Tag Archives: EU

A More Volatile World: The Digital Omnibus

On November 19, 2025, the European Commission unveiled a landmark proposal: the Digital Omnibus Regulation. This initiative is not just another legislative tweak – it signals a philosophical shift in how Europe approaches digital regulation. In a world increasingly defined by volatility, complexity, and rapid technological change, the Commission seems to be saying: “We’ve heard you – let’s regulate, but let’s make it easier to comply.”

Why Now? The Context Behind the ‘Digital Omnibus’

The proposal comes against a backdrop of mounting pressure on Europe’s competitiveness. In his now-famous “Please, do something” speech to the European Parliament, Mario Draghi urged EU institutions to act decisively to restore Europe’s ability to innovate and compete globally. Could the Digital Omnibus be seen as a response to this heartfelt appeal?

For years, the EU has been a global pioneer in digital regulation – think GDPR, AI Act, Data Act, Digital Services Act (DSA), Digital Markets Act (DMA), NIS2, and more. But this success has come at a cost: fragmentation, complexity, and heavy compliance burdens. Businesses have struggled to navigate overlapping obligations. The Digital Omnibus is designed to change that. In the “explanatory memorandum” to the Digital Omnibus, the Commission emblematically acknowledges, for instance, that “some entities, especially smaller companies and associations with a low number of non-intensive, often low-risk data processing operations, expressed concerns regarding the application of some obligations of the GDPR”.

The ‘Digital Omnibus’ Proposal

The proposal introduces technical amendments and structural simplifications across a wide range of legislation, including:

  • General Data Protection Regulation (GDPR)
  • AI Act
  • Data Act
  • ePrivacy Directive
  • NIS2 Directive
  • Data Governance Act
  • Free Flow of Non-Personal Data Regulation
  • Platform-to-Business (P2B) Regulation (to be repealed)

Key Highlights

  • GDPR Simplification:
    • Clarifies the definition of personal data
    • Supports controllers with respect to the criteria and means to determine whether data resulting from pseudonymization does not constitute personal data
    • Introduces flexibility for AI development: processing personal data for AI training under “legitimate interest,” with safeguards.
    • Modernizes cookie consent rules – centralized browser settings to end “cookie fatigue.”
  • AI Act Adjustments:
    • Expands regulatory sandboxes and simplifies compliance for SMEs and mid-cap companies.
    • Clarifies the interplay between the AI Act and other EU legislation
    • Introduces an obligation on the Commission and Member States to foster AI literacy
  • Incident Reporting:
    • Creates a single-entry point for incident notifications under GDPR, NIS2, DORA, and CER – ending duplicative reporting.

A New Philosophy?

There are strong indications that the “Digital Omnibus” is more than a mere technical adjustment and may represent a strategic shift in EU “digital law”. The proposals will now proceed to the European Parliament and the Council for deliberation. It remains to be seen whether words will be turned into action.

Substances of Human Origin (or SoHO): the New EU Regulation

PURPOSE OF THE NEW REGULATION. On June 13, 2024, the European Parliament and the Council adopted a new regulation on the substances of human origin (so-called SoHO), repealing Directives 2002/98/EC and 2004/23/EC. The new regulation:

  • was necessary because previous directives only partially managed to harmonize member states’ legislation on cells, tissues and blood; also, a new definition of SoHO was needed;
  • introduces mechanisms to grant continuity and resilience of SoHO supplies and to facilitate EU cross border exchanges and access to SoHO;
  • enhances safety of donors and recipients (including the offspring born from medically assisted procreation).

WHAT IS A ‘SOHO’? A SoHO is now defined as “any substance collected from the human body, whether or not it contains cells and whether or not those cells are alive, including SoHO preparations resulting from the processing of the above-mentioned substance”. The definition has been expanded to include breast milk and gut microbiota, as well as blood preparations different from those used for transfusions. Any future SoHO will be automatically included in the regulation. The regulation also defines SoHO preparation as a SoHO subjected to processing, with a specific clinical indication, intended for human application on a recipient or for distribution.

WHO DEALS WITH SOHO? The regulation also defines which will be the main actors in the organizational chain from SoHO donation to application. Specifically:

  • A SoHO entity is a legal entity established in the EU that carries out SoHO-related activities (e.g. collection, processing, control, storage, release, distribution, import, export, application on human beings, clinical studies and outcomes recording on SoHO preparations)
  • A SoHO establishment is a SoHO entity that carries out one of the following SoHO-related activities: A) both processing and storage; B) release; C) import; D) export;
  • Competent authorities for SoHO are appointed by each member state and 1) maintain SoHO entities’ registry, 2) deal with authorization process for SoHO establishments and SoHO preparations 3) carry out inspections and evaluate plans for monitoring clinical outcomes.

WHEN? The regulation will be enforceable by mid-2027.

TAKEAWAYS. Apparently, it is science-friendly as the definition of SoHO will be broader and more flexible than before. Also, in view of its structure, there is hope that it will succeed in ensuring more uniformity and granting an enhanced minimum level of safety across the EU.

New Obligations for Companies Under the Proposed CS3D

The proposed Corporate Sustainability Due Diligence Directive, so-called CS3D, may set new rules binding large EU or non-EU companies aimed at preventing adverse impacts on the environment and human rights resulting not only from their own operations, but also from those of their business partners.

CS3D has been criticized for its strong impact on the whole supply chain. While only large companies are in scope, vendors of such obligated entities will need to comply with such entities’ policies inspired by CS3D.

What Are the Proposed Obligations?

New due diligence requirements are supposed to be established by CS3D and may subsequently be implemented by each member state. According to the text under discussion, companies will have to identify, prevent, stop, mitigate and account for the adverse impacts on the environment and human rights caused by their activities. In addition, they will need to have a plan to ensure that their business strategy is compatible with limiting global warming to 1.5°C in line with the Paris Agreement and the climate neutrality goals set by Regulation (EU) 2021/1119.

Which Companies are In Scope of CS3D?

CS3D would apply to European companies that:

  • have, on average, more than 250 employees and a global net turnover of more than EUR 40 million in the last financial year for which the annual accounts were drawn up;
  • even if they do not meet the minimum thresholds, are the parent company of a group that had 500 employees and a global net turnover of more than EUR 150 million in the last financial year for which the annual accounts were drawn up.

It would also apply to third-country companies that:

  • generated a global net turnover of more than EUR 150 million, provided that at least EUR 40 million of that turnover was generated in the European Union in the financial year preceding the last financial year, including turnover generated by third-country companies with which the company and/or its subsidiaries have concluded a vertical agreement in the Union in exchange for licensing rights;
  • even if they do not meet the minimum thresholds mentioned in point (a), are the parent company of a group that had 500 employees and a global net turnover of more than EUR 150 million, of which at least EUR 40 million was generated in the European Union in the last financial year for which the annual accounts were drawn up, including turnover generated by third-country companies with which the company and/or its subsidiaries have concluded a vertical agreement in the Union in exchange for licensing rights.

When Will It Enter into Force?

CS3D is still under discussion. The proposal for the Directive was presented by the European Commission on February 23, 2022, and the Parliament adopted the amended text on December 14, 2023. The proposal must be formally approved by the Commission, the Parliament and the Council before it can officially enter into force.

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

On July 4, 2023, the European Commission issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring a better and uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (“Proposal”).

The Proposal has been inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and levelled across the EU, since the proceedings followed by local data protection authorities (“LDPA”) have been found to be differently designed and may thus lead to different application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-border issues should be filed and which contents they should have. In such respect, a template for the filing of cross-border complaints – including a standard pre-determined set of information to be provided – has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and imposes the creation of an administrative file and the parties’ rights of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings since their preliminary phase, in order to limit the recourse to the (time-consuming) dispute resolution mechanism provided by section 65 GDPR to a few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide other involved LDPAs with a “summary of key issues”, where the main findings of facts and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed in order to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, the Proposal, by imposing strict deadlines, aims to prevent undue delays within the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor and may be a good opportunity to level the difference among Member States and make the proceedings more efficient.

Five Key Takeaways from Our Seminar on Clinical Trials

If you missed our seminar on clinical trials on January 16, here are five key takeaways to help you understand the changing regulatory environment in Europe and Italy.

  1. Be ready for a new regulatory landscape

The recent clinical trials regulatory overhaul within the EU aims at fostering research and facilitating the tasks of all actors involved in this area. However, delays in the implementation of such new legislation are posing an actual risk for the entire sector throughout the EU, while competition from emerging economies is getting stronger.

  2. Harmonized, but not enough

In several areas, such as observational studies or ethical committee’s assessments, a unified approach at European level is yet to be adopted. This leaves a lot of fragmentation among the various countries and a lot of work to be done at local level in order to ensure compliance with applicable regulations. Be prepared to deal with such inconveniences, in particular in the pharmaceutical sector.

  3. Changes in data protection laws offer new opportunities but challenges remain

GDPR brought new harmonized provisions to improve and support the use of data for the purpose of conducting research. However, guidance from national data protection and regulatory authorities in areas such as legal grounds for processing and secondary use is far from established. Moreover, different EU countries continue to adopt opposite approaches when it comes to consent and legitimate interest as valid legal grounds for data processing in the framework of clinical research. Data protection compliance will therefore continue to require local check-ups.

  4. New opportunities for independent research

Recent regulatory changes in Italy are being implemented to foster independent not-for-profit research in the clinical area. The new regulations, which are about to be adopted, envisage new opportunities for the participation of private actors in independent research and allow not-for-profit research institutions to better exploit the results of their research. The potential for conflicts remains and caution should be exercised within public-private relationships, but there is hope that new paradigms of collaboration will see the light.

  5. A new world of evidence is out there

More and more projects in the clinical research field involve real world data and real world evidence, gathered in a number of different ways outside the rigid protocols of a controlled study, whether through medical devices or other data collection instruments. Real world data are key to understanding how treatments work in reality and developing new healthcare paths. However, both clinicians and private actors are operating in uncharted territories and the line between studies and alternative research projects is thinner than you may expect. Be mindful of the regulatory and compliance ramifications of these new powerful tools.