EuroISPA Monthly Report – July/August 2025
July and August saw continued progress on the EU’s digital policy agenda despite the summer break. AI featured prominently, as the Commission finalised the General-Purpose AI code of practice, published the Guidelines on the scope of obligations for providers of GPAI under the AI Act, and launched a stakeholder consultation and call for expression of interest to support the development of guidelines and a code of practice on transparency obligations under the AI Act. Parliamentary debates and studies on generative AI, copyright, and AI liability continued to shape the political agenda.
There were significant developments on the child protection front, as the Danish presidency continued negotiations on the Child Sexual Abuse Regulation proposal. The Commission also published the Guidelines under Article 28 of the DSA on the protection of minors online, accompanied by an Age Verification Blueprint, and launched calls for tenders for studies on online risks for children and the alignment of national measures with the DSA, as well as a consultation on its cyberbullying strategy.
A political agreement on the EU-US trade deal was reached, with a Joint Statement confirming that there will be no network fees measures from the EU, and that the DSA and DMA were excluded from the negotiations. Its publication, however, was followed by threats of additional tariffs from President Trump towards countries adopting digital taxes or regulations harming US tech companies, drawing strong EU reactions.
The EuroISPA Secretariat is closely monitoring these developments and is currently gathering input for key consultations, including on Data Retention and the upcoming Digital Fairness Act. Relevant deadlines are listed in the “Recent and ongoing activities” section of this newsletter.
ONLINE CONTENT
Denmark publishes latest version of the CSAR compromise text
In its latest compromise text dated 24 July, to be discussed at the Council’s Law Enforcement Working Party on 12 September, the Danish Presidency maintains the core structure of its CSAR proposal from July 1st, notably preserving mandatory detection orders for high-risk services as the long-term solution, while extending the Temporary Regulation permitting voluntary detection for up to 72 months after the CSAR enters into force. It also maintains the same approach on encryption, prohibiting any requirement to decrypt or weaken encryption and introducing consent-based pre-transmission scanning as a condition for detection in encrypted environments. The latest text introduces a new requirement for providers to describe age-verification and age-assessment tools in their terms and conditions, while also mandating that details undermining their effectiveness not be disclosed (Article 4(4)).
Global Encryption Coalition warns CSAR compromise text threatens encryption
The Global Encryption Coalition (GEC) Steering Committee has issued a statement criticizing the Danish Presidency’s 1 July compromise text on the proposed EU Child Sexual Abuse Regulation (CSAR), warning it undermines end-to-end encryption. GEC argues that requiring service providers to scan for both known and unknown CSAM, including in encrypted environments, is ineffective, creates new vulnerabilities, and breaks the core principle of strong encryption that safeguards human rights. The coalition, which includes CDT Europe, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla, urges EU ministers to reject any form of mandated scanning, including client-side scanning, and to instead pursue measures that are technically sound, rights-respecting, and capable of effectively protecting children.
The European Parliament to push for new legislation to fight online piracy
On 16 July, the CULT committee adopted its own initiative report on the Role of EU policies in shaping the European Sport Model, coordinated by MEP Bogdan Zdrojewski (EPP, PL). Amendments calling the Commission for further legislation to combat piracy and for an extension of the KYBC provision were adopted. The finalised report is expected to be voted during one of the upcoming Plenary sessions.
The European Commission issued guidelines on protecting minors under Article 28 of the DSA
On July 14, the Commission published the guidelines clarifying Article 28(4) of the DSA, which sets out obligations for online platforms accessible to minors. According to the guidelines, platforms must implement proportionate measures to ensure high levels of privacy, safety, and security, including a ban on profiling-based advertising using minors’ data. The guidelines also mandate AI safeguards, user support tools, guardian controls, and transparent terms of service. While serving as a compliance reference for Article 28(1), they also emphasize alignment with the GDPR, AI Act, and BIK+ Strategy, with a review scheduled for December 2026. The guidelines were published alongside the Commission’s Age Verification Blueprint, which provides technical solutions to help platforms meet the DSA’s child protection requirements.
EU Commission adopts Delegated Act on Data Access under the DSA
On July 2 the Commission adopted a delegated act establishing harmonised rules and technical conditions for granting vetted researchers access to data from very large online platforms (VLOPs) and very large online search engines (VLOSEs), as required under the DSA. The aim of the delegated act is to facilitate research on systemic risks such as disinformation, algorithmic amplification, and online harms. It sets out which information should be published by platforms and Digital Services Coordinators (DSCs) to assist researchers in applying for access to data. Alongside the delegated act, the Commission also launched the DSA Data Access Portal, a central hub where researchers will find guidance, submit applications, and engage with platforms and regulators.
European Commission opens consultation on Digital Fairness Act
On 17 July, the European Commission launched the call for evidence to support an impact assessment on the upcoming Digital Fairness Act (DFA), open until 24 October. According to the text of the call for evidence, the DFA is expected in Q3 2026, may take the form of a Directive or Regulation, and will aim to address issues such as manipulative digital practices, addictive design (especially affecting minors), exploitative personalisation, and harmful influencer and pricing tactics. It will also seek to reduce legal fragmentation and compliance burdens for businesses across the EU. The impact assessment will explore strengthening consumer protection and trust online, with additional input to be gathered via surveys, stakeholder meetings, and public events, including the European Consumer Summit 2025.
Commission launches consultation and call for evidence on its Action Plan against Cyberbullying
On 22 July, the European Commission opened a public consultation and call for evidence to support the development of the Action Plan against Cyberbullying, running until 29 September 2025. The consultation invites input from stakeholders, including youth, educators, civil society, and online platforms, and is meant to complement other EU actions such as the Better Internet for Kids Strategy, age-verification solutions, and guidelines under the DSA. The call for evidence seeks input on definitions, national legislations and policies, and best practices related to cyberbullying.
Commission launches call for tenders for a study on the compatibility of national measures with DSA.
On 24 July 2025, the European Commission also launched a call for tenders for a study to assess how Member States have adapted their national legislation following the full application of the DSA. The study aims to map existing and upcoming legally binding national measures applicable to providers of online intermediary services and identify any overlaps or conflicts with the DSA that could lead to fragmentation of the Single Market.
European Commission issues call for tenders to study risks and harms to minors online
On 1 August 2025, the Commission launched a call for tenders to secure a support contract aimed at tracking the evolution of risks, harms, and benefits that children face on online platforms across the EU. This contract will provide comprehensive data and a monitoring framework to identify trends related to children’s online experiences, supporting enforcement and policy initiatives under the DSA, including the recent Guidelines on article 28(1). It will also gather insights into children’s perceptions and their needs from very large online platforms and search engines to enhance privacy, safety, and well-being online. The deadline to submit tenders is 15 September 2025.
European Commission seeks experts to join Network for the Prevention of Child Sexual Abuse
On 5 August the Commission launched a call for applications to join the newly established Network for the Prevention of Child Sexual Abuse, aimed at enhancing cooperation among Member States, researchers, practitioners, and stakeholders to support the implementation of EU policies and legislation on child sexual abuse and exploitation. The Network will focus on all aspects of prevention, including reducing risks of offending and of children becoming victims, promoting research, sharing best practices, and fostering international collaboration. The initiative is meant to deliver on a commitment under the EU Strategy for a more effective fight against child sexual abuse (2020-2025). The call is open to individual experts and organisations active in the field until 15 September.
DATA ECONOMY
EU court upholds EU-U.S. Data Privacy Framework despite legal challenge
On 3 September, the EU’s General Court rejected a case brought by French lawmaker Philippe Latombe (T-553/23 – Latombe v Commission), who challenged the European Commission’s July 2023 adequacy decision that found the US provided “essentially equivalent” protection for personal data under GDPR. Latombe argued that the EU-U.S. Data Privacy Framework fails to prevent bulk collection of Europeans’ data by U.S. intelligence services and that the Data Protection Review Court (DPRC) created to address EU privacy complaints lacks independence. The court found instead that safeguards are in place to ensure the DPRC’s independence and that U.S. intelligence activities are subject to its oversight, meeting the requirements set out in Schrems II. It also underlined that the European Commission must continue to monitor whether the U.S. legal framework changes. Latombe has two months and ten days to appeal the ruling to the Court of Justice, limited to points of law.
European Data Protection Board and European Data Supervisor support GDPR simplification and request clarifications
On 9 July, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion supporting proposed amendments to the GDPR aimed at reducing administrative burdens for smaller companies. They welcomed the extension of the record-keeping exemption (Article 30(5)) to organisations with fewer than 750 employees, provided the data processing does not pose a high risk to individuals’ rights and freedoms. However, they requested clarification on the choice of this threshold and recommended aligning it with newly introduced definitions of small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs). They also supported extending the scope of Articles 40(1) and 42(1), concerning codes of conduct and certification, to both SMEs and SMCs. In addition, they called for confirmation that public bodies are not covered by the proposed exemption. Both authorities emphasised that simplification must not come at the expense of fundamental rights.
LIBE Committee approves GDPR enforcement trialogue agreement
Following the provisional agreement reached by the European Parliament and the Polish Presidency of the Council on 16 June to clarify and speed up cross-border enforcement of the GDPR, the Parliament’s LIBE committee adopted the text on July 15, with the plenary vote expected in October.
European Commission publishes conclusions of Implementation Dialogue on Data Policy
The Commission published the conclusions of the 1 July 2025 Implementation Dialogue on Data Policy. According to the conclusions, stakeholders including SMEs and larger tech companies agreed on the need to improve data access to foster innovation and welcomed horizontal legislation like the Data Act to reduce legal complexity. They also highlighted key challenges including fragmented enforcement, overlapping regulations, and issues related to interoperability and quality of data, and suggested potential solutions such as support through regulatory guidance and sandboxes, especially for SMEs. The feedback from stakeholders will inform the upcoming Digital Package on simplification and the European Data Union Strategy (for which the public consultation closed on 20 July).
European Parliament study challenges Commission’s withdrawal of AI Liability Directive
The EP’s Policy Department for Justice, Civil Liberties and Institutional affairs, at the request of the JURI Committee, released another study on artificial intelligence and civil liability, strongly criticizing the European Commission’s decision to withdraw the AI Liability Directive (AILD). The study argues that the original AILD proposal may have been so flawed that no legislation would have been preferable but still calls for a revamped approach. It recommends either introducing strict liability for high-risk AI systems through a revised directive (Option 4) or establishing a fault-based rule limited to high-risk AI (Option 3), while also suggesting the possibility of adopting a regulation instead of a directive. The study also argues that the revised Product Liability Directive (PLD) fails to adequately address AI-related risks. In a related development, MEP Tiemo Wölken (S&D, Germany) announced on 22 July his intention to bring a case before the CJEU against the Commission over its withdrawal of the AILD, following allegedly unanswered access-to-document requests. In August, the Commission officially confirmed its withdrawal of the Directive.
Commission finalises GPAI code of practice and AI Act GPAI obligations come into force
On July 10, the Commission published the final version of the GPAI code of practice, organised into three chapters on transparency, copyright, and safety and security. The Commission and the AI Board officially endorsed the Code of Practice on August 1. On August 2, GPAI obligations under the AI Act came into force (Chapter 5, Article 78 on data confidentiality and enforcement of intellectual property rights) but the application of the rules will be gradual, with the Commission enforcing full compliance with fines as of 2 August 2026, and models placed on the market before 2 August 2025 required to comply by 2 August 2027.
Commission publishes Guidelines on the scope of obligations for providers of GPAI under the AI Act
In a related development, on July 18, the Commission also published the guidelines on the scope of obligations for providers of general-purpose AI models. The Guidelines on GPAI aim to clarify key concepts, such as the terms of ‘GPAI model’, ‘provider of a GPAI model’ and ‘placing on the market of a GPAI model’, and how to estimate the computational resources used for training a GPAI model.
Commission starts work on second Code of Practice on transparency obligations under AI Act
At the end of August, the Commission held a workshop with stakeholders to present the framework, objectives and future drafting process for a new code of practice on transparency obligations, as provided by Article 50 of the AI Act. The AI Act requires AI providers to have labelling solutions that meet certain requirements: effectiveness, interoperability, robustness and reliability. To inform the discussions, the Commission shared three studies carried out by independent experts on the labelling of AI-generated text, audio and audiovisual content, analysing metadata labelling, watermarking and digital fingerprinting. The studies are meant as starting points and do not predetermine the code’s content. The drafting process is expected to begin this autumn, with the code and accompanying guidelines scheduled to enter into force on 2 August 2026. In early September, the Commission launched a stakeholder consultation and call for expression of interest to support the development of the code and the accompanying guidelines (both with deadlines on October 2).
JURI Committee debated draft report on copyright and generative AI
On 15 July, the JURI Committee discussed Axel Voss’s (EPP, DE) draft report on copyright and generative AI. Several MEPs raised concerns about a centralised EUIPO register, suggesting alternatives such as opt-in systems, blockchain, or collective management. MEPs Farreng (Renew, FR) and Cormand (Greens, FR) called for full transparency of training data and a reversed burden of proof, but criticising the proposed 5-7% lump-sum remuneration. EPP and S&D warned of generative AI’s threat to press plurality and cultural sovereignty. Axel Voss also organised a stakeholder roundtable to discuss his report on September 1, ahead of the deadline for amendments which is set for September 12 at 11am.
CYBERSECURITY AND INFRASTRUCTURE
Network fees in the EU-US Framework Agreement
On August 21st, the EU and US issued the Joint Statement on the EU-US trade agreement, setting a 15% US tariff ceiling on most EU exports such as cars, pharmaceuticals, semiconductors. The statement follows the July 27 political agreement between Presidents von der Leyen and Trump, and suspends the EU’s recently adopted countermeasures. In paragraph 17, the statement indicates that the EU will not adopt or maintain network usage fees and that the US and the EU will not impose customs duties on electronic transmissions.
EU Alliance unveils roadmap to advance digital sovereignty through open-source cloud, edge & Internet of Things
On 8 July, the European Alliance for Industrial Data, Edge and Cloud released a thematic roadmap emphasizing how European open-source cloud, edge, and IoT technologies are essential to strengthening the EU’s digital sovereignty and global competitiveness. Titled “The Open-Source Way to EU Digital Sovereignty & Competitiveness”, the roadmap outlines how open-source solutions can improve security, cost-efficiency, innovation, flexibility, and sustainability. The Alliance also submitted recommendations on Common Trust Principles to the European Data Innovation Board, identifying gaps and calling for standardised, trustworthy frameworks for data sharing in cloud-edge ecosystems and data spaces.
Commission proposes to sign and ratify the UN Convention against Cybercrime
The Commission proposed to sign and ratify the United Nations Convention against Cybercrime, covering both substantive criminal law and judicial cooperation. For the first time, a global instrument will criminalise conduct related to child sexual abuse material, the grooming of children for sexual purposes, and the non-consensual dissemination of intimate images. The Convention also includes measures for international cooperation, including the extradition of suspects and the exchange of electronic evidence.
It is now for the Council to adopt the Decisions authorising the Commission, on behalf of the EU, to sign and, with the consent of the European Parliament, conclude the Convention. Member States will also have to sign and ratify the Convention, in accordance with their national procedures.
European Commission convenes High-Level Workshop on AI Compute Stack
On 7 July, the Commission held a high-level multistakeholder workshop in Brussels on the AI Compute Stack, referring to the full range of infrastructure involved in AI development, from advanced chips to complete AI system integration. Organised as a targeted consultation, the event brought together stakeholders including chip designers, cloud infrastructure providers, and AI model developers. The workshop launched a discussion on strengthening Europe’s role in the AI compute landscape, where complex AI models require more integrated and sovereign technical solutions. Participants discussed current trends in AI hardware, systems, and models, shared insights on compute needs, and explored collaboration opportunities. The initiative aims to reduce external dependencies and contribute to Europe’s strategic autonomy in AI infrastructure.
ENISA to operate the EU Cybersecurity Reserve
The Commission and ENISA signed an agreement for the administration of the EU Cybersecurity Reserve of €36 million under the Cyber Solidarity Act. The Cybersecurity Reserve is designed to enhance the Union’s capacity to respond to and recover from major cyber incidents providing access to incident response services delivered by vetted providers. The Reserve will be available to entities operating in sectors deemed critical or highly critical under the NIS2 Directive, including areas such as healthcare and energy.
MISCELLANEOUS
EU-US trade agreement Joint Statement confirms DSA/DMA excluded from talks
As mentioned above, the EU and US issued a Joint Statement on the EU-US trade agreement on 21 August. Interestingly, the Commission also confirmed that the DSA and DMA, were excluded from the EU-US trade talks but did not rule out their inclusion in future discussions. The publication of the Joint Statement was followed by threats of additional tariffs from President Trump towards countries adopting “digital taxes, legislation, rules or regulations” harming US tech companies, eliciting strong responses from European officials, including Prosperity and Industrial Strategy Commissioner Stéphane Séjourné, and Commissioner for Tech Sovereignty, Security, and Democracy Henna Virkunnen.
EPP pushes for a “light” version of the GDPR for SMEs, stricter online ad rules, and digital sovereignty According to a document seen by Mlex, The European People’s Party (EPP), the EU’s largest political group, is preparing a position paper urging the European Commission to introduce a “light” version of the GDPR for small and medium-sized enterprises to ease compliance burdens, while also calling for tougher restrictions on online advertising. It also supports modernizing GDPR enforcement and addressing fragmented interpretations across member states. The draft highlights priorities including stronger protections for minors, greater transparency and accountability in algorithms, and reinforcing Europe’s digital sovereignty. The paper stresses that these political objectives should be adopted swiftly through coordinated action within the group and across EU institutions, with a dedicated EPP team to lead the initiative.
Franco-German agenda to boost cutting-edge tech, sovereignty and simplification
At their 25th Council of Ministers, France and Germany launched an agenda to strengthen Europe’s technological sovereignty and competitiveness. They pledged deeper cooperation on cutting-edge technologies such as AI, quantum, cloud and space, with joint initiatives on generative AI models (IPCEI-AI), high-performance computing, and a quantum computing ecosystem. Both sides committed to reinforcing digital sovereignty through a high-level summit on November 18, and to presenting joint positions on AI, cyber and data regulation, including proposals to simplify the EU’s legal framework. They also stressed the need to reduce bureaucracy across the Single Market, backing the Commission’s simplification packages and urging a “new legislative mindset” to ease regulatory burdens for SMEs and scale-ups. Following this approach, they are pushing to ease GDPR obligations through the omnibus simplification package, seeking to go beyond the Commission’s proposal to raise the employee threshold under which companies are exempt from keeping GDPR records, by adopting a more general risk-based approach that reduces reporting requirements for SMEs without undermining the regulation’s effectiveness.
Austria presents digital sovereignty charter proposals
Austria circulated a paper to Member States titled “Shaping Digital Sovereignty – Cornerstones for a Common Charter”. The paper highlights risks ranging from geopolitical tensions, cyberattacks, disinformation, and Europe’s dependence on non-European tech firms, which are amplified by rapid AI developments. Austria calls for a European strategy based on independence, innovation, data protection, and values, aligned with the Digital Decade 2030 goals. Proposals in the paper include a pan-European stocktaking exercise to identify best practices and hidden champions, stronger cooperation on joint open-source solutions, and promotion of open-source in public procurement. The paper also stresses the need to expand data sovereignty as a “strategic resource,” strengthen intra-EU cooperation on data protection, and invest in digital skills to retain top talent. Austria will ask EU Member States to share their goals and recommended actions to bolster Europe’s digital sovereignty in a dedicated dialogue during the TELECOM WP meeting of 12 September.
Danish Presidency outlined digital priorities in the Parliament’s JURI, IMCO, CULT and ITRE Committees
The Danish Presidency outlined its digital priorities across Parliament committees. Key digital priorities include simplifying the EU cyber legislation framework, updated copyright regulation to ensure fair remuneration or effective licensing in response to AI’s impact on the creative sector, and protecting minors online (including through the enforcement of the DSA, stronger age verification rules and action against addictive design). Digital Affairs Minister Caroline Stage Olsen also supported postponement of AI Act provisions to give small companies more time to comply.
