European Digital Regulation

One of the first big pieces of EU digital regulation was the General Data Protection Directive (GPDR), which seeks to set rules for the gathering, storage and sharing of personal data. The scope of this legislation was to protect people’s right to control their personal data, but also for businesses and the public sector to be able to use personal data in a clear framework. As universities are gathering and storing considerable amounts of personal data, they have faced challenges in complying with these rules as described in detail in the GDPR Section.

Another aim of EU digital regulation has been to reign in the big technology companies, preventing them from engaging in monopolistic behaviour, which limits the freedom of choice for customers. The main tool for this has been the Digital Markets Act (DMA), which defines a small number of large companies as ‘gatekeepers’ who must follow specific rules limiting possible abuse of their dominant position. This is interesting for universities, as they are users of services from these gatekeepers, for example, products from Microsoft Office or Google. The DMA seeks to ensure that customers are not locked into any of the products that they buy from these companies (see also Digital Sovereignty).

Moreover, the European Commission is generally pushing for interoperability of services, also for smaller companies, as the main means to ensure freedom of choice between different providers. For example, it asks EU member states to promote interoperability of educational technologies as well as to set up structures that ensure transparent standards for virtual worlds such as the metaverse. The topic of interoperability is also addressed through the European Interoperability Framework and the Digital Education Hub, which are as much concerned with regulation as with coordination and setting common standards.

The Digital Services Act (DSA) regulates platforms such as social media, aiming to ensure that especially large companies such as Twitter (now X) or Facebook do not disseminate illegal content, and also that customers of these companies have the right to know the reason for company actions—why, for example, their posts have been cancelled. The DSA also sets rules for smaller platforms, which could encompass Open Access Repositories, as well as universities that want to set up their own social media servers.

Europe is also pioneering regulation on artificial intelligence through its Artificial Intelligence Act. Consistent with the principles about a human-centric digital transformation, this act defines risk related to uses of artificial intelligence, measured by their impact on people’s lives. Most uses, such as efficiency in heating systems, are not seen as risky, whereas artificial intelligence that makes decisions regarding access to education are. Even for most cases that are seen as risky, these uses are not forbidden, but they do require higher standards for the data used to teach the artificial intelligence as well as human oversight.

An important aim of the EU is to usher in a European data economy. For this reason, the European Commission has proposed legal frameworks for sharing data in the Data Act and Data Governance Act. The aim here is to ensure that there is free access to data so that policy makers or innovators can access data, for example, in the health sectors, but also from machines or consumer products that generate data.

As a part of this, the EU is developing a series of data spaces in strategic sectors, where participants can share or trade data, for example, regarding skills, health or energy. Here, the EU aims to develop the legal foundation as well as technical frameworks such as the European Blockchain Services Infrastructure (EBSI). The European Commission also funds a pilot project to develop the data spaces, looking at ways to set up governance and ensure interoperability.

A well-functioning digital market depends on secure critical services. For this reason, the EU has adopted the second Network and Information Security Directive (NIS2), which defines critical sectors and sets the framework for national rules that ensure a high level of cybersecurity in these sectors. Definitions vary between EU member states, and implementation has not finished yet. However, universities are generally not seen as a critical sector, but certain types of research – for example, health – will fall under the rules of the directive.

Another kind of safety is addressed in the DSA, which sets rules for moderation of social media platform so that illegal material is found and removed. Notably, this also includes requirements for very large platforms to have particularly strict risk management processes and obligations to share data with researchers in certain circumstances.

Another fundamental pillar for the digital transformation is digital identity. The EU is planning new rules in the eIDAS regulation (regulation on electronic identification and trust services) that will provide the framework for a European digital identity and digital wallets for identification as well as storing certificates, including digital credentials such as university diplomas.

See also Regulatory framework.