EuroISPA Monthly Report – October 2025
Institutional activity intensified in October, with negotiations progressing on many files.
The Danish presidency announced its intention to drop mandatory detection orders from its compromise text on the CSAM Regulation and continue negotiations on the basis of a permanent extension of the interim derogation permitting voluntary scanning. The Commission, Council and Parliament were also very active on the protection of children online, debating the way forward on age verification and a digital age of majority. The public consultation on the Digital Fairness Act closed on 24 October, with EuroISPA submitting its position.
Stakeholders continued to discuss key topics on the data economy front, including the implementation of the AI Act and the GDPR, as well as the ongoing impact assessment on data retention. On cyber and infrastructure, the Commission unveiled the Cloud Sovereignty Framework, and there are ongoing discussions in the Council on the common criteria for sovereign cloud services. The Cybersecurity Act Review and the Digital Networks Act proposals have been postponed until 20 January 2026.
Ahead of the publication of the upcoming Digital Omnibus Package, which is due on 19 November, leaked DG CNECT documents suggest the package will be divided into two separate proposals: one on data and cyber, and another on AI.
The EuroISPA Secretariat is closely monitoring these developments, with recent and ongoing EuroISPA activities listed in the corresponding section below. The Secretariat is also preparing EuroISPA’s third annual General Meeting, which will take place at our offices in Brussels on 17-18 November.
ONLINE CONTENT
Danish presidency dropping mandatory detection orders from CSAM Regulation compromise text
In a note shared with Member States on Thursday, 30 October, Denmark proposed dropping mandatory detection orders from its compromise text and permanently extending the interim derogation permitting voluntary scanning, which is currently expiring in April 2026. Under the revised approach, companies would still have to conduct risk assessments, with voluntary detection listed as a possible mitigation measure, while some components of the previous text would retained, notably the ability to issue blocking and removal orders, reporting obligations, and the creation of the EU Centre. Denmark also intends to include a review clause which would allow the Commission to reassess, in light of technological progress, whether mandatory detection orders could become necessary and feasible in the future. At the Coreper II meeting on 5 November, Member States gave their green light to continue negotiations on this basis, with the caveat that they hadn’t seen a full legal text yet. Denmark is expected to prepare a revised text ahead of discussions at the 12 November Law Enforcement Working Party.
EU debates continue on the protection of minors online and a digital age of majority
At EU level, the Commission is aiming to convene, by the end of the year, an expert panel assessing the best approach to a digital majority age at EU level, and said that its recommendations should be evidence-based. The European Council conclusions on 23 October also stressed the importance of a “digital age of majority for accessing social media, respecting national competences”. On the European Parliament side, the IMCO committee adopted its own-initiative report on the protection of minors on 16 October, calling for an EU-wide digital age limit of 16 for access to social media, below which parental consent would be required. The CULT committee is working on its own draft initiative report on the impact of social media for youth mental health, on which IMCO, LIBE and FEMM are preparing opinions.
Stakeholders and institutions continue working on piracy of live content
On 21 October, 35 rightsholders signed a letter urging EVP Virkkunen and Commissioner Micallef to legislate against live-content piracy, citing criminal threats, weak results from the 2023 Recommendation, and data suggesting that 81% of detected illegal streams weren’t suspended. They ask for legislative measures ensuring infringing content is taken down immediately and at least within 30 minutes, making live dynamic blocking which addresses mirror sites and successor domains available in Member States, and imposing KYBC policies on intermediaries (incl. platforms, hosts, VPNs, CDN and app stores). The letter also calls for enforcement of the DSA and calls on Digital Services Coordinators to award private bodies trusted flagger status when requested. The Commission is expected to release its assessment of the 2023 Recommendation no later than the 17th of November.
New compromise amendments (CAs) to JURI committee’s draft AI & Copyright own-initiative report
Following amendments published in September, Euractiv circulated a batch of leaked draft CAs to Axel Voss’s own-initiative report. In the CAs document, Axel Voss says this batch of CAs covers areas on which there is (in principle) a general agreement, and the CAs that will follow will be more specific. Of relevance for EuroISPA members, one of the CAs calls to push for full and mandatory transparency for a coherent licensing framework for the novel use of copyright-protected works, noting that trade secrets should not be invoked to prevent an AI model provider from offering full transparency. The same CA notes that the current opt-out system is impractical and may not cover all relevant acts of TDM, lacking necessary transparency.
Commission preliminarily finds TikTok and Meta in breach of DSA transparency obligations
On 24 October, the Commission issued preliminary findings on TikTok and Meta, finding them in breach of the obligation to grant researchers adequate access to public data under the DSA. The findings also conclude that Meta (both Facebook and Instagram) is breaching its obligations to provide users with simple mechanisms to notify illegal content (child sexual abuse material and terrorist content are given as examples), and to allow them to effectively challenge content moderation decisions.
Commission is not considering simplification of the DSA
At a press briefing after the informal meeting of EU telecom ministers on 10 October, Virkkunen stated that there is little bureaucracy to remove from the DSA. She underlined that the DSA already provides exemptions for SMEs and that its most stringent obligations apply only to VLOPs. The Commission instead plans to assess the DSA’s interaction with other EU legislative frameworks in November, which could lead to the withdrawal of the Platform-to-Business (P2B) Regulation and targeted amendments to other instruments, notably the AVMSD. According to her statement, moving forward, the Commission will consider how to address new technological developments like AI services through the DSA, although Virkkunen also noted that AI tools embedded in platforms are already covered by the DSA.
Commission launches investigations of platforms on the protection of minors under the DSA
The Commission launched its first investigative actions following the adoption of the DSA’s Guidelines on the protection of minors, requesting information from Snapchat, YouTube, Apple App Store, and Google Play about their age verification systems and content controls. The Commission also announced further measures on children protection: the European Board for Digital Services’ Working Group on the protection of minors has been asked to ensure DSA compliance by smaller online platforms, identifying those posing the greatest risks to children, and develop common tools to coordinate investigations and enforcement across the EU.
Commission publishes guidelines on political advertising transparency as Regulation takes effect
On 8 October, the Commission issued guidelines on the Regulation on the Transparency and Targeting of Political Advertising, which entered into force on 10 October, introducing new disclosure requirements for paid political ads, including information on targeting, costs, and links to elections or legislative processes.
DATA ECONOMY
Danish Presidency circulates questionnaires on data retention and access to data
The Danish Minister of Justice noted that laws regarding access to data are one of the top priorities for the Presidency of the Council of the EU. As part of these efforts, the Danish Presidency circulated two documents dated 17 September and 2 October. The first document invited Member States to provide written input to help the Commission shape a new legal framework on data retention. The second document outlines how the Council Standing Committee on Operational Cooperation on Internal Security (COSI) and the Coordinating Committee on Police and Judicial Cooperation (CATS) will monitor the implementation of the Roadmap for Lawful Access to Data.
Apply AI Strategy addresses AI adoption across EU industries
On 8 October, the Commission unveiled the Apply AI strategy, building on the AI Act and AI Continent Plan, to promote AI adoption and a “buy European” approach across the EU. The strategy outlines several measures of interest, including: on electronic communications (section 2.6), the creation of a European Telco AI Platform for collaborative AI stack development and the promotion of edge AI devices; and on cultural and creative industries (section 2.10), support for investment in European AI models for storytelling and the discoverability of European online content, as well as a study on the legal challenges of AI-generated content, particularly on copyright (expected Q1 2027, see Annex III). The strategy also mentions the preparation of guidelines on high-risk AI classification and guidelines on AI Act interplay with other EU laws (reportedly expected by Q3 2026).
Commission presentation to AI Board indicates a tight schedule for AI Act transparency guidelines
At the 24 October meeting of the AI Board, the Commission reportedly indicated to Member States that a first draft of the code of practice for AI transparency rules is due in December, a second in March (with comments in April and May), a final draft in June, and a Commission adequacy check for approval in July, ahead of the 2 Aug 2026 deadline. The Commission’s presentation also highlighted pressure from stakeholders to align the application date for the AI Act’s high-risk requirements with the availability of the related technical standards, and stakeholder concerns over readiness to comply with the AI Act’s transparency rules on labelling deepfakes and watermarking AI-generated content.
CEN/Cenelec suspends consensus process on AI standards
In the context of ongoing delays with the development of the AI-Act standards, European standardisation organisations CEN and Cenelec exceptionally suspended the usual consensus method for adoption and appointed a drafting group of “already active experts” to finalize the six least-advance standards.
McGrath simplification report suggests DG Just will examine targeted modifications to the GDPR
In the annex to his annual simplification report for 2025, Commissioner McGrath indicates that DG JUST will focus over the next twelve months on identifying “targeted modifications” to the GDPR. The Commission intends to rely on the main conclusions of the late-July implementation dialogue. The annex also says that DG JUST will work on simplification and reducing burdens through the 2030 Consumer Agenda, and through the simplification component of the DFA, following input from the digital fitness check and the DFA consultation.
Lawmakers approve Regulation on GDPR enforcement
The European Parliament has approved new procedural rules to accelerate and simplify the European Union’s most complex data protection investigations under the General Data Protection Regulation (GDPR).These rules are designed to streamline cross-border investigations into personal data breaches and, for the first time, set overall deadlines for handling such cases. The finalized text, agreed upon on 16 June, has already been endorsed by the Parliament’s civil liberties committee and EU ambassadors.
The law now awaits formal approval by EU member states, expected during a meeting of foreign and European affairs ministers on 17 November. Once officially adopted, the rules will come into force and take full effect 15 months after the date of adoption.
Commission sends questionnaire to DMA gatekeepers on data handling amid AI rollout
The Commission reportedly sent questionnaires to all DMA gatekeepers on compliance with the DMA’s ban on combining personal data across services without consent and on user reactions to opt-out/consent choices. The questionnaires ask when users are served with a prompt over data combination, how many consent and how many refuse, how often a user can defer making a choice, how a gatekeeper notifies users that some services might not work without consent, and how often those warnings are shown.
EDPB announces it will continue working on guidelines for “consent or pay” business models
At its 109th plenary meeting on 7–9 October, the European Data Protection Board decided to continue developing guidelines on consent-or-pay models. Data protection authorities reportedly remain divided, with some considering that the models should be banned, and most agreeing that publishers and platforms should be allowed to use them under defined conditions. The forthcoming guidelines, developed by a subgroup of national data protection authorities, are expected to clarify the criteria under which consent-or-pay models can comply with EU data protection law.
European Data Protection Supervisor guidelines on Generative Artificial Intelligence
The EDPS published its updated guidelines on the use of generative artificial intelligence and processing of personal data by EU institutions, bodies, offices and agencies. These updated guidelines offer clearer and more practical instructions for the responsible development and deployment of generative AI tools.
CYBERSECURITY AND INFRASTRUCTURE
Negative opinion delays Digital Networks Act proposal
On 22 October, the Regulatory Scrutiny Board (RSB) issued a negative opinion on the impact assessment for the upcoming Digital Networks Act (DNA), requiring a redraft within five working days which resulted in a postponement of the proposal. According to reports, the Digital Networks Act and the Cybersecurity Act Revision will be presented on 20 January. Discussions on the content of the DNA proposal have been challenging, particularly regarding copper switch-off and spectrum allocation. On network fees, the Commission is informally engaging with Parliament to seek amendments.
Commission prepares proposal to revise the Europol Regulation
The European Commission launched a public feedback period to support its review of the Europol Regulation, which is expected to be completed by the second quarter of 2026. The initiative aims to strengthen Europol’s ability to address growing cross-border criminal threats. The consultation, open until 15 January 2026, seeks input on expanding Europol’s mandate to cover emerging crimes such as hybrid threats and information manipulation, improving cooperation with EU and international partners, removing barriers to data sharing, and enhancing Europol’s technological and governance capacities to meet real-time operational needs.
Cloud Sovereignty framework paper
The Commission unveiled its Cloud Sovereignty Framework which will be integrated into the new Cloud III Dynamic Purchasing System (Cloud III DPS) procedure. The framework defines Sovereignty Objectives relevant for the provision of Cloud services requested in this procedure. They draw on European initiatives such as CIGREF’s Trusted Cloud Referential v2, Gaia-X policy rules and architecture, and the European Cybersecurity Certification Framework (ENISA, NIS2, DORA). In addition, they echo lessons from national cloud sovereignty strategies, as well as international practices in export controls, supply chain resilience, and security auditability. The result is a set of objectives that supplement security assurance requirements with sovereignty-specific safeguards defining clearly what sovereignty means.
Council calls for common criteria for sovereign cloud services
The TELECOM WP on 4 November called on the Commission to adopt “common criteria for sovereign cloud services” in response to the concerns about foreign countries accessing European citizens’ data via their surveillance agencies. The fourth compromise of the Council’s review of the EU’s Digital Decade policy framework now states that sovereign cloud criteria must address dependency risks, including the “extraterritorial effects” of US laws. The full text calls for common criteria to address market transparency and risks associated with dependencies, including extraterritorial effects of legislation adopted by third countries for highly critical use cases. The compromise will be voted on at Coreper I on 21 November, with EU telecommunication ministers expected to adopt the final text on 5 December.
European Telcos call on the Commission to take urgent action on digital connectivity
Leading European telecoms and tech companies expressed their concerns over the EU’s slow progress in implementing bold digital reforms, warning that Europe’s global competitiveness is at risk due to fragmented policies and underinvestment in digital infrastructure. They noted that only 2% of Europeans currently access 5G standalone networks, far behind the US and China, and argued that this gap threatens Europe’s industrial strength, innovation potential, and digital sovereignty. They called for ambitious measures through the DNA.
Commission signs the UN Convention against cybercrime
On 27 October, the Commission signed the UN Convention to step up the fight against Cybercrime on behalf of the EU. The Convention provides a framework for international cooperation, including extradition and electronic evidence exchange, while safeguarding fundamental rights such as privacy and data protection. Following the signature, the Council will discuss and decide on the conclusion of the Convention, which will also require the consent of the Parliament. Member States will sign and ratify the Convention in accordance with their national procedures. The Convention will enter into force once it is ratified by 40 parties.
CRA: Commission opens consultation on delegated act for reporting security incidents
On 16 October, the Commission launched a feedback period on the delegated act under the Cyber Resilience Act, outlining the terms and conditions under which a Member State’s designated CSIRT may delay the dissemination of vulnerability or incident notifications to other CSIRTS. The delegated act is expected to be adopted by 11 December, with reporting obligations under the CRA becoming applicable from 11 September 2026.
TIC Council warns about the delayed implementation of NIS2 Directive
The Testing, Inspection and Certification (TIC) Council has issued a call for urgent implementation of the NIS2 Directive, warning that delays in transposition by several Member States pose serious risks to Europe’s critical infrastructure. Addressing recent cyberattacks that disrupted airport operations, the Council notes the importance of robust cybersecurity frameworks and urges governments to designate competent authorities and adopt internationally recognized standards like ISO/IEC 27001. Early adopters such as Finland and Belgium are already leveraging certification to demonstrate compliance and enhance resilience.
MISCELLANEOUS
Leak of Commission Digital Omnibus proposals
According to two leaked documents from DG Connect, the Digital Omnibus will be composed of two separate proposals. The first proposal will introduce targeted amendments to the EU data rules and streamlining reporting obligations under cybersecurity legislation. The second proposal contains targeted amendments focused on the AI Act implementation, with some exemptions for both data and AI obligations applicable to small businesses. The Commission will officially present the Digital Omnibus on 19 November.
Leaked Cyprus Council Presidency draft work programme for the first half of 2026
News outlets published a leaked draft work programme (for January-June 2026) of the upcoming Cypriot presidency of the Council. Interestingly, the draft suggests that the protection of children online is of paramount importance and that Cyprus will aim to conclude negotiations on the CSAM Regulation before the expiry of the Interim Regulation in April 2026. On most other digital files, however, it appears to foresee no agreements. For example, Cyprus aims only to advance negotiations on the DNA and the revision of the Cybersecurity Act, and there is no target for the 19 November tech simplification omnibus beyond supporting efforts to simplify digital and data frameworks without deregulation. Law enforcement access to data is also slated for discussions.
Virkunnen simplification report indicates Digital fitness check to run until mid-2027
Virkkunen’s annual report on simplification and implementation says the digital acquis fitness check will run until mid-mandate, kicking off on 19 November alongside the digital simplification package; the process will examine digital laws beyond those in the first simplification omnibus (AI, data, cyber) and may lead to “potential additional simplification measures”; the report also confirms that the Commission will present on 19 November its first assessment of interactions between the DSA and other consumer-protection and product-safety laws.
Franco-German Tech Summit on digital sovereignty
France and Germany are organizing a summit on digital sovereignty taking place in Berlin on 18 November, where they will discuss Europe digital’s future. The agenda is now out, with the Executive Vice President of the European Commission Henna Virkkunen plans to present the long-awaited Digital omnibus during the morning. Other topics on the official programme include EUDI Wallet, Digital Commons as a Pillar of Digital Sovereignty, and the DMA.
The Netherlands circulates paper on simplification, touching on AI, data protection and cookies
The Dutch government circulated a document on simplification, emphasizing that EU digital law revisions should focus on legal clarity, coherence, and streamlined governance rather than extending deadlines. The paper also includes specific recommendations on AI and data protection simplification. On AI, it prioritizes simplifying the AI Act’s implementation over extending legal deadlines for high-risk requirements, proposing clearer definitions for critical infrastructure, flexible compliance options, and extended derogations for SMEs. On data protection, it advocates for more practical tools to ease compliance for smaller organizations, including the development of standardized lists of low-risk processing activities by supervisory authorities, greater use of codes of conduct, exemptions for cookies and similar technologies, and technical solutions such as centralized browser-level consent management.
German contribution to the Digital Omnibus
The German Federal Ministry for Digital Transformation presented a paper on the upcoming Digital Omnibus package calling for simplification measures, including on the Data Act, GDPR, e-Privacy Directive (e.g. including an additional exemption for cookies in art.5 (3)). The paper also outlines many specific recommendations on the AI Act, including emphasising on innovation-friendly implementation, avoiding double regulation and reducing market entry barriers, extending implementation deadlines, and providing clear definitions and harmonized standards.
ITRE publishes report on the interaction between AI act and other pieces of legislation
The European Parliament’s Industry, Research and Energy Committee (ITRE) published a study outlining how the AI Act relates to other crucial pieces of EU digital legislation, such as the GDPR, Data Act and Cyber Resilience Act. The document also provides reflections and suggestions for possible evolutions of digital legislation, keeping in mind that Europe can establish a competitive AI industry.
