
With the rise of AI and growing data complexity in the business space, 2024 is set to be a massive year for regulatory change. For risk managers, staying ahead of the regulatory curve requires a clear outlook on the upcoming evolutions of existing regulations and potential new laws.

Here’s an overview of the key risk and compliance changes to watch in 2024: 

GDPR: New Application Report & Potential New Law Coming in 2024

The continued evolution of the General Data Protection Regulation (GDPR) is likely to impact EU-based risk management over the coming year. 

First introduced in 2012, GDPR enforces key data protections across the EU. 

In a July 2023 press release, the European Commission revealed they would be conducting the next report on the application of GDPR in 2024 and announced a new law proposal to “streamline cooperation between data protection authorities (DPAs) when enforcing the General Data Protection Regulation in cross-border cases.”

While no clear deadlines are in place for this new proposed law, businesses can expect the following changes to potentially impact their compliance needs:

  • Lead Data Protection Authorities must send summaries of key issues that identify the main elements of an investigation to their counterparts
  • Clarification on what to submit when making a complaint
  • Clarification on due process rights when a DPA investigates a potential GDPR breach

A final decision on this new law is still to come, with implementation deadlines unknown at this time. 

EU AI Act: Proposed Law in Final Stages, Final Ruling Expected in 2024

The EU AI Act is the “world’s first comprehensive AI law” — and it may just reshape the regulatory landscape for the EU, setting a clear standard for the rest of the globe to follow. 

If implemented, this new law would aim to establish a clear regulatory framework for the use of AI in business scenarios. Under the proposed law, different AI applications would be analysed and classified according to the specific level of risk each application poses. 

In December 2023, the EU Parliament reached a provisional agreement with the Council regarding the AI Act. Before any compliance deadlines are set, the AI Act must first be formally adopted by both Parliament and the Council. A final decision on the law is expected sometime in 2024.

PCI v4.0: Compliance Expected by 31 March 2024

The PCI Data Security Standard (DSS) plays a global regulatory role in mitigating risk within the payments industry. Anyone dealing with a payments system must adhere to PCI DSS requirements.

Over the course of 2023, the next iteration of the PCI DSS (known as PCI v4.0) was finalised. The first phase of PCI v4.0 has a compliance deadline of 31 March 2024, by which time organisations must have implemented the 13 new requirements detailed in the new version.

Later in 2024, the second phase of PCI v4.0 will begin, consisting of more than 50 new technical requirement implementations. 

NIS2 Directive: Compliance Expected by 17 October 2024

The Network and Information Security 2 (NIS2) Directive is EU legislation focused on cybersecurity. 

This regulation aims to address the modern, digital risks in the evolving cybersecurity landscape. NIS2 expands the scope of cybersecurity rules to encompass several new sectors and entities. Additionally, NIS2 aims to improve incident response capacities throughout the EU. 

Compliance with NIS2 is expected by 17 October 2024. 

Among the many objectives regulators are pursuing with NIS2, one of the biggest changes is the elimination of the distinction between operators of essential services and digital service providers. Under NIS2, entities will instead be categorised as “essential” or “important,” with each category subject to separate supervision.

EU Regulators Cracking Down on Transposition of EU Directives in 2024

On 25 January 2024, the European Commission announced the adoption of a package of infringement decisions to address a lack of full compliance with EU directives amongst Member States. 

This new package covers 26 Member States and 11 EU directives in need of full transposition, including: 

  • Directive 2019/1937 (commonly known as the EU Whistleblower Directive)
  • Directive 2020/284 (addressing Value-Added Tax (VAT) fraud)
  • Directive 2021/514 (addressing administrative cooperation in the field of taxation)
  • Directive 2022/2053 (addressing corporate taxation and minimum rate of effective taxation)
  • Directive 2023/1438 (addressing new rules on the registration of agricultural and vegetable species)
  • Directive 2023/959 (addressing the expansion and strengthening of the EU Emissions Trading System)
  • Directive 2021/1883 (addressing legal migration and attracting highly qualified workers to the EU) 
  • Directive 2022/2038 (amendment of the Radio Equipment Directive)
  • Directive 2021/2118 (amendment of the Motor Insurance Directive)
  • Directive 2021/2167 (addressing contractual transparency and consumer protection among credit servicers and credit purchasers)

While these infringement decisions may not immediately impact businesses, it is vital to cross-reference the decisions to see whether the regions you operate in will be affected. Most likely, the Member States subject to these infringement decisions will be implementing new regulatory measures to achieve full transposition in the coming year. 

A full breakdown of each directive and the Member States still in need of a full transposition can be found on the European Commission website.

The Evolution of ESG in 2024

ESG is a major global regulatory standard that varies in its requirements from region to region. 

In 2024, we are set to pass a few major ESG milestones:


Post by Emma Bamford
January 29, 2024
Head of Customer Success at RiskSmart. Having spent too much time using reactive and manual risk frameworks and disjointed processes, Emma is passionate about the need for change.
