Regulatory framework

Copyright © 2025 LexisNexis

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), that apply to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest EU Law News

Opera’s Edge dispute raises key question: Who can challenge EU DMA decisions?

MLex: Web browser Opera's challenge to the European Commission over its refusal to designate Microsoft's Edge as a digital 'gatekeeper' was heard in court this week. It delved into the thorny question of who can challenge the regulator's Digital Markets Act decisions: The law doesn't specify any official status for third parties, despite the commission relying on them to inform its decisions. The outcome of the appeal will be significant for companies that operate in the shadows of the biggest platforms.

EU Commission eyes changes to how AI law covers sector regulated products

MLex: The European Commission is considering changes to how products regulated under EU sectoral product safety laws are covered by the EU’s AI law as part of its wider drive to streamline digital regulations, MLex has learned. The move, which is being considered as part of a digital ‘omnibus’ package due 19 November 2025, could ease obligations for sectors such as medical devices and industrial machinery.

EBA publishes CRR final draft RTS on CVA risk of securities financing transactions

The European Banking Authority (EBA) has published its final draft regulatory technical standards (RTS) made under ​Article 382(6) of the Capital Requirements Regulation (Regulation (EU) No 575/2013) (CRR) specifying the conditions and criteria for assessing whether credit valuation adjustment (CVA) risk exposures arising from fair-valued securities financing transactions (SFTs) are material. The RTS also define the frequency of this assessment.

Commission establishes Digital Commons European Digital Infrastructure Consortium

The European Commission has adopted a decision establishing the Digital Commons European Digital Infrastructure Consortium (DC-EDIC), a new legal instrument enabling Member States to jointly develop, deploy and operate cross-border digital infrastructures with dedicated governance and legal personality. DC-EDIC will have its statutory seat in Paris, with France, Germany, the Netherlands and Italy as founding members, while other Member States may join under fair and reasonable terms. The consortium's governance structure comprises an Assembly of Members, a Director for day-to-day management, and an Advisory Board for strategic orientations. Legal requirements include GDPR-compliant data practices with arrangements for investigating security breaches, default release of jointly developed software under Free and Open-Source licences, and procurement following non-discrimination principles. The consortium is scheduled for official launch in December 2025, with planned milestones including recruitment of the Director and founding team, launch of a DEP support project, and delivery by 2027 of a One-Stop-Shop and Expertise Hub, Digital Commons Forum and Award, and an annual State of the Digital Commons report.

View EU Law by content type :
News
Practice notes
Precedents
Q&As

Popular documents

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the current registered owner? Or does the informal exoneration only apply to the parties to the document which informally exonerated the rentcharge?This Q&A considers the situation where, at some

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements[Insert addressee details]Dear [insert name][It is our understanding that [insert name of prospective employee] [was an employee of yours between the dates of [insert dates as appropriate] OR is a current employee of
What is the difference between an appeal and a review?

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the

If a rentcharge is shown as being informally exonerated on title information, does this apply to the current registered owner? Or does the informal exoneration only apply to the parties to the document which informally exonerated the rentcharge?This Q&A considers the situation where, at some

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements[Insert addressee details]Dear [insert name][It is our understanding that [insert name of prospective employee] [was an employee of yours between the dates of [insert dates as appropriate] OR is a current employee of