EuroISPA Monthly Report – November 2025

The institutional agenda is wrapping up before the end of the year, after a very busy month of November.

At the end of November, the Council adopted its position on the CSAM Regulation, dropping mandatory detection orders from the final text. Political trilogues started on 9 December, and technical meetings are expected to start on the week of 12 January, with the aim of having a second round of political trilogues by the end of February. The Commission is also expected to submit a proposal to extend the interim derogation to the ePrivacy Directive before its expiry on 3 April 2026, in order to give more breathing space to negotiators.

The Digital Omnibus package was published on 19 November, proposing amendments to existing legislation on data, cybersecurity and AI. The package consists of a proposed regulation to simplify cybersecurity incident reporting and data protection obligations, and another regulation on AI, with targeted amendments to the AI Act. Along with the package, the European Commission introduced a proposal for the European Business wallet and also the Data Union Strategy.

Stakeholders are also discussing key topics on the online content front, such as the AI & Copyright own-initiative report in the European Parliament, and two ongoing consultations concerning protocols for TDM rights and a call for evidence to support the upcoming review of the Audiovisual Media Services Directive.

The beginning of next year is expected to be particularly busy, marked by the review of the Cybersecurity Act on 14 January and the publication of the Digital Networks Act proposal on 20 January, as well as the CSAM Regulation trilogues.

The EuroISPA Secretariat is monitoring these developments, with recent and ongoing EuroISPA activities listed in the corresponding section below.

ONLINE CONTENT 

Council adopts position on CSAM Regulation and trilogues start 

At the end of November, the Council adopted its position on the CSAM Regulation, dropping mandatory detection orders from the final text, and introducing language in the recitals to indicate that nothing in the Regulation should be interpreted as mandating detection or “prohibiting, weakening or circumventing, requiring to disable, or making end-to-end encryption impossible”.  The first political trilogue between the co-legislators took place on 9 December, with technical negotiations reportedly set to begin on the week of 12 January, and a second political trilogue epxetcted by the end of February. A tense exchange of views between Commissioner Brunner and MEPs in the LIBE committee on 4 December indicated that discussions on core issues, including encryption, are likely to be contentious, but there were reports that the first political trilogue was constructive, and that the Commission will submit a proposal to extend the e-Privacy derogation which expires in early April 2026, to ensure that a legal gap is avoided. 

EP plenary adopts own initiative report on the protection of minors 

On 26 November, the EP plenary approved without amendments IMCO’s own-initiative report on the protection of minors online. The report’s key recommendations include calls for effective, privacy-preserving age-verification and for a harmonised EU-wide digital age limit of 16 for social media, below which parental consent would be required. Discussions on the topic of age verification and the protection of children online are continuing in the context of the CULT committee’s on own-initiative report on the impact of social media and the online environment on youth mental health. The expert panel announced by von der Leyen in her State of the European Union speech, which is meant to provide recommendations on the best approach at EU level on social media age limits, has still not been convened.  

European Commission publishes evaluation of its Recommendation on Piracy 

Last month, the European Commission published its awaited evaluation concluding that the recommendation has had limited effects on the prompt treatment of notices relating to live events. The report stresses the increasing number of notices being addressed to other intermediaries, such as CDNs and reverse proxies, which are not subject to the DSA rules on notices. 

On dynamic injunctions, the assessment revealed a mixed picture among Member States, even though the report notes that some countries are taking effective measures while providing safeguards against over-blocking.  

On the issue of overblocking, the Italian Piracy Shield and LaLiga/Telefonica cases are referenced and the complaints from users experiencing over-blocking have been reflected even though the Commission indicates that the available information suggests that the number of reported incidents related to the blocking of legitimate content appears to be very limited compared with the total number of dynamic injunctions. The Commission is nevertheless of the view that give more time to DSA implementation is needed. 

Commission opens targeted consultation on DSA Article 18 notifications 

The Commission launched a targeted consultation on how providers of hosting services (including cloud and online platforms) should notify law-enforcement or judicial authorities when they become aware of information indicating suspected criminal offences that threaten life or safety (e.g., incitement to terrorism, child sexual abuse/exploitation, human trafficking). Run via the European Board for Digital Services’ Working Group 7, the exercise seeks feedback on the functioning of the notification process and areas needing clarification, including which offences fall in scope. Stakeholders with relevant experience (DSCs, law-enforcement and judicial authorities, hosting providers, researchers, civil society, trusted flaggers and internet hotlines) are invited to submit input by 19 December 2025. 

European Commission publishes Digital Services Act evaluation report 

On 17 November, the Commission published its DSA evaluation report, focusing on the interaction of the DSA with other legislation. The report finds that the DSA largely complements other EU laws, while acknowledging a complex legal landscape and pledging to reflect this in upcoming discussions (incl. fitness check of digital acquis, AVMSD, DFA) in line with the EC better regulation and simplification agenda. It confirms the VLOPs/VLOSEs thresholds and core definitions are fit for purpose but notes future designation challenges where services bundle multiple functionalities. The report flags a number of instances where the DSA rules apply in parallel to other similarly crafted EU law provisions, giving raise to potential legal uncertainty or undue compliance burdens, for example regarding the transparency of terms and conditions and of the ranking parameters of recommender systems,  transparency reporting obligations, content moderation obligations, dark patterns and SMEs. 

European Board for Digital Services 16th meeting focuses on IP rights, systemic risks, and scams 

On 18 November 2025, the Board had its 16th regular meeting. According to the statement published after the meeting, it discussed tackling online intellectual-property infringements under the DSA, adopted its 13-month Annual Work Plan, and the first Article 35(2) report on prominent and recurrent systemic risks and related mitigation measures. It also launched a coordinated initiative against online scams and fraud, with authorities sharing intelligence and guidance, and the Commission preparing a pan-EU awareness campaign before year-end. The Board further submitted views on the Commission’s preliminary findings in ongoing DSA transparency investigations into TikTok, Facebook and Instagram, and discussed key elements of the Commission’s Article 91(1) DSA report on the interaction between the DSA and other EU laws.   

Publication of Digital Services Act annual report on systemic risks 

On 20 November 2025, the Commission and the Board of DSCs published the first annual report outlining prominent and recurrent risks on VLOPs and VLOSEs. It identifies systemic risks (including the spread of illegal content and threats to fundamental rights), highlights issues such as impacts on mental health and minors, generative AI’s effects on platforms, and IP challenges on marketplaces, and summarizes mitigation measures reported under the DSA (i.e., automated detection of emojis used to code illegal drug sales). Drawing on platforms’ risk assessments, audits, transparency reports, independent research and civil-society input, the report is meant to serve as a reference point for transparency and accountability and will expand over time as more data and best practices become available.  

Vote in Legal Affairs committee on AI & Copyright postponed 

Leaks of the ongoing negotiations in the European Parliament on the own-initiative report on AI & Copyright announce that finding an agreement on certain provisions (TDM applied to AI, EUIPO role, is taking more time than expected. The JURI Committee in fact postponed its vote to the end of January, which should give enough time to MEPs to find an agreement on the most controversial parts of the report. In addition, the European Commission launched on 1 December a consultation on protocols for TDM rights reserving under the AI Act and the GPAI Code of Practice (deadline on 9 January 2026).  The consultation invites stakeholders to express their views on TDM opt-out solutions and enquires their interest in participating in two follow-up workshops (Q1 2026). 

Commission seeks input for 2026 evaluation of the Audiovisual Media Services Directive 

On 24 November 2025, the Commission launched a call for evidence to assess the AVMSD’s effectiveness in a fast-changing media landscape and to gather views on possible updates. The evaluation will consider visibility and prominence of European media, a more level playing field between traditional and digital players, protections for viewers (especially minors) when viewing content online, and possible simplification of advertising rules. Inputs are invited from regulators, academia, broadcasters, VOD providers, video-sharing platforms, influencers, and advertisers. The consultation is open until 21 December and will feed into the 2026 evaluation of the AVMSD, which is part of the European Democracy Shield commitments. 

DATA ECONOMY 

Digital Omnibus on Data: Member States flag risks in GDPR/ePrivacy revisions 

A group of Member States criticised the European Commission’s proposal on the data strand of the Digital Omnibus, arguing that the proposed changes went beyond technical simplification, and that the revised definition of personal data could weaken rights safeguards, complicate data transfers, and strain supervisory authorities.  

On data-subject requests, Belgium, the Netherlands, Slovenia and Poland cautioned that tighter “abuse-of-rights” rules could ease rejections. Slovenia also warned that controllers might infer motives, and Germany questioned whether the changes would lead to more complaints to authorities.   

On the proposed ePrivacy and GDPR framework for device access, the Netherlands said it could incentivize the processing of personal data by companies just to benefit from GDPR exemptions. France queried how enforcement would be split between GDPR and ePrivacy, and Latvia also asked for a clear boundary between rules on data protection and communications confidentiality. Finland and Poland wanted more details on how default browser settings would work, and on consent withdrawal and media exemptions.   

On changes to the definition of personal data, Belgium and Slovenia warned “non-personal” labels could still allow re-identification. Germany asked how regulators were supposed to assess re-identification risks. Germany, Finland, the Netherlands and Austria questioned shifting tasks from national regulators/EDPB to the European Commission. Slovenia and Slovakia criticised the lack of a fundamental-rights impact assessment.  

Digital Omnibus on AI: Member States flag legal gaps and seek clarifications 

In their initial set of questions to the European Commission on its AI Omnibus proposal, Member States seek clarifications on AI literacy, the legal basis for processing sensitive data for developers of high-risk AI, centralization of enforcement, oversight gaps caused by removing a registration obligation, recognition of conformity assessment bodies, regulatory privileges, the legal value of codes of practice and the purpose of an EU-level sandbox. On the legal basis for processing personal data for high-risk AI, France noted that the suggested revision is not aligned with the related technical standard. The Netherlands was critical of the proposal in substance, arguing that it conflicts with fundamental rights. On centralized enforcement, Germany, the Netherlands and Poland asked the Commission to clarify how the new enforcement structure would be compatible with the requirement that high-risk AI systems in justice, law enforcement and migration control should be supervised by data protection authorities or an equivalently independent regulator. On the removal of the Commission’s power to adopt codes of practice via secondary regulation, Spain asks if this creates legal uncertainty and whether codes of practice are sufficient to ensure compliance.  

Digital Omnibus on AI: European Parliament committee allocation disputed 

According to reports in the press, IMCO and LIBE were initially slated to co-lead the AI strand of the Digital Omnibus, but ITRE and JURI have challenged that allocation and want a leading role. Committee coordinators were scheduled to confirm the committee responsibilities on 4 December. Because of the challenge, the decision is being escalated to the presidents of the EP’s political groups. All four committees have postponed appointing a lead MEP until their next file-assignment meetings (some only happening after the holidays), so substantive work on the AI Omnibus may not start before January. For the data strand of the Digital Omnibus, LIBE and ITRE are expected to lead, with JURI seeking at least an “opinion” role. Allocations can still be contested.  

CYBERSECURITY AND INFRASTRUCTURE 

Coalition of Member States against the Digital Networks Act proposal 

On 26 November, delegations from Austria, France, Germany, Hungary, Italy and Slovenia shared a non-paper on the Digital Networks Act, including their perspectives on the upcoming proposal. Member States stressed that national markets differ, and only a Directive ensures the right of flexibility and preserves sovereignty in areas like lawful interception. The delegations also mentioned that the spectrum should remain nationally managed to reflect market needs, avoiding unjustified centralization. They argued that ex-ante tools remain necessary during the copper-to-fiber transition and that the copper switch-off needs careful assessment to avoid distortions. Finally, they noted that BEREC and RSPG already work well with distinct roles and should not be merged or redesigned. As regards the next steps, the document underlines the importance of maintaining engagement with the Council, with priority preferably given to the Member States that co-signed the non-paper. 

Implementing Regulation Cyber Resilience Act 

The European Commission published an implementing regulation defining what “important” and “critical” products are under the Cyber Resilience Act. The list includes password managers, ID checking software, cybersecurity software, virtual private networks, operating systems, routers and others. 

ENISA provides a NIS2 requirement guidance report 

ENISA has published  a report provides technical guidance to support the implementation of the NIS2 Directive for several types of entities covered under NIS2.  ENISA’s guidance offers practical advice, examples of evidence, and mappings of security requirements to help companies implement the regulation. 

Commission calls on Member States to comply with the EU Cyberattacks Directive 

The Commission has launched enforcement steps against Estonia, Hungary, and Poland for failing to correctly implement the EU Directive on Attacks against Information Systems. The Directive obliges Member States to maintain strong national cybercrime laws, criminal sanctions for large-scale attacks, and 24/7 contact points for cross-border cooperation. The Commission has sent reasoned opinions to Estonia and Poland and a further notice to Hungary, giving them two months to address gaps related to illegal interception and misuse of tools, or risk escalation to the Court of Justice.   

Commission seeks participants for the NIS2 Forum on the deployment of internet technical standards 

The Commission has launched a new forum to develop a set of guidelines to inform relevant stakeholders and support compliance with network security measures laid out in the NIS2 Implementing Act. The main goal is to boost the deployment of standards and use of best practices in four areas, including: network layer communication protocols, e-mail security protocols, DNS security, and internet routing. The Forum is expected to start its work by early 2026 (with a tentative kick-off meeting planned for 21-22 January 2026) and publish its outputs within the timeframe of two years. Applications for participation are now open, with priority for submissions by 12 December 2025. 

Member States concerns on the single-entry point mechanism 

According to a document dated 28 November seen by MLex, EU member states are broadly sceptical of the Commission’s plan for a single-entry point for cyber-incident reporting, warning that a central EU platform run by ENISA could threaten national sovereignty, create security vulnerabilities, and clash with existing national reporting systems. Governments question whether the system might become a single point of failure, interfere with national threat-awareness processes, or complicate compliance across different EU laws. They also posed questions on the interoperability with national tools, data retention policies, encryption, storage, and language support, stressing that many countries have already invested heavily in their own reporting platforms and that SMEs might not be benefited by the introduction of this mechanism. Several warn that concentrating sensitive incident information at EU level could create major risks and ask how national control over security-relevant data and effective incident response will be preserved. 

Council and Parliament reach provisional deal on Payments Package 

Trilogues have been ongoing and a provisional political agreement was reached on 27 November. According to the press release online platforms would be liable to payment service providers that reimbursed customers if they were notified of fraudulent content and did not remove it. It is unclear to what extent the set of proposed measures affecting electronic communication services (mainly in the Parliament’s position) has been adopted in the final deal, as the text is not available yet. Next steps are technical work by co-legislators followed by formal adoption.  

MISCELLANEOUS

Commission seeking feedback for the 2030 Digital Decade targets and objectives 

The European Commission has launched a call for evidence to examine whether the Digital Decade objectives and targets for 2030 remained aligned with the current tech landscape. This reviewing exercise will assess the relevance of the current 2030 objectives and targets ensuring flexibility, effectiveness, and resilience as the EU navigates its digital future. The exercise will explore ways to further align policy with funding opportunities and evaluate how to improve engagement through channels for regions, cities, and local actors. The call for evidence is open for views until 23 December. 

The Council Conclusions on European Competitiveness in the Digital Decade  

The European Council has published its conclusions, stressing that the EU remains far away from meeting its 2030 targets, particularly in the areas of artificial intelligence, SME digitalization, and digital skills. The document highlights the importance of the Digital Decade Policy Programme in advancing Europe’s digital transformation, strengthening technological sovereignty, and enhancing competitiveness. The conclusions call for the strategic use of European funding programs to achieve these goals and identify several priority areas crucial for digital sovereignty, notably semiconductors, quantum technologies, cloud, artificial intelligence, cybersecurity, and connectivity.  The Ministers expressed interest in developing common criteria for cloud services to increase market transparency and reduce risks arising from strategic dependencies. The forthcoming Cloud and AI Development Act, expected in the first quarter of 2026, may provide an effective means of addressing this issue.