Digital Regulation Timeline

The DSA aims to update the "rules of the internet", with the key principle that what is illegal offline should also be illegal online.

The DSA both preserves and updates the intermediary liability position set out in the e-Commerce Directive (e.g. the hosting defence). However, the range of requirements fundamentally changes the liability of online services in the EU with strict obligations for the supervision of illegal content online, as well as new rules on transparency, user safety and advertising accountability. It also includes detailed rules on features that must be incorporated into online platforms and marketplaces or included in user terms and conditions.

Illegal online content

The DSA preserves the liability defences under Articles 12-15 of the e-Commerce Directive (the "mere conduit" defence, the "caching" defence, the "hosting" defence and the "no obligation to monitor" provision). Clarity is added that these defences remain available even if the platform has voluntarily taken action to detect, identify and remove, or disable access to, illegal content.

However, notice and take down obligations on online platforms are strengthened. Platforms must put in place mechanisms for users to report illicit content (such as hate speech, terror propaganda, discrimination or counterfeit goods). Platforms must decide what to do about reported content in a timely, diligent and non-arbitrary manner, in order to continue to benefit from the hosting defence. Specified mechanisms to challenge content removal must be made available, including alternative dispute resolution. Online platforms must monitor for repeated submission of illegal content or unfounded complaints by particular users, and suspend their access.

Third party content monitors can apply for "trusted flagger" status. Platforms must prioritise illegal content reports from such individuals and bodies.

Transparency

General obligations will apply in relation to user safety, transparency, controls and information.

Annual reports are required from all intermediary service providers on their content moderation activity, with the required contents depending on the service provided (see below "Implementation progress"). Hosting service providers must include information about illegal content notices and complaints received and action taken. These include provisions relating to content recommendations and online terms, and obligations relating to the publication and communication of information on the average monthly active recipients of the service.

In September 2023, the Commission launched the DSA Transparency Database which is a publicly accessible database of "statements of reasons" that online platforms must submit to the Commission setting out their reasons for making content moderation decisions (with the exception of micro and small enterprises). The Commission has also published an open-source software package  to facilitate analysis of data in the Transparency Database.

Under the DSA, websites must not be designed and organised in away that deceives or manipulates users – so-called "dark patterns" – but must be designed in a user-friendly and age-appropriate way to make sure users can make informed decisions.

Online marketplaces

The DSA introduces traceability provisions for online marketplaces. These include a "know-your-trader" obligation, requiring online marketplaces that allow B2C sales to conduct due diligence on traders prior to allowing them to use the platform.

Platforms must be designed to facilitate compliance with traders' legal obligations such as e-commerce and product safety requirements. The illegal content take down provisions are to facilitate the removal of illegal or counterfeit products, and platforms have obligations to contact consumers who have purchased those products.

Advertising accountability

Specific transparency obligations apply to online advertising. It must be clear to users whether a displayed item is an advertisement and from whom it originates. Information about the main parameters used to decide to whom it will be displayed is essential in this context.

VLOPs and VLOSEs

VLOPs and VLOSEs are designated by the Commission. The first tranche of designations (17 VLOPs and 2 VLOSEs) were made on 25 April 2023. Platforms and search engines will need to report on the number of users at least every 6 months. Obligations on VLOPs and VLOSEs apply from four months after their designation as such.

An additional layer of obligations are imposed on VLOPs and VLOSEs. They must diligently monitor and mitigate systemic risks including their service being used for the dissemination of illegal content; the impact of their service on human rights; and the risk of their service negatively affecting civic discourse, electoral processes, public security, gender-based violence, the protection of public health and minors and individuals' physical and mental well-being.

The European Commission's guidelines on mitigating against systemic risks in relation to electoral processes were published in the EU's Official Journal on 26 April 2024. The guidelines aim to support VLOPs and VLOSEs with their compliance obligations under Article 35 of the DSA (mitigation of risks) and with other obligations relevant to elections. As well as mitigation measures, the guidelines cover best practices before, during and after electoral events.

VLOPs and VLOSEs also have to implement strict processes towards regular risk assessments, produce reports of action regarding content moderation and are obliged to conduct independent annual audits to assess compliance and any commitments made pursuant to codes of conduct and crisis protocols that the Commission has adopted. They also have to disclose their parameters for recommender systems and provide for at least one recommender system which does not involve profiling. In addition, the EU Commission as well as member states, can seek access to their algorithms.

The Commission has also launched a DSA whistleblower tool which allows individuals with inside information to report harmful practices by VLOPs and VLOSEs that are potentially in breach of the DSA, anonymously if preferred.

Enforcement

Each member state must designate one or more competent authorities as responsible for the application and enforcement of the DSA in their jurisdiction, and each member state must designate one of these as a "Digital Services Coordinator." (DSC)" The DSCs are responsible for enforcement of the DSA in respect of platforms that are not VLOPs or VLOSEs in their different territories and can work together. The DSCs make up a European Board for Digital Services, chaired by the European Commission, which works as an independent advisory group to enforce the DSA.

In April 2024, the Commission opened infringement procedures against six member states which either had not designated their DSC by the 17 February 2024 deadline (Estonia, Poland and Slovakia), or had not yet granted them full powers to carry out their duties under the DSA (Cyprus, Czechia and Portugal). Enforcement in relation to VLOPS and VLOSEs is exclusively reserved to the EU Commission. Fines of up to 6% of global annual turnover can be levied for breaches. The Commission has opened infringement procedures against six member states which either did not designate their Digital Services Coordinator by the 17 February 2024 deadline (Estonia, Poland and Slovakia), or have not yet granted them full powers to carry out their duties under the DSA (Cyprus, Czechia and Portugal). In July 2024, the Commission opened infringement proceedings against six further member states (Belgium, Spain, Croatia, Luxembourg, Netherlands and Sweden).

Enforcement in relation to VLOPS and VLOSEs is exclusively reserved to the EU Commission. Fines of up to 6% of global annual turnover can be levied for breaches.

The European Commission has been, and continues to be, proactive in sending requests for information to various platforms concerning their compliance with their DSA obligations. It has also opened formal proceedings against some platforms following preliminary investigations and requests for information. 

In May 2024, the European Commission and the UK's Ofcom signed an administrative arrangement to support their work in enforcing the new online safety regimes in both the EU and the UK under the DSA and the UK Online Safety Act 2023 respectively.

The Commission and the European Regulators Group for Audio visual Media Services (ERGA), which brings together national media regulators under the Audiovisual Media Services Directive, have also agreed to work together on enforcement, focussing on VLOPs and VLOSEs. ERGA will act as a facilitator to gather information at national level and report on issues such as media pluralism, disinformation and the protection of children to help the Commission identify and assess the systemic risks in these areas. It is also expected to assist the DSCs.

On 22 February 2024, the delegated regulation on  independent audits entered into force. The delegated act provides a framework to guide VLOPs and VLOSEs when preparing their external independent audits.  It also provides mandatory templates for auditors to use when completing an audit report, as well as mandatory templates for the VLOPs and VLOSEs to use when completing their audit implementation reports.

The first risk assessment reports and independent audit reports from designated VLOPs and VLOSEs were published in November 2024.

Over the summer 2024, the EU Commission conducted a call for evidence to inform its upcoming guidelines on the protection of  children online under the DSA. The guidelines will apply to all online  platforms that are accessible to children, including those not directed at children, but which still have child users due to a lack of age-assurance mechanisms. The Commission will use the input from the call for evidence to draft the guidelines on which it will consult separately and which it plans to adopt before summer 2025.

On 29 October 2024, the Commission launched a consultation on a draft delegated regulation on the rules for researchers to access platforms' data under the DSA. Article 40 allows "vetted researchers" to access VLOPs' and VLOSEs' data, subject to approval from a Digital Services Coordinator, for the purposes of evaluating systemic risks and mitigation measures. The consultation closed on 10  December 2024, and the rules are expected to be adopted in the first quarter of 2025.

In November 2024, the Commission adopted an implementing regulation on transparency  reporting under the DSA. The regulation standardises templates and reporting periods for the transparency reports that providers of intermediary services have to publish in relation to their content moderation practices. VLOPs and VLOSEs must report twice a year, while other services report annually. Under the implementing regulation, providers must start collecting data in line with the templates from 1 July 2025, with the first harmonised reports due at the beginning of 2026. The Commission also plans to update the requirements for submitting statements of reasons to the DSA transparency database so that they align with the implementing regulation. 

In January 2025, the Commission and the European Board for Digital Services endorsed the integration of the voluntary Code of Practice on Disinformation into the framework of the DSA. With integration, full adherence to the Code may be considered an appropriate risk mitigation measure for signatories designated as VLOPs and VLOSEs. The Code will therefore be a benchmark for determining DSA compliance. Conversion of the Code into a DSA Voluntary Code of Practice will take effect from 1 July 2025, making its commitments capable of audit from that date onwards.

17 February 2024: The Digital Services Act (DSA) is now fully applicable

EU gets one step closer to adopting the Digital Services Act

Rethinking regulation of data-driven digital platforms

EU's Digital Service Act to introduce first express ban on 'dark patterns'

Commission finds EU consumer law inadequate to protect consumers in the digital world

Part 1 of The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) sets out powers for UK Government Ministers to specify security requirements relating to relevant connectable products (a product which is internet or network connectable).

The obligations imposed on manufacturers of connectable/digital products include:

·        Restricting the use of default passwords;

·        Providing information to consumers on how to report security issues; and

·        Providing information on minimum periods for which devices will receive security updates.

In addition, businesses may face liability where cybersecurity vulnerabilities lead to the loss or corruption of consumer data.

The PSTIA also imposes obligations on manufacturers, importers and distributors to not make products available in the UK unless accompanied by a statement of compliance with applicable security conditions.

The PSTIA leaves room for further delegated legislation to introduce additional obligations, and clarifications.

For more on the practical steps to comply with the new regime, please see the link to our Eating Compliance for Breakfast webinar below.

On 8 January 2024, the Office for Products Safety and  Standards (OPSS) published guidance for businesses that need to comply with the  requirements. See the link to the February Regulatory Outlook below for more.  

Additional  guidance was added on 23 April 2024 specifying that the product's  statement of compliance (SoC) must be "accompanied" by the product  itself, and defining the SoC as a "document". However, the terms  "document" and "accompany" are not clearly defined in the  PSTIA and so businesses must determine how they will comply with these  requirements for their individual products.

⭐ Amending regulations were made on 24  February 2025 and came into force on 25 February 2025. The changes exempt the  following categories of products from the PSTIA: motor vehicles agricultural,  two- or three-wheel vehicles and quadricycles, and forestry vehicles. The  amending regulations also clarify that where a manufacturer of relevant  connectable products extends the minimum length of time for which security  updates relating to such products will be provided, the new minimum length of time must be published as soon as is practicable. 

New UK telecommunications infrastructure law brings changes to the Electronic Communications Code - Osborne Clarke

Products | UK Regulatory Outlook February 2024 - Osborne Clarke | Osborne Clarke

Webinar recording: Eating Compliance for Breakfast | Connected devices and new security obligations – headlines before 29 April 2024 (on24.com) (24 April 2024)

Cybersecurity measures

The regulation introduces a set of mandatory measures that  each entity must address to prevent cybersecurity incidents. This includes policies on risk analysis and information system security, cyber hygiene practices, cybersecurity training, and multi-factor and continuous authentication solutions.

Responsibility of management bodies

To ensure that organisations are aware of their NIS2 obligations  and acquire knowledge on cybersecurity risk prevention, management bodies are  required to attend training sessions and to pass this information and knowledge on to their employees.

Enforcement measures

Member states must implement effective, proportionate, and dissuasive sanctions. Fines for non-compliance can reach 2% of the  organization's annual turnover or €10 million − whichever is greater – for  essential entities, and up to 1.4% of the organisation's annual turnover or €7 million for important entities.

Reporting obligations and timelines

The new directive clarifies the scope of reporting obligations with more specific provisions regarding the reporting process, content, and timelines. In particular, entities affected by an incident that has a signification impact on provision of their services must submit an initial assessment of the incident to their computer security incident response team (CSIRT) or, where applicable, to the competent authority within 24 hours of becoming aware of the incident. A final update must be provided within a month of the initial notification.

Use of artificial intelligence

One of the most novel aspects of this directive is the requirement for member states to promote the use of innovative technologies,  including artificial intelligence, to improve the detection and prevention of cyber-attacks, which would allow for a more efficient and effective allocation of resources to combat these threats.

Member states were obliged to legislate for appropriate measures to implement the directive by 17 October 2024. National implementing legislation can be tracked from this page. As of 28 February 2025, Belgium, Croatia, Greece, Hungary, Italy, Latvia, Lithuania, Romania and Slovakia have completed transposition of the directive into their national laws.

Organisations in those countries must therefore act swiftly to ensure compliance before the respective national laws come into force. In particular, they will have to consider whether they fall under the scope of the directive and therefore need to register with the national cyber security authority before the applicable national deadline.

On 4 December 2024, the Commission announced that it had opened infringement procedures against 23 member states (Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden) for failing to meet the 17 October deadline. These member states have two months to respond to the letters of formal notice by completing the transposition process and notifying the Commission of the measures introduced.

⭐ As of 28 February 2025, the member states which have published draft transposition law and are expected to adopt the national implementing acts in 2025 are: Austria, Bulgaria, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Ireland, the Netherlands, Poland, Portugal, Slovenia and Sweden.

Although there is significant fragmentation in the implementation of the directive across the EU, it is important to be ready to comply in the remaining member states as they could adopt implementing acts at any point, with a short period between adoption and when the new changes become enforceable. Organisations should therefore closely monitor implementation of national legislation and prepare in advance of the relevant national laws entering into force by conducting risk assessments, developing incident response plans and enhancing their overall level of cyber security awareness.

On 17 October 2024, the Commission adopted the first implementing regulation, which details the cyber security risk management measures and the criteria for when an incident will be considered significant under the directive. The implementing regulation was published in the Official Journal on 7 November 2024 and entered into force 20 days later, i.e. on 27 November 2024. A reminder that implementing regulations are adopted to ensure uniform implementation of the relevant EU legislation and will take precedence over national legislation in the event of contradiction.

Insight: Cyber Security | UK Regulatory Outlook November 2024

Insight: Implementation deadline for NIS2 and new EU cybersecurity compliance regime draws nearer

Insight: What EU businesses need to know about NIS2 and cybersecurity compliance

The Act aims to protect children and to deal with illegal online content. It was initially proposed that measures on "legal but harmful" content would also be included but these have now been removed from the Act except in the case of certain harmful content hosted on services likely to be accessed by children. The Act seeks to strike a balance between ensuring safe online interactions for children and adult users, and freedom of speech.

Key provisions under the Act include:

• duties on regulated services to protect all users from illegal content;
• duties on regulated services to protect child users from certain types of legal but harmful content;
• various duties to empower users to control their exposure to harmful content;
• duties to protect free speech and fundamental rights;
• duties to protect consumers from fraudulent advertising;
• powers for Ofcom to require regulated services to use technology to proactively identify and remove content relating to terrorism or child abuse;
• new communications offences and other offences relating to online behaviour; and
• extensive investigatory and enforcement powers for Ofcom: services which breach their obligations under the Act can be liable for fines of up to £18 million or 10% of their global turnover (whichever is larger); companies (and in certain circumstances their senior managers) may also be criminally liable for breaches.

In order to ensure that the online safety regime is flexible and "future proof", a number of these provisions are to be dealt with in secondary legislation, and by codes of practice and guidance to be developed by the designated regulator, Ofcom.

Ofcom has devised a consultation process to inform its codes of practice and guidance, which comprises four major consultations together with various sub-consultations, on numerous aspects of the new regime.

Illegal content

The process began in November 2023, with a first major consultation on draft codes of practice and guidance on illegal harms duties, which closed on 23 February 2024 (see our insight).

In August 2024, Ofcom published a consultation (which closed on 13 September 2024) to strengthen its draft illegal harms codes of practice and guidance to include animal cruelty and human torture due to these categories of content not being fully covered by the list of "priority offences" in the Act. The "priority offences", listed in Schedule 7 of the Act, relate to the most serious forms of illegal content. Regulated online platforms will not only have to take steps to prevent such content from appearing, but will also have to remove it when they become aware of it. By including animal cruelty and human torture in its codes and guidance, Ofcom aims to ensure that providers understand that they will also have to remove this type of content.

In December 2024, following consultation Ofcom published its final form illegal content codes of practice and guidance. This signalled the start date for services to comply with the new rules on conducting illegal content risk assessments. All in-scope services must complete their illegal content risk assessment, to evaluate the risk of harms to users resulting from the presence of illegal content on their service, by 16 March 2025. Services will need to implement the recommended measures set out in these codes (or be using other effective measures to protect users from illegal content) by 17 March 2025.

⭐ To tackle the specific risks faced by women and girls online, Ofcom is required to publish additional, dedicated guidance on safety for women and girls. On 25 February 2025, Ofcom published draft guidance, setting out how in-scope service providers can combat content and activities that disproportionately impact women and girls. The guidelines describe nine  actions providers can take and highlights good practice in this area. Ofcom is consulting on the draft until 23 May 2025 and expects to publish final guidance by the end of 2025.

Pornographic content

On 16 January 2025, Ofcom published its final form guidance on "highly effective age assurance and other Part 5 duties" relating to the duties of regulated providers of pornographic content to prevent access by children to such content through the use of age verification/estimation tools. This duty came into effect on 17 January 2025.

Categorised services

Ofcom has also published a call for evidence to inform its further consultation on draft codes of practice and guidance on the additional duties that will apply to "categorised services" under the Act. The Act introduces a system categorising some regulated online services, based on their key characteristics and whether they meet certain numerical thresholds, as category 1, 2A or 2B services. This call for evidence closed on 20 May 2024. Ofcom expects to publish the consultation in early 2025.

⭐ The regulations defining the thresholds above which in-scope services become "categorised services" and subject to certain additional obligations under the Act came into force on 27 February 2025. Ofcom will, once it has assessed services against these final thresholds, publish a register of categorised services, as well as a list of emerging category 1 services. The Act is intended to create a "triple shield" of protection for users. Service providers must remove illegal content, remove content in breach of their own terms and conditions, and give adults more choice over what to engage with.

In July 2024, Ofcom published a consultation (which closed on 4 October 2024) on its draft transparency reporting guidance, which is designed to assist categorised services comply with the requirement to publish transparency reports. These reports must set out the information requested by Ofcom in transparency notices, which Ofcom must issue to every provider of a categorised service once a year.

Children

On 16 January 2025, Ofcom published its Statement on Age Assurance and Children's Access, comprising final form versions of Part 3 guidance on highly effective age assurance, guidance on children's access assessments (and guidance on highly effective age assurance and other Part 5 duties see above under Pornographic content)). This marked the start of compliance with the protection of children duties under the Act by firing the starting gun for the three-month period within which all in-scope services must complete their Child Access Assessments (i.e. by 16 April 2025).

Fees and penalties‍

At the end of May 2024, the government published guidance to Ofcom on determining the fees that will be payable by regulated services under the Act. The fees paid by regulated service providers whose "qualifying worldwide revenue" (QWR) meets or exceeds a certain revenue threshold and who are not otherwise exempt will fund the new online safety regime. The government will retain oversight of the regulatory costs of the regime by setting Ofcom's total budget cap.

In October 2024, Ofcom launched a consultation on draft secondary legislation to define QWR, which term will be used to calculate not just the fees payable by regulated services, but also the maximum penalty that Ofcom will be able to levy against providers for breaches of the Act. Ofcom is proposing to define QWR as the total revenue of a provider referable to the provision of regulated services anywhere in the world. Where the provider is found liable together with it’s a group undertaking, the QWR will be calculated on the worldwide revenues of the entire group, whether they relate to regulated services or not. Ofcom proposes setting a £250m revenue threshold for fees and exempting providers with UK referable revenue under £10m. The consultation closed on 9 January 2025.

The fee regime is expected to be in place by 2026/27 financial year. Until then, the government is funding Ofcom's initial costs. Additional fees will then be charged over an initial set period of consecutive years to recoup the set-up costs.

Information notices

⭐ Under the Act, Ofcom has powers to require and obtain information from regulated services that it needs to fulfil its online safety duties. It will do this by issuing "information notices". On 26 February 2025, Ofcom published final guidance on its information gathering powers under the Act, how it plans to use them and the typical procedures it will follow. Failing to comply with an information notice may result in Ofcom taking enforcement action under the Act.

Enforcement

⭐ On 3 March 2025, Ofcom launched an enforcement programme to monitor whether services are meeting their illegal content risk assessment and record keeping duties under the Act. As part of the programme, the regulator asked various providers to provide it with their illegal content risk assessments to assist it in identifying possible compliance concerns and to monitor how the guidance is being applied. Ofcom expects the programme to run for at least 12 months, during which period, it may initiate formal investigations if it suspects that a provider is failing to meet its obligations under the Act.

Miscellaneous‍

In September 2024, the Secretary of State for Science, Innovation and Technology, Peter Kyle, wrote to Ofcom asking how it plans to monitor and address the issue of "small but risky" online services. In its response, Ofcom confirmed its awareness of the issue and said that tackling these services is a "vital part" of its regulatory mission. The regulator confirmed that it has already developed plans to take early action against these services.

In October 2024, the UK and US governments signed a joint statement on online safety, calling for platforms to go "further and faster" to protect children online by taking "immediate action" and continually using the resources available to them to develop innovative solutions, while ensuring there are appropriate safeguards for user privacy and freedom of expression. See this Regulatory Outlook for more.

In November 2024, Ofcom published an open letter to UK online service providers on how the Act will apply to generative AI and chatbots. Ofcom reminded providers that various AI tools and content relating to user-to-user services, search services and pornographic material, will be in scope of the Act.

In November 2024, the government also published its draft Statement of Strategic Priorities for online safety highlighting five priorities that Ofcom must have regard to when implementing the OSA and that industry is expected to adhere to. See this Regulatory Outlook for details.

The UK Online Safety Act: Top 10 takeaways for online service providers

UK Online Safety Act: Ofcom launches its first consultation on illegal harms

UK's Online Safety Act is a seismic regulatory shift for service providers

Online Safety Act 2023: time to prepare as UK's Ofcom confirms start of illegal content duties

Digital Regulation | UK Regulatory Outlook October 2024 

Ofcom publishes final illegal content risk assessment guidance and codes of practice under UK Online Safety Act | Osborne Clarke

UK Online Safety Act: Ofcom publishes guidance on age assurance and children's access assessments | Osborne Clarke

Definition of AI

The AIA defines an AI system as "a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments".

A risk-based approach

The AIA takes a risk-based approach, with the regulatory framework depending on both the level of risk created by an AI application, and the nature of the regulated entity's role. AI deemed high risk is regulated more strictly, as are those who create and distribute AI systems, who are regulated more strictly than organisations which deploy systems created by third parties. In addition, the AIA creates a regulatory framework for general-purpose AI.

"Risk" is assessed in the AIA by reference to both harm to health and safety, and harm to fundamental human rights and is a combination of the probability of occurrence of harm and the severity of that harm.

The proposed tiers of AIA regulation are prohibited AI, high risk AI, transparency requirements for certain forms of AI, and unregulated AI. Two further but distinct tiers apply to general-purpose AI.

Prohibited AI

Some uses of AI are considered to pose such a significant risk to health and safety or fundamental rights that they should be banned. Banned applications include:

• AI systems that use subliminal, manipulative or deceptive techniques intended to distort someone's behaviour materially by impairing their ability to make an informed decision and so causing them to take a decision that they would not otherwise have taken, causing significant harm;
• AI that exploits vulnerabilities of age, disability, social or economic circumstances in order to distort their behaviour, causing significant harm;
• social scoring based on behaviour or personal characteristics where the scoring results in detrimental treatment of the person in question in a social context unrelated to the context in which the scoring data was originally generated or collected, or which is unjustified or disproportionate;
• AI systems used to predict the likelihood of a person committing a criminal offence, based solely on profiling that person or an assessment of their personality traits;
• AI systems that create or expand facial recognition databases through untargeted web-scraping of the internet or CCTV footage;
• emotion inference systems used in the workplace or educational settings unless for medical or safety reasons;
• biometric categorisation around sensitive characteristics (including race, political views, trade union memberships, religious or philosophical beliefs, sex life or sexual orientation); and
• real time remote facial recognition systems used in publicly accessible spaces for law enforcement, with exceptions.

High risk AI

Some AI applications are considered to pose a potentially high risk to health and safety or to fundamental rights, but not to the point that they should be prohibited. These high risk systems fall into two broad categories.

Firstly, AI will be classified as "high risk" for AIA purposes where it is used in safety systems or in products that are already subject to EU product safety legislation, including transport, other vehicles or machinery, and products such as toys, personal protective equipment and medical devices (the Annex I high risk categories).

Secondly, there is a list of specified "high risk" AI systems (in Annex III to the AIA). The detail of this list includes:

• permitted remote biometric identification systems (excluding systems solely used to confirm someone's identity);
• AI used for biometric categorisation based on sensitive or protected attributes or characteristics;
• emotion recognition systems;
• AI systems used as safety components in critical physical and digital infrastructure;
• AI systems used in an educational or vocational context, including determining access to training institutions, learning evaluation systems, educational needs appraisal systems, and systems used to monitor behaviour during exams;
• workplace AI systems for recruitment, applications appraisal, awarding and terminating employment contracts, task allocation and performance appraisal;
• assessment of eligibility for public benefits and services;
• credit checks (excluding fraud prevention systems);
• systems used to assess risk and set prices for life and health insurance;
• systems for the despatch or prioritisation of emergency services; and
• various uses in law enforcement, immigration, asylum, judicial and democratic processes.

However, high risk regulation will not apply to AI falling in the Annex III categories where "it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making". This will be an issue for self-assessment. Where there is no such actual risk, the system will not have to comply with the AIA high risk regulatory regime.

Onerous compliance obligations are proposed for high risk AI systems concerning a "continuous, iterative" risk management system for the full lifecycle of the AI system. Compliance will require meeting the AIA requirements for technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity.

In addition, the AIA will impose extensive obligations concerning the governance and curation of data used to train, validate and test high risk AI. The focus is on ensuring that such data sets are relevant, sufficiently representative and, to the best extent possible, reasonably free of errors and complete in view of the intended purposes. The data should have "appropriate statistical properties", including as regards the people in relation to whom the AI system will be used. Data sets must reflect, to the extent appropriate for their intended use, the "specific geographical, contextual, behavioural or functional setting" within which the AI system will be used.

The burden of high risk AI compliance will apply in different ways to businesses at different points in the AI supply chain – providers (developers and businesses who have had AI developed for them to put onto the market), product manufacturers whose products incorporate AI, importers, distributors and deployers.

Lower risk AI

Some lower risk AI, outside the high risk regime, will nevertheless be subject to obligations, mainly relating to transparency. The prime concern is that users must be aware that they are interacting with an AI system, if it was not obvious from the circumstances and context. These provisions will apply to:

• chatbots and other systems that interact directly with individuals;
• systems producing synthetic audio, image, video or text content, which must be marked (in machine-readable format) as having been artificially generated or manipulated;
• emotion recognition systems;
• biometric categorisation systems;
• deep fakes images/video/audio content that have been created or manipulated by AI (with exceptions for "evidently artistic, creative, satirical, fictional or analogous works"); and
• systems producing text intended to inform the public on matters of public interest.

Other AI

For AI systems that do not fall within any of the above categories, the AIA provides for codes of conduct and encourages voluntary adherence to some of the regulatory obligations which apply to the high risk categories. Codes of practice may also cover wider issues such as sustainability, accessibility, stakeholder participation in development and diversity in system-design teams.

"General-purpose AI"

Since the AIA was first proposed in 2021, foundation AI systems have emerged as a significant slice of the AI ecosystem. They do not fit readily within the AIA tiers because they perform a specific function (translation, text generation, image generation etc) that can be put to many different applications with differing levels of risk.

The AIA creates two layers of regulation for "general-purpose AI" models: one universal set of obligations for general-purpose AI models and a set of additional obligations for general-purpose AI models with systemic risk.

General-purpose AI include foundation models and some generative AI models. They are defined as models "Including where such AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications", with an exception for AI models used for research, development or prototyping before they are placed on the market.

A general-purpose AI model will be classified as having "systemic risk" if:

• the cumulative amount of computation used to train it is more than 10²⁵ floating point operations;
• it otherwise has "high-impact capabilities" – i.e. it matches or exceed the capabilities of the most advanced existing general-purpose AI; or
• it is designated as a general-purpose model with systemic risk by the Commission.

The largest, state of the art AI models are expected to fall within this category.

The universal obligations for all general-purpose AI apply in addition to the core risk-based tiers of AIA regulation. Providers of all general-purpose AI models will be required to meet various transparency obligations (including information about the training data and in respect of copyright), which are intended to support downstream providers using the model in their AI system to comply with their own AIA obligations.

General-purpose AI models with systemic risk are subject to a second tier of obligations. These will include model evaluation and adversarial testing, assessment and mitigation of systemic risk, monitoring and reporting on serious incidents, adequate cybersecurity, and monitoring and reporting on energy consumption.

Regulatory bodies and enforcement regime

As regards enforcement, the AIA requires member states to appoint national level AI regulators which will be given extensive powers to investigate possible non-compliance, with powers to impose fines.

In addition, the "AI Office" has been created within the Commission to centralise monitoring of general-purpose AI models, and to lead on interaction with the scientific community, and in international discussions on AI. It will also support the Commission in developing guidance, standards, codes of practice, codes of conduct, and in relation to investigations, testing and enforcement of AI systems. The AI Office will play a key role in governance across the national AI regulatory bodies appointed in member states.

Coordination and coherence of the AIA regime is the responsibility of the AI Board, which is separate to the AI Office and comprises representatives from member states.

Regulatory fines are in three tiers:

• up to the higher of 7 per cent of worldwide turnover or €35 million for breach of the prohibition provisions;
• up to the higher of 3 per cent of worldwide turnover or €15 million for breach of other substantive provisions (including compliance with the high risk AI regime, the low risk transparency regime, and the general-purpose AI provisions); and
• up to the higher of 1% of worldwide turnover or €7.5 million for supplying incorrect, incomplete or misleading information to the relevant authorities.

The fining regime for SMEs is similar to the above, except that the maximum fine is whichever percentage or amount is the lower.

As noted above, deadlines for compliance will be staggered.

Definition of AI

⭐ In February 2025, the Commission published its guidelines on the definition of "AI system", which simply describe the definition, apply the recital and give examples. The key is the ability of a system to act autonomously and infer how to generate output based on inputs. See this Regulatory Outlook.

Prohibited AI

⭐ On 2 February 2025, the AIA's restrictions on prohibited AI practices, as well as general AI literacy obligations, came into full effect. Following this, the Commission published its long-awaited guidelines on prohibited categories of AI. See this Regulatory Outlook for more details.

General-purpose AI code of practice

The AI Office is drawing up a general-purpose AI code of practice (Code). The Code is intended to facilitate the proper application of the AIA for general-purpose AI models. Based on a call for expressions of interest, the Commission has formed a Code of Practice Plenary which held its first meeting in September 2024. The first workshop on the Code took place on 23 October (see this Regulatory Outlook). The AI Office also conducted a multi-stakeholder consultation on trustworthy general-purpose AI models to collect views on the topics to be covered by the Code and on related AI Office work.

The first draft Code was published in November 2024. The Commission stressed that this was very much a first draft, and that drafting will be an iterative process, with three further rounds of input and drafting envisaged.

The second draft, taking account of feedback received in response to the first draft, was published in December 2024. The third draft is expected in the week commencing 17 February 2025.

⭐ The third draft was expected in the week commencing 17 February 2025. However, this interim deadline was extended at the last minute and it is  now  expected in March, accompanied by a survey to allow participants to give feedback.

The AI Office aims to publish the final version in April 2025. See a tentative timeline on the Code here.

When will businesses have to comply with the EU's AI Act?

How will the new UK government resolve the conflict over AI development and IP rights?

EU delays compliance deadlines for the AI Act

Artificial Intelligence | UK Regulatory Outlook February 2025

The Act introduces new statutory powers for the DMU to regulate powerful digital firms. The DMU remains an administrative unit within the CMA, rather than being designated as a separate regulator.

The Act concerns digital activities, defined as services provided over the internet or digital content, whether paid-for or free of charge. CMA jurisdiction will require a link to the UK.

A business will not be designated with SMS unless it meets the financial threshold of £1 billion in UK group turnover or £25 billion global group turnover in a relevant 12 month period.

The DMU may designate a business as having SMS following an SMS investigation. The investigation will consider whether the business has substantial and entrenched market power, with a forward-looking analysis at least five years into the future. It will also assess whether the business has a position of strategic significance in relation to the digital activity in question, whether by its size or scale, the reliance by others on its services, or the influence that it can exert on others as a consequence of its position. Designations will last for five years and the designation process will include public consultation and liaison with other regulators.

The DMU may create a bespoke code of conduct for each SMS business with a view to ensuring fair dealing, open choices (which may require enhanced data portability and interoperability of services), and trust and transparency.

The CMA is given extensive powers of investigation and enforcement, including fines of up to 10% of global turnover and wide-ranging remedies. In addition to SMS investigations and enforcement, the CMA may also make a "pro-competition intervention" to deal with an adverse effect on competition in a digital market. It will have the same powers as it currently enjoys to take remedial action as following a market investigation, including the power to order divestments and break-ups.

The regulatory regime:

• Allows the DMU to designate firms that have a substantial, entrenched and strategic position in certain digital activities with SMS.
• Makes firms with SMS subject to a new code of conduct, designed to achieve the statutory objectives of fair trading, open choices and trust and transparency.
• Allows the DMU to use pro-competitive interventions. The DMU will have powers to flexibly design pro-competitive interventions.
• Makes changes to the existing merger control regime. This makes notification of mergers, acquisitions and the creation of joint-ventures by SMS firms mandatory where the total consideration is at least £25 million and the transaction will result in the SMS firm crossing certain share/voting rights thresholds. The Act also introduces changes to the notification thresholds for all mergers, including a new "transaction value" threshold of £100 million. There is also a requirement to notify mergers where either party has a 33% or more share of supply and a UK turnover of £350 million. This is designed to capture "killer acquisitions" that would otherwise slip under the CMA's radar.
• The Act gives extraterritorial effect to the UK prohibition against anti-competitive agreements for agreements which are likely to have an immediate, substantial and foreseeable effect on trade within the UK, including agreements that are not implemented or intended to be implemented in the UK. Additionally the Act gives the CMA power to issue fines to overseas companies for failure to comply with an information request.
• Gives the CMA power to impose fines for breaches of competition orders and undertakings.

Most of the Act's provisions will be brought into force by secondary legislation.

In December 2024, the CMA published finalised guidance on the digital markets competition regime, following consultation.

The digital markets and competition elements of the Act came into force on 1 January 2025 via the Digital Markets, Competition and Consumers Act 2024 (Commencement No. 1 and Savings and Transitional Provisions) Regulations 2024

The CMA| has set out the steps it will take when conducting initial Strategic Market Status (SMS) investigations, mirroring legislative requirements for extensive consultation with third parties and potential SMS firms before making any decision. The steps are:

Stage 1 (January to March 2025): initial evidence gathering and engagement with potential SMS firms and other stakeholders.

Stage 2 (April to June 2025): further evidence gathering and analysis, followed by a consultation on the proposed SMS designation decision and any initial conduct requirements.

Stage 3 (July to September 2025): analysis of consultation responses and further evidence gathering.

In addition to this the CMA to publish "roadmaps" alongside our consultations on the proposed SMS decisions in June (for search), and July (for mobile). The CMA intends to do this for all future SMS designations.

Are you ready for the UK Digital Markets Competition and Consumers Act?

The Digital Markets Competition and Consumers Act (DMCCA)

Firms within the scope of DORA must be able to withstand, respond to and recover from ICT incidents. Important requirements for firms will include:

•         Having internal governance and control frameworks that allow them to manage ICT risks effectively and prudently.

•         Having a robust and well-documented ICT risk management framework in place that allows them to address ICT risks quickly and comprehensively.

•         Reporting major ICT-related incidents to the relevant regulator.

•         Regularly carrying out digital operational resilience testing, including a range of assessments, methodologies, practices and tools.

•         Managing ICT third-party risk within their ICT risk management framework.

Under DORA, the European Supervisory Authorities (being the European Banking Authority (EBA) European Insurance and Occupational Pensions Authority (EIOPA) European Securities and Markets Authority (ESMA) (together the ESAs)) will develop 13 Regulatory Technical Standards (RTS) and Implementation Technical Standards (ITS) setting out details and guidance on key provisions and requirements within DORA. Financial entitles must be fully compliant with and implement these standards in their ICT systems by 17 January 2025.

The first batch of technical standards published by the ESAs were adopted by the Commission and brought into effect via implementing and delegated acts in February and March 2024 (see below).

The second batch of draft technical standards were published by the ESAs on 17 July 2024. Those still to be adopted by the Commission and implementing and delegated acts put in place are:

• RTS and ITS on the content, format, timelines, and procedures for incident reporting;

• Guidelines on aggregated costs and losses from major ICT-related incidents; and

• Guidelines on cooperation of oversight activities between the ESAs and competent authorities.

To date, the Commission has brought the following technical standards into effect via implementing and delegated acts:

• Delegated regulation specifying oversight fees for critical ICT third-party service providers in the financial sector, which came into effect on 13 March 2024.

• Delegated regulation on further specifying the criteria for designation of ICT third-party service providers as critical for financial entities, which. came into effect on 19 June 2024.

• Delegated regulation on oversight fees for critical ICT third-party service providers, which came into effect on 19 June 2024.

• Delegated regulation on RTS specifying the criteria for classification of ICT-related incidents, which came into effect on 15 July 2024.

• Delegated regulation on RTS specifying criteria regarding ICT risk management, which came into effect on 15 July 2024.

• Delegated regulation on RTS specifying ICT services policies supporting the critical or important functions provided by third party ICT providers, which came into effect on 15 July 2024.

• Implementing regulation on standard templates for the register of information, which came into effect on 22 December 2024.

• Delegated regulation on RTS on harmonising oversight activities, which will come into effect on 5 March 2025.

• Delegated regulation on RTS for threat-led penetration testing, which will come into effect on 5 March 2025.

• Delegated regulation on RTS on harmonising oversight activities, which will come into effect on 5 March 2025.

• Delegated regulation on RTS which specify the content and time limits for the notification and reporting of major ICT-related incidents, and the content of notifications for significant cyber threats, which will come into effect on 12 March 2025.

• Implementing regulation on ITS setting out the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat, which will come into effect on 12 March 2025.

• Delegated regulation on RTS specifying the criteria for determining the composition of the joint examination team. This has not yet been published in the Official Journal so is not yet in effect.

On 31 January 2025, the Commission rejected the draft RTS on subcontracting, which sets out the requirements and conditions for the use of subcontracted ICT services supporting critical or important functions under DORA. The Commission explained that it considers the requirements introduced by Article 5 on the “Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity” as exceeding the legal mandate under DORA.

The ESAs have six weeks upon receipt of the Commission's rejection to amend and resubmit the draft RTS and remove Article 5 as proposed by the Commission. Should the ESAs fail to submit a draft RTS, however, the Commission may adopt the RTS with those amendments it considers relevant, or reject it.

The implementing and delegated acts can be tracked from this page.

Cyber security | UK Regulatory Outlook January 2025

DORA – New EU cybersecurity law for Crypto

Webinar recording: Future of Financial Services Week | Deciphering DORA