Regulations : Digital Services, Data, Cybersecurity, AI

Our environment has undergone a general digitization, which has created a need for regulation first focused on personal data, and then focused on data in general. Indeed, the latter now have a real monetary value and the digitization of society has reached such a magnitude that new excesses have emerged.

Data protection

France was a pioneer in Europe in legislating for the protection of personal data through Law No. 78-17 of January 6, 1978 known as the “Computer and Freedoms Law” with the creation of an independent administrative authority responsible for oversight: the CNIL (National Commission for Information Technology and Civil Liberties).

In 2002, the EU intervened with the e-Privacy Directive, which protects privacy through the confidentiality of electronic communications (emails, SMS, communications via social networks, etc.). It prohibits SPAM and requires the user’s consent for the deposit of cookies (the user must be informed and have the option to refuse).

Since May 25, 2018, the General Data Protection Regulation (GDPR) has been applicable. The GDPR is the main European legislative framework applicable to the protection of personal data with the aim of harmonizing the policies and regulations of Member States concerning the processing of personal data around three pillars: transparency, trust, and Responsibility.

• Transparency, because data controllers must inform users of their rights concerning their data and how to exercise them, in the clearest and simplest way possible.

• Trust, thanks to the principle of consent and the establishment of guarantees in case of data transfers, in particular.

• Responsibility, because the regulation strengthens the obligations of data controllers and imposes the creation of independent control authorities: in France, the CNIL (established in 1978) has been retained for this role.

The GDPR has many contributions, with a consolidation of existing rights (principle of consent, principle of transparency, right to be forgotten), the protection of new rights (right to data portability; right to protection against profiling), and the definition of important terms, such as sensitive data. The GDPR established the role of DPO responsible for GDPR compliance and privileged contact person who must meet certain competency requirements (good knowledge of national and European texts regarding the protection of personal data) and independence (Article 37). In principle, the appointment of a DPO is not mandatory but highly recommended to avoid any surprise visit or sanction from the CNIL! By exception, the appointment of a DPO is mandatory for certain organizations, including all local authorities regardless of their size, any company whose activity involves regular and systematic monitoring of individuals on a large scale, or processing of “sensitive” data on a large scale (Article 9 and 10 of the GDPR). The DPO can be either internal or external.

At the French level, this text is in line with the continuity of the “Informatique et Libertés” law of 1978, which already established several of the principles and rights now protected by the GDPR and established the CNIL (National Commission for Informatics and Liberties), the national reference authority on the subject.

The GDPR and the e-privacy directive are primarily concerned with the actors who are data controllers and processors. Software publishers, on the other hand, have been little impacted by the GDPR.

Protection des données


Cybersecurity regulation


The NIS Directive and NIS2

The NIS Directives (Network and Information Security) :

The NIS Directive 1 is a set of measures related to cybersecurity within the EU, aimed at strengthening the cybersecurity of “Operators of essential services for the functioning of the economy and society.” The ANSSI (National Cybersecurity Agency of France) will be there to support these operators when they are victims of a cyberattack.

The NIS Directive 2 is a deepening of cybersecurity and an extension of its scope. It will come into effect by 2024. The novelties of this directive include a mechanism of proportionality that distinguishes between essential and important companies (establishing different requirements for each of them) and a strengthening of sanctions.


The Cybersecurity Act

The Cybersecurity Act, which came into effect on June 27, 2019, aims to ensure the proper functioning of the internal market while striving for a high level of cybersecurity, cyber resilience, and trust within the Union (Article 1). It is a real breakthrough for Europe’s strategic autonomy in cybersecurity. This text is the culmination of valuable work by the EU and national cybersecurity agencies.

The Cybersecurity Act consists of two parts:

– The first part formalized the mandate of ENISA (European Union Agency for Cybersecurity) or the European Union Agency for Cybersecurity (Article 3) and strengthened its capacities (Article 6);

– The second legislative framework concerns cybersecurity certification for ICT products, services, and processes (Article 56).

The Cybersecurity Act is the legislative framework for cybersecurity in the European space. The Cybersecurity Act has general and obligatory scope for all Member States. It is a regulation with direct application in all its provisions.


Regulation of digital platforms and content

DMA : Digital Markets Act

The DMA (Digital Market Act) is a European regulation voted in 2020 and entered into force on May 2, 2023. It aims to prevent abuses of dominant positions and offer greater choice to European consumers, in order to combat the near-monopoly of the GAFAM on the European market.

The companies concerned are those that exercise some form of control over access to the internet, based on data related to their presence in European countries, their revenue and the number of users of these companies.

Affected companies will have to appoint a responsible person to ensure compliance with the DMA. The DMA imposes several obligations, such as facilitating the unsubscribing from a platform or service, or facilitating the uninstallation of pre-installed applications. The DMA also imposes prohibitions, such as companies no longer being allowed to favor their own content. To make these obligations and prohibitions effective, heavy fines are provided as a sanction.

Drapeau et parlement européen

DSA : Digital Services Act

Regarding digital content, in parallel with the DMA, the Digital Services Act (DSA) was voted in. It will come into effect on August 25th, 2023 for very large digital platforms and search engines, and on February 17th, 2024 for other digital platforms. It aims to control the content that can be found online: to combat hate speech, illegal content, and misinformation. The principle is that what is illegal offline is also illegal online.

The entities concerned are internet service providers, digital storage services, and digital platforms (marketplaces, social networks, search engines, etc.).

Among the obligations set forth by the DSA, there is the establishment of a complaints system, an obligation to conduct annual independent audits. Failure to comply with these obligations will result in sanctions imposed by the text.

European Data Strategy

Data Governance Act et Data Act

The Data Governance Act and the Data Act are part of this European data policy, this time outside the EU: it is the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) who have made this proposal for a European data regulation, the Data Act, which follows the 2021 Data Governance Act on data governance.

Although the Data Act is not an official EU standard, it is part of the European strategy to develop a single data market while protecting the rights of individuals and EU values. This proposal is significant of the economic value that is now attributed to digital data.

Protection des données en Europe

AI regulation

The evolution of new technologies and the increasing role of artificial intelligence has prompted legislative and regulatory authorities to look more broadly at the regulation of data. Indeed, data now has significant monetary value and the digitization of society has led to new abuses.

Unlike the GDPR, which mainly focused on data controllers and processors, the new regulations will mainly target software publishers and AI developers.

Intelligence artificielle

AI Act : Artificial Intelligence Act

Regarding the development of AI and its limitations, the AI Act (Artificial Intelligence Act) is a European regulatory proposal presented in 2021, through which the EU aims to establish a legal framework related to the development of artificial intelligence. The objective is to establish trust and enable companies to adopt AI under the best possible conditions.

CNIL has identified four main objectives regarding the AI Act:

• Set up safeguards for developers and users of AI.

• Align with the GDPR as these AIs will often process personal data.

• Harmonize European regulations related to AI.

• Foster innovation.

Project to revise Directive 85/374/EEC

Project to revise Council Directive 85/374/EEC of 25 July 1985 transposed into France by Law No. 98-389 of 19 May 1998. The new directive aims to modernize and strengthen the rules on liability for defective products to facilitate the repair of damages, including bodily harm, data loss, and more. The directive will create more equitable competition conditions between European manufacturers and those from third countries. It will facilitate the implementation of liability (action for compensation, proof, and indemnification) and allow for the repair of damages caused by AI products, robots, drones, etc.

Draft Directive on Specific Liability Related to AI.

Draft Directive on Specific Liability Related to AI. The idea is to harmonize national rules regarding AI liability. This regulation is intended to effectively protect victims of damages caused by AI (such as privacy violations and security issues) by facilitating access to legal remedies, evidence, and reparations. It will also simplify the legal process of AI liability by establishing a presumption of causality that relieves victims of the burden of proof.

The regulation will apply to all AI systems.

Cerveau numérique

The implementation of a normative framework

The question then arises about how to align these new regulations with the GDPR, as there is a risk of creating a complex and unreadable legal framework. To help French actors implement this regulatory framework, various authorities will be able to assist them:

At the national level, the CNIL is the leading actor for the French Data Protection Law and the GDPR, but it is not the only one implementing European legislation. In fact, the National Agency for Information Systems Security (ANSSI) is seeing its role expand: if it had until now only played a proactive role (supporting companies victimized by cyberattacks), it now wants to develop and have a repressive role, for example, with the power to impose fines in case of non-compliance with regulations.

Finally, at a more local level, it is possible to note an increase in the number of Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs), who are now essential to ensuring that French companies comply with current and upcoming European standards.

Formation à distance

Contact us to discover our support offers