EU Data Act & Co: New legal foundation for data platforms and digital services

2023/09/28
News

Anyone involved in the practical implementation of data analytics concepts and the development of data platforms should consider the future legal framework in their data strategy from the outset. We provide an overview of new legislation that is already important today as part of the EU Digital Strategy. Of particular relevance are the Cyber Resilience Act, the EU Data Act, and the Artificial Intelligence Act.

If you are considering a data platform based on the Data Lakehouse concept, you should be aware of their implications and consider them in your planning. In essence, these laws emphasize the importance of a holistic and proactive approach to a modern data strategy for several reasons. Complying with them is crucial for efficient risk management, avoiding legal and financial consequences, and safeguarding your reputation. Building a data strategy aligned with these new laws also promotes responsible innovation and can provide a clear competitive advantage in a market where partners and consumers increasingly value data privacy and ethical AI.

Particularly relevant are the three EU regulations: the Cyber Resilience Act, the Data Act, and the Artificial Intelligence Act. Together, they form a comprehensive framework aimed at addressing the legal challenges arising from the rapid developments in the Internet of Things (IoT). Here’s an overview:

EU Cyber Resilience Act:

This law focuses on improving the overall cybersecurity of devices and systems. It is planned to come into effect in 2024, impacting all products in early concept phases or already in development today. The implications include:

Security by design and standards: Companies must integrate data platform security into their strategy from the outset. This includes using encryption, secure authentication, and regular software updates to address vulnerabilities.
Incident Reporting: The law mandates the reporting of cybersecurity incidents. Companies also need response plans for incidents and must promptly rectify issues.
Certification regulations: The law introduces certification systems for IoT devices to attest to compliance with defined security standards. Consider such certifications to demonstrate your commitment to best cybersecurity practices.

EU Data Act:

The EU Data Act, which came into force at the beginning of 2024 and will become directly applicable law throughout the EU from 12 September 2025, is intended to modernize and harmonize data protection laws within the European Union. Building upon the General Data Protection Regulation (GDPR), it seeks to provide users with control over their personal data and enable them to better understand how their data is used. Clear rules for international data flows and interoperability between different data platforms and formats are intended to foster data trade growth within the EU. It regulates:

Data protection and consent: The law emphasizes the need for explicit user consent before data can be transmitted, collected, and processed. As a company, you must ensure transparency in data usage and provide users with options to control their data.
Data minimization: The law promotes the principle of data minimization, requiring only the collection and storage of as much personal data as absolutely necessary for any given purpose.
Data portability and deletion: Users have the right to request their IoT-generated data to be transferred to another service provider, for example, or to have it deleted. This obliges you to facilitate easy data portability and ensure secure data deletion upon user request.

EU Artificial Intelligence Act:

Expected to come into force in 2026, the AI Act aims to regulate AI systems, including those embedded in IoT devices and related platforms. Its key implications for data and security include:

High-risk AI systems: The law has identified “high-risk” AI systems that warrant special security precautions. Applications such as autonomous vehicles or the management of critical infrastructure may fall into this category. Companies must conduct risk assessments for such AI-powered applications, ensure transparency, and maintain human oversight.
Transparency and accountability: When using AI systems in your data platform, you must ensure that these systems’ decisions are transparent and explainable to comply with the AI Act’s requirements.
Security and robustness: The law requires AI systems to be secure and resilient against attacks. IoT devices are often part of interconnected systems susceptible to cyber threats. Therefore, companies must implement security measures to protect both the AI algorithms and the data they utilize.

Conclusion: Clear advantages of a Lakehouse architecture

These laws will shape data usage and security from various perspectives. While they are set to take effect in the coming years, their impacts and compliance should already be considered in the planning of digital processes. In summary, these laws focus on data management, security, and transparency and are best aligned with existing architectures and products today. One thing is clear: the more unified, secure, and straightforward data systems are organized, the less complex and cumbersome the practical implementation of these new requirements becomes.

A Lakehouse architecture, such as the one offered by Databricks, can significantly assist in this regard. It allows companies to store, manage, and analyze data in a unified manner by combining data engineering and analytics. Additionally, it provides tools for data governance, quality assurance, or enhanced cybersecurity for your data platform. At Databricks, this solution layer is known as the Unity Catalog – we’ll delve deeper into that in part 3 of our blog series.