Regulatory framework

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), that apply to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

EU Financial Services—daily round-up (19 February 2026)

A round-up of EU financial services developments.

EU Law weekly highlights—19 February 2026

This week's edition of EU Law weekly highlights includes analyses on the European Commission’s 2026 priorities for implementing the EU AI Act, and the EU's draft Code of Practice on Transparency of AI-Generated Content. In addition this week, the Commission introduced an information and communication technologies (ICT) Supply Chain Security Toolbox, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) published a joint opinion on the Commission's Digital Omnibus proposal, the EDPB published its Work Programme for 2026–27, issued an Opinion on the Commission's proposal to extend data processing rules for combating child sexual abuse material online, the Council of the EU formally adopted a Directive updating the list of pollutants affecting surface water and groundwater, the European Parliament adopted a legislative resolution approving the codification of the Regulation on European Union designs, adopted new measures to strengthen protection for farmers against cross-border unfair trading practices, the Commission opened formal proceedings against Shein under the EU Digital Services Act for alleged violations relating to addictive design, and reported that, two years after the EU DSA began to apply, online platforms in the EU have reversed nearly 50 million content moderation decisions following user appeals.

EDPB adopts report on coordinated enforcement of GDPR right to erasure

The European Data Protection Board (EDPB) has adopted a report on its Coordinated Enforcement Framework action concerning the right to erasure under Article 17 Regulation (EU) 2016/679 (General Data Protection Regulation(GDPR)). The coordinated action, conducted throughout 2025, involved 32 Data Protection Authorities across Europe, with responses from 764 controllers ranging from small and medium-sized enterprises to large companies and public entities. Nine DPAs initiated or continued formal investigations, while 23 conducted fact-finding exercises. The report identifies seven recurring challenges hindering full implementation of the right to erasure, including inadequate internal procedures for handling requests, insufficient information provided to individuals, reliance on inefficient anonymisation techniques, and difficulties in determining retention periods and deletion of personal data in back-ups. The EDPB noted that some controllers face difficulties assessing conditions for exercising the right to erasure and conducting balancing tests between erasure rights and other rights and freedoms. The report includes recommendations for controllers to improve compliance. The next CEF action in 2026 will focus on transparency and information obligations under GDPR.

ESMA issues statement on revised prospectus framework introduced by the Listing Act

The European Securities and Markets Authority (ESMA) has issued a statement with practical guidance to national competent authorities (NCAs), issuers and their advisors on the application of the revised prospectus framework introduced by the Listing Act. ESMA says it expects NCAs to follow the approach outlined in the statement, enabling issuers and advisors to rely on its content.