Key regulations: Technology and AI

Major international regulation and global standards  

Information management and processing (e.g., AI, big data, IoT regulation, etc.) 

Blueprint for an Artificial Intelligence Bill of Rights  

Scope: USA | Regulator: WH | Industry: Tech | Topic: Artificial Intelligence | Date of publication: October 2022 

The Blueprint for an Artificial Intelligence Bill of Rights (AI Bill of Rights) sets out five principles or citizen rights regarding AI, including safe and effective systems, protection against discrimination by algorithms, data privacy, notification and explanation, and evaluation and correction by a human in the event of AI failure (fallback).  

Proposal for a Regulation on Artificial Intelligence (AI Act)

Scope: EU | Regulator: EC | Industry: Tech | Topic: artificial intelligence | Date of publication: April 2021 

The draft Artificial Intelligence Regulation aims to ensure a high level of trust in AI and its applications, while laying the groundwork for innovation. To this end, it proposes a classification of AI practices into the following levels: i) prohibited practices; ii) high-risk AI systems; iii) low-risk AI systems. Furthermore, it includes transparency obligations for systems that: i) interact with humans; ii) are used to detect emotions; or iii) generate or manipulate content.  

Principles for Artificial Intelligence 

Scope: Global | Regulator: OECD | Industry: Technology | Topic: artificial intelligence | Date of publication: May, 2019 

This recommendation of the OECD focuses on two building blocks. On the one hand, it sets out principles for responsible stewardship of trustworthy AI: i) inclusive growth, sustainable development and well-being; ii) human-centred values and fairness; iii) transparency and explainability; iv) robustness, security and safety; v) accountability. On the other hand, it sets out recommendations for the integration of AI into national policies and encourages international cooperation of governments for safe AI. 

Regulation on the protection of natural persons with regard to the processing of personal data and on free movement of such data (GDPR) 

Scope: EU | Regulator: EP/Council | Industry: Technology | Topic: Data protection | Date of publication: April, 2016 

Regulation on the protection of natural persons with regard to the processing of personal data and the free movement of such data. This regulation introduces new rights for natural persons (e.g. the right to be forgotten) and sets out obligations for personal data controllers and processors. 

Cybersecurity and technology risks 

Proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing the NIS Directive (NIS 2 Directive) 

Scope: EU | Regulator: EP and Council | Industry: Technology | Topic: Cybersecurity; resolution | Date of publication: December, 2022 

Directive setting out new measures to achieve a high common level of cybersecurity in the Union. This new Directive aims to address the deficiencies of the previous Network and Information Systems (NIS) Directive. 

ISO/IEC 27001:2022 

Scope: Global | Regulator: ISO | Industry: Technology | Topic: Information security, cybersecurity and privacy protection | Date of publication: October, 2022 

This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within an organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature. 

E-commerce / digital transactions (e-commerce, online platforms, encryption and blockchain) 

Directive on payment services in the internal market (PSD 2) 

Scope: Global | Regulator: EP/Council | Industry: Tech | Topic: digital finance, electronic payments | Date of publication: November, 2015 

Directive establishing the rules under which Member States are to distinguish between the following categories of payment service provider: credit institutions, electronic money institutions, post office giro institutions, payment institutions, the ECB and national central banks, and Member States or their regional or local authorities. It also sets out transparency and reporting requirements for payment services, the requirements applicable to payment services, the rights of payment service users and the obligations of payment service providers.  

Major industrial regulation 

Information management and processing (e.g., AI, big data, IoT regulation, etc.) 

Use of artificial intelligence and machine learning by market intermediaries and asset managers  

Scope: Europe | Regulator: IOSCO | Industry: Technology | Topic: artificial intelligence; machine learning | Date of publication: June, 2020 

This Consultation Report seeks to assist IOSCO members in providing suitable regulatory frameworks in the supervision of market intermediaries and asset managers using artificial intelligence and machine learning. 

Cybersecurity and technology risks 

Regulation on digital operational resilience for the financial sector (DORA) 

Scope: EU | Regulator: EP, Council | Industry: Tech | Topic: digital finance | Date of publication: December, 2022 

This regulation provides a regulatory framework on digital operational resilience to ensure all institutions can cope with, respond to and recover from all types of ICT-related disruptions and threats. DORA lays down uniform requirements on the security of network and information systems of financial institutions and third parties providing critical ICT-related services to them, such as cloud platforms or data analytics services. 

Guidelines on outsourcing to cloud service providers 

Scope: Europe | Regulator: ESMA | Industry: Technology | Topic: outsourcing | Date of publication: May, 2021 

Guidelines on the outsourcing requirements applicable to firms when they outsource to cloud service providers. These guidelines are consistent with the recommendations on outsourcing to cloud service providers published by the European Banking Authority (EBA) and will help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements.  

Guidelines on ICT security and governance 

Scope: Europe | Regulator: EIOPA | Industry: Technology | Topic: ICT risk | Date of publication: August, 2020 

Guidelines aiming to: provide clarification and transparency to market participants on the minimum expected reporting and cybersecurity capabilities; avoid potential regulatory arbitrage; and foster supervisory convergence in the expectations and processes applicable to ICT security and governance as a key element of proper security and risk management.  

Guidelines on outsourcing to cloud service providers 

Scope: Europe | Regulator: EIOPA | Industry: Technology | Topic: outsourcing | Date of publication: February, 2020 

Guidelines on how insurance and reinsurance undertakings should apply the outsourcing requirements set forth in the Solvency II Directive and in the Commission Delegated Regulation on the taking-up and pursuit of the business of Insurance and Reinsurance, in the context of outsourcing to cloud service providers. These Guidelines are addressed to competent authorities and apply to individual undertakings and, mutatis mutandis, to groups. 

Guidelines on ICT and Cybersecurity risk management 

Scope: Europe | Regulator: EBA | Industry: Technology | Topic: ICT risk | Date of publication: November, 2019 

Guidelines setting out how credit institutions, investment firms and payment service providers (PSPs) should manage the ICT and cybersecurity risks to which they are exposed. In addition, these guidelines aim to give the financial institutions to which they apply a better understanding of supervisory expectations for the management of ICT and cybersecurity risks, and implicitly cover the need for cybersecurity within the financial institution's information security measures. 

Guidelines on outsourcing arrangements 

Scope: Europe | Regulator: EBA | Industry: Technology | Topic: outsourcing | Date of publication: February, 2019 

Guidelines on the internal governance systems, including appropriate risk management, that financial institutions, payment institutions and electronic money institutions should implement when outsourcing functions, in particular in relation to the outsourcing of critical or significant functions. The guidelines apply to credit institutions and investment firms without prejudice to Directive 2014/65/EU and Commission Delegated Regulation (EU) 2017/565 on outsourcing requirements. 

Guidelines on ICT risk assessment under the supervisory review and evaluation process (SREP) 

Scope: Europe | Regulator: EBA | Industry: Technology | Topic: ICT risk | Date of publication: September, 2017 

Guidelines specifying the assessment criteria to be used by competent authorities in the supervisory assessment of financial institutions' ICT governance and strategy, and of financial institutions' ICT risk exposure and controls.  

E-commerce / digital transactions (e-commerce, online platforms, encryption and blockchain)  

Digital Services Act (DSA) 

Scope: EU | Regulator: EP, Council | Industry: Tech | Topic: digital services | Date of publication: November, 2022 

This regulation unifies the rules applicable to intermediary services in the internal market and includes provisions applicable to all providers of intermediary services and providers of hosting services, including online platforms.  

Digital Markets Act (DMA)  

Scope: EU | Regulator: EP, Council | Industry: Technology | Topic: markets finance | Date of publication: October, 2022 

This Regulation contributes to the proper functioning of the internal market by laying down harmonised rules ensuring fair digital markets across the Union where gatekeepers are present, to the benefit of business users and end users. It applies to core platform services provided or offered by gatekeepers to business users established in the EU or end users established or located in the EU, irrespective of the place of establishment or residence of the gatekeepers. 

Regulation on markets in crypto-assets 

Scope: EU | Regulator: EP, Council | Industry: Technology | Topic: digital finance | Date of publication: May, 2021 

This Regulation lays down uniform rules, including on: i) transparency and disclosure requirements for the issuance and admission to trading of crypto-assets; ii) the authorisation and supervision of crypto-asset service providers, issuers of asset-referenced tokens and issuers of electronic money tokens; iii) the operation, organisation and governance of issuers of asset-referenced tokens. It applies to persons that are engaged in the issuance of crypto-assets or provide services related to crypto-assets in the Union. 

Major local regulation 

Information management and processing (e.g., AI, big data, IoT regulation, etc.) 

Consultation on the Royal Decree establishing a Sandbox for the testing of compliance with the proposed AI Regulation 

Scope: Spain | Regulator: MINECO | Industry: Tech | Topic: artificial intelligence | Date of publication: May 2023 

The future Royal Decree would establish a Sandbox for testing compliance with the proposed AI Regulation. Its purpose is to study the operability of the requirements set out in the proposed Regulation, as well as participants' self-assessment of compliance and the testing of monitoring systems for their high-risk AI systems during operation within the Sandbox. 