On 25 May 2018, the widely anticipated and ambitious General Data Protection Regulation (GDPR) became effective for businesses globally, requiring organisations that process personal data to comply with Europe’s fundamental right to data protection in the data-driven economy.

GDPR at 4: The Story So Far

Four years into the GDPR’s legal regime, its impact is clear: individuals are much more aware of their data protection rights, and businesses are settling into the risk-based approach embedded into the GDPR’s overarching principle of accountability. Regulatory fines and enforcement are also commonplace (see our other insights here, here and here).

GDPR: A Foundation To Europe’s “Digital Decade”

The GDPR is arguably the most progressive piece of data protection legislation in the world, setting the standard for data protection legal frameworks globally.

An objective of the European Commission under its Digital Strategy for its “digital decade” is to ensure that the European Union (EU) is “fit for the digital age”. The GDPR plays a huge part in this objective because it is shaping the future of and building the foundation for seven further EU legislative frameworks that businesses can expect to come into law over the next two years.

EU Digital Strategy: 7 New Pieces of Legislation Over 2-Years

To help businesses get to grips with this new legislation, we set out some key information and expected timelines for the seven new pieces of data-driven legislation from the EU that we can expect:


What is it? The AI Act is a regulation that introduces a legal framework for artificial intelligence (AI). The AI Act will regulate the development and use of “high risk” AI systems by establishing rules and obligations for developers, deployers and users of AI technologies and place an outright ban on other AI systems which are harmful to humans. It is estimated that the legislation will affect up to 35% of AI systems used in Europe, applying to everything from toy safety, HR monitoring, aviation safety and emotional manipulation. Obligations on businesses will  be  determined  based on the category of risk triggered by the relevant AI developed - be that “unacceptable risk”, “high-risk”, “limited risk”, or “minimal risk”.

Expected timeline of enactment: end of 2023/start of 2024


What is it? The DA is a legal framework aimed at removing barriers to accessing data (non-personal data and personal data) for both public and private sector bodies (i.e. providers and manufacturers of connected devices and smart objects). Its focus is on accessing, sharing and managing data created by these bodies and end- users. For end-users, the DA focus will reinforce the GDPR’s right to data portability as it will permit end-users to switch providers and facilitate the transfer of data gathered through smart objects and connected devices (from one provider to another). The DA will nonetheless seek to protect trade secrets and confidentiality (similar to the challenges businesses face with the right to data portability under the GDPR).

Expected timeline of enactment: mid-2024.


What is it? While the DA deals with who can share and what data they can share, the DGA deals with how data is shared. The DGA sets out a legal framework to facilitate and enable the safe access to and sharing of certain categories of public-sector data (non- personal data and personal data). The DGA aims to make data available to develop new products and services. It encourages “data altruism” by public bodies (e.g. the re-use of data created by end-users and/or public bodies by those who want to it for research), requires “data intermediaries” to be licensed  to  hold data and will create a European Data Innovation Board. The DGA will also set down strict requirements in relation to anonymisation techniques and secure processing environments.

Expected timeline of enactment: mid-2023.


What is it? The DMA will establish rules concerning the market power of “core platform services” who are “gatekeepers”  (e.g. online search engines, social networking services, app stores, messaging services,  etc.)  in  the  digital  sector.  The  DMA  aims to open up the digital market to new players by ensuring more competition and preventing gatekeepers from abusing the market power they hold (e.g. by imposing unfair conditions on end-users of online platforms).

Expected timeline of enactment: mid-2023.


What is it? The DSA aims to regulate digital services that act as online intermediaries by connecting consumers with goods, services and content (e.g. cloud services, internet  service providers, social networks, etc.). Its objectives include protecting users’ fundamental rights and the  digital  space  against  the spread of illegal content and establishing a strong transparency framework. The obligations of the DSA will apply at  an  earlier stage for very large online intermediaries (e.g.  online  platforms and search engines).

Expected timeline of enactment: early-2024.


What is it? The NIS2D is a response to the ever-growing cyber- attack landscape within the EU and worldwide. It aims to ensure a high, common level of cybersecurity across the EU. The NIS2D updates and expands the scope of the pre-existing framework (the NIS Directive) to include medium and large businesses from more critical sectors (e.g. manufacturing of critical products (including medical device manufacturers),  postal  and  courier  services, public administration, digital services). The NIS2D will also put cybersecurity  and  breach   reporting   obligations   on   operators of essential services and digital service providers (e.g. online marketplaces, search engines and cloud services).

Expected timeline of enactment: early-2024.


What is it? The long-awaited e-Privacy Regulation proposes to update the existing e-Privacy legal framework on electronic communications and reinforce trust  in  e-commerce  services.  It will impact the way tracking technologies (including cookies and metadata) are used along with the direct marketing activities of businesses. While the e-Privacy Regulation’s details have yet to be formally approved and agreed, we can expect this regulation to complement and apply in parallel with the GDPR.

Expected timeline of enactment: an update may be  published  at the end of the French presidency of the Council of the EU (June 2022).


It is important for businesses to  understand  the  application  of  these  new  pieces  of  legislation  over  the next 2 years within the EU. Nonetheless, any business that achieved a level of GDPR readiness since 25 May 2018 should be equipped and have the foundations for the EU’s “digital decade”.