Navigating the digital regulation tsunami:

February 27, 2024

María González Gordon, Head of Intellectual Property, Industrial Property and Digital Business at CMS Albiñana & Suárez de Lezo


Watch out: Businesses all around the world are facing a Digital Regulation Tsunami!

There are significant global developments in digital media policy and regulation which all companies urgently need to learn how to navigate successfully.

In the context of the European Parliament’s initiative ‘A Europe fit for the digital age’, the European Commission is carrying out an important legislative exercise by setting forth regulations to address the evolving digital landscape, marking a paradigm shift in regulatory frameworks. This is what I like to refer to as the ‘Digital Regulation Tsunami’.

A whole set of recent and upcoming regulations and directives is being promoted by the European Union, to respond to the challenges of the digital era. All eyes are now on the European Union regulator, on the lookout for every new wave of regulation. Many companies, however, seem to be unaware of how to surf and master this ‘Digital Regulation Tsunami’.

This expanding regulatory landscape has driven the creation of over 80 EU-level regulations. Examples of this legislative effort include:

  • the Digital Services Act (DSA), aiming to create a safer digitalspace where the fundamental rights of users are protectedand to establish a level playing field for businesses;
  • the Digital Markets Act (DMA), which is a useful tool tocomprehensively regulate the power of gatekeepers;
  • the NIS 2 Directive, which aims to provide a harmonisedframework for cybersecurity risk management; and
  • the Data Act, seeking to make more data available andfacilitate data sharing across sectors.

There is also a large pipeline of regulatory proposals currently under review:

  • The AI Act, trying to ensure better conditions for the development and use of AI, while ensuring the protection of AI users through a risk-classification of AI systems;
  • the Gigabit Infrastructure Act, which is expected to introduce measures to reduce the cost of deploying gigabit electroniccommunications networks; and
  • the European Media Freedom Act, which establishes acommon framework for media services in the internal market.

CMS conducted a survey amongst 450 General Counsels based in the European Union and the UK from a wide range of business perspectives for a better understanding of their position in terms of awareness, concerns, commercial threats, and commercial advantages they foresee. The results show that even if companies recognise what is at stake, they don’t seem to be acting upon it effectively.

Now is the time to act

It is necessary for businesses to assess the impact of digital regulation. In fact, over three quarters of the survey respondents agree that the ability to adapt to regulation will determine who succeeds in digital business in the next five years. Moreover, businesses know they can’t wait: 73% agree that acting quickly on new regulation is essential to keeping pace with digital innovation. However, only 36% have revised their digital transformation plans, despite looming deadlines. And falling behind schedule is not an option.

The findings of our survey also unveil a less-than-ideal approach adopted by businesses. A clear indication of this is the fact that only 9% consider non-personal data (NPD) to be ‘highly’ strategic to their business. This surprising figure underscores a concerning trend where 91% may be overlooking the profound implications of the EU’s non-personal data strategy—a strategy laying the groundwork for a new era in the data economy. The NPD regulations’ objective is to level the playing field and provide greater access to data across all sized business in fair, reasonable and non-discriminatory terms, providing efficiencies and a more competitive landscape. In an era where data is universally acknowledged as a strategic asset, its pivotal role across sectors cannot be overstated. Consequently, businesses that fail to grasp the significance of NPD may find themselves grappling with adverse consequences as the regulatory landscape evolves.

Risks of AI regulation

When it comes to AI, the chief commercial threat suggested by the respondents of our survey is the reduced ability of business to compete compared to Big Tech. Most companies expect the AI Act to have legal or compliance implications for their companies. Specifically, increased complexity of contracts and risk of litigation is feared by most of the businesses. Although commercial and legal risks of AI adoption can be greatly reduced by taking appropriate prevention measures, a lot of companies still fail to understand the risks that this regulation poses and, even more, to implement a plan to ensure compliance with this new and intricate AI regulation.

Heads up for all in-house counsel: you should be drawing up plans for compliant AI adoption, so your business has the confidence to innovate ahead of your competitors.

It is also significant that 78% expect to have moderate or significant legal implications in relation to digital platform regulation, such as increased technology/operational costs to ensure compliance. A particular compliance concern surrounding this regulation area is how to determine what constitutes a platform, especially in the context of large online services. In some cases, businesses may be operating as a platform without knowing it, exposing them to the risk of regulatory penalties. It seems that a clearer answer to this question might be now falling into place. If in-house counsels have not yet assessed its impact on their organisations, now is the time to do so.

Cyber security as a strategic asset

Moreover, a notable 40% express concerns that adherence to cyber safety regulations may stifle innovation. It is surprising that a significant proportion of senior in-house legal counsel seem not to be aware that security can help unlock technology adoption. In the contemporary business landscape, where market dynamics emphasize a fervent appetite for innovation, technological solutions, and creations fortified by robust cyber safety protocols, it becomes imperative for industry leaders to acknowledge the inherent synergy between these elements. Companies that are not prepared to deliver distinctive products coupled with a comprehensive cyber safety package, don’t stand a chance, not only to meet market expectations but also to drive substantial demand.

Compliance with these regulations becomes imperative, and understanding their nuances can also yield strategic advantages. The most widely anticipated opportunities are the ability to develop a long-term technology strategy, an increased ability to disrupt competitors and the possibility to enable new products and services. As we navigate this intricate regulatory landscape, it is our role to ensure that our clients are not only aware of the regulations, but also positioned to leverage them to their benefit. Careful and strategic preparation will ensure that businesses can predict and mitigate compliance costs, minimize risks, and identify and capture the opportunities that this regulation presents. Companies that recognise this opportunity, and act upon it, will be the ones that thrive in the coming decade.

A global regulatory tsunami

The ‘Digital Regulation Tsunami’ goes beyond companies located in the European Union, or companies focused on core digital activities. Every client is inherently a digital client. This assertion holds true because a client’s core business may be inherently tech/digital, or they may engage in tech/digital projects and businesses—selling products online, offering content to third parties, or collecting data. Additionally, clients may embark on AI projects or integrate AI into their daily operations and would therefore need legal advice.

For instance, a company engaged in a project involving AI and data, even if their core business is unrelated, can benefit by understanding the regulations that impact their project by assessing the proposals for the Artificial Intelligence Liability Directive (AILD) or the Artificial Intelligence Act. A food company, for example, involved in an AI and data project for production processes could potentially benefit from implementing the Data Act allowing cloud users to seamlessly switch between servers, showcasing how regulatory insights can inform strategic business decisions.

Therefore, the ‘Digital Regulation Tsunami’ will not only affect tech/digital-centric businesses, but a wide array of industries, especially those in Business Advisory and Financial Services (BAF), Energy, and Technology, Media, and Communications (TMC). Professional legal advice therefore becomes an invaluable asset for any client seeking clarity and strategic advantage in the complex digital regulatory landscape.

The expected impact of this new regulatory framework will definitely be global. It is therefore vital, not only for EU citizens, but also foreign players and companies anchored in traditional industries and sectors to, first, catch up with digital regulations, and second, align their operations with EU standards to be able to maintain their EU market share.

The European Commission intends to establish comprehensive standards for companies both within and also outside the EU to precisely transform the digital business regulatory landscape on a global scale. Every business that has contact with the EU must comply with these set of regulations, irrespective of whether it is because they are based in the EU, or because they target the EU market. As international businesses tend to align with the strictest regulatory standards, EU rules often become global standards. And, by doing so, positioning the EU as a competitive force against the US and Asia. In fact, the EU digital business regulatory framework might help to create a level playing field, resulting in greater competitiveness for companies established in the EU.

With the General Data Protection Regulation (GDPR), the EU has already shown that it is capable of setting new standards that shape global markets. After that example, it seems that the Commission decided to mirror the experience with the GDPR, where the establishment of benchmarks catalysed a global ripple effect. Considering the Commission’s latest moves, the AI Act might become the next regulation causing a domino effect worldwide.

Navigating the tsunami: be proactive

Whether companies view this regulatory tsunami as an opportunity or as a threat, they need to learn to skilfully navigate this new environment to survive and, even better, leverage it as early movers. Many companies all over the world have already started to adapt their businesses, motivated either by a positive desire to be ahead of their rivals, as a result of fear of the impact of the new EU regulations, so that they can continue to offer their services and products in the internal market.

Companies can use a first-mover strategic advantage by being an early implementer and master of these legal frameworks. It transcends mere compliance; it is about identifying the benefits and seizing the opportunities inherent in this evolving regulatory landscape. The key is to transition from a stance of strict compliance to a proactive approach that identifies and capitalizes on business opportunities.

For instance, businesses can explore the opportunity of acquiring industrial data access from competitors, following the FRAND standard (fair, reasonable and non-discriminatory data access conditions), under the Data Services Act and other EU legislation. The flexibility to switch between different cloud data- processing service providers and putting in place safeguards against unlawful data transfer (portability and standard setting) is another advantageous aspect. Companies can also benefit from mitigating their liability in relation to third-party content hosted on their websites and marketplaces thanks to the DSA. Furthermore, these regulations offer the prospect of avoiding the use of payment mechanisms within app stores, allowing businesses to use their own payment methods and retain a significant portion, up to 30%, of their revenues. Navigating these regulations strategically allows businesses not only to comply with them, but also to proactively leverage the opportunities they present, thereby gaining a competitive edge in the dynamic digital landscape.

This ‘Digital Regulation tsunami’ will create an immense business potential, if it is understood and companies receive the correct guidance on how to adapt to it. Nevertheless, as with any transformative shift, challenges will still emerge. Clients may grapple with the complexity of understanding and implementing these regulations, requiring comprehensive legal guidance to navigate potential pitfalls. The rapid evolution of the digital environment requires continuous adaptation, making it crucial for businesses to stay informed and agile. The role lawyers play is therefore pivotal in assisting clients in deciphering the intricacies of these regulations, ensuring compliance, and strategically leveraging them to foster growth and innovation by mastering these regulations.

All businesses who are adrift amongst the challenges of the ‘Digital Regulation Tsunami’ need to seek expert help and guidance to surf the choppy waters and identify the business opportunities that lie amongst these regulatory waves!


María González Gordon heads up the Industrial/ Intellectual Property & Digital Business department at CMS. She specialises in advising domestic and international companies on intellectual property, industrial property, copyright and technology, particularly in dispute resolution. She is expert in the drafting, negotiation and termination of a wide range of IP/IT agreements (licences, trademarks, designs, software, outsourcing, distribution agreements, transfers, assignments, etc.). She has particular expertise in technology, digital transformation and data analytics in sectors such as insurtech, fintech, energy, health and wellbeing and real estate, among others. Maria was appointed by INTA as a member of its European Global Advisory Board as well as its representative at the Observatory of the EUIPO in the IP in the Digital Working Group. She is a member of the steering committee of EUIPO’s expert group in the Anti- Counterfeiting technology Guide project. She is also a member of the board of the Spanish group of AIPPI. She has been recognized in the field of IP by leading legal directories including Chambers & Partners, Legal 500, IP Star, IAM patents, MLI and Who’s Who Legal.