Regulatory framework

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high-level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), which applies to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

Latest EU Law News

EU adopts regulation streamlining financial services reporting requirements

The European Parliament and Council have adopted Regulation (EU) 2025/… of 8 October 2025 amending Regulations (EU) No 1092/2010, (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010, (EU) No 806/2014, (EU) 2021/523 and (EU) 2024/1620 regarding reporting requirements in financial services and investment support (otherwise known as the Better Data Sharing Regulation). The regulation introduces new information sharing obligations between EU financial authorities including the European Supervisory Authorities (ESAs), European Systemic Risk Board (ESRB), Single Resolution Board (SRB), European Central Bank (ECB) and the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), implementing a 'report once' principle whereby authorities must request information from other authorities rather than directly from financial institutions where possible. The regulation requires the ESAs to prepare a feasibility study for a cross-sectoral integrated reporting system within 60 months and to establish a permanent single contact point for reporting duplicative requirements, and it grants authorities discretionary powers to share anonymised information with researchers for innovation purposes. The regulation also changes InvestEU Programme reporting frequency from biannual to annual and mandates authorities to review and propose removal of redundant reporting requirements within 24 months.
