Europe’s catch-up sprint: where do we stand in the Digital Decade?

I see the Digital Decade as a significant catch-up sprint. One driven by good intentions and one that may ultimately deliver gains across all relevant areas, including fundamental rights. That said, it is a sprint that started rather late.

In several previous articles, we explained the Digital Decade: which pieces of legislation are coming, what their core pillars are, and how organisations should deal with them. In this article, we take stock of the catch-up effort already under way. What lies behind us, and where are we now?

The Digital Decade in 2024: an overview

Below is an overview of legislative instruments that became relevant (or more relevant) in the field of technology and law in 2024 (in this article, we refer to European legislation using English terminology). The instruments shown in squares are already in force and applicable. The instruments shown in ovals are final and organisations can already prepare for them, but they are not yet applicable. Below, we discuss developments per topic as categorised in the image.


Overview of legislation 2024, ‘oval’ means in force but not yet applicable, ‘square’ means in force and applicable.

Cyber security: new obligations ahead

In the field of cyber security, the Digital Decade introduces many new obligations for a wide range of parties. For example, the Network and Information Security Directive (NIS2) applies to many more entities, including IT service providers. Whereas the financial sector has long been subject to harmonised obligations aimed at preventing fraud, obligations are now also harmonised in relation to securing networks and information systems. These obligations do not come out of the blue, as this sector was already subject to extensive requirements under, for example, European public procurement rules. Want to know more about cyber security? See also this earlier overview.

Data: from privacy to broader data protection

The GDPR remains the foundation for safeguarding privacy and personal data protection, but the focus is shifting from personal data to data more broadly. Creating safety and trust in the digital society requires more than privacy alone. The legislation we see in 2024 reflects this broader perspective on secure data sharing.

The Data Act (DA) introduces rights and obligations relating to access to and sharing of data generated by connected devices. The obligations under the DA give greater control to the party from whom the data originate and create opportunities to share that data with third parties. The Data Governance Act (DGA) establishes a data-sharing framework designed to facilitate the reuse (for altruistic purposes) of certain categories of publicly held government data. The DGA also introduces a framework for data intermediation services, which are intended to provide a secure and trustworthy platform for data sharing. With both legislative instruments, the legislator aims to safely unlock the full value of (re)using data.

Healthcare and data

The recently published European Health Data Space (EHDS) is an EU initiative to facilitate access to, exchange and use of health data across countries, with the aim of improving healthcare and promoting research, while safeguarding patient privacy. The EHDS requires a substantial shift from current practices in almost every Member State, but it opens up endless possibilities for healthcare.

The Dutch Act on Data Exchange by Collaborative Partnerships (Wet gegevensuitwisseling door samenwerkingsverbanden, WGS) is not part of the Digital Decade, but we briefly address it here. It is a national implementation of the Digital Decade principles aimed at sharing more data in a safer manner. The Act seeks to provide a solution for organisations that exchange data to combat crime but lack a clear legal framework for doing so.

The Act enables statutorily designated collaborative partnerships to exchange data for specific purposes. The WGS has attracted considerable criticism. It is not entirely clear what personal data may be shared, when and for what purposes, which often results in broader powers than originally intended. A form of competence creep, in a way.

The AI Act and AI systems

Then there is the current frontrunner: the AI Act. Much discussed and widely feared, the AI Act is shaking up a technology sector that continues to produce tool after tool. The AI Act introduces obligations based on the risk level of an AI system. The greater the risk to people, the environment and society, the greater the care required in the development, modification and deployment of the system.

Products and services for individuals: modernising liability

On 23 October, the Product Liability Directive (PLD) was adopted. The PLD modernises the existing liability framework for producers in respect of damage caused by their products. Under the PLD, a producer can be held liable for damage caused by a defect even without fault. Proving causation, which is required to obtain compensation, is particularly difficult for consumers. The PLD therefore introduces several evidentiary advantages for consumers. Dutch critics argue that, in practice, the PLD offers limited additional tools within the Dutch compensation system to make it easier to obtain damages.

Until recently, only personal injury or property damage fell within the scope of the PLD. Under the revised PLD, damage caused by data loss is also covered. The PLD now explicitly applies to software, including where software is used as a component in another product.

The Electronic Identification and Trust Services Regulation (EUDI) requires public services to enable online identification. In principle, this is not new in the Netherlands. What is new is that these services must be interoperable across borders. In addition, the EUDI introduces the digital wallet, which can link your identity to other personal information. From 2026, Member States must offer this to everyone. Certain private services are also required to accept the digital wallet, such as banks, insurance companies, very large online platforms and energy suppliers.

The European Accessibility Act

The European Accessibility Act (EAA) plays an important role in the pursuit of equal access to digital services and products for everyone, whether as a citizen or a consumer. The EAA requires that products and services offered or provided on the European market comply with specific accessibility requirements. This is not a new concept, as public authorities were already required to comply with accessibility legislation.

Intermediaries

The Digital Services Act (DSA) and the Digital Markets Act (DMA), although applicable for some time, took on clearer shape in 2024. The European Commission informed X of its preliminary findings that X is in breach of the DSA. These findings relate to the use of dark patterns (broadly speaking, misleading design techniques that steer users into taking certain actions), a lack of transparency around advertising, and access to data for researchers. In addition, the Commission initiated formal proceedings against Temu. That investigation concerns the sale of illegal products, the addictive design of the application, recommender systems and the lack of access to data for researchers.

The DSA creates opportunities for certified researchers to request data from Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) to investigate systemic risks in the EU. Rules clarifying the procedures and conditions for this data access are currently under development.

Is that everything?

There are many other legislative instruments that may be relevant but are not included in this overview. Examples include the Right to Repair Directive, which concerns the ability to repair broken products, and the AI Liability Act, through which the legislator aims to improve the internal market and establish uniform rules on civil liability for damage caused by AI systems (not yet final; more on the EU’s vision on liability in relation to AI systems can be found here). Do not forget legislation that is already applicable.

Pay close attention, therefore. Which legislative instruments are relevant for your organisation depends on what your organisation does, the data it holds and the role it plays. Do not fixate solely on this overview. For a more comprehensive overview (including older legislation), see our legislative overview from September 2024. Want an even broader picture? The so-called “blue wall” by Kai Zenner maps all legislation relating to the Digital Decade and is updated regularly.

Implementation: challenges and delays

The first pieces of Digital Decade legislation are in force and Member States are busy with implementation. Although in practice many companies are responding quickly and the new legislation is receiving significant attention, implementation is not entirely smooth. Or at least, it is not keeping pace with the speed at which the EU has launched its catch-up sprint.

We see this, for example, in the Netherlands being late with the implementation acts for NIS2 and the Critical Entities Resilience Directive (CER). Drafts do exist, but the deadline for transposition into national law was 17 October 2024. The implementing act for the DGA has recently been officially published, but the Regulation has been applicable since 2023.

In addition, the “supervisory framework” overseeing the implementation of the Digital Decade is proving complex. The Authority for Consumers and Markets (ACM) and the Dutch Data Protection Authority (AP), for example, both supervise compliance with the DSA. In practice, this means that the same systems may fall under the competence of both authorities, each for a different aspect. Many supervisory authorities are gaining additional tasks as a result of Digital Decade legislation. The ACM, for instance, will oversee the DGA and the DA. Shared and complementary supervisory tasks are not new, but effective execution takes time. And there is not much time available.

With regard to supervision of compliance with the AI Act, the AP and the Inspectorate for Digital Infrastructure (RDI) have advised the government to involve all market surveillance authorities and inspectorates, with the AP acting as coordinating authority. They recommend aligning AI supervision in the various sectors and domains as closely as possible with existing supervisory structures.

No formal decision has yet been taken by the government. The Dutch government unsuccessfully requested an extension of the implementation period. “Compliance with the AI Regulation (including correct classification of AI systems) will be subject to supervision. Work is currently under way on the design of supervision of the AI Regulation,” said State Secretary Zsolt Szabó in response to parliamentary questions on 8 November 2024. This is despite the fact that the first parts of the AI Act will become applicable from February 2025.

The State Secretary notes that AI is applied across various domains and that effective supervision therefore requires cooperation between different ministries. This appears to align with the vision of the AP and the RDI.

Returning to the introduction, the sprint was launched with the best intentions, but it may even be moving a little too fast. The rest of the team is still lagging, while this is a race we need to finish together.

What should we take away from this?

Unfortunately, I cannot in good conscience conclude this article with a simple tick-the-box list of obligations to comply with all applicable legislation. As explained earlier, the application of legislation depends so heavily on an organisation’s data, role and services that a single list will never be sufficient. Given the new rights and obligations introduced by the Digital Decade and the constantly evolving tech landscape, it is essential to ensure that someone within your organisation, internally or externally, is responsible for this question: where do we stand within the Digital Decade and what do we need to do?

Beyond specific obligations, it helps if your organisation adopts the following mindset. All legislation stemming from the Digital Decade broadly aims to achieve the same goal: a thriving technology market that can compete with other global powers while safeguarding the fundamental rights agreed within the EU.

Applying that mindset in practice mainly means:

  • continuing to think critically and ask questions, and

  • safeguarding fundamental rights in the use of technology.

Preparing for the future

Even when AI takes over tasks, it remains important to keep thinking for yourself. Use common sense before turning to legal obligations. Does it really make sense to use an AI tool to screen CVs? How do we think our customers will respond, or how would a third party view this given our position? Perhaps we should go back to the drawing board with the developers or introduce limitations in how the tool is implemented.

Perhaps most importantly, embed the protection of fundamental rights in the use of technology. The right to privacy, freedom of expression and non-discrimination, but also the freedom to conduct a business, are fundamental principles that are further elaborated in legislation. When you take these rights seriously, you are often already on the right track before opening the statute book.

This approach will not magically reveal all specific legal obligations, but the questions “are we allowed to do this?” or “should we want to do this?” will already have been answered before you consult your lawyer.

It remains essential to connect technology and ethics and to continuously reflect on the consequences of the choices you make. With that mindset, your organisation will always be ready for the year ahead.
