Tech Regulation – Quarterly Newsletter January 2024 | Fieldfisher

Over the last few years, EU and UK legislators have introduced a raft of digital legislation and powers for regulators, covering areas such as platform regulation, data privacy and online safety.

2023 was the year when many of the flagship digital laws across Europe – from the EU Digital Markets Act to the UK Online Safety Act – finally came into effect, even if their full impact may not start to be felt for months to come. It was also the year when Governments and regulators were warned against falling behind the curve without action in rapidly developing areas including AI and cyber security. In our first newsletter of 2024, we look back at technology regulation and the year that was, and cast our eye ahead to the key developments to watch out for in 2024, as the trend towards more – and more strict – digital regulation shows no sign of abating.

At the end of 2023, the Technology Regulation team at Fieldfisher issued a survey to over 1,700 UK and international clients to find out how GCs and other in-house counsel are coping with mounting technology regulation in Europe. The group put together a report highlighting the key findings, the most important being that some tech companies are reconsidering their market strategy in the face of increasing regulatory demands. Just 5% of respondents felt they had a very good understanding of the changes to come in EU and UK tech regulation, while one in five suggested they were delaying cross-border deals for fear of incurring regulatory penalties. See our survey results: Tech companies reconsider market strategy following increasing regulatory demands, survey finds.

Online safety

Online Safety Act (UK)

The Online Safety Act (OSA) finally received Royal Assent on 26 October 2023. The OSA imposes new duties on service providers and grants Ofcom extensive new investigation and enforcement powers.

Looking ahead: Ofcom will be implementing the OSA in phases and has published its updated roadmap to regulation. The first phase of implementation will cover illegal harms; the second child safety, pornography and the protection of women and girls; and the third so-called categorised services.

During each phase, Ofcom will be consulting on draft guidance and codes of practice before each set of codes is approved by Parliament. The first consultation, on illegal harms, opened on 9 November 2023 and will close on 23 February 2024. This consultation provides an opportunity for stakeholders to have their say on Ofcom's proposed measures for user-to-user services and search services regarding illegal content. It also asks for comment on Ofcom's proposed guidance for risk assessments and record keeping. The second consultation, "Implementing the Online Safety Act: Protecting children from online pornography", was issued on 5 December.

The controversial "spy clause", enabling Ofcom to notify service providers that they must use "accredited technology" to identify terrorist or child sexual exploitation and abuse content, remains in the OSA. Ofcom plans to consult on the framework for its use of these powers in 2024.

In terms of next steps, in-scope services should engage with Ofcom's consultations to help shape the regulatory regime. The consultations also mark the beginning of each phase of implementation and provide key milestones for regulation. We expect a busy 2024 of responding to consultations, engaging with Ofcom to ensure the proposed rules and guidance documents are workable, and the entry into force of each phase of the OSA.

The Digital Services Act (EU)

12 months ago we saw the adoption and implementation of the Digital Services Act (DSA) into EU law. The DSA aims to create a single set of rules for increased safety and consistency across digital services in the EU. It imposes obligations around illegal content and transparency in advertising, terms and conditions, content moderation, and traders using digital services.

The first 19 Very Large Online Platforms and Search Engines (VLOPs and VLOSEs) were designated in April 2023 and became subject to the DSA at the end of August. Some of these organisations have already filed legal challenges against their designation as a VLOP. The European Commission has issued its first requests for information and established the DSA Transparency Database. The recent conflict in the Middle East has led to several statements from the Commission about the importance of upholding content moderation rules, particularly for terrorist content and disinformation. It remains to be seen how the Commission will use its full suite of investigatory and enforcement powers in practice.

Looking ahead: The requirements for all other online intermediaries under the DSA will apply from 17 February 2024, and providers will therefore need to ensure they understand and comply with their obligations. Member States must also empower their Digital Services Coordinators (DSC) by this date, which are responsible for supervision and enforcement of the DSA at a Member State level. We expect further updates, guidance, and templates from the European Commission during the course of 2024 as the new transparency and accountability rules for intermediaries and online platforms take effect.

MEPs are already calling for further rules on addictive designs in digital platforms, meaning the DSA may not be the last word on EU online safety.

Finally, the European Commission is preparing the first Delegated Regulation on data access by researchers and DSCs under Article 40 of the DSA, having run a call for evidence on how to shape the framework for data access. The call for evidence invited responses on the types of data access required, the procedure for applying to be a vetted researcher, data formats, and access to publicly available data. The Delegated Regulation is currently scheduled for adoption in Q1 2024.

Platform

Digital Markets, Competition and Consumers Bill (UK)

The Digital Markets, Competition and Consumers (DMCC) Bill substantially overhauls the UK's competition and consumer law regimes. The Bill: (1) imposes unique obligations on firms with Strategic Market Status (SMS), (2) reforms the general competition law framework with a rebalanced merger control system and greater powers to enforce against anti-competitive conduct, and (3) will finally bring the CMA's consumer law enforcement powers to the same level as the competition enforcement regime, with the CMA able to fine businesses up to 10% of their global turnover for infringing consumer law.

Recent amendments tabled to the Bill seek to balance strong new regulatory powers with fair review processes. In particular:

  • While regulatory decisions (except fines) by the CMA will be challengeable on the basis of judicial review principles (including on proportionality grounds), businesses will be able to challenge fines "on the merits" (i.e. on matters of substance as well as process).
  • The CMA will be required to assess and publish evidence supporting the designation of firms as SMS.
  • The Bill now makes clear that the CMA cannot impose a conduct requirement or pro-competition intervention on an SMS firm unless it is proportionate to do so and there is a strong evidence base behind the intervention.

Looking ahead: The Bill is now at Committee Stage in the House of Lords, and is expected to come into force some time in 2024.

Dark patterns – tackling hidden tactics and unlawful practices (UK)

In a joint paper published in August 2023, the UK's CMA and Information Commissioner's Office (ICO) warned online businesses against harmful design practices that could undermine people’s control over their personal information, and lead to worse consumer and competition outcomes. The paper sets out practical examples of potentially harmful design practices (i.e. "dark patterns"), and establishes best practice principles for businesses designing their online choice architecture. Those principles include putting users at the heart of design choice, using design that empowers user choice and control, testing and trialling design choices, and ensuring that those choices comply with relevant laws. The regulators have stated that if they don't see improvements, they will take enforcement action against businesses.

Looking ahead: The CMA and ICO have in recent weeks held meetings and webinars with interested stakeholders in order to refine their approaches to tackling dark patterns. We expect to see enforcement action in 2024 as the CMA progresses two relevant ongoing consumer protection cases, against Wowcher and Emma Group. The addition of fining powers to the CMA's consumer law enforcement arsenal under the DMCC Bill (see above) could materially increase the risk for businesses engaging in these sorts of practices.

Digital Markets Act (EU)

The Digital Markets Act (DMA) imposes conduct obligations and restrictions on the largest digital firms in the name of fair, open and competitive markets. Under the DMA, the European Commission can designate digital platforms as "gatekeepers" if they provide an important gateway between businesses and consumers in relation to "core platform services". The Commission has designated six gatekeepers – Alphabet (i.e. Google), Amazon, Apple, ByteDance, Meta and Microsoft – in relation to 22 individual core platform services. Non-compliance with the DMA carries the threat of fines of up to 10% of the gatekeeper's total worldwide turnover, which can increase to 20% in case of repeated infringement.

Looking ahead: The gatekeepers are required to be fully compliant with the obligations under the DMA by March 2024. Some gatekeepers have filed appeals challenging the designation of certain (although not all) of their services as core platform services. The outcome of the appeals will be key to determining the initial scope of the DMA and clarifying the threshold for the Commission to designate a core platform service. Meanwhile, 2024 will be the first year in which the full effects of the legislation are felt, both for the gatekeepers and for those businesses and individuals that engage with them and use their services day-to-day.

Cyber

Digital Operational Resilience Act (DORA) (EU)

The EU has in recent years adopted a strong focus on developing a framework to bolster the resilience of financial systems operating within its territories. The culmination of this was the approval by the European Parliament in December 2022 of the Digital Operational Resilience Act (DORA), which looks to harmonise approaches on tackling digital operational resilience and IT security across the sector as a whole. DORA seeks to cover the vast majority of the financial services ecosystem and, therefore, applies to a broad spectrum of market participants. There is an exhaustive list of covered entities, including payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions.

DORA introduces five core sets of obligations on financial entities in order to mitigate the risk of exposure to cyber disruptions and threats: (1) the implementation of a risk management framework and governance to detect, prevent and manage IT risks; (2) the management, classification and reporting of ICT incidents; (3) the performance of resilience testing; (4) the sharing of information and intelligence within the sector; and (5) the sound management of ICT third-party risk.

Given the breadth of coverage of DORA, a significant number of firms and their IT suppliers will have to get to grips with the new regulation. Firms will need to more closely scrutinise their technology providers' performance (including by conducting enhanced pre-contract diligence), and will in most cases need to revisit the contracts underpinning those relationships to build in certain minimum protections. IT suppliers will need to improve their infrastructure and performance to stay in the market. Some "critical" providers will be directly regulated for the first time.

Looking ahead: DORA has a two-year implementation period and will apply from 17 January 2025. In the interim, we are awaiting more guidance from regulators (much of it expected by mid-January) around: (i) the contents to be included in ICT security policies, procedures, protocols and tools; (ii) the elements to be included in ICT risk management frameworks; (iii) the criteria for determining which types of ICT incidents are reportable, and the content and timing of those reports; (iv) the contents of the policy on contractual arrangements for the use of ICT services; and (v) the designation of the critical ICT third-party providers who will be directly regulated. We expect financial entities and their IT suppliers to engage more closely with the regulation in Q1 2024, and organisations that are proactive in taking steps to uplift their compliance will be placed at a significant competitive advantage.

NIS Regulations (UK)

Following the most recent review of the UK NIS Regulations, the UK Government released a proposal for extensive reforms in January 2022 and a response to public consultation on that proposal in November 2022.

The changes contemplated are wide-ranging. Managed service providers would be brought directly within the scope of the UK NIS Regulations for the first time. Critical relevant digital service providers (a type of entity regulated by the legislation) would be subject to a new proactive supervisory regime, in addition to the existing reactive regime. The UK Government would be empowered to update aspects of the UK NIS Regulations without parliamentary approval, including sectors regulated by the legislation. Incident reporting obligations would also be expanded beyond those affecting continuity of service to include those which significantly impact the security of network and information systems for essential services.

In its response to the public consultation in November 2022, the UK Government indicated that it intended to release draft legislation once parliamentary time allowed. However, this has not yet occurred. 

Looking ahead: We expect the UK Government to release draft legislation for its proposed reforms to the UK NIS Regulations in the new year. However, given that the next UK general election is due to be held before the end of January 2025, this is not a certainty. Depending on the results of that election, it is possible that the changes described above will not be implemented or will be revised significantly (potentially to align them more closely with the EU's NIS 2 Directive).

NIS 2 Directive (EU) 

The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) entered into force on 16 January 2023. The aim of the NIS 2 Directive is to enhance the overall level of cybersecurity in the EU. In so doing, it replaces and repeals the existing Network and Information Systems Directive (EU) 2016/1148 (NIS 1 Directive). The NIS 2 Directive considerably broadens the scope of the NIS 1 Directive, bringing a large number of new industry sectors (and therefore new types of entities) within scope of the obligations, including wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration. New measures under the NIS 2 Directive include:

  • imposing direct obligations on management in respect of an organisation's compliance, and onerous penalties where those are not complied with; 
  • requiring all covered organisations to put in place cyber risk management measures;
  • acknowledging the importance of security at all levels in supply chains and supplier relationships;
  • clarifying and strengthening incident reporting requirements;
  • providing supervisory authorities with a greater ability to supervise companies; and
  • increasing the sanctions for non-compliance. 

Looking ahead: Member States have until 17 October 2024 to transpose the Directive into national legislation. The majority of obligations imposed on organisations will come into force when the implementing legislation becomes effective in the relevant Member State. Some territories (e.g. Germany) have already issued their implementing legislation; we expect a flurry more in Q1/Q2 2024.

Cybersecurity Act (EU)

The Cybersecurity Act, which came into force in June 2021, established a framework for the cybersecurity certification for ICT products, processes and services (ICT Services).

In April 2023, the European Commission released a proposed amendment to the EU Cybersecurity Act to add managed security services to the types of ICT Services that can receive certification. On 15 November 2023, Member States' representatives (Coreper) reached a common position on the amendment, a key aspect of which was alignment of the definition of managed security service with the equivalent definition in the NIS 2 Directive.

Separately, in October 2023, the European Commission undertook public consultation on a draft implementing regulation to establish the European Common Criteria-based cybersecurity certification scheme (EUCC). If implemented, the EUCC will operate under the Cybersecurity Act and replace all relevant national cybersecurity certification schemes in the EU.

Looking ahead: The amendment to add managed security services to the Cybersecurity Act will soon be the subject of trilogues between the European Parliament, Council and Commission to agree the final text. We expect the amendment is likely to be agreed and adopted in the coming months. The final version of the regulation establishing the EUCC is due to be released by the end of 2023 and will apply 12 months after it comes into force.

Cyber Resilience Act (EU)

In September 2022, the European Commission released a proposed regulation on horizontal cybersecurity requirements for products with digital elements ("Products"). The Cyber Resilience Act aims to avoid overlapping requirements stemming from different pieces of legislation in EU member states and will affect a range of economic actors who are developing, manufacturing, marketing, importing and distributing connectable Products. The proposal entails significant obligations for manufacturers, importers and distributors of Products.

In July 2023, member states' representatives (Coreper) reached agreement at a technical level on the text of the proposed regulation. Recently, on 30 November 2023, the final text of the Cyber Resilience Act was agreed by the EU Commission, Parliament and Council after a series of trilogues. Key areas of negotiation during these trilogues included the body (or bodies) to which security incidents and vulnerabilities must be reported, the period during which manufacturers must guarantee security updates and the approach to open-source software and critical product categories.

Looking ahead: Following agreement at the trilogues, the Cyber Resilience Act is now subject to formal approval by the European Parliament and Council. Once adopted, the Act will enter into force 20 days after it is published in the Official Journal. The majority of the obligations set out in the Cyber Resilience Act become effective 3 years after it enters into force (excluding manufacturers' reporting obligation, which will apply after 21 months).

AI

AI (Regulation) Bill (UK)

A Private Member's Bill was introduced in the House of Lords on 22 November 2023. The short Bill (at less than 10 pages) introduces the concept of an AI Authority to: (1) coordinate with different regulators to set up a regulatory sandbox; and (2) ensure alignment of approach across regulators. This approach is not entirely aligned with the approach set out by Rishi Sunak for the Government, but we are aware that some MPs want a more rigid approach to regulation.

The Bill also refers to the potential for organisations being required to appoint AI Officers to ensure the responsible use of AI, to notify the AI Authority as to the sources of training data for AI where it engages third party IP, as well as establishing independent accredited AI auditors to review processes and systems.

Looking ahead: We are following the AI (Regulation) Bill's progress to see whether it will become law.

Artificial Intelligence Act (EU)

The Act proposes a risk-based approach to AI regulation, whereby AI systems will either be (a) prohibited on the basis of unacceptable risk; (b) permitted subject to compliance with stringent requirements and an ex ante conformity assessment; (c) permitted but subject to certain information and transparency obligations; or (d) permitted without restrictions. On 8 December 2023, EU lawmakers reached a political agreement on the Act.

Looking ahead: The text of the Act still needs to be formally adopted, but this is now almost guaranteed to happen before the EU Parliament elections next summer. Full application may then only happen in 2025. The agreement of the text reflects the strength of the political will of EU lawmakers to be the first region in the world to adopt comprehensive legislation regulating AI. It now puts the EU at centre stage on AI, and in the months to come we can expect another "Brussels effect" similar to that seen with the introduction of the GDPR.

White Paper on AI (UK)

The UK Government's consultation on its White Paper on AI closed on 21 June 2023.

The White Paper aims 'to guide the use of artificial intelligence in the UK, to drive responsible innovation and maintain public trust in this revolutionary technology'. Unlike the EU, the UK's approach to AI is not by way of a new regulator or legislation but instead will establish key principles that existing regulators should consider as part of their remit.

There are no published timescales on when we may see the feedback and/or output from the consultation.

Looking ahead: The UK Government will publish the output following the consultation.

Code of Conduct for Artificial Intelligence (EU)

Despite announcements from the EU in May 2023 about producing a draft Code of Conduct for AI "within weeks" to provide a set of voluntary standards for the use of AI, we've yet to see a draft published. However, on 13 October 2023 the G7 published draft principles for those developing advanced AI systems, on which the European Commission ran a brief call for input.

Looking ahead: We anticipate an international code of conduct for AI developers to follow in the new year. A Code of Conduct would serve as something of a stopgap while the AI Act continues through the legislative process.

Data

Data Governance Act and Data Act (EU)

The Data Act (DA) was formally adopted by the European Council on 27 November 2023. The Regulation aims to ensure fair access to and use of data. Under the DA, manufacturers and service providers will have to allow users of connected devices to access and reuse the data produced by their products and services. It will also allow users to share such data with third parties.

The Data Governance Act (DGA) came into force on 24 September 2023, with the objective of establishing a harmonised framework for data sharing and governance across sectors and Member States. It specifically aims to encourage wider re-use of non-personal data held by public sector bodies, boost data sharing through the regulation of novel "data intermediaries" (organisations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data) and encourage data sharing for altruistic purposes. It also establishes a new European Data Innovation Board which will develop guidelines and standards for data sharing with third parties, including businesses.

Looking ahead: The DA will be published in the Official Journal of the EU in the coming weeks and will enter into force 20 days later. Most of its provisions will apply 20 months from the date of its entry into force. However, Article 3(1) (requirements for simplified access to data for new products) will apply to connected products, and the services related to them, placed on the market after 32 months from the date of entry into force.

Data Protection and Digital Information Bill (UK)

A carry-over motion has been announced to ensure that the Data Protection and Digital Information Bill (DPDI Bill) (recently renamed to remove the "No. 2") will continue its progress in the new parliamentary year.

A revised version of the Bill (as introduced into the House of Commons) was published on 8 November 2023. A "raft of common-sense changes" have been proposed to the revised Bill that will now proceed to the House of Lords for consideration. The changes to the Bill include amendments relating to retention of biometric data for national security purposes, a data preservation process to require social media companies to retain data that may be required for investigations, for example after a suicide, and new powers to require data from third parties such as banks and financial organisations. Owen Rowland, the deputy director and head of data protection policy at the Department for Science, Innovation and Technology (DSIT) stressed at a conference in November that the 'UK data reform bill amendments won't endanger EU data adequacy'. The current EU-UK adequacy decision is reviewed every four years (next in 2025).

Looking ahead: Following its third reading, the Bill passed the report stage on 29 November 2023. It will now proceed to the House of Lords. The expectation is that guidance and FAQs will be published in the next few months and that the Bill will become law in mid-2024 (although there is no limit to debate time in the House of Lords).

Health Data Spaces Regulation (EU)

The European Health Data Space (EHDS) Regulation establishes a health-specific ecosystem aimed at addressing the complexities of current European rules on data sharing in the health sector in order to maximise the potential of health data. The EHDS comprises common standards and practices, infrastructures, rules and a governance framework. The framework will empower individuals through increased digital access to and control of their electronic personal health data, at both national and EU-wide level, as well as fostering a single market for electronic health record systems, relevant medical devices and high-risk AI systems. In addition, the EHDS will provide a trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities. The options for this secondary use of data are being explored by TEHDAS, the joint action Towards the European Health Data Space. The EHDS is a key pillar of the European Health Union and will build on the EU GDPR as well as the NIS 2 Directive, the Data Act and the Data Governance Act. In a recent step forward, on 28 November 2023, a draft Parliament position was adopted by the committees on Environment, Public Health and Food Safety and on Civil Liberties, Justice and Home Affairs.

Looking ahead: The draft position will now be voted on by the full house of the European Parliament in December. The European Commission is hopeful that the EHDS will be finalised by June 2024 and up and running by 2025.

Other technology regulation

European Accessibility Act (EU)

The European Accessibility Act (EAA) requires products and services to be accessible to persons with disabilities. The goal is to improve accessibility across the EU by harmonising accessibility rules for all Member States. The law covers a range of products and services, including computers and operating systems, ATMs, ticketing and check-in machines, smartphones, and banking services.

The EAA came into effect in April 2019, and all Member States were required to pass implementation laws by 28 June 2022.

Looking ahead: Every company that does business in the European market must prepare by making internal modifications to the way it operates. Although the measures envisioned by the EAA are not due to take effect until 28 June 2025, it is recommended that companies begin taking steps now to ensure compliance.

Automated Vehicles Bill (UK)

In the King's Speech on 7 November 2023, it was announced that a new Automated Vehicles Bill will be introduced to ensure the safety and regulation of self-driving vehicle technology. The proposed legal framework aims to establish clear liability for the user, make companies responsible for the behaviour of their self-driving vehicles, set the safety threshold for legal self-driving, introduce a regulatory scheme to monitor the ongoing safety of these vehicles, and provide the government with enforcement tools to maintain safety standards.

Looking ahead: At the time of writing, the Bill is under review by the Committee in the House of Lords. The UK Government has released a policy paper setting out the process for consultation on statutory instruments and guidance, from the upcoming year until 2026.

Media Bill (UK)

The government presented the draft Media Bill to Parliament in November 2023. The aim of the bill is to empower Public Service Broadcasters (PSBs) such as the BBC, ITV, Channel 4, Channel 5, STV and S4C. It includes measures that will help PSBs to compete with streaming giants by making their video-on-demand services and internet programme services more visible and accessible to a wider audience. Additionally, the draft bill offers new protections for UK radio stations to ensure that their services can be easily accessed on smart speaker platforms like Google and Amazon.

Looking ahead: In the King's Speech, the Government confirmed its commitment to move forward with this comprehensive media reform. At the time of writing, the Bill is at the Committee stage in the House of Commons. We expect the Report Stage, which gives MPs an opportunity, on the floor of the House of Commons, to consider further amendments to the draft, to take place over the coming weeks.
