To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster's European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that took place in the final quarter of 2022.

This report follows our previous updates on European digital regulation and compliance developments for 2021 (Q1, Q2, Q3, Q4) and 2022 (Q1, Q2, and Q3).

In this issue, we note the adoption of the EU Digital Services Act and Digital Markets Act, which will be key elements of the digital regulatory regime in the EU. In the UK, the Online Safety Bill edges slowly forward. But the area with the most key developments is cybersecurity and resilience, with both the EU and the UK adopting and proposing new legislation - and so the post-Brexit gap (and the additional regulatory burden for affected businesses) grows proportionately.

EU Digital Policy and Legislation

1. Fitness check of EU consumer law: EU Commission evaluates the digital fairness of existing consumer laws

2. Digital Services Act enters into force

3. Digital Markets Act enters into force

UK Digital Policy and Legislation

4. UK Online Safety Bill - Inching Towards the Finish Line?

5. Time for a Software App-date: the UK's New Code for Apps

Cybersecurity and Resilience

6. NIS2 Directive fully adopted: Enhanced cybersecurity requirements for essential entities

7. UK NIS: UK government proposals and Ofcom response

8. EU Critical Entity Resilience Directive: Enhanced physical security rules for critical infrastructures

9. UK Cybersecurity and the Product Security and Telecommunications Infrastructure Act 2022

Germany

10. Key Points for implementation of EU Digital Services Act via a German "Digital Services Act"

11. Revision of German Antitrust Law and its impact on digital markets

EU Digital Policy and Legislation

1. Fitness check of EU consumer law: EU Commission evaluates the digital fairness of existing consumer laws

In November 2022, the EU Commission announced that it plans to evaluate whether additional action is needed to ensure an equal level of fairness to digital online trading as exists in the offline world. It has launched a public consultation to determine whether existing EU consumer laws are adequate for ensuring a high level of consumer protection in the digital environment. The consultation covers three directives:

  • Unfair Commercial Practices Directive (2005/29/EC)
  • Consumer Rights Directive (2011/83/EU)
  • Unfair Contract Terms Directive (93/13/EEC)

The EU's so-called Omnibus Directive (more formally, the "Enforcement and Modernization Directive" that came into effect in January 2020) has already brought several changes to these three directives, such as requirements for transparency of personalised pricing, ranking of search results, obligations on online marketplaces, and new GDPR-style, revenue-based fines for non-compliant providers. Considering the fast pace of technological progress and its impact on the consumer experience, the Commission intends to assess whether additional measures may still be needed to better address current and emerging needs.

The public consultation will run until February 2023. All stakeholders, including businesses with B2C products or services, may register and contribute to this consultation by submitting the Commission's online questionnaire.

What's next?

In addition to this public consultation, the Commission is conducting targeted consultations addressing, in particular, Member States' authorities and European stakeholder organisations, such as consumer and business organisations.

The Commission will summarise the results of all consultation activities in a report and publish it in the second quarter of 2024. Depending on the conclusions that the Commission draws from the consultations and its further analysis, it may decide to propose additional modifications to these directives to address issues relating to B2C digital products and services.

Areas of further regulation may include a harmonization of rules on renewals and cancellation of subscriptions (currently governed by divergent local laws of the EU Member States) and may introduce specific requirements for new business models such as voice-assisted commerce, AR/VR, and metaverse offerings to the extent that current rules do not fit. However, as a new European Parliament and Commission will be elected in 2024, we do not expect a new legislative proposal before mid-2025.

2. Digital Services Act enters into force

On 16 November 2022, the EU's Digital Services Act (DSA) entered into force. The DSA's main purpose is to fight the spread of illegal content, online disinformation, and other societal digital risks. The DSA introduces a comprehensive regime of content moderation rules for a wide range of businesses operating in the EU, including all providers of hosting services and "online platforms". See our separate DSA client alert for more details.

What's next?

Online platforms now have until 17 February 2023 to report their number of average monthly active end users on their websites. Based on these user numbers, the EU Commission will assess whether a platform should be designated a "very large" online platform (VLOP).

The DSA's main VLOP obligations will apply four months after the Commission's VLOP notification. VLOPs must then, inter alia, carry out their first annual risk assessment and provide the Commission with the results.

On 17 February 2024, the DSA will fully apply to all (other) in-scope entities. This date is also the deadline for each EU Member State to establish its own Digital Services Coordinator – which will be the competent authority in each country responsible for supervising intermediary services established in their territory and enforcing DSA rules against non-VLOP entities. The European Commission itself is the enforcement authority under the DSA for VLOPs.

Individual Member States are also starting to work on creating any associated laws and regulations for when the DSA takes effect – see our article below about the progress being made in Germany.

3. Digital Markets Act enters into force

On 1 November 2022, the Digital Markets Act (DMA), the EU's flagship digital gatekeeper legislation (see our Q3 2022 update), entered into force. This started the clock for its full application.

What's next?

Undertakings meeting the quantitative thresholds – annual turnover of €7.5 billion in the EU or market capitalization of €75 billion plus 45 million monthly active end users and 10,000 yearly active business users – must notify the Commission by 2 July 2023 at the latest.

The Commission then has until 1 September 2023 to finalise its designation decisions. The main obligations will apply six months after the designation decision, meaning they will apply from 1 March 2024 onwards at the latest.

These main obligations include data access and data use rules, prohibitions on self-preferencing and bundling, and interoperability obligations (see previous DMA Client Alert for more detail).

From 25 June 2023 onwards, the DMA will also be included in the EU Whistleblowing Directive and Representative Action Directive. This means that consumer class/representative actions under national law must be able to rely on the DMA and that anyone reporting violations of the DMA must be protected from reprisals if they first went through the appropriate internal and external channels.

UK Digital Policy and Legislation

4. UK Online Safety Bill – Inching Towards the Finish Line?

The UK's long-awaited Online Safety Bill (OSB) is showing signs of progress after a five-month delay (covered in our previous client alert – see European Digital Compliance: Key Digital Regulation & Compliance Developments). But there's still a risk that – as it has become more bloated and ambitious in scope – it may fail to be adopted in this parliamentary session.

Below, we outline the key changes in the latest draft of the OSB, which was published in December 2022, as the UK government's quest to heighten online safety for children and adults continues.

What's new?

  • Legal but Harmful Content
    • Removal of obligations. Previously, the obligation for platforms to "address" so-called "legal but harmful" content in relation to adults was considered by many to be the most controversial topic of the OSB, due to freedom of expression concerns. Following the removal of this obligation in the latest draft of the bill, a "triple shield" of protection for adults has instead been emphasised. The terminology is new, but this triple shield contains familiar elements from the previous OSB draft (such as empowering adult users to control the types of content with which they engage and eliminating (a) illegal content and (b) content that violates a company's own terms and conditions).
    • Clarity of scope. One new feature of the latest draft is the clarification of which specific types of content adult users should have control over when viewing and engaging with online content (e.g., content that promotes eating disorders or that encourages hate-speech or self-harm). This content is now explicitly defined in the legislation whereas, previously, similar content was expected to fall under the "legal but harmful" category, but it was never written into the bill itself.
  • The Triple Shield. Does this provide adequate protection for adults? Some critics think not. Although "legal but harmful" content regulation remains in place for children, there are concerns that the OSB has been watered down too much following the removal of similar provisions for adults. Since platforms no longer need to regulate harmful adult content themselves (which may have been the case under the old requirement to "address" such content), the onus is on individual adult users to choose the types of harmful content that they want to see. This could especially impact vulnerable adults, and there have been calls for the OSB to impose more substantive duties (such as more transparent assessment obligations) on companies in relation to harmful content. There is also the risk that platforms might weaken their own terms and conditions regarding content regulation, so that they can take a more back-seat approach when policing their platforms (although this worry could be somewhat curbed with the government's plans for new types of illegal behaviours – discussed further below).
  • Protection of Children
    • Age gating. New measures were added into the latest OSB draft to bolster online safety. These provisions require platforms to explain, in their terms and conditions, how their minimum age policies are enforced and how they prevent children from circumventing age authentication measures.
    • Risk assessments. To add to their list of legal duties, the summaries of the risk assessments that platforms would already have been obliged to carry out under the previous draft (regarding illegal/harmful content for children) must now be published. This means that platforms can no longer get away with conducting these assessments behind closed doors.

What's next?

We are expecting answers from Michelle Donelan (Secretary of State for the Department for Digital, Culture, Media & Sport) after she invited online questions about the OSB in December 2022. The OSB is still due to undergo a third reading in the House of Commons before it can (supposedly) reach the House of Lords, when further amendments are expected to be proposed. These changes are expected to include the introduction of criminal offences for new types of illegal conduct, including controlling or coercive behaviour, so-called "epilepsy trolling", sharing deep fake pornography, and encouraging self-harm.

The OSB must meet its revised deadline of Autumn 2023 (as must all of the other bills that have stalled during the course of this recently extended parliamentary session), otherwise the whole legislative drafting process will need to start again from scratch.

Companies that may be in-scope should keep an eye on the OSB's progress through Parliament and, following a joint statement from Ofcom and the Information Commissioner's Office, technology platforms should also prepare to comply with both the OSB and data protection laws. But, in an attempt to ease compliance concerns, the UK government has noted that it plans to adopt a phased approach to the duties of care in the OSB, with an initial focus on tackling illegal content to address the most serious harms as soon as possible.

5. Time for a Software App-date: the UK's New Code for Apps

The UK government has published a new code of practice, which sets out minimum security and privacy requirements for app store operators and app developers.

What's new?

The Code of Practice for App Store Operators and App Developers (Code) was published in December 2022 by the Department for Digital, Culture, Media and Sport (DCMS) with input from the Information Commissioner's Office.

The Code sets out recommended security and privacy practices, with the aim to protect digital users from malicious actors and vulnerable apps. While the Code is voluntary, some of its content is mandated through existing legislation, and the government hopes that companies will want to demonstrate their seriousness about app security and privacy by publicly affirming compliance with the Code.

The Code targets app store operators, app developers, and platform developers. It does not apply to business-to-business API providers, because responsibility falls on the developers to understand the code and services they integrate during app development.

The Code lists eight principles that should be followed. For each principle, the key obligations and the parties to whom it mainly applies are summarised below.

Principle 1 (mainly applies to: app store operators)

  • Verify and only permit apps on the app store if they meet the Code's security and privacy baseline requirements set out in Principle 2.
  • Implement processes for reporting and removing detected malicious/fraudulent apps (within 48 hours).

Principle 2 (mainly applies to: app developers; platform developers)

  • Ensure that apps meet the baseline requirements, which include industry-standard encryption.
  • To help users understand the purpose of permissions, avoid requesting permissions that have no functional purpose.

Principle 3 (mainly applies to: app store operators; app developers)

  • Implement vulnerability disclosure processes in both apps and app stores – these allow security researchers or other interested parties to inform the company about a product vulnerability.

Principle 4 (mainly applies to: app store operators; app developers; platform developers)

  • Update apps (i) after a vulnerability has been discovered or (ii) if one of the app's dependencies receives a security update.
  • Encourage users to update apps so they do not need to seek out updates themselves.
  • Detect apps that have not been updated in two years and confirm with developers whether the app is still supported (and make the app unavailable if it is not).

Principle 5 (mainly applies to: app store operators; app developers)

  • Inform users when a downloaded app has been removed or made unavailable on the app store and provide instructions on how to remove it.
  • Display information about the app's security and privacy properties.

Principle 6 (mainly applies to: app store operators)

  • Direct developers to the Code so that they understand the baseline standards.
  • State on the app store that developers must meet the Code's standards (or a higher standard, if chosen).

Principle 7 (mainly applies to: app store operators)

  • Provide feedback to developers if their app is removed for security or privacy reasons (including the reasons why the app was removed).

Principle 8 (mainly applies to: app store operators; app developers)

  • Take appropriate steps when a personal data breach occurs.
  • Share breach information with other operators, developers, and any relevant third-party developers.
  • Provide users with information to help them protect themselves after a breach.

What's next?

There will be a nine-month period for app store operators and developers to implement the Code's practices. From early 2023, the DCMS plans to arrange meetings with (and request confidential written reports from) app store operators, to review any steps that they have taken to adhere to the Code. For now, responsibility will also fall on app store operators to determine whether app and platform developers have implemented the relevant principles.

The Code is expected to be reviewed and possibly updated at least every two years.

Cybersecurity and Resilience

6. NIS2 Directive fully adopted: Enhanced cybersecurity requirements for essential entities

In Q4 of 2022, the EU adopted and published its new Directive on measures for a high common level of cybersecurity across the EU (NIS2). NIS2 will replace the similarly titled Directive (EU) 2016/1148 (NIS1).

Compared to the existing NIS1 rules, NIS2 imposes stricter cybersecurity risk management requirements on more organisations and introduces tougher supervisory and enforcement measures.

What's new?

After the EU institutions had reached a provisional agreement on the final NIS2 wording in Q2/2022 (see our previous Q2 2022 coverage), the Council of the EU and the European Parliament formally adopted the Directive in November with no further substantive changes. It was then published in the EU's Official Journal in December as Directive (EU) 2022/2555.

Among other things, NIS2 sets the baseline for cybersecurity risk management measures and reporting obligations across all covered sectors, which include energy, transport, chemical manufacturing, production and distribution, postal and courier services, healthcare, and digital infrastructure. It forms part of the EU's wider effort to better protect critical national infrastructure from cybersecurity threats, including the heightened risk and critical vulnerabilities associated with network and information systems and digital supply chains.

See our full client alert for a more detailed review on substantive obligations and enforcement rules introduced by NIS2.

What's next?

Since NIS2 is a Directive, it does not have any directly binding effect but, rather, must be implemented into the national laws of each EU Member State. Following the final adoption, the deadline for this implementation expires on 17 October 2024. We thus expect that national legislators across the EU will shortly ramp up their implementation efforts, and some of them may well aim to finalise that work ahead of the deadline, as was the case for NIS1.

Adoption of NIS2 also marks a further departure from harmonised digital regulatory compliance regimes in the EU and the UK. While the UK had implemented NIS1, it will not implement NIS2 in light of Brexit. Rather, the UK is working on its own revision of its national NIS regime (see next article).

7. UK NIS: UK government proposals and Ofcom response

The UK Government has published its response to a public consultation on proposals to amend the UK's existing Network and Information Systems Regulations 2018 (NIS Regulations). This is one element of the UK government's digital agenda to better protect the UK's economy and critical national infrastructure from new and emerging cyber security threats.

What's new?

Key changes that the UK is now expected to implement include:

  • Expanding the scope of "digital services" to include "managed services": The current regime is limited to "digital services", meaning online search engines, online marketplaces, and cloud computing services. The changes will broaden this scope to include "managed services", which will include IT outsourcing services, security monitoring, and managed network services. At present, the measures proposed will not specifically regulate data centres, but the government has confirmed that it will keep this position under review moving forwards.
  • Applying a two-tier supervisory regime for all digital service providers: Providers of the most critical digital services (as determined against criteria yet to be agreed in consultation with the UK Information Commissioner's Office (ICO)) will be regulated on a more proactive basis than other less critical service providers. The government plans to do so through non-legislative means, for example, through risk-based guidance from the ICO.
  • New Government powers to:
    • designate critical suppliers or services, on which existing essential and digital services depend, bringing them directly into scope of the NIS Regulations. These designated entities would then need to comply with the same duties as operators of essential services. This change seeks to ensure that critical dependencies underpinning essential and digital services are identified and managed, which is not presently the case under the current regime. Designations will be managed by competent authorities, rather than operators of essential services nominating or designating unilaterally; and
    • amend the NIS Regulations, both in terms of framework and scope (with appropriate safeguards). This allows for ongoing amendments without needing to pass primary legislation (which can be time consuming), so that new and emerging cyber security threats can be managed more easily and efficiently.
  • Expanding the incident reporting requirements: These are currently limited to incidents that impact on services under the NIS Regulations, and the planned expansion of the reporting requirement will include not only incidents that disrupt services, but also incidents that pose a high risk to or impact a service, even though they do not immediately disrupt it. Further details around when reporting will be required under the proposed expanded duty and the contents of incident reports are expected to be published in supplementary guidance.
  • Extending the cost recovery provisions: Despite concerns from respondents regarding the potential risk of burdening organisations and incentivising regulators to enforce more frequently, the government has indicated that it still intends to proceed with changes to the existing cost recovery model. This will allow regulators (such as Ofcom, Ofgem, and the ICO) to recover the entirety of their reasonable implementation costs from regulated organisations, for example, costs incurred from issuing enforcement and penalty notices, which is not currently permitted.

See the UK Government's full response to the consultation for further detail.

What's next?

The UK will now proceed with amending the NIS Regulations to give effect to the changes outlined above. While the original NIS Regulations were derived from EU law, the government has already confirmed that "there will be differences" between the EU's equivalent rules and the new UK regime. These "differences" will likely be intensified as the EU replaces NIS1 with NIS2 (see previous article) in parallel to the UK's reforms. However, until we see full details of the specific legislative amendments and supplementary guidance from the competent authorities, it is not yet clear how different the two regimes will be.

Meanwhile, Ofcom has been conducting its own consultation on its proposed changes to the NIS guidance, which will lower the reporting threshold under the NIS Regulations. Ofcom's final statement and updated guidance are expected in spring 2023.

For more information regarding the EU's equivalent NIS rules, read our separate client alert.

8. EU Critical Entity Resilience Directive: Enhanced physical security rules for critical infrastructures

In parallel to its legislative proceedings on the NIS2 Directive (see above), the EU also concluded the legislative procedure for a new "Directive on the resilience of critical entities" (CER Directive). The CER Directive is designed to ensure the unobstructed provision of services that are essential to the maintenance of society and economy by laying down substantive obligations and procedural rules to enhance their resilience and supervision. In doing so, the Directive focuses on all topics other than cybersecurity – which will be governed by the NIS2 Directive.

What's new?

After the EU institutions had reached a provisional agreement on the final CER wording in Q2 of 2022, the Council of the EU and the European Parliament formally adopted the Directive in November with no further substantive changes. It was then published in the EU's Official Journal in December as Directive (EU) 2022/2557.

The CER Directive applies to "critical entities" across the sectors of energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and production, processing, and distribution of food. Each of these sectors is further broken down into subsectors and/or specific categories of relevant entities. However, companies active in these sectors will only be in-scope of the relevant rules upon specific identification as a critical entity by each Member State based on the relevant criteria set forth in the Directive.

Companies identified as "critical entities" will have to run recurring assessments of all internal and external risks that could disrupt the provision of their essential services and take resilience measures to mitigate these risks. Where incidents occur despite these measures, companies will have to report those to the competent national regulators.

What's next?

As a Directive, the new CER rules will not have any directly binding effect but must rather be implemented into the national laws of each EU Member State. Following the final adoption, the deadline for this implementation expires on 17 October 2024 – i.e., in parallel to the NIS2 deadline. So, we expect that national legislators across the EU will combine their implementation efforts for both Directives. Based on their national rules, Member States will then have to identify "their" national critical entities by 17 July 2026.

The German government already kicked off the implementation process in early December 2022, shortly before the CER Directive was adopted, by publishing key points for its national CER rules. These key points suggest introducing recurring risk assessment obligations for operators of "critical infrastructures", minimum requirements regarding physical security in addition to existing cybersecurity rules, and monitoring and reporting of security incidents. Further details will become available once the German government initiates consultations on an actual legislative draft.

9. UK Cybersecurity and the Product Security and Telecommunications Infrastructure Act 2022

In our Q4 2021 alert, we outlined the EU's approach to enhancing the regulation of connectable products (see also our separate client alert) and the cybersecurity of digital products (see our Q2 2022 alert). In keeping with this theme, the UK has now passed the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act).

What's new?

There are two main elements of the PSTI Act. Part 1 addresses the cybersecurity of consumer connectable products (also known as "Internet of Things devices" or consumer "smart" devices) made available in the UK ("Products") to ensure they are "secure by default"; and Part 2 amends the UK's electronic communications code to facilitate the accelerated deployment and expansion of advanced telecommunications networks across the UK.

PSTI Part 1 will affect manufacturers, importers, and distributors of in-scope Products and requires that they implement specified technical security requirements designed to enhance the cybersecurity of the Products. Obligations also include preparing statements of compliance, investigating and, if necessary, taking action in relation to potential compliance failures (including, notifying the enforcement authority (to be determined), distributors of the Products and, under certain conditions, consumers) and maintaining records of compliance failures and investigations for 10 years.

The enforcement authority may investigate compliance failures and issue:

  • compliance, stop, and recall notices;
  • monetary penalties, up to a maximum of £10 million or 4% of worldwide revenue (whichever is greater); and
  • daily penalties of up to £20,000 for each day a failure continues, with no overall cap.

What's next?

We await regulations specifying the technical details of each security requirement, although the initial requirements are expected to align with the following:

  • a ban on universal default passwords;
  • implementing a means to manage reports of vulnerabilities; and
  • providing transparency on for how long, at a minimum, the product will receive security updates.

Regulations will also specify the products and software relevant to (and excluded from) each security requirement, the designated enforcement authority, and the required form of compliance statement. The UK government has not provided a timeline on when these may be introduced.

Germany

10. Key Points for implementation of EU Digital Services Act via a German "Digital Services Act"

The Federal Ministry of Digital Affairs and Transport recently announced that it is working on a bill to prepare the ground for when the DSA takes effect in Germany. The working title of the draft bill is "Digitale Dienstegesetz" (DDG), which oddly (and perhaps confusingly) translates to "Digital Services Act" – but it will in fact be national legislation rather than the EU-level law of the same name.

What's new?

Considering that the DSA is directly applicable in all Member States, the DDG will create the necessary rules to enforce the DSA in Germany and amend several existing German laws that currently regulate areas that are also governed by or related to the DSA. The DDG will thus contain very few substantive obligations.

  • The DDG will decide which national authority or authorities will be responsible for enforcing the DSA. Regarding fines, the Ministry is currently combing through each individual DSA rule to decide whether relevant non-compliance should be subject to fines.
  • The DDG will change a couple of existing German laws. All provisions in the Network Enforcement Act will be superseded by the DSA, very likely including the provisions on video-sharing-platforms. The Telemedia Act (TMG), which implemented the EU E-Commerce Directive (ECD), will be significantly amended. Since the DSA replaced the ECD's liability rules, the liability rules in the TMG will also be abolished.
  • The DDG will consolidate substantive provisions for digital services that originate in the EU Audiovisual Media Services Directive (AVMSD) but are currently scattered across several German laws. The existing provisions on video-sharing-platforms might remain in place.

What's next?

The Ministry aims to publish its proposal for the DDG in Q1 of 2023, so that the legislative process can conclude before the end of 2023.

11. Revision of German Antitrust Law and its impact on digital markets

In September 2022, the German Ministry for Economic Affairs and Climate Action published its proposal for a "Competition Enforcement Act" to amend national competition law (Act against Restraints of Competition, ARC). The draft would significantly expand the powers of the Federal Cartel Office (FCO), Germany's competition authority.

What's new?

The draft contains three major suggestions:

  • Sector inquiry: The draft would allow the FCO to order behavioural or structural remedies against any company active in a sector that was subject to a sector inquiry, with a view to eliminate or diminish an alleged "continuous distortion of competition". No actual competition law infringement would be required, i.e., the FCO could take such measures even where companies are fully compliant with the ARC.
  • Profit skimming: The draft would lower the requirements for the FCO to skim the profits gained through anti-competitive conduct. Intent or negligence on the part of the relevant company would no longer be required. The draft also introduces two presumptions: (i) that a competition law infringement caused the company to make a profit, and (ii) that such a profit amounts to at least one per cent of the domestic turnover that the company generated with the products related to the infringement. Affected companies can only rebut the latter presumption and, while this would be possible in theory, it will be hard to achieve in practice.
  • DMA implementation: The draft introduces procedural rules to allow the FCO to fulfil its ancillary tasks under the DMA, but it does not affect the role of the EU Commission as the sole enforcer of the DMA. The draft further allows for a private enforcement, e.g., for competitors or customers to sue a "gatekeeper" for damages or injunctive relief based on alleged DMA violations.

What's next?

Once adopted by the government, the draft will enter parliamentary proceedings. This means that the draft could enter into force in Q2 of 2023 at the earliest.

We are grateful to the following members of MoFo's European Digital Regulatory Compliance team for their contributions: Michelle Luo and Harry Anderson (trainee solicitors).

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved