Top Five EMEA Technology Trends to Watch in 2024

Top Five EMEA Technology Trends to Watch in 2024

January 25, 2024, Covington Alert

At the beginning of a new year, we are looking ahead to five key technology trends in the EMEA region that are likely to impact businesses in 2024.

European Union

If 2023 was the year that EU technology legislation started to take effect, 2024 will be the year of enforcement:

• The Digital Services Act (DSA): The DSA, which imposes content moderation and related requirements on providers of certain online services, started to apply to “very large online platforms” (VLOPs) and “very large online search engines“ from 25 August 2023, and will apply to all other intermediary services from 17 February 2024. At least two companies have launched legal proceedings to challenge their VLOP designations. The European Commission announced additional VLOP designations in December 2023, and may designate further VLOPs in 2024, which may result in further legal challenges. In October 2023, the Commission also opened its first investigations into certain VLOPs’ compliance with the DSA, and we expect such enforcement to progress across 2024.
• The Digital Markets Act (DMA): The DMA imposes a range of obligations and prohibitions on online service providers designated as “gatekeepers” with respect to their “core platform services.” The European Commission designated six initial gatekeepers in September 2023, for a total of 22 core platform services provided by these gatekeepers. The DMA’s substantive obligations, such as its ban on self-preferencing, will take effect in March 2024. At least three companies have initiated legal challenges against either their designation as ‘gatekeepers’ or against the designation of certain of their services as core platform services. The European Commission is likely to designate more gatekeepers, and additional core platform services, in 2024, which may result in further litigation, and the Commission may start investigations into gatekeepers’ compliance following March 2024.
• The Data Act (DA): The DA, which was published in the Official Journal of the EU on 22 December 2023, will start to apply on 12 September 2025 with respect to certain obligations, with the Act fully applying in 2027. Three particular areas of the DA that are likely to have significant impacts on technology companies are: (1) data sharing obligations for connected devices and related services, (2) data portability obligations for cloud services, and (3) obligations to disclose data to national governments in emergency situations.
• The Data Governance Act (DGA): The DGA, which amongst other things establishes a new compliance framework for providers of data intermediation services, has been applicable since 24 September 2023.

Also in 2024, proposals published under the European Data Strategy will take shape, such as the European Health Data Space (which is expected to progress to interinstitutional negotiations in early 2024), and EU legislation targeting artificial intelligence (AI) systems. A provisional agreement on the AI Act was reached on 9 December 2023, and a full draft text was published on 21 January 2024. In addition, the AI Liability Directive and revised Product Liability Directive are close to being finalized. These legislative developments will have a significant impact on the way that businesses develop and deploy AI systems, and may create new regulatory enforcement and litigation exposure for providers of software and other technology products and services.

United Kingdom

2023 saw the UK make strides in tech regulation, and we expect that trend to continue in 2024. The Online Safety Act(OSA) passed into law on 26 October 2023 and will create significant new compliance obligations for providers of online services to prevent and rapidly remove illegal content. 2024 will see Ofcom, the UK communications regulator, publish a series of codes of conduct that will assist tech companies in complying with the OSA. Additionally, as we reported here, the UK affirmed its “pro-innovation” approach to AI regulation with the publication of a white paper in March 2023. In addition, the UK government intends to bring forward reforms in 2024 to the UK GDPR via the Data Protection and Digital Information Bill (as we reported here), and a broad regulatory regime governing automated vehicles via the Automated Vehicles Bill.

Middle East

2023 saw the UAE leading the way in issuing a new e-commerce law (Federal Decree Law No.14/2023 on Trading by Modern Technological Means), which came into force towards the end of the year. The new law seeks to transform trade by taking into account the latest technologies and digital infrastructure. The law applies to websites, smart phone applications, blockchain-based platforms, social media and virtual stores, and includes standards for cybersecurity requirements and consumer privacy. The law could have a significant impact on commerce, but also overlaps with many other laws. Business will have to carefully navigate potentially overlapping and conflicting frameworks. Implementing regulations are expected in 2024. We expect that other jurisdictions in the region will update their laws in 2024 to similarly account for technological innovations.

Also in 2023, UAE and Saudi Arabia published guides on ethical AI use and use cases. Most recently, the Saudi Data and Artificial Intelligences Authority (SDAIA) published Generative AI Guidelines that incorporate AI ethics principles, but also highlight the benefits and risks of AI and include risk mitigation strategies. We expect that the UAE and Saudi will continue to focus on AI guidelines in 2024.

Africa

African countries are likely to adopt laws similar to the EU’s Digital Services Act, aimed at imposing stricter content moderation rules on digital platforms, against the threat of substantial fines.

With African countries working together to prevent barriers to the emergence and expansion of African digital platforms, acquisitions by multinational tech companies are likely to be plagued with legal challenges in an effort to thwart reliance on foreign technology resources and to promote competition within African markets.

The sharp rise in enforcement action in 2023 is likely to persist and increase in the short-to-medium term. Data protection authorities across the continent are likely to follow enforcement trends, with a potentially high contagion effect given the foundational similarities between the various privacy laws across the continent.

Countries such as South Africa, Nigeria, Kenya and Uganda have spearheaded a move to introduce taxes on mobile transactions, internet data, and money transfers. Africa is still in the nascent stages of developing digital services tax frameworks, but governments are likely to push for implementation and enforcement in the short-to-medium term. While African countries appear unlikely to adopt a global minimum tax rate on digital services, is seems that national tax rates are likely to be determined depending on the number of multinational corporations in the country and the revenue derived from digital services consumers in the market jurisdictions.

European Union

We expect a number of cyber-related legislative developments in the EU in 2024 that will affect providers of cloud services based outside of the EU and manufacturers of connected devices, including:

• The EU is close to finalising the EU Cybersecurity Certification Scheme for Cloud Services (EUCS), as we reported here. The EUCS may prevent cloud providers that are subject to non-EU laws, including non-EU government demands for data, from obtaining the highest level of certification, which may have consequential effects on those providers as a result of other legislation described below.
• The EU legislature recently finalised the Cyber Resilience Act (CRA), which we expect to be published in the Official Journal of the EU in early 2024. The CRA will impose cybersecurity-related obligations on manufacturers, distributors, and importers of “products with digital elements” that are placed on the EU market. This term covers hardware and software products that connect to the internet and other networks, including smart speakers, some microprocessors, and operating systems. The CRA will also require certain “critical” classes of these products to undergo a certification process before they can be placed on the EU market.
• Member States are required to transpose the Network and Information Security 2 (NIS 2) Directive, which replaces the existing NIS Directive, by 17 October 2024. NIS 2 will require certain types of organizations (such as energy, transport, pharmaceuticals, and various types of digital service providers including cloud computing and DNS service providers) to comply with strict cyber security and incident response standards. Member States may also require covered providers to use only ICT products and services that have achieved specific certifications, for example, certification to a specific standard under the EUCS.
• Finally, negotiations are ongoing regarding the Cyber Solidarity Act. The primary impact of this Act on private companies is that it aims to establish a “cyber reserve” of private operators that are approved to assist public authorities in responding to cyber incidents that affect them. Notably, similar to NIS 2, the Commission’s proposal could require such approved operators to achieve specific certifications.

United Kingdom

At present, the UK’s “horizontal” (i.e., cross-sector) cyber security regime is based on the existing EU NIS Directive, and is therefore aligned with the EU rules. We expect to see greater divergence in 2024. The UK Government consulted on its intended update to its implementation of the NIS Directive in 2022, and we expect to get some clarity on this in the coming year. In parallel to the EU CRA, the UK Government implemented Regulations under the Product Security and Telecommunications Infrastructure Act 2022 which impose more limited obligations than are set out in the CRA on manufacturers of certain connected products (including IoT devices) from 29 April 2024.

Middle East and Africa

The cumulative growth of African economies will contribute to an increase in demand for Internet and digital services in 2024. However, development of the digital sphere across Africa has outpaced the development of cybersecurity laws and regulations. Roughly a third of African countries have not yet developed laws dealing with information security, making it difficult to effectively deal with cyberthreats and complicating the implementation and enforcement of cybersecurity measures. With the increasing availability of the Internet in Africa, an increase in the activities of international organized cybercrime networks in the region is to be expected.

The Middle East faces similar challenges. Deployment of innovative technology far outpaces the development of cybersecurity regulatory frameworks. Saudi Arabia leads the region in several developed cyber frameworks and requirements, applicable in various circumstances (government data, cloud computing, telework). The UAE updated its National Cybersecurity Strategy in 2023, and implementing frameworks like the Information Assurance Regulation provide minimum levels of security requirements for applicable entities. In 2024, we expect that UAE will continue to issue cyber policies. Other jurisdictions are likely follow suit, given the region’s vulnerability to cybercrime.

European Union and United Kingdom

As things stand, the UK and EU have each determined that the other offers adequate protection for personal data, smoothing international data flows. Nonetheless, the EU is monitoring changes to UK legislation that may affect this determination. In particular, the “adequacy” of the UK’s data protection regime could be reconsidered depending on the final text of the Data Protection and Digital Information Bill, which will mark the first significant amendment to the UK’s data protection regime post-Brexit. Any loss of adequacy could cause significant business disruption.

United States

After a turbulent few years following the judgment in Schrems II, 2023 saw agreement on the long-awaited EU-U.S. Data Privacy Framework (and the UK’s subsequent enactment of an Extension thereto). Under this Data Privacy Framework, companies certified by the U.S. Department of Commerce can receive EU data subjects’ personal data in the U.S. without the need to implement additional safeguards to protect the data outside the EU.

However, the validity of the Data Privacy Framework will undoubtedly be tested before EU courts. At least one challenge has already been brought before the General Court, and more will likely follow. A key area of contention, as with the former EU-U.S. Privacy Shield, may be the extent to which U.S. law imposes limits on the ability of U.S. intelligence agencies to access the personal data of EU data subjects.

Middle East and Africa

There currently is no harmonised framework for cross-border data flows in the Middle East or Africa. Instead, Middle East jurisdictions and African states have concluded bilateral and multilateral agreements regulating the cross-border flows of data amongst themselves and with third parties. The extent of regulation of cross-border data flows in free trade agreements and preferential trade agreements currently range from none, to vague and imprecise. Some of the existing provisions speak to data protection in cross-border data flows while others are silent. 

Although many Middle East jurisdictions have adopted laws containing less restrictive measures for cross border transfers to jurisdictions having adequate protection, most jurisdictions have yet to issue any guidance or adequacy decisions on which jurisdictions may be considered to have adequate protection. In addition, many jurisdictions require notification to or authorization from data protection authorities for cross border transfers, but the relevant procedures and requirements haven’t yet been published. Government data and health data require localization in several jurisdictions as well, but lack of published guidance is creating issues for compliance. We expect that 2024 may bring greater clarity on these issues.

The African Union Convention on Cyber Security and Personal Data Protection (“Malabo Convention”), which calls for harmonisation of laws and policies on cross-border transfer of data amongst its members, came into effect on 8 June 2023. The Malabo Convention harmonises domestic data protection legislation in Africa, but it is binding only on those that have ratified it -- currently less than a quarter of African countries. The African Continental Free Trade Area (“AfCFTA”) is the latest free trade area to be constituted in Africa. Forty-six and fifty-four African countries have respectively ratified and signed the Agreement establishing the AfCFTA. The AfCFTA Agreement aims to create a single African market and liberalise trade in goods and services, however, there currently is no express provision under the AfCFTA Agreement or its protocols that speak to cross-border data flows within the continent. There is, however, an indication that cross-border data flow provisions form part of the ongoing negotiations of the AfCFTA Protocol on Digital Trade.

Both the US and the EU will seek to build out internal capacity for critical technology manufacturing and development. Taking the example of semiconductors, the U.S. Government is set to announce further funding awards for the most advanced chips in 2024 under the CHIPS Act, and the EU’s own European Chips Act, which entered into force in September 2023, will see it begin to implement the ‘Chips for Europe’ initiative, in part to provide support to companies facing difficulties in accessing finance in the semiconductor value chain. Meanwhile, the UK Government will look to amplify the UK’s strengths in R&D, IP, and compound semiconductors, under its Semiconductor Strategy.

This desire to onshore and develop national critical technology industries can (and is often designed to) attract inward foreign investment. This more favourable financial investment environment clashes with the growing number of national investment screening regimes that entered into force or were significantly reformed in 2023 (many of which involve close scrutiny of investments in the semiconductor industry). This is a particular consideration for institutional and industry investors looking to invest in the U.S., the EU, and the UK (the last of which under the National Security and Investment Act 2021 (NSIA)).

Foreign direct investment screening in the EU is currently a matter left to individual Member States, an increasing number of which are introducing new or revamped regimes. Countries including Sweden and Luxembourg entered the New Year ready to exercise newly implemented investment screening powers. Ireland’s new screening regime will likely enter into force during the first half of 2024, a notable development given the country’s recent success in attracting foreign investment. In addition to a greater number of countries screening investment, the level of scrutiny from authorities has also significantly heightened over the past couple of years. National screening regimes are also frequently amended to account for new areas of priority. For example, the UK Government is in the process of deciding whether to amend the mandatory sectoral filing triggers under the NSIA, to broaden the scope of the regime in some sectors, and to narrow it in others. The UK is also proposing to clarify and further tailor how the NSIA applies to targets active in the semiconductor industry, including through potentially establishing Semiconductors as a standalone mandatory filing sector under the NSIA (currently, semiconductors are caught by a handful of other sectors within scope of the NSIA).

Following in the footsteps of the U.S., both the EU and UK are also considering introducing outbound investment screening regimes covering particularly sensitive sectors, to mitigate concerns about sensitive information flowing to rival nations. Whilst the UK’s proposals remain nascent, the European Commission is set to unveil details of its new outbound screening regime in late January.

Middle East

In 2023, measures that aimed to develop and diversify the economy have brought visible results. Foreign investment in the technology sector has increased due to improvements in the quality of life in the region, the accessibility of work and residency visas, and legal and regulatory changes creating favorable conditions for foreign investments. The UAE and Saudi have created several tech innovation hubs to attract foreign investment and partnerships. Public and private partnerships and joint ventures in the technology sector will increase in 2024. However, companies looking to avail themselves of these opportunities should prepare to navigate certain requirements for local presence and partnership opportunities.

Africa

With international markets being crucial to continued economic expansion, and non-U.S. and non-EU growth likely to outstrip growth as a percentage for the foreseeable future, navigating heightened scrutiny from African regulatory bodies is going to become increasingly important. Acquisitions by large multinational tech companies are likely to be plagued with legal challenges in an effort to thwart reliance on foreign technology resources as African countries aim at working together to prevent barriers to the emergence and expansion of African digital platforms.

Middle East

Both the KSA and the UAE have made considerable investments in pursuit of becoming centres of excellence in the development and deployment of AI. In 2023, Abu Dhabi government’s Technology Innovation Institute launched Falcon, one of the largest open-source generative AI models. In addition, Jais Climate, the world’s first bilingual large language model dedicated to climate intelligence, was unveiled at the Mohamed Bin Zayed University of Artificial Intelligence in Abu Dhabi, just before COP 28. The UAE started 2024 by issuing a law establishing the Artificial and Advance Technology Council, which will develop strategy and policies for AI and advanced technologies in Abu Dhabi. Saudi Arabia launched multiple AI initiatives in 2023, including a National AI Capability Development Program and an AI program combatting desertification launched by the Ministry of Environment. We expect other Middle East jurisdictions to focus on AI technology in 2024.

These developments have led to a boom in the Middle East data center market. Data centers have become increasingly important due to several factors: data localization requirements for certain types of data (e.g. government data); migration to the cloud for hosting data by both governments and enterprises; rising consumption of data by consumers driven by the growth of 4G or 5G services from telecom companies and the usage of applications that leverage artificial intelligence (AI); and increased connectivity of subsea cables to countries in the region. Significant investments in data centre infrastructure are predicted to continue in the UAE, KSA and the wider region in 2024.

Africa

Last year’s sharp rise in enforcement action is likely to persist and increase in the short-to-medium term. Data protection authorities across the continent are likely to follow enforcement trends, with a potentially high contagion effect given the foundational similarities between the various privacy laws across Africa. Enforcement efforts are also likely to increase as a result of partnerships and collaboration between government agencies (e.g., the establishment of a Joint Enforcement Desk for Nigeria’s privacy regulator and competition authority in 2023).

If you have any questions concerning the material discussed in this client alert, please contact the members of our Technology practice.