
27 January 2025
Schoenherr publication

to the point: technology & digitalisation | January 2025

Welcome to the January edition of Schoenherr's to the point: technology & digitalisation newsletter!

We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.

As we settle into 2025, the rapidly evolving digital regulatory landscape presents challenges that businesses can no longer afford to ignore. From AI tools and digital services to data sharing and cybersecurity frameworks, today's technological innovations are intersecting with an increasingly intricate and expanding web of EU regulations. January has already brought significant developments, underscoring the urgent need for companies to stay ahead of the compliance curve. In this edition of our newsletter, we highlight some of the most pressing updates.

On 17 January, the EU's Digital Operational Resilience Act (DORA) came into effect, requiring businesses to implement robust cybersecurity measures, resilience frameworks and transparency in the face of digital disruptions. If your company is involved in the financial sector or its supply chain, now is the time to ensure your ICT systems meet DORA's rigorous requirements. Additionally, in December, Italy's data protection authority imposed a substantial fine on OpenAI for failing to comply with the EU's General Data Protection Regulation (GDPR), reinforcing the fact that no company, regardless of size, is exempt from regulatory scrutiny.

As these developments show, the EU's digital regulatory environment is becoming increasingly complex and demanding. With new regulations being introduced and existing laws being enforced more stringently, businesses must adopt a proactive approach to compliance. Regular audits of digital products, AI tools, online services and ICT systems are no longer optional—they are essential to avoid costly fines and legal issues. Staying ahead of regulatory changes and anticipating future requirements is key to ensuring long-term success. As we move through 2025, it is crucial to remember that in a world where technology outpaces regulation, maintaining compliance is the best way to safeguard your business's future.

The Digital Operational Resilience Act (Regulation (EU) 2022/2554 – "DORA") came into effect on 17 January 2025, bringing significant implications for organisations operating within the financial sector. Under DORA's mandate, financial entities and their critical third-party technology service providers are now required to implement rigorous cybersecurity requirements. DORA's primary objective is to ensure a high level of digital operational resilience against cyber risks across the EU financial market. Additionally, it introduces a new supervisory structure for critical ICT third-party service providers that offer ICT services to financial institutions.

Who is affected by DORA?

DORA applies to most financial institutions, including credit institutions, payment and e-money entities, investment firms, crypto-asset service providers, issuers of crypto-assets, insurance and reinsurance companies, credit rating agencies, statutory auditors and audit firms, as well as crowdfunding service providers. It also extends to third-party ICT service providers that are deemed critical to financial institutions, including cloud computing service providers, software providers and data analysis service providers.

The five key pillars of DORA

  • ICT Risk Management: Under DORA, financial institutions are required to implement advanced risk management frameworks to identify, assess and mitigate ICT-related risks.
  • ICT-related Incident Reporting: DORA outlines a clear protocol for reporting and responding to ICT incidents, enabling institutions to act swiftly and limit damage from cyberattacks or system failures.
  • Digital Operational Resilience Testing: DORA mandates regular testing of ICT systems and their operational resilience, ensuring that financial institutions can withstand disruptions.
  • ICT Third-Party Risk Management: For the first time, financial institutions are required to actively manage and monitor the resilience of their external ICT vendors and conduct thorough due diligence when selecting third-party providers.
  • Cyberthreat Sharing: DORA also facilitates collaboration among financial institutions by enabling information exchange regarding emerging cyberthreats.

The implications of DORA for financial institutions are significant and far-reaching. Compliance with DORA requires financial firms to review their ICT risk management practices, revise internal policies, and ensure that third-party contracts and arrangements align with the Regulation's stringent standards. Institutions will need to demonstrate a continuous process for managing ICT risks, including maintaining up-to-date incident response and recovery plans.

Today's food industry faces many challenges in ensuring food safety, quality and sustainability. As the demand for safe, healthy and organic food continues to grow, food traceability throughout the production process becomes a key element.

Aiming to ensure a high level of protection for human health and consumer interests in relation to food, Regulation (EC) No 178/2002 mandates the traceability of food, feed, livestock and any substances intended to be, or expected to be, added to food or feed at all stages of production, processing and distribution. While in the past the process of tracking food was based on paper documentation, filed and recorded by humans, nowadays new technologies are transforming food traceability, enabling transparency, accuracy and efficiency across the supply chain.

  • Blockchain: One example of technology used in relation to food traceability is blockchain. Blockchain, or distributed ledger technology, ensures the immutability and integrity of records, making it well suited to food traceability. With blockchain, each transaction or event in a product's history (e.g. transport, processing, sale) can be recorded transparently and immutably, so that entries cannot be altered after the fact; note that this protects records once written, but not the accuracy of what is entered in the first place. Everyone involved in the supply chain has access to the same, reliable information, enabling a quick response if problems are identified. The consumer can easily verify how a particular product was made. This technology also simplifies the identification of faulty food already in stores and protects consumers from the negative consequences of consuming such products.
  • Internet of Things (IoT): The Internet of Things (IoT) is a network of connected devices that can collect, transmit and analyse data. Regarding food traceability, IoT enables automatic control of the conditions under which food is stored and transported. By using the right sensors, manufacturers and distributors can monitor the quality of products at every stage of the supply chain. Thanks to IoT technology, it is also possible to track the location of products, preventing them from being lost in transportation. This is particularly important for products that require specific storage conditions, such as frozen or easily perishable foods.
  • Artificial Intelligence (AI): Artificial intelligence (AI) is applied to the analysis of data from various sources in the context of food traceability. AI can help identify patterns in data, predict potential problems and optimise the supply chain. An example would be an algorithm that analyses data on product transport and storage conditions and then pinpoints the most common trouble spots, such as inappropriate temperature or delivery delays. AI also allows for the automatic detection of inconsistencies in documentation, which can help eliminate human error and increase efficiency in the food tracking process.
  • Data Analytics: The above-mentioned solutions lead to the collection of huge amounts of data in real time. This makes it possible to analyse trends in food production and supply on a large scale and quickly detect anomalies. AI systems can combine data from a variety of sources – such as IoT sensors and blockchain data – to provide a complete picture of the supply chain situation and apply new solutions that can lead to lower food prices or improved food quality.

Without a doubt, new technologies such as blockchain, IoT and AI are revolutionising food traceability and bringing enormous benefits in the food sector, such as enhanced operational efficiency and faster problem resolution for manufacturers and improved food safety, quality, and transparency, strengthening consumer trust. Experts predict that the market for food traceability solutions will triple by 2030, underscoring the transformative potential of this sector. In the long term, food traceability can help promote more environmentally friendly and ethical food creation practices. However, the food sector might also face challenges with those new technologies, as high implementation costs may disadvantage smaller businesses. Furthermore, it is important to bear in mind that those technologies also come with potential cybersecurity and privacy risks, including data breaches and potential misuse of personal information. Therefore, robust compliance with regulations like GDPR and local cybersecurity laws is required.

Cybersecurity is one of the most critical challenges of our time. On 17 December 2024, Hungary adopted a new law that comprehensively regulates the country's cybersecurity and implements the EU's NIS2 Directive. A milestone in Hungary's digital defence, the law came into effect on 1 January 2025.

In addition to fully implementing the Directive, Hungary's Cybersecurity Act will serve as a code-like piece of legislation for cybersecurity. It includes the basic rules of cybersecurity, the distinction between essential and important organisations and their respective obligations, guidelines for handling cybersecurity incidents, and detailed rules for the certification system.

In line with the NIS2 Directive, organisations subject to regulatory activity have been categorised into essential and important organisations.

The law's definitions have also been revised. For example, some interpretative provisions have been clarified (e.g. vulnerability assessment) or expanded. The concept of an electronic information system now clearly includes cyber-physical systems (also known as industrial systems). The previous incident categories are replaced by a multi-component scale, as required by the NIS2 Directive and based on the experience of recent years.

The types of security classes are reduced from the previous five to three: "basic", "significant" and "high" classes. The "basic" security class applies to systems whose damage could cause limited harm. The "significant" class includes systems which, if compromised, could have serious consequences, while "high" class systems are part of critical infrastructure. In addition, the review period for security classification is modified from three years to two years.

The law uniformly uses the term national cybersecurity authority, but in practice:

  • the Authority for Regulated Activities (Szabályozott Tevékenységek Felügyeleti Hatósága) remains the authority over market players affected by the NIS2 Directive;
  • the National Security Service (Nemzetbiztonsági Szakszolgálat) oversees the civil side of the state sphere, while for organisations or systems with defence implications, the Military National Security Service (Katonai Nemzetbiztonsági Szakszolgálat) may be the authority designated in a separate government decree;
  • the Hungarian National Bank (Magyar Nemzeti Bank) is designated as the authority for the banking and financial sector by the directly applicable EU DORA regulation, which does not need to be transposed into national law.

Legal consequences and sanctions

The system of legal consequences is explained in more detail in the law. It includes warnings, notices, obligations, turning to the supervisory body or the owner's rights practitioner, appointing an information security supervisor, or imposing fines of up to HUF 15m (approx. EUR 36,300). In the case of non-administrative essential organisations, the NIS2 Directive prescribes the possibility of applying stricter legal consequences, which is also reflected in the law. However, these stricter measures, temporary suspensions and disqualifications, should be applied as a last resort, only after other measures have been exhausted, and remain in effect until the affected organisation takes the necessary actions.

Summary

The law significantly transforms cybersecurity supervision and certification in Hungary. It introduces several innovations to cybersecurity supervision and certification, particularly regarding organisational categories and risk management, the authority's powers and the system of definitions. These changes aim to increase national security and ensure EU compliance, i.e. to modernise national regulations based on the NIS2 Directive. To comply with the law, businesses should familiarise themselves with the new provisions and ensure compliance with the cybersecurity requirements.

Back in March 2023, the Italian Data Protection Authority, known as the "Garante", initiated an investigation into OpenAI's ChatGPT. This investigation resulted in a temporary suspension of ChatGPT in Italy due to concerns over data privacy violations.

On 20 December 2024, the Garante concluded its investigation and imposed a fine of EUR 15m on OpenAI. The fine was levied for several reasons:

  • Inadequate legal basis for data processing: OpenAI was found to have processed users' personal data to train ChatGPT without relying on or even identifying an appropriate legal basis, violating the General Data Protection Regulation (GDPR).
  • Lack of transparency: OpenAI failed to meet the GDPR's principle of transparency and related information obligations towards users, not adequately informing them about how their data was being used.
  • Age verification issues: OpenAI did not implement sufficient age verification mechanisms, risking exposure of children under 13 to inappropriate AI-generated content.
  • Data breach notification: OpenAI did not notify the Italian Authority of a data breach that occurred in March 2023, which exposed contact and payment information of some users.

In addition to the fine, the Italian Data Protection Authority has ordered OpenAI to conduct a six-month public awareness campaign. This campaign will be carried out through various media channels, including radio, television, newspapers and the internet. The goal is to educate the public about how ChatGPT collects and uses data, and to inform users and non-users about their rights under the GDPR, including the rights to object, rectify and delete their data.

OpenAI has expressed its intention to appeal the decision, calling the fine "disproportionate." The company highlighted that the fine is nearly 20 times the revenue it made in Italy during the relevant period. OpenAI also pointed out that it had cooperated with the investigation and had already made significant changes to address the issues raised, including implementing an age verification tool and improving its privacy policy.

Opinion 28/2024 on data protection in AI models

The recent developments also align with the European Data Protection Board's Opinion 28/2024 on data protection aspects related to AI models. This opinion emphasises that legitimate interests can be used as a legal basis for data processing if the three-step balancing test under the GDPR favours the data controller. It also highlights the importance of considering the reasonable expectations of data subjects regarding the processing of their data for purposes such as AI-driven cybersecurity and conversational agents. The legality of AI models trained with unlawfully processed data depends on whether the data has been properly anonymised.

Conclusion and to-dos

The fine imposed on OpenAI by the Garante marks a significant step in regulating AI systems and ensuring compliance with data privacy laws. As AI technology continues to evolve, it is crucial for companies to adhere to stringent data protection standards and maintain transparency with users. The ongoing public awareness campaign and the guidelines set forth by the European Data Protection Board will play a vital role in shaping the future of AI and data privacy.

In recent months, the European Commission has adopted numerous legislative acts that may require changes to be made to apps, platforms, websites or other digital products and services.

The Digital Services Act foresees numerous obligations for providers of online services that must be implemented as quickly as possible. For instance, qualification as a provider of mere conduit services, caching services or hosting services entails numerous diverging obligations, ranging from purely "cosmetic" requirements to the implementation of internal complaint handling mechanisms and the creation of new resources for handling user concerns.

Under the AI Act, manufacturers, providers and, to some extent, users of AI systems must also comply with a wide range of requirements. These range from transparency requirements and regulations for training employees to the obligation to create risk management systems and to prepare and maintain technically complex records.

Pursuant to the Data Act, which will be applicable starting September 2025, a large amount of previously confidential data generated by (inter-)connected products and related services will have to be shared on request across sectors and also with competitors. Some data, such as those containing trade secrets, may be excluded, provided that this is appropriately marked and substantiated. Conversely, one will also be able to request this data from other market participants or access it. In this regard, too, numerous preparatory measures will need to be taken.

In addition, some business areas are subject to sector-specific requirements. These include, for example, those arising from the Digital Operational Resilience Act (applicable to the financial industry), the NIS2 Directive (for important and critical businesses/industries) or the Cyber Resilience Act (relevant for manufacturers or importers of products with digital elements).

To-dos

Although most of this legislation provides for substantial fines for violations, this risk can be effectively mitigated by having your products and platforms comprehensively reviewed from a legal perspective and, if necessary, adapted.

The following overview, however, can serve as a basic framework of relevant to-dos:

Digital Services Act (DSA)

  • Assess applicability and classification
    • Determine if the DSA applies to your digital platform or service.
    • Classify your service under the appropriate provider category (e.g. intermediary service, hosting service, online platform, very large online platform, etc.).
  • Extract relevant obligations based on provider qualification (excerpt)
    • Transparency obligations: Ensure you provide a contact e-mail address for users and authorities.
    • Internal structures and processes: Establish a complaint handling team to manage user complaints (if required).
    • Content moderation: Implement clear content moderation policies and procedures (if required).
    • Risk management: Conduct risk assessments and implement measures to mitigate identified risks.

AI Act

  • Determine applicability
    • Assess if your machine-based/automation tool falls under the definition of an AI system and therefore under the scope of the AI Act.
  • Implement the applicable requirements
    • Risk classification: Classify your AI system based on the risk level (e.g. minimal risk, limited risk, high risk, unacceptable risk).
    • Transparency and documentation: Maintain detailed documentation and transparency about the AI system's functionality and data usage.
    • Human oversight: Ensure human oversight mechanisms are in place for high-risk AI systems.
    • Data governance: Implement robust data governance practices to ensure data quality and integrity.

Data Act

  • Assess data sharing obligations
    • Determine the extent to which your service is required to share data with other businesses or public authorities.
  • Implement data management practices
    • Data portability: Facilitate data portability for users, allowing them to transfer their data easily. Examine which data can or must be excluded from access and transmission.
    • Data access and use: Ensure compliance with rules on data access and use, including user consent and data protection.
    • Interoperability: Promote interoperability of data and systems to facilitate data sharing.

On 4 December 2024, the Council of the EU reached an agreement on a proposed framework for Financial Data Access (FIDA). This initiative aims to enhance the digital transformation of the financial sector by enabling secure and open access to customer data across a wider array of financial services. By prioritising consumer interests, competition, security and trust, FIDA seeks to drive innovation and modernisation in financial services while safeguarding the rights of consumers and businesses. Building on the principles of "open banking", the framework introduces a customer-centric model that aligns with the General Data Protection Regulation (GDPR) and the business-to-business data-sharing standards outlined in the Data Act.

FIDA's rights and obligations

The key rights and obligations of the framework include:

  • Customer control: Consumers retain full authority over who can access their data and for what purposes.
  • Voluntary data sharing: Customers can choose whether to share their data with third-party users.
  • Obligation for data holders: Customer data holders are required to make data available to users upon customer request.
  • Standardisation: Customer data and technical interfaces will be standardised to streamline sharing and access.

For consumers, including individuals and small and medium-sized enterprises (SMEs), FIDA thus aims to facilitate easier access to personalised financial products, such as tailored loans and investment options. Crucially, the framework ensures that consumers retain control over their personal data while benefiting from innovative financial services.

For obliged entities, this means that they must adhere to transparent standards for what data must be shared, how it is shared, and the compensation due for making such data available. Financial institutions, especially those involved in services like investment management, lending and financial advice, will be required to adapt their systems to meet these obligations and compete in a more data-driven marketplace.

Furthermore, FIDA incorporates safeguards to prevent unfair practices and financial exclusion. The European Supervisory Authorities are tasked with issuing guidelines to ensure fair treatment of consumers and businesses. The scope of the rules is defined by specifying the data sets and sectors covered, with some flexibility for Member States, such as the option to include occupational pensions in the framework. Additionally, FIDA allows obliged entities to set time limits for sharing non-digitised customer data. It also imposes stricter oversight measures for third-country service providers and digital gatekeepers to maintain fair competition in cross-border financial services.

Looking ahead

In conclusion, the FIDA framework represents a significant step toward modernising the EU's financial landscape, fostering innovation while maintaining strong consumer protections. Financial institutions and service providers should align their operations with these new requirements and seize the opportunities offered by a more open and competitive financial ecosystem.

Cyberattacks are on the rise in the EU, and as the threat becomes increasingly complex and dynamic, it poses a serious risk to the health sector as well. In 2023, EU Member States reported 309 significant cybersecurity incidents in the healthcare sector, surpassing those in any other critical industry. These disruptions, which can delay medical procedures and endanger lives, highlight the urgent need for a robust cybersecurity strategy tailored to the healthcare environment.

On 15 January 2024, the Commission launched a European action plan to strengthen the cybersecurity of hospitals and healthcare providers. It provides tailored guidance, tools, services and training to hospitals and healthcare providers to improve threat detection, preparedness and crisis response. This initiative represents the first sector-specific effort to apply the entire spectrum of EU cybersecurity measures.

Key measures of the action plan:

  1. Strengthening prevention: The action plan aims to strengthen the healthcare sector's capacity to prevent cyberattacks. This includes guidelines for implementing critical cybersecurity practices and the introduction of cybersecurity vouchers to help smaller hospitals and healthcare providers invest in cybersecurity. In addition, a dedicated training tool is intended to equip healthcare professionals with the skills to address cybersecurity challenges effectively.
  2. Enhancing threat detection: A new Cybersecurity Support Centre for Hospitals and Healthcare Providers, managed by the EU Agency for Cybersecurity (ENISA), will be established. By 2026, the Centre will offer an EU-wide early warning system, enabling near-real-time alerts to identify and address emerging cyberthreats.
  3. Rapid response to cyberattacks to minimise impact: The plan is to establish a health sector rapid response service provided through the EU Cybersecurity Reserve. This reserve, which is supported by the Cyber Solidarity Act, will provide incident response services through trusted organisations.
  4. Deterring cyberthreat actors: To dissuade malicious actors, the EU will employ its Cyber Diplomacy Toolbox, a coordinated response mechanism aimed at holding cyberthreat actors accountable and safeguarding critical healthcare infrastructure. Therefore, Member States should ensure that law enforcement is fully integrated into their national action plans. In particular, they should make full use of the provisions under the Directive on attacks against information systems and under the Council of Europe's Budapest Convention on Cybercrime to deter attacks, bring criminals to justice and dismantle criminal infrastructure facilitating attacks.

The success of this initiative depends on collaboration between healthcare providers, Member States and the cybersecurity community. To refine the proposed measures, the Commission will soon launch a public consultation to gather feedback from citizens and industry stakeholders. Specific actions will be rolled out in 2025 and 2026.

The Action Plan leverages existing EU legislation to strengthen cyber resilience, such as:

  • NIS2 Directive: Identifies healthcare as a sector of high criticality and establishes baseline cybersecurity standards.
  • Cyber Resilience Act: Mandates cybersecurity requirements for digital products.
  • Cyber Solidarity Act: Supports threat detection and response through the Cyber Emergency Mechanism.

These efforts align with the broader European Health Data Space, designed to empower citizens with control over their health data while ensuring robust security for sensitive information.

In conclusion, the EU Action Plan represents a significant step toward a secure and resilient healthcare sector. By addressing cybersecurity challenges through prevention, detection, response and deterrence, the EU is laying the foundation for a safer, technology-driven healthcare environment where innovation thrives, patient care improves and trust remains paramount.