EuroComply

For in-house legal counsel

EU regulatory workspace, sourced to article level

EuroComply gives in-house legal counsel a structured workspace covering the 8 horizontal EU regulations that converge on the business — GDPR, the EU AI Act, NIS 2, DORA, the Cyber Resilience Act, the Data Act, the DMA, and the DSA — with per-regulation scope, penalty, and timeline data sourced to the Official Journal article level.

What does EuroComply offer in-house legal counsel?

  • Structured scope, penalty, and timeline data per regulation
  • Article-level source citations to the Official Journal (EUR-Lex)
  • 1000+ vendor CLOUD Act exposure scores for procurement due diligence
  • Persona and country sub-pages for first-pass scope analysis
Source: EUR-Lex Official Journal

Common in-house legal use cases

Scope analysis

Per-regulation 'who does this apply to' answer blocks with Annex and Article references. Useful for a fast first-pass before deeper legal review.

Penalty exposure modelling

Maximum fines mapped per regulation, with the source Article. Combine with internal turnover figures to size organisation-wide regulatory exposure.

Timeline tracking

Phased-application dates across AI Act, CRA, Data Act, and the others. Avoid the typical 'we forgot it phased in last quarter' fire-drill.

Vendor due diligence

CLOUD Act exposure scores for 1000+ vendors. Procurement and DPA-review starting point — not a substitute for vendor-specific legal review.

Next step — classify

Browse vendor CLOUD Act exposure scores

1000+ scored vendors with the underlying classification (Sovereign / Mixed / US-Dominant / US-Only) — useful for procurement due diligence and DPA review.

Frequently asked questions

What EU regulations apply to in-house legal counsel in 2026?

In-house counsel at EU companies must track eight converging horizontal regulations: GDPR (data protection, fines up to 4% global turnover); EU AI Act (AI systems, phased 2024–2027, fines up to €35M/7%); NIS2 (cybersecurity for 18 sectors, management personal liability); DORA (financial sector ICT resilience, applicable from January 2025); CRA (products with digital elements, 2027); Data Act (data sharing and cloud switching, September 2025); DMA (gatekeeper obligations); and DSA (online intermediary duties). Each has distinct scope thresholds, timelines, and penalty regimes.

What are the maximum fines under the EU AI Act for legal counsel to advise on?

The EU AI Act establishes three fine tiers: €35 million or 7% of global annual turnover (higher figure applies) for placing prohibited AI systems on the market; €15 million or 3% for violations of high-risk AI system obligations under Articles 9–49; and €7.5 million or 1.5% for supplying incorrect or misleading information to authorities. For SMEs and start-ups, the lower of the two figures (percentage vs. absolute) applies. Unlike GDPR, these are per-infringement ceilings, not cumulative turnover calculations.

How does the CLOUD Act affect EU data processing agreements?

The US CLOUD Act (2018) gives US law enforcement access to data held by US-based cloud providers regardless of where that data is stored. This creates tension with GDPR Chapter V transfer restrictions and the Schrems II judgment. Legal counsel should assess the CLOUD Act exposure of each significant cloud vendor — whether they are a US person, incorporated in the US, or controlled by a US entity — when drafting DPAs, selecting sub-processors, and advising on data localisation strategies. Sovereignty-first procurement targets EU-incorporated providers without US parent structures.

What NIS2 management liability provisions must in-house counsel advise on?

NIS2 Article 20 creates personal management body liability: management bodies must approve cybersecurity risk management measures; management bodies can be held personally liable for infringements; and management bodies must undergo regular security training to adequately assess ICT risks. Sanctions include temporary bans on holding management positions for repeat infringements. In-house counsel should incorporate these personal liability provisions into director appointment terms, D&O insurance reviews, and board governance frameworks.

What does the EU Data Act mean for cloud service contracts?

The EU Data Act (Regulation (EU) 2023/2854) imposes switching facilitation obligations on cloud service providers from September 2025: providers must offer functional equivalence during and after a switch; must provide technical assistance; must reduce and ultimately eliminate switching charges over a 3-year phase-in; and must support data portability in interoperable formats. Contracts entered into or renewed after September 2025 cannot contractually restrict these rights. Legal counsel should audit cloud contracts and procurement terms to identify incompatible clauses.

How do the EU AI Act and GDPR interact in dual-compliance situations?

The EU AI Act and GDPR interact in several key areas: AI systems processing personal data must comply with both simultaneously; the AI Act's fundamental rights impact assessment (Article 27) for high-risk AI by public authorities should be coordinated with the GDPR DPIA under Article 35; GDPR Article 22 automated decision restrictions remain fully applicable to AI outputs; and AI Act transparency obligations for systems interacting with individuals parallel GDPR information obligations under Articles 13 and 14. The AI Act explicitly states it does not affect GDPR — both apply.

What contract obligations does NIS2 create for technology suppliers?

NIS2 Article 21(d) requires essential and important entities to address supply chain security as part of their cybersecurity risk management. Legal counsel must ensure ICT contracts include: minimum security standards the supplier must maintain; incident notification obligations (supplier must notify the covered entity promptly); audit rights or third-party audit reports; sub-processor notification and approval rights; and the ability to terminate if the supplier fails to maintain security requirements. Article 22 empowers the Commission to require coordinated supply chain security assessments for specific ICT products.

What is the DMA and which companies does it apply to?

The Digital Markets Act (Regulation (EU) 2022/1925) creates obligations for 'gatekeeper' platforms that meet specific thresholds: €7.5 billion annual EU turnover or €75 billion market capitalisation; at least 45 million monthly active EU end users; and at least 10,000 active business users annually. Covered core platform services include: app stores, search engines, social networks, messaging services, operating systems, online intermediation services, browsers, virtual assistants, cloud services, and online advertising services. Gatekeepers must comply with interoperability, self-preferencing restrictions, and data access obligations.

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Your EU regulatory workspace, built for legal counsel

Access structured GDPR, AI Act, and NIS2 tools with article-level source citations.
