Understanding the EU’s New Legislative Framework

Ordinary legislative procedure (OLP)

The main law‑making process in the EU where the European Parliament and the Council of the EU act as co‑legislators on a proposal usually initiated by the Commission, going through readings, possible conciliation, and adoption.

European Commission

The EU institution that usually has the exclusive right of legislative initiative, drafts proposals for EU laws, ensures their implementation, and can adopt delegated and implementing acts when empowered.

European Parliament

The directly elected EU institution representing citizens; acts as co‑legislator with the Council in the ordinary legislative procedure and can approve, amend, or reject Commission proposals.

Council of the European Union

The institution representing the governments of the Member States; meets in different configurations of national ministers and shares law‑making power with Parliament in the ordinary legislative procedure.

Regulation

A binding EU legal act of general application that is directly applicable in all Member States without the need for national transposition, ensuring uniform rules across the EU.

Directive

A binding EU legal act that sets results to be achieved but leaves Member States the choice of form and methods; it must be transposed into national law by a deadline.

New Legislative Framework (NLF)

A horizontal EU framework (mainly Regulation 765/2008, Decision 768/2008/EC, and Regulation 2019/1020) that provides common rules and a toolbox for product legislation, especially on accreditation, market surveillance, CE marking, and economic operator obligations.

Regulation (EC) 765/2008

An EU regulation that sets rules for accreditation of conformity assessment bodies, lays down the basic framework for market surveillance, and defines and protects the CE marking.

Decision 768/2008/EC

A non‑binding legislative template used by the EU to draft product legislation. It standardises definitions, obligations of manufacturers/importers/distributors, conformity assessment modules, and rules for Notified Bodies.

Regulation (EU) 2019/1020

A regulation on market surveillance and product compliance that updates and strengthens the NLF, particularly regarding online sales, cooperation between authorities, and the requirement for a responsible economic operator in the EU.

Conformity assessment

The process of demonstrating that specified requirements relating to a product, process, system, person, or body are fulfilled. In the NLF, this is organised into standard 'modules' and may involve a Notified Body.

Notified Body

A conformity assessment body designated by an EU Member State and notified to the European Commission to perform specific conformity assessment tasks under EU harmonisation legislation.

Harmonised standard

A European standard adopted by CEN, CENELEC, or ETSI on the basis of a request from the European Commission and whose reference is published in the Official Journal of the EU under specific EU harmonisation legislation, giving a presumption of conformity with the related essential requirements.

Presumption of conformity

The legal effect whereby products manufactured in accordance with applicable harmonised standards cited in the OJEU are presumed to comply with the essential requirements covered by those standards, unless evidence to the contrary is found.

Conformity assessment

A systematic examination (such as testing, inspection, certification, quality system assessment) to determine whether specified requirements relating to a product, process, system, person, or body are fulfilled.

Notified body

A conformity assessment body designated by an EU Member State to carry out conformity assessment tasks under specific EU harmonisation legislation and notified to the European Commission and other Member States; listed in the NANDO database.

Accreditation (in the EU context)

An attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and is competent to carry out specific conformity assessment tasks, as organised under Regulation (EC) No 765/2008.

CE marking

A marking by which the manufacturer indicates that the product is in conformity with all applicable EU harmonisation legislation providing for its affixing and that the required conformity assessment procedures have been carried out.

Horizontal legislation

EU rules that apply across many product sectors, providing common concepts, operator obligations, conformity assessment modules, CE marking rules, and market surveillance frameworks (e.g. Decision 768/2008/EC, Regulation 765/2008, Regulation 2019/1020, GPSR 2023/988).

Sector-specific legislation

EU product laws that apply to particular product groups or sectors (e.g. toys, radio equipment, machinery) and set essential requirements for those products while reusing the horizontal NLF toolbox.

Decision No 768/2008/EC

A 2008 EU Decision containing reference provisions that serve as a template for modern product legislation, providing standardised definitions, obligations of economic operators, conformity assessment modules, CE marking rules, and safeguard procedures.

Alignment to the NLF

The process of drafting or revising sector-specific EU product legislation so that it follows the structure and wording of the NLF reference provisions in Decision 768/2008/EC.

Conformity assessment modules

Standardised procedures (Module A, B, C, etc.) described in the NLF reference provisions, used by sector laws to specify how manufacturers must demonstrate that products meet essential requirements.

CE marking (in the NLF context)

A marking by which a manufacturer declares that a product complies with all applicable EU harmonisation legislation that provides for its affixing, following common NLF-style rules on form, placement, and meaning.

Digital Services Act (DSA)

EU Regulation (EU) 2022/2065 that sets horizontal rules for online intermediaries and platforms, focusing on illegal content, transparency, user protection, and systemic risk management.

Digital Markets Act (DMA)

EU Regulation (EU) 2022/1925 that imposes obligations on large digital platforms designated as gatekeepers to ensure fair and contestable digital markets.

Gatekeeper

A large platform provider of core platform services that has a significant impact on the internal market, a strong intermediation position, and a durable market position, designated under the DMA.

Very Large Online Platform (VLOP)

An online platform with at least 45 million monthly active users in the EU (about 10% of the EU population), subject to enhanced DSA obligations such as systemic risk assessments.

New Legislative Framework (NLF)

A set of EU principles and reference provisions structuring product legislation around essential requirements, harmonised standards, conformity assessment, CE marking, and market surveillance.

Systemic risks (under DSA)

Risks arising from the design or functioning of a platform’s services that can have broad societal impacts, such as dissemination of illegal content, harms to fundamental rights, or impacts on public security and elections.

AI Act (Regulation (EU) 2024/1689)

The EU’s horizontal regulation on artificial intelligence, in force since August 2024, using a risk‑based approach with four main risk categories and phased application of obligations.

Unacceptable‑Risk AI

AI practices that are prohibited under the AI Act because they are considered incompatible with EU values and fundamental rights (e.g., social scoring by public authorities, most real‑time remote biometric identification in public spaces for law enforcement).

High‑Risk AI

AI systems that significantly affect safety or fundamental rights (e.g., AI in medical devices, employment, education, essential services, law enforcement). They are allowed but subject to strict requirements (risk management, data quality, human oversight, etc.).

Limited‑Risk AI

AI systems that mainly trigger transparency obligations (e.g., chatbots, deepfakes, some emotion recognition). Users must be informed that AI is being used or that content is artificially generated.

Minimal‑Risk AI

AI systems with low impact on safety or fundamental rights (e.g., game NPCs, spam filters). The AI Act does not impose specific obligations on them, though other laws still apply.

Entry into Force vs Application

Entry into force is when a regulation becomes legally valid (for the AI Act, August 2024). Application refers to when specific obligations actually start to bind stakeholders, which can be staggered over several years.

Cyber Resilience Act (CRA)

Regulation (EU) 2024/2847 establishing horizontal cybersecurity requirements for products with digital elements in the EU, using an NLF-style structure (essential requirements, standards, conformity assessment, CE marking).

Product with digital elements

Any hardware or software product that has at least one direct or indirect data connection to a device or network, including many IoT devices, operating systems, and applications.

Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, harmonising rules on ICT risk management, incident reporting, testing, and third-party ICT risk.

Digital operational resilience

The ability of a financial entity to withstand, respond to, and recover from ICT-related disruptions and cyber incidents, ensuring continuity of critical services.

Interoperable Europe Act (IEA)

Regulation (EU) 2024/903 establishing a cooperation framework and governance for interoperable digital public services across the EU, promoting reusable solutions and common standards.

Interoperability (public sector)

The ability of public administrations and their systems to work together across legal, organisational, semantic, and technical layers to deliver seamless digital public services.

VAT in the Digital Age (ViDA)

An EU legislative package updating VAT rules for the digital economy, built around three pillars: digital reporting & e‑invoicing, VAT rules for the platform economy, and single VAT registration/modernised rules, with a long implementation horizon from around 2025 into the 2030s.

Digital Reporting Requirements (DRR)

Obligations for businesses to submit key VAT‑relevant transaction data (often derived from e‑invoices) to tax authorities in near real time, using harmonised EU data fields and interoperable systems.

E‑Invoicing (in the ViDA context)

The issuance and receipt of invoices in a structured electronic format (not just PDFs), enabling automated processing and real‑time reporting of VAT‑relevant data to tax authorities.

Deemed Supplier (Platform Economy)

A VAT concept where a digital platform is treated as if it is the supplier of a good or service for VAT purposes, even though the actual supplier is a third party, making the platform responsible for charging and remitting VAT.

One‑Stop Shop (OSS) / Import One‑Stop Shop (IOSS)

EU schemes allowing businesses to declare and pay VAT due in multiple Member States via a single electronic portal, which ViDA further extends to support a form of single VAT registration.

Long Transition Period (2025–2035)

The extended timeframe over which ViDA’s measures are phased in, reflecting the need for major IT upgrades, alignment of data standards, and coordination with other EU digital, data protection, and cybersecurity rules.

Market Surveillance (Regulation (EU) 2019/1020)

Activities carried out by national authorities to ensure products on the EU market comply with EU harmonisation legislation and do not endanger health, safety, or other public interests. It includes inspections, sampling, testing, corrective measures, and coordination across Member States.

Accreditation

A procedure by which a national accreditation body formally recognises that a conformity assessment body is competent to perform specific conformity assessment tasks (e.g. testing, certification) according to harmonised standards.

Notified Body

A conformity assessment body designated by a Member State and notified to the European Commission and other Member States to carry out specific conformity assessment tasks under EU harmonisation legislation (e.g. medical devices, machinery). Listed in the NANDO database.

Digital Services Coordinator (DSC)

The national authority designated in each Member State as the main enforcer of the Digital Services Act for providers under its jurisdiction, responsible for supervision, investigations, and cooperation with other DSCs and the European Commission.

European Board for Digital Services (EBDS)

A body composed of Digital Services Coordinators and the European Commission that supports consistent application of the DSA, facilitates cooperation, issues opinions and guidance, and assists in cross-border cases.

European AI Office

A structure within the European Commission created under the AI Act to coordinate enforcement, especially for general-purpose AI models, support national authorities, and help ensure consistent application of the AI Act across the EU.

Digital Omnibus (in EU digital policy)

A proposed approach where the EU would adopt a single legislative act that **amends several existing digital regulations at once** (e.g., DSA, DMA, AI Act, GDPR, Data Act) to align definitions, streamline obligations, and fix overlaps.

Regulatory simplification

Efforts to **reduce complexity and duplication** in the legal framework, for example by harmonizing definitions, consolidating reporting duties, or clarifying how different acts interact.

High-risk AI (AI Act context)

AI systems that pose significant risks to health, safety, or fundamental rights (e.g., in employment, credit scoring, critical infrastructure) and are therefore subject to **stricter obligations** under the AI Act.

Dark patterns

User interface designs that **manipulate or mislead** users into choices they might not otherwise make, often by hiding information, nudging toward more profitable options, or making refusal difficult.

Digital Fairness Act (DFA)

An emerging EU legislative proposal focusing on **modernizing consumer protection** in the digital environment, particularly targeting dark patterns and unfair digital practices, and complementing DSA and GDPR.

Overlap review

A systematic assessment of how different laws apply to the same services or technologies, identifying **conflicts, duplications, and gaps** to inform simplification or amendment proposals.