EU data economy & digitalization
In response to the era of technological advancement and data-driven societies, the EU has taken an ambitious and proactive step to create a comprehensive regulatory framework that fosters data economy and cybersecurity while preserving and strengthening the core values of the EU. On this page, we provide an overview and more detailed insight into the Regulations and Directives that are a part of the EU’s Digital Decade Strategy to help you navigate this complex landscape and understand its impact on your business.
European rules for the data economy
The European rules for the data economy comprising of legislation, known together as the “Big Five” legislative initiative, includes rules for platforms and digital services, use and sharing of personal and non-personal data, and use of artificial intelligence technologies. Below you will find an overview of the scope and main content of each of the Regulations and Directives that are part of these initiatives.
Use and governance of data
- The EU has outlined its aim to create a “single market” and identified several issues in the prevailing state of affairs, regarding availability of data, imbalances in market powers, data interoperability and quality, data governance, and individuals’ access to their data.
- As part of EU’s data strategy, the Data Act and Data Governance Act and Data Act both address these issues by creating a framework for data governance, making more data available, and facilitating data sharing and access across sectors.
- In November 2025, the European Commission issued a Digital Omnibus proposal to simplify European data rules. The proposed changes to the data legislation include, among others, the repeal of the Data Governance Act and consolidation of data rules into the Data Act and the GDPR, enhanced safeguards against trade secret disclosure, narrower business-to-government data sharing by limiting the regime to “public emergencies,” lighter cloud-switching regimes for custom-made services and services provided by SMEs/SMCs, and the removal of smart-contract requirements.
A European approach to artificial Intelligence
- By establishing new rules for artificial intelligence (“AI)”, the Artificial Intelligence Act and the AI Liability Directive has a significant impact on AI technology industries across all sectors in and beyond the European continent.
- The regulation aims to increase trust in AI technologies by addressing their adverse impacts on individuals’ safety, health and fundamental rights whilst safeguarding the continuous global development and growth of successful innovations in the AI market.
- In November 2025, the European Commission issued a Digital Omnibus proposal to simplify European AI rules. The proposed changes to the AI legislation include, among others, changes to the implementation timeline for rules on high-risk AI systems, a reduced registration burden for providers of AI systems that are used in high-risk areas but that are not high-risk, changes to the oversight role of authorities, exemptions for smaller businesses, and rules on the use of sensitive data.
Digital services package
- The package includes two regulations, the Digital Services Act and the Digital Markets Act.
- By establishing new rules for digital commerce, both the Digital Services Act and the Digital Markets Act will have a significant impact on the digital platform industry.
- The legislative framework provides legal certainty and transparency for SMEs and individual users in a rapidly growing digital environment.
- The regulations aim to safeguard the fundamental rights of individual users of digital services while creating a more competitive environment for innovation and growth both in the European single market and globally.
European rules for cybersecurity
With the rise of digitalization, cybersecurity incidents have increased and new cyber threats have emerged. In response, the EU is working to enhance cybersecurity and resilience within the Union, especially in critical sectors. This effort impacts various entities, systems, and products.
Below you will find an overview of the scope and main content of Regulations and Directives that are part of the EU’s cybersecurity initiative. In addition, Roschier has created a high-level overview of certain recommended preparatory and response measures for cybersecurity incident situations.
Unified EU approach for cybersecurity
- EU is strengthening the Union’s cybersecurity preparedness and capabilities to ensure that organizations across Europe are well equipped to detect and respond to cybersecurity threats and incidents.
- As part of the unified EU cybersecurity approach, the EU has adopted the Cybersecurity Act to give permanent mandate to the EU Agency for Cybersecurity and to establish an EU-wide cybersecurity certification framework for ICT products, services, and processes. In addition, the European Commission has adopted a proposal for the Cyber Solidarity Act, a regulation introducing improved mechanisms for preparing and responding to cybersecurity incidents and a European cybersecurity alerting system.
Resilience of critical and essential entities
- The continuation of essential services in the event of emergencies and crises is fundamental for modern societies. Disruptions in such services could have significant, cross-border effects.
- The EU is aiming to develop the resilience of essential services and has introduced two new Directives, the Network and Information Systems (NIS II) Directive and the Critical Entities Resilience (CER) Directive, stipulating resilience, risk assessment, and notification obligations for entities providing essential services.
Cybersecurity requirements for products with digital elements
- More products with digital elements are placed on the EU market year after year, and the cyber threat landscape for such products is expanding.
- To address the recent development, the EU has proposed a Cyber Resilience Act which would require that products with digital elements made available on the EU market meet specific cybersecurity requirements. The new Act would also require that manufacturers factor cybersecurity into the design and development of their products with digital elements as well as introduce cybersecurity obligations for each stage of a product’s value chain.
Cybersecurity in the financial sector
- Financial entities, such as banks and insurance companies, use complex ICT systems for daily operations. At the same time, digitalization and interconnectedness increase the risks associated with these systems, making the financial industry more vulnerable to cybersecurity incidents.
- The Digital Operational Resilience Act (DORA) is a sector-specific Regulation that strives for enhancing digital operational resilience of financial entities by integrating ICT risk management into their operational frameworks and by ensuring their resistance to and recovery from disruptions.
Preparatory and response measures for cybersecurity incidents
Cybersecurity incidents, such as cyberattacks and security breaches, adversely affect businesses by damaging, disrupting or otherwise negatively impacting network and information systems, the users of such systems, and other persons.
Malicious actors actively find new ways to exploit cyber vulnerabilities, setting a high standard for the cybersecurity preparedness and response capabilities required from businesses to avoid and mitigate the potential adverse effects of cybersecurity incidents.
See below Roschier’s cybersecurity incident guide including a high-level overview of certain recommended preparatory and response measures for cybersecurity incident situations.
