EU Law for Tech & Startups

Written with ChatGPT assistance; curated and edited by Sander. 3 weeks ago

Regulation vs Directive

In EU law, a regulation is directly applicable in all EU member states
as soon as it enters into force, meaning it becomes law without any national
implementation (e.g. GDPR). A directive, by contrast, sets binding goals
but leaves it to each member state to transpose those goals into national
law, which can lead to differences in timing and details between countries.

Relevant EU Regulations

Below is a compact table of the most relevant EU regulations for tech
companies & startups, with one-line summaries and official links. These
apply directly in all EU member states.


Critical EU Compliance Obligations by Startup Type

Startup Type | Regulation | Core obligations / what to focus on
B2B SaaS | GDPR | Data processing agreements, user consent, breach reporting, privacy by design
B2B SaaS | Data Act | Ensure customers can access/export their data; allow interoperable data sharing
B2B SaaS | Cyber Resilience Act (CRA) | Secure software development, vulnerability reporting
B2B SaaS | DSA | If hosting user content: notice/takedown, transparency reporting
AI / ML tools | GDPR | Data privacy, anonymization, legal basis for AI training data
AI / ML tools | AI Act | Risk assessment for AI models, documentation, conformity for high-risk AI
AI / ML tools | Data Act | Access to user-generated data, interoperability for B2B SaaS/IoT data
AI / ML tools | Data Governance Act | Secure data-sharing intermediaries, compliance if acting as a broker
Fintech / Crypto | GDPR | Data protection, strong customer authentication (SCA) where applicable
Fintech / Crypto | MiCA | Licensing, crypto-asset compliance, stablecoin rules, disclosure obligations
Fintech / Crypto | CRA | Security obligations for financial software
Marketplaces / Platforms | GDPR | Protect user and business customer data
Marketplaces / Platforms | DSA | Content moderation, transparency, reporting obligations
Marketplaces / Platforms | DMA | Anti-competitive practices (if large platform / gatekeeper)
Marketplaces / Platforms | P2B | Fairness and transparency for business users

Key takeaway: For early-stage startups, GDPR + CRA + Data Act are
almost always mandatory. Platform/marketplace and fintech startups also need to
prioritize DSA / MiCA / AI Act depending on your business.


Key EU Regulations

Regulation | Year | What it covers (short) | Official link
GDPR (EU) 2016/679 | 2016 | Personal data protection, user rights, compliance obligations | https://eur-lex.europa.eu/eli/reg/2016/679/oj
DSA (EU) 2022/2065 | 2022 | Platform obligations, content moderation, transparency | https://eur-lex.europa.eu/eli/reg/2022/2065/oj
DMA (EU) 2022/1925 | 2022 | Competition rules for large “gatekeeper” platforms | https://eur-lex.europa.eu/eli/reg/2022/1925/oj
AI Act (EU) 2024/1689 | 2024 | Risk-based rules for AI systems and models | https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Data Act (EU) 2023/2854 | 2023 | Access to and sharing of data from connected products/services | https://eur-lex.europa.eu/eli/reg/2023/2854/oj
Data Governance Act (EU) 2022/868 | 2022 | Framework for data sharing, intermediaries, data altruism | https://eur-lex.europa.eu/eli/reg/2022/868/oj
Cyber Resilience Act (CRA) | 2024 | Security requirements for software & connected devices | https://eur-lex.europa.eu/eli/reg/2024/2847/oj
Markets in Crypto-Assets (MiCA) | 2023 | Crypto assets, stablecoins, crypto service providers | https://eur-lex.europa.eu/eli/reg/2023/1114/oj
Platform-to-Business (P2B) | 2019 | Fairness & transparency for platforms vs business users | https://eur-lex.europa.eu/eli/reg/2019/1150/oj
Geo-blocking Regulation | 2018 | Ban on unjustified geo-blocking in digital commerce | https://eur-lex.europa.eu/eli/reg/2018/302/oj

Quick Relevance Guide

  • Almost every startup: GDPR, DSA (if user-generated content)
  • Platforms / marketplaces: DSA, P2B, DMA (only if very large)
  • AI / data products: AI Act, Data Act, Data Governance Act
  • Fintech / crypto: MiCA
  • SaaS / software vendors: GDPR, CRA, Data Act

Below is a focused table of EU directives most relevant to tech companies and
startups, with links to authoritative external sources (EUR-Lex or
official EU pages). I’ve prioritized SaaS, platforms, data-driven products,
fintech, and infrastructure startups.


Core EU Directives

Data, Privacy & Information

Directive | Short name | Why it matters for startups | Official link
2002/58/EC | ePrivacy Directive | Cookies, tracking, email/SMS marketing, metadata | https://eur-lex.europa.eu/eli/dir/2002/58/oj
2016/943 | Trade Secrets Directive | Protects proprietary algorithms, models, and business logic | https://eur-lex.europa.eu/eli/dir/2016/943/oj
2019/1024 | Open Data Directive | Re-use of public-sector & high-value datasets | https://eur-lex.europa.eu/eli/dir/2019/1024/oj
2016/680 | Law Enforcement Data Protection Directive | Relevant if handling law-enforcement data | https://eur-lex.europa.eu/eli/dir/2016/680/oj

ℹ️ Note: GDPR is a Regulation, not a directive, but it takes precedence for
most data-handling concerns.


Digital Products, SaaS & Platforms

Directive | Short name | Why it matters | Official link
2000/31/EC | e-Commerce Directive | Platform liability, hosting, notice-and-takedown | https://eur-lex.europa.eu/eli/dir/2000/31/oj
2019/770 | Digital Content Directive | Consumer rights for SaaS, APIs, digital services | https://eur-lex.europa.eu/eli/dir/2019/770/oj
2019/771 | Sale of Goods Directive | Software embedded in hardware, IoT products | https://eur-lex.europa.eu/eli/dir/2019/771/oj
2011/83/EU | Consumer Rights Directive | Online contracts, refunds, subscriptions | https://eur-lex.europa.eu/eli/dir/2011/83/oj
93/13/EEC | Unfair Contract Terms | Limits one-sided SaaS TOS clauses | https://eur-lex.europa.eu/eli/dir/93/13/oj

Cybersecurity & Infrastructure

Directive | Short name | Why it matters | Official link
2022/2555 | NIS2 Directive | Mandatory security & incident reporting for many tech companies | https://eur-lex.europa.eu/eli/dir/2022/2555/oj
2018/1972 | EECC | Telecom, VoIP, messaging & connectivity services | https://eur-lex.europa.eu/eli/dir/2018/1972/oj

Fintech & Payments (if applicable)

Directive | Short name | Why it matters | Official link
2015/2366 | PSD2 | Payments, open banking, APIs, strong auth | https://eur-lex.europa.eu/eli/dir/2015/2366/oj
2009/110/EC | E-Money Directive | Wallets, stored value, prepaid balances | https://eur-lex.europa.eu/eli/dir/2009/110/oj
2014/65/EU | MiFID II | Trading, investing, crypto-adjacent services | https://eur-lex.europa.eu/eli/dir/2014/65/oj

Important Context for Tech Founders

  • Directives require national implementation, so details vary by country
    (e.g. NL vs DE).
  • Many of these are now overlaid by Regulations:
    • DSA / DMA (platform rules)
    • GDPR (privacy)
    • AI Act (AI systems)
  • If you’re building SaaS or infra, NIS2 + Digital Content + Consumer Rights
    usually hit first.


Practical Quick Relevance Guide

If you are building… | Pay special attention to…
SaaS / B2C app | Digital Content, Consumer Rights, ePrivacy
B2B SaaS | Trade Secrets, NIS2, e-Commerce
Platform / Marketplace | e-Commerce, Unfair Contract Terms, DSA
Fintech / payments | PSD2, E-Money, MiFID II
Cloud / MSP | NIS2, EECC
AI / data products | Open Data, Trade Secrets, GDPR, upcoming AI Act