Legal Practice Notes

ARCHIVED: This Practice Note is archived and is not being maintained, and will not be updated further. This Practice Note follows the development of the European Commission’s proposal to amend Regulation ( EU) 910/2014 ( OJ L 257/73), the EU e IDAS Regulation, to create a framework for a European Digital Identity. It records milestones as the proposal moved forward. Adopted in 2014, the EU e IDAS Regulation replaced Directive 1999/93/ EC, commonly known as the EU e‑ Signature Directive. Regulation ( EU) 2024/1183, the European Digital Identity Framework, was published in the Official Journal of the EU on 30 April 2024 and entered into force on 20 May 2024. It is expected to streamline access to online services; bolster user trust and confidence in digital interactions; spur the digital economy by encouraging innovation and competition; and lessen the risk of identity theft and...

This Practice Note offers a concise outline of Regulation ( EU) 910/2014 (the e IDAS Regulation), as updated by Regulation ( EU) 2024/1183 (the European Digital Identity Regulation, or EUDI Regulation). The updated regime is commonly known as e IDAS 2.0. The revised e IDAS framework establishes the legal basis for electronic signatures, digital identities and other ‘trust services’ across the EU. It clarifies who may rely on electronic signatures and digital identities, and in what circumstances. It also sets specific obligations for providers of ‘trust services’ and brings in a European Digital Identity Wallet ( EUDI Wallet), scheduled to be available in 2026. This Practice Note focuses solely on EU law; for the general position on electronic signatures under the law of England and Wales, see Practice Note: Electronic...

This Practice Note outlines Directive 2000/31/ EC, the Directive on electronic commerce (the EU E- Commerce Directive), highlighting core definitions, obligations, and the country of origin principle. The defences under the EU E- Commerce Directive—incorporated into Regulation ( EU) 2022/2065, the EU Digital Services Act, from 17 February 2024—are addressed only in brief here. For fuller coverage of intermediary service providers’ liability and the conditional exemptions from liability, see Practice Note: The liability exemptions/defences under the EU Digital Services Act. Background EU businesses operating as information society service providers ( ISSPs) are subject to the EU E- Commerce Directive (together with any relevant local laws in applicable EEA states) for information society services delivered within the EEA. Information society service providers must: make specified information available to service recipients clearly identify commercial communications provide certain information to service recipients with whom an...

Key information Ecodesign Directive Official title: Directive 2009/125/ EC of the European Parliament and of the Council of 21 October 2009, establishing a framework for setting ecodesign requirements for energy‑related products (recast). Repeals: Directive 2005/32/ EC of the European Parliament and of the Council of 6 July 2005 on ecodesign requirements for energy‑using products, without prejudice to the obligations of the Member States regarding the time limits for transposition into national law as laid down in Annex IX, Part B of Directive 2009/125/ EC; and Directive 2008/28/ EC of 11 March 2008, Article 1 only. Entry into force: 20 November 2009. National transposition: See the Eur‑ Lex list of national transposition measures, as provided by Member States. Transposition deadline: 20 November 2010. Amended by: Directive 2012/27/ EU of the European Parliament and of the Council of 25 October 2012 on...

This Practice Note reviews the principal EU legal considerations tied to operating unmanned aircraft, or drones, for leisure and business purposes. It covers: Drones—the basics International aviation regulation European aviation regulation Classification of drones under the Implementing Regulation and the Delegated Regulation Key provisions of the Implementing Regulation Product liability Insurance Cybersecurity Regulating the design and manufacture of UAS Uncrewed aircraft (including other forms of uncrewed aeroplanes) are typically grouped into three main classes. The largest uncrewed types, such as those built for carrying passengers or for extended-range military use, are handled in law in the same manner as crewed aeroplanes. As a result, they face stringent oversight, encompassing platform certification and registration, pilot licences and operating rules comparable to standard civil aviation. This drone class is outside the scope of this Practice Note. Operations with unmanned aircraft that fall short of conventional certification benchmarks, yet can be shown to be safe,...

This tracker highlights important dates linked to EU civilian drone regulation, including key developments and initiatives (also termed unmanned aerial vehicles, or UAVs). It captures consultations, legislative changes and EASA guidance, alongside reports and announcements. For a fuller overview of EU drone law, see Practice Note: Drones—the EU legal framework. To monitor UK actions on drones, see Practice Note: UK drones—tracker. Key developments 3 December 2024 — Legislation: EASA issues updated Easy Access Rules for Standardised European Rules of the Air, bringing together amendments to operating rules on the use of Air Traffic Management and Air Navigation Services systems and constituents in the Single European Sky airspace, the relevant ICAO provisions and the radio communication failure procedure, the associated acceptable means of compliance and guidance material, and the requirements for operating manned aircraft with a vertical take-off and landing...

Background Adopted in 2003, the Market Abuse Directive 2003/6/ EC ( MAD) set an EU‑wide legal framework to safeguard market integrity against insider dealing and market manipulation. In the wake of the extensive harm caused by the financial crisis, MAD’s effectiveness was reviewed, leading the European Commission to recommend its repeal and replacement. Consequently, on 12 June 2014, two new instruments were published in the Official Journal of the European Union: Regulation ( EU) 596/2014 ( EU Market Abuse Regulation) Directive 2014/57/ EU on criminal sanctions for market abuse ( CSMAD) In combination, the EU Market Abuse Regulation and CSMAD displaced MAD and introduced a refreshed EU market abuse regime, capturing a wider array of markets, products and behaviours than before. Both measures took effect on 3 July 2016. For further detail on the EU Market Abuse Regulation, see Practice Note: EU Market Abuse...

This Practice Note monitors developments relating to Regulation ( EU) 2022/2065 on a Single Market for Digital Services and the amendment of Directive 2000/31/ EC (the EU Digital Services Act, or EU DSA). The tracker is organised as follows: General Court and Court of Justice cases Other materials VLOPs and VLOSEs designations Legislative process For further details on enforcement matters, see Practice Note: EU Digital Services Act—enforcement cases tracker. Background In December 2019, through her political guidelines, Commission President Ursula von der Leyen pledged to introduce a new EU DSA to modernise liability and safety standards for digital platforms, services and products. The intention was for the EU DSA to revise the E‑ Commerce Directive and, by comparison, extend its reach to facilities including internet service providers, content delivery networks, search engines, blockchains and cloud services. A public...

This Practice Note outlines the EU approach to the liability of intermediary service providers and the conditional exemptions from liability under Regulation ( EU) 2022/2065, the EU Digital Services Act ( EU DSA). These liability principles were first set out in Directive 2000/31/ EC, the EU E‑ Commerce Directive. From 17 February 2024, the EU DSA repealed and replaced the E‑ Commerce Directive’s liability exemptions and introduced a notice and action mechanism for hosting providers. Where illegal content is provided by recipients of the services, the exemptions apply to information society service providers ( ISSPs) delivering intermediary services that involve only the technical and automatic handling of content. The exemptions examined in this Practice Note are: mere conduit caching hosting The Practice Note also briefly considers Regulation ( EU) 2021/784 on addressing the dissemination of terrorist content online, Directive ( EU)...

This Practice Note monitors enforcement cases concerning Regulation ( EU) 2022/2065 on a Single Market for Digital Services, which amends Directive 2000/31/ EC (the EU Digital Services Act, or EU DSA). Background In December 2019, within her political guidelines, the President of the Commission, Ursula von der Leyen, pledged to bring forward a new EU DSA to refresh liability and safety standards for digital platforms, services and products. The EU DSA is designed to revise the E- Commerce Directive and, by contrast, to carry a broader scope, taking in facilities such as internet access providers, content delivery networks, search engines, blockchains, and cloud services. While the E- Commerce Directive’s liability safe harbours are expected to remain as a guiding principle, they will be specified and codified in harmony with more recently adopted secondary instruments (including Directive ( EU) 2019/790, the DSM Copyright...

FORTHCOMING CHANGE : This Practice Note captures the Digital Omnibus proposal issued on 19 November 2025, aligned with the European Commission’s ‘simplification’ drive. Please note that certain elements and details will be shaped by the political deal concluded by the European Parliament and the Council of the EU on 7 May 2026. This Practice Note will be revised following formal adoption of that agreement in due course. This tracker closely monitors the progress of the European Commission’s proposals for a Digital Omnibus, originally released on 19 November 2025. Background The simplification agenda On 12 February 2025, the Commission approved its 2025 Work Programme setting out key initiatives for the year ahead, including measures to streamline existing regulatory regimes. The 2025 Work Programme builds on the longer‑term framework established by the Competitiveness Compass, published in January 2025. Alongside the 2025 Work Programme, the Commission issued a...

This Practice Note This Practice Note outlines, at a high level, how gatekeepers are designated and the duties they must meet under Regulation ( EU) 2022/1925 on contestable and fair markets in the digital sector, which amends Directive ( EU) 2019/1937 and Directive ( EU) 2020/1828 (the EU Digital Markets Act or EU DMA). It took effect on 1 November 2022 and has applied from 2 May 2023. The EU DMA covers online platforms formally designated as holding ‘gatekeeper status’. Such platforms deliver core platform services acting as a ‘gateway’ between business users and consumers for key digital offerings. The EU DMA tackles the risk that these providers, due to their position, can set private rules, potentially creating bottlenecks across the digital economy. It imposes a catalogue of obligations on ‘gatekeepers’—clear dos and don’ts they must follow. For business users of these core...

Practice Note on financial technology ( Fintech) This Practice Note explores how EU institutions, the European Supervisory Authorities ( ESAs) — namely the European Securities and Markers Authority ( ESMA), the European Banking Authority ( EBA) and the European Insurance and Occupational Pensions Authority ( EIOPA) — together with the European Central Bank ( ECB), pursue innovation in the EU Fintech landscape while maintaining robust oversight. For details of Fintech strategies and initiatives by UK authorities and regulators, see Practice Note: UK regulation of financial innovations and fintech. For insight into supranational activity in this field, see Practice Note: Supranational regulation of financial innovations and Fintech. Technology’s role in delivering financial services is reshaping the industry. Fintech spans an extensive array of technology‑enabled financial services and products. Examples include crowdfunding platforms such as peer‑to‑peer lending, online payments and credit services, digital wallets and e‑money,...

This Practice Note outlines Directive ( EU) 2019/770 ( OJ L 136/1) on certain aspects of contracts for the supply of digital content and digital services—the EU Digital Content Directive ( EU DCD)—brought in as part of the European Commission’s Digital Single Market strategy. The EU DCD sets out a range of consumer rights and remedies for business-to-consumer ( B2C) agreements covering digital content or digital services, and is complemented by Directive ( EU) 2019/771 ( OJ L 136/28) on certain aspects concerning contracts for the sale of goods, the EU Sale of Goods Directive ( EU SGD). For more on the EU SGD, see Practice Note: The EU Sale of Goods Directive. The EU DCD entered into force on 11 June 2019. EU Member States had to adopt and publish the measures needed to comply by 1 July 2021 and to apply them from 1...

This Practice Note reviews the EU legal landscape for digital advertising, encompassing the programmatic purchase and sale of advertising inventory and real-time bidding ( RTB). It examines the legal considerations impacting the digital advertising supply chain, including data protection and privacy, consumer protection, competition, and specific developments for digital markets. It also assesses the key industry, trade and self-regulatory bodies that oversee and regulate these activities across the EU. Introduction Any communication of advertising or marketing material aimed at a particular individual, or group of individuals, however delivered—digitally, by telephone or through print—constitutes direct marketing. Direct marketing is subject to specific rules, especially concerning data privacy and consumer protection. When such material is delivered digitally, these considerations can become even more complex. The term ‘digital’ advertising is an umbrella concept covering the wide array of digital, online and social media channels available to...

Introduction The ability to trade is fundamental to debt securities. Investors’ capacity to buy and sell them rests on: standardisation of terms and conditions (see Practice Notes on Terms and conditions of debt securities and Terms and conditions—first time issuer's guide) the fungible nature of the instruments (see Practice Note: Key legal issues in English law in debt capital markets—fungibility) the presence of a secure, efficient and liquid market—allowing rapid, straightforward sales at steady prices This market relies on a wide-ranging framework of systems and services, grouped into four main areas: mechanisms that generate, sustain, or provide access to liquidity (trading infrastructure) arrangements that remove counterparty non-completion risk in concluded sale and purchase contracts (clearing infrastructure) systems that facilitate delivery of securities from one holder to another in fulfilment of an agreed sale and purchase or other...

STOP PRESS : This Practice Note reflects the law as it currently stands; however, be aware that some elements will be affected by the Digital Omnibus proposals released on 19 November 2025 under the Commission’s ‘simplification’ agenda. For more detail, see Practice Note: EU Digital Omnibus—tracker. The European Strategy for Data seeks to build a single European data market by enabling responsible access, wider sharing and re-use of personal and non-personal data, in line with EU values and existing legislation, notably on personal data protection, consumer protection and competition rules. Regulation ( EU) 2022/868, the Data Governance Act ( DGA), reinforces governance within the single European market and creates a framework to enable both general and sector-specific data sharing, while Regulation ( EU) 2023/2854, the Data Act ( DA), concerns the substantive rights to access and use data. It is estimated that data...

This Practice Note charts the principal stages of EU legislative action on cyber security, mapping the developments across the initiatives set out below. Key EU cyber security initiatives include: Revised EU Cybersecurity Act (proposal issued on 20 January 2026) EU Cybersecurity Act (adopted, with amendments adopted in January 2025) Digital Operational Resilience Act or DORA (adopted, applying from 17 January 2025) NIS 2 Directive (adopted, in force from 18 October 2024; amendments proposed on 20 January 2026) EU Critical Entities Resilience Directive or CER (adopted, in force from 18 October 2024) EU Cyber Security Regulation (adopted, in force from 7 January 2024) EU Cyber Resilience Act (adopted, applies from 11 December 2027) EU Cyber Solidarity Act (adopted, in force from 4 February 2025) All of these measures are monitored in this note, except DORA, whose...

STOP PRESS This Practice Note sets out the law as it currently stands in legislative terms, but note that certain elements will be materially affected by the Digital Omnibus proposals issued on 19 November 2025 under the Commission’s ‘simplification’ programme. For further information and updates, see Practice Note: EU Digital Omnibus—tracker. It offers, by way of summary, a concise, high-level survey of EU cybersecurity legislation and regulation at EU level, with particular emphasis on: Regulation ( EU) 2016/679, the EU General Data Protection Regulation ( EU GDPR) Directive ( EU) 2022/2555, the EU’s second Network and Information Systems Directive ( NIS 2 Directive), which superseded and replaced Directive ( EU) 2016/1148, the NIS Directive Directive ( EU) 2022/2557, the EU Critical Entities Resilience Directive ( CER Directive) Directive 2002/58/ EC, the EU e Privacy Directive Directive ( EU)...

This Practice Note outlines the material, personal and territorial reach and application of Regulation ( EU) 2024/2847, the EU Cyber Resilience Act ( CRA). It further sets out how products are categorised under the CRA, including non‑critical, important and critical products. For further background on the CRA and the key obligations placed on economic operators, see the following Practice Notes: The EU Cyber Resilience Act—overview and regulatory framework The EU Cyber Resilience Act—obligations, compliance and enforcement The CRA is the first EU measure of its kind, imposing mandatory cyber security standards for ‘products with digital elements’ across the Union. Items failing to satisfy these requirements will be barred from sale on the EU market from December 2027 onwards. Meeting the CRA will therefore be vital for market entry into the EU for both hardware and software....