Regulatory framework

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), that apply to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

ECHA launches online tool for Drinking Water Directive notifications of intention

The European Chemicals Agency (ECHA) has launched a new online tool via the ECHA Industry Portal to allow companies to notify their intention to update the EU Positive Lists of substances approved for use in materials that come into contact with drinking water. The tool enables companies to indicate substances they wish to keep, add to or remove from the European Positive Lists. ECHA has published a manual on preparing Drinking Water Directive notifications of intention, alongside a guidance document and a video tutorial to assist notifiers in preparing their notifications. Following submission of a notification of intention, notifiers have 12 months to submit their application, with the application window opening in January 2027.

Compulsory licensing regulation for crisis management to come into force in EU on 19 January 2026

The European Commission's Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs has announced that the regulation on compulsory licensing for crisis management, amending Regulation (EC) No 816/2006, will come into force on 19 January 2026 following its publication in the Official Journal of the European Union. The regulation establishes an EU-wide framework for granting compulsory licences in cross-border crisis or emergency situations, enabling the Commission to issue EU-wide compulsory licences for protected inventions related to crisis-relevant products once a crisis has been declared under relevant EU crisis instruments. Compulsory licensing under the regulation is intended as a measure of last resort, subject to strict conditions, including limits on the scope and duration of licences and obligations to provide fair and adequate remuneration to rights holders in line with the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

Commission publishes fitness check on EU energy security regulations

The European Commission has published a fitness check assessing the EU regulations on gas supply security and electricity risk preparedness, originally introduced in 2017 and 2019. The review finds that while these regulations have generally enhanced energy supply stability, they proved inadequate during the 2021–23 energy crisis, necessitating additional emergency measures. In response, the Commission intends to publish revised legislative proposals in the first half of 2026. These proposals will adopt a more robust, cross-sectoral approach to energy security, addressing emerging challenges such as physical and cyber threats, climate risks, and geopolitical tensions.