EU policy businesses can expect to see this autumn

To help businesses understand what new EU law is coming, we explore how politics might play into policymaking, some of the existing EU legislative files under development that might be finalised before new year, what new policy we can expect once the new European Commission has been configured, and what actions businesses can take to stay ahead of legislative and regulatory change.

A tumultuous summer

EU proposals likely to be finalised this autumn

The EU Cyber Resilience Act

The Platform Workers Directive

What to expect from the new European Commission

Actions for businesses

Hear Emmer Roberts and Mark Ferguson discuss this story on The Pinsent Masons podcast here or wherever you get your podcasts.

A tumultuous summer

The European Parliament elections in June brought about a recalibration of the Parliament’s make-up, though support for MEPs on the far right of the political spectrum was lower than many had predicted.

MEPs have returned to the normal business of law-making for the first time since before the elections, with their first plenary session scheduled to start on Monday 16 September, when one of their first tasks will be to consider legislative files that are being carried over from the previous parliament – this includes potential reforms in areas such as environmental, employment, and cybersecurity law.

MEPs in the newly configured parliament sat briefly in July, at which time they approved Ursula von der Leyen’s re-election as president of the European Commission. Von der Leyen has set out political guidelines that will shape the work of her new Commission – guidelines that she said have been “enriched” by discussions with Mario Draghi, the former European Central Bank president who earlier this month published a detailed report into EU competitiveness. It is expected to be November or even December before the new Commission gets properly to work in making substantive policy announcements. This is because the new commissioners that will form von der Leyen’s team have still to be appointed in what is a heavily politicised process.

Von der Leyen is chief policymaker in EU terms. Her re-election will ensure a degree of continuity and stability at the top of the EU. Some of her plans for her new Commission have already been trailed for months – including a new Biotech Act. However, her ability to deliver her agenda over the next five years will be influenced by the wider economic and political environment – including the changed make up of the European Parliament and the way in which individual EU member states respond to political undercurrents in their own countries.

In France, while the population rejected a far-right takeover of the National Assembly in July, the result of that snap summer poll has weakened the authority of Emmanuel Macron ahead of the presidential elections in 2027. In Germany, the far-right recorded success in recent state elections ahead of federal elections planned for September 2025. Political pressures within member states can sway national governments in the level of support they provide for proposed new regulation, particularly at a time when frustrations are building about stagnant economic growth.

The political position in individual member states can flow into the EU law making process, particularly in the work of the Council of Ministers – the institution, which together with the European Parliament, scrutinises and typically amends the proposals the European Commission puts forward before deciding whether or not to adopt them. This autumn, the Council’s appetite for specific reforms will be influenced by the degree to which Hungary, under the leadership of controversial figure Viktor Orbán, prioritises each legislative file in its role as president of the Council. The Council presidency rotates between EU member states every six months, with Hungary’s term running from July and being due to expire at the end of this year.

Political developments external to the EU will also influence law makers’ willingness within the trading bloc to support individual legislative files. The outcome of the US presidential election this November will be pertinent in this regard, including in the context of the sustainability agenda – some law makers and business groups have already expressed concern about too much EU regulation in this area compared to other parts of the world.

EU proposals likely to be finalised this autumn

While there is undoubtedly some uncertainty over the direction of travel EU law making will take, there is some activity this autumn that businesses can predict with confidence.

In the weeks before the European Parliament broke off for the elections, MEPs worked feverishly behind the scenes with colleagues in the Council of Ministers to reach an informal consensus on a number of legislative proposals that the European Commission had outlined. Time pressures before the dissolution of parliament in May for the elections meant that while MEPs voted to adopt some of the legislative proposals, all the legal linguistic work that goes into finalising the wording of EU legislation could not be undertaken properly before the Parliament voted on them.

However, the parliament’s corrigendum procedure allows for corrections to be made to adopted legal texts and then put back before the parliament for ‘silent’ approval. Provided no objection is raised, the corrected text is the one that is deemed to be adopted – and it is this text that then goes to the Council for it to vote on adopting.

The Council of Ministers provided an insight into how this process might work in June, when it listed the corrigenda it expects to pass over to the new parliament for approval and for its subsequent adoption. Its list referred to 25 different legislative files. If the new parliament approves the corrigenda, the Council said it “should be able to approve the position” that the parliament adopts on those legislative files and therefore vote itself to adopt the proposals into EU law based on the parliament’s wording.

The Council’s list only refers to some of the many EU legislative proposals on the slate. It does not include other legislative files that have made less progress in the EU law-making process, including important proposals like those in the draft Green Claims Directive. Nevertheless, the list trails some significant EU legislation.

Below, Pinsent Masons colleagues shine a spotlight on two specific legislative files, but the Council’s list also includes legislative proposals for: the establishment of a so-called European health data space; a new certification framework for carbon removals; new rules on urban wastewater treatment, air quality, and packaging; reform of EU design rights law; prohibiting products made with forced labour from being placed on the EU market; establishing a new liability regime for defective products; and helping companies access the capital they need to grow.

The EU Cyber Resilience Act

The proposed new Cyber Resilience Act is aimed at ensuring that robust cybersecurity measures are baked into “products with digital elements” being sold in the EU. This concept is wide-ranging, meaning the legislation will apply to a wide range of product manufacturers – as well as importers and distributors of those goods.

Munich-based technology, data and cyber law expert Stephan Appt of Pinsent Masons said: “The definition of ‘products with digital elements’ is very broad and covers a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately. The Act applies to products whose intended purpose or reasonably foreseeable use includes a data connection to a device or network, as is typically the case with smart home products or other ‘internet of things’ devices. Therefore, this law will have an impact on the entire supply chain, affecting both the software and hardware markets.”

Manufacturers will have to undertake a cybersecurity risk assessment pertaining to their in-scope products and take action to address the risks identified and ensure “an appropriate level of security” before those products are placed on the EU market. They also face record-keeping, disclosure and reporting obligations – including rules requiring them to make technical documentation about their products publicly available. They will also have to notify regulators and, in some cases, consumers, upon becoming aware of exploited vulnerabilities with, or severe incidents impacting, their products.

The Cyber Resilience Act is not prescriptive in terms of dictating to companies how to achieve ‘an appropriate level of security’ through technical or organisational measures, but its annexes do set out basic security requirements the products must meet – including that vulnerabilities can be addressed through security updates, that there are appropriate control mechanisms to prevent unauthorised access to the hardware, software or networks in question, and that users are able to permanently remove data and settings.

Appt said: “The support period for which manufacturers must ensure the effective handling of vulnerabilities should generally not be less than five years.”

For many in-scope products, manufacturers will be able to undertake their own conformity assessment before placing their products on the EU market. However, for products that qualify as ‘important’ or ‘critical’ products with digital elements – such as routers, security software, connected toys, smart alarms or baby monitors, and wearable health trackers, on the one hand, and smart meter gateways on the other – a stricter conformity assessment procedure will apply, which could entail manufacturers subjecting their products to external assessment or certification before they are placed on the market.

For importers and distributors of in-scope products, their duties include checking that conformity assessment procedures have been completed, that technical documentation for the relevant products have been drawn up, and – in certain scenarios – reporting security risks they believe exist in products to regulators and withdrawing non-compliant products from the market.

The cybersecurity requirements proposed under the Act cover the design, development and production of the in-scope products and are therefore likely to impact not just manufacturers but businesses within the manufacturing supply chain.

“Only limited categories of products that are already tightly regulated, like medical devices, certified products used in aircraft, and vehicles already subject to type-approval requirements, are exempt from the Act,” Appt said. “Other exemptions apply to websites that do not support the functionality of a product with digital elements, and cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements, such as Software as a Service (SaaS) models, which are addressed by the second Network and Information Security Directive (NIS2).”

NIS2 is one of a number of cybersecurity rulebooks that will sit alongside the Cyber Resilience Act when the legislation is in force. There is also cross-over between the Cyber Resilience Act and rafts of other EU legislation, including the General Data Protection Regulation (GDPR) and AI Act.

Businesses that fail to comply with the Cyber Resilience Act could face fines of up to €15 million or 2.5% of their total worldwide annual turnover for the preceding financial year, whichever is higher. Most of provisions will take effect three years after the Act enters into force, though it is envisaged that manufacturers’ reporting obligations in relation to exploited vulnerabilities and severe incidents will apply from 21 months after the regulation enters into force.

Appt said: “Businesses, regardless of whether located in the EU or abroad, must be aware of the scope of the Cyber Resilience Act and conduct a thorough inventory of their individual products to get ahead of these forthcoming new requirements. This will allow them to implement any necessary compliance measures. Given that this process requires significant time and resources, it is crucial to act early to ensure reliable performance and maintain customer trust.”

“The relevance of the Cyber Resilience Act will go beyond the obligation to implement specific cybersecurity requirements and will also impact warranty and product liability law: a product that does not comply with Cyber Resilience Act requirements will likely fall foul of the level of security that customers can objectively expect from a product, thus, rendering the product to be defective in the sense of warranty. Similarly, for purposes of product liability a non-compliant product will likely be considered defective and may give rise to strict product liability claims,” he added.

According to Appt, as new laws like the Cyber Resilience Act emerge, businesses should anticipate that the objective basic level of cybersecurity expected of them will continue to rise.

“In addition to the public law sanctions, manufacturers, importers and dealers with regard to warranty law will also have to expect stricter liability for neglected cybersecurity in the future,” Appt said, adding that businesses can obtain a “competitive advantage” by taking action to get ahead of compliance obligations arising from the Cyber Resilience Act.

“Speed in achieving a satisfactory level of compliance with cybersecurity requirements may mean a competitive advantage where this is used as a value-creating factor of the product,” he said.

The Platform Workers Directive

In recent years, there have been high-profile examples of online businesses emerging and disrupting the status quo in their respective markets by using digital infrastructure and other technologies, including to enable consumers to access products or services in the physical world in a convenient way.

Uber offers one example, enabling consumers to request a taxi ride via a mobile app and a pool of drivers to decide whether to accept the fare, which is calculated through algorithms. Other examples are prominent in the world of online takeaway delivery, where the platforms not only connect consumers with delivery drivers – they also connect them with takeaway restaurants. There are further online-only examples of platforms being involved in organising work.

The Platform Workers Directive represents EU policymakers’ attempt to legislate specifically on the question of workers’ rights in the context of platform work.

At the heart of the legislative proposals are plans to establish a new legal presumption regarding the employment status of people performing platform work. Under the plans, those people would be considered employees of ‘digital labour platforms’ “when facts indicating control and direction … are found”.

The draft law provides that ‘control and direction’ can be exerted by digital labour platforms in different ways, not just directly but also through the application of sanctions, the way they treat platform workers or the pressure they put on them. How the facts apply in each case will, the proposals state, be determined with reference to national law, collective agreements or practice in force in an EU member state, with the case law of the Court of Justice of the EU also a relevant factor. The proposals give the platforms scope to rebut the presumption, but the burden of proof will be on them to show that law, collective agreements or practices do not support the presumption that the arrangements in place between them and the workers is that of an employment relationship.

The proposed new directive requires EU countries to have “appropriate and effective procedures in place to verify and ensure the correct determination of the employment status of persons performing platform work, with a view to ascertaining the existence of an employment relationship”, and it also envisages that guidance will be made available to help platforms ascertain whether an employment relationship exists in the context of their arrangements with platform workers.

Munich-based employment law expert Dr. Joël Hofmann of Pinsent Masons said the planned legal presumption of employment is a significant development from a German law perspective.

Hofmann said: “The assessment on the basis of ‘control and direction’ is very close to the criteria already used in German law in the context of the relevant definition for the classification of an employment relationship under social security law. This should be seen quite favorably by platform operators in Germany as they can make their assessment based, to a certain degree, on already known criteria and therefore evaluate the risk of the legal presumption of employment more easily.”

“Nevertheless, from a practical point of view, the chosen scope of the legal presumption of employment is not ideal. The reason behind this is that – contrary to the original draft of the directive – it applies to all relevant administrative or judicial proceedings, but explicitly not to tax law. This change should have been avoided in order to circumvent different assessments of the same situation under social and tax law. Yet, it remains to be seen how all this will ultimately be transferred to national law. This is something platform operators should keep an eye out for,” he said.

Further rules under the proposed new directive would require digital labour platforms to inform platform workers about their use of automated monitoring or decision-making systems and place limits on what personal data of platform workers they can process if using such systems – including a ban on processing data on their psychological or physical state, from their private conversations, or about the workers when they are not performing or offering platform work. The planned rules also provide for human oversight of the operation of automated monitoring or decision-making systems and rights for platform workers to human review of decisions taken by such systems.

Amsterdam-based employment law expert Stephanie Dekker of Pinsent Masons said: “The directive provides for more specific data protection safeguards, thereby providing for a higher level of protection than the GDPR in the context of platform work. It is recommended that digital labour platforms consider how these additional safeguards will impact their systems, staffing, processes and information obligations.”

Dekker added that the proposed directive also sets out specific conditions around the protection of health and safety of platform workers, including requiring that digital labour platforms shall not use automated monitoring or decision-making systems in any manner that puts undue pressure on platform workers or otherwise puts their safety and physical and mental health at risk. She said the directive would also require EU countries to ensure that digital labour platforms take preventative measures, including effective reporting channels, to ensure the health and safety of platform workers, including protection from violence and harassment.

“These conditions should be taken into consideration as well as part of an impact assessment,” Dekker said.

The proposed new rules are envisaged to take effect across the EU two years after the directive enters into force.

What to expect from the new European Commission

Ursula von der Leyen’s new Commission is being assembled at a time when the challenges facing the EU have been laid out starkly in Mario Draghi’s report, which warned of the “existential threat” facing the EU unless it cannot arrest the stagnation it has seen in economic growth.

Draghi identified challenges for the EU around enabling the commercialisation of technological innovation, including from a financing and skills perspective, as well as a need to avoid an uncoordinated approach towards decarbonisation – to maximise growth opportunities. He further warned that Europe must address its exposure to risks arising from its dependency on suppliers of important materials and components elsewhere in the world and said the EU must get away from imposing too much regulation, from slow law-making, and from EU member states taking disparate actions in major areas of industrial policy.

Draghi prepared his report at the request of von der Leyen who now faces the challenge of addressing the problems he has identified between now and 2029. The political guidelines she has developed for the next Commission provide clues for businesses on what action they can expect.

The guidelines trail a raft of measures which will be designed to catalyse private investment within the EU – including new risk-absorbing measures to make it easier for commercial banks, investors and venture capital to finance fast-growing companies – as well as a series of initiatives aimed at driving up skills.

In terms of regulation, each new EU commissioner will be tasked with reducing red tape as part of plans to make business easier and faster in the single market.

Some new regulation is trailed, however, including, in the field of life sciences and healthcare where a Critical Medicines Act to reduce dependencies relating to critical medicines and ingredients and a new Biotech Act to help new biotech medicines reach patients faster are planned. The Biotech Act will be put forward in 2025, according to the guidelines, and will form part of “a broader strategy for European life sciences to look at how we can support our green and digital transitions and develop high-value technologies”. Healthcare providers can also expect a new cybersecurity action plan to be introduced in the first 100 days of von der Leyen’s mandate.

A new European Climate Law is also anticipated, which will enshrine the EU’s commitment to lower greenhouse gas emissions by 90% from 1990 levels by 2040 into EU law.

A new Industrial Decarbonisation Accelerator Act is also planned. This will “channel investment in infrastructure and industry”, “support European lead markets for the development, production and diffusion in industry of clean tech”, and further “help to speed up related planning, tendering and permitting processes”. It will form part of wider plans to ensure “competitive industries and quality jobs” through a just clean industrial transition, with a new ‘Clean Industrial Deal’ to be outlined in this respect within the first 100 days of von der Leyen’s mandate.

Other environmental regulation is trailed too, with a new Circular Economy Act planned “to create market demand for secondary materials and a single market for waste, notably in relation to critical raw materials”. A simplification of chemicals regulation – including potential reforms in the context of so-called ‘forever chemicals’ – is also on the agenda.

In tech, von der Leyen has promised to “step up” investment in “the next wave of frontier technologies”, citing supercomputing, semiconductors, the Internet of Things, genomics, quantum computing, and space tech as examples. On AI specifically, she has provided an AI Factories Initiative will be introduced in the first 100 days of her new mandate to ensure the EU has access to new, tailored supercomputing capacity for AI start-ups and industry. She also said her new Commission will work to develop a new ‘apply AI’ strategy to boost industrial uses of AI and improve the delivery of public services.

To help power technologies like AI, the new Commission is also planning to outline a new European data union strategy. This strategy is expected to draw on existing rules and will be designed to “ensure a simplified, clear and coherent legal framework for businesses and administrations to share data seamlessly and at scale, while respecting high privacy and security standards”.

Technology companies can also expect the new Commission to “ramp up and intensify” its enforcement of the Digital Services Act and the Digital Markets Act, according to the guidelines.

Actions for businesses

It has become the norm for businesses to have to navigate challenging economic conditions and some political instability to operate successfully. As businesses look ahead to how the policy and regulatory landscape will evolve this autumn and beyond, there are things they can do to make the process of change smoother on their operations.

Focus on horizon scanning for your sector

The outline of the Commission’s policy and legislative agenda for this next session is becoming clearer but is continually developing. Companies should be actively monitoring the main directorates, influential MEPs and committees in the European Parliament and the actions and agenda of the Council of Ministers to anticipate and prepare for future legislative changes. This proactive approach will ensure that companies can adapt and respond in a timely and effective manner.

Stakeholder mapping and engagement

There has been a significant amount of change in the EU across 2024, so while there is legislation being progressed, many of the stakeholders have changed. There is a new European Parliament which now leans more to the right, which will have an impact on policy- and law-making, as well as a new Commission that is soon to be confirmed. Businesses will need to understand who their new key stakeholders are and begin mapping out when and how to engage with them on the legislative files most important to them.

Develop clear asks and show your expertise

Businesses can bring a great deal of benefit to the development of new policy and legislation. Business expertise can help policymakers to understand the practical impacts of proposed legislation, joining up the legal and public policy elements of the policy process. However, organisations should be prepared to clearly explain their position to ensure conversations with policymakers contribute to the improvement of legislation.