European Legislation and Regulation

The GDPR is the European privacy directive. In the Netherlands, it is further elaborated in the Dutch GDPR Implementation Act (in Dutch, Uitvoeringswet AVG). The law has been in effect since 2018. A report on the outcomes of this law is due in 2024, which may lead to a revision.

The Digital Services Act came into effect across Europe in 2022. This law applies to intermediary services, including social media platforms and app stores. The DSA primarily aims to protect citizens from illegal content and misinformation.

The DMA came into force in 2023. This regulation assigns responsibilities to providers of major digital platforms and online service providers. The DMA includes rules, prohibitions, and obligations for these platforms. It also contains rules about the use and sharing of data.

eIDAS stands for ‘Electronic Identities And Trust Services’. With eIDAS, the European member states have agreed to uniform concepts, levels of assurance, and digital infrastructure. In 2023, the eIDAS regulation was amended to make the access provided by this system universal. Part of the regulation is the cross-border use of European-recognised login tools and certificates.

The Single Digital Gateway is a regulation that establishes a single digital access point. This gateway provides online access to the necessary information, administrative procedures, and services to live or run a business in another EU country.

The Data Governance Act is a key pillar of the European Data Strategy. Its aim is to utilise data capacity for the benefit of European citizens and businesses. The DGA will make more data available and facilitate data sharing between sectors and EU countries.

The Directive on Open Data and the Reuse of Public-Sector Information promotes the use of open data by governments.

The Directive on the Accessibility of Websites and Apps of Public Sector Bodies helps member states achieve their accessibility goals and meet the obligations of the UN Convention on the Rights of Persons with Disabilities (CRPD). Another goal of the directive is to harmonise the accessibility requirements of EU countries. In the Netherlands, the directive is further elaborated in the Temporary Decree on Digital Accessibility of the Government (in Dutch, Tijdelijk besluit digitale toegankelijkheid overheid).

The Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS2) aims to further strengthen cybersecurity in Europe. The directive provides legal measures to raise the overall level of cybersecurity in the EU.

The Data Act allows public authorities to access data from third parties, provided the data is requested for a legitimate purpose, such as an emergency. The regulation was passed at the end of 2023 and has a long implementation period. It will be until 2026 before all the rules in the Data Act are mandatory.

The AI Act includes requirements and frameworks for the development and use of AI systems by governments and market players, facilitating innovation and economic development while protecting public values.

The EU is working on a regulation to establish interoperability frameworks for sharing information in the public sector. There are already several EU interoperability initiatives, such as the European Interoperability Framework (EIF). They are non-binding and have limited impact. The Interoperability Act aims to improve the quality of public services across all EU countries. The regulation was provisionally adopted in 2023.

With the Cyber Solidarity Act, the European Commission strives to strengthen the cybersecurity capabilities of member states and the EU.

The proposed Gigabit Infrastructure Act focuses on accelerating the installation of high-quality networks by making it financially attractive. The proposal is still in an early stage and may take until 2030 to be enacted into law.