
EU Legislation
Here is a brief overview of some relevant EU legislation, and how it applies to your company or its products.
The EU issues two types of legislation: regulations and directives. A regulation has what is called direct effect: it is binding as law in every Member State (and often applies to entities outside the EU as well) without any national implementing act. A directive, on the other hand, is an instruction to the governments of EU Member States to enact national laws that meet its objectives by a transposition deadline, so the details vary from state to state.
EU company definitions (Recommendation 2003/361/EC; these thresholds decide which obligations below apply to you)
MEDIUM ENTERPRISE
- fewer than 250 employees
- turnover ≤ €50m or balance sheet total ≤ €43m
SMALL ENTERPRISE
- fewer than 50 employees
- turnover or balance sheet total ≤ €10m
MICRO ENTERPRISE
- fewer than 10 employees
- turnover or balance sheet total ≤ €2m
EU privacy / data security legislation
The Data Act
The Data Act entered into force on 11 January 2024 and into application on 12 September 2025. It attempts to address the challenges and unleash the opportunities presented by data in the EU, emphasizing fair access and user rights, while ensuring the protection of personal data. It is intended to increase legal certainty, mitigate the abuse of contractual imbalances, allow public sector access and use of data, let customers switch between providers, and balance the interests of data holders and users.
ePrivacy Directive
Directive 2002/58/EC on privacy and electronic communications, otherwise known as the ePrivacy Directive, as amended by Directive 2009/136/EC. Being a directive, it is applied through national law, so cookie and marketing rules differ in detail between Member States.
- Deals with confidentiality of personal data, treatment of traffic data, spam and cookies.
- There is some interplay between this and the GDPR.
- Security of services: Duty for providers of electronic communications to inform users of particular risks.
- Prohibits interception or surveillance of communication without user consent.
- Service providers must erase or anonymize data when no longer needed. Data may be retained with consent of the data subject, who must be informed why and for how long.
- Location data can be processed only if anonymized, where users have given consent, or for provision of value-added services. Users must be informed beforehand and have the option to opt out.
- E-mail marketing is an opt-in regime: it requires the recipient's prior consent, with one exception for existing customers, who may be sent marketing for similar products and services provided they can opt out at any time.
- The same rule applies to SMS, push messages and any similar format: unsolicited messages are prohibited.
- Cookies, other than those strictly necessary for the delivery of a service requested by the user may not be placed without user consent.
General Data Protection Regulation (GDPR) (EU) 2016/679
Basically, this regulation says that if you record anyone's personal data, you must: have a lawful basis for it; not record any more data than you need for the purpose; inform the subject of the purpose, the scope of data and their rights; keep it secure; notify the supervisory authority promptly (within 72 hours) if any is breached, and the subjects themselves where the breach puts them at high risk; keep it for a specified time only; delete it when it is no longer needed; and allow the subject to see what you hold, rectify it and ask for its erasure.
Unlike US data protection legislation, which is based on consumer rights concepts, European laws are based on human rights established in existing conventions. The GDPR is an important component of EU privacy law and of human rights law.
The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. It overlaps with the ePrivacy Directive where the processing of personal data of individuals in the EEA is concerned. It applies to any enterprise, regardless of location, that offers goods or services to, or monitors the behaviour of, individuals in the EU, so any entity selling into the EU must comply with it.
It also restricts the transfer of personal data outside the EU and EEA. A controller may transfer personal data to a third country only where the Commission has decided that the country provides an adequate level of protection, or where appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place. This has proven one of its most controversial aspects, as anyone familiar with the Danish Chromebooks saga will know.
Cybersecurity Directive (NIS2) (EU) 2022/2555
NIS2 is an update of NIS1 (Directive (EU) 2016/1148), which has been in force since August 2016 with a 9 May 2018 deadline for Member States to transpose it into national law. NIS2 entered into force on 16 January 2023 and had to be transposed by Member States by 17 October 2024; as with any directive, the exact obligations are set by each state's transposition.
NIS’ objective is to achieve an evenly high level of security of network and information systems across the EU, through improved cybersecurity capabilities at national level, increased EU cooperation and risk management and incident reporting obligations for operators of essential services and digital service providers.
NIS2 generally does not apply to micro or small enterprises; its size cap is the EU medium-enterprise definition above, although a few categories (DNS service providers, TLD name registries, trust service providers and providers of public electronic communications networks or services) are covered regardless of size. The sectors are split into two groups. Entities in the high-criticality sectors (energy, transport, banking and financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space) are "essential entities" if they are large and "important entities" if they are medium-sized. Medium and large entities in the other covered sectors (postal and courier services, waste management, chemicals, food production and distribution, manufacturing of medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment, digital providers such as online marketplaces, search engines and social networking platforms, and research) are "important entities".
Both essential and important entities must implement appropriate cybersecurity risk-management measures and must report significant incidents; the difference lies mainly in supervision (proactive for essential entities, reactive for important ones) and in the level of fines. Note that "operators of essential services" and "digital service providers" were the NIS1 terms; NIS2 replaces them with the two categories above. Digital infrastructure covers, among others, data centres, cloud computing services, content delivery networks, DNS and TLD registries.
One of the core aspects is risk management. Compared to NIS1, NIS2 substantially raises the requirements: a stringent incident notification process (an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours and a final report within one month), mandatory training for management bodies, supervision and audits, and fines of up to €10m or 2% of worldwide annual turnover for essential entities (€7m or 1.4% for important entities). Members of management bodies must approve and oversee the measures and may be held personally liable for failure to comply.
The measures listed in Article 21 (risk analysis and security policies, incident handling, business continuity and backups, supply chain security, secure acquisition and development including vulnerability handling, cyber hygiene and training, cryptography, access control and asset management, multi-factor authentication) are often summarised using the five core functions of the NIST Cybersecurity Framework:
- Identify – Know all your assets and your attack surface;
- Protect – Implement safeguards;
- Detect – Timely detection of cyber security events;
- Respond – Have a plan to contain the impact;
- Recover – Maintain resilience and restore services after an attack.
Digital Operational Resilience Act (DORA) Regulation (EU)2022/2554
DORA entered into force on 16 January 2023 and will apply from 17 January 2025.
It aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, increasing the resilience of the financial sector in the event of a severe operational disruption.
DORA applies to around 20 types of financial entity and to the ICT third-party service providers that serve them.
It covers ICT risk management, third-party risk management including supply chains, digital operational resilience testing (including threat-led penetration testing for larger entities), classification and reporting of ICT-related incidents, information sharing on cyber threats, and direct EU-level oversight of ICT providers designated as critical.
Cyber Resilience Act (CRA) Regulation (EU) 2024/2847
Unlike the NIS2 directive, which concerns the security of an organisation's operations, the CRA specifically targets digital products.
The European Parliament adopted it on 12 March 2024; it was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024. Manufacturers have 36 months from entry into force to comply (the main obligations apply from 11 December 2027), although the vulnerability and incident reporting obligations apply from 21 months (11 September 2026).
The CRA applies to all products with digital elements placed on the EU market, hardware and software alike. Most products (desktops, phones, IoT devices and the like; it should stop your fridge or smoke alarm becoming part of a botnet) fall into the default category and can be self-assessed, while "important" products (for example operating systems, browsers, password managers, VPNs, routers, firewalls and hypervisors) and "critical" products (for example hardware security modules, smart cards and smart meter gateways) face stricter conformity assessment. Products already covered by sectoral rules (medical devices, motor vehicles, civil aviation) are excluded, as is free and open-source software developed outside a commercial activity.
The CRA creates harmonised rules for products or software with a digital component, a harmonised compliance framework governing the planning, design, development and maintenance of such products, and a duty-of-care obligation covering the entire product lifecycle.
The CRA is meant to ensure that manufacturers take security seriously throughout a product's life cycle: products must be placed on the market with fewer vulnerabilities and in a secure default configuration, manufacturers must handle and disclose vulnerabilities and provide security updates for a support period that reflects the product's expected lifetime (at least five years unless the product is expected to be used for less), and the transparency of product security is improved so that users can take cybersecurity into account when selecting and using products with digital elements.
Member States are to ensure a ‘notifying authority’ responsible for setting up and carrying out the necessary procedures for the assessment and notification of conformity assessment bodies.