regulatory change

The European Union is founded on four pillars, allowing the free movement of people, free movement of goods and services, a system of common external tariffs, and of similar laws enacted across all member states.

This latter point is a key consideration for any organization trading with or within the Single Market, as non-compliance can result in significant penalties.

In January 2021, for example, the European Union fined several video game publishers for allowing their products to be activated in some member states, but not others, depending on where they had been purchased.

The EU’s continent-wide regulations continue to evolve over time. It’s essential that anyone doing business in or with the EU is aware of these regulations and any applicable changes.

Financial services

Already highly regulated, the financial services sector is of particular interest to EU lawmakers on account of the Union’s shared currency, and the free movement of money across its internal borders.

Following the 2008 financial crash, it started to consider what measures could be put in place to protect consumers, businesses, and economies in the future. The result was a raft of regulations, including the Single Resolution Mechanism Regulation and amendments to its Capital Requirements Directive.

The Single Resolution Mechanism, which came into force in 2014, places all decision-making authority in the hands of a single board, which will decide which measures should be taken should it look likely that a bank in a member state might fail. Options open to the board include refinancing from a communal fund, and restructuring. The Capital Requirements Directive, meanwhile, aim to make the banking system more stable and robust by requiring banks to set aside a greater proportion of high quality capital to cover potential obligations.

The Basel III framework, which is expected to be implemented in 2023, will further strengthen the EU’s hand, and place increased burdens on financial institutions operating within the continent to manage risk and use external ratings agencies in a standard manner.

Medicine and life sciences

The European Union’s Medical Device Regulation was introduced in mid-May 2020 and replaced the existing Medical Devices Directive. It strengthens controls over the sale of medical devices for human use, requires manufacturers to nominate people with specific responsibility for regulatory compliance (much as organisations need appointed data officers for compliance with GDPR), and introduces better marking of products.

However, the concept of ‘medical devices’, within the scope of the regulations doesn’t only include implements for use in medical procedures. It also encompasses, for example, contact lenses and tattoo removal lasers. The deadline for implementation was May 2021.

Personal data

Implemented in 2018, GDPR (the General Data Protection Regulation) is well known and much discussed. Its implications are clear, requiring that all entities handling data regarding EU subjects, whether those entities are in the EU or not, make it easy to have that data corrected, removed, or transferred. Non-compliance can be penalised with fines of up to 4% of global turnover.

Since leaving the European Union, the UK has implemented the requirements of GDPR in its own UK GDPR regulations to ensure the territory remains in line with the EU and thus facilitate more effective cross-border working.

However, despite now being in its third year, GDPR continues to evolve, so measures put in place in advance of its enforcement may no longer be sufficient. Employers can no longer charge employees for subject access requests, for example.

It is essential that organisations are always aware of how much data they hold, what data they hold, and where it is held if they are to comply with GDPR. Increasingly, data will be spread across local and cloud services, so data controllers must be able to locate it and respond appropriately to data subject requests, even if they are not working with their own infrastructure.


The European Electronic Communications Code (EECC) entered force at the end of 2018, and is the basis on which the European Union will regulate the roll-out of enhanced services across the continent including, but not limited to, 5G services. It aims to have 100% population coverage for 5G by 2030.

However, the EECC is not the only set of regulations governing telecoms within the Union – either already existing or in progress. Many others exist or are under discussion. These include those that:

Meanwhile, the EU’s ePrivacy Regulation, which is awaiting Parliament’s position on the first reading, would repeal and replace the Privacy and Electronic Communications Directive 2002 and would exist alongside GDPR.

Its aim is to guarantee the privacy of communications and the regulation of cookies and online consent. Penalties for non-compliance would be in line with those for GDPR infractions.

If implemented, ePrivacy would treat many innovative communications providers, such as app-based services like Skype and WhatsApp, in a similar manner to traditional PSTN providers, and will apply not only to the content of communications, but also the metadata surrounding it if that metadata contains identifiable information.

Digital Services Act

The Digital Services Act has been drawn up to standardise rules for the handling of data across the European Union, making it easier for trans-national organisations to offer services across all member states.

At present, it is still in the proposal stage and under discussion in the European Parliament. If implemented, its provisions will apply exclusively to organisations that serve at least 10% of the European population (i.e 45m consumers or more), and breaching the Act would likely result in hefty fines of up to 6% of annual turnover or 5% of daily turnover.

Compliance would depend on the kind of content being handled but is likely to require removal of illegal content. This will be particularly relevant to anyone running social networking services, or sites that allow user contributions, such as news or video publishers welcoming reader / viewer comments.

Administrators will also need to disclose how their algorithms work. This would be of particular relevance to search engines, which have traditionally protected such information, so they retain greater control over results pages.

The provisions of the Digital Services Act will apply equally to organisations based outside the EU if they provide services within the Union. So, being a US or UK-based search engine without any EU office will not mean you’re exempt if you nonetheless have at least 45m users within the Union. Dominance in just one member state could be sufficient to cross that threshold.

Digital Markets Act

The Digital Markets Act aims to make it easier for competitors to gain a foothold in markets dominated by large, established rivals.

Within the provisions of the Act, these rivals are considered ‘gatekeepers’ as they are a primary conduit by which many users access the content they consume on a daily basis.

The EU has not named these gatekeepers explicitly, but they will probably include the likes of Google, Facebook and Microsoft due to their dominance of the markets for web browsers, social media use and desktop operating systems.

The Act, if it were to become law, would allow regulators to take a range of measures to limit what established players can do, with the aim of assisting new entrants. These include limiting their options for sharing data between two or more complimentary services, or promoting their own products or services above those of their competitors on the platforms they already own. For example, leading app stores would not be able to promote their owners’ own products where competition exists.

The Act remains at the proposal stage and is not expected to be implemented before 2023.

Selling into the EU

The European Union already applies common import regulations at its external border to protect its internal market. Measures are being updated throughout 2021.

For smaller organisations selling into the Union, the measure most likely to be felt is the scrapping of VAT low value consignment relief, which used to exempt items costing €22 or less from VAT. This will no longer apply, so VAT will be charged on all items entering the territory, regardless of the point of origin.

For third-party countries, including Britain, this has the potential to depress sales if cheaper alternatives exist within the EU.

VAT payments due on items costing €150 or less can be managed through a new centralised system, known as IOSS, which will make implementation simpler. However, at the same time, businesses selling into the European Union will need to provide more detailed documentation, again increasing the burden on external exporters. This is required for compliance with the Import Control System 2, a customs pre-arrival security program designed to make air transport safer and more efficient.

Machine learning and AI

As fast-growing sectors, it is essential that lawmakers worldwide ensure the legislation surrounding machine learning and artificial intelligence remains fit for purpose. The EU is currently debating how it can regulate its use – in particular where it has an impact on human beings.

Specifically, it is concerned with decisions made by AI that may have a detrimental impact on the subject, such as where AI is used to sift job applications; how AI impacts health and safety, which would be particularly relevant in a range of applications surrounding autonomous vehicles; and how it should calculate where liability lies for any accidents caused by artificial intelligence.

Merit Group’s expertise in Regulatory Data

Merit Data and Technology has over 15 years of experience in data intelligence. We work with some of the world’s leading brands to provide valued information that keeps our clients and their customers ahead of changes to policy and regulations.

Get in touch to talk to us about your regulatory data needs.

  • 01 /

    A Bespoke Retail Data Solution for Better Insights and Forecasting

    A pioneer in the retail industry with an online solution providing easy access to global retailer data, had the challenge of creating retailer profiles through the data capture of financial and operational location information.

  • 02 /

    Document Collection and Metadata Management System For the Pharmaceutical Industry

    A leading provider of data, insight and intelligence across the UK healthcare community needed quick and reliable access to a vast number of healthcare documents that are published everyday in the UK healthcare community.