The European Commission has presented a proposal for a Biotech Act aimed at boosting innovation in the field of biotechnology in Europe. At the same time, European data protection authorities have emphasized that this development must be carried out in accordance with the GDPR and strong data security standards.
If the bill is passed, it could have implications for businesses and organizations that handle health data, research data, and other sensitive personal information, in terms of compliance, governance, and cybersecurity.
Do you want to build a stronger safety culture within your organization?
Learn more about awareness training for employees.
What is the EU Biotech Act?
The European Commission has presented a proposal for a European Biotech Act, which aims to make it easier to develop and scale up biotechnology solutions in Europe.
The purpose is, among other things, to:
- strengthen Europe's competitiveness in biotechnology
- reduce regulatory barriers to innovation
- make it easier to conduct clinical trials and research
- promote the use of data and advanced technologies in the healthcare sector
However, precisely because biotechnology relies heavily on personal and health data, data protection authorities in the EU have also emphasized that such developments must take place within the framework of the GDPR and strong data protection measures.
Data protection will be a central part of the Biotech Act
In connection with the bill, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion.
The message is clear:
Innovation must not come at the expense of the protection of sensitive personal data.
If the Biotech Act is passed, organizations will therefore still need to ensure:
- clear legal basis for the processing of personal data
- clear division of responsibilities among data controllers
- robust technical and organizational security measures
- transparency in the use of data in research and development
In practice, this means that data security and governance will become a central part of biotechnology innovation in the EU.
Calculate the cost of awareness and phishing training in just a few minutes
Handling health data requires a high level of cybersecurity
Biotechnology and health research often involve the handling of some of the most sensitive data:
- health information
- genetic data
- research data from clinical trials
- patient data
Under the GDPR, this information is classified as special categories of personal data, which imposes very strict security requirements.
Organizations that work with this data must therefore ensure, among other things:
Data minimization and pseudonymization
Personal data should be limited to what is necessary and pseudonymized whenever possible.
Control of access to data
Only employees with a clear need should have access to sensitive data.
Documented data management
Organizations must be able to document their purposes, legal basis for processing, and security measures.
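The three measures just listed (minimization and pseudonymization, access control limited to a clear need, and documented purpose and legal basis) can be illustrated in code. The following is an added Python example written for this page; it is not code from the article or from Secure First, and the field names, roles, legal-basis strings, sample patient record and the pseudonymization key are all constructed assumptions. The example goes slightly beyond the text by showing why a keyed pseudonym (HMAC) is used instead of a plain hash of a short identifier, which an attacker could otherwise reverse by enumerating possible values.

```python
import hmac
import hashlib
from typing import Any, Dict

# Constructed for this example: in production the key lives in a KMS/HSM,
# separate from the data, so that holding the research copy alone is not
# enough to re-identify anyone.
PSEUDONYM_KEY = b"example-pseudonymization-key-do-not-reuse"

# Assumed: the only fields the research purpose actually needs.
RESEARCH_FIELDS = {"age_band", "diagnosis_code", "trial_arm"}

# Assumed: direct identifiers that must never reach the research copy.
DIRECT_IDENTIFIERS = {"name", "national_id", "email", "address"}

# Assumed role model: each role sees only the fields it has a clear need for.
ROLE_PERMISSIONS = {
    "researcher": {"pseudonym", "age_band", "diagnosis_code", "trial_arm"},
    "dpo_auditor": {"pseudonym"},
}

# Constructed sample record, as it might sit in a clinical source system.
SAMPLE_PATIENT = {
    "name": "Example Person",
    "national_id": "010190-1234",
    "email": "example@example.invalid",
    "address": "1 Example Street",
    "age": 34,
    "diagnosis_code": "E11",
    "trial_arm": "B",
}


def pseudonym(national_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym: the same person always maps to the same
    token (so records can be linked within a study), but without the key the
    token cannot be turned back into the identifier. An unkeyed SHA-256 of a
    short national ID would be reversible by brute-forcing the ID space."""
    digest = hmac.new(key, national_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def age_band(age: int) -> str:
    """Generalize an exact age into a 10-year band (data minimization)."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimize_and_pseudonymize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Build the research copy: only needed fields, identifier replaced."""
    if "national_id" not in record:
        raise ValueError("record lacks the identifier needed for a pseudonym")
    out: Dict[str, Any] = {"pseudonym": pseudonym(record["national_id"])}
    if "age" in record:
        out["age_band"] = age_band(record["age"])
    for field in RESEARCH_FIELDS - {"age_band"}:
        if field in record:
            out[field] = record[field]
    # Defensive check: no direct identifier may leak into the research copy.
    leaked = DIRECT_IDENTIFIERS & out.keys()
    if leaked:
        raise RuntimeError(f"direct identifiers leaked: {sorted(leaked)}")
    return out


def view_for_role(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return only the fields the given role is permitted to see."""
    allowed = ROLE_PERMISSIONS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} has no access to this dataset")
    return {k: v for k, v in record.items() if k in allowed}


def processing_record(purpose: str, legal_basis: str) -> Dict[str, Any]:
    """A minimal documentation entry: what is processed, why, on what basis,
    and which security measures apply (strings are constructed examples)."""
    return {
        "purpose": purpose,
        "legal_basis": legal_basis,
        "fields_processed": sorted(RESEARCH_FIELDS | {"pseudonym"}),
        "security_measures": ["keyed pseudonymization", "role-based access"],
    }


if __name__ == "__main__":
    research_copy = minimize_and_pseudonymize(SAMPLE_PATIENT)
    print(research_copy)
    print(view_for_role(research_copy, "dpo_auditor"))
    print(processing_record("clinical trial analysis", "GDPR Art. 9(2)(j)"))
```

Note that the research copy is built from an allow-list of fields rather than by deleting known identifiers; a new identifying column added to the source system is then excluded by default instead of leaking until someone updates a deny-list.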
Do you want to improve your employees’ ability to spot phishing and social engineering?
See how Secure First can help with phishing simulation and training
Compliance, NIS2, and biotechnology
Biotechnology companies and research institutions are often part of critical value chains in the healthcare sector.
This means that many organizations are also affected by the NIS2 Directive, which imposes stricter cybersecurity requirements.
This includes, among other things:
- risk management
- security procedures
- incident management
- supplier and supply chain security
- employee awareness and training
When companies handle large amounts of sensitive data, security culture and employee awareness become a critical part of compliance.
Do you work with compliance and regulation in the EU?
See how Secure First can help with NIS2 compliance: