Resources
Clear, structured definitions of the key EU and international regulations that every compliance team needs to know.
AGEC
French law (2020-105) establishing measures against waste and for the circular economy, including extended producer responsibility and a repairability index.
AGEC introduces five key pillars: ending single-use plastics (by 2040), improving consumer information (repairability and durability indices), fighting planned obsolescence, producing better (extended producer responsibility), and reducing waste. The law requires repairability scores to be displayed on electronics and household appliances, bans the destruction of unsold goods, and mandates recycled content in certain products.
AI Act
EU regulation (2024/1689) establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems in the EU.
The AI Act classifies AI systems into four risk categories: unacceptable (banned), high-risk (strict obligations), limited risk (transparency requirements), and minimal risk (voluntary codes). High-risk AI systems must meet requirements for data quality, documentation, human oversight, and robustness. Penalties reach up to €35M or 7% of global turnover.
AML Directives (AMLD)
Series of EU directives (currently AMLD6) establishing requirements for preventing money laundering and terrorist financing, including customer due diligence (KYC) obligations.
The AML framework requires financial institutions and other obliged entities to perform customer due diligence, report suspicious transactions, and maintain transaction records. AMLD6 introduces a single EU AML Authority (AMLA), harmonized KYC/CDD requirements, a €10,000 limit on cash payments, and beneficial ownership transparency. The new AML Regulation (AMLR) will be directly applicable across EU member states.
CRA
EU regulation establishing cybersecurity requirements for products with digital elements, covering their entire lifecycle from design to decommissioning.
The CRA requires manufacturers of connected products (IoT devices, software, hardware) to implement security by design, provide vulnerability handling processes, offer security updates for at least 5 years, and report actively exploited vulnerabilities within 24 hours. Products must bear the CE marking to demonstrate compliance. Penalties reach up to €15M or 2.5% of global turnover.
CS3D
EU directive requiring large companies to identify, prevent, mitigate, and account for adverse human rights and environmental impacts throughout their value chains.
CS3D imposes mandatory due diligence obligations on companies with 1,000+ employees and €450M+ net turnover. Companies must map their value chains, conduct risk assessments, implement prevention and mitigation measures, establish grievance mechanisms, and publicly report on due diligence efforts. Directors must integrate due diligence into corporate strategy. Failure to comply gives rise to civil liability.
CSRD
EU directive (2022/2464) requiring large companies to publish detailed reports on environmental, social, and governance (ESG) matters using the European Sustainability Reporting Standards (ESRS).
The CSRD replaces the NFRD and significantly expands the scope of sustainability reporting. Companies must report under the double materiality principle, covering both the financial impact of sustainability issues and their impact on people and the environment. Reports must be digitally tagged (XBRL) and independently assured. Phased rollout from 2024 to 2028.
DORA
EU regulation (2022/2554) establishing uniform requirements for the security of network and information systems of financial entities and critical ICT third-party service providers.
DORA requires financial entities to implement ICT risk management frameworks, conduct digital operational resilience testing, manage ICT third-party risk, and report major ICT-related incidents. It applies to banks, insurance companies, investment firms, payment providers, and their critical technology suppliers. Applicable since January 17, 2025.
DPP (Digital Product Passport)
A structured digital record attached to a product that provides information about its origin, composition, repair and disassembly possibilities, and end-of-life handling.
Required under the ESPR framework, the DPP will be mandatory for product categories starting in 2027. Each product carries a unique identifier (QR code or NFC) linking to digital data: materials, carbon footprint, repairability score, recycled content, and compliance certificates. The first categories include batteries (already mandatory), textiles, electronics, and construction products.
ESPR
EU regulation establishing ecodesign requirements for sustainable products, including the Digital Product Passport (DPP) framework.
The ESPR extends ecodesign requirements beyond energy-related products to nearly all physical goods placed on the EU market. It introduces the Digital Product Passport (DPP), requiring products to carry digital information about their sustainability characteristics: materials composition, carbon footprint, repairability score, and recycled content. First product categories expected by 2027.
EU Taxonomy
EU regulation (2020/852) establishing a classification system for environmentally sustainable economic activities.
The EU Taxonomy defines which economic activities can be considered environmentally sustainable based on six objectives: climate change mitigation, climate change adaptation, water protection, circular economy, pollution prevention, and biodiversity. Companies subject to the CSRD must report the proportion of their activities that are Taxonomy-aligned.
EUDR
EU regulation (2023/1115) prohibiting the placing on the EU market of commodities and products associated with deforestation and forest degradation.
The EUDR covers seven commodities: palm oil, soy, wood, cocoa, coffee, rubber, and cattle. Companies must conduct due diligence to ensure products are deforestation-free (produced on land not deforested after December 31, 2020), provide geolocation data for production plots, and submit due diligence statements. Application date: December 30, 2025 for large companies, June 30, 2026 for SMEs.
GDPR
EU regulation (2016/679) governing the collection, processing, and storage of personal data of individuals in the European Union.
The GDPR is the most comprehensive data protection framework globally, granting EU residents rights over their personal data including access, rectification, erasure, and portability. It applies to any organization processing EU residents' data, regardless of where the organization is based. Non-compliance can result in fines up to €20M or 4% of global annual turnover.
GPSR
EU regulation (2023/988) ensuring that all non-food consumer products placed on the EU market are safe, with specific provisions for online marketplaces.
The GPSR replaces the General Product Safety Directive (GPSD) and applies from December 13, 2024. It introduces new obligations for online marketplaces, requires internal risk analysis, mandates the use of the Safety Gate (RAPEX) system for product recalls, and strengthens market surveillance. Penalties can reach €20M or 4% of global turnover.
MiCA
EU regulation (2023/1114) establishing a comprehensive regulatory framework for crypto-assets, their issuers, and crypto-asset service providers.
MiCA creates uniform rules across the EU for crypto-assets not covered by existing financial regulations. It regulates asset-referenced tokens (stablecoins), e-money tokens, utility tokens, and crypto-asset service providers (CASPs). Issuers must publish white papers, maintain reserves, and meet capital requirements. Fully applicable since December 30, 2024.
NIS2
EU directive (2022/2555) establishing cybersecurity risk management and incident reporting obligations for essential and important entities across critical sectors.
NIS2 expands the original NIS Directive to cover more sectors (energy, transport, banking, health, digital infrastructure, ICT service management, public administration, space, food, manufacturing, waste management, postal services, chemicals). It mandates supply chain security assessments, incident reporting within 24 hours, and management body accountability. Fines reach up to €10M or 2% of global turnover.
PSD2
EU directive (2015/2366) regulating payment services and payment service providers, introducing strong customer authentication (SCA) and open banking requirements.
PSD2 opened the European payments market to non-bank providers by requiring banks to give licensed third parties access to customer account data (with consent). It mandates Strong Customer Authentication (SCA) for electronic payments, regulates surcharging practices, and protects consumers against unauthorized transactions. PSD3 is currently in the legislative process.
REACH
EU regulation (EC 1907/2006) governing the registration, evaluation, authorization, and restriction of chemical substances to protect human health and the environment.
REACH requires manufacturers and importers to register chemical substances produced or imported in quantities of 1 tonne or more per year. It places the burden of proof on companies to demonstrate that chemicals are safe. The regulation covers SVHC (Substances of Very High Concern), restrictions on dangerous substances, and authorization requirements for the most hazardous chemicals. Managed by ECHA (European Chemicals Agency).
Sapin II
French law (2016-1691) on transparency, anti-corruption, and the modernization of economic life, establishing compliance obligations for large companies.
Sapin II requires French companies with 500+ employees and €100M+ revenue to implement eight compliance measures: a code of conduct, an internal whistleblowing system, risk mapping, third-party due diligence procedures, internal/external accounting controls, training programs, disciplinary sanctions, and internal monitoring. Enforced by the AFA (Agence Française Anticorruption).
SFDR
EU regulation (2019/2088) requiring financial market participants and advisers to disclose sustainability-related information about their products and investment decisions.
The SFDR classifies financial products into three categories: Article 6 (no sustainability claims), Article 8 (promoting environmental/social characteristics), and Article 9 (sustainable investment objective). Fund managers must disclose principal adverse impacts (PAIs), pre-contractual sustainability information, and periodic reporting on sustainability metrics.
Solvency II
EU directive (2009/138/EC) establishing a risk-based framework for the prudential supervision of insurance and reinsurance undertakings.
Solvency II requires insurance companies to maintain adequate capital reserves based on quantitative risk assessments (Pillar 1), implement governance and risk management systems (Pillar 2), and meet disclosure and transparency requirements (Pillar 3). The Solvency II review (effective 2027) introduces proportionality measures and new sustainability risk requirements.
Cleo maps your regulatory perimeter in minutes. Start with a free scan.