Financial Entities in the EU: Time to Register Your ICT Third-Party Service Providers under DORA
The European Union’s (“EU”) Digital Operational Resilience Act (“DORA”) became effective on 17 January 2025. Since then, financial entities (such as banks, insurance companies and investment firms) and their ICT third-party service providers operating in the EU have been – directly or indirectly – subject to the new regime. One of the first key DORA compliance deadlines, for financial entities to register their ICT service providers with competent EU Member State authorities, is coming into effect across most of the member states this month.
EU Commission Publishes AI Continent Action Plan and Seeks Input
On April 9, 2025 the European Commission adopted a communication on the so-called AI Continent Action Plan – its strategy to shape the next phase of AI development in Europe, with consultation to follow. The Commission’s declared objective is to transform the EU into a global leader in AI by fostering innovation, ensuring trustworthy AI, and enhancing competitiveness while safeguarding democratic values and cultural diversity. Keep monitoring Data Matters for more on the Commission’s consultation, when available. (more…)
New UK Consumer Rules Herald Stricter Enforcement and Significant Fines
Consumer protection is rising to the top of the regulatory agenda worldwide. The UK consumer protection regime is undergoing a major shift: The Competition and Markets Authority (CMA) now has powerful new tools under the Digital Markets, Competition, and Consumers Act (DMCCA) (see our Sidley Update here), including the ability to directly enforce consumer law and fine companies up to 10% of global annual turnover for serious infringements. (more…)
Chambers 2025 Global Practice Guide for Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published. Sidley lawyers have contributed to: Cybersecurity 2025. (more…)
EIOPA Publishes Consultation on Opinion on AI Governance and Risk Management
On February 12, 2025, the European Insurance and Occupational Pensions Authority (“EIOPA”) published a consultation on its draft opinion on artificial intelligence (“AI”) governance and risk management (the “Opinion”).
EDPB Adopts Report on GDPR Right of Access Following 2024 Coordinated Enforcement Action
On January 20, 2025, the European Data Protection Board (EDPB) adopted a report on the implementation of the right of access by controllers under the GDPR (the Report). The right of access was the subject of the EDPB’s third coordinated enforcement action (CEF) in 2024 which involved 1,185 controllers of varying size, industry, and sectors. The Report provides useful recommendations for controllers on how to comply with access requests, including guidance on how long access request documentation should be retained, the importance of maintaining internal documentation, and how to avoid a ‘one size fits all’ approach. The Report emphasizes that access requests should be handled on a case-by-case basis, considering the broad scope of the right and the limited exemptions.
EU Commission Launches Cybersecurity Action Plan for Hospitals and Healthcare Providers
On January 15, 2025 the EU Commission published an action plan with an aim to support cybersecurity in hospitals and healthcare providers in the EU (the Action Plan). The Action Plan is another response by the EU to the increasing cybersecurity threats facing all industries, including the health sector. The Commission notes that this risk has increased due to, amongst other factors, the increased digitisation of healthcare, which has allowed attack surfaces to grow. It also comes following a number of high-profile incidents which have impacted healthcare providers in the EU. The Action Plan is intended to build on the new EU cybersecurity legislation, such as the NIS Directive 2 (NISD2) and the Cyber Resilience Act, and feed into the full deployment of the European Health Data Space Regulation which was adopted on January 21, 2025. See our blog post here.
Data Privacy and Cybersecurity Outlook for 2025: What Financial Services Firms Need To Know
Last year saw many developments across the worldwide data privacy and cybersecurity landscape, including in the EU/UK, and this momentum shows no sign of slowing in 2025. The EU General Data Protection Regulation (GDPR) enters its seventh year in May 2025. New cybersecurity and operational resilience legislation and related guidance are coming into force to regulate new and challenging technologies, several of which will affect financial services firms.
European Health Data Space Regulation Adopted: What’s Next for Life Sciences Companies?
On January 21, 2025, the European Health Data Space Regulation (EHDS) was formally adopted by the Council of the European Union. This marks the near-final step in the adoption process, and will enter into force in the coming weeks. Importantly for life sciences companies (pharma, biotech, and medtech), the EHDS’ so-called secondary use provisions will become applicable in 2029, leaving companies four years to consider, adapt to, and implement these wide-ranging requirements.
UK Operational Resilience Rules: Are You Ready for 31 March 2025?
Several categories of UK financial services firms, including banks, insurers, electronic money institutions, and payment institutions, are required to comply with new requirements on operational resilience beginning 31 March 2025.
