The EU Charter of Fundamental Rights says that EU citizens have the right to protection of their personal data.
The EU General Data Protection Regulation (GDPR) is a European Union (EU) law that governs the use, processing, and storage of personal data (information about an identifiable, living person).
Regulation (EU) 2016/679 entered into force on 24 May 2016 and has applied since 25 May 2018.
GDPR applies to processors of the personal data of EU citizens or residents even when those processors are located outside the EU.
There are seven Data Protection Principles, and everything an organisation does must, "by design and by default," take data protection into account. The fines for violating the GDPR are very high: €20 million or 4% of global revenue (whichever is higher), and data subjects also have the right to seek compensation for damages.
All European institutions and bodies have a duty to report certain types of personal data breaches to the European Data Protection Supervisor (EDPS). Where feasible, this must be done within 72 hours of becoming aware of the breach.
The Directive on security of network and information systems (NIS Directive) ensures the creation of, and cooperation between, the relevant government bodies. The Directive was reviewed at the end of 2020, and the resulting NIS2 Directive entered into force on 16 January 2023. Read our article on NIS2.
The Cyber Resilience Act is a proposal for regulating cybersecurity requirements for any hardware or software product with digital elements, making such products more secure. Read more about the Cyber Resilience Act.
The Cybersecurity Act strengthens the role of ENISA (the EU agency that deals with cybersecurity). The agency now has a permanent mandate, and is empowered to contribute to operational cooperation and crisis management across the EU.
On 18 April 2023, the European Commission proposed the EU Cyber Solidarity Act to improve the response to cyber threats across the EU. The proposal includes a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism intended to strengthen cyber defence across the EU.
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and applies as of 17 January 2025.
It aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, making sure that the financial sector in Europe can stay resilient in the event of severe operational disruption.
DORA makes the rules relating to operational resilience for the financial sector more consistent, applying to 20 different types of financial entities and ICT third-party service providers.
Critical ICT Third Party Providers (CTTPS) to Europe's financial firms will also be subject to DORA's requirements. Even providers not designated as CTTPS will likely see requirements pushed down the supply chain and built into their contractual relationships with financial firms.
The information here is not, and does not intend to be, legal advice.
All information, content, and materials are for general information only. The information may not be the most up-to-date, legally or otherwise, and may not be exhaustive. This website contains links to other websites; these are provided for convenience, and Brit does not recommend or endorse the contents of the third-party sites.