19 October 2024 | Risk Management

Volume of new EU laws a challenge for risk managers

The number of new laws and regulations coming from the EU, especially around digital legislation, is quickly increasing the complexity of the regulatory and compliance environment, making it difficult for organisations to keep on top of new developments.

That is the perspective offered by Charles Low, head of EU Affairs, FERMA, who describes the pace of change as cause for concern. He said it is especially difficult for smaller businesses to keep up. “It is very challenging for all companies. However, it is considerably more demanding for SMEs than larger enterprises, which should be borne in mind,” he told FERMA Forum Today.

“Nevertheless, it is certainly a cause for concern that laws coming in have increased the complexity of the regulatory and compliance environment. It is difficult for organisations to keep on top of these developments.”

He cites figures that suggest that digital legislation coming from the EU has risen dramatically in recent years. In 2000, there were only around seven EU laws that touched on digitalisation. Fast forward to 2024, and there are now 88 related pieces of legislation (source: Bruegel think-tank).

“What that boils down to is essentially four new laws touching on digitalisation every year, over that period. This is a lot to keep up with, especially if you consider the size of each piece of legislation, as well as the cross-references,” he said.

He explained that you also need to add in all that comes from the EU Green Deal, as well as changes to prudential regulation, liability laws, and collective redress.

“Risk managers will find this tough since a lot of the legislation that has emerged over the past five years has some direct implications on risk management processes and frameworks,” Low said.

He added that notable recent examples include the risk-based EU AI Act, and the due diligence requirements that have a significant impact on risk management in the context of the Corporate Sustainability Due Diligence Directive.

FERMA is advocating for simplifying this “regulatory maze” as part of its policy manifesto.

Low believes there needs to be more collaboration between regulators and the risk management community. He notes, for example, that one of the next steps in the implementation of the EU AI Act is for the European Commission to coordinate on standards being developed in themes such as risk management.

“This is definitely an area FERMA and risk managers more broadly should be consulted on, in our view. There are other areas where it certainly makes sense to collaborate more, and a pressing concern for FERMA is that, unfortunately, much new legislation is enacted without sufficient recognition of the possible ramifications for enterprises in terms of them being able to secure appropriate insurance coverage. We feel this area should be addressed in a more systematic way,” he said.

He stressed that it is important to have a more practical approach to regulation. His ideal is a type of EU lawmaking that strikes a balance between protecting people and the environment and facilitating the innovation required to be more competitive, which needs risks to be taken.

“Clearly there needs to be a focus on mitigating risks—but it is important that the approach is balanced,” he said.

“What we have seen in the EU over the past five years especially is an increase in the framing of certain pieces of legislation as risk based. We take encouragement from the moves the EU has made towards making Solvency II more risk based, for example.”

The move there, he noted, has been to create a new category of insurance undertaking, Small and Non-Complex Undertakings which, because they pose less risk to the system overall, in theory are allowed to apply a less restrictive interpretation of the prudential framework. “This has taken a lot of pushing but it is there,” he said.

Another area where he sees ‘risk based’ being at the core of legislation is the framework of the EU AI Act. It contains a risk classification of the use of AI systems, where systems deemed high risk (for example, AI systems used in medical devices to deliver care) must meet requirements that are more stringent than those for less risky uses such as chatbots.

“Introducing a risk classification does make sense. However, the AI Act’s risk-based approach also means that some systems pose an ‘unacceptable risk’. What begins to get problematic here is what falls into ‘unacceptable’ over time and how risks, which are normative assessments, are used to justify such a designation. We will be monitoring how this develops.”

FERMA Forum Today is in partnership with Captive Review, part of Newton Media.
