Navigating the nexus of EU Policy, Digital Technologies, and Futures


Why (and how) everyone and their neighbour in the Software Sector should be aware of European Union legislation

Max, a friend of mine, is a software designer and developer. Because of his day job, we always joke with him that nobody is perfect! But this is not why Max became very upset five years ago, in 2018. The reason was a new four-letter word that came to haunt him: GDPR – the European Union’s General Data Protection Regulation, which was published in 2016 and started to be applied in May 2018.

The GDPR was probably the first European legislation to have so big an impact on the software industry, and this well beyond the European Union (EU) borders. My friend Max was distressed because the many rules imposed by the GDPR implied that large chunks of his programmes had to be rewritten; that systems running at his organization had to be redesigned; that the several data-bases he used had to be put under the oversight of several different people – under contractual obligations to do so; that this whole set had to be more strictly protected; and that a new compliance department had to be created, transferring part of his department’s budget to the hiring of yet more lawyers. Of course, there are more constraints, like the fact that in spite of it being a regulation, a great deal of liberty was left to the Member States to translate the GDPR into national legislation, making it not exactly a blanket regulation for the EU market.

This example shows a real necessity facing the Software Sector since at least 2018: to be aware of upcoming EU legislation in the area of digital technologies, so that when they are promulgated, the software that are in production/test/development/design/etc are fully compliant and will not need new investment to become so. Indeed, the initial EC text for the legislation was proposed in the beginning of 2012! Had Max been aware of it, all his work would have taken the GDPR-to-be into consideration from the onset, and he would not have been so unsettled when the regulation finally entered into application.

That’s why I’m glad to take the opportunity offered by SWForum.eu and propose in this space a short series of blogs that will try and illuminate the main policies and legislation stemming from the European Union and that have a true impact on the Software sector, worldwide actually. In this introductory episode we’ll first very briefly address how legislation work at the EU level, to make clear that such a process is usually long enough, leaving ample time for adaptation. After that we’ll see sectors and specific policies that will be discussed in further instalments of this blog series.

I sincerely hope that this series will convince you of the benefits of keeping track of the legislation process constantly taking place in Brussels, Luxembourg, and Strasbourg. I can tell you that more and more companies in Asia, Latin America, and the Middle East reach out to me to get advice on risks and opportunities arising from such a process. This is truly a hot topic.

EU Governance 101

Informally and in a nutshell, a EU law usually starts as a Communication from the European Commission (EC), based on White Papers written by its staff on a particular topic, indicating the policy lines it wants to take. Some time and some exchanges with plethora of stakeholders later, the EC submits a legislative proposal to the EU Council and the EU Parliament (EP), who then agree, separately, on their own version of the text. Finally, the EC facilitates what is called a “Trilogue”, where the Council and the Parliament negotiate a common position to adopt the final text of the law. Once the text of the law is published in the Official Journal of the Union, it enters into force and usually provides for some adaptation delay before being applied.

Let’s take the example of the GDPR given above to get a glimpse of its timeline. The process started in 2009 with a consultation by the EC on the legal framework for the fundamental right to the protection of personal data. The GDPR proposal was released by the EC services in early 2012. After very difficult negotiations, the current text was finally adopted and published in 2016, for application in 2018.

Selected EU policies and legislation that all in the Software community should know

Below I give a list of selected EU policies and legislation. They all have considerable impact on the manners by which we design, develop, sell, deploy, apply, and maintain software systems. Most of them have a very large reach down supply chains, implying obligatory compliance for every enterprise around the world, large or small, whose software products end up being sold in the EU market as part of a bigger system. Beware!

Policy and legislation touching data – personal or not

  • GDPR (in application since 2018)
  • European data strategy (Communication in 2020)
    • Regulation on European data governance (In force. In application from Sep 2023)
    • The Data Act (Proposed Feb 2022 – In discussion at Council and Parliament)

Policy and legislation touching markets and competition

  • Digital Services Package for the European Digital Single Market
    • Digital Services Act (In application since Feb 2023 – yes, last month!)
    • Digital Markets Act (In application since Feb 2023)
  • The Digital Content Directive (In application since Jan 2022)
  • The Sale of Goods Directive (In application since Jan 2022)

Policy and legislation touching cybersecurity

  • (All of the above have some cybersecurity component. GDPR, for instance, bases its data protection guidelines on the security of the information systems that hold personal data.)
  • NIS2 Directive (In force since Jan 2023. In application from Oct 2024)
  • CER – Critical entities resilience Directive (In force since Jan 2023. In application from Oct 2024)
  • DORA – Digital operational resilience for the financial sector Regulation (In force since Jan 2023. In application from Jan 2025)
  • eID Regulation Revision – Framework for a European Digital Identity (Proposed in Jun 2021. In discussion at Council and Parliament)
  • Artificial Intelligence (AI)
    • AI Act – A European legal framework for AI to address fundamental rights and safety risks specific to the AI systems (Proposed in Apr 2021. In discussion at Council and Parliament);
    • Liability rules on products and AI
      • An AI liability directive - adapting liability rules to the digital age and AI (Proposed Sep 2022. In discussion at Council and Parliament);
      • A Proposal for the Revision of the product liability directive (Proposed Sep 2022. In discussion at Council and Parliament)
  • IoT
    • EU Cyber Resilience Act (Proposed Sep 2022. In discussion at Council and Parliament)


That’s it for now. Soon I’ll be back with S1/E2, addressing issues related to software compliance with the protection of (personal) data in the EU. Keep tuned!


[This blog series is inspired by research work that is or was partially supported by the European research projects CyberSec4Europe (H2020 GA 830929), LeADS (H2020 GA 956562), and DUCA (Horizon Europe GA 101086308), and the CNRS International Research Network EU-CHECK.]


Afonso Ferreira

CNRS - France

Digital Skippers Europe (DS-Europe)