Home / Publications


Discover thought leadership and legal insights by our legal experts from across CMS. In our Expert Guides, written by CMS lawyers from across the jurisdictions where we operate, we provide you with in-depth legal research and insights that can be read both online and offline. You can also find Law-Now articles with focused legal analysis, commentary and insights to help you anticipate future challenges and much more.

Media type
Back to Basics briefings - New briefing added!
CMS Funds Group Back to Basics briefings intend to provide high level insights regarding funds fundamentals, funds vehicles and operational considerations New briefings are published on a regular basis, covering a specific jurisdiction or topic, and providing basic essential technical explanations.
Looking ahead to the EU AI Act
Introduction On 21 May 2024, the Council of the European Union adopted the Regulation laying down harmonised rules on artificial intelligence” (the so-called AI Act). As the world's first comprehensive law to regulate artificial intelligence, the AI Act aims to establish uniform requirements for the development and use of artificial intelligence in the European Union. Following the European Parliament's adoption of the draft on 13 March 2024, the AI Act has now been formally adopted . Once signed by the Presidents of the European Parliament and the Council, the Regulation will be published in the Official Journal of the EU and will enter into force twenty days after its publication. With this  adoption of the world’s most significant legislation on Artificial Intelligence, solidifying its position as a pioneer among global legislators. This initiative aims to establish and reinforce the EU’s role as a premier hub for AI while ensuring that AI development remains focused on human-centered and trustworthy principles. After a long and complex journey that began in 2021 with the European Commission’s proposal of a draft AI Act, this new regulation is expected to be passed into law in June  2024. The AI Act aims to ensure that the marketing and use of AI systems and their outputs in the EU are consistent with fundamental rights under EU law, such as privacy, democracy, the rule of law and environmental sustainability. Adopting a dual approach, it outright prohibits AI systems deemed to pose unacceptable risks while imposing regulatory obligations on other AI systems and their outputs. The new regulation, which also aims to strike a fair balance between innovation and the protection of individuals, not only makes Europe a world leader in the regulation of this new technology, but also endeavours to create a legal framework that users of AI technologies will be able to comply with in order to make the most of this significant development opportunity. In this article we provide a first overview of the key points contained in the text of the AI Act that companies should be aware of in order to prepare for the implementing regulation.
Digital Operational Resilience Act (DORA): Impact on the funds sector
The Digital Operational Resilience Act (DORA) is a transformative force in the funds sector, reshaping the relationships between financial entities, financial markets and ICT providers to achieve greater digital resilience. 2024 stands as a pivotal year for DORA’s implementation since the Act will come into effect in January 2025. Our CMS Funds experts are sharing insights on the challenges and key components of this transformation in our upcoming video series, covering the following key components:
GDPR Enforcement Tracker Report
The CMS Data Protection Group is pleased to launch the 5th edition In the six years since the GDPR came into force, this powerful framework to protect personal data has certainly helped to raise awareness and encourage compliance efforts – just as the European legislator intended. At the same time, the risk of fines of up to EUR 20 million or 4% of a company’s global annual turnover can also lead to fear and reluctance or ignorance about compliance issues. We still believe that facts are better than fear. This is why we continuously update our list of publicly known fines in the GDPR Enforcement Tracker and established the GDPR Enforcement Tracker Report as an annual deep dive approach to provide you with more insights into the world of GDPR fines.
WEBINAR REPLAY | Foreign direct investment
The new European protection mechanism to ensure the development of the euro area against foreign investment In this 30-min webinar, our CMS experts: Gérard Maitrejean, Angélique Eguether and Julie Butlingaire...
WEBINAR SERIES REPLAY | Liquidity Management for Investment Funds
Welcome to our Liquidity Management for Investment Funds Webinar series
CMS European M&A Study 2024
The CMS Corporate/M&A Group is pleased to launch the 16th edition of the European M&A Study
Next steps
Following the European Parliament's approval of the draft on 13 March 2024 , the Council of the European Union has also approved the final text of the AI Act on 21 May 2024, meaning that the AI Act has been formally adopted. The AI Act will enter into force on the 20th day after publication in the EU Official Journal and will be applicable after 24 months. However, some specific provisions will have different application dates, such as prohibitions on AI, that will apply 6 months after entry into force; or General Purpose AI models already on the market, which are given a compliance deadline of 12 months. The AI Office was established on 21 February 2024 and the European Commission will oversee the issuance of at least 20 delegated acts. The AI Act’s implementation will be supported by an expert group formed to advise and assist the European Commission in avoiding overlaps with other EU regulations. Meanwhile, Member States must appoint at least one notifying authority and one market surveillance authority and communicate to the European Commission the identity of the competent authorities and the single point of contact. The next regulatory step appears to be focused on AI liability. On 14 December 2023, EU policymakers reached a political agreement on the amendment of the Product Liability Directive. This proposal aims to accommodate technological developments, notably covering digital products like software, including AI. The next proposal in line in the AI package is the Directive on the ad­apt­a­tion/har­mon­iz­a­tion of the rules on non-contractual civil liability to Artificial Intelligence (AI Liability Directive). Addressing issues of causality and fault related to AI systems, this directive proposal ensures that claimants can enforce appropriate remedies when suffering damages in fault-based scenarios. The draft was published on 28 September 2022 and is still pending to be considered by the European Parliament and Council of the European Union . Once adopted, EU Member States will be obliged to transpose its provisions into national law within a likely two-year timeframe. The enactment of the AI Act represents a pivotal step towards fostering a regulatory landscape, not only in the EU but worldwide, that balances innovation, trust, and accountability, ensuring that AI serves as driver of progress while safeguarding fundamental rights and societal values.
Codes of conduct, confidentiality and penalties, delegation of power and...
Codes of conduct (Chapter X, Art. 95)In order to foster ethical and reliable AI systems and to increase AI literacy among those involved in the development, operation and use of AI, the new AI Act mandates the AI Office and Member States to promote the development of codes of conduct for non-high-risk AI systems. These codes of conduct, which should take into account available technical solutions and industry best practices, would promote voluntary compliance with some or all of the mandatory requirements that apply to high-risk AI systems. Such voluntary guidelines should be consistent with the EU values and fundamental rights and address issues such as transparency, accountability, fairness, privacy and data governance, and human oversight. Furthermore, to be effective, such codes of conduct should be based on clear objectives and key performance indicators to measure the achievement of these objectives. Codes of conduct may be developed by individual AI system providers, deployers, or organizations representing them and should be developed in an inclusive manner, involving relevant stakeholders such as business and civil society organisations, academia, etc. The  European Commission will assess the impact and effectiveness of the codes of conduct within two years of the AI Act entering into application, and every three years thereafter. The aim is to encourage the application of requirements for high-risk AI systems to non-high-risk AI systems, and possibly other additional requirements for such AI systems (including in relation to environmental sustainability).
Breaking news - ELTIF 2.0: new RTS amendments submitted by the European...
Breaking News | The European Commission (the Commission) has recently submitted a communication to the attention of the European Securities and Markets Authority (ESMA) proposing certain amendments to...
Governance and post-market monitoring, information sharing, market surveillance
Governance (Chapter VII, Art. 64-70 )The AI Act establishes a governance framework under Chapter VII, with the scope of coordinating and supporting its application on a national level, as well as build capabilities at Union level and integrate stakeholders in the field of artificial intelligence. The measures related to governance will apply from 12 months following the entry into force of the AI Act. To develop Union expertise and capabilities, an AI Office is established within the Commission, having a strong link with the scientific community to support its work which includes the issuance of guidance; its establishment should not affect the powers and competences of national competent authorities, and bodies, offices and agencies of the Union in the supervision of AI systems. The newly proposed AI governance structure also includes the establishment of the European AI Board (AI Board), composed of one representative per Member State, designated for a period of 3 years. Its list of tasks has been extended and includes the collection and sharing of technical and regulatory expertise and best practices in the Member States, contributing to their harmonisation, and the assistance to the AI Office for the establishment and development of regulatory sandboxes with national authorities. Upon request of the Commission, the AI Board will issue recommendations and written opinions on any matter related to the implementation of the AI Act. The Board shall establish two standing sub-groups to provide a platform for cooperation and exchange among market surveillance authorities and notifying authorities on issues related to market surveillance and notified bodies. The final text of the AI Act also introduces two new advisory bodies. An advisory forum (Art. 67) will be established to provide stakeholder input to the European Commission and the AI Board preparing opinions, recommendations and written contributions.A scientific panel of independent experts (Art. 68) selected by the European Commission will provide technical advice and input to the AI Office and market surveillance authorities. The scientific panel will also be able to alert the AI Office of possible systemic risks at Union level. Member States may call upon experts of the scientific panel to support their enforcement activities under the AI Act and may be required to pay fees for the advice and support by the experts. Each Member State shall establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities for the purpose of the AI Act. Member States shall ensure that the national competent authority is provided with adequate technical, financial and human resources and infrastructure to fulfil their tasks effectively under this regulation, and satisfies an adequate level of cybersecurity measures. One market surveillance authority shall also be appointed by Member States to act as a single point of contact.
General purpose AI models and measures in support of innovation
General purpose AI models (Chapter V  V, Art. 51-56)The AI Act is founded on a risk based approach. This regulation, intended to be durable, initially wasn’t associated to the characteristics of any particular model or system, but to the risk associated with its intended use. This was the approach when the proposal of the AI Act was drafted and adopted by the European Commission on 22 April, 2021, when the proposal was discussed at the  Council of the European Union on 6 December, 2022. However, after the great global and historical success of generative AI tools in the months following the Commission’s proposal, the idea of regulating AI focusing only on its intended use seemed then insufficient. Then, in the 14 June 2023 draft, the concept of “foundation models” (much broader than generative AI) was introduced with associated regulation. During the negotiations in December 2023, some additional proposals were introduced regarding “very capable foundation models” and “general purpose AI systems built on foundation models and used at scale”. In the final version of the AI Act, there is no reference to “foundation models”, and instead the concept of “general purpose AI models and systems” was adopted. General Purpose AI models (Arts. 51 to 56 ) are distinguished from general purpose AI systems (Arts. 25 and 75). The General Purpose AI systems are based on General Purpose AI models: “when a general purpose AI model is integrated into or forms part of an AI system, this system should be considered a general purpose AI system” if it has the capability to serve a variety of purposes (Recital 100). And, of course, General Purpose AI models are the result of the operation of AI systems that created them.“General purpose AI model” is defined in Article 3 (63) as “an AI model (…) that displays significant generality and is capable to competently perform a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications”. The definition lacks quality (a model is “general purpose” if it “displays gen­er­al­ity”1Re­cit­al 98 contributes to clarify the concept saying that “generality” means the use of at least a billion of parameters, when the training of the model uses “a large amount of data using self-supervision at scale”. footnote) and has a remarkable capacity for expansion. Large generative AI models are an example of General Purpose AI models (Recital 99). The obligations imposed to providers of General Purpose AI models are limited, provided that they don’t have systemic risk. Such obligations include (Art. 53 (I) (a)  (i) to draw up and keep up-to-date technical documentation (as described in Annex XI) available to the national competent authorities, as well as to providers of AI systems who intend to integrate the General Purpose AI system in their AI systems, and (ii) to take some measures in order to respect EU copyright legislation, namely to put in place a policy to identify reservations of rights and to make publicly available a sufficiently detailed summary about the content used. Furthermore, they should have an authorised representative in the EU (Art. 54). The most important obligations are imposed in Article 55 to providers of General Purpose AI models with systemic risk. The definition of AI models with systemic risk is established in Article 55 in too broad and unsatisfactory terms: “high impact capabilities”. Fortunately, there is a presumption in Article 55.2 that helps: “when the cumulative amount of compute used for its training measured in floating point operations (FLOPs) is greater than 10^25”. The main additional obligations imposed to General Purpose AI models with systemic risks are (i) to perform model evaluation (including adversarial testing), (ii) to assess and mitigate systemic risks at EU level, (iii), to document and report serious incidents and corrective measures, and (iv) to ensure an adequate level of cybersecurity. Finally, an “AI system” is “an AI system which is based on a General Purpose AI model, that has the capacity to serve a variety of purposes” (Art. 3 (66)). If General Purpose AI systems can be used directly by deployers for at least one purpose that is classified as high-risk (Art. 75), an evaluation of compliance will need to be done, if there is sufficient reason to consider that the system is not compliant with AI Act.