Since 2022, the European Union has been in the midst of a transformation of its regulatory strategy for digital technologies. The goal is an EU digital market that fosters fair competition, protects consumers and data, opens new opportunities for companies and citizens, and supports the EU’s green transition to reach climate neutrality in 2050.
To that end, the EU is developing many technology-related laws and proposals which will affect customers and vendors in various ways.
So far, I have identified the legal proposals and laws in the sections below as directly impacting the Analytics use cases from a technological perspective.
EU Tech Legislation Directly Impacting the Analytical Ecosystem
Data Act
The Data Act focuses on making product data and related service data available to the user of a connected product or related service. It should connect data holders to data recipients, public sector bodies, relevant EU bodies, and authorities.
The key elements to know from this act are:
- Accessibility and transparency: Products and services must be designed to make data accessible to users by default. Users must also be provided with certain transparent information about data before purchasing.
- Data portability: Product users are granted the right to request that data holders make all data generated by products available to third parties of their choice.
- Data-sharing agreements with small and medium-sized enterprises: The Data Act protects medium-sized enterprises against unfair contract clauses in data-sharing agreements with more powerful market players.
- Switching cloud services: Cloud service providers must remove obstacles restricting customers from entering into contracts with new providers and porting over data, applications, and other digital assets to the new provider.
  - In other words, the European Union’s recently enacted Data Act might eventually force all public cloud service providers operating in Europe to stop charging for egress. The Data Act requires the gradual wind-down of switching charges, including charges for data egress, within the next two years.
  - It simplifies exit plans for leaving a cloud service provider and moving to another or returning to on-prem. It also democratises multi-cloud architectures.
  - Incidentally, AWS and Google Cloud have already announced that they won’t charge for egress when moving data to another cloud, although the waiver is subject to approval and to meeting specific requirements. Note that these announcements apply to egress costs for these two cloud service providers worldwide, not only in the EU.
- Rules for international transfer of non-personal data: The Data Act proposes new restrictions, similar to those found in the General Data Protection Regulation (GDPR) and Schrems, applicable to international transfers of non-personal data held in the EU.
- Exclusion for database rights: The Data Act specifies that the database rights created by the EU Database Directive do not apply to databases containing data from or generated by a connected device.
The Data Act has been applicable since 11 January 2024.
Data Governance Act
The Data Governance Act (DGA) aims to improve data-sharing across sectors and EU countries, particularly by facilitating more comprehensive reuse of data held by public sector bodies. For example, it contemplates supporting data-driven innovation using health, mobility, environmental, agricultural, and public administration data. To achieve this aim, it introduces four types of measures:
- Facilitating the reuse of public sector data not currently accessible to third parties.
- Ensuring trust in data intermediaries.
- Supporting individuals and businesses in making their data available for the benefit of society.
- Facilitating data-sharing across sectors and borders and ensuring the correct data is found for the proper purpose.
The Data Governance Act has been applicable since 24 September 2023.
Digital Operational Resilience Act (DORA) – Financial sector
The DORA Act provides the legal means for financial institutions (banks, insurance companies, and investment firms) to use the latest and greatest technology (AI, cloud, blockchain, etc.) while strengthening their IT security and ensuring that the financial sector in the EU can stay resilient in the event of severe operational disruption.
One consequence of this act is that financial institutions are focusing on Disaster Recovery solutions and redesigning existing ones. For example, they want to have the primary and secondary database instances in different regions within the same cloud service provider. The financial institutions are abandoning architectures where their primary and secondary systems are in different availability zones within the same region.
The DORA Act is in force and will apply on 17 January 2025.
Artificial Intelligence Act
The Artificial Intelligence Act is a regulation governing AI systems in the EU and across the EU’s single market. It has two key aims: to maintain trust in the AI systems used in the EU and the EU market, and to create an ecosystem of excellence for AI in the EU. It proposes to achieve these aims by addressing the risks of specific uses of AI, categorising them into four risk levels — unacceptable risk, high risk, limited risk, and minimal risk — and regulating systems that fall into each category accordingly.
The Artificial Intelligence Act is in force. The Commission expects to finalise the Code of Practice by April 2025, and the application should follow later.
AI Liability Directive
The AI Liability Directive is a proposed legal framework for the targeted harmonisation of product liability rules for AI. By enabling victims of AI-related damage to obtain compensation without burdensome evidentiary hurdles, the directive aims to boost consumer confidence in interacting with emerging technologies. It achieves this by alleviating the burden of proof concerning damage caused by AI systems, establishing broader protection for victims, and fostering the AI sector by increasing guarantees. It complements the Product Liability Directive, which covers a producer’s strict liability for defective products, and the AI Act.
The AI Liability Directive has two key features:
- Presumption of causation. It creates a rebuttable presumption of causation when certain criteria are met.
- Preservation of evidence. Regarding high-risk AI systems, it empowers courts to order specific measures to preserve—or enable access to—evidence that could prove a causal link.
The AI Liability Directive is in the construction phase.
Conclusions
The EU digital regulatory transformation shows concern for ensuring that technology truly benefits citizens and organisations operating within the territory. It tries to maintain balance among the different stakeholders without damaging any of them, especially the nationals. Furthermore, it considers that environmental matters are part of the desired outcome.
As a matter of fact, these considerations are not exclusive to the European Union, as many other territories and countries are already legislating on or debating some of these areas.
Consequently, the strategy the European Union is applying in technological legislation may not be seen as restricted to the EU. On the contrary, it shows a worldwide tendency to identify who is involved in the development of a solution and who receives the outcome in order to protect all interests, creating new scenarios that require architecting more advanced solutions.
So, changes in technological laws, such as in the EU, impact technology delivered to the market worldwide. For example, eliminating egress costs when leaving a cloud service provider benefits individuals and organisations anywhere by opening new opportunities to enhance their solutions.
Note that some legislation is not exclusive to the EU, such as the DORA Act, which has equivalents in other countries, such as the UK and Colombia. Furthermore, European legislation inspires laws in regions and countries outside the EU. The European Union also looks at other territories to shape its legal texts and proposals.
So, I recommend:
- Even if your company doesn’t need to comply with the EU Tech Legislation, you may benefit from keeping an eye on what changes they are imposing on tech vendors so you can adopt features, solutions, or discounts.
- Assess which new and proposed laws may apply to your business and what they mean to it. In this post, I only showed the pieces of legislation where I clearly see an impact on Analytical ecosystems.
- You may need, among others, to adopt or modify policies and processes or adapt your services.
- Adopt a holistic approach to compliance and how you adopt new solutions in your company, as it will cost you less time and money. Additionally, it will integrate better with your data architecture and strategy.
  - For example, the proposed AI Act, the proposed Cyber Resilience Act and the GDPR require goods and services to meet prescribed security standards.
  - As an example of the integration with your architecture and requirements, consider moving data from point A to point B. You must meet specific security requirements, such as the data being encrypted with Customer-Managed Encryption Keys (CMEK). When moving the data, you need to decrypt it at the source to read it and encrypt it with a different key when writing it to the target system. So, you must ensure that your solution supports this and that you keep the encryption keys according to your security requirements.
- Allocate appropriate resources.
- Consider indirect impacts.
Finally, please comment below on any other law impacting your Data and AI architecture, or discuss my reasoning. I will benefit from your experience. Thank you.