DOMAIN:EU_REGULATION:DATA_PROCESSING_STANDARDS¶
OWNER: julian
ALSO_USED_BY: eric, aimee, ALL dev agents building regulated features
UPDATED: 2026-03-26
SCOPE: EU data processing regulatory landscape beyond GDPR — NIS2, DGA, Data Act, AI Act, DORA, CRA
OVERVIEW¶
The EU has built a comprehensive regulatory stack for data processing, cybersecurity,
and digital products. GDPR was the foundation. Since 2022, a wave of new regulations
adds sector-specific and technology-specific requirements. GE must navigate this landscape
both as a software vendor (supply chain obligations) and as a builder of client products
(compliance-by-design).
WHY_GE_CARES: GE builds software for EU-based clients. Almost every project touches
at least one of these regulations. Failing to assess regulatory impact at scoping
(Aimee's domain) creates costly rework. Understanding the full landscape is essential
for accurate project estimation and architecture decisions.
NOTE: GDPR implementation is covered in domains/compliance-frameworks/gdpr-implementation.md.
The EU AI Act summary is in domains/eu-regulation/index.md. This page provides
deeper coverage and cross-regulation analysis.
NIS2 DIRECTIVE (EU) 2022/2555¶
WHAT_IT_IS¶
NIS2 is the EU's updated Network and Information Security Directive.
It replaces the original NIS Directive (2016/1148) with significantly
expanded scope, stricter requirements, and higher penalties.
STATUS: transposition deadline was 17 October 2024. Most Member States missed it.
The European Commission sent reasoned opinions to multiple countries including
the Netherlands for failure to transpose.
SCOPE — WHO IS AFFECTED¶
ESSENTIAL_ENTITIES (Annex I):
- energy (electricity, oil, gas, hydrogen)
- transport (air, rail, water, road)
- banking and financial market infrastructure
- health sector
- drinking water and wastewater
- digital infrastructure (IXPs, DNS, TLD registries, cloud, data centres)
- ICT service management (B2B: managed service providers, managed security providers)
- public administration
- space
IMPORTANT_ENTITIES (Annex II):
- postal and courier services
- waste management
- chemicals manufacturing and distribution
- food production, processing, distribution
- manufacturing (medical devices, electronics, machinery, motor vehicles)
- digital providers (online marketplaces, search engines, social networks)
- research organisations
SIZE_THRESHOLD: generally 50+ employees OR EUR 10M+ annual turnover.
Some entities are in scope regardless of size (DNS, TLD registries, QTSPs).
SUPPLY_CHAIN_IMPACT — THIS AFFECTS GE¶
NIS2 Art. 21(2)(d) requires regulated entities to manage supply chain cybersecurity.
This creates CASCADING obligations on software vendors like GE.
WHAT_THIS_MEANS:
- regulated clients will include NIS2-aligned security requirements in contracts
- GE must demonstrate secure development practices
- GE must provide vulnerability disclosure and incident notification capabilities
- GE may need to supply SBOMs and security documentation
- demonstrating NIS2-aligned security = COMMERCIAL DIFFERENTIATOR
OBLIGATIONS (Art. 21)¶
All entities must implement measures proportionate to risk:
- risk analysis and information security policies
- incident handling procedures
- business continuity and crisis management
- supply chain security (including vendor assessment)
- security in network and systems acquisition, development, maintenance
- policies for assessing effectiveness of cybersecurity measures
- basic cyber hygiene practices and cybersecurity training
- policies on cryptography and encryption
- human resources security, access control, asset management
- use of multi-factor authentication, continuous authentication, secured communications
INCIDENT_REPORTING¶
TIMELINE:
- 24 hours: early warning to national CSIRT (is the incident likely malicious? cross-border impact?)
- 72 hours: full incident notification with initial assessment
- 1 month: final report including root cause analysis, mitigation measures, cross-border impact
REPORT_TO: national CSIRT (in NL: NCSC — Nationaal Cyber Security Centrum)
MANAGEMENT_LIABILITY¶
NIS2 introduces PERSONAL LIABILITY for management bodies:
- management must APPROVE cybersecurity risk management measures
- management must OVERSEE implementation
- management must receive CYBERSECURITY TRAINING
- management can be held PERSONALLY LIABLE for infringements
THIS IS NEW: previous regulations focused on organisational liability.
NIS2 makes C-level/board directly accountable.
NETHERLANDS — CYBERBEVEILIGINGSWET (Cbw)¶
REPLACES: Wbni (Wet beveiliging netwerk- en informatiesystemen, 2018)
STATUS: bill submitted to Tweede Kamer 4 June 2025
PLENARY_DEBATE: scheduled 23 March 2026
EXPECTED_IN_FORCE: Q2-Q3 2026 (after Senate approval)
The Cbw consists of three components:
1. the Cyberbeveiligingswet itself (primary law)
2. the Cyberbeveiligingsbesluit (Cbb) — general administrative order with detailed obligations
3. ministerial regulations per sector
DUTCH_ADDITIONS:
- higher education institutions (universities) included (optional under NIS2)
- local and regional governments included
- DNS providers, public digital communication providers classified by size
CURRENT_SITUATION: Wbni remains in force until Cbw takes effect.
Entities are advised to prepare now (risk analyses, awareness, incident procedures).
Voluntary NCSC registration available since 17 October 2024.
PENALTIES¶
ESSENTIAL_ENTITIES: EUR 10M or 2% global annual turnover (whichever is higher)
IMPORTANT_ENTITIES: EUR 7M or 1.4% global annual turnover
DATA GOVERNANCE ACT (DGA) — Regulation (EU) 2022/868¶
WHAT_IT_IS¶
The DGA creates a framework for data sharing across the EU.
It governs data intermediaries, data altruism organisations,
and the reuse of certain public sector data.
STATUS: applicable since 24 September 2023
ENFORCEMENT: Commission sent reasoned opinions to 10+ Member States (Dec 2024)
for failing to designate responsible authorities.
KEY_CONCEPTS¶
DATA_INTERMEDIARIES:
- neutral third parties that facilitate data sharing between data holders and data users
- must register with national authorities
- must NOT use shared data for own commercial purposes
- must operate neutrally (no preferential treatment)
DATA_ALTRUISM:
- voluntary donation of data for public interest purposes (health research, climate, etc.)
- organisations must register as "Data Altruism Organisations Recognised in the EU"
- requires informed consent from data subjects
- EU-wide recognised status
PUBLIC_SECTOR_DATA_REUSE:
- conditions for reusing certain categories of protected public data
- includes commercially confidential data, statistical data, personal data
- does NOT override GDPR (data protection requirements still apply)
- single information points in each Member State for reuse requests
DIGITAL_OMNIBUS_CONSOLIDATION¶
IMPORTANT: the November 2025 Digital Omnibus Regulation Proposal proposes
to repeal the DGA and consolidate its provisions into the Data Act.
If adopted, the Data Act becomes the single instrument for data governance.
Monitor legislative progress — this may simplify the regulatory landscape.
GE_RELEVANCE¶
LOW for most projects. Becomes relevant when:
- building platforms that facilitate data sharing between organisations
- client is a public sector body with data reuse obligations
- building data altruism platforms (health, research)
DATA ACT — Regulation (EU) 2023/2854¶
WHAT_IT_IS¶
The Data Act regulates fair access to and use of data generated by connected products
and related services. It also addresses cloud switching rights and
interoperability requirements.
STATUS: entered into force 11 January 2024, applicable from 12 September 2025
PHASED_APPLICATION¶
| Date | Obligation |
|---|---|
| 12 Sep 2025 | Core provisions: user data access rights, interoperability, fair contractual terms |
| 12 Sep 2026 | Design obligations: new connected products must enable easy data access |
| 12 Sep 2027 | Legacy B2B contracts: unfair terms restrictions; all cloud switching fees eliminated |
KEY_PROVISIONS¶
USER_DATA_ACCESS (Chapter II):
- users of connected products have the right to access data generated by their products
- data must be provided free of charge, in a commonly used machine-readable format
- data holders must make data available without undue delay, continuously, in real-time where relevant
- GDPR rights remain intact — personal data still protected
B2B_DATA_SHARING (Chapter III):
- fair, reasonable, and non-discriminatory (FRAND) terms for data sharing
- unfair contractual terms in B2B data contracts are not binding
- protection of trade secrets must be ensured
CLOUD_SWITCHING (Chapter VI):
- customers have the right to switch cloud providers
- switching fees must be phased out entirely by September 2027
- providers must assist with switching (port data, maintain interfaces)
- functional equivalence: destination provider must ensure comparable output
IOT_DATA_ACCESS (Chapter II+III):
- IoT device manufacturers must design products to make data accessible to users
- from September 2026, new connected products must have built-in data access capabilities
- users can share their IoT data with third parties of their choice
NL_PENALTIES¶
Fines up to EUR 1,030,000 or 10% of EU-wide annual turnover for non-personal data violations.
GE_RELEVANCE¶
MEDIUM-HIGH for projects involving:
- IoT / connected products → user data access obligations
- cloud services / SaaS → switching and portability obligations
- B2B data platforms → fair terms requirements
- any client product that generates user data from connected devices
EU AI ACT — Regulation (EU) 2024/1689¶
EXTENDED_COVERAGE¶
The summary in index.md covers risk classification and basic obligations.
This section adds depth for implementation in GE projects.
TIMELINE_DETAIL¶
| Date | What Applies |
|---|---|
| 2 Feb 2025 | Prohibited AI practices banned; AI literacy required |
| 2 Aug 2025 | GPAI rules + penalty regime in effect |
| 2 Aug 2026 | High-risk AI obligations; transparency rules (ORIGINAL date) |
| 2 Aug 2027 | Full scope including Annex II (medium-high risk) |
| 2 Dec 2027 | High-risk compliance deadline (if Digital Omnibus delay adopted) |
| 2 Aug 2028 | Product-embedded AI systems (if Digital Omnibus delay adopted) |
IMPORTANT: the Digital Omnibus Proposal (Nov 2025) may push high-risk deadlines
to December 2027. This is NOT confirmed yet. GE should plan for August 2026
but monitor the Omnibus legislative progress.
WHEN_GE_BUILDS_AI_FEATURES_FOR_CLIENTS¶
ROLE_ASSESSMENT:
- GE builds AI system under client's brand → GE = PROVIDER (heaviest obligations)
- GE modifies purpose of high-risk AI → GE becomes PROVIDER
- GE integrates third-party AI (Claude API, OpenAI) → client = DEPLOYER
- GE provides AI-powered SaaS → GE may be PROVIDER of the system
HIGH_RISK_CHECKLIST (if applicable):
[ ] risk management system documented (Art. 9)
[ ] data governance measures in place (Art. 10)
[ ] technical documentation per Annex IV (Art. 11)
[ ] automatic logging implemented (Art. 12)
[ ] transparency information for deployers (Art. 13)
[ ] human oversight design implemented (Art. 14)
[ ] accuracy, robustness, cybersecurity tested (Art. 15)
[ ] quality management system established (Art. 17)
[ ] conformity assessment completed (Art. 43)
[ ] registered in EU database (Art. 49)
TRANSPARENCY_OBLIGATIONS (all AI systems):
- users must be informed they are interacting with AI (chatbots, virtual assistants)
- AI-generated content must be identifiable
- deepfakes, and AI-generated text published to inform the public on matters of public interest, must be labelled
- people exposed to emotion recognition or biometric categorisation systems must be informed
AI_LITERACY (Art. 4) — ALREADY IN FORCE¶
ALL organisations deploying AI must ensure staff have sufficient AI literacy.
This is not just technical staff — it includes management, sales, customer service.
GE must ensure its own AI literacy AND help clients achieve theirs.
DORA — Regulation (EU) 2022/2554¶
WHAT_IT_IS¶
DORA (Digital Operational Resilience Act) is a regulation for the financial sector
ensuring that financial entities can withstand, respond to, and recover from
ICT disruptions. Directly applicable in all EU Member States (not a directive).
STATUS: fully applicable since 17 January 2025
WHO_IS_AFFECTED¶
- banks and credit institutions
- payment institutions and electronic money institutions
- investment firms
- insurance and reinsurance companies
- crypto-asset service providers
- central securities depositories
- trading venues
- fund managers (UCITS and AIFM)
- credit rating agencies
- crowdfunding service providers
- ICT third-party service providers (if designated as "critical")
FIVE_PILLARS¶
PILLAR_1 — ICT_RISK_MANAGEMENT:
- comprehensive ICT risk management framework
- board-level accountability (management must approve and oversee)
- cybersecurity training for management
- regular risk assessments
PILLAR_2 — INCIDENT_REPORTING:
- classify and report major ICT-related incidents to authorities
- initial notification within tight timeframes
- root cause analysis required
PILLAR_3 — RESILIENCE_TESTING:
- regular testing of ICT systems
- threat-led penetration testing (TLPT) at least every 3 years for systemically important entities
- scenario-based drills
PILLAR_4 — THIRD_PARTY_RISK:
- mandatory contract provisions with ICT service providers
- covering: service locations, data handling, business continuity, incident reporting
- register of all ICT third-party arrangements
- Critical Third-Party Providers (CTPPs) subject to direct EU oversight
PILLAR_5 — INFORMATION_SHARING:
- voluntary sharing of cyber threat intelligence between financial entities
IMPACT_ON_GE¶
IF GE builds software for financial sector clients, DORA creates requirements:
AS_ICT_PROVIDER:
- client contracts must include DORA-mandated clauses
- GE must support client's right to audit
- GE must provide incident notification to client
- GE must maintain business continuity plans
- GE must cooperate with client's resilience testing
AS_BUILDER:
- software must support DORA logging and monitoring requirements
- incident detection capabilities must be built in
- resilience testing hooks should be available
- backup and recovery features must meet DORA standards
PENALTIES¶
- up to 2% of total annual worldwide turnover (entities)
- up to 1% of average daily global turnover (periodic penalties)
- up to EUR 1M for individuals
- up to EUR 5M for Critical Third-Party Providers
CYBER RESILIENCE ACT (CRA) — Regulation (EU) 2024/2847¶
WHAT_IT_IS¶
The CRA sets cybersecurity requirements for ALL products with digital elements
placed on the EU market — including software. This is the first EU regulation
that mandates secure-by-design for software products.
STATUS: entered into force 10 December 2024
IMPORTANT_DISTINCTION: SaaS falls under NIS2, NOT the CRA.
CRA applies to software products that are placed on the market
(downloadable software, firmware, SDKs, libraries).
TIMELINE¶
| Date | Obligation |
|---|---|
| 11 Jun 2026 | Conformity assessment body procedures established |
| 11 Sep 2026 | Vulnerability reporting obligations apply |
| 11 Dec 2027 | Full compliance required |
SBOM_REQUIREMENT¶
The CRA makes SBOM (Software Bill of Materials) mandatory for every product
with digital elements sold in Europe.
FORMAT: machine-readable, commonly used format (SPDX or CycloneDX expected but not yet mandated)
SCOPE: at minimum, top-level direct dependencies
DISCLOSURE: NOT required to be public. Must be in technical documentation.
Must be provided to market surveillance authorities on request.
DRAFT_STANDARD: CEN/CENELEC working on horizontal standard specifying SBOM schema.
Expected mid-2026. Until then, use CycloneDX or SPDX.
THE_HIDDEN_SEPTEMBER_2026_DEADLINE¶
Most organisations focus on December 2027. But the vulnerability reporting obligation
starts 11 September 2026. To report actively exploited vulnerabilities within 24 hours,
you MUST have:
- a complete SBOM (to know what components you have)
- automated vulnerability tracking (to detect exploited vulnerabilities)
- incident response process (to report within 24 hours)
Without SBOMs by September 2026, you CANNOT comply with reporting obligations.
VULNERABILITY_HANDLING¶
- actively exploited vulnerability: initial report within 24 hours to ENISA + national CSIRT
- further information within 72 hours
- final report within 14 days after patch/workaround
- coordinate vulnerability disclosure with ENISA
- provide security updates for product lifetime (minimum 5 years)
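As an added example (not part of this page or of any GE project code), the Python below builds a minimal CycloneDX SBOM of direct dependencies, matches it against an exploited-vulnerability feed, and computes the 24 h / 72 h / 14-day reporting clocks described under SBOM_REQUIREMENT, THE_HIDDEN_SEPTEMBER_2026_DEADLINE and VULNERABILITY_HANDLING. The dependency names, the feed format, the CVE ids and all timestamps are constructed assumptions.

```python
"""CRA readiness check: SBOM of direct deps -> exploited-vuln match -> reporting clocks."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input: the top-level direct dependencies of a hypothetical
# product (the CRA's minimum SBOM scope). Names and versions are invented.
DEPENDENCIES = [
    {"name": "example-http", "version": "2.4.1", "purl": "pkg:pypi/example-http@2.4.1"},
    {"name": "example-yaml", "version": "5.1.0", "purl": "pkg:pypi/example-yaml@5.1.0"},
    {"name": "example-jwt", "version": "1.7.3", "purl": "pkg:pypi/example-jwt@1.7.3"},
]

# Constructed vulnerability feed. Its shape (affected purl plus an "exploited" flag)
# is an assumption for this example, not a real feed format; CVE ids are placeholders.
VULN_FEED = [
    {"id": "CVE-0000-0001", "affected": "pkg:pypi/example-yaml@5.1.0",
     "exploited": True, "fixed_in": "5.1.1"},
    {"id": "CVE-0000-0002", "affected": "pkg:pypi/example-jwt@1.7.3",
     "exploited": False, "fixed_in": "1.8.0"},
]

# Constructed timestamps: when the team learned of the exploited flaw, and when a fix shipped.
AWARENESS_TIME = datetime(2026, 9, 11, 9, 0, tzinfo=timezone.utc)
FIX_TIME = datetime(2026, 9, 13, 9, 0, tzinfo=timezone.utc)


def build_sbom(product_name, product_version, deps):
    """Return a minimal CycloneDX 1.5 JSON document listing the product's direct dependencies."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": product_name,
                                   "version": product_version}},
        "components": [
            {"type": "library", "name": d["name"], "version": d["version"], "purl": d["purl"]}
            for d in deps
        ],
    }


def find_exploited(sbom, feed):
    """Return feed entries flagged as actively exploited whose purl matches an SBOM component.
    Matching is deliberately exact: a component missing from the SBOM is never detected."""
    purls = {c["purl"] for c in sbom["components"]}
    return [v for v in feed if v["exploited"] and v["affected"] in purls]


def cra_deadlines(awareness_time, fix_available=None):
    """Clocks from the VULNERABILITY_HANDLING list: 24 h initial report,
    72 h further information, final report 14 days after a patch or workaround."""
    deadlines = {
        "initial_report": awareness_time + timedelta(hours=24),
        "further_information": awareness_time + timedelta(hours=72),
    }
    if fix_available is not None:
        deadlines["final_report"] = fix_available + timedelta(days=14)
    return deadlines


if __name__ == "__main__":
    sbom = build_sbom("example-product", "1.0.0", DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    for vuln in find_exploited(sbom, VULN_FEED):
        clocks = cra_deadlines(AWARENESS_TIME, FIX_TIME)
        print(vuln["id"], "initial report due", clocks["initial_report"].isoformat())
```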
PENALTIES¶
Up to EUR 15M or 2.5% of global annual turnover.
GE_RELEVANCE¶
APPLIES_IF:
- GE builds downloadable software, SDKs, or libraries for clients
- GE builds firmware or embedded software
- GE builds software components distributed to end users
DOES_NOT_APPLY_IF:
- GE builds SaaS (→ NIS2 instead)
- GE builds internal tools not placed on market
REGARDLESS: adopting CRA-aligned practices (SBOM, vulnerability handling, secure-by-design)
is a commercial differentiator and prepares GE for client requirements.
ENFORCEMENT TIMELINE — CONSOLIDATED¶
| Date | Regulation | Milestone |
|---|---|---|
| Jan 2025 | DORA | Fully applicable |
| Feb 2025 | AI Act | Prohibited practices banned |
| Aug 2025 | AI Act | GPAI rules + penalties |
| Sep 2025 | Data Act | Core provisions applicable |
| Q2 2026 | NIS2/Cbw | Netherlands implementation expected |
| Jun 2026 | CRA | Conformity assessment bodies |
| Aug 2026 | AI Act | High-risk systems (may be delayed to Dec 2027) |
| Sep 2026 | CRA | Vulnerability reporting |
| Sep 2026 | Data Act | Product design obligations |
| Sep 2027 | Data Act | Legacy contract terms + cloud switching |
| Aug 2027 | AI Act | Full scope |
| Dec 2027 | CRA | Full compliance |
IMPACT MATRIX — WHICH REGULATIONS AFFECT WHICH GE PROJECT TYPES¶
| PROJECT_TYPE | GDPR | NIS2 | AI_ACT | DORA | CRA | DATA_ACT | DGA |
|---|---|---|---|---|---|---|---|
| Web app (SaaS) | YES | YES | IF_AI | NO* | NO | IF_IOT | NO |
| Mobile app | YES | YES | IF_AI | NO* | YES | IF_IOT | NO |
| Fintech platform | YES | YES | IF_AI | YES | NO | MAYBE | NO |
| Healthcare system | YES | YES | IF_AI | NO | NO | MAYBE | MAYBE |
| E-commerce marketplace | YES | YES | IF_AI | NO | NO | NO | NO |
| IoT product | YES | YES | IF_AI | NO | YES | YES | NO |
| Data sharing platform | YES | YES | IF_AI | NO | NO | YES | YES |
| Downloadable software | YES | MAYBE | IF_AI | NO | YES | MAYBE | NO |
| AI-powered system | YES | YES | YES | NO* | NO | NO | NO |
| Internal enterprise tool | YES | YES | IF_AI | NO* | NO | NO | NO |
* DORA applies if client is financial sector entity
IF_AI = only if project includes AI/ML features
IF_IOT = only if connected/IoT product
HOW_TO_USE_THIS_MATRIX¶
At scoping (Aimee's domain), run through the matrix:
1. identify project type
2. mark applicable regulations
3. for each YES, assess specific obligations
4. include regulatory compliance tasks in project estimate
5. flag to Julian for compliance review
6. document in project scope document
ANTI_PATTERNS AND FIXES¶
ANTI_PATTERN: treating GDPR as the only data regulation
FIX: GDPR is the foundation, but NIS2, Data Act, CRA, DORA, and AI Act
add significant requirements. Always run the impact matrix at scoping.
ANTI_PATTERN: assuming NIS2 does not affect GE because GE is small
FIX: NIS2 affects GE INDIRECTLY through supply chain obligations.
Regulated clients will require GE to demonstrate NIS2-aligned practices.
Size does not exempt GE from contractual security requirements.
ANTI_PATTERN: waiting for December 2027 to start CRA compliance
FIX: the practical deadline is September 2026 (vulnerability reporting).
Start SBOM generation and vulnerability tracking NOW.
ANTI_PATTERN: building AI features without AI Act risk classification
FIX: ALWAYS classify the AI system's risk level before implementation.
If high-risk, the compliance cost significantly affects project scope and timeline.
Classify FIRST, then estimate.
ANTI_PATTERN: treating DORA as "only for banks"
FIX: DORA applies to 20 types of financial entities AND their ICT providers.
If GE builds for any financial sector client, GE must support DORA compliance
through contract terms, audit rights, and incident reporting.
ANTI_PATTERN: ignoring management liability provisions
FIX: NIS2 and DORA both impose personal liability on management.
Client stakeholders need to understand their legal exposure.
Build management reporting and oversight features into regulated systems.
ANTI_PATTERN: building cloud services without switching provisions
FIX: the Data Act requires cloud switching support and bans switching fees
from September 2027. Design data portability and export features from day one.
READ_ALSO:
- domains/eu-regulation/index.md (AI Act, NIS2, CRA summaries)
- domains/compliance-frameworks/gdpr-implementation.md
- domains/compliance-frameworks/iso27001-controls.md
- domains/security/secure-design-patterns.md
- domains/eu-regulation/eidas.md