This whistleblower tool enables individuals to securely and confidentially report suspected violations of the EU Artificial Intelligence Act (AI Act) directly to the EU AI Office. Operated via a secure IntegrityLine platform, the tool supports anonymous reporting, multi-language submissions, and two-way communication. It is open to both insiders (e.g. employees) and external observers.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-11-25
Category: Miscellaneous
The standardised reporting template for serious incidents involving general-purpose AI (GPAI) models with systemic risk under the EU Artificial Intelligence Act promotes consistent, transparent reporting and assists providers in demonstrating compliance with Commitment 9 of the GPAI Code of Practice. It supports providers of such AI systems in fulfilling their reporting obligations under Article 55 of the AI Act, including notifying the AI Office and, where appropriate, national competent authorities when serious incidents occur.
Status: Draft
Author: European Commission
Adoption: 2025-11-04
Category: Template
This draft implementing act outlines harmonised rules for the establishment, implementation, and supervision of AI regulatory sandboxes under the AI Act (Regulation 2024/1689). It sets out eligibility and participation criteria, emphasises access for SMEs, and describes procedures for sandbox planning, real-world testing, exit reporting, and regulatory learning. Sandboxes aim to provide legal certainty for AI developers while supporting responsible innovation. Member States must ensure at least one national sandbox is operational by August 2026. Participation may result in written reports, but does not equate to formal AI Act conformity.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-12-02
Category: Relevant legislation
This draft code of practice outlines voluntary commitments and best practices for increasing transparency in the use and dissemination of AI-generated content within the EU. It provides recommended measures such as labeling synthetic content, traceability mechanisms, provenance signaling, and responsible watermarking. The Code aims to mitigate the risks of disinformation, user deception, and manipulation while balancing innovation and fundamental rights. Stakeholders are invited to endorse and implement the code voluntarily, with the possibility of updates and co-regulatory evolution.
Status: Draft
Author: Independent Experts of Code of Practice Working Groups
Adoption: 2025-12-17
Category: Guidance
This resource answers common questions on the EU’s Digital Services Act (DSA), an EU-wide regulatory framework for digital intermediary services. It explains what the DSA is, whom it applies to (including online marketplaces, social networks, hosting services, etc.), and why EU-level regulation is needed. It covers interactions with existing laws such as the GDPR, the differences with the Digital Markets Act (DMA), and key protections the DSA introduces (e.g., reporting illegal content, stronger user rights, transparency obligations, and safeguards on targeted advertising, particularly regarding minors and sensitive data). It also outlines exemptions for small enterprises and additional obligations for very large platforms.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-12-19
Category: Miscellaneous
This recommendation outlines the EDPB’s position on the legality of requiring users to create an account in order to access services or content, particularly in the context of consent under the GDPR. It highlights that making account creation a condition for accessing a service may not always comply with the requirements of freely given consent under Article 7 GDPR. The document also clarifies the criteria for assessing whether such practices are necessary for the performance of a contract under Article 6(1)(b) GDPR.
Status: Draft
Author: European Data Protection Board
Adoption: 2025-12-03
Category: Guidance
This internal document outlines procedural guidance and best practices under Article 64(2) of the GDPR. It details when and how Supervisory Authorities, the EDPB Chair, or the European Commission may request an EDPB opinion on matters of general application or with cross-border effects. It explains the admissibility criteria, procedural steps, and scope of such requests. The accompanying appendix provides detailed best practices to ensure quality, clarity, and consistency in the drafting and management of opinion requests.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2025-12-02
Category: Guidance
This Draft Recommendation outlines a set of non‑binding Model Contractual Terms (MCTs) for data access and use and non‑binding Standard Contractual Clauses (SCCs) for cloud computing contracts under the EU Data Act. These templates are designed to help businesses — especially SMEs — implement fair, reasonable, and non‑discriminatory contractual arrangements for data sharing and cloud services. While voluntary, the MCTs cover various mandatory and voluntary data‑sharing scenarios, and the SCCs support contractual terms for cloud switching, security, liability, and termination. The initiative aims to reduce legal uncertainty and support practical implementation of the Data Act.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-11-19
Category: Template
This joint guidance outlines how the GDPR and Digital Markets Act (DMA) should be applied in a complementary and coherent manner, particularly in the context of the DMA’s Draft Delegated Regulation on regulatory reporting templates. It provides methodological guidance to ensure that regulatory obligations under both instruments are aligned, especially in the areas of data protection, user consent, and platform gatekeeper accountability. The contribution stresses that compliance with one regulation does not automatically ensure compliance with the other.
Status: Draft
Author: European Commission, European Data Protection Board (EDPB)
Adoption: 2025-10-09
Category: Guidance
This report outlines the European Commission's evaluation of the application of Article 33 of the Digital Services Act (DSA), particularly the designation and scope of very large online platforms (VLOPs) and search engines (VLOSEs), and their due diligence obligations. It also examines how the DSA interacts with other EU legal acts, identifying both complementary and overlapping areas. The report confirms the current thresholds and definitions under the DSA are effective but acknowledges increasing legal complexity and proposes stronger coordination and simplification efforts in future reviews.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-11-17
Category: Miscellaneous
This implementing regulation provides precise technical definitions for the categories of “important” and “critical” products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847). It clarifies which products fall into each category based on core functionality, ensuring that manufacturers know when stronger conformity assessments or cybersecurity certification requirements apply. The regulation sets out detailed product descriptions in its annexes, covering both important and critical product types to improve legal certainty and facilitate consistent application of cybersecurity rules.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-11-28
Category: Relevant legislation
This implementing regulation sets out operational rules for the peer‑review mechanism under the EU cybersecurity certification framework. It establishes scheduling and rotation of peer reviews of National Cybersecurity Certification Authorities (NCCAs), criteria for peer‑review teams, observer roles (e.g., ENISA), procedures for conducting reviews, and reporting templates to support consistent evaluation and shared learning across Member States.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-12-09
Category: Relevant legislation
This implementing regulation outlines amendments to EU cybersecurity certification rules under the EUCC scheme. It introduces definitions like "product series", "minor change", and "major change" to support consistent application across ICT product certifications. It allows certification of product series rather than only individual products, clarifies how to handle changes to certified products, streamlines certificate identification formats, and updates documentation requirements (including use of English for key documents).
Status: Adopted / Published
Author: European Commission
Adoption: 2025-12-08
Category: Relevant legislation
This document outlines a preliminary set of technical FAQs to assist stakeholders with the implementation of the Cyber Resilience Act (Regulation (EU) 2024/2847). It addresses recurring questions about the scope, definitions, interplay with other legislation, classification of products, manufacturer obligations, conformity assessments, and the transition period. The FAQs clarify compliance expectations, especially in relation to risk assessments, vulnerability management, product categories (default, important, critical), and alignment with existing EU laws like the GDPR, Data Act, and Machinery Regulation. It serves as a non-binding, living document prepared by Commission services to guide early compliance efforts.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-12-03
Category: Miscellaneous
This guidance outlines how the obligations under the Digital Markets Act (DMA) intersect with requirements of the General Data Protection Regulation (GDPR). It focuses on ensuring a consistent and complementary application of both laws by clarifying overlaps in areas such as consent (Art. 5(2) DMA), data portability (Art. 6(9) DMA vs. Art. 20 GDPR), and interoperability (Art. 7 DMA). The guidelines emphasize lawful processing under GDPR when implementing DMA measures, and address coordination between competent authorities.
Status: Draft
Author: European Commission & European Data Protection Board
Adoption: 2025-10-09
Category: Guidance
This platform outlines tools and resources to help stakeholders understand and implement the EU AI Act. It provides access to an AI Act Explorer, Compliance Checker, national authority contacts, and FAQs. The platform aims at supporting understanding obligations under the AI Act and fostering consistent application across the EU.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-10-08
Category: Miscellaneous
This tool outlines an interactive self-assessment for stakeholders to evaluate whether they are subject to the EU AI Act and identify applicable legal obligations. It provides tailored pathways based on user role (e.g. provider, deployer, or distributor) and guides users through regulatory requirements based on their AI system's function, purpose, and deployment.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-10-08
Category: Miscellaneous
This delegated act complements the DSA rules that oblige VLOPs and VLOSEs to grant access to researchers to publicly available data on their platforms. The delegated act lays down the technical conditions and harmonises the procedures for the management of the data access process. Moreover, it sets out which information Digital Services Coordinators (DSCs), VLOPs and VLOSEs must make public to facilitate vetted researchers' applications to access relevant datasets.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-07-01
Category: Relevant legislation
This Q&A supports the Commission’s consultation on drafting guidelines and a Code of Practice for AI transparency under Article 50 of the AI Act. It explains the transparency obligations for certain AI systems, the roles of guidelines vs. code of practice, the types of AI systems covered, and the next steps in stakeholder engagement and implementation.
Status: Adopted / Published
Author: European Commission
Category: Guidance
This guidance (draft) outlines how providers of high‑risk AI systems should report serious incidents under Article 73 of the AI Act. It clarifies definitions, provides illustrative examples, and explains the relationship with existing reporting obligations. The guidance is accompanied by a draft reporting template. It also encourages stakeholder feedback during the consultation period (until 7 November 2025).
Status: Draft
Author: European Commission
Adoption: 2025-09-26
Category: Guidance
This guidance document outlines how the GDPR applies in the context of the Digital Services Act (DSA), clarifying overlaps and interactions between the two laws. It explains which DSA provisions involve personal data processing, how key GDPR concepts (e.g. profiling, special‑category data, transparency of advertising) apply under the DSA, and offers practical advice for how authorities and online intermediaries should cooperate. The guidelines also address enforcement coordination between DSA competent authorities and data protection authorities to ensure consistent protection of individuals’ fundamental rights.
Status: Draft
Author: European Data Protection Board (EDPB)
Adoption: 2025-09-12
Category: Guidance
The guidance supports the implementation of the Data Act in the automotive sector. It is specifically tailored to Chapter II of the Data Act, which governs Business-to-Consumer (B2C) and Business-to-Business (B2B) data sharing. The goal is to clarify how vehicle data should be handled by original equipment manufacturers (OEMs), service providers, and insurers, and to outline the types of data that fall under the scope of the Data Act.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-09-13
Category: Guidance
This document outlines non-binding guidance for the “relevant entities” (such as cloud providers, DNS registries, CDNs, MSSPs and trust-service providers) supporting the technical and methodological requirements set out by Commission Implementing Regulation (EU) 2024/2690 on cybersecurity risk management under Article 21(2) of NIS2. It provides implementation advice, suggested evidence, and mappings to standards and good practices across 13 requirement domains such as risk policy, incident handling, supply-chain security, cryptography, HR security, access control, asset management, and environmental security. It is based on collaboration with the European Commission, the NIS Cooperation Group, and relevant expert authorities.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2025-06-26
Category: Guidance
The document provides practical guidance to stakeholders when implementing the DGA. It includes sections on the re-use of protected data by public sector bodies, outlining categories of data, procedures for re-use, and international transfers. It also covers requirements for data intermediation service providers, the concept of data altruism, and the roles of competent authorities. Additional sections address procedural provisions, the European Data Innovation Board, and international data access and transfers.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-09-24
Category: Guidance
This guidance outlines how NIS2 obligations (such as risk management and incident reporting under Articles 21 and 23) are mapped to relevant European Cybersecurity Skills Framework (ECSF) roles. It provides detailed mappings of 12 ECSF role profiles—like CISO, incident handler, system admin—to specific regulatory tasks and deliverables. Practical use‑cases demonstrate how medium‑sized organisations can plan staffing, upskill or outsource to meet legal requirements. The guidance also helps Member States align workforce strategies with NIS2 implementation objectives.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2025-06-26
Category: Guidance
The guidelines aim to standardize the practice of amicable settlements by supervisory authorities (SAs) in GDPR-related complaints, addressing the diverse interpretations and implementations across Member States. The guidelines address the handling of complaints originating from data subjects, including national cases, cross-border cases handled through the One-Stop-Shop (OSS) mechanism, and local cross-border cases under Article 56(2), with a particular emphasis on cross-border complaints.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2022-05-12
Category: Guidance
This handbook outlines the methodology for designing and conducting cyber stress tests. A cyber stress test is defined as ‘a targeted assessment of the resilience of individual organisations and their ability to withstand and recover from significant cybersecurity incidents, ensuring the provision of critical services, in different risk scenarios.’ The handbook aims to support national authorities in assessing the cybersecurity and resilience of critical sector entities. The document includes phases for preparation, execution, and evaluation, and provides templates, threat scenarios, and recommendations for test implementation.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2025-05-15
Category: Guidance
The guidelines, released in the context of the COVID-19 pandemic, address questions related to the use of health data for scientific research purposes. The document clarifies key issues such as the legal basis for data processing, the implementation of adequate safeguards, and the exercise of data subject rights in this context.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-04-21
Category: Guidance
The Guidelines aim to assist data controllers in identifying breaches, assessing risks, and implementing appropriate measures, based on the collective experiences of EEA supervisory authorities since the GDPR's implementation. The guidelines cover breach categorization (confidentiality, integrity, availability), risk assessment, notification requirements, and appropriate breach mitigation measures. Additionally, the document provides fictitious case studies based on real experiences to guide controllers in assessing and handling various types of data breaches.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-12-14
Category: Guidance
These Guidelines, mandated by Article 11(11) of the Digital Operational Resilience Act (DORA), aim to harmonise how financial entities estimate and report aggregated annual costs and losses from major ICT‑related incidents. They apply to non‑micro‑entities and require use of a common template, alignment with incident classification/reporting RTS, inclusion of only 'major' incidents with final reports in the reference year, and submission of gross costs and recoveries via a standard template.
Status: Adopted / Published
Author: European Supervisory Authorities
Adoption: 2024-06-05
Category: Guidance
This delegated regulation outlines an exclusion from the application of the CRA for products with digital elements covered by Regulation (EU) No 168/2013 on the type-approval of two- or three-wheel vehicles and quadricycles. The exclusion is based on the updated scope of UN Regulation No 155 on vehicle cybersecurity, which now includes L-category vehicles. To avoid overlapping cybersecurity requirements, these vehicles are exempt from the Cyber Resilience Act, except for L1e category cycles designed to pedal, which remain within its scope.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-07-29
Category: Relevant legislation
The Transparency Chapter offers a user-friendly Model Documentation Form which allows providers to easily document the information necessary to comply with the AI Act obligation on model providers to ensure sufficient transparency.
Status: Adopted / Published
Author: Independent Experts of Code of Practice Working Groups
Adoption: 2025-07-11
Category: Template
This Copyright Chapter aims to contribute to the proper application of the obligation laid down in Article 53(1), point (c), of the AI Act pursuant to which providers that place general-purpose AI models on the Union market must put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed by rightsholders pursuant to Article 4(3) of Directive (EU) 2019/790.
Status: Adopted / Published
Author: Independent Experts of Code of Practice Working Groups
Adoption: 2025-07-11
Category: Guidance
This Q&A gives additional information about the Template for general-purpose AI model providers to summarise their training content.
Status: Adopted / Published
Author: AI Office
Adoption: 2025-07-31
Category: Miscellaneous
This Q&A gives additional information about the Guidelines on obligations for General-Purpose AI providers.
Status: Adopted / Published
Author: AI Office
Adoption: 2025-07-22
Category: Miscellaneous
This Q&A gives additional information about the General-Purpose AI Code of Practice.
Status: Adopted / Published
Author: AI Office
Adoption: 2025-07-11
Category: Miscellaneous
This Q&A gives additional information about signing the General-Purpose AI (GPAI) code of practice.
Status: Adopted / Published
Author: AI Office
Adoption: 2025-07-17
Category: Miscellaneous
This Q&A gives additional information about the interpretation of certain provisions of the AI Act, specifically pertaining to GPAI.
Status: Adopted / Published
Author: AI Office
Adoption: 2025-07-16
Category: Miscellaneous
The regulation outlines the technical and methodological requirements for DNS service providers, TLD name registries, cloud computing service providers, and other relevant entities like content delivery networks, managed services, online marketplaces, search engines, and social networking platforms. It specifies the measures referred to in NIS2 Article 21(2), focusing on security measures these entities must adopt. Furthermore, it defines when an incident qualifies as significant, establishing the thresholds for reporting and response.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-10-17
Category: Relevant legislation
This guidance provides practical explanations of prohibited AI practices under the AI Act. It covers bans on AI systems that engage in harmful manipulation, exploit vulnerabilities, conduct social scoring, predict individual criminal behavior, or use biometric categorization in certain contexts. The guidelines clarify the enforcement mechanisms and interplay with high-risk AI systems. They also outline exceptions, such as research activities and national security, and provide criteria for assessing prohibited practices.
Status: Draft
Author: European Commission
Adoption: 2025-02-04
Category: Guidance
This guidance outlines DORA oversight and cooperation mechanisms, providing a framework for collaboration and information exchange between European Supervisory Authorities (ESAs) and competent authorities. It aims to establish harmonized supervisory practices, set protocols for digital operational resilience oversight, and ensure effective risk management across financial entities within the EU.
Status: Adopted / Published
Author: European Supervisory Authority
Adoption: 2024-11-06
Category: Guidance
The document provides an overview of how the ERPD will be implemented by the European Commission. It specifies how metadata must be provided and structured by the National Single Information Points (NSIPs) under Article 8 of the DGA to interface with the ERPD. The guidelines further explain what metadata is required for NSIPs and the ERPD according to Articles 5-8 of the DGA.
Status: Adopted / Published
Author: Other
Adoption: 2023-08-29
Category: Guidance
The Delegated Regulation specifies certain criteria and fees relating to critical ICT third-party service providers under DORA. The fees are established to fully cover the Lead Overseer’s and the other European Supervisory Authorities’ necessary expenditure when performing oversight tasks in the context of DORA. The annual oversight fee should also cover the estimated costs by competent authorities to whom tasks are delegated by the European Supervisory Authorities.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-02-22
Category: Relevant legislation
The Delegated Regulation specifies criteria for designating ICT third-party service providers as critical for financial entities, supplementing DORA. It introduces a two-step assessment process by the European Supervisory Authorities, focusing on both quantitative and qualitative sub-criteria to evaluate the criticality and systemic impact of these providers on the financial sector.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-02-22
Category: Relevant legislation
This guidance outlines the European Commission’s interpretation of the AI Act obligations for providers of general-purpose AI (GPAI) models under Article 96(1). It clarifies four key topics: (1) what constitutes a GPAI model; (2) who qualifies as a provider placing GPAI models on the market; (3) which providers are exempt when releasing models as open-source; and (4) expectations for compliance and enforcement from 2 August 2025 onward.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-07-18
Category: Guidance
The Safety and Security Chapter outlines concrete state-of-the-art practices for managing systemic risks, i.e. risks from the most advanced models. Providers of GPAI can rely on this chapter to comply with the AI Act obligations for providers of general-purpose AI models with systemic risk.
Status: Adopted / Published
Author: Independent Experts of Code of Practice Working Groups
Adoption: 2025-07-11
Category: Guidance
This template explains the minimum disclosure requirements for general-purpose AI model providers under Article 53(1)(d) of the AI Act. The template outlines three key sections: (1) General information identifying the provider, the model, and overall characteristics of training data; (2) List of data sources, requiring disclosure of major datasets, narrative descriptions of web-scraped data (including top domain names), and other sources like user or synthetic data; and (3) Relevant data processing aspects, focusing on copyright, illegal content, and rights enforcement.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-07-24
Category: Template
The General-Purpose AI Code of Practice is a voluntary tool, prepared by independent experts in a multi-stakeholder process, designed to help industry comply with the AI Act’s obligations for providers of general-purpose AI models. The Code has three chapters: Transparency and Copyright, both addressing all providers of general-purpose AI models, and Safety and Security, relevant only to a limited number of providers of the most advanced models, subject to the AI Act's obligations for providers of general-purpose AI models with systemic risk. The AI Act defines systemic risk as specific to high-impact capabilities, i.e. capabilities that match or exceed the capabilities of the most advanced general-purpose AI models, that have a significant impact on the Union market. The AI Act currently presumes that models trained with a cumulative amount of compute greater than 10^25 floating-point operations possess high-impact capabilities.
Status: Adopted / Published
Author: Independent Experts of Code of Practice Working Groups
Adoption: 2025-07-11
Category: Guidance
The Transparency Chapter of the Code of Practice describes three Measures which Signatories of the GPAI Code commit to implementing to comply with their transparency obligations under Article 53(1), points (a) and (b), and the corresponding Annexes XI and XII of the AI Act. The Transparency Chapter offers a user-friendly Model Documentation Form which allows providers to easily document the information necessary to comply with the AI Act obligation on model providers to ensure sufficient transparency.
Status: Adopted / Published
Author: Independent Experts of Code of Practice Working Groups
Adoption: 2025-07-11
Category: Guidance
This document provides a Q&A on the European Health Data Space (EHDS), explaining its objectives, benefits, and legal framework. It details how the EHDS facilitates access to and sharing of health data for both primary and secondary uses while ensuring data protection and security. The document also outlines the roles of stakeholders, its impact on patients and healthcare providers, and how it aligns with EU data protection laws, including the GDPR.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-03-05
Category: Miscellaneous
The repository publishes, on the basis of notifications received from national DSCs, up-to-date information on the entities that have been awarded the status of trusted flagger across the EU.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
The European register for protected data held by the public sector (ERPD), is a searchable register of the information compiled by national single information points in order to further facilitate data re-use in the internal market and beyond. ERPD implements a requirement to establish a European single access point offering a searchable electronic register of data under Article 8(4) of the DGA.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
The one-stop-shop thematic case digest on the right to object and right to erasure offers insights into how data protection authorities (DPAs) analyse the internal processes implemented within organisations to comply with these rights, lists the most frequent infringements and gives an overview of which corrective measures have been issued. Cases cover, for example, the exercise of the right to object to direct marketing or the wish of individuals to erase their account or online data profile.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2023-05-22
Category: Miscellaneous
The one-stop-shop case digest on security of processing and data breach notification offers insights into how DPAs have interpreted and applied GDPR provisions on security and data breaches in diverse scenarios, such as hacking, ransomware, or accidental data disclosure. It also refers to available guidance at EU level, relevant cases before the Court of Justice of the European Union, as well as decisions and guidance adopted at national level.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2024-01-18
Category: Miscellaneous
The first document provides a test catalogue of mandatory, recommended, and optional requirements which a GDPR-compliant messenger frontend would have to meet. The second document outlines the data protection audit methodology tailored to messenger services.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2024-06-27
Category: Miscellaneous
The Delegated Regulation specifies the requirements for and the contents of the policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. The policy is a mandatory part of the ICT third-party risk strategy which some financial entities must adopt under Article 28(4) of DORA.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-03-13
Category: Relevant legislation
The Delegated Regulation identifies further elements related to ICT risk management to harmonise tools, methods, processes and policies. It includes the key elements that financial entities subject to the simplified regime and of lower scale, risk, size and complexity would need to have in place, setting out a simplified ICT risk management framework.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-03-13
Category: Relevant legislation
The Delegated Regulation specifies the criteria for the classification of major ICT-related incidents, the approach for the classification of major incidents, the materiality thresholds of each classification criterion, the criteria and materiality thresholds for determining significant cyber threats, the criteria for competent authorities to assess the relevance of incidents to competent authorities in other Member States and the details of the incidents to be shared in this regard.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-03-13
Category: Relevant legislation
The repository contains the documents compiled by the ESAs to help financial entities prepare and submit their registers under Article 28(3) of DORA. The registers must contain the contractual arrangements with ICT third-party service providers at entity, sub-consolidated and consolidated levels.
Status: Adopted / Published
Author: European Supervisory Authorities (ESAs)
Adoption: Continuously updated
Category: Database
This portal outlines a harmonized EU-wide age verification framework based on the European Digital Identity Wallet. It provides a privacy-preserving, interoperable, and modular solution enabling individuals to prove eligibility for age-restricted services without revealing unnecessary personal data. The blueprint supports compliance with Article 28 of the Digital Services Act and includes technical documentation, integration guides, and open-source components for developers and service providers. Features include hosted test services, a modular architecture, interoperability with national systems, and future integration of privacy-enhancing technologies like Zero-Knowledge Proofs.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-07-14
Category: Miscellaneous
This guidance outlines a set of non-binding measures under Article 28(1) of the DSA for online platforms accessible to minors. It recommends default privacy-protective settings (e.g. minors’ accounts private), controls on recommender systems, screenshot/download restrictions, feature restrictions (e.g. disabling streaks and autoplay), robust moderation/reporting tools, and safeguards against exploitative commercial practices. It also calls for risk-based assessments using the OECD 5-Cs typology, and the use of accurate, non-intrusive age assurance (e.g. age verification or estimation) while ensuring children's rights are upheld and not unduly restricted.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-07-14
Category: Guidance
This guidance outlines the interpretation and practical application of Article 48 GDPR. It clarifies that third-country court or administrative decisions demanding personal data from EU controllers/processors are not enforceable absent a valid international agreement (e.g., MLAT) and compliance with GDPR Chapter V. It provides a two-step test: (1) establish a legal basis under Article 6, and (2) identify a valid transfer mechanism (adequacy decision, safeguards, or derogation). It also gives procedural advice for dealing with such requests.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-06-04
Category: Guidance
This delegated regulation outlines regulatory technical standards under Regulation (EU) 2022/2554 for financial entities subcontracting ICT services that support critical or important functions. It specifies the elements to be assessed in such arrangements, including risk assessments, monitoring obligations, due diligence, and contractual safeguards. The regulation addresses issues of proportionality, group-wide implementation, and termination rights, emphasizing the responsibility of financial entities to manage digital operational risks when using third-party ICT providers and their subcontractors.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-03-24
Category: Relevant legislation
The DSA data access portal is the tool to support the data access process provided for in the DSA. It allows researchers to access relevant information and to send their application for data access to the relevant DSCs. The DSA data access portal also allows VLOPs, VLOSEs and DSCs to participate in the data access process, have access to and disseminate relevant information, such as the details of the dedicated points of contact, and communicate with one another.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-07-02
Category: Miscellaneous
This FAQ answers questions regarding the application of the AI Act to public and private actors, risk categories for AI systems, obligations for high-risk AI systems, and requirements for general-purpose AI models. It also addresses penalties for non-compliance, governance structures, and timelines for full applicability.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-08-01
Category: Miscellaneous
This FAQ provides detailed guidance on compliance with Article 4 of the EU AI Act. The document offers guidance on gauging a “sufficient level” of AI literacy and implementing practical measures. It also confirms that enforcement of Article 4 begins on 3 August 2026, under the responsibility of national market surveillance authorities, not the AI Office.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-05-07
Category: Miscellaneous
The EUVD provides aggregated, reliable, and actionable information on cybersecurity vulnerabilities affecting ICT products and services. It aggregates data from various sources, including CSIRTs, vendors, and existing databases, offering details such as mitigation measures and exploitation status. The database is publicly accessible and aims to enhance cybersecurity risk management across the EU.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2025-05-13
Category: Database
The report outlines the key privacy risks associated with the use of large language models (LLMs), including data protection concerns related to training data, model outputs, and deployment scenarios. It presents practical mitigation strategies focusing on transparency, data minimisation, legal basis for processing, and the rights of data subjects. The document also addresses technical safeguards such as differential privacy and federated learning. The report is produced in the context of the Support Pool of Experts programme.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2025-04-17
Category: Miscellaneous
This report outlines non-binding Model Contractual Terms (MCTs) and Standard Contractual Clauses (SCCs) for B2B data sharing and cloud computing, developed by an expert group under Article 41 of the Data Act. The MCTs cover various data sharing scenarios including data holders to users, users to data recipients, and voluntary sharing. The SCCs address fairness, switching, termination, and security in cloud computing contracts. The document provides detailed templates and guidance to support fair, transparent, and lawful data access and use across the EU. These models are voluntary and designed to align with the Data Act, GDPR, and other relevant legislation.
Status: Adopted / Published
Author: European Commission Expert Group
Adoption: 2025-04-02
Category: Miscellaneous
This decision outlines internal rules governing how the European Commission provides information to data subjects and applies restrictions to certain data protection rights under Regulation (EU) 2018/1725. It applies in the context of processing personal data for supervision, investigation, enforcement, and monitoring tasks under the Digital Services Act (Regulation (EU) 2022/2065). The rules define when and how rights such as access, rectification, restriction, and notification may be limited to protect investigations or the rights of others.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-03-31
Category: Relevant legislation
HealthData@EU is a central online hub that brings together health datasets from across Europe, making it easier for researchers, policymakers, and public health authorities to find and access health data. HealthData@EU is released as open source and includes release notes, an architectural model and technical specification, a user manual, other documentation and datasets.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-03-28
Category: Miscellaneous
RTS specifying the criteria for determining the composition of the joint examination teams, ensuring a balanced participation of staff members from the ESAs and from relevant competent authorities, as well as their designation, tasks and working arrangements under DORA Article 41(1) point (c).
Status: Adopted / Published
Author: European Commission
Adoption: 2024-12-16
Category: Relevant legislation
This guidance outlines the updated cooperation procedure for the approval of Binding Corporate Rules (BCR) for controllers and processors under the GDPR. It replaces the previous WP263rev.01 document adopted on 11 April 2018, and reflects practical experience gained. It describes the roles of the BCR Lead Supervisory Authority, the review and cooperation phases among supervisory authorities, and the steps leading to EDPB opinion and final approval. It also includes an annex on informal BCR sessions and their procedural aspects.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2025-03-13
Category: Guidance
This regulation outlines the rules under the AI Act for the establishment of a scientific panel of independent experts in artificial intelligence (AI). It specifies the panel’s composition, selection criteria, operational procedures, and responsibilities. The panel will support enforcement activities and advise the European Artificial Intelligence Office (AI Office). It also defines procedures for issuing qualified alerts, providing expert assistance, and ensuring transparency, independence, and confidentiality in the panel’s operations.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-03-07
Category: Relevant legislation
This guidance outlines processes for vulnerability management and disclosure under the European Common Criteria-based cybersecurity certification scheme (EUCC). It provides recommendations for certificate holders on handling vulnerabilities, emphasizing compliance with ISO/IEC standards. The document addresses preparation, identification, coordination, and disclosure of vulnerabilities to ensure cybersecurity risk management.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2025-02-12
Category: Guidance
This delegated regulation defines oversight requirements for ICT third-party service providers under DORA. It mandates critical providers to submit detailed information on their operations, market impact, and security frameworks. It also addresses subcontracting, risk management, and compliance monitoring by competent authorities to support resilience across the financial sector.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-10-24
Category: Relevant legislation
This delegated regulation supplements DORA, specifying the content and timelines for financial entities in the EU to report major ICT-related incidents and cyber threats. It outlines mandatory details for initial, intermediate, and final reports, aiming to harmonize incident reporting for better oversight. It also includes flexibility provisions for smaller entities and national-level aggregate reporting under certain conditions.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-10-23
Category: Relevant legislation
This toolkit provides guidance for Digital Services Coordinators (DSCs) on enforcing the Digital Services Act (DSA) in the context of elections. It outlines key obligations for online platforms, including measures to combat disinformation, transparency requirements for political advertising, and crisis response mechanisms. The document also offers best practices for collaboration between national authorities and platforms to safeguard electoral integrity.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-02-21
Category: Miscellaneous
This Code of Conduct on Disinformation provides a detailed framework for addressing the spread of disinformation online. It outlines commitments and technical measures across multiple areas, including: scrutiny of ad placements to reduce revenues of disinformation purveyors; transparency and verification requirements for political and issue-based advertising; integrity and security of services, focusing on preventing manipulative behaviours such as coordinated inauthentic behaviour, bot-driven amplification, and malicious deepfakes. The Code emphasises transparency obligations for AI-generated content, requiring policies for detecting and labelling manipulated content. It also strengthens user empowerment with tools for flagging false information, transparency in recommender systems, and media literacy initiatives. Additionally, it introduces enhanced cooperation mechanisms for data sharing with researchers, integration of fact-checking services, and monitoring through a centralised Transparency Centre and Permanent Task-force. On 13 February 2025, the Commission and the European Board for Digital Services endorsed the integration of the voluntary Code of Practice on Disinformation into the framework of the DSA. This integration makes the Code a benchmark for determining platforms’ compliance with the DSA. The Code conversion takes effect from 1 July 2025, making its commitments auditable from that date onwards.
Status: Adopted / Published
Author: European Commission
Adoption: October 2024
Category: Miscellaneous
This brand book provides guidelines for the visual identity and branding of the European Common Criteria-Based Cybersecurity Certification Scheme (EUCC). It establishes the correct use of the EUCC logo, colors, typography, and other visual elements to ensure consistency in communications and certification materials. The document is intended for stakeholders involved in cybersecurity certification, including national authorities, industry participants, and certification bodies.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-01-31
Category: Guidance
This repository provides examples of AI literacy practices from AI Pact organizations to help providers and deployers comply with Article 4 of the AI Act, which mandates ensuring AI literacy for staff and users. It encourages learning and exchange through a regularly updated collection of practices, without implying legal compliance or endorsement.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-01-31
Category: Guidance
These guidelines define an AI system under the AI Act by detailing seven key elements: (1) Machine-based system, which emphasizes the computational basis; (2) Autonomy, where the system operates with varying levels of independence; (3) Adaptiveness, enabling systems to adjust behavior after deployment; (4) AI objectives, which can be explicit or inferred; (5) Inferencing capabilities, allowing AI to generate predictions, content, recommendations, or decisions; (6) Impact on environments, influencing physical or virtual spaces; and (7) Human interaction, highlighting the role of human oversight.
Status: Draft
Author: European Commission
Adoption: 2025-02-06
Category: Guidance
The study presents a mapping of existing cybersecurity standards against the essential requirements listed in Annex I of the CRA proposal, along with a gap analysis between the mapped standards and the requirements. In view of the development of harmonised standards, this analysis offers an overview of the current coverage of the requirements by existing specifications, produced mainly by ESOs and international Standards Development Organisations (SDOs), and highlights gaps that further standardisation work could fill.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2024-04-04
Category: Miscellaneous
The opinion clarifies the notion of the main establishment of a controller under Article 4(16)(a) GDPR, and the criteria for the application of the one-stop-shop mechanism, in particular regarding the notion of the controller’s “place of central administration” in the Union.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-02-13
Category: Guidance
This webinar and its slides focus on the architecture and implementation of the AI Act, providing stakeholders with insights into its regulatory framework and practical implications. The event discusses the key provisions of the AI Act, including risk-based approaches to AI regulation, obligations for providers and users, and enforcement mechanisms.
Status: Adopted / Published
Author: AI Office
Adoption: 2024-12-17
Category: Miscellaneous
This case digest provides an overview of decisions related to the right of access under GDPR Article 15, as resolved through the One-Stop-Shop (OSS) mechanism. It analyzes cases where data subjects exercised their right to access personal data and highlights key issues such as delays, inadequate responses, and refusals. The document also identifies best practices for organizations to ensure compliance with GDPR obligations and strengthen transparency in interactions with data subjects. Recommendations emphasize the importance of clear communication, proper procedures for handling access requests, and collaboration among supervisory authorities to address cross-border cases effectively.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2025-01-16
Category: Miscellaneous
This report examines the use of cloud-based services by public sector entities across the EU. It evaluates compliance with GDPR, focusing on contractual arrangements, data transfers, and the security of data processing. The document highlights common shortcomings, such as inadequate data protection clauses, lack of proper risk assessments, and non-compliance with international data transfer requirements. Recommendations emphasize the need for stronger safeguards, detailed risk evaluations, and compliance with GDPR principles to ensure the lawful use of cloud services.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-01-17
Category: Miscellaneous
This coordinated enforcement action examines how organizations designate and position Data Protection Officers (DPOs) in compliance with GDPR requirements. It reviews the legal, organizational, and operational aspects of DPO roles, focusing on independence, expertise, and resource allocation. The document highlights common challenges, such as conflicts of interest and insufficient resources, and provides recommendations for ensuring DPOs can perform their tasks effectively while maintaining compliance. This initiative aims to strengthen the uniform application of GDPR and enhance accountability across Member States.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-01-16
Category: Miscellaneous
This report, part of the EDPB's Coordinated Enforcement Framework (CEF) for 2024, focuses on the right of access under Article 15 of the GDPR. It provides an analysis of how organizations across the EU handle data subject requests for access to their personal data. The report identifies common issues, such as delays, incomplete responses, or refusals to provide data, and highlights best practices to ensure compliance. Recommendations include improving transparency, simplifying procedures for access requests, and providing clear guidance to data subjects. The report aims to strengthen harmonized enforcement of the GDPR and ensure that the right of access is respected across Member States.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2025-01-16
Category: Miscellaneous
This Code of Conduct outlines a framework for combating illegal hate speech online within the EU. It was developed in collaboration with IT companies, including major social media platforms, to ensure that flagged hate speech is assessed and removed within 24 hours. The Code promotes transparency, user education, and partnerships between governments, civil society, and online platforms to counter illegal hate speech while protecting fundamental rights such as freedom of expression. Updates to the Code have included progress reports and extended commitments to address new challenges in online content moderation. This Code of Conduct is an example of a code under Article 45 of the Digital Services Act (DSA) and builds on the Code of Conduct adopted in 2016.
Status: Adopted / Published
Author: European Commission
Adoption: 2025-01-20
Category: Miscellaneous
This report, adopted under Article 18 of the NIS2 Directive, outlines the current state of cybersecurity across the EU in 2024, analyzing key trends, challenges, and developments. It identifies major cybersecurity threats, evaluates the effectiveness of current measures, and highlights gaps that require urgent attention. The report also emphasizes the importance of cooperation among Member States and sectors to enhance resilience against emerging cyber risks.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2024-12-03
Category: Miscellaneous
This amendment to the EUCC introduces a new state-of-the-art document concerning the accreditation of certification bodies. It also modifies an existing document related to the accreditation of cybersecurity testing facilities. Additionally, it includes several editorial updates to the main text of the EUCC.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-12-18
Category: Relevant legislation
The Regulation establishes the circumstances, formats and procedures for notifications of conformity assessment bodies by national cybersecurity certification authorities.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-12-18
Category: Relevant legislation
This implementing regulation specifies the templates and procedures that financial entities must use to report major ICT-related incidents and notify significant cyber threats under DORA. It outlines a standardized approach for incident data collection, reporting requirements for third-party providers, and aggregated reporting options. Additionally, it addresses secure submission methods and conditions for reclassifying incidents.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-10-23
Category: Relevant legislation
The Implementing Regulation standardises the format, content, and reporting periods for transparency reports under the Digital Services Act (DSA), detailing the platforms' content moderation practices. Annex I to the Regulation provides a template of the transparency report. Annex II to the Regulation provides instructions for filling out the transparency report.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-11-04
Category: Template
The Implementing Regulation standardises the format, content, and reporting periods for transparency reports under the Digital Services Act (DSA), detailing the platforms' content moderation practices. Annex I to the Regulation provides a template of the transparency report. Annex II to the Regulation provides instructions for filling out the transparency report.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-11-04
Category: Relevant legislation
The Guidance focuses on the applicability of Article 5(3) of the ePrivacy Directive to emerging tracking methods. It highlights three key elements for determining applicability—information, terminal equipment, and access/storage of data—and provides a detailed analysis of these. Additionally, it applies this analysis to common tracking techniques such as URL and pixel tracking, IP-based tracking, IoT reporting, and the use of unique identifiers, ensuring compliance with data protection rules.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-10-07
Category: Guidance
This opinion outlines obligations under GDPR Article 28 when using processors and sub-processors. It covers contractual requirements, data protection safeguards, and documentation for accountability. The opinion also addresses the specific responsibilities regarding sub-processing agreements, data transfers, and incident management. It clarifies the roles and liability of controllers and processors.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-10-08
Category: Guidance
This guidance outlines how organizations can lawfully process personal data under GDPR Article 6(1)(f), which allows for processing based on legitimate interests. It details three key conditions: identifying a legitimate interest, ensuring processing is necessary for that interest, and balancing it against the rights and freedoms of data subjects. The guidelines provide a framework for conducting this assessment and offer examples, including areas like fraud prevention and marketing. The guidance is subject to public consultation and might be amended.
Status: Draft
Author: European Data Protection Board
Adoption: 2024-10-08
Category: Guidance
The study is part of data.europa.eu, an initiative of the European Commission. The report examines the evolving concept of data ownership within the EU and investigates the impact of the Data Act on data ownership rights. It argues that the Data Act does not address data ownership issues, instead focusing on defining access and usage rights. According to the report, this approach is more efficient as it tackles unfair market practices directly, rather than trying to impose a data ownership framework.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-09-23
Category: Miscellaneous
The document is a presentation delivered during the 1st European AI Office webinar. The presentation explains the AI Act’s risk management and QMS logic. It specifically considers the risk management system logic for high-risk AI systems. The presentation also provides an overview of the AI standardisation landscape, including relevant ISO/IEC standards.
Status: Adopted / Published
Author: AI Office
Adoption: 2024-05-30
Category: Miscellaneous
The guidelines explain the territorial scope of the GDPR as defined in Article 3, focusing on the "establishment" criterion (Article 3(1)) and the "targeting" criterion (Article 3(2)). Additionally, the guidelines cover the requirements for non-EU entities that engage in processing activities as per Article 3(2) to designate a representative in the EU, outlining the responsibilities and process for this designation.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2019-11-12
Category: Guidance
These guidelines are focused on defining the general requirements and criteria for certification mechanisms under Articles 42 and 43 of the GDPR. They explore the role of certification as an accountability tool, explaining key concepts of certification within Articles 42 and 43, and detailing the scope and purpose of what can be certified under these articles.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2019-06-04
Category: Guidance
The Decision outlines the mission and tasks of the AI Office, its cooperation mechanisms, and stipulates provisions relevant to the financing of the Office.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-01-24
Category: Relevant legislation
This exemption request template, under Article 10 of the DMA, is intended for entities seeking relief from specific DMA obligations under Articles 5, 6 or 7. It provides a structured format to present arguments and evidence supporting the exemption request, ensuring that all relevant information is considered by the regulatory authorities.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-09
Category: Template
The Article 11 DMA Compliance Report Template Form is a tool for entities to document and demonstrate their compliance with the DMA. It covers various aspects of compliance, requiring detailed information about the measures implemented, their effectiveness, and any challenges faced.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-09
Category: Template
The Article 9 DMA template is designed for entities to formally request a temporary suspension of certain DMA obligations under Articles 5, 6 or 7. It includes sections for explaining the basis of the request, the specific obligations to be suspended, and the anticipated impact of the suspension.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-09
Category: Template
The rules of procedure outline the tasks and cooperation modalities of the data protection authorities when handling complaints in the EU and EEA regarding alleged non-compliance with the DPF. The DPA panel is competent to provide binding advice to the US organisations following unresolved DPF complaints from individuals.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-04-24
Category: Miscellaneous
The database includes state-of-the-art documents specifying evaluation methods, techniques and tools that apply to the certification of ICT products or to the security requirements of a generic ICT product category, in order to harmonise evaluation in technical domains or of protection profiles. These documents are referenced in Annex I of the EU Cybersecurity Certification Scheme (EUCC).
Status: Adopted / Published
Author: European Agency for Cybersecurity
Adoption: Continuously updated
Category: Database
The register includes all Joint Q&As, such as Joint Committee Q&As, ESAs Q&As, and Q&As of joint interest pertaining to DORA. This file combines responses given by the European Commission to questions requiring the interpretation of Union Law and responses generated by the ESAs relating to the practical application or implementation of the specific provisions of DORA.
Status: Adopted / Published
Author: European Supervisory Authorities
Adoption: Continuously updated
Category: Database
The note provides a comprehensive overview of the key provisions under the Data Act.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-04-17
Category: Guidance
The Article 15 DMA Template outlines categories of information that gatekeepers must provide about their consumer profiling activities, such as methods, purposes, and impacts of consumer profiling.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-12-12
Category: Template
The guidelines specify how Member States fulfil the requirement under Article 3(3) NIS2 to establish a list of essential and important entities, as well as entities providing domain name registration services.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-09-13
Category: Guidance
The table included in the document clarifies the BCR-P content as outlined in Article 47, distinguishing between the content of BCRs and the information to be submitted to the Supervisory Authority during the application process, and offers explanations or comments on each requirement.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-02-06
Category: Guidance
The recommendation sets out a template of a Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data (BCR-P).
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-04-11
Category: Template
This document focuses on standardizing the application process for BCR approval for controllers (BCR-C) and detailing the necessary content of these BCRs as stated in Article 47 GDPR. The document includes a standard "Application Form for Approval of Controller Binding Corporate Rules (BCR-C)" and guidance for filling it out.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-06-20
Category: Guidance
The updated European Essential Guarantees support assessing whether non-EU countries' public authorities handle personal data in a manner that complies with EU standards, focusing on national security and law enforcement access. These guidelines aid in determining if a non-EU country offers data protection equivalent to the EU, examining the impact of their surveillance measures on privacy and data protection rights. The document outlines the four European Essential Guarantees and provides specific evaluation criteria.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-11-10
Category: Guidance
This FAQ includes information about the EU-U.S. Data Privacy Framework for European businesses. The document outlines eligibility criteria for U.S. companies, specifying that they must fall under the jurisdiction of the FTC or DoT. Before transferring data, European businesses must verify U.S. companies' active certifications and coverage of relevant data types. Guidance is provided on handling transfers to U.S. subsidiaries and the necessary data processing agreements under GDPR. Lastly, it directs businesses to resources for verifying certifications and the self-certification process.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-07-16
Category: Miscellaneous
This FAQ includes information about the EU-U.S. Data Privacy Framework for European individuals. It explains the benefits of the DPF for individuals, including rights to be informed, access, correct, or delete their data. The document provides guidance on how to lodge a complaint if a U.S. company violates its obligations, detailing the complaint procedure and the role of national Data Protection Authorities (DPAs) in handling complaints, including potential referral to U.S. authorities or setting up an informal panel of EU DPAs for investigation.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-07-16
Category: Miscellaneous
The Template is to be used by the data subjects in the EU and EEA when lodging complaints with the EU data protection authorities regarding an alleged violation of the EU-US Data Privacy Framework.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-04-24
Category: Template
The database includes the materials (opinions, working documents, letters etc.) issued by the Article 29 Working Party between 1997 and November 2016.
Status: Adopted / Published
Author: Article 29 Working Party
Adoption: 2016-11-01
Category: Database
The database includes the materials (opinions, working documents, letters etc.) issued by the Article 29 Working Party between November 2016 and 25 May 2018.
Status: Adopted / Published
Author: Article 29 Working Party
Adoption: 2018-05-25
Category: Database
The Decision establishes a High-Level Group on the DMA composed of 30 representatives nominated from the Body of European Regulators for Electronic Communications (BEREC), the European Data Protection Supervisor (EDPS) and the European Data Protection Board, the European Competition Network (ECN), the Consumer Protection Cooperation Network (CPC Network), and the European Regulators Group for Audiovisual Media Services (ERGA). The High-Level Group can provide the Commission with advice and expertise with the aim of ensuring that the DMA and other sectoral regulations applicable to gatekeepers are implemented in a coherent and complementary manner.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-03-23
Category: Relevant legislation
The Implementing Regulation details procedural aspects related to the implementation and enforcement of the DMA, such as the right for parties to be heard and to access the file, and it includes the notification form which potential gatekeepers have to use when providing certain figures to the Commission in the designation process. It aims to ensure effective proceedings, as well as to provide legal certainty on procedural rights and obligations to the companies concerned, including those who will be designated as gatekeepers.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-04-14
Category: Relevant legislation
The template for granting power of attorney in the context of the DMA.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-09-27
Category: Template
This template is tailored for entities seeking a specification dialogue under Article 8(3) of the DMA. It guides the requester through the process of detailing their concerns or ambiguities regarding DMA provisions, facilitating a structured dialogue with regulatory authorities to ensure clear understanding and proper implementation of the DMA.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-09
Category: Template
This template is intended to be used by the gatekeepers when providing European Commission with the information of any intended concentration.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-27
Category: Template
The form is adopted as Annex I to the Commission Implementing Regulation (EU) 2023/814 of 14 April 2023 on detailed arrangements for the conduct of certain proceedings by the Commission pursuant to Regulation (EU) 2022/1925 of the European Parliament and of the Council. Notifications pursuant to Article 3(3) of the DMA must contain all the information, including documents, indicated in the form.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-04-14
Category: Template
The form is adopted as Annex I to the Commission Guidelines on the application of Article 3(4) of Directive (EU) 2022/2555 (NIS 2 Directive). The template is to be used by the Member States when establishing a list of essential and important entities, as well as entities providing domain name registration services.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-09-13
Category: Template
The DMA Cases database is an online platform where users can find information about cases related to the Digital Markets Act. It includes details on enforcement actions, decisions, and investigations. The site offers search functionality to filter cases by different criteria.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
The document provides the European Commission's answers to frequently asked questions regarding the obligation under the DSA to publish information on the average monthly number of active recipients of the service. The Q&A answers questions regarding the scope of the obligation, the publication repository, the concept of "active recipient" and other related matters.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-01-31
Category: Guidance
This recommendation aims to encourage Member States to coordinate their response to the spread and amplification of illegal content on VLOPs and VLOSEs by sharing details about appointed Digital Services Coordinators and appointing high-level officials to participate in the Informal Network.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-20
Category: Relevant legislation
The database collects statements of reasons provided by the providers of online platforms to their users. The statements of reasons are information provided by hosting services to users whenever they remove or otherwise restrict access to their content. The requirements for these statements are outlined in DSA Article 17.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
The database collects terms and conditions of digital service providers, with a focus on online platforms such as social media, app stores or marketplaces.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
The Delegated Regulation supplements the DSA by laying down the necessary rules for the performance of audits under DSA Article 37, in particular on the procedural steps, auditing methodologies and reporting templates for the audits performed. It provides a framework to guide providers of VLOPs and VLOSEs and auditing organisations in the preparation and issuance of audit reports and audit implementation reports.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-20
Category: Relevant legislation
The templates are adopted as Annexes to the Commission Delegated Regulation of 20 October 2023 on independent audits, supplementing DSA Article 37. The document includes two templates: Annex I sets out a template for the audit report and Annex II a template for the audit implementation report.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-20
Category: Template
The Delegated Regulation sets out a methodology for calculating the supervisory fees imposed on the providers of VLOPs and VLOSEs.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-03-02
Category: Relevant legislation
The page maintains a public register of all data intermediation services providers offering their services in the EU.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
This form is to be used by the Member States when notifying the Commission as and when data intermediation organisations are registered.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Template
The page maintains a public register of all recognised data altruism organisations offering their services in the EU.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
This form is to be used by the Member States when notifying the Commission as and when data altruism organisations are registered.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-10-04
Category: Template
The Implementing Regulation provides for the design of logos to be used by the recognised data intermediation services providers and data altruism organizations.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-08-09
Category: Relevant legislation
The manuals specify how recognised data intermediation services providers and data altruism organizations should be using and displaying the corresponding logos.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-08-09
Category: Guidance
The Implementing Decision adopts four sets of standard contractual clauses to provide appropriate safeguards within the meaning of Article 46(1) of GDPR, i.e. to comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. They contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. They can be used by data exporters, without the need to obtain a prior authorisation (for the data transfer or the clauses used) from a data protection authority.
Status: Adopted / Published
Author: European Commission
Adoption: 2021-06-04
Category: Relevant legislation
The Annex to the Implementing Decision provides a template for SCCs as a data transfer tool. The SCCs follow a modular structure whereby the parties have to combine general clauses (that are applicable regardless of the specific transfer scenario) with the module(s) that apply to their situation. Four sets of modules are included to cover the following scenarios of data transfers: Controller to Controller (Module 1), Controller to Processor (Module 2), Processor to Processor (Module 3), and Processor to Controller (Module 4).
Status: Adopted / Published
Author: European Commission
Adoption: 2021-06-04
Category: Template
The Implementing Decision adopts SCCs for the relationship between controllers and processors. These SCCs fulfil the requirements in Article 28(3) and (4) of GDPR and in Article 29(3) and (4) of Regulation (EU) 2018/1725 (the Data Protection Regulation applicable to EU institutions, bodies, offices and agencies, 'EUDPR').
Status: Adopted / Published
Author: European Commission
Adoption: 2021-06-04
Category: Relevant legislation
The Annex to the Implementing Decision provides a template for SCCs to be used between data controllers and data processors as a standard data processing agreement.
Status: Adopted / Published
Author: European Commission
Adoption: 2021-06-04
Category: Template
The database contains the European Commission decisions determining that a specific jurisdiction outside the EU offers an adequate level of data protection (adequacy decisions). It also includes a list of reports documenting the Commission's periodic reviews of adopted adequacy decisions.
Status: Adopted / Published
Author: European Commission
Adoption: Continuously updated
Category: Database
The register collates decisions taken by the lead supervisory authorities in the context of the One-Stop-Shop (OSS) cooperation mechanism for cross-border cases under Article 60 of GDPR.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: Continuously updated
Category: Database
The register includes final decisions of the supervisory authorities on the approval of Binding Corporate Rules (BCR-P and BCR-C) under GDPR. For each approved BCR, the type of BCR and the category of data subjects covered under the BCRs are specified.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: Continuously updated
Category: Database
The register includes codes of conduct (CoC) approved by the supervisory authorities under GDPR. For each approved CoC, the type and scope of CoC as well as its owner and a monitoring body (where applicable) are specified.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: Continuously updated
Category: Database
The register collates decisions taken by the supervisory authorities in the context of consistency mechanism cooperation under Article 63 of GDPR.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: Continuously updated
Category: Database
The register collates all approved certification mechanisms and data protection seals and marks approved in accordance with Article 42 of the GDPR.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: Continuously updated
Category: Database
The register collates all binding decisions taken by the EDPB when executing its tasks under Article 65 of GDPR.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: Continuously updated
Category: Database
The Guidelines detail the GDPR dispute resolution process for cases involving cross-border data processing, aiming to resolve disagreements between Lead Supervisory Authorities (LSAs) and Concerned Supervisory Authorities (CSAs) regarding GDPR infringements. They outline the legal framework and procedure stages, emphasizing the EDPB's role in issuing binding decisions on objections that meet the "relevant and reasoned" criteria. Additionally, the guidelines address procedural safeguards and remedies, including the right to be heard and access to files, but exclude scenarios involving disputes over supervisory authority competence or non-adherence to EDPB opinions under Articles 65(1)(b) and (c) GDPR.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-05-24
Category: Guidance
The guidelines focus on supporting entities with identifying a lead supervisory authority and discuss key concepts such as 'cross-border processing of personal data', 'lead supervisory authority', and 'main establishment'. The document outlines steps to identify the lead supervisory authority, discussing the main establishment for controllers, groups of undertakings, joint data controllers, and borderline cases, along with considerations for processors. Additional sections cover the role of the 'supervisory authority concerned', local processing, companies not established within the EU, and an annex with questions to assist in identifying the lead supervisory authority.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-04-17
Category: Guidance
This document explains the right of access for data subjects under Article 15 GDPR. It details three elements of access right: 1) confirmation of data processing, 2) access to the data itself, and 3) information about the processing. The guidelines cover the assessment of access requests, formats for providing access, time frames for response, and address limits and restrictions on the right of access, including the impact on the rights of others and circumstances where requests may be considered unfounded or excessive.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-04-17
Category: Guidance
The guidelines detail the mandatory breach notification and communication requirements outlined in the GDPR, providing guidance for controllers and processors on how to fulfil these obligations. Additionally, the document includes examples of different types of data breaches and specifies the parties that need to be notified in various scenarios.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-03-28
Category: Guidance
The Guidelines focus on certification as a new mechanism for international data transfers. These guidelines are divided into four parts, beginning with general guidance on using certification as a transfer tool, including the roles of data exporters and importers and the process for obtaining certification. The second part details accreditation requirements for certification bodies, while the third part provides specific criteria for certification mechanisms, covering aspects like third-country legislation assessment, obligations of exporters and importers, and rules on onward transfers. The fourth part discusses binding and enforceable commitments required from controllers or processors outside the GDPR's jurisdiction to provide appropriate safeguards. An annex offers examples of supplementary measures for using certification in data transfers.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-02-24
Category: Guidance
The Guidelines provide three criteria for qualifying a data processing operation as a data transfer: the involvement of a GDPR-subjected data exporter, the transmission or sharing of personal data with an importer, and the location of the importer in a third country or international organization, regardless of their GDPR Article 3 status. The objective is to determine when data transfers require Chapter V compliance, distinct from the broader applicability of Article 3. The guidelines also include practical examples and an annex to demonstrate various data transfer scenarios.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-02-24
Category: Guidance
The guidelines for social media providers focus on identifying and avoiding "deceptive design patterns" in social media interfaces. These guidelines categorize deceptive design patterns into six types: Overloading, Skipping, Stirring, Obstructing, Fickle, and Left in the Dark, each with specific subtypes and examples. They also provide an assessment framework based on GDPR principles like fair processing, transparency, and data minimisation, and include best practice recommendations for user interface design. Additionally, the guidelines offer a checklist in Annex I for easy reference to these design pattern categories and examples.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-02-24
Category: Guidance
The guidelines on the GDPR's one-stop shop mechanism under Article 60 detail the cooperation process among supervisory authorities in cross-border processing cases. They outline the procedures for information exchange, decision-making, and the roles of the lead supervisory authority and concerned supervisory authorities. The guidelines also address the submission and revision of draft decisions, compliance by controllers or processors, and the application of the Urgency Procedure, providing a quick reference guide for practitioners working in the supervisory authorities.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2022-03-14
Category: Guidance
This document provides guidance on the application of Article 23 of the GDPR, offering an analysis of the criteria for applying restrictions, the necessary assessments, the exercise of data subjects' rights post-restriction, and the consequences of infringing Article 23. It concludes with an annex providing checklists for Article 23 GDPR requirements.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-10-13
Category: Guidance
The Guidelines outline the application of the GDPR roles of controllers, joint controllers, and processors. They include sections defining each role, detailing their respective responsibilities and the criteria for determining these roles. The guidelines also discuss the relationships and agreements required between controllers and processors, as well as among joint controllers, and the necessary compliance measures under GDPR obligations.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-07-07
Category: Guidance
The recommendations focus on the requirements for transferring personal data to third countries under GDPR, in response to the CJEU's Schrems II judgment. The document includes six steps for data exporters: mapping data transfers, verifying transfer mechanisms, assessing third-country laws, identifying supplementary measures, fulfilling procedural steps, and ongoing re-evaluation of data protection levels. The document includes an annex with examples of effective and non-effective supplementary measures (technical, organizational and contractual) applied to specific scenarios.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-06-18
Category: Guidance
The recommendations are designed to standardize the application of data protection rules in the context of the processing of credit card data. The focus is on the storage of credit card data by online providers of goods and services, particularly for facilitating future purchases by data subjects. The document addresses scenarios where a data subject inputs credit card information on a website or application for a one-time transaction, providing guidance on how this data should be handled and stored.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-05-19
Category: Guidance
The guidelines detail the interpretation of "relevant and reasoned objection" as defined in Article 4(24) of the GDPR. They focus on the process for Concerned Supervisory Authorities (CSAs) to object to draft decisions by the Lead Supervisory Authority (LSA) under Article 60 of the GDPR. The document outlines how an objection should be structured, the necessary elements it must contain to meet the defined threshold, and the way in which it should address potential infringements of the GDPR or inappropriate actions towards controllers or processors.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-03-09
Category: Guidance
This document provides guidance on applying Articles 46(2)(a) and 46(3)(b) of the GDPR for data transfers from EEA public authorities to public bodies in third countries or international organisations not covered by adequacy decisions of the European Commission. It focuses on international data transfers for administrative cooperation within the GDPR scope, excluding areas like public security, defence, state security, and transfers related to criminal law enforcement, as well as transfers involving private entities.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-12-15
Category: Guidance
These guidelines clarify data protection implications under the Payment Services Directive 2 (PSD2), focusing on the processing of personal data by Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). They address access to payment account information, processing for secondary purposes, and the interplay between PSD2 and GDPR concepts such as explicit consent and data minimization. The document also covers the processing of 'silent party data' and special categories of personal data.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-12-15
Category: Guidance
The guidelines provide guidance on how to effectively implement the data protection principles in Article 5, listing key design and default elements as well as practical cases for illustration. The document includes recommendations for cooperation between controllers, processors, and producers in achieving Data Protection by Design and by Default set forth in Article 25 in the GDPR and highlights the role of certifications and codes of conduct in data protection practices.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-10-20
Category: Guidance
The guidelines focus on the interpretation of the right to be forgotten in the context of search engines, as established by the CJEU Costeja judgment and Article 17 of the GDPR. They outline the obligations of search engine providers to erase links to web pages from search results based on a person's name, while also considering the rights to object and to erasure under GDPR Articles 17 and 21. Additionally, the document discusses the distinctions between data processing by search engines and third-party websites, the limitation that delisting does not erase the data completely, and exceptional cases where complete erasure from indexes or caches is necessary, concluding with an overview of grounds for delisting requests and exceptions to the right to request delisting.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-07-07
Category: Guidance
These guidelines provide analysis on applying the GDPR to personal data processing through video devices, covering lawfulness of processing, and disclosure of video footage to third parties. Key areas include the processing of special categories of data, such as biometric data, and the rights of data subjects, including access, erasure, and objection. The document also addresses transparency, information obligations, storage periods, erasure obligations, and technical and organizational measures for video surveillance systems, culminating in a section on data protection impact assessment.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-01-30
Category: Guidance
These guidelines focus on the application of Article 6(1)(b) of the GDPR in the context of online services. The analysis covers general observations, the interaction of Article 6(1)(b) with other lawful bases for processing, the specific scope of Article 6(1)(b), the concept of necessity, and its application to the performance of a contract and steps taken prior to entering into a contract. The final part discusses the applicability of Article 6(1)(b) in specific situations such as processing for service improvement, fraud prevention, online behavioral advertising, and content personalization.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2019-10-16
Category: Guidance
These guidelines are designed to assist in applying Articles 40 and 41 of the GDPR, focusing on the submission, approval, and publication of codes at national and European levels. They detail the criteria for Competent Supervisory Authorities to review and evaluate codes, and how to ensure these codes effectively apply and monitor GDPR compliance. The guidelines also provide a framework for consistent evaluation of codes and address the need for re-evaluating previously approved codes under the new GDPR requirements.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2019-06-04
Category: Guidance
These guidelines define the role of accreditation in the context of the GDPR and outline the available routes for accrediting certification bodies as per Article 43(1), highlighting key considerations. They provide frameworks for establishing additional accreditation requirements, both when accreditation is managed by the national accreditation body and when handled by the supervisory authority.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-12-14
Category: Guidance
These guidelines provide interpretative assistance on the transparency requirements of the GDPR, focusing on how information should be provided to data subjects in a clear, concise, and accessible manner. They cover the specifics of delivering information under Articles 13 and 14, including modalities, timing, and changes to the information provided. Additionally, the guidelines address transparency in specific contexts such as data breaches, profiling, automated decision-making, and the exercise of data subjects' rights.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-04-11
Category: Guidance
The document provides guidance on interpreting and implementing the GDPR's right to data portability, outlining its scope, applicability conditions, and the types of data covered. Recommendations for data controllers include developing tools for handling portability requests, ensuring data is transmitted in structured, machine-readable formats, and promoting interoperability standards to facilitate this right effectively.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2017-04-05
Category: Guidance
The document outlines the interpretation of Article 49 of the GDPR, detailing exceptions that allow for the transfer of personal data to countries without an adequacy decision or appropriate safeguards. These exceptions include data transfers with explicit consent from the data subject, transfers necessary for contract performance or pre-contractual measures, contracts in the data subject's interest, important public interest reasons, legal claims, vital interests of the data subject, data from public registers, and compelling legitimate interests. Each exception is discussed in detail.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-05-25
Category: Guidance
The document outlines guidelines for the designation, position, and tasks of the Data Protection Officer (DPO) under the GDPR. It covers mandatory designation criteria, including what constitutes a 'public authority or body,' 'core activities,' 'large scale' operations, 'regular and systematic monitoring,' and handling of special categories of data. It discusses the DPO's role for processors, conditions for appointing a single DPO for multiple organizations, DPO accessibility, required expertise and skills, and how to communicate the DPO's contact details. The position section emphasizes the DPO's involvement in all data protection matters, the resources needed, independence, protection against dismissal or penalty, and conflict of interests. The tasks section details the DPO's responsibilities in monitoring GDPR compliance, involvement in data protection impact assessments, cooperation with supervisory authorities, and a risk-based approach to duties.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2017-10-30
Category: Guidance
The document outlines guidelines for conducting a Data Protection Impact Assessment (DPIA) under the GDPR. It details the DPIA process, including when and how it should be conducted, who is responsible, the methodology to follow, and conditions under which the supervisory authority should be consulted. The document concludes with recommendations and includes annexes with examples of existing EU DPIA frameworks and criteria for an acceptable DPIA.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2017-10-13
Category: Guidance
The document provides an overview of profiling and automated decision-making regulation under the GDPR. Specific provisions on solely automated decision-making as defined in Article 22, exceptions to the prohibition, and the rights of the data subject concerning automated decision-making are detailed. The document also discusses the implications for children, the role of Data Protection Impact Assessments (DPIA), and Data Protection Officers (DPO). It concludes with good practice recommendations, key GDPR provisions related to profiling and automated decision-making, and further reading materials.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-08-22
Category: Guidance
The Working Party 29's position paper clarifies exemptions from the GDPR's Article 30(5) requirement for maintaining records of processing activities, noting that the exemption for organizations with fewer than 250 employees does not apply if the processing poses a risk to data subjects, is non-occasional, or involves special categories of data. The document underscores the role of these records in enhancing accountability and risk assessment in line with GDPR principles. It also advocates for supervisory authorities to assist small and medium-sized enterprises (SMEs) with resources and tools to comply with these obligations.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-04-19
Category: Guidance
This working paper focuses on adequacy decisions under Article 45 of the GDPR, specifically on implementing acts of the European Commission for assessing data protection levels in third countries and international organizations. It outlines core data protection principles necessary for a third country or international organization to achieve essential equivalence with the EU's data protection framework. The document is structured into four chapters, covering the concept of adequacy, procedural aspects for making adequacy findings, general data protection principles for equivalent protection levels, and essential guarantees for law enforcement and national security access.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2018-02-06
Category: Guidance
The Q&A document provides practical guidance on the application of the two sets of the standard contractual clauses (SCCs) adopted by the European Commission on 4 June 2021.
Status: Adopted / Published
Author: European Commission
Adoption: Not specified
Category: Guidance
The Implementing Regulation lays down rules concerning practical arrangements for inspections and monitoring actions conducted by the European Commission in the context of the DSA. In addition, it outlines arrangements regarding the exercise of the right to be heard and the terms of disclosure under DSA Article 79.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-06-12
Category: Relevant legislation
The Implementing Regulation establishes a data-sharing platform "AGORA" between Member States and the Commission. AGORA will support communications between the Digital Services Coordinators (DSCs) in the Member States, the Commission, and the European Board for Digital Services (composed of the DSCs). The Commission, the DSCs and the Board will use AGORA for all communications relating to the enforcement of the DSA.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-02-15
Category: Relevant legislation
This document contains guidance for VLOPs and VLOSEs to support their compliance with their obligation to mitigate specific risks linked to electoral processes. The measures outlined in the guidance cover reinforcing internal processes; risk mitigation measures for electoral processes; mitigation measures linked to generative AI; cooperation with EU and national authorities, independent experts and civil society organisations; the process of putting in place risk mitigation measures during and after an electoral event; and specific guidance for elections to the European Parliament.
Status: Draft
Author: European Commission
Adoption: 2024-03-26
Category: Guidance
The assessment identifies similarities and divergences between the requirements under NIS2 and the recommendations issued by the US Department of Homeland Security (DHS) in its report entitled "Harmonization of Cyber Incident Reporting to the Federal Government" of September 2023.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-03-20
Category: Miscellaneous
The Implementing Regulation sets out the European Common Criteria-based cybersecurity certification scheme. The scheme applies on a voluntary basis EU-wide and focuses on certifying the cybersecurity of ICT products across their lifecycle: biometric systems, firewalls (both hardware and software), detection and response platforms, routers, switches, specialised software (such as SIEM and IDS/IDP systems), data diodes, operating systems (including for mobile devices), encrypted storage, databases, as well as smart cards and secure elements included in all sorts of products, such as the passports used daily by citizens.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-01-31
Category: Relevant legislation
The Note summarizes the process for handling an individual complaint lodged by a data subject in the EU and EEA regarding unlawful access to and use of their data by U.S. authorities. The Note specifically focuses on personal data transmitted from the EU to the US under any data transfer mechanism under the GDPR and considers complaints related to the national security context only.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-04-24
Category: Miscellaneous
The Template is to be used by data subjects in the EU and EEA when lodging complaints regarding unlawful access to and use of their data by U.S. authorities in the context of national security signals intelligence activities.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-04-24
Category: Template
The rules of procedure outline the tasks of the EDPB Secretariat and national data protection authorities in ensuring that individual complaints alleging unlawful access to personal data by US national authorities in the context of national security signals intelligence activities are properly verified, processed and transmitted to the U.S. Office of the Director of National Intelligence's Civil Liberties Protection Officer (CLPO).
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-04-24
Category: Miscellaneous
The opinion assesses the compliance of the use of facial recognition technology by airport operators and airline companies for biometric-enabled authentication or identification of passengers to streamline passenger flow at airports. The opinion is limited to assessing the compatibility of this processing with GDPR Articles 5(1)(e) and (f), 25 and 32 in the context of four specific scenarios: (1) storage of the enrolled biometric template only in the hands of the individual, for authentication; (2) centralised storage of the enrolled biometric template in encrypted form within the airport, with a key/secret solely in the passenger's hands, for authentication; (3) centralised storage in a database within the airport, under the control of the airport operator; (4) centralised storage in a cloud, under the control of the airline company.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-05-23
Category: Guidance
The report details ongoing efforts for a coordinated approach regarding ChatGPT among EU data protection authorities and preliminary views on OpenAI's data processing practices' lawfulness, fairness, and transparency. The report emphasises OpenAI's responsibility for GDPR compliance, particularly regarding user data input and web-scraping practices, with a common questionnaire included as an annex.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-05-23
Category: Miscellaneous
This Commission Staff Working Document provides an overview of the elements taken into account in estimating the amount of external assigned revenues stemming from the supervisory fee pursuant to Article 6(1) of the Commission Delegated Regulation on Supervisory Fees (2023/1127) for the DSA.
Status: Adopted / Published
Author: European Commission
Adoption: 2024-06-30
Category: Guidance
The Guidelines aim to standardize how supervisory authorities calculate fines under GDPR, complementing previous guidelines that focused on when to impose fines. The new guidelines outline a five-step methodology for determining fines, taking into account factors like the nature and seriousness of the infringement, the offending entity's behavior and turnover, and legal maximum limits, while ensuring the fines are effective, proportionate, and dissuasive. The guidelines emphasize that fine calculation is not a strict mathematical process but depends on the specifics of each case.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2023-05-24
Category: Guidance
This document is designed to guide supervisory authorities in the application and enforcement of the GDPR, focusing on a shared interpretation of Article 83. The document outlines guidance for each criterion included in Article 83 such as "the nature, gravity and duration of the infringement", "the intentional or negligent character of the infringement", "any action taken by the controller or processor to mitigate the damage suffered by data subjects", "the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32" and others.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2017-10-03
Category: Guidance
The Opinion addresses the validity of consent to process personal data for the purposes of behavioural advertising in the context of 'consent or pay' models deployed by large online platforms. The EDPB considers that, in most cases, it will not be possible for them to comply with the requirements for valid consent if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee. With respect to the DSA, the Opinion specifically mentions the notions of 'gatekeeper' and 'core platform services' and the concept of 'consent'. According to the EDPB, "(t)his Opinion refers to relevant provisions of the DMA and the DSA insofar as necessary to foster a coherent application of EU law" (para. 47 of the Opinion).
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-04-17
Category: Guidance
The document addresses the use of data-driven solutions in managing the COVID-19 pandemic, focusing on privacy concerns and the balance between effective pandemic response and protection of fundamental rights. It provides guidelines on the proportionate use of location data and contact tracing tools, emphasizing their role within a broader public health strategy. The guidelines also discuss the applicability of the GDPR and ePrivacy Directive in the context of monitoring and containing the SARS-CoV-2 virus.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-04-21
Category: Guidance
These guidelines represent an updated version of the Guidelines on consent under Regulation 2016/679, originally adopted by the Article 29 Working Party and later endorsed by the EDPB. With respect to ePD, the guidelines clarify that "the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive."
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2020-05-04
Category: Guidance
These guidelines focus on data processing in the context of non-professional use of connected vehicles. With respect to the ePD, the guidelines specify that in certain cases a connected vehicle and the devices connected to it should be considered "terminal equipment" (just like a computer, a smartphone or a smart TV), so that the provisions of ePD Article 5(3) apply where relevant. The guidelines further specify the application of consent requirements under the ePD.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-03-09
Category: Guidance
The guidelines focus on defining roles and responsibilities in social media targeting, involving social media providers, their users, targeters, and other relevant actors. A number of examples included in the guidelines feature cookies and other tracking technologies as well as social plugins (e.g., the "like" button), and hence the document discusses applicability and consent requirements under Article 5(3) of the ePD.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-04-13
Category: Guidance
The document provides guidelines on the application of the GDPR and the e-Privacy Directive to Virtual Voice Assistants (VVAs). From the ePD perspective, the guidelines specify that "(i)nsofar the VVA data is processed in order to execute the user's requests, i.e. as strictly necessary in order to provide a service requested by the user, data controllers are exempted from the requirement of prior consent under Article 5(3) e-Privacy Directive. Conversely, such consent as required by Article 5(3) e-Privacy Directive would be necessary for the storing or gaining of access to information for any purpose other than executing users' request."
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2021-07-07
Category: Guidance
The Decision outlines the membership of the EDIB, member selection process, rules around operation, handling of classified information and transparency of the Board.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-02-20
Category: Relevant legislation
The document includes a methodology, in the form of a checklist, for performing an audit of an AI system. The proposed methodology focuses on an end-to-end, socio-technical algorithmic audit (E2EST/AA) aimed at inspecting a system in its actual implementation, processing activity and running context, looking at the specific data used and the data subjects impacted. The project includes documents proposing the design of AI leaflets and algo-scores.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2024-06-27
Category: Miscellaneous
Guidelines clarify the application of Article 4(1) and (2) of NIS2, which concern the relationship between Directive (EU) 2022/2555 and current and future sector-specific Union legal acts addressing cybersecurity risk-management measures or incident reporting requirements. The Appendix to the Guidelines lists the sector-specific Union legal acts that the Commission considers to fall within the scope of Article 4 of Directive (EU) 2022/2555.
Status: Adopted / Published
Author: European Commission
Adoption: 2023-09-13
Category: Guidance
The EDPB Opinion outlines the interaction between the GDPR and the ePrivacy Directive, focusing on their overlapping material scopes and the relationship between their provisions. It clarifies the specific roles of each framework in regulating data processing activities, emphasizing how the ePrivacy Directive "particularises" and "complements" the GDPR. The opinion also addresses the enforcement powers of data protection authorities, particularly where the two frameworks intersect, and discusses whether certain national provisions and processing operations fall outside of these authorities' competencies. Additionally, the opinion touches on the applicability of cooperation and consistency mechanisms within the legal context.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2019-03-12
Category: Guidance
This opinion outlines the EDPB's stance on claims of AI model anonymity and the use of legitimate interest as a legal basis for processing personal data in AI development and deployment. It emphasizes a case-by-case assessment of anonymity by supervisory authorities (SAs) and provides a framework for evaluating claims, including documentation review and suggested anonymization methods. The opinion also recalls the GDPR’s three-step test for legitimate interest, focusing on necessity and balancing tests.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2024-12-17
Category: Guidance
This position paper explores the interplay between data protection and competition law, emphasizing the importance of cooperation between data protection authorities and competition regulators. It provides guidance on how compliance with data protection laws, such as GDPR, intersects with competition law objectives, particularly in cases involving data-driven markets and digital platforms. The document highlights that data protection compliance should not be interpreted as an obstacle to competition enforcement but as a complementary consideration to promote fairness, transparency, and accountability in the digital economy. The paper also outlines key recommendations for fostering collaboration between regulators to address challenges posed by the increasing overlap of these legal domains.
Status: Adopted / Published
Author: European Data Protection Board
Adoption: 2025-01-16
Category: Guidance
The first report provides an overview of methods and tools to address bias in AI systems. The second report covers techniques and methods that can be used for the effective implementation of data subject rights, specifically the right to rectification and the right to erasure, when AI systems have been developed with personal data.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2025-01-23
Category: Miscellaneous
This statement outlines key principles for designing GDPR-compliant age assurance systems. It emphasizes the need for proportionality, data protection by design, and risk-based assessments to ensure the least intrusive methods are used while balancing safety and privacy. The document highlights the application of Articles 5, 25, and 32 of the GDPR in online services requiring age assurance, such as minimum age checks for legal acts, services, and goods that may pose risks to children. DPIAs are recommended for high-risk processing activities.
Status: Adopted / Published
Author: European Data Protection Board (EDPB)
Adoption: 2025-02-11
Category: Guidance
This report examines the implementation of the Cyber Resilience Act (CRA) in relation to the EU Common Criteria (EUCC) certification scheme. It details the alignment between CRA requirements and EUCC, focusing on security objectives, conformity assessments, and applicable technical elements. The study seeks to examine the technical aspects of implementing the CRA through the EUCC as a European cybersecurity certification scheme, focusing on its technical elements and provides potential conclusions that could be considered by the European Commission when establishing presumption of conformity.
Status: Adopted / Published
Author: European Union Agency for Cybersecurity (ENISA)
Adoption: 2024-02-27
Category: Miscellaneous
The EDPB website auditing tool helps identify tracking technologies deployed on a website in order to assess their compliance with the law and, in particular, the consent requirements under the GDPR and the ePrivacy Directive. It supports the preparation, completion and evaluation of audits directly in the tool.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2024-01-29
Category: Miscellaneous
The AI risks project assesses the data protection risks of AI for Optical Character Recognition (OCR) and Named Entity Recognition (NER). OCR is a technology used to convert images or scanned documents containing text into machine-readable text. NER is used to identify named entities such as names, organizations and locations within a document and classify them into predefined categories.
Status: Adopted / Published
Author: EDPB SPE
Adoption: 2024-06-27
Category: Miscellaneous