Regulatory framework

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), that apply to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

ISDA, EFAMA and AFME submit joint response on EC environmental legislation burden

The International Swaps and Derivatives Association (ISDA), the European Fund and Asset Management Association (EFAMA), and the Association for Financial Markets in Europe (AFME) submitted a joint response on 10 September 2025 to the European Commission’s call for evidence on reducing administrative burdens in environmental legislation. Their submission advocates for regulatory coherence with existing sustainable finance frameworks, the continued exemption of financial products from the Green Claims Directive, and clarification that due diligence under the Deforestation Regulation should target lead operators rather than downstream financial institutions.

EU Law weekly highlights—18 September 2025

This week's edition of EU Law weekly highlights covers the entry into application of the EU Data Act, the launch of a call for evidence on the forthcoming Digital Omnibus package, the publication of new guidelines to assist Member States in implementing the EU Critical Entities Resilience Directive, and the launch of a call for evidence on the planned revision of the EU energy security framework. In addition this week, the European Data Protection Board opened a public consultation on its draft Guidelines on interplay between the EU Digital Services Act and the General Data Protection Regulation, the Commission launched a consultation on draft revisions to the Technology Transfer Block Exemption Regulation, the Commission adopted technical standards for European Green Bond external reviewers, the European Investment Bank launched a €17.5bn financing initiative to support SMEs in making energy efficiency improvements, and the European Parliament adopted its position on reforms to the Package Travel Directive. Finally this week’s highlights include an analysis of decisions by the French data protection authority to fine Google and Shein for cookie rule violations.

Commission Delegated Decision to grant renewal of provisional equivalence under Article 227 of Solvency II to Brazil, Mexico and Japan for further ten year period

The Euopean Commission (the Commission) has published the wording of the proposed Commission Delegated Decision on the renewal of the determination that the solvency regime in force in Brazil, Japan and Mexico applicable to undertakings with their head office in those third countries is provisionally equivalent to that laid down in Title I, Chapter VI of the Solvency II Directive (Directive 2009/138/EC).

Commission consults on minimum sustainability requirements for public net zero technology contracts

The European Commission has launched a consultation on a draft implementing regulation that will establish minimum environmental sustainability requirements for public procurement of clean technologies under the EU Net Zero Industry Act. The regulation will set mandatory requirements for contracting authorities and entities engaged in procurement procedures for net-zero technology contracts, including wind power, heat pumps and grid technologies. The implementing regulation supplements Regulation (EU) 2024/1735 and aims to standardise environmental sustainability criteria in public procurement across the EU. The consultation is open for feedback from 16 September 2025 to 14 October 2025.