Evolutions of European Data Regulation 2024/2025

What is data? The very notion of “data” has required a dedicated effort to define. According to Article 2 of the Data Governance Act, data is understood as “any digital representation of acts, events, or information and any compilation of such acts, events or information, including in the form of sound, visual, or audiovisual recordings.”

For personal data—that is, data that can identify an individual—we are all familiar with the General Data Protection Regulation (GDPR), the European regulation introduced in 2018 aimed at protecting personal data, especially on the Internet. It is thanks to this regulation that we have the choice to share—or not share—our data (and it is also the reason why we are bombarded with cookie banners everywhere). Application and enforcement of the regulation are left to each EU member state; in France, this is the responsibility of the Commission Nationale de l'Informatique et des Libertés (CNIL). Its strategic plan for 2022-2024 included some recommendations related to the GDPR, and new guidelines are emerging for 2025.

For other types of data, the goal is to facilitate the creation of a data market. To that end, another regulation has been introduced and will come into force in September—the Data Act: “a law aimed at strengthening the EU’s data economy and fostering a competitive data market by making data (in particular industrial data) more accessible and usable.”

New GDPR Rules in Effect in 2024

In 2022, the CNIL published its strategic plan to address the new challenges linked to the growing digitalization of society, a process the pandemic accelerated. In 2024, it reinforced its guide on the security of personal data with the following measures:

  • Use of cloud digital services: Companies must assess their cloud service providers and ensure they comply with the GDPR (data localization, designated GDPR contact, data deletion procedures, contact address, etc.).
  • Data collection by mobile applications: Apps must minimize the data they collect and manage permissions transparently. These measures are challenging to implement in the global mobile app market.
  • Improving the security of web applications and their APIs, particularly by following OWASP recommendations (see below).
  • Artificial Intelligence: Ensuring the quality of produced data and providing information about the model used.

The last two measures show that the protection of personal data is understood in a broader sense, encompassing IT security of digital systems and the control of generated data.

OWASP Recommendations

OWASP (Open Worldwide Application Security Project) is a non-profit organization dedicated to improving web application security. It publishes the OWASP Top 10, a list of the most frequent and/or most serious categories of security issues, along with recommendations for avoiding them. The latest Top 10 (2021) includes issues such as:

  • Poor access control management: Inadequate granularity of permissions, uncontrolled routes, and overly lax identification. This is the most recurring issue.
  • Cryptography issues: Absence of cryptography or use of outdated and weak algorithms, self-signed certificates, etc.
  • Code injection: Using a text field to transmit code, the most famous example being SQL inserted into a login identifier field. Every user-supplied string must be protected so that it cannot be misinterpreted as code.
  • Architecture or design problems: A catch-all category that highlights potential issues caused by poor architecture, which may not necessarily lead to a security breach.
  • Poor security configuration: Unnecessary modules, inadequate password policies, lack of updates, etc.
  • Vulnerable and outdated components (dependencies): No updates, abandoned dependencies, poor compatibility.
  • Poor identity management: Lack of protection against automated attacks, weak or outdated passwords, absence of multi-factor authentication, etc.
  • Software and data integrity: Concerns attacks that might occur during update processes or continuous integration.
  • Lack of logging and monitoring: When events do not appear in application logs or when logs are not monitored.
  • Server-side request forgery (SSRF): When the connection between an application and a resource is manipulated through user-supplied data.

New GDPR Rules for 2025

While the full details of the 2025 regulation are not yet known, several major directions are already emerging for the new GDPR rules in 2025:

  • Strengthening the protection of personal data: Recent intrusions and personal data breaches have demonstrated the need to enhance personal data protection. Note: data breaches must be reported to the CNIL if they pose a risk to privacy, meaning the authority is well-informed on the subject.
  • Protection of digital access: This includes using strong and varied passwords, backing up data to prevent ransomware attacks, securing and updating devices, etc.
  • A new clampdown on the collection of personal data by mobile applications: Many apps collect more data than necessary and often not transparently. The goal is to achieve a more granular control of permissions to avoid consenting to everything just to use a service. A control campaign will be launched in the first half of the year.
  • Further strengthening of sanctions in cases of non-compliance with the regulations.

DORA Regulation on Financial Services

It is not only the GDPR that compels improvements in data security. At the beginning of 2025, the Digital Operational Resilience Act (DORA) will come into force. DORA establishes a regulatory framework for digital operational resilience, under which financial entities must ensure they can withstand, respond to, and recover from any serious operational disruption related to information and communication technologies (ICT).

Implication: If you provide a service to a financial operator, you must commit to supplying all necessary information so that your digital resilience can be assessed. You will also need to agree on a service contract that stipulates service quality, problem resolution times, and penalties in case of non-compliance. This applies even to non-strategic partners.

The Data Act

The Data Act was passed in 2023 and will become applicable on 12 September 2025. It is “a law intended to strengthen the EU’s data economy and promote a competitive data market by making data (especially industrial data) more accessible and usable, encouraging data-driven innovation, and increasing data availability.”

In doing so, this regulation “ensures an equitable distribution of data value among the actors in the data-driven economy. It specifies who can use which data and under what conditions.”

The objectives are to:

  • Facilitate the sharing of data generated by connected devices in exchange for fair, equitable, and proportionate compensation;
  • Allow public bodies in EU member states and EU institutions to access and use these data, provided they can justify an exceptional need;
  • Establish international cooperation rules regarding the transmission of non-personal data;
  • Combat illicit access to these data, particularly preventing intrusions by governments of third countries.

In practice, the aim is to reduce the factors that hinder data circulation:

  • The non-distribution of data by the companies that own them;
  • Costs related to a lack of interoperability and data dispersion;
  • Contracts favoring partnerships with digital giants.

While creating a data market is promising, viable economic models must be found to prevent public authorities from replacing economic actors by funding the data market at a loss. We will see how this regulation will challenge the digital giants.