AGEFI Luxembourg - January 2023

Informatique financière

In 2022, companies continued their efforts following the covid-19 pandemic to adapt their organisational and business processes to allow for up-to-date and secure digital tools and technologies. We have identified the following five main developments in the area of technology and their legal aspects, which will shape your agenda in the coming year. By anticipating these developments, you can use them to your advantage and prepare for their impact.

Development #1 - Continued focus on IT resilience

In December 2022, the Official Journal of the EU finally published both the adopted Digital Operational Resilience Act (DORA) and the NIS2 Directive (NIS2 Directive). The legal landscape for IT resiliency is now more complete (and busy!) than ever.

DORA establishes a set of requirements for the financial sector, from risk management to operational resilience testing, through incident management and reporting. DORA also regulates the contents of contractual arrangements concluded between financial entities and ICT service providers. DORA's requirements are pervasive and the act applies to the financial sector at large (with an impressive list of no less than twenty-one different categories of entities in scope, from credit institutions to ICT third-party service providers, through crypto-asset service providers and insurance intermediaries!).

The significant amount of work required to comply with DORA from an operational point of view is likely to involve a broad range of services provided by the in-scope entities, making the effective date of 17 January 2025 relatively short notice. Considering DORA in processes and contract negotiations with providers over the course of 2023 seems essential to ensure timely compliance.
Still in the financial sector, the deadline for adoption of the EBA guidelines on outsourcing (for credit institutions, investment firms and payment service providers) was, in principle, 31 December 2021 according to these guidelines. However, in Luxembourg the CSSF, the financial sector regulator, has set this date at 31 December 2022, although for most financial institutions this is a work in progress. We expect this topic to remain high on the agenda of many institutions for part of 2023.

The NIS2 Directive (a remodeling of the original NIS Directive) is a further source of information for standards to adopt in terms of IT resilience for a list of (highly) critical sectors (most utilities sectors, credit institutions, space operators and manufacturers of important products). Aimed at the improved harmonisation of requirements within the EU, the NIS2 Directive sets specific minimum rules (and ensures consistency with DORA, where needed) in terms of ICT risk analyses and security policies, incident handling, business continuity and crisis management, as well as supply chain security and security in network and information systems acquisition, development and maintenance. Hence, it constitutes an interesting and useful baseline for future compliance projects.

Luxembourg has until October 2024 to adopt, publish, and apply measures in line with NIS2. Some member states are likely to adopt requirements that are higher than the minimum rules of the NIS2 Directive. From a practical point of view, for certain multinational undertakings with establishments across various EU member states, the higher standard adopted by one of those member states that have separate and concurrent jurisdiction is likely to become the new de facto standard for the whole group of undertakings.
Closely following parliamentary progress on the transposition of the NIS2 Directive (in Luxembourg, but also in each member state where a business is active) will be essential to the improved planning of compliance programmes and initiatives for the 2024 deadline.

In parallel, a Proposal for a Regulation on cybersecurity requirements for products with digital elements (Cyber Resilience Act) is at advanced stages of discussion, aiming to improve cybersecurity in technological products (including hardware and software) designed, manufactured, imported, or otherwise distributed within the EU, by establishing minimum cybersecurity requirements for such products. This new initiative demonstrates the degree to which cybersecurity must be an essential consideration in the design process of new technological products (and in the review process for importers and distributors), even for consumer-grade products.

Also in the area of cybersecurity, by the end of 2023 the European Commission is to have carried out its first assessment of the Cybersecurity Act (CSA) to determine if any ICT products, processes or services are to be covered by mandatory certification. The CSA lays down the main requirements for European cybersecurity certification schemes in the ICT field. Initially, certification pursuant to the cybersecurity schemes has been voluntary, but the possibility of it gradually becoming mandatory for critical products or activities had already been envisaged. The European Commission's assessment is to be carried out by 31 December 2023 at the latest, and businesses designing, manufacturing or implementing ICT products, services, or processes should monitor the outcome to see whether it affects any of their provisions.

Development #2 - Shift in platform relations and Big Tech regulation

In mid-2023, the Digital Markets Act (DMA), which entered into force early November 2022, will start to apply.
By July 2023, the largest platforms (both EU and non-EU based) must have notified the European Commission of their core platform services. No later than 6 September 2023, the European Commission will have designated which of these qualify as gatekeepers, following which these platforms will have six months to comply with the obligations in the DMA (i.e. by 6 March 2024 at the latest). For some, the DMA may have far-reaching consequences for their innovation efforts and business models, while for others it may offer opportunities to benefit from a more innovative and competitive business environment.

For instance, we can expect (i) the end of platform monopolies (e.g. in hotel booking or car rental markets) because sellers will be free to offer their product elsewhere, and (ii) a better competitive position for non-gatekeeper businesses, now that gatekeepers can no longer rank their own products and services above those of other providers. For companies that offer services on the gatekeepers' platforms or competing digital platforms, it may be worthwhile analysing the DMA in more detail to see if the new regulatory framework provides a legal basis for a broader provision of services.

The Digital Services Act (DSA), which is part of the same set of new rules that aim to create a safer and more open digital space, entered into force on 16 November 2022. It applies to various online intermediary services, including platforms. The liability exemptions for intermediary service providers (ISPs), introduced by the e-Commerce Directive, will remain in the DSA. However, in order to avoid liability under consumer protection laws, the providers of online B2C marketplaces will have to ensure that an average consumer does not believe that the information or product is provided by the online marketplace itself, rather than by the professional trader using the marketplace.
In-scope ISPs will have to comply with specific information and transparency obligations and may have to amend their terms and conditions accordingly. Due to the DSA's extraterritorial scope, ISPs established outside the EU that offer services in the EU must appoint a legal representative in the EU for compliance and supervision purposes. Hosting service providers (even when they are not an online platform or online marketplace) will have to put in place electronic reporting tools allowing users to report any illegal content, and are subject to specific additional transparency obligations towards users as well as notification obligations towards law enforcement and judicial authorities.

With the exception of micro and small enterprises, online platforms will additionally have to provide users with access to internal complaint-handling systems and certified out-of-court dispute settlement bodies for disputes relating to decisions of the online platforms to, for instance, suspend services or a user's account. They will also have to prioritise notices submitted by so-called “trusted flaggers”, a status awarded by the supervisory authorities, and comply with enhanced transparency obligations.

The European Commission has published a useful overview of obligations per different type of online service. Based on the number of active end-users, the European Commission will determine whether a platform belongs in the ‘very large’ category, subject to stricter obligations. Platforms have until 17 February 2023 to report the number of end-users on their website. On 17 February 2024, the DSA will become fully applicable to all entities in scope, with the exception of an anticipated application from four months after their notification for platforms assigned to the ‘very large’ category. Apart from a safer and more transparent digital space, the harmonisation of these rules should make it easier for online platforms to start and grow in the EU.
The further development of the metaverse may also cause a shift in platform relations. In 2023 we expect that many more businesses will follow companies such as HSBC, JPMorgan, Nike and Gucci to establish a presence in the metaverse. Unlike social media and search engines, which seem pretty well covered by giants such as Google and Meta, there is still everything to play for in the metaverse. 2023 is likely to bring further interesting developments in that area, as the EU will also present an initiative to address virtual worlds, such as the metaverse. The initiative was qualified as “key” by European Commission President Ursula von der Leyen, in the latest State of the Union letter of intent.

Development #3 - Increased focus on Environmental, Social & Governance (ESG)

The amount and depth of sustainability reporting is likely to further increase in 2023. At European level, the most recent examples are the newly published Corporate Sustainability Reporting Directive (CSRD) and the proposed Corporate Sustainability Due Diligence Directive (CSDD). These rules force companies to extend their understanding to their supply chains to analyse potential impacts for sustainability (human rights and environmental impacts). Examples of ESG issues in the technology sector are energy consumption (e.g. data centers), staff working conditions (IT service desks, low-wage countries) and risks associated with big data / smart technology and facial recognition / surveillance technology, to name a few.

Although the larger parts of the relevant EU legislation target public interest / listed companies and other companies that meet certain thresholds (relating to net turnover, number of employees or business sector), we expect many tech companies to be directly or indirectly affected by the new rules: if not driven by their own intrinsic desire to meet ESG standards, then by their customers' due diligence requirements or ethical consumerism.
Development #4 - Progress on Artificial Intelligence (AI) legal framework

Since the first introduction of the EU's Proposal for a Regulation on Artificial Intelligence (AI Act) in 2021, the text has been significantly amended and discussed. We expect work on the AI Act to continue to intensify in the first few months of 2023, with the ultimate goal of having it on the books by the end of the year. The main impact of the AI Act would be on AI systems classified in the regulation as “high-risk”. In the latest proposal, such high-risk AI systems are those either:

- in themselves products, or forming part of or used as a safety component of a limited list of products, defined in other harmonisation directives and regulations (including, for instance, motor vehicles, medical devices, toys), that are required to undergo a third-party conformity assessment with a view to placing them on the market or putting them into service; or
- expressly listed in the AI Act (such as some specific AI systems used in education, employment, or law enforcement), unless the AI's output is purely accessory.

The AI Act provides different obligations for multiple stakeholders: providers, importers, distributors and users. In particular with regard to high-risk AI systems, each operator in the supply chain up to and including the user will have to comply with specific regulatory obligations. Users will, for instance, have monitoring and incident reporting obligations and the obligation to ensure human oversight.

The creation of a supervisory board, the European Artificial Intelligence Board (EAIB), inspired by the EDPB and the EDPS under the EU GDPR, is also an important component of the AI Act. The EAIB would be tasked inter alia with contributing to the harmonised enforcement of the AI Act within the EU, providing expertise and best practices, and advising the European Commission on AI.
The AI Act is without prejudice to the competences, tasks and independence of national data protection authorities, which should have access to any documentation created under the AI Act. How the EAIB would collaborate with the European Centre for Algorithmic Transparency (ECAT), recently created by the DSA, is not clear yet.

The AI Act was also completed with a separate (but complementary) initiative: the Proposal for a Directive on adapting non-contractual civil liability rules to artificial intelligence (AI Liability Directive). Where the purpose of the AI Act is to prevent harm caused by artificial intelligence, the AI Liability Directive is aimed at offering effective remedies to people having suffered damages caused by artificial intelligence. It aims to help victims to evidence their liability claim in two ways. The AI Liability Directive introduces a rebuttable presumption of causality in case of non-compliance with a duty of care, and facilitates access to relevant evidence by enabling victims to request the court to order disclosures of information about high-risk AI systems.

Even though these proposals are still being discussed, we expect 2023 to be an important year in getting closer to final texts. The AI Act would be applicable within 36 months following its entry into force (the initial proposal has recently been amended to include an increase to 36 from 24 months, but whether such amendment will be accepted is yet to be confirmed). According to the current text, the AI Liability Directive would have to be transposed by member states within two years of its entry into force, a deadline that might be further aligned with the AI Act. Overall, the deadlines to adapt to such significant changes to the legal framework applicable to AI would be quite short and it would be important for players in AI to monitor the legislative trends, and to consider the impacts already taking place in 2023.
Development #5 - Changes driven by foreign affairs and competition law

In many EU countries, foreign direct investment (FDI) screening mechanisms are being implemented (based on the EU FDI Regulation). The Luxembourg FDI screening mechanism will be introduced by bill n°7885, and will apply to foreign direct investments made by foreign investors that effectively participate in the control of a Luxembourg company which carries out critical activities on Luxembourg territory.

Control can follow from either (i) owning directly or indirectly 25% or more of the capital of the Luxembourg company, (ii) having a majority of the voting rights of the shareholders of the Luxembourg company, (iii) having the right to appoint or remove the majority of the members of the administrative, management or supervisory body of the Luxembourg company and being at the same time a shareholder, or (iv) being a shareholder of the Luxembourg company and controlling, pursuant to an agreement with other shareholders, a majority of the voting rights.

In the course of 2023, a new bill of law will likely be filed with a view to the introduction of a merger control regime in Luxembourg. Based on an intermediate report of the preparatory works, the Luxembourg regime will probably be aligned with and inspired by pre-existing rules and concepts used both by the European Commission and by national competition authorities of other member states. Luxembourg is the last EU member state to adopt such a general merger control regime. Such types of controls, however, are not entirely new in Luxembourg. For instance, in the space sector, since 2021, any transfer of space activities is subject to authorisation, and any change of control (exceeding certain thresholds) of space operators authorised under Luxembourg law is subject to notification and screening by the Ministry of Economy, which can object to the envisaged acquisition.
It will also be important to continue to closely follow national and international sanction regulations, including with respect to Russia, Belarus and Iran, to enable companies to respond to any changes in a timely manner.

Vincent WELLENS
Admitted Lawyer in Luxembourg and Brussels
Partner, NautaDutilh Avocats Luxembourg

Sigrid HEIRBRANT
Admitted Lawyer in Luxembourg and Brussels
Senior Associate, NautaDutilh Avocats Luxembourg

Yoann le BIHAN
Senior Associate, NautaDutilh Avocats Luxembourg

Technology Law: five things you need to know in 2023