EU Law Explained

An EU regulation is directly applicable in all member states the moment it enters into force. It becomes law without any national implementation needed. The GDPR and the EU AI Act are both regulations. An EU directive sets out a goal that all member states must achieve, but each country transposes it into national law through its own legislative process. This means the actual rules can differ between countries. The NIS2 Directive and the CSRD are directives. For lawyers, this distinction matters because regulations mean one text to read, while directives mean you need to find and read the national transposition in every relevant member state.

Direct effect means an EU law provision creates rights that individuals can enforce in national courts, even if the member state has not implemented it. The principle was established in the landmark CJEU case Van Gend en Loos (Case 26/62, 1963). Regulations have automatic direct effect. Directives can have "vertical direct effect" against the state if the transposition deadline has passed, the provision is sufficiently clear and unconditional, and the member state has failed to implement it correctly. Directives do not have horizontal direct effect between private parties, which is a critical distinction for advising clients.

Most EU legislation follows the Ordinary Legislative Procedure. The European Commission proposes a draft (a COM document). The European Parliament and the Council of the EU then both need to agree on the text. In practice, about 85% of legislation is agreed through informal negotiations called "trilogues" between the three institutions. The process typically takes 18 to 36 months from proposal to adoption, though complex files like the AI Act can take longer. After adoption, the final text is published in the Official Journal and enters into force 20 days later unless it specifies a different date.

EU law operates in layers. At the top sit the Treaties (TEU, TFEU, Charter of Fundamental Rights). Below that is Level 1 legislation: regulations and directives adopted by the Parliament and Council. The Commission then adopts delegated acts (supplementing Level 1 legislation) and implementing acts (ensuring uniform application). For financial services regulations like DORA and MiCA, the European Supervisory Authorities draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that contain the operational detail. Below all of this sit guidelines, recommendations, and Q&As from supervisory authorities. Each layer is published by a different body, in a different place, on a different timeline. This is why EU legal research takes so long.

Recitals are the numbered paragraphs in the preamble of EU legislation, before the operative articles. They are not legally binding provisions, but the CJEU regularly cites them when interpreting ambiguous articles. The Court uses a purposive approach and treats recitals as evidence of legislative intent. In some cases, if recitals contradict the operative articles, the legislation can even be challenged. For practical research, always read the recitals alongside the articles they relate to. One important detail: consolidated texts on EUR-Lex only include the original recitals, not recitals from amending acts, which can leave gaps in your understanding of later amendments.

All 24 official language versions of EU legislation are equally authentic. No single version takes precedence. When versions conflict, the CJEU resolves the issue by comparing multiple language versions and interpreting in light of the legislation's purpose and overall scheme. This was established in the CILFIT case (Case C-283/81). In practice, a thorough legal opinion on an ambiguous provision should compare at least the English, French, and German versions, plus the version in the client's operating jurisdiction. Language divergences are more common than most lawyers realise.

The General Data Protection Regulation (Regulation 2016/679) is the EU's data protection framework. It applies to any organisation that processes personal data of individuals in the EU, regardless of where that organisation is based. This extraterritorial scope means a US company serving EU customers must comply. The GDPR is built on seven principles in Article 5: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Fines can reach 20 million euros or 4% of global annual turnover. Since May 2018, regulators across Europe have issued over 2,800 fines totalling more than 6.2 billion euros.

The EU AI Act (Regulation 2024/1689) is the first comprehensive AI regulation in the world. It uses a risk-based framework with four categories. Prohibited AI practices (social scoring, manipulative AI, untargeted facial scraping) have been banned since February 2025. General-purpose AI model rules apply from August 2025. The major deadline is August 2, 2026, when high-risk AI system obligations take effect across eight domains including employment, education, law enforcement, and the administration of justice. Fines can reach 35 million euros or 7% of global annual turnover for prohibited practice violations.

A system qualifies as high-risk through two routes. First, if it is a safety component of a product already covered by EU product safety legislation listed in Annex I. Second, if it falls into one of the use-case categories in Annex III: biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential services (credit scoring, insurance), law enforcement, migration and border control, and administration of justice. High-risk systems must meet requirements for risk management, data governance, technical documentation, logging, human oversight, accuracy, robustness, and cybersecurity. Providers must complete a conformity assessment and affix CE marking before placing the system on the market.

The Corporate Sustainability Reporting Directive (Directive 2022/2464) requires companies to report on environmental, social, and governance (ESG) matters using European Sustainability Reporting Standards (ESRS). The original scope captured companies with 250+ employees and 50 million euros turnover. The EU Omnibus Simplification package, agreed in December 2025, raised these thresholds dramatically. Now only companies with 1,000+ employees and 450+ million euros turnover remain in scope. The number of mandatory ESRS data points dropped from around 1,073 to 320. However, because the CSRD is a directive, exemption depends on how each member state transposes the changes, which creates a 27-jurisdiction tracking problem for companies operating across Europe.

On EUR-Lex, open the original regulation and look at the left-hand panel for "All consolidated versions." Consolidated texts merge the original act with all subsequent amendments into a single readable document. Always use the most recent consolidated version. Two important caveats: consolidated texts are for information only and have no legal effect (the original act plus its amendments are technically the binding law), and there can be a processing lag before the latest amendments are included. For time-sensitive advice, always check whether any recent amending acts have been adopted that might not yet appear in the consolidated version.

DORA (Digital Operational Resilience Act, Regulation 2022/2554) and MiCA (Markets in Crypto-Assets, Regulation 2023/1114) are both financial services regulations but target different risks. DORA focuses on ICT risk management and digital operational resilience. It applies to banks, insurance companies, investment firms, payment institutions, and their critical ICT service providers. MiCA regulates crypto-asset markets, establishing rules for crypto-asset service providers (CASPs), stablecoin issuers, and token offerings. Both involve extensive delegated acts and technical standards from the European Supervisory Authorities (ESMA, EBA, EIOPA), which contain the detailed operational requirements.

EUR-Lex (eur-lex.europa.eu) is the EU's official free legal database containing every treaty, regulation, directive, decision, and court judgment the EU has ever produced. Over 2 million documents in 24 languages. The fastest way to find a specific instrument is by its CELEX number. For example, 32016R0679 is the GDPR: "3" means secondary legislation, "2016" is the year, "R" means regulation, "0679" is the document number. For topic-based research, use the advanced search with EuroVoc thesaurus filters. Always tick "in force" to exclude repealed legislation, and always check for a consolidated version of any act that has been amended.

Open the directive on EUR-Lex and click "National transposition" in the left-hand menu. This shows each member state's implementing legislation with notification dates and national identifiers. The data depends on member states notifying the Commission, so there can be delays. Some entries only have titles without links to the full national text. To read the actual national legislation, you typically need to visit the member state's own legal database: Legifrance for France, gesetze-im-internet.de for Germany, BOE for Spain, legislation.gov.uk for the UK. For complex transpositions across multiple countries, specialist trackers like Accountancy Europe's CSRD tracker or the ECSO NIS2 tracker can help map the landscape.

Use Curia (curia.europa.eu), the Court of Justice's official database. Search by the regulation number in parentheses, for example "2016/679" for the GDPR. This catches cases that cite the regulation. You can also search EUR-Lex's case law collection, which links cases to the legislation they interpret. For GDPR enforcement decisions specifically, GDPRhub (gdprhub.eu) provides a searchable database of DPA decisions and national court judgments across Europe, organised by article. Always check Advocate General opinions separately from the Court's judgments. AG opinions are not binding but are often more analytically detailed and are followed by the Court more often than not.

The Official Journal of the European Union is published daily (Tuesday through Saturday) in two main series. The L series (Legislation) publishes binding legal acts: regulations, directives, decisions, and international agreements. Publication in the L series is what makes legislation official. The C series (Information and Notices) publishes non-binding documents: recommendations, opinions, resolutions, European Parliament minutes, court case reports, and public notices. There is also a supplement (S series) for public procurement notices. For legal research, the L series is where you find the authoritative published text of any EU legal act.

Delegated acts (Article 290 TFEU) allow the Commission to supplement or amend non-essential elements of Level 1 legislation. Implementing acts (Article 291 TFEU) ensure uniform conditions for implementation. In practice, these instruments contain critical operational detail that the parent regulation intentionally leaves out. For financial services regulations like DORA, the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) drafted by the ESAs are adopted as delegated or implementing acts. Find them on EUR-Lex by checking the "Related documents" tab of the parent regulation, or search the Register of Delegated Acts. The ESA websites (esma.europa.eu, eba.europa.eu, eiopa.europa.eu) publish the draft versions during consultation.

For new regulations like the AI Act or DORA where provisions are untested, follow this sequence. First, exhaust the text and recitals. Second, compare language versions for interpretive clues. Third, pull the EUR-Lex procedure file (enter the procedure reference, e.g., 2021/0106/COD for the AI Act) to trace the provision through the legislative process. Fourth, read the Commission's explanatory memorandum attached to the original proposal. Fifth, check whether the provision was in the original proposal or added during parliamentary amendments or trilogues. Sixth, review the impact assessment. Seventh, check for post-adoption guidance from the Commission or relevant supervisory authority. Advocate General opinions on analogous provisions in related legislation can also provide useful interpretive guidance.

General-purpose AI tools like ChatGPT, Claude, and Gemini can help you understand legal concepts and build initial mental models. But they should never be your endpoint for legal research. Stanford's CodeX Center found that general-purpose LLMs fabricate legal citations 30-45% of the time. They present invented case names, article numbers, and regulatory references with complete confidence. Over 700 court cases now involve AI-generated hallucinations or fabricated content. For EU law specifically, the problem is worse because these models have less training data on European legislation than US case law. Use them for orientation. Never cite them without independent verification against primary sources.

An AI hallucination occurs when a language model generates information that sounds plausible but is factually wrong. In legal research, this typically means fabricated case citations, invented article numbers, incorrect statutory language, or misidentified case holdings. Stanford research found hallucination rates vary significantly: general-purpose models like ChatGPT hallucinate 30-45% of the time on legal queries, while specialised legal AI tools from Lexis and Westlaw produce errors in roughly 17-33% of responses. The most notorious example is Mata v. Avianca, where a lawyer submitted six completely fabricated cases generated by ChatGPT. Since then, courts have imposed escalating sanctions, with fines reaching $12,000 in a February 2026 patent case.

Citation-based AI means the system grounds every answer in a specific source passage and provides a direct link to that passage. Instead of generating a confident-sounding paragraph with no way to verify it, a citation-based system shows you exactly where the information comes from. You can click through to the original legislative text and see the highlighted passage in context. This matters for legal work because lawyers have a professional obligation to verify the authorities they rely on. A system that says "Article 35 of the AI Act requires X" and links you to the exact text of Article 35 is fundamentally different from one that says the same thing with no source attached. The first is a research tool. The second is a liability.

Always trace the claim back to the primary source. If the AI cites an article number, pull up that article on EUR-Lex and read it yourself. If it cites a case, search for it on Curia and confirm the holding matches what the AI said. If it cites a statistic, find the original report. Three specific checks: first, confirm the cited authority actually exists (fabricated citations are common). Second, confirm it says what the AI claims it says (mischaracterisation is even more common). Third, confirm it is still good law and has not been amended, overruled, or superseded. This verification process should be non-negotiable regardless of which AI tool you use.

Lawyers remain fully responsible for AI-generated outputs. Using AI does not change your duty of care. Courts have sanctioned lawyers for submitting fabricated AI citations, with penalties including fines, mandatory refiling at the lawyer's expense, public apologies on the record, and referrals to disciplinary committees. Some courts now require attorneys to disclose AI use in filings. The ABA Model Rules of Professional Conduct are being interpreted to include a duty of technological competence that covers understanding AI limitations. For law students, academic integrity violations involving undisclosed AI use can affect bar admission. The practical rule is simple: treat every AI output as a first draft that requires full human verification before relying on it professionally.

Venato covers EU and UK regulations, directives, and related legislative instruments. The platform includes the full text of each instrument with consolidated versions reflecting all amendments. Coverage is continuously expanding as new instruments are added. The focus is on the legislation that law students and junior lawyers work with most frequently, including major regulatory frameworks like the GDPR, EU AI Act, CSRD, and PPWR, alongside broader EU and UK legislative coverage. You can try three free searches on the homepage at venato.ai to see the current scope.

Venato uses real-time web scraping to detect legislative changes the moment they appear on official government portals and legal databases. There is no waiting for editorial teams to review and publish updates. When a regulation is amended, a new delegated act is adopted, or guidance is updated, the system picks it up immediately. This is a fundamental difference from legacy platforms like Westlaw and LexisNexis, which rely on editorial processes that introduce delays of days or weeks between a change being published and it appearing in their database.

EUR-Lex is the authoritative source for EU legislation, and it is free. But it is a document repository, not a research tool. Its search is keyword-based, cross-referencing between instruments is manual, and there is no AI assistance. General AI chatbots like ChatGPT can answer questions but fabricate legal citations 30-45% of the time, with no way to verify their outputs against primary sources. Venato sits between the two. It provides citation-based AI chat where every answer links directly to the exact passage in the source document. You get the research assistance of AI with the source verification of a primary legal database. The interface is built specifically for navigating EU and UK legislation, not repurposed from a US case law platform.

When you ask Venato a question, every statement in the response is backed by a numbered citation. Each citation links to the specific passage in the source legislative text. Click the citation number to see the exact paragraph or article highlighted in context. This means you can verify any claim in seconds rather than manually searching through lengthy legislative documents. The system is designed so that the original source is always one click away, which is critical for professional legal work where you need to confirm exactly what the law says before relying on it.

Venato offers Core plans for individual users starting at $19 per month (Light, 600 credits), $45 per month (Standard, 1,200 credits), and $99 per month (Plus, 3,000 credits). Pro plans for teams with unlimited users start at $249 per month. All plans include citation-based AI chat, database search, and real-time regulatory updates. Pro plans add project management, team collaboration, and regulatory change alerts. There is no annual lock-in required. You can also try Venato with a 14-day free trial with 1,000 credits, no credit card required.