NIS 2, AI Act, and more: How the EU’s digital strategy is driving the data-driven economy

The EU is continuously expanding its digital strategy with legislation such as the Cyber Resilience Act, the EU Data Act, the NIS 2 Directive, and the Artificial Intelligence Act. We provide an update on the key developments since late summer 2023 and explain how companies can not only adapt to the new requirements but also benefit from them in the long term.

The digital transformation in Europe is accompanied by numerous regulatory frameworks. The main pillars of the EU’s digital strategy include the Cyber Resilience Act, the EU Data Act, and the Artificial Intelligence Act. Each of these laws aims to make the EU’s digital infrastructure more secure and efficient while fostering innovation. The NIS 2 Directive (Network and Information Security Directive) is also part of the EU’s digital strategy. It is an evolution of the original NIS Directive from 2016 and aims to strengthen cybersecurity requirements for critical infrastructures.

Progress on key EU digital laws

In recent months, significant progress has been made on these regulations. The Cyber Resilience Act is currently in its final approval phase. This law imposes new security requirements on manufacturers of products with digital components, aiming to minimize vulnerabilities and make the entire lifecycle of a product more secure. Many companies are now tasked with rethinking their security strategies and investing more heavily in cybersecurity measures.

The EU Data Act has also undergone significant developments over the past year. The legal framework governing access to and use of data has been further refined. As of early 2024, the EU Data Act applies to many areas, particularly the use of smart devices. The legislation ensures that data is stored, managed, and processed in compliance with data protection standards. Companies must implement strict management of their databases to meet regulatory requirements.

EU AI Act: The countdown is on

On August 1, 2024, the EU AI Act, the first comprehensive regulatory framework for artificial intelligence, came into effect. The main obligations and requirements of the AI Act will be phased in over the next few years, with full implementation by 2026 depending on the risk category. The AI Act is a regulation with direct legal effect, without the need for national implementation laws. Companies using or distributing AI systems in the EU should implement the regulations as soon as possible to avoid legal risks and economic disadvantages. Non-compliance can result in heavy fines of up to 7% of global annual turnover.

The EU AI Act classifies AI systems into four risk categories: minimal, limited, high, and unacceptable. Systems in the last category, such as AI-based social scoring systems, are banned in the EU, as they can threaten fundamental rights. High-risk systems in healthcare or human resources are subject to high transparency requirements and human oversight. For generative AI, commonly used in chatbots, the AI Act mandates that machine-generated content must be clearly labeled. Additionally, a Code of Practice for General Purpose AI (GPAI) is being developed, set to take effect in 2025. It will include rules on transparency, risk assessment, risk mitigation, and internal governance, helping companies make their generative AI solutions legally compliant.

NIS 2: Stricter cybersecurity requirements for critical infrastructures

The NIS 2 Directive significantly expands the scope and applicability of the original 2016 NIS Directive and imposes stricter cybersecurity requirements on companies operating critical infrastructures. NIS 2 becomes legally binding in October 2024 and, in addition to large companies in highly critical sectors, now also covers medium-sized companies with at least 50 employees or an annual turnover of 10 million euros. In Germany alone, up to 30,000 companies could fall under its scope for the first time. This means that companies previously unfamiliar with strict data governance will soon need to implement extensive measures to secure their IT infrastructures.

These measures include:

  • Regular risk assessments
  • Strict incident management protocols
  • Reporting obligations with short deadlines to national authorities
  • A wide range of technical and organizational measures

The impact of the NIS 2 Directive on the development of smart and connected products is significant. Companies developing IoT and analytics-based solutions to optimize energy grids or similar infrastructures must strengthen their security precautions early in the development phase.

NIS 2 case study: Smart electricity meters

An example is smart electricity meters, which continuously collect data on energy consumption and transmit it in real-time to central servers. This data is then analyzed to make the power grid more efficient and better utilize energy resources.

Under the NIS 2 Directive, manufacturers must ensure that these meters and the entire data transmission infrastructure meet stricter security requirements. This includes encrypted communication protocols, robust authentication methods, and regular security updates, as well as penetration testing.

Smart metering is virtually predestined for the use of Narrowband IoT

The role of a data lakehouse in data governance

Given the increasing regulatory requirements, data governance is becoming a critical focus. A data lakehouse, which combines the benefits of data lakes and data warehouses, can play a central role in this regard. This technology allows for the centralized storage and management of large amounts of structured and unstructured data while maintaining high standards of data quality and security.

A data lakehouse offers companies the flexibility to quickly respond to new regulatory requirements and ensures compliance with frameworks such as the EU Data Act, Cyber Resilience Act, or NIS 2 Directive. The central management and control of all company data enable efficient implementation of security and data protection mechanisms. By combining data storage and analysis in one platform, companies can not only meet legal requirements but also gain insights into critical business areas. This can provide a decisive competitive advantage, especially in highly regulated industries.

Conclusion and outlook

Recent developments in the EU’s digital strategy show that the demands on companies will continue to increase in the coming years. With the Cyber Resilience Act, the EU Data Act, the NIS 2 Directive, and the Artificial Intelligence Act, the EU is setting a framework to promote the secure, responsible, transparent, and ethical use of digital technologies. A lakehouse architecture can help companies prepare for future regulatory tightening. By adopting consolidated data strategies, companies can not only achieve legal compliance but also strengthen their competitiveness in an increasingly regulated environment and benefit from effective data governance and cybersecurity tools.
