EuroISPA Monthly Report – April 2025
Amid the ongoing uncertainty linked to the Trump tariffs, the EU is also facing internal turbulence driven by the numerous forthcoming strategies, communications, and omnibus packages, as well as the initial mandate-related deadlines that are fast approaching.
While new initiatives are beginning to take shape, several ongoing negotiations and developments continue to draw significant attention from industry stakeholders, political actors and member states’ representatives. These include the still-uncertain outcome of the negotiations on the CSA Regulation, the delays and developments surrounding the implementation of the AI Act, and the growing momentum around the upcoming evaluation of the Recommendation on combating online piracy of sports and other live events.
This continued engagement is reflected in the active collection of input by the Secretariat from EuroISPA members and the Board’s strong presence in various meetings. You can find all relevant deadlines for calls for input listed at the end of each corresponding update, as well as in the “Ongoing Activities” section at the end of the newsletter.
ONLINE CONTENT
Polish Presidency compromise text on the CSA Regulation
As reported in the previous edition of the monthly report, the Polish Presidency has been working on a new compromise text for the CSAR, dated 4th of April. As main takeaways from the draft text, we take note of the wording on ‘voluntary’ scanning orders for messaging services as well as on the safeguards around encryption, referencing that ‘the legislation should not be interpreted as prohibiting, weakening or circumventing end-to-end encryption’.
Member States appear divided in this new version of the compromise text, as some countries argue for stronger language on detection orders making it obligatory for messaging services, while others raise privacy concerns. In a recent document, Spain, Hungary, Ireland and Estonia claimed that the voluntary approach is ‘insufficient to provide security for minors’ and that it ‘represents a significant step backwards’. On the other side, Poland appears to remain firm in its position on voluntary scanning.
The Polish Presidency might not conclude the negotiations by the end of its term, meaning that the discussions will move on under the Danish Presidency (July-December 2025).
Panel on DSA during the EUIPO Conference on live event piracy
On 30 April, European Commission’s DG CNECT representative Maria Tubasa touched upon the interplay of the Recommendation of live events piracy and key-provisions of the DSA relevant to the topic in a dedicated panel. She noted that by November 2025 the Commission, within the exercise of the evaluation of the Recommendation, will also assess the impact of the DSA on the unauthorised transmissions of live events.
She reiterated that the European Commission’s work is guided by some enforcement priorities: protections of minors, consumers and electoral integrity.
At the same conference, two EuroISPA Board members, Alex de Joode (AMS-IX) and Dalia Coffetti (AIIP), participated as guest speakers to a panel on IPTV piracy, debating with other stakeholders challenges and existing solutions of this specific issue.
Work on DSA’s annual risk assessments resumes
Today, 7 May, the Commission is holding a day-long workshop on risk assessments under the Digital Services Act, directed to Very Large Online Platforms and Search Engines, and to which civil society, academia and national authorities are also expected to participate. The yearly risk assessments, required under Articles 34 and 35, are a key transparency pillar of the DSA and mandate VLOPs and VLOSEs to identify, assess, and mitigate systemic risks, like disinformation or minors’ protection, posed by their services.
As a reminder, the Commission has commissioned a study to be delivered to the Board of Digital Services Coordinators (the national authorities implementing the regulation) on the risk assessments.
Age verification controversy continues
In the wait of the (delayed) publication of European Commission’s guidelines on minors’ protection, controversy on age verification continues to spark debate in Europe. While everyone seems to agree on the need to implement age verification, it is not clear whose responsibility this should be: the app stores or the apps. The Meta-owned social media platform Instagram rolled out a campaign on 6 May to ask for EU regulation that would require age verification to happen on the App Store and not by the apps themselves. According to a Meta spokesperson talking to Politico, the campaign will run in Belgium, Denmark, France and Italy until the end of June.
The U.S. are also working on the issue. Utah’s App Store Accountability Act takes effect today, 7 May, allocating the responsibility to mobile app stores to verify ages. Similar bills have been introduced by Republicans in the U.S. Congress and Senate.
DATA ECONOMY
Axel Voss hosts first roundtable in view of INI report on AI & Copyright
On 6 May, German MEP from the EPP group Axel Voss held an online stakeholder roundtable to gather input on his upcoming own-initiative report on AI and Copyright. The MEP shared that a presentation of the EUIPO study on the Development of Generative AI from a Copyright Perspective will take place on 12 May (agenda), and that the presentation of the European Parliament’s study requested by JURI will happen sometime in June. Despite no official timeline, the draft report is foreseen by mid-July.
MEP Voss noted the need to strike a balance between AI developers and copyright holders and invited stakeholders to share their views on the preferred direction for the INI report. Among the issues to be tackled in the report, he suggested transparency, (unfitness of) TDM exception, opt-out standard, licensing, liability.
Given the high level of participation and the imbalance in representation, the MEP will organise another roundtable and has invited stakeholders to coordinate by “sector” in order to streamline their messages more effectively.
The EuroISPA Secretariat took part in the meeting and will provide more details to members during the Joint Committee Meeting planned for next week (15 May, 14:00-16:00).
Digital rights groups and scientists concerned about encryption in Internal Security Strategy
In a letter addressed to European Commission’s Executive Vice-President Henna Virkkunen, civil society organisations, academics and relevant experts raised concerns over the Commission’s recently published Internal Security Strategy “ProtectEU,” particularly regarding the foreseen framework for law enforcement access to encrypted data. The stakeholders argue that the proposed Technology Roadmap on encryption risks undermining fundamental rights and collective cybersecurity. In the letter, dated 5 May, they also point out that technologies like client-side scanning, presented as secure and privacy-preserving, are actually privacy invasive and increase security risks. The stakeholders requested a meeting with EVP Henna Virkkunen and offered to provide expert technical briefings to support the Commission’s objectives.
At national level, European governments argue that E2EE hampers law enforcement’s ability to combat serious crimes such as murder, drug trafficking, and child exploitation. The Danish Justice Minister and Europol warn that authorities are “fighting crime blindfolded.” National governments are also pursuing their own initiatives, with France, Spain, and the Nordics pushing legislation.
Commission outlines details on GDPR simplification plans in email to experts
In an email to an expert group at the end of April, the Commission’s DG JUST confirmed to its GDPR Multistakeholder Group that the simplification of GDPR will be part of a simplification package called the Fourth Omnibus, due to be published on 21 May.
According to the email, the Commission is planning to extend the scope of Article 30(5) to cover “mid-cap” companies with fewer than 500 employees and with a certain annual turnover, as well as organisations such as nonprofits with fewer than 500 employees. Other changes might affect Article 35 (impact assessments) and Articles 40(1) and 42(1), relating to codes of conduct and certification mechanisms.
The EuroISPA Secretariat is currently collecting input from members by 13 May CoB on member’s case studies related to GDPR implementation challenges (especially for SMEs) with the aim to send them to the European Commission and elaborating an answer to any upcoming consultation on the topic.
European Data Union Strategy to streamline existing data legislation to support the AI development
According to an input note from the Commission on the upcoming Data Union Strategy, part of the AI Continent Action Plan recently published, the main priority will be to streamline the existing data legislation with the aim of fostering AI development. The four pillars to be addressed are: 1) Data availability, access and use, 2) Simplification with an evaluation of the Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive, 3) Administrative burden reduction and 4) International data flows.
On GDPR, the Commission will look for feedback on the balance between data protection and technological innovation; on ePrivacy, the Commission wants to understand if the framework should be adapted. The consultation is due to be launched in Q2 2025, and the strategy to be published in Q3 2025.
The input note also reports the intention of the Commission to come up with an “Internal Data Strategy,” to be presented alongside the Data Union Strategy expected for the second half of the year, focusing on “the fight against unjustified barriers to international data flows.”
General-purpose AI models to be the subject of guidelines, Code of Practice delayed
On 22 April, the Commission opened a public consultation in order to draft Guidelines for General-purpose AI models, to complement the Code of Practice. According to the working document, the Guidelines will focus on several key-concepts of the AIA including what is a ‘GPAI model’, who is the ‘provider’ and when is a downstream modifier a provider. They aim also at clarifying what constitutes a ‘placing on the market of a GPAI model, and when do the open-source exemptions apply as well as how to estimate the computational resources used to train or modify a model.
The consultation is open until 22 May and the new Guidelines are expected “in May or June 2025.” In an email sent by the Commission to stakeholders involved in the drafting of the Code of Practice, which had a publication deadline of 2 May, the executive said that the code “should be published before August”. The Commission has also announced that it wants to open a targeted consultation on the classification of high-risk AIs.
EDPB adopts guidelines on processing personal data through blockchain
Following the plenary in April, the EDPB adopted Guidelines on processing of personal data through blockchain technologies, relevant to support the secure handling and transfer of data with traceability. With the guidelines, the EDPB is assessing the different architectures and their implications for the processing of personal data and clarifies the roles and responsibilities of the different actors. With the publication of the guidelines, the Board opened a public consultation and sending feedback is possible until 9 June.
In addition, the EDPB also confirmed to closely cooperate with the AI Office on the drafting of the Guidelines on the interplay between the AI Act and the GDPR.
CYBERSECURITY & INFRASTRUCTURE
EU urged to address foreign ownership risks in subsea cable infrastructure
EU Member States have flagged a regulatory gap concerning the protection of submarine telecom cables from foreign ownership, according to feedback submitted to the European Commission. As part of broader efforts to bolster the cybersecurity of critical infrastructure, governments see tighter control over subsea cables as a necessary next step to safeguard European connectivity and digital sovereignty.
EU states push for sovereign cloud in key sectors
EU Member States are calling for prioritised deployment of sovereign cloud solutions in strategic sectors such as health, finance, and defence, according to a summary of expert discussions under the Polish Council Presidency dated 25 April. For “highly critical use cases,” cloud services should be EU-controlled and cybersecurity-certified. Member States also stress the need to avoid vendor lock-in for public entities. Key barriers to new data centre deployment include access to reliable, renewable, and affordable electricity. Proposals include mapping strategic locations for data centres and exploring innovation in water management, cooling systems, component recycling, and AI-assisted load balancing. Harmonising permitting rules at EU level is also suggested to speed up infrastructure deployment.
Bundeskartellamt reasserts need for strict merger control
Germany’s Bundeskartellamt backed a joint statement by six national competition authorities reaffirming the need for strict competition enforcement, even amid calls to ease merger rules to boost EU competitiveness — particularly in telecoms. While recognising that mergers can support company growth, the BKartA stressed the importance of assessing impacts on market competition across all sectors. The debate, reignited by a recent Financial Times article, shows telecoms firms continue to press for more lenient treatment, but authorities are holding firm.
The European Commission publishes outcome document of the conference on the governance of web.4.0
The Global Multistakeholder High-Level Conference on Governance for Web 4.0 and Virtual Worlds set forth critical principles to ensure an open, secure, and inclusive digital future. The document emphasizes the need for multistakeholder governance in managing transformative technologies such as AI, XR, IoT, and blockchain. Key policy goals include protecting human rights, privacy, and accessibility, while encouraging fair competition and preventing digital monopolies. Technically, it highlights the importance of maintaining a global, distributed internet architecture and evolving core protocols like IPv6 to meet increasing demands. The document stresses the urgency of adopting security standards such as RPKI to safeguard internet infrastructure and prevent fragmentation. Sustainability, interoperability, and privacy-by-design are also central tenets. The recommendations call for stronger global coordination, anticipatory governance via sandbox environments, and equitable participation, especially from underrepresented groups, to build a trustworthy, resilient Web 4.0.
European Single Market Strategy leak reveals plans to remove internal barriers and boosting services
According to a draft of the European Commission’s upcoming Single Market Strategy, planned to be released on 21 May, the institution asks EU governments to appoint dedicated officials to identify and address the problems and obstacles that prevent the EU’s single market from functioning smoothly.
“While the world is plunging into a period of economic uncertainty caused by trade tensions, our European market is a safe haven,” the draft document reads. It calls on EU governments to take joint ownership of the single market and make it a political priority by appointing officials, or “sherpas,” within national prime ministers’ or presidents’ offices “with authority towards all parts of the government.”
European Commission’s International Digital Strategy leaked
This new strategy, expected to be presented on 4 June, will lay out how the EU should work with other regions to protect its own assets and speed up innovation. The document suggests the EU to develop further cooperation with Japan on chips, quantum computing, AI safety and 6G, besides enhancing the international cooperation between digital regulators. On this in particular, the plan is to establish by 2030 two forums of digital regulators, hosted by the EU, on digital services and digital markets. The Strategy mentions the promotion of trusted digital networks and infrastructures as well as developing submarine and terrestrial cables. International coordination on cyber resilience, law enforcement and anti-money laundering efforts are also mentioned, together with continuing the protection of an inclusive multistakeholder approach to Internet Governance by opposing initiatives of state-controlled Internet architectures; here the upcoming editions of the IGF and WSIS+20 are mentioned as critical in proactively defending the general availability and integrity of the Internet.
MISCELLANEOUS
EuroStack report outlines next steps
“Buy European”, “Sell European”, “Fund European”: this is what the new report out today, 7 May, reiterates to European policymakers. Tech experts and economists behind the EuroStack initiative reinforce their asks to the EU to drastically reduce dependence on U.S. technology. In an open letter to the Commission accompanying the report, they suggest that “European governments and institutions spending public money should have an obligation to invest in Europe’s economic future,” besides reminding the urgency of the actions to be taken for this effort to be successful. The letter directly references ongoing and upcoming initiatives such as the European Commission’s plan for European digital strategic autonomy and the European Parliament’s own-initiative report on digital sovereignty.
Italy and the U.S. issue joint statement on “discriminatory” digital services taxes
On April 18, the two countries issued a joint statement opposing “discriminatory” taxes on digital services after Italian Prime Minister Giorgia Meloni met Trump in DC. This adds Italy to the list of EU countries dissenting from the threat to tax digital services if trade talks with the United States collapse.
The joint statement also mentions that “President Trump accepted Prime Minister Meloni’s invitation to pay an official visit to Italy in the very near future. There is also consideration to hold, on such occasion, a meeting between U.S. and Europe.”
Germany and Ireland have already been vocal against this potential digital services tax, while France has been favourable to this solution.
