The DSA aims to improve user safety and to protect fundamental rights in digital environments. The scope of services that the DSA covers is broad, capturing a wide range of ‘intermediary service providers’ such as hosting services, online platforms and online marketplaces. For example, every B2B online platform which showcases third party content, products or services is captured by the DSA, even if the product or service itself cannot be bought on the platform. The DSA applies regardless of the relevant provider’s place of establishment as long as their services are offered to recipients that have their place of establishment or are located in the EU.

The DSA creates a layered set of obligations tailored to the different categories of digital services; it introduces a set of baseline obligations which apply to all online intermediaries and requires, for example, the designation of single points of contacts for authorities and users, annual transparency reporting, and transparent terms and conditions. Increased obligations apply to online platforms connecting customers with goods, services and content; those obligations require providers to implement a notice and action mechanism, adopt adequate measures to combat the dissemination of illegal content online, and increase the transparency of their platforms for users.

Additional specific obligations apply for online marketplaces and look to ensure the traceability of traders and safeguarding of users’ rights. The most stringent rules apply to ‘very large online platforms’ (VLOP) and ‘very large online search engines’ (VLOSE), which are designated by the European Commission depending on whether their monthly average user numbers in the EU are above 45m. For most companies, the majority of the obligations under the DSA will start to apply in March 2024. In addition, for those VLOPs and VLOSEs initially designated by the Commission, the key obligations started to apply on 25 August 2023. Enforcement rules under the DSA are severe with, for example, fines of up to 6% of total worldwide annual turnover.

In a nutshell, all companies covered by the DSA—and not only the largest online platforms and search engines—will face comprehensive compliance tasks. Companies should therefore start with reviewing online business models and potentially adapting and redesigning those to comply with the new set of rules (eg, to design interfaces in ways which omit dark patterns). Their compliance work may need to continue and require additional resources, including for the implementation of complaints systems and changes to T&Cs.

Last but not least, companies are well-advised to set up a solid strategy for dealing with transparency and compliance requests from national authorities and, in case of VLOPs and VLOSEs, the Commission.

The DMA is intended to promote fair competition and to address certain practices of so-called gatekeepers (ie, providers of very large digital services) which are potentially harmful to the overall EU digital market. Most of the DMA’s obligations will start to apply in March 2024.

The DMA introduces a framework which defines certain practices that are inherently considered as anti-competitive and which can be addressed by the regulator without the need to conduct a lengthy investigation into the relevant practices. It is presumed that this will significantly speed up competition enforcement in the digital space.

The set of potentially harmful practices addressed by the DMA includes certain data practices (ie, certain cross-service processing of personal data) which may now require consent under the DMA.

The DMA will also impose obligations on gatekeepers to facilitate access to end user and business user data, and impact the extent to which gatekeepers may use business user data in competition with those business users. As such, the DMA will not only impact the relevant gatekeepers, which will need to review their current practices, but will also have an impact on the end users and business users of the relevant services who may be provided with broader access to their data. Other obligations relate to bundling, self-preferencing, interoperability of services, and transparency (eg, in relation to advertising services).

Fines for DMA infringement are up to 10% of the gatekeeper’s worldwide turnover in case of non-compliance, and up to 20% in case of repeated infringements.

The Data Act aims to introduce rules for the Internet of Things and for enabling users to easily switch between cloud providers. It is designed to improve access, exchange and use of valuable data generated by connected devices so that more public and private stakeholders can benefit from big data and machine learning.

The Data Act applies to personal and non-personal data and introduces data sharing obligations to companies that manufacture or offer connected products or related services in the EU. Users of a connected product or a related service will be entitled to access data generated by the connected product or service and can even ask the product’s manufacturer or seller to transfer this data to a third party. These rules will apply in B2B, B2C and B2G contexts. There are some exceptions which limit data sharing; for example, if the relevant data includes trade secrets then those shall be preserved and only be disclosed where technical and organisational measures necessary to preserve the confidentiality of the shared data have been agreed in advance.

Implementing these new rules will come with a variety of challenges and considerable compliance work for companies. For example, the data access and data portability rights will require companies to include into the design of their products interfaces that make data easily retrievable. In practice, companies must not only put in place stringent governance and procedures to comply with the data sharing obligations, but also implement the limitations regarding trade secrets and track any infringements of these by their customers or competitors.

Data processing services, like cloud services providers, infrastructure as a service providers, or platform as a service providers must allow users to easily switch their services and to improve portability between different data processing services providers. The scope of interoperability obligations is not completely clear, and it is yet to be determined how the requirements will function regarding the practical challenges of IT migration. Likewise, the obligation to limit switching charges is not clear cut, with uncertainties about which costs will be in scope.

Service providers will also have to cope with another compliance burden by being subject to safeguards for the international transfer of non-personal data, similar to those from the so-called Schrems II ruling of the EU’s Court of Justice for personal data.

Infringement of the Data Act may lead to GDPR-level fines of up to €20m or 4% of the company’s annual turnover—whichever is higher.

To prepare for the different compliance tasks that will come with the Data Act, especially for connected products, companies should start data mapping to gain an overview of the types of data their products generate. In addition, starting to plan the technical elements for data sharing/data portability into products will help to minimise the amount of rework required if product design subsequently changes.

The Data Governance Act (DGA) is a cross-sectoral regulation designed to enhance trust in and facilitate voluntary data sharing for the benefit of businesses and citizens.

While the aim of the Data Act is to determine who is entitled to generate economic value from data and under which conditions, the DGA sets up the process and framework to enable data sharing.

The DGA applies to public sector bodies, providers of data intermediation services (ie, companies which do not sell data themselves but bring together other companies interested in monetising and reusing data), and data altruism organisations which facilitate data sharing for public benefit purposes.

Among other things, the DGA aims to:

• create shared data spaces and mechanisms for reusing certain categories of protected public sector data;
• ensure trust in data by establishing neutral data intermediaries;
• establish data altruism mechanisms which facilitate data sharing for companies, individuals, and public organisations for public benefit purposes; and
• introduce obligations for data intermediation services providers to guarantee their neutrality and prevent conflicts of interest (eg, structural separation of data intermediary services from other services and an obligation to notify a national authority of their intent to provide data intermediation services). Once the notified authority has confirmed, such providers will then be able to use a label and a common logo to show they are a recognised data intermediary in the EU.

Non-compliance with these obligations may lead to fines which are yet to be determined by national law.