The previous European Commission adopted the 2030 Digital Compass as a response to technological developments. It aims to bring about digital transformation with regulatory and policy action. It covers different areas, some of which are digital markets and services, data, and cybersecurity. What are the legislations in these areas? And what are their implications? Olga Batura, Senior scientist at TNO, shares some insights about the Digital Markets Act (DMA), the Digital Services Act (DSA), the Data Act, the Cyber Resilience Act, and the Artificial Intelligence Act (AIA) (which she also shared during our Community Meeting of June).
To start off, Olga says: “All this legislation is relevant for SMEs in different ways. Legislations always create rights and obligations. Sometimes they provide more rights that SMEs can benefit from. But sometimes they create mainly obligations.” Olga also clarifies that ‘Act’ or ‘Regulation’ means that the legislation “applies directly, there is no need for a national transposition. What you see in the text on the EU legislation, is what you get.”
1. Digital Markets Act (DMA)
According to the European Commission, “the Digital Markets Act establishes a set of clearly defined objective criteria to qualify a large online platform as a ‘gatekeeper’ and ensures that they behave in a fair way online and leave room for contestability.”
The DMA focuses on regulating the market power of large undertakings, so-called gatekeepers. Olga explains: “To become a gatekeeper, you need to be designated by the Commission based on specific conditions. A regular SME can’t just become a gatekeeper. Furthermore, in most cases, the DMA does not create obligations for SMEs, but possibilities, so benefits or rights.” Olga highlights some of these:
- If you as an SME are a business user of a designated gatekeeper (see this list of gatekeepers by the Commission), the DMA aims to create a level playing field between offers that you as an SME offer on a large online platform and the offers that the gatekeepers themselves offer. “Think of Amazon, selling its own product and you as an SME also selling on Amazon.”
- It allows you to not use the bundled offers of a gatekeeper.
- Gatekeepers are obliged to provide detailed information about advertising, e.g. how your ad is performing on their website, free of charge.
- You have access to app stores, search engines, social networking services, and query data on so-called ‘FRAND terms’ (Fair, Reasonable and Non-discriminatory).
Olga concludes: “Depending on who you are (an app developer or an SME selling something online), the benefits will slightly differ. Inform yourself about your rights and use them. You don’t have to worry about being hit by the DMA.”
2. Digital Services Act (DSA)
According to the European Commission, “the Digital Services Act regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. It ensures user safety, protects fundamental rights, and creates a fair and open online platform environment.”
Olga says: “This is a tricky one. It’s mainly about regulating online content and protecting users online. Mainly end users, but in some cases also business users. However, this Act creates obligations for SMEs depending on the type of activity the SME performs.” Olga says you become subject to the DSA if you are:
- An intermediary service provider, that is, a provider of mere conduit (e.g. internet exchange points, wireless access points, virtual private networks, DNS services), caching (e.g. content delivery networks, reverse proxies or content adaptation proxies) or hosting.
- A hosting service provider, that is, a provider of storage of information provided by, and at the request of, a recipient of the service (e.g. cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing).
- An online platform provider, which hosts a service that, at the request of a recipient of the service, stores and disseminates information to the public (e.g. social networks, online auctions).
Olga explains that these different types of SMEs have certain main obligations, which apply in a staggered manner. If you are an intermediary service provider, you have two main obligations to comply with:
- If you are residing outside of the EU, you must have a single point of contact in the EU
- You must be transparent about terms and conditions of use and changes in them
If you are not only an intermediary service provider, but also a hosting service provider, you have additional obligations:
- Easy-to-access, user-friendly Notice-and-Action mechanisms
- Notify relevant parties, including, if necessary, law enforcement authorities
If, on top of this, you are also an online platform (“for example a mini Amazon or mini Facebook”), you have even more obligations. This is the category with the most regulatory obligations in the case of SMEs:
- Trusted flaggers for illegal content
- Internal complaint handling
- Out-of-court dispute resolution
- Transparency and control for ads and recommendations
- Traceability of traders
Olga continues: “There are also obligations in the DSA that refer only to very large online search engines and online platforms. It is unlikely that an SME can become one.” Very large online search engines and online platforms are designated by the Commission (see the current list).
3. Data Act
According to the European Commission, “the Data Act is designed to enhance the EU’s data economy and foster a competitive data market by making data (in particular industrial data) more accessible and usable, encouraging data-driven innovation and increasing data availability. To achieve this, the Data Act ensures fairness in the allocation of the value of data amongst the actors in the data economy. It clarifies who can use what data and under which conditions.”
Olga says: “This is a fairly new regulation. It is very interesting. It has seven chapters that all focus on slightly different things. It mainly deals with access and use of non-personal data that is generated by IoT devices – which are called ‘connected devices’ in the Act. I selected three chapters to focus on. If you are a manufacturer of connected devices or you write software or create hardware for such devices, this Act will be applicable to you.”
“As a device manufacturer, you have obligations towards users of those connected devices. And as an SME you can of course also be a user of a connected device, such as sensors.” There are various obligations for manufacturers and benefits that users can gain from this Act, for example:
- If you are a user of a connected device, you can share data generated by this device with third parties without asking the manufacturer for any permissions. And as a manufacturer, you are obliged to give the user all the raw and pre-processed data of the connected device – no questions asked.
- If you are a manufacturer, you have to provide the user with very detailed pre-contractual information related to the data of the connected device and its use. This is very good for the user, because they know exactly what they can do with the device and the data. But it’s kind of burdensome for a manufacturer because you have to come up with this information.
- If the data contains important technical or organisational information, it can be protected as confidential data and as a manufacturer you don’t have to share it.
- Unfair contractual terms are not considered binding. So if the terms are more burdensome for one party, they are not binding.
Olga concludes: “I would advise to read chapter 2 and 3 of the Data Act to learn about your obligations as a manufacturer. But also as a user, because you might get a lot of benefits by getting this data from the manufacturer and using it in your enterprise.”
4. Artificial Intelligence Act (AIA)
According to the European Commission, “the AI Act is the first-ever legal framework on AI, which addresses the risks of AI and positions Europe to play a leading role globally. This Act aims to provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).”
Olga explains: “The AIA focuses on risky practices involving AI systems and risky products incorporating AI. It applies only when an AI system is placed on the EU market, put into service or use in the EU. It does not apply to the R&D stage of the AI. So if you develop your AI system in the EU, but sell it outside of the EU, you are not subject to the AIA.” Olga also notes that AI systems for the defence and national security sector are excluded from the AIA.
“The first important thing to understand, is what an AI system is according to the AIA,” says Olga. “The definition of an AI system is quite complex and ambiguous. But one thing is clear: simple rules-based systems (i.e. if-then systems) are not covered by the AIA. In the near future, the European Commission should issue guidelines on the AI definition. SMEs should keep their eyes open for this document as it should bring more clarity about what else might be excluded (or included) in the notion of AI system. SMEs should also check the list of prohibited practices involving AI systems listed in Article 5 AIA. If SMEs are using an AI system in any of the prohibited ways, they should stop and look for other options.”
According to Olga, the greatest scope of AIA obligations is linked to the so-called high-risk AI systems. There are two types of such systems.
- “The first type of high-risk AI is very straightforward. It is an AI system that is used as a safety component in one of the products that requires CE marking before marketing in the EU (e.g. elevators, cars, toys, planes, medical devices).”
- “The second type of high-risk AI is linked to specific uses of AI, where AI can negatively influence fundamental rights of people. Examples of this are biometrics AI systems, AI systems used for recruitment procedures, for processing migration applications, for evaluating students and similar. However, there are special exemptions from this second type of high-risk AI, and SMEs would be well advised to consult an expert to help them determine whether AI they provide or deploy can be exempted and how.”
In the context of high-risk AI systems, Olga says that SMEs should determine whether they are a provider or a deployer of an AI system because the obligations differ for these actors. “Deployers are organisations or people using AI in the course of their business and have fewer obligations. Providers must conduct risk assessment, fundamental rights assessment (for high-risk AI of the second type) and attach the CE mark. Only then they can put the AI system on the market. However, sometimes a deployer may become a provider of a high-risk AI system. For example, this is the case when the deployer puts its trademark on the AI system.”
When can we expect this Act to come into force? Olga says: “The AIA is already adopted and will be published any day now. It enters into force 20 days after the publication, but it will not start to apply immediately – this happens in stages (i.e. different rules will become applicable at different times). For example, the rules on prohibited AI practices will apply 6 months after the entry into force. So SMEs must become compliant and stop prohibited practices within 6 months. The rules on high-risk AI will start applying in 36 months, so SMEs providing high-risk AI have almost 3 years to figure out how to become compliant. Companies should use this time to learn more about the application of the AIA to their specific situation and adapt their products and processes. A good first step to get more information on the AIA is to check the presentation of Irvette Tempelman (VNO-NCW).”
5. Cyber Resilience Act (CRA)
According to the European Commission, “the Cyber Resilience Act aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.”
“This Act is new and has not yet been published,” says Olga. “But it will be published and entered into force soon. This Act is about cybersecurity of products with digital elements. Products with digital elements mean software or hardware and their remote data processing solutions (for example, if you have software that uses cloud for data processing) – including software or hardware components being placed on the market separately. This is a very broad definition, it’s basically everything software or hardware related. Many SMEs are probably doing something like this, so this Act applies to them.” Olga clarifies: “If you produce in the EU, but you don’t sell in the EU, this Act doesn’t apply to you. But if you place a product on the European market, you need to conduct a risk assessment, attach CE conformity marking and only then you are allowed to sell. So you need to jump through all these loops before you can sell the product.”
There is a full list of what SMEs need to comply with and Olga suspects this will be a lot for many SMEs, because it’s an addition to many other things they have to do. “The Commission said they will provide some guidance to make it less burdensome for SMEs. For example, the rules about technical documentation and how to conduct risk assessment. Keep your eyes and ears open for this additional documentation that will help you to become compliant. But for now: relax. It’s not applicable yet.”
Olga continues: “Please remember that in addition to the above, there is a very important document that applies: the General Product Safety Regulation. For example, if you did everything for cybersecurity but you failed, you still might be liable. So always keep this document in mind if you produce anything for consumers.”
What will be the new focus of the Commission?
Everyone is curious about the priorities of the new Commission. Olga shares: “I looked at the priority list of the old Commission. The two acts that remain from the old legislative plan are the AI Liability Directive and the Directive on liability for defective products (revision of the Product Liability Directive). I assume it will probably not be the priority of the new Commission right now, but in a few years it could be the case. Also, the insiders are saying that it is very likely that the new Commission will not be so focussed on adopting more new legislation, but on compliance and application of the legislations that have been adopted so far. So start thinking about your compliance and observe what is happening around you.”
What can you do to prepare yourself?
In the last few years, the EU has shown incredible legislative activity that we have to keep pace with. But this is difficult, also for Olga: “It is impossible to read everything. It is also impossible to make sense of it and understand how it all fits together. However, as manufacturers, services suppliers, etc. you still have an obligation to comply. That’s why ‘know your rights and obligations’ is still on you and as critical as always.”
Olga shares some tips: “As an SME, pay attention to what is coming from the Commission and what is coming from the specialised EU-level bodies (AI office, ENISA and similar). This is the best information you can get, directly from the source. Also try to use different fora to get advice and information. If you are a developer of AI systems, then go to those industry fora where you can get specific advice for your situation, for example the AI Coalition. And pick your sources and don’t read anything, because you will drown.” Olga believes SMEs shouldn’t be thrown in at the deep end: “I think the government should provide more support for SMEs, from information to participating in regulatory sandboxes (for the Cyber Resilience Act).”
Do you want to learn more?
Olga hosted a session about these Acts at our Community Meeting of June. You can either download her presentation slides, or watch the recording.