intellectual property rights;
- documents to which access is excluded or restricted by a national access regime, or on the grounds of sensitive critical infrastructure protection;
- documents whose supply falls outside the scope of the public task of a public-sector body or outside the scope of provision of services in the general interest of a public undertaking;
- documents held by public undertakings that are related to activities directly exposed to competition and therefore not subject to procurement rules under Article 34 of Directive 2014/25/EU;
- other documents referred to in Article 1(2) of the directive.
FROM WHEN DO THE RULES APPLY?
The directive had to be transposed into national law by 17 July 2021.
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/legislation-open-data
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4405374&qid=1776771526073
Example:
A citizen uses a mobility app that provides real-time information on public transport services. Under the Open Data Directive, public-sector bodies must make such dynamic data available for reuse immediately after collection, via suitable application programming interfaces (APIs) and, where relevant, as a bulk download, enabling such applications to deliver accurate and up-to-date travel information.
Online platforms and digital markets
These regulations ensure that online platforms operate in a safe, transparent, and competitive manner. They protect users while preventing large digital platforms from abusing their market power.
How they relate
- Digital Services Act (DSA) focuses on safer online services and platform accountability.
- Digital Markets Act (DMA) focuses on fair competition and limiting the power of digital gatekeepers.
The Digital Services Act (DSA) introduces rules for online services used by European citizens in their everyday life. These services include marketplaces, social media networks, app stores, and online travel and accommodation platforms.
The main goal of the DSA is to create a digital space that respects citizens and consumers’ fundamental rights. By establishing a clear set of rules across the EU, the DSA also enables smaller platforms, small and medium enterprises (SMEs) and start-ups to scale up in Europe, fostering innovation, growth and competitiveness.
The DSA is complemented by the Digital Markets Act (DMA), which includes rules for gatekeeper online platforms. Gatekeepers function as bottlenecks between businesses and consumers for digital services, affecting competition and the functioning of the EU internal market. Some of these services are also covered in the DSA, but for different reasons and with different types of provisions.
WHAT IS THE AIM OF THE REGULATION?
The Digital Services Act aims to create a safer online environment for consumers and companies in the European Union (EU), with a set of rules designed to:
- protect consumers and their fundamental rights more effectively;
- define clear responsibilities for online platforms and social media;
- deal with illegal content and products, hate speech and disinformation;
- achieve greater transparency with better reporting and oversight; and
- encourage innovation, growth and competitiveness in the EU’s internal market.
KEY POINTS
The regulation introduces responsibilities and a system of accountability and transparency for providers of intermediary services, such as:
- internet access providers,
- hosting services such as cloud computing and web-hosting services,
- domain name registrars,
- online marketplaces,
- app stores,
- collaborative economy platforms,
- social networks,
- content-sharing platforms,
- online travel and accommodation platforms.
The regulation also includes special rules for:
- very large online platforms (VLOPs) with at least 45 million average monthly active recipients in the EU, i.e. more than 10% of the 450 million consumers in the EU; and
- very large online search engines (VLOSEs) that reach the same threshold.
FROM WHEN DOES THE REGULATION APPLY?
- The regulation applies from 17 February 2024.
- Some rules relating to VLOPs and VLOSEs have applied since 16 November 2022, including reporting obligations, independent audits, data sharing, and supervision (including fees), investigation, enforcement and monitoring.
See also Digital Markets Act
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4625430
Example:
A citizen encounters a fraudulent advertisement on a large online platform and reports it. Under the Digital Services Act, the platform must offer an easy-to-use notice-and-action mechanism, process the report diligently and in a timely manner, remove or disable access to content it finds illegal, notify the reporter of its decision and give the affected user a statement of reasons, and provide an internal complaint-handling system through which the decision can be contested.
The Digital Markets Act is the EU’s law to make the markets in the digital sector fairer and more contestable. In order to do so, the Digital Markets Act (“DMA”) establishes a set of clearly defined objective criteria to identify “gatekeepers”.
Gatekeepers are large digital platforms providing so-called core platform services, such as online search engines, app stores and messaging services. Gatekeepers have to comply with the do's (i.e. obligations) and don'ts (i.e. prohibitions) listed in the DMA.
The DMA is one of the first regulatory tools to comprehensively regulate the gatekeeper power of the largest digital companies. The DMA complements, but does not change EU competition rules, which continue to apply fully.
WHAT IS THE AIM OF THE REGULATION?
The regulation aims to guarantee a competitive and fair digital sector, allowing innovative digital businesses to grow and ensuring the safety of users online, through:
- clear obligations and prohibitions for large online platforms;
- better services and fairer prices for consumers;
- promoting innovation and a fairer online platform environment for technology start-ups;
- giving business users the ability to offer consumers greater choice;
- banning unfair practices on large online platforms.
KEY POINTS
The regulation designates a large online platform as a ‘gatekeeper’ if it meets three qualitative criteria:
- it has a significant impact on the internal market;
- it provides a core platform service that is an important gateway for business users to reach end users; and
- it has an entrenched and durable position in its operations, or is expected to gain one in the near future.
These criteria are presumed to be met when the following quantitative thresholds are reached:
- an annual turnover of at least €7.5 billion in the European Union (EU) in each of the last three financial years, or an average market capitalisation of at least €75 billion in the last financial year;
- a core platform service with at least 45 million monthly active end users and at least 10,000 yearly active business users established in the EU, in each of the last three financial years; and
- the same core platform service provided in at least three EU Member States.
Core platform services include, among other things:
- marketplaces
- app stores
- search engines
- social media
- cloud services
- advertising.
Gatekeepers must:
- allow third parties to interoperate with the gatekeeper’s services in some specific situations;
- allow their business users to access the data generated while using the gatekeeper’s platform;
- allow their business users to promote their product offering and conclude contracts with their customers outside the gatekeeper’s platform;
- provide tools and information to companies who advertise on their platform to carry out independent verification of their advertisements hosted by the gatekeeper.
Gatekeepers must not:
- treat the gatekeeper’s own services and products more favourably in ranking than similar offerings by third parties on the platform;
- track end users outside the gatekeeper’s core platform service to target advertising without consent;
- prevent developers from using third-party payment platforms for app sales;
- process users’ personal data for targeted advertising, unless consent is granted.
FROM WHEN DOES THE REGULATION APPLY?
It has applied since 2 May 2023.
See also Digital Services Act
View the policy page: https://digital-markets-act.ec.europa.eu/about-dma_en
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4622237
Example:
A citizen uses a messaging app and wants to communicate with contacts who use a different service. Under the Digital Markets Act, a gatekeeper providing a number-independent interpersonal communications service must, on request from another provider, make the basic functionalities of that service interoperable (starting with one-to-one text messaging and the sharing of images, voice messages, videos and files), while preserving the level of security, including end-to-end encryption where it is offered, that the gatekeeper provides to its own users. This gives users more choice and prevents lock-in to a single platform.
Artificial intelligence
This regulation establishes rules for the development and use of AI systems in Europe, with a focus on safety, transparency, and protection of fundamental rights.
How they relate
The Artificial Intelligence (AI) Act works closely with:
- General Data Protection Regulation (data protection)
- Data Act (data access and use)
- Network and Information Security Directive 2 (cybersecurity)
The AI Act (Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence) is the first comprehensive legal framework on AI worldwide. It addresses the risks of AI, aims to foster trustworthy AI in Europe and positions Europe to play a leading role globally. Questions on the AI Act are handled through the AI Act Single Information Platform.
The AI Act sets out risk-based rules for AI developers and deployers regarding specific uses of AI. It is part of a wider package of policy measures to support the development of trustworthy AI, which also includes the AI Continent Action Plan, the AI Innovation Package and the launch of AI Factories. Together, these measures are intended to ensure safety, fundamental rights and human-centric AI, and to strengthen uptake, investment and innovation in AI across the EU.
To facilitate the transition to the new regulatory framework, the Commission has launched the AI Pact, a voluntary initiative that seeks to support the future implementation, engage with stakeholders and invite AI providers and deployers from Europe and beyond to comply with the key obligations of the AI Act ahead of time. In parallel, the AI Act Service Desk is also providing information and support for a smooth and effective implementation of the AI Act across the EU.
WHAT IS THE AIM OF THE REGULATION?
Regulation (EU) 2024/1689 aims to encourage the development and uptake of safe and trustworthy artificial intelligence (AI) systems across the European Union (EU) single market in both the private and public sectors, while ensuring EU citizens’ health and safety and respect for fundamental rights. The regulation sets out risk-based rules on:
- placing on the market, putting into service and using certain AI systems;
- banning certain AI practices;
- requirements and obligations around high-risk AI systems;
- transparency for certain AI systems;
- transparency and risk management for general-purpose AI models (powerful AI models that underpin AI systems capable of carrying out a wide range of tasks);
- market monitoring, market surveillance, governance and enforcement;
- supporting innovation, focusing on small and medium-sized enterprises (SMEs) and start-ups.
KEY POINTS
What is an AI system?
An AI system is a machine-based system designed to operate with varying levels of autonomy that:
- may adapt after it is deployed; and
- for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.
FROM WHEN DOES THE REGULATION APPLY?
The regulation applies from 2 August 2026, with the following exceptions:
- the prohibitions, definitions and obligations regarding AI literacy have applied since 2 February 2025;
- the rules on the governance structure, penalties and obligations for providers of general-purpose AI models have applied since 2 August 2025;
- the obligations for high-risk AI systems that are, or are safety components of, products covered by the EU harmonisation legislation listed in Annex I of the regulation apply from 2 August 2027.
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4762484&qid=1776776519207
Example:
A citizen applies for a job where their CV is evaluated by an AI-based screening system. Under the Artificial Intelligence Act, AI used for recruitment and candidate selection is classified as high-risk. Its provider must therefore put in place a risk-management system, apply data governance practices that limit biased and discriminatory outcomes, produce technical documentation, enable automatic logging so the system's operation can be audited, provide instructions that allow effective human oversight, and ensure an appropriate level of accuracy, robustness and cybersecurity. The employer deploying the system must use it in line with those instructions, keep it under human oversight, and inform affected workers and their representatives that it is in use.
Cybersecurity and digital resilience
These regulations strengthen cybersecurity across Europe by improving the security of organisations, critical services, and digital products.
How they relate
- Network and Information Security Directive 2 (NIS2) focuses on organisations and critical sectors.
- Cyber Resilience Act (CRA) focuses on secure digital products and software.
The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement.
Cybersecurity involves protecting network and information systems (NIS), their users, and other affected individuals from cyber incidents and threats. To respond to the increased exposure of Europe to cyber threats, Directive (EU) 2022/2555, also known as NIS2, replaced its predecessor, Directive (EU) 2016/1148 or NIS1. NIS2 raises the EU common level of ambition on cybersecurity through a wider scope, clearer rules and stronger supervision tools. It requires Member States to enhance their cybersecurity capabilities, while introducing risk-management measures and reporting requirements for entities from more sectors and setting up rules for cooperation, information sharing, supervision, and enforcement of cybersecurity measures.
The directive mandates that each Member State adopt a national cybersecurity strategy, which includes policies for supply chain security, vulnerability management, and cybersecurity education and awareness. Member States must also establish and regularly update a list of essential and important entities, ensuring these entities comply with the directive's requirements.
In addition to the sectors already covered by NIS1 (energy, transport, healthcare, finance, water management, and digital infrastructure), the new rules also apply to providers of public electronic communications, more digital services (such as social platforms), waste and wastewater management, critical product manufacturing, postal and courier services, and public administration at both central and regional levels, as well as the space sector. As a rule, medium-sized and large entities in these critical sectors have to take appropriate cybersecurity risk-management measures and notify the relevant national authorities of significant incidents, i.e. incidents that could cause significant disruption or damage. Notification is staged: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month.
The directive also includes provisions for supervision, enforcement, and voluntary peer reviews to enhance mutual trust and cybersecurity capabilities across the EU. It also introduces accountability of the top management for non-compliance with cybersecurity risk management measures thus bringing cybersecurity to the attention of the boardroom.
The directive sets up a network of Computer Security Incident Response Teams (CSIRTs) to exchange information on cyber threats, and respond to incidents. These teams are crucial for maintaining situational awareness and offering assistance. To manage large-scale cybersecurity incidents or crises, the directive creates the European cyber crisis liaison organisation network (EU-CyCLONe). This network supports coordinated management and ensures regular information exchange among Member States and EU institutions in case of large-scale incidents and crises.
In parallel, the NIS Cooperation Group is a platform established by the NIS Directive to facilitate strategic cooperation and information exchange among EU Member States, the European Commission, and the EU Agency for Cybersecurity (ENISA). The group publishes non-binding guidelines and recommendations to support the implementation of the NIS Directive.
On 20 January 2026, as part of a new cybersecurity package, the Commission proposed targeted amendments to the NIS2 directive to increase legal clarity. The amendments are intended to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU, easing compliance for 28,700 companies, including 6,200 micro and small-sized enterprises.
WHAT IS THE AIM OF THE DIRECTIVE?
The directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market. To that end, it lays down:
- obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs);
- cybersecurity risk-management measures and reporting obligations for entities of a type referred to in Annex I or II as well as for entities identified as critical entities under Directive (EU) 2022/2557;
- rules and obligations on cybersecurity information sharing;
- supervisory and enforcement obligations on Member States.
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02022L2555-20221227&qid=1776776242474
Example:
A citizen is receiving medical treatment at a hospital that suffers a cybersecurity incident affecting its IT systems. Under the NIS2 Directive, the hospital, as an entity in the health sector, is required to maintain appropriate risk-management measures, implement incident-handling and business-continuity plans, and follow the directive's staged notification procedure (early warning within 24 hours, full notification within 72 hours, final report within one month) to ensure continuity of care and protect sensitive patient data.
The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying software or hardware products with digital elements. The CRA addresses the inadequate level of cybersecurity in many products and the lack of timely security updates. It also tackles the challenges consumers and businesses currently face when trying to determine which products are cybersecure and when setting them up securely, making it easier to identify hardware and software with the proper cybersecurity features.
The CRA introduces mandatory cybersecurity requirements for manufacturers, covering the planning, design, development and maintenance of such products. These obligations must be met at every stage of the value chain. The CRA also requires manufacturers to handle vulnerabilities during the lifecycle of their products. Some products of particular relevance for cybersecurity may need to undergo a third-party assessment by a notified body before they are sold on the EU market.
The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and EU Security Union Strategy. It complements other legislation in this area, specifically the NIS2 Directive.
WHAT IS THE AIM OF THE REGULATION?
Regulation (EU) 2024/2847, the Cyber Resilience Act (CRA), aims to strengthen cybersecurity across the European Union (EU). It sets out a comprehensive framework to ensure that digital products and services are:
- secure by design;
- resilient against cyber threats; and
- capable of providing continuing protection throughout their life cycle.
It addresses the growing cybersecurity challenges posed by the increasing connectivity of devices and the rise of cyberattacks, which have significant economic and societal impacts.
KEY POINTS
The CRA has several core objectives.
- Enhance cybersecurity across the EU by setting mandatory cybersecurity requirements for products with digital elements.
- Promote secure practices by encouraging manufacturers to integrate cybersecurity into the product design and development phases.
- Ensure transparency and accountability by requiring manufacturers to provide clear information about the cybersecurity features of their products and to take responsibility for addressing vulnerabilities.
- Foster a single market for cybersecurity by harmonising rules across EU Member States to reduce fragmentation and ensure a level playing field.
FROM WHEN DOES THE REGULATION APPLY?
The regulation applies from 11 December 2027, with some exceptions:
- reporting obligations concerning actively exploited vulnerabilities and severe incidents apply from 11 September 2026;
- notification of conformity assessment bodies applies from 11 June 2026.
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4797302
Example:
A citizen installs a smart home device that relies on regular security updates to operate safely. Under the Cyber Resilience Act, manufacturers are required to fix vulnerabilities and provide ongoing security support throughout the product’s lifecycle, ensuring that consumers remain protected against emerging threats.
Digital identity and public services
These regulations support seamless digital interactions across borders and help public administrations work together more effectively.
How they relate
- Electronic Identification, Authentication and Trust Services (eIDAS) enables trusted digital identity and electronic signatures.
- Interoperable Europe Act improves data exchange and cooperation between public administrations.
The eIDAS regulation facilitates secure cross-border transactions by establishing a framework for digital identity and authentication. It aims to create confidence in electronic interactions and promote seamless digital services in the EU.
Benefits of eIDAS
With eIDAS, the EU has managed to lay down the right foundations and a clear legal framework for people, companies and public administrations to safely access services and carry out transactions online. Indeed, rolling out eIDAS means higher security and more convenience for any online activity, such as submitting tax declarations, enrolling in a foreign university, setting up a business in another Member State, or bidding in online calls for tenders. In the future, uses will be extended to authenticating internet payments and remotely opening a bank account.
eIDAS brings benefits to European businesses, citizens and government services.
FROM WHEN DOES THE REGULATION APPLY?
The regulation has applied since 17 September 2014.
View the policy page: https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02014R0910-20241018&qid=1776859628848
Example:
A citizen uses their European Digital Identity Wallet to sign a rental contract online. Under the eIDAS Regulation, this qualified electronic signature carries full legal effect across all EU Member States, ensuring that the contract is recognized as valid regardless of where it is executed.
The Interoperable Europe Act entered into force on 11 April 2024. The Act aims to strengthen cross-border interoperability and cooperation in the public sector across the EU.
The Act introduces a structured and co-owned EU cooperation framework for public administrations with the following pillars:
- An Interoperable Europe Board, co-owned by the Member States and the EU and supported by public and private actors, to develop a common strategic agenda for cross-border interoperability, support the operational implementation of interoperability solutions, and monitor progress.
- Mandatory interoperability assessments to evaluate the impact of changes in IT systems related to cross-border interoperability in the EU.
- An ‘Interoperable Europe Portal’ as a community platform and one-stop-shop for shared and reusable interoperability solutions.
- Innovation and support measures, including regulatory sandboxes and GovTech cooperation, to promote policy experimentation, skills development and the scaling up of interoperability solutions for reuse.
The interoperability cooperation framework will be steered by the Interoperable Europe Board. The Board will be composed of representatives from the EU Member States, the Commission, the Committee of the Regions and the European Economic and Social Committee.
KEY POINTS
Objectives of the regulation:
- sets up a clear legal framework to support interoperability of trans-European digital public services across a range of administrative levels and sectors;
- promotes the digital transformation of public administrations aiming to achieve fully interoperable public services by 2030;
- enhances connectivity and inclusivity, by aiming to ensure that digital transformation benefits reach rural and remote areas.
FROM WHEN DOES THE REGULATION APPLY?
It applies from 12 July 2024. Rules on interoperability assessments, sharing solutions between EU bodies and public sector bodies, and appointing national competent authorities and single points of contact apply from 12 January 2025.
View the policy page: https://interoperable-europe.ec.europa.eu/interoperable-europe/interoperable-europe-act https://commission.europa.eu/publications/interoperable-europe-act_en
View the legal text summary: https://eur-lex.europa.eu/EN/legal-content/summary/interoperable-europe-act.html
Example:
A citizen who is moving to another EU country requests the transfer of their educational records. Under the Interoperable Europe Act, public administrations can exchange these documents automatically, reducing administrative burden and ensuring a smoother cross-border relocation process.
Accessibility and inclusion
This regulation ensures that key digital products and services are accessible to everyone, including persons with disabilities and older citizens.
How they relate
- European Accessibility Act complements other EU digital regulations by helping ensure that digital services and technologies are accessible to all users.
The European accessibility act is a directive that aims to improve the functioning of the internal market for accessible products and services, by removing barriers created by divergent rules in Member States.
Businesses will benefit from:
- common rules on accessibility in the EU leading to cost reduction.
- easier cross-border trading.
- more market opportunities for their accessible products and services.
Persons with disabilities and elderly people will benefit from:
- more accessible products and services in the market.
- accessible products and services at more competitive prices.
- fewer barriers when accessing transport, education and the open labour market.
- more jobs available where accessibility expertise is needed.
WHAT IS THE AIM OF THE DIRECTIVE?
- It aims to bring benefits to businesses, people with disabilities and the elderly. Applying accessibility requirements will clarify the existing accessibility obligation in EU law, particularly in public procurement and structural funds.
Products and services covered
The European accessibility act covers products and services that have been identified as being most important for persons with disabilities while being most likely to have diverging accessibility requirements across EU countries.
The Commission consulted stakeholders and experts on accessibility and took into account the obligations deriving from the UN convention on persons with disabilities. These products and services include:
- computers and operating systems
- ATMs, ticketing and check-in machines
- smartphones
- TV equipment related to digital television services
- telephony services and related equipment
- access to audio-visual media services such as television broadcast and related consumer equipment
- services related to air, bus, rail and waterborne passenger transport
- banking services
- e-books
- e-commerce
FROM WHEN DOES THE DIRECTIVE APPLY?
It has to become law in the EU countries by 28 June 2022. EU countries must apply the measures from 28 June 2025. However, EU countries may:
- delay compliance for the European emergency 112 number until 28 June 2027;
- give service providers whose facilities were already lawfully in use by 28 June 2025 a further 5 years (until 28 June 2030);
- allow self-service terminals to operate until the end of their economically useful life, but no longer than 20 years after entering service.
View the policy page: https://commission.europa.eu/strategy-and-policy/policies/justice-and-fundamental-rights/disability/european-accessibility-act-eaa_en
View the legal text summary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:4403933
Example:
A citizen with visual impairment accesses a financial services website using a screen reader. Under the European Accessibility Act, the website must meet accessibility standards that ensure essential digital services can be used independently by people with disabilities.