Regulatory framework

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), that apply to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

Commission launches consultation on revised GMP quality system guidelines

The European Commission's Directorate-General for Health and Food Safety has opened a consultation on proposed updates to Chapter 1 of the Good Manufacturing Practice (GMP) guidelines. The revision aligns with the International Council for Harmonisation (ICH) Q9(R1) guideline on Quality Risk Management, introducing strengthened requirements for knowledge management and risk assessment across product lifecycles. Key changes include new provisions for shortage prevention, clarified product quality review requirements, and guidance on product grouping strategies. The amendments aim to modernise regulatory frameworks while ensuring consistent product quality and availability. Public health stakeholders involved in GMP activities can submit responses via EU Survey tool. Consultation closes 3 December 2025.

EPC Directory Service goes live in support of the VOP Scheme

The European Payments Council (EPC) has announced the successful launch of the EPC Directory Service (EDS) in live mode to support the Verification of Payee (VOP) scheme. All participants and Routing and Verification Mechanisms (RVMs) registered during the test phase are automatically recognised in the live environment, with data entered before 22 August 2025 migrated accordingly, later entries must be re-entered manually.

‘Bigger than we thought it was going to be’—the ICJ Advisory Opinion clarifies states’ legal obligations relating to climate change

Environment analysis: On 24 July 2025, the International Court of Justice (ICJ) handed down its first advisory opinion (AO) on climate change. The AO has been widely heralded as a turning point in both international environmental law and in climate change litigation, transforming climate ambition into enforceable legal obligations and setting the stage for heightened scrutiny of both state and corporate conduct. Written by Estelle Dehon KC, of Corner Stone Barristers.

European Parliament publishes proposed amendments to shorten EU securities settlement cycle to T+1

The European Parliament's Committee on Economic and Monetary Affairs has published proposed amendments to Regulation (EU) No 909/2014, mandating a shorter settlement cycle for securities transactions. Under the new proposal, most securities transactions executed on trading venues will settle within one business day (T+1) rather than the current two-day cycle, with implementation scheduled for 11 October 2027. The amendments exempt certain securities financing transactions and assign the task of monitoring settlement efficiency during the transition to the European Securities and Markets Authority. This change aims to reduce counterparty risks and align EU markets with global practices.