The EU legal framework on digital products and services relevant to Local Digital Twins


1. Introduction

Together with the Guideline on the EU public procurement legal framework, this guideline helps city procurement officers identify the EU digital legislation relevant to the procurement objects in their tenders. It is structured by the legal acts found in the Technical Specifications of the procurement templates. Each legal act is presented through a consistent set of information to clarify its scope and its applicability to specific procurement objects. The guideline also explains the reasoning behind the legal requirements included in the Technical Specifications, linking them to the relevant legislative provisions.

The sub-section “Scope and Applicability” will provide brief information about the specific act, its applicability to the public sector and to the concrete object of procurement, and the importance of the act for awareness-raising purposes.

Following this introduction, the sub-section “From legal requirements to technical specifications” will help city officers navigate through the legislation. With this aim, in this section, the reader:

  • will learn where to find the legal requirements in the different pieces of legislation,
  • will understand the reasoning behind the inclusion of the requirements as part of the technical specifications of the different objects of procurement,
  • will find useful resources and information to comprehend the requirements for compliance.

By reading these guidelines, city officers will be knowledgeable about the legislation that applies to their required objects of procurement and how to interpret it, which facilitates enforcement of and compliance with the requirements when awarding the tender.

It should be noted that section 8 of this guideline, on the Artificial Intelligence Act, should be read in conjunction with the Guideline on AI/ML, since the legal requirements might need to be implemented in different templates depending on the concrete use.

2. General Data Protection Regulation

2.1 Scope and applicability

When is it triggered?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies across the European Union (EU). It aims to protect individuals’ fundamental rights and freedoms, particularly the right to the protection of personal data. It lays down the rules on the processing of personal data wholly or partly by automated means, as well as the conditions for the free movement of personal data.

It is important to understand that personal data refers to any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of natural persons (Article 4(1) of the GDPR).

Based on the above, the processing of anonymised data does not fall under the scope of the GDPR. However, it should be highlighted that handling anonymised data still requires appropriate safeguards against the risk of re-identification and personal data breaches. If an anonymised data set becomes identifiable (for example, because of new de-anonymisation techniques in the state of the art, or because it is combined with other existing data sets), the processing of that data set falls under the scope of the GDPR, because the data then constitute personal data.

Who does it apply to?

The GDPR applies to any natural or legal person, public authority, agency or other body which processes personal data wholly or partly by automated means.

The two main parties regulated by the GDPR are controllers and processors of personal data.

A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR).

A processor is a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

In this context, the contracting authority (CA) will be the controller of personal data, and the winning tenderer will be the processor of personal data. This is an important distinction to bear in mind when defining the obligations and responsibilities of each party in the different processing activities.

Timeline

The GDPR is applicable from 25 May 2018.

2.2 From legal requirements to tender technical specifications

Requirements for tender applicants

The GDPR is applicable to all different objects of procurement, due to the nature of the data surrounding the activities of these components. It is recommended that the CA works closely with their data protection officer and privacy and data protection team to assess if the requirements related to privacy and data protection are applicable and to adapt these depending on the use case.

The technical specifications refer to the following concepts and provisions provided by the GDPR:

  • Principles relating to the processing of personal data (Article 5 of the GDPR). The principles of lawfulness, fairness, and transparency; purpose limitation; data minimisation; data accuracy; storage limitation; and integrity and confidentiality constitute the starting point and underlying rationale of more detailed provisions under the Regulation. They should be guiding the interpretation of all articles under the act, especially the rights of data subjects (Chapter III of the GDPR).

    Targeting specific objects of procurement, these principles are explained one by one under the technical specifications.
     
  • Data protection by design and by default (Article 25 of the GDPR). This provision requires controllers of personal data to put in place effective measures that implement the data protection principles and integrate the safeguards necessary to meet individuals' rights and the GDPR requirements. These measures must be in place both when determining the means of processing and at the time of the processing itself. This means that the tender applicant should be able to implement the data protection by design and by default measures defined by the CA as part of their project, such as, among others, encryption of personal data at rest and in transit or the use of privacy-enhancing technologies.

    The CA shall assess whether the measure is appropriate and effective in implementing the data protection principles and the rights of data subjects.
     
  • Security of personal data processing (Article 32 of the GDPR). Controllers and processors of personal data must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks of varying likelihood and severity for the rights and freedoms of natural persons. The technical specifications refer to different types of security measures that should be adopted by the tender applicant to protect personal data from any accidental or unlawful destruction, loss, alteration, access or unauthorised disclosure of it.

    These measures are reinforced by the requirements defined by the Network and Information Systems Directive explained in Chapter 3 of this guideline.
     
  • Transfers of personal data to third countries or international organisations (Chapter V of the GDPR). The GDPR allows for the free flow of personal data within the EU. However, it provides specific requirements relating to the transfers of personal data to third countries and international organisations. In this regard, Chapter V of the Regulation contains the conditions and mechanisms to offer the same level of protection to personal data being transferred outside the European Economic Area (EEA). These mechanisms are adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanisms, codes of conduct, and derogations (for very exceptional circumstances).

There are different means to demonstrate and assess compliance against the GDPR obligations and requirements defined in the technical specifications:

  • Codes of Conduct (Article 40 of the GDPR), approved either by a Data Protection Authority, when the processing activities do not take place in several Member States, or by the European Commission by means of an implementing act, when processing activities in several Member States are concerned. An example is the CISPE Code of Conduct for cloud infrastructure service providers.
  • Certification (Article 42 of the GDPR) provided by a Data Protection Authority, European Data Protection Board, or certification body, like the European Data Protection Seal.

The CA has the obligation to conduct a Data Protection Impact Assessment (DPIA) where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. In any case, it is required in the cases referred to in Article 35(3) of the GDPR. Moreover, Data Protection Authorities shall establish lists of the kind of processing operations which require carrying out a DPIA.

The obligations and requirements for the processing of personal data by the processor must be defined in a contract or other legal document. This is commonly referred to as the Data Processing Agreement, the content of which is specified in Article 28(3) of the GDPR. Therefore, the CA should make sure that this agreement is signed with the winning tenderer to define the nature, scope, purposes, security measures, and other obligations for the processing of personal data on their behalf.

Supporting material

In addition to the guidelines, recommendations, and best practices of the European Data Protection Board, it is recommended to follow the recommendations and decisions issued by National Data Protection Authorities.

Relevant objects of procurement and procurement templates

The GDPR requirements are included in all procurement templates since the different objects of procurement will be processing individuals’ personal data, from CA users and/or end-users.

3. ePrivacy Directive

3.1 Scope and applicability

When is it triggered?

Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive) covers the processing of personal data and the protection of privacy in the electronic communications sector. This includes rules on confidentiality, traffic data, location data, and unsolicited communications (e.g., so-called ‘spam’).

The ePrivacy Directive complements the General Data Protection Regulation (GDPR) by providing more specific rules for electronic communications. While the GDPR lays down general data protection principles, the ePrivacy Directive focuses on the confidentiality of communications, cookies, and similar technologies. It is therefore sector-specific legislation.

Who does it apply to?

The ePrivacy Directive applies to both public and private entities that provide publicly available electronic communications services. This means that public bodies must also comply with these rules when they handle electronic communications.

Timeline

The Directive has been applicable since 2003, and it was last amended in 2009.

3.2 From legal requirements to technical specifications

Requirements for tender applicants

The tender applicant should comply with certain obligations when handling communications data (traffic and location data).

Accordingly, under Article 6 of the ePrivacy Directive (traffic data):

  • The winning tenderer should erase or anonymise traffic data once they are no longer needed for:
    • the purpose of the transmission of a communication,
    • subscriber billing and interconnection payments,
    • the provision of their services,
    • the marketing of electronic communication services, or
    • the provision of value-added services,
    and, in any case, as soon as users withdraw their consent.
  • The processing of traffic data should be restricted to persons acting under the authority of the winning tenderer and solely for the purposes of handling or providing the following activities:
    • Billing or traffic management
    • Customer inquiries
    • Fraud detection
    • Marketing of electronic communications services
    • A value-added service

In line with Article 9 of the ePrivacy Directive on location data other than traffic data:

  • Location data should only be processed anonymously or, with the consent of the users or subscribers, to the extent and for the duration necessary for the provision of the service.
  • Prior to obtaining their consent, users or subscribers should be informed about the type of location data, the purposes and duration of the processing, and whether the data will be transmitted to a third party for the provision of the service.
  • Users or subscribers can withdraw their consent for the processing of location data and temporarily refuse it for each connection to the network or for each transmission of a communication.
  • The processing of location data should be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the service.
  • The processing should be restricted to what is strictly necessary for the purposes of providing the service.

Moreover, as regards so-called cookies and similar tracking technologies, Article 5(3) of the Directive provides that storing information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about, among other things, the purposes of the processing. This is without prejudice to technical storage or access for the sole purpose of carrying out the transmission of a communication, which is an exception where consent is not required.

Supporting material

Relevant objects of procurement and procurement templates

According to the European Electronic Communications Code, electronic communications services include the following:

  • internet access service: a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used;
  • interpersonal communications service;
  • services used wholly or mainly for sending signals, such as transmission services used for the provision of machine-to-machine services and for broadcasting.

Therefore, the ePrivacy Directive applies to the following templates and their underlying objects of procurement:

  • IoT Platform A.02
  • IoT Sensor
  • Network Infrastructure I.02.1
    • Public WiFi (Internet Network)
    • Network – Network Equipment
  • Network Infrastructure Public WiFi I.02.3

4. Network and Information Systems Directive (NIS2)

4.1 Scope and applicability

When is it triggered?

The aim of this act is to achieve a high common level of cybersecurity across the Union. As the provision and continuity of critical services, functions and operations rely more and more on digital assets, and as sensitive information is increasingly stored on them, it has become essential to maintain a standard level of security in network and information systems and in the physical environment of those systems.

NIS2 contains strong requirements for a broad range of actors on cybersecurity risk management, including technical, operational and organisational measures to manage the risks posed to the security of network and information systems, as well as incident notification requirements for cybersecurity incidents.

Who does it apply to?

The law introduces the concepts of essential entities and important entities. Member States shall establish a list of them by 17 April 2025. These are entities falling within the following sectors:

  • Essential entities (category 1): energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructure; ICT service management; public administration; space.
  • Important entities (category 2): postal and courier services; waste management; manufacture, production, and distribution of chemicals; food production, processing, and distribution; manufacturing; digital providers; research.

It is important to highlight that the legislation designates the public administration sector as an “essential entity”. Specifically, it indicates that:

  • This law applies to “a public administration entity at regional level as defined by a Member State in accordance with national law that, following a risk-based assessment, provides services the disruption of which could have a significant impact on critical societal or economic activities”.
  • And that the Member States may provide for this Directive to apply to public administration entities at the local level. This will depend on the national choices made by each Member State when transposing the Directive into its national legislation.

Timeline

The NIS2 Directive entered into force in January 2023, and it had to be transposed by all EU Member States into their national legislation before 17 October 2024.

4.2 From legal requirements to tender technical specifications

Requirements for tender applicants

Core requirements from this Directive stem from Articles 21 and 23 for providers of digital products and services.

Core requirements for providers of digital products and services and the operators of such are included in Article 21. It establishes a list of appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems and the physical environment of those systems:

  • Policies on risk analysis and information system security. Providers must have a structured approach to identifying, assessing, and managing risks to their information systems.
  • Incident handling policies and mechanisms that comply with the requirements of Article 23. Article 23 describes in detail the notification obligations regarding cybersecurity incidents: organisations must report the incident to their CSIRT or competent national authority within 24 hours of becoming aware of it, followed by a final report within one month.
  • Business continuity. This means:
    • Regularly backing up critical data and systems to ensure they can be restored after an incident.
    • Developing plans to recover and restore operations after major disruptions (e.g., cyberattacks, outages).
    • Outlining protocols for responding to crises, including roles and responsibilities, communication strategies, and decision-making processes.
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability;
    • Security should be integrated into the design, development, and maintenance of systems and applications.
    • Systems should be regularly scanned for vulnerabilities, and patches or updates should be implemented to address known weaknesses.
    • Secure development practices should be adopted, such as code reviews, penetration testing, and adherence to industry standards.
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures, such as the implementation of regular audits, reviews, and assessments. Use of tools like penetration tests, vulnerability assessments, and incident response simulations to validate preparedness.
  • Basic cyber hygiene practices and cybersecurity training: Cyber hygiene consists of simple, essential security measures such as strong passwords, regular updates, and antivirus software. Training includes providing employees with training on identifying phishing attacks, secure data handling, and incident reporting to build a cybersecurity-aware culture.
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption; occasions where it is applicable and methods.
  • Human resources security, access control policies and asset management. This covers background checks for employees in sensitive roles and cybersecurity training; access control policies, such as role-based access control (RBAC), that ensure employees only have access to the systems or data necessary for their roles; and the maintenance of an inventory of all hardware, software, and data assets, including ownership and security classification.
  • The use of multi-factor authentication (multiple verification factors, e.g., password and biometrics) or continuous authentication solutions which monitor user behaviour (e.g., typing patterns, location), secured voice, video and text communications and secured emergency communication systems.

Further clarification of what the above measures entail for tenderers, together with practical steps and examples for compliance, can be found in Commission Implementing Regulation (EU) 2024/2690 on the technical and methodological requirements of the cybersecurity risk-management measures under NIS2.

To demonstrate compliance, each Member State may require that certain products or services be certified under specific certification schemes adopted pursuant to the Cybersecurity Act (Article 24 NIS2). The Cybersecurity Act is an accompanying EU law which sets a framework for the establishment of European cybersecurity certification schemes, ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes and avoiding fragmentation of cybersecurity certification schemes in the Union. A few national cybersecurity certification schemes exist, but without a common framework between Member States. The new European cybersecurity certification schemes will replace national cybersecurity certification schemes wherever their scope overlaps.

Each European scheme will include the categories of products and services covered, the cybersecurity requirements (such as standards or technical specifications), the type of evaluation (such as self-assessment or third party) and the intended level of assurance.

Currently, there is only one published scheme at the EU level, the Scheme on Common Criteria (EUCC) (replacing the former SOG-IS Common Criteria evaluation framework) and two others under development: the European Certification Scheme for Cloud Services (EUCS) and the European Cybersecurity Certification Scheme for 5G. You can monitor which certification schemes are under development or published at the website of the EU’s cybersecurity agency, ENISA.

Relevant objects of procurement and procurement templates

This legal requirement applies to all objects of procurement and templates. To ensure a cyber-secure Local Digital Twin, all the encompassing components (hence objects of procurement) that are needed to implement it will need to adhere to cybersecurity standards, be it software, middleware or hardware.

Contracting authorities should, therefore, assess the overall quality and resilience of the digital products and services they aim to purchase. They should assess whether adequate cybersecurity risk-management measures are embedded in them, as well as the cybersecurity practices of their suppliers and service providers, to ensure that the whole supply chain on which the Local Digital Twin or any other technological application depends is cybersecure, and to limit the chances of cascading effects from malicious or non-malicious cybersecurity incidents.

5. Radio Equipment Directive (RED)

5.1 Scope and applicability

When is it triggered?

The Radio Equipment Directive (RED) establishes a regulatory framework for placing radio equipment on the market. It sets essential requirements for safety and health, electromagnetic compatibility, and the efficient use of the radio spectrum. It also includes technical features and requirements for the protection of privacy and personal data and for protection against fraud. Moreover, additional aspects cover interoperability, access to emergency services, and compliance regarding the combination of radio equipment and software.

In short, ‘radio equipment’, as defined in Article 2 of the Directive, means an electrical or electronic product which intentionally emits and/or receives radio waves. This includes, for example, smartphones, laptops, wireless headphones, drones, wireless cameras, and wireless sensors, among others.

Who does it apply to?

The Directive applies to manufacturers, authorised representatives, importers, distributors, and other economic operators of radio equipment which is made available or placed on the EU market. These actors have to comply with all the procedural obligations set out in the act regarding CE marking, technical documentation, and conformity assessments.

Should a contracting authority aim to purchase devices connected to the internet, they should assess whether providers of such equipment comply with the requirements set in this Directive.

Timeline

The Radio Equipment Directive (RED) entered into force in 2014. In 2021, the Commission complemented the act with an extension of cybersecurity requirements to internet-connected devices, wearable devices and products available on the EU market.

In 2022, the European Parliament and the Council signed an amendment to the Directive that introduced the requirement for all electronic devices to be equipped with a USB Type-C receptacle.

5.2 From legal requirements to tender technical specifications

Requirements for tender applicants

The RED focuses on ensuring safety, electromagnetic compatibility (EMC), and efficient use of the radio spectrum, while also addressing specific additional aspects such as cybersecurity.

Key requirements include:

  • Safety: connected devices must comply with the general safety requirements outlined in Article 3(1)(a), ensuring they are safe for users and do not pose hazards.
  • Electromagnetic compatibility (EMC): Article 3(1)(b) mandates that wireless equipment must not interfere with other devices and should function properly in the presence of electromagnetic disturbances.
  • Efficient use of the radio spectrum: Article 3(2) requires wireless equipment to use the spectrum effectively to avoid harmful interference with other devices.
  • Interoperability and accessibility: Optional provisions under Article 3(3) allow for regulations on features like interoperability, data protection, and user accessibility.
  • Compliance testing: Manufacturers must conduct conformity assessments to ensure compliance with RED requirements before marketing products.

The Commission Delegated Regulation (EU) 2022/30, adopted under the RED Directive, adds specific cybersecurity requirements for certain categories of radio equipment, including IoT devices. It addresses emerging concerns about security and privacy in connected devices.

Key additions:

  • Network protection:
    • Devices must include safeguards to protect against unauthorised access or tampering (e.g., preventing hacking or remote attacks on IoT sensors).
    • Ensure data integrity and resistance to disruptions in networked environments.
  • Data protection:
    • IoT devices must implement measures to safeguard personal data in compliance with GDPR (e.g., encryption, secure data transmission).
    • This includes ensuring secure data storage and transmission protocols to protect users' privacy.
  • Fraud prevention:
    • The regulation emphasises preventing device misuse, such as unauthorised usage or fraud that could result from security vulnerabilities.
  • Scope:
    • These cybersecurity measures apply to IoT devices with direct or indirect communication over the internet (e.g., smart home sensors, wearables, and industrial IoT devices).

Relevant objects of procurement and procurement templates

  • IoT Sensors
  • Public Wi-Fi network infrastructure
  • Network
  • Network monitoring tool
  • Network capacity infrastructure hardware

6. Directive on the Resilience of Critical Entities (CER)

6.1 Scope and applicability

When is it triggered?

The Directive lays down the following requirements:

  • Member States should identify critical entities and support critical entities in meeting the obligations imposed on them;
  • Obligations for critical entities aimed at enhancing their resilience and ability to provide essential services;
  • Measures with a view to achieving a high level of resilience of critical entities to ensure the provision of essential services within the Union and improve the functioning of the internal market.

Who does it apply to?

The Directive applies to “critical entities”, meaning public or private entities that have been identified as such by a Member State. The sectors covered are energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food.

Among the sectors included in the Directive, the Annex identifies “public administration entities of central governments as defined by Member States in accordance with national law”. A local contracting authority might not fall under this category, but it may fall under another category where a public entity at the local level is, for instance, managing wastewater and is identified as a critical entity by its Member State. In addition, suppliers of contracting authorities that provide digital services and products essential to the functioning, monitoring, or control of critical services (for example, in the energy, health, transportation, or digital infrastructure sectors, among others outlined in the Directive), and that could therefore be regarded as critical infrastructure, should comply with the requirements set in this Directive.

This concerns physical infrastructure but also software on which critical physical infrastructure relies to function properly.

In a complementing act, the Commission lays down an indicative list of the types of services essential for the maintenance and unobstructed functioning of vital societal or economic activities, whose resilience should be enhanced as the Directive mandates.

Timeline

The Directive entered into force on 16 January 2023. By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof. They shall apply those measures from 18 October 2024.

Each Member State shall adopt by 17 January 2026 a strategy for enhancing the resilience of critical entities (the ‘strategy’). Member States will have to identify the critical entities for the sectors set out in the CER Directive by 17 July 2026. They will use this list of essential services to carry out risk assessments and then identify the critical entities. Once identified, the critical entities will have to take measures to enhance their resilience.

By 17 July 2027, the Commission shall submit a report to the European Parliament and the Council assessing the extent to which each Member State has taken the necessary measures to comply with this Directive.

6.2 From legal requirements to tender technical specifications

Requirements for tender applicants

Some measures that critical entities will have to take up to become more resilient are listed in Article 13 of the Directive:

  • Prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures;
  • Ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls;
  • Respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines;
  • Recover from incidents, duly considering business continuity measures and the identification of alternative supply chains in order to resume the provision of the essential service;
  • Ensure adequate employee security management, duly considering measures such as setting out categories of personnel who exercise critical functions, establishing access rights to premises, critical infrastructure and sensitive information, setting up procedures for background checks in accordance with Article 14 and designating the categories of persons who are required to undergo such background checks, and laying down appropriate training requirements and qualifications. Critical entities should consider the personnel of external service providers when setting out categories of personnel who exercise critical functions.
  • Raise awareness about the measures referred to above among relevant personnel, duly considering training courses, information materials and exercises.

A critical entity, in this case, could be either the contracting authority, which would need to comply by performing due diligence on its suppliers against the requirements of the Directive, or the suppliers themselves, responsible for the operation, provision or maintenance of the service considered critical and over which the contracting authority has decisive capacity (on the selection of suppliers and the course of operation). In any case, these requirements should be included in the procurement process for potential tenderers.

More information on the resilience of critical infrastructure and its regulation can be found at this link at the European Commission’s official website.

Relevant objects of procurement and procurement templates

  • Public Wi-Fi network infrastructure
  • Network
  • Network monitoring tool
  • Network capacity infrastructure hardware
  • IoT platform application development and/or maintenance services
  • On-premises automatic computing management tool
  • On-premises computing measures tool
  • On-premises computing provisioning and cleanup tool
  • On-premises automatic storage management tool
  • On-premises storage provisioning and cleanup tool
  • Advanced cloud computing tools
  • Cloud automatic computing management tool
  • Cloud computing measures tool
  • Cloud computing provisioning and cleanup tool
  • Cloud automatic storage management tool
  • Cloud storage provisioning and cleanup tools
  • Cloud connection service (SaaS)
  • Cloud connection service (PaaS)
  • Cloud connection service (IaaS)
  • User-facing platform
  • Middleware software application development and/or maintenance services

7. Open Data Directive

7.1 Scope and applicability

When is it triggered?

This Directive lays down the legal framework for the re-use of public-sector information such as geographical, land registry, statistical or legal information held by public-sector bodies or public undertakings, and of publicly funded research data. This Directive is focused on Open Data: data that is openly accessible, exploitable, editable and shared by anyone for any purpose. It is relevant where the information that the object of procurement will process is open, as in the examples above (hence non-confidential, non-personal, and not bound by any other confidentiality or commercial restriction).

The open data generated or held by government entities plays a pivotal role in enriching data availability within common European data spaces. It enhances data quality and interoperability and facilitates the reuse of data across borders. Availability of this diverse data also allows for cross-domain insights and the ability to address complex, interconnected challenges more effectively.

The Directive promotes the use of open data (data presented in open formats that individuals can use freely and share for any purpose). Public-sector bodies and public undertakings must make their documents available in any pre-existing format or language and, where appropriate, by electronic means in formats that are open, machine-readable, accessible, findable and reusable, complete with their metadata. The documents shall be re-usable for commercial or non-commercial purposes.

Who does it apply to?

Public-sector bodies, bodies governed by public law, and public undertakings10. As per Article 2, those are state, regional or local authorities governed by public law (or associations of those).

Timeline

The Open Data Directive entered into force on 16 July 2019 and had to be transposed into national legislation by Member States before 17 July 2021.

No sooner than 17 July 2025, the European Commission will evaluate the Directive and submit a report with their findings to the European Parliament, the Council, and the European Economic and Social Committee.

7.2 From legal requirements to tender technical specifications

Requirements for tender applicants

The Open Data Directive requires contracting authorities to adhere to the following requirements, which should be included when procuring the necessary tools and components:

  • Tools must ensure data can be stored and shared in machine-readable formats (e.g., CSV, JSON, XML).
  • Tools should prioritise compatibility with open standards to avoid vendor lock-in and promote data reuse.
  • Tools should support the creation and maintenance of metadata to help catalogue and describe datasets for public access.
  • Any tool used for processing public sector data must facilitate documentation and transparency, ensuring compliance with the principles of accountability and openness.

More information on European open data legislation can be found at this link at the European Commission’s official website.

Relevant objects of procurement and procurement templates

  • Data analytics tool
  • Data analytics tool for 3D modelling
  • Data backup tool
  • Data governance tool
  • Data prediction and simulation models
  • Real-time data collection tools
  • Middleware

8. Data Act

8.1 Scope and applicability

When is it triggered?

The Data Act11 aims to regulate data obtained or generated by (‘smart’) devices connected to the Internet of Things and to clarify who can create value from this increasing amount of data and under which conditions. It aims to facilitate the seamless transfer of valuable data between data holders12 and data users while upholding its confidentiality. It sets the rules and contractual terms regarding access and use of data generated using connected products and related services.

The Data Act lays down harmonised rules, inter alia, on:

  • the making available of product data and related service data to the user of the connected product or related service (Internet of Things);
  • the making available of data by data holders to data recipients;
  • the making available of data by data holders to public sector bodies, the Commission, the European Central Bank and Union bodies, where there is an exceptional need for those data for the performance of a specific task carried out in the public interest;
  • facilitating switching between data processing services;
  • introducing safeguards against unlawful third-party access to non-personal data; and
  • the development of interoperability standards for data to be accessed, transferred, and used.

The Commission will also develop model contract clauses to help market participants draft and negotiate fair data-sharing contracts. Articles 33 to 36 establish the essential requirements that need to be fulfilled to ensure the interoperability of data.

Who does it apply to?

Manufacturers of products or suppliers of services connected to IoT, data holders, and data processing services (e.g., cloud/edge computing).

Timeline

The Data Act entered into force on 11 January 2024 and will be applicable starting September 2025.

8.2 From legal requirements to tender technical specifications

Requirements for tender applicants

Tenderers such as data holders (manufacturers or providers of IoT products or related services that process data stemming from IoT device usage) should adhere to the following measures (indicative list from the Act):

  • The concerned data must be accessible (or, where this is not possible, made available on request) to users (individuals and businesses), along with related information, e.g. regarding the nature and volume of the data, how the user can access them, etc.
  • Data holders can use the data only according to the agreement with the user, while users cannot use the data to create a competing product or disclose trade secrets.
  • On instruction by the user, the data holder is obliged to share the concerned data with third parties of the user’s choice.

It mandates companies holding data from connected devices to make them available to public sector bodies and Union institutions, agencies or bodies when an exceptional need is present (e.g. health crisis, flood, wildfire) or to fulfil a specific task in the public interest explicitly provided in law if data are not otherwise available. It establishes the circumstances under which an exceptional need exists and the conditions and content of the relevant request.

In addition, for tenderers that offer data processing services, the Act entails the following obligations:

  • It requires them to remove commercial, technical, contractual and organisational obstacles that hinder a customer from switching between the same type of service offered by different service providers (e.g. easy contract termination, direct data portability to the new service provider, gradual elimination of switching charges, functional equivalence in the IT environment of the new provider, compatibility with open standards).
  • It restricts international transfers of, or non-EU governmental access to, non-personal data held in the Union by data processing services, where such transfer or access could conflict with Union or national law.

The Act also sets interoperability requirements in Articles 33 to 36:

  • Essential requirements for data, data-sharing mechanisms and services, with which operators of common European data spaces must comply.
  • For data processing services, by establishing open interoperability specifications and open standards for interoperability, portability of digital assets and functional equivalence between different data processing service providers offering the same type of service, including essential requirements for smart contracts in the context of data-sharing arrangements.

Relevant objects of procurement and procurement templates

  • IoT sensors
  • Data analytics tool (3D modelling services)
  • Real-time data collection tool
  • Data backup tool
  • Data prediction and simulation models
  • Real-time data analytics tool
  • Cloud connection service (SaaS)
  • Cloud connection service (IaaS)
  • User-facing platform
  • Middleware software application development and/or maintenance services

9. Artificial Intelligence Act

9.1 Scope and applicability

When is it triggered?

The recently published Artificial Intelligence Act (AI Act)13 by the European Union aims to regulate artificial intelligence (AI) to ensure safety, transparency, and fundamental rights protection. This Regulation will impact both private and public organisations operating within the EU. The AI Act applies to providers and users of AI systems14 within the EU, as well as to those outside the EU, if the AI systems affect people within the EU. This includes public sector bodies that deploy AI systems in their operations.

It covers a wide range of AI systems, from simple algorithms to complex machine learning models. It classifies AI systems based on risk levels: unacceptable risk, high risk, limited risk, and minimal risk. Each category has specific requirements and obligations.

Who does it apply to?

This Regulation applies to:

  • Providers placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the Union, irrespective of whether those providers are established or located within the Union or in a third country;
  • Deployers of AI systems that have their place of establishment or are located within the Union;
  • Providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union;
  • Importers and distributors of AI systems;
  • Product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark;
  • Authorised representatives of providers, which are not established in the Union;
  • Affected persons that are located in the Union.

Exceptions and more specific provisions regarding the applicability of the law can be found in Article 2 of the act.

Timeline

The Regulation entered into force on 2 August 2024, but the general applicability of the Regulation starts on 2 August 2026. Nonetheless, some particular provisions of the Regulation have a different starting date:

  • The prohibitions, as well as the general provisions of this Regulation (Chapters I and II), already apply from 2 February 2025.
  • The provisions on notified bodies, governance structure, penalties and on obligations for providers of general-purpose AI models apply from 2 August 2025 (Chapter III Section 4, Chapter V, Chapter VII and Chapter XII and Article 78 except for Article 101).
  • The provisions relating to the classification of AI Systems and the corresponding obligations in this Regulation apply from 2 August 2027 (Article 6(1)).

To facilitate the transition during the implementation period of the act, the Commission launched the AI Pact, a voluntary initiative for AI developers in the EU who aim to comply with key obligations of the AI Act ahead of time.

9.2 From legal requirements to tender technical specifications

Requirements for tender applicants

Depending on the category of AI system to be put into service or placed on the market, different rules, requirements and conditions apply:

  • Unacceptable risk AI systems. Harmful uses of AI that contravene EU values (such as social scoring by governments or systems deploying subliminal, manipulative, or deceptive techniques to distort behaviour) are prohibited as per Article 5 of the AI Act because of the unacceptable risk they create.
  • High-risk AI systems. A number of AI systems (listed in Annex III) that have an adverse impact on people's safety or their fundamental rights are considered to be high-risk. To ensure trust and a consistently high level of protection of safety and fundamental rights, a range of mandatory requirements (including a conformity assessment) will apply to all high-risk systems. Providers of high-risk AI systems must perform comprehensive risk assessments, document system details, and register with authorities, ensuring regulatory compliance, transparency and mitigation of adverse impacts.

This category of AI systems is subject to requirements of risk management systems (Article 9), high-quality datasets and data governance (Article 10), detailed technical documentation (Article 11), record keeping (Article 12), transparency (Article 13), human oversight (Article 14), accuracy, robustness and cybersecurity (Article 15), conformity assessment (Articles 43-48). Moreover, these systems will have to be registered under a public registry before being placed on the market or put into service (Article 49). These requirements are defined in Chapter III of the AI Act.

It is important to highlight the obligation of deployers, which are bodies governed by public law or private entities providing public services, to conduct a fundamental rights impact assessment in accordance with the requirements listed in Article 27.

The AI Office (European Commission) will develop a template for a questionnaire, including an automated tool to facilitate compliance with this requirement.

  • Limited risk AI systems. Certain AI systems, like AI chatbots, will be subject to a limited set of obligations (e.g. transparency, human oversight, accuracy) included in Chapter IV (Article 50). In this regard, providers are required to disclose AI system functionalities, decision-making processes, and risks to ensure users’ trust and regulatory oversight. In terms of transparency, it should be ensured that “AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use”.
  • General-purpose AI models15. Regulated in Chapter V of the act, the Regulation differentiates between general-purpose AI (GPAI) models and GPAI models with systemic risk, the latter being those that meet the conditions of Article 51. Obligations for providers of the former are included in Article 53, and for the latter, in Article 55.

Moreover, to ensure the proper application of the requirements defined for GPAI models, the AI Office will facilitate the drafting of codes of practice at the EU level. In this regard, the first General-Purpose AI Code of Practice will detail the AI Act rules for providers of general-purpose AI models and general-purpose AI models with systemic risks. A first draft has already been published on 14 November 2024.

In parallel to the Code of Practice process, the AI Office is also developing a template for the sufficiently detailed summary of training data that general-purpose AI model providers are required to make public according to Article 53(1)(d) of the AI Act.

  • Minimal risk AI systems. All other AI systems can be developed and used in the EU without legal obligations beyond those of existing legislation. An example would be spam filters.

Relevant objects of procurement and procurement templates

As referenced in the Guideline on AI-ML, AI/ML technologies have wide-ranging applications across smart city initiatives, including predictive maintenance, transportation optimisation, resource management, and citizen engagement.

In this regard, objects of procurement like data prediction and simulation models or real-time data collection tools might require AI/ML technologies to function. Therefore, in addition to all other EU digital legislation applicable to these objects of procurement (e.g., GDPR or NIS 2 Directive), it will be necessary to incorporate the requirements stemming from the AI Act. Depending on the concrete use case and characteristics of the AI system to be procured, different requirements will apply, as listed above.

Regardless of the category, it is important to always bear in mind the core principles of transparency, explainability, accuracy, robustness, human oversight, fairness, and accountability, as well as to ensure a human-centric, responsible use of AI.

Supporting material

  • 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • 2 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) GDPR).
  • 3 Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive): https://eur-lex.europa.eu/eli/dir/2022/2555/oj
  • 4 Commission Implementing Regulation (EU) 2024/2690 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant [...]: https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
  • 5 Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act): https://eur-lex.europa.eu/eli/reg/2019/881/oj/eng
  • 6 Directive 2014/53/EU on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02014L0053-20241228
  • 7 Delegated Regulation (EU) 2022/30 with regard to the application of the essential requirements referred to in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU (RED Directive): https://eur-lex.europa.eu/eli/reg_del/2022/30/oj
  • 8 Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive): https://eur-lex.europa.eu/eli/dir/2022/2557/oj/eng
  • 9 Commission Delegated Regulation supplementing Directive (EU) 2022/2557 of the European Parliament and of the Council by establishing a list of essential services [C/2023/4878 final]: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=pi_com%3AC%282023%294878
  • 10 Public undertakings are any undertakings over which public-sector bodies have a dominant influence through ownership, financial participation or the rules which govern them; these include those acting as public passenger road or rail transport operators, air carriers and EU shipowners fulfilling public-service obligations.
  • 11 Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R2854&qid=1704709568425
  • 12 Those can be the manufacturers and designers of connected products or providers of the related services, but it can also be the seller, renter, or lessor of a connected product (when not the manufacturer/designer), if it can control the making available of the concerned data.
  • 13 Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act): https://eur-lex.europa.eu/eli/reg/2024/1689/oj
  • 14 “‘AI system’ means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments” (Article 3(1) AI Act).
  • 15 “‘General-purpose AI model’ means an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market” (Article 3(63) AI Act).

Feedback

We value your input to improve these resources! If you have any suggestions, questions, or need assistance, please fill in this form. Your feedback will help ensure these documents remain relevant and effective for cities across Europe.

These services are provided as part of the Local Digital Twins toolbox procurement - Advancing initial stages for the transformation of Smart Communities - Lot 1 and Lot 2, as described in the Digital Europe programme, and funded by the European Union.

© 2024. European Union. All rights reserved. Certain parts are licensed under conditions to the EU

The Commission’s reuse policy is implemented by Commission Decision 2011/833/EU of 12 December 2011 on the reuse of Commission documents (OJ L 330, 14.12.2011, p. 39, https://eur-lex.europa.eu/eli/dec/2011/833/oj). Unless otherwise noted (e.g. in individual copyright notices), content owned by the EU on this website is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence. This means that reuse is allowed, provided appropriate credit is given and any changes are indicated. You may be required to clear additional rights if specific content depicts identifiable private individuals or includes third-party works. To use or reproduce content that is not owned by the EU, you may need to seek permission directly from the rightholders. Software or documents covered by industrial property rights, such as patents, trade marks, registered designs, logos and names, are excluded from the Commission's reuse policy and are not licensed to you.