As of January 17, 2025, financial entities and their critical information and communication technology (ICT) service providers need to comply with the new cybersecurity requirements in the Digital Operational Resilience Act (DORA). DORA introduces significant operational and ICT security requirements for a wide range of financial market participants, including banks, insurers, and trading platforms, as well as for their ICT service providers.
Laura Brodahl
New EU Cybersecurity Obligations for Connected Devices: What You Need to Know
UPDATED: November 20, 2024
On November 20, 2024, the European Union officially published the Cyber Resilience Act (CRA), which introduces cybersecurity obligations for internet-connected hardware and software products offered in the EU (such as wearables). The CRA will enter into force on December 10, 2024, and companies have until September 11, 2026, to comply with the first wave of obligations.
Regulators in Europe Signal Increased Scrutiny of Online Platforms
In recent months, politicians and regulators across a number of jurisdictions have called on operators of online platforms to take seriously their legal obligations to promote a safe online environment. The safety of children online has continued to dominate this conversation, with a recent joint UK-U.S. statement (Statement) declaring that online platforms should “go further and faster in their efforts to protect children.”
This alert sets out the regulatory focus areas of the European Commission (EC), the Irish Coimisiún na Meán (CNAM), and the UK’s online safety regulator Ofcom.
Cybersecurity: A Critical Element in Your 2025 Business Forecast
As cyberattacks become more sophisticated, cybersecurity remains a top concern for regulators, consumers, business partners, and investors. Weak security can cause substantial harm to a company and lead to litigation, reputational damage, and hefty fines. Against that background, the EU is introducing stricter regulations that require robust cyber resilience, mandate board oversight on cybersecurity strategy, and hold board members personally liable for weak security practices.
NIS2: Preparing for EU’s New Cybersecurity Rules
The European Union (EU) has revised its Cybersecurity Directive (NIS2). The new rules will apply to a wide range of companies in many sectors, create new cybersecurity obligations, and impose high fines for noncompliance. EU countries have until October 17, 2024, to transpose the new rules. As the deadline approaches, companies should assess the impact on their cybersecurity strategy. This alert summarizes the key obligations for businesses.
French Data Protection Authority Publishes Its 2024 Enforcement Focus Areas
On February 8, 2024, the French data protection authority (CNIL) published a list of its enforcement focus areas for 2024.[1] The CNIL will focus on the processing of children’s data by online services, the handling of individuals’ requests to access their personal data (so-called “DSAR”), the re-use of data processed for loyalty programs, and data processed in connection with the upcoming Olympic and Paralympic games.
Weaponization of Data Subject Access Requests in the EU
Individuals are increasingly making use of their right to access their personal data under applicable privacy laws in the EU.
It can be a challenge for companies to handle such requests, in particular if a request concerns a complex data set, if there is a high number of requests, or if the right is exercised for strategic reasons, such as in HR or legal disputes. The right of access is, however, not absolute, and its restrictions vary across Member States, adding further complexity to the matter. How to handle such requests and apply these restrictions is commonly set out in internal policies and procedures. We set out below the current landscape as well as a recent enforcement trend.