EuroISPA Monthly Report – September 2025

September marked the start of the EU’s legislative push ahead of year-end, with the goal of streamlining current obligations, and considering the introduction of new legislation.

Despite being one of the main priorities for its mandate, the Danish Presidency failed to secure enough support in the Council to reach an agreement on its Child Sexual Abuse Regulation proposal, mainly due to Germany’s concerns over non-targeted scanning.  

The Commission is also considering delaying the AI Act’s implementation for high-risk systems due to setbacks in developing the necessary technical standards. The attention is mounting on the upcoming Digital Omnibus Package too, expected in November.

The EuroISPA Secretariat is closely monitoring these developments and will respond to the public consultation on the Digital Fairness Act and provide input to the Commission on GDPR implementation challenges. Relevant deadlines are listed in “Recent and ongoing activities” section of this newsletter.

ONLINE CONTENT 

Stalemate persists on CSAM Regulation despite Danish presidency efforts

Despite intensive negotiations throughout September and October, the Danish Presidency has so far been unable to secure agreement on its compromise text for the CSAM Regulation, which it had hoped to table for a vote at the Justice and Home Affairs Council on 14 October. The proposal was examined by Member States at the Law Enforcement Working Party on 12 September and again during a key meeting of Permanent Representatives (Coreper II) on 8 October, where it became evident that Germany could not support the text, leaving no immediate prospect for agreement. While many Member States have expressed appreciation for the Presidency’s efforts – and are under pressure to reach an agreement before the expiry of the Interim Regulation permitting voluntary scanning in April 2026 – significant concerns persist regarding the overall proportionality of the proposed detection order scheme and its impact on encryption.  

Denmark finalises Jutland Declaration on protection of minors online

The Jutland Declaration on the protection of minors, prepared by the Danish Presidency, was signed by 25 Member States (all except Estonia and Belgium) at the informal meeting of telecommunications ministers on 10 October. It calls for measures to complement the DSA on children protection, including requiring privacy-preserving age verification and addressing addictive design practices, and supports Commission President von der Leyen’s initiative to establish an expert panel to examine a potential EU-level approach on a digital age of majority. Compared to latest draft, the final version has been softened to attract broader support: the reference to the Digital Fairness Act was removed from the paragraph on safeguarding minors online; the text now states it would be “difficult” rather than “impossible” to prevent minors from being targeted with adult-oriented content without proper age verification; and it calls to “address” rather than “ban” addictive and manipulative design practices.  

Further push from European Parliament and Commission to fight online piracy

On 7 October, the European Parliament adopted in Plenary its report on the Role of EU policies in shaping the European Sport Model, which includes amendments calling for further legislation to combat piracy and for an extension of the KYBC provision. The press release of the Parliament identifies online piracy as one of the challenges face by the European Sport Model. During the debate that preceded the vote, Commissioner Micallef also called for urgent action to combat piracy of live sport events to ensure financial sustainability of the sector. The Commission is preparing a new strategic vision for sport and is consulting on this matter. As a reminder, by 17 November 2025, the Commission will assess the effects of the Recommendation, taking due account of the data collected by the EUIPO Observatory.

IMCO discusses amendments to its own-initiative report on the protection of minors online and CULT adopts its opinion

During the IMCO session on 24 September, MEPs discussed amendments to the draft own-initiative report on the protection of minors online, ahead of the vote scheduled for 16 October. Rapporteur MEP Christel Schaldemose (S&D, DK) noted progress but highlighted ongoing disagreements, particularly on whether age verification and age assurance should be mandatory. The CULT committee also adopted its opinion on IMCO’s own-initiative report. In parallel, the CULT committee also adopted its draft own-initiative report on the impact of social media and the online environment on young people, for which the LIBE, IMCO and FEMM committees are also preparing their opinions.  

AI & Copyright European Parliament draft report receives first amendments

The JURI committee MEPs have submitted 370 amendments to Axel Voss’ own initiative report on Generative AI & Copyright. Among the most controversial points: remuneration, the role of the EUIPO and the irrebuttable presumption. MEP Voss also tabled additional amendments co-signed by EPP colleagues, including Amendment 110, which aims to clarify that the TDM exceptions (both Articles 3 and 4) “were originally not designed to address generative AI training and therefore are not applicable”. The work on compromise amendments is already ongoing, with a consideration of amendments taking place on 13 October; the vote in committee is expected at the beginning of December.

Von der Leyen backs Australia’s social media age ban, considers approach on EU digital majority age

Speaking at the “Protecting Children in the Digital Age” event in New York on 24 September, Commission President von der Leyen praised Australia’s minimum age law for social media, calling it a “world-first, and world-leading” step, echoing her remarks at the State of the European Union speech. She said the EU is closely watching Australia’s implementation and cited growing concerns over children’s exposure to addictive algorithms, cyberbullying, and online predators. She also highlighted the EU’s pilot for a cross-border age-verification system being tested in five Member States and reiterated plans to convene an expert panel to assess the best approach on a digital majority age for social media at EU level.  

Commission probes costs of compliance with the DSA

The Commission asked VLOPs and VLOSEs to report the financial burden of complying with the DSA. A six-page questionnaire was reportedly sent to the relevant companies on 19 September asking how much they spend on transparency reports and compliance measures, including on IT systems and service providers. Through the questionnaire, companies can also share a qualitative assessment of the practical measures and underlying legal concepts which they consider to be driving the costs. The information collected will feed into the DSA Evaluation report, which is expected on 17 November, and is set to review how the DSA interacts with other legislation, and address the threshold, designation and scope of VLOPs and VLOSEs.  

European Board for Digital Services holds meeting on child protection, political ad rules, and DSA enforcement

At its 15th meeting in Brussels on 23 September 2025, the EBDS emphasized the priority of protecting minors online, agreeing to strengthen enforcement of Article 28(1) of the DSA and to streamline cross-border cooperation. WG 6 was tasked with advancing implementation of the DSA Art.28 Guidelines on minors’ protection, alongside coordinated action targeting pornographic platforms and complementing Commission cases against VLOPs such as TikTok, Instagram, and Facebook. The Board also discussed the upcoming European Democracy Shield (EUDS) and its interplay with the DSA and the political advertising transparency rules, which took full effect on 10 October 2025 (and for which the Commission issued guidelines). The Board also reacted to recent allegations against the DSA, reaffirming its commitment to impartial and effective enforcement.  

Commission, Council and Parliament continue working on the European Democracy Shield (EUDS): According to its latest calendar, the Commission expects to present its communication on the EUDS on 12 November. In the meantime, the European Parliament held a debate on the EUDS in its 10 September plenary session, and an exchange of views with Commissioner McGrath in the EUDS Committee on 23 September. On the Council side, discussions continued on the draft Council conclusions for the EUDS, with Member States asked to submit final input by 8 October.  

DATA ECONOMY 

Council works on access to data for effective law enforcement resume

Council’s Law Enforcement Working Party is hosting a series of presentations by Europol, CEPOL, ECTEG on access to data for effective law enforcement to facilitate cross-border cooperation in digital forensics. Also in the Council, in Coreper II and other bodies are discussing the state of play on the access to data for effective law enforcement.  

Commission and Council assessing possible delay of AI Act implementation for high-risk systems due to technical standards delay

Speaking at Politico’s Competitive Europe Summit on 1 October, Lucilla Sioli (head of the Commission’s AI Office), said the Commission is “still assessing” a potential delay in AI Act implementation for high-risk systems, suggesting this would stem from the delayed development of related technical standards required for compliance. She clarified that “it’s not a matter of pausing the AI Act, but of if and when the standards will be ready”. In parallel, the Danish Presidency raised concerns that the delayed standardisation process poses an urgent challenge for implementing the obligations for high-risk AI systems. To address this, the Presidency proposed using the upcoming digital omnibus package, due on 19 November, and has requested Member States’ input on what measures the Commission should take. Nooshin Amirifar, team lead for ICT standardization at CEN-Cenelec, the organisation responsible for developing the standards, told Politico that some documents could be published and submitted for national-level public inquiry by late 2025 or early 2026.

EU Ombudsman investigates transparency of AI Act standards development

In a related development, a transparency complaint from NGO Corporate Europe Observatory prompted an investigation from the EU Ombudsman on the process for the development of standards under the AI Act. On 1 October, Commission spokesperson Thomas Regnier said the Commission can only review standards once they are drafted to decide whether to endorse them. He emphasised that the Commission works closely with EU standardization organisations CEN and Cenelec but does not interfere in their processes. The Ombudswoman’s inquiry follows concerns that the drafting process lacked transparency, including unpublished participant names and meeting minutes, and that the Commission failed to ensure a balanced representation of interests in the process.  

European Commission releases draft guidance for serious incidents

The European Commission recently released draft guidance and a reporting template for serious incidents under the EU AI Act. The provisions will become applicable starting in August 2026. The consultation process will be open until 7 November.  

EDPS recommends safeguards for EU–US framework on personal data sharing for border and immigration purposes

The European Data Protection Supervisor (EDPS) issued an opinion on the negotiating mandate for a proposed EU-US framework agreement on exchanging information for security screenings and identity verifications. The framework would allow individual Member States to sign bilateral agreements for data exchange from national systems. Since this agreement would be the first EU deal to involve large-scale sharing of personal data for border and immigration control, the EDPS stressed that processing should be strictly necessary and proportionate. The opinion recommendations include narrowing the scope of data sharing, establishing accountability mechanisms, ensuring transparency and information obligations for both authorities, and providing access to judicial redress.  

GDPR access requests can only be refused if abusive, Advocate General opinion says

Advocate General Maciej Szpunar issued an opinion on 18 September stating that companies may refuse a data access request under the GDPR only if the request can be shown to be abusive. According to the opinion, abuse may include situations where an individual deliberately consents to data use to trigger an access request and claim damages. The opinion notes that even a first request can be considered excessive in exceptional cases, and that repeated claims alone are not sufficient to justify refusal.  

Guidelines on the interplay between the DMA and GDPR

On 9 October 2025, the European Data Protection Board and the European Commission have endorsed the first joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). There is a an open consultation till 4 December 2025 to gather comments from the industry or any public organisation with the spirit of reflecting the coherent application of the DMA and the GDPR and to increase the legal certainty for gatekeepers, business users, beneficiaries and individuals.

EDPB opened consultation on guidelines clarifying interplay between DSA and GDPR

The European Data Protection Board (EDPB) adopted its Guidelines 3/2025 on the interaction between the DSA and GDPR and launched a public consultation with a deadline of 31 October 2025. The guidelines, adopted during the EDPB’s plenary session in September, aim to ensure coherent application of both frameworks, as several DSA provisions on notice-and-action systems, recommender systems, protection of minors, transparency and profiling-based advertising relate to the GDPR. 

CYBERSECURITY AND INFRASTRUCTURE 

EU telecom rules to be “simplified” under DNA, Commission official says

Thibaut Kleiner (Director for Policy, Strategy and Outreach at DG CNECT) announced at the Connected Futures event on 23 September that Orange, Telefónica, and Deutsche Telekom will benefit from a simplification of EU telecom regulations with the DNA. He said the intention of DNA is to unlock market potential, and support innovation. He also emphasised that the DNA would complement the EU’s Applied AI Strategy and broader “EuroStack” ambition for digital sovereignty and added that telecom is “not just about networks anymore”, but also about data centers, cloud infrastructure, and additional services built on top of that.  

The fair share debate and the DNA developments

The Digital Network Act remains unclear in the discussion of the fair share debated. The details of the dispute resolution mechanism demanded by operators as an alternative to the fair shares need to be concretised.  On 22 October, the Commission Regulatory Scrutiny Board should receive the impact assessment of the Digital Networks Act to approve it. The final presentation of the text is expected between the 10 and the 16 of December.

Call for evidence on the Digital Package on Simplification

On 16 of September, The European Commission published a  call for evidence  on the Digital Package on simplification. The initiative seeks to simplify cookies and tracking regulations under the ePrivacy Directive, reduce overlapping cybersecurity reporting, lower compliance costs under the European Digital Identity Framework, and ensure the AI Act is applied effectively with a focus on the needs of small mid-cap businesses. Moreover, the European Commission will continue evaluating the digital rules through the upcoming Digital Fitness Check. According to the latest European Commission Agenda, the digital package will be announced on 19 November, being composed of multiple files including the European Business Wallet, the Digital Omnibus and the CSA.  

Cybersecurity remains high on the agenda

In addition, the EC opened a called for tenders for supporting ENISA for the provision of the EU Cybersecurity Reserve services to Union Entities. Finally, in the Council, the Horizontal WP on cyber issues  discussed on 9 October the priorities for the EU Cybersecurity Reserve, the Cyber Hubs and their interoperability.  

Results of the Consultation for the future Cloud and AI Development Act

The results of the European Commission’s consultation for the future Cloud and AI Development Act (CAIDA) that closed in July were made public showing that most respondents would like to see faster approved building permits and a one stop-shop mechanism. The European Commission highlighted in a meeting to national experts that they have “consistently” cited barriers to expansion, lack of “common EU definition of sovereign cloud” and called for a broad support to finalise the long-pending EUCS cybersecurity certification. The Commission is expected to present in the regulation together with a recommendation for the cloud policy for public administrations and procurement in the first quarter of next year.

Poland calls for separate legal act for ENISA

On 2 October, the Polish Delegation in the Horizontal Working Party on Cyber Issues  shared a paper on the upcoming revision of the EU Cybersecurity Act, calling for the splitting the legislation that will redefine the mandate of ENISA from the other provisions which are set to be controversial as it will address the development of cybersecurity certification schemes. Poland suggests for certification schemes recurring to technical specifications from industrial bodies or from ENISA.  They also suggest a simpler evaluation solution than those based on Common Criteria should be considered more often, where appropriate responding to the demands of the industry, in particular vendors.

European Cloud Sovereignty Discussion

On September 30, Digital experts from the 27 Member States presented to the Commission and other Member States the need to create a European sovereign cloud. This presentation showcased the results of the outcome of the public consultation conducted before summer considering the future regulation to be presented in the first quarter of 2026. The results showed that there should be a “mechanism enabling the federation of cloud services within public administration”, “the creation of public procurement guidelines” and “broad support for the finalisation of the EUCS certification scheme for the cloud and its integration into the public procurement framework”. The EUCS will be revised in November with a view to extending its scope to non-technical risks. Germany stays the only major Member State pushing for non-discriminatory treatment of foreign providers, while Spain, France and the Netherlands supported the Commission’s direction.