Institutional activity intensified in October, with negotiations progressing on many files. 

The Danish presidency announced its intention to drop mandatory detection orders from its compromise text on the CSAM Regulation and continue negotiations on the basis of a permanent extension of the interim derogation permitting voluntary scanning. The Commission, Council and Parliament were also very active on the protection of children online, debating the way forward on age verification and a digital age of majority. The public consultation on the Digital Fairness Act closed on 24 October, with EuroISPA submitting its position.  

Stakeholders continued to discuss key topics on the data economy front, including the implementation of the AI Act and the GDPR, as well as the ongoing impact assessment on data retention. On cyber and infrastructure, the Commission unveiled the Cloud Sovereignty Framework, and there are ongoing discussions in the Council on the common criteria for sovereign cloud services. The Cybersecurity Act Review and the Digital Networks Act proposals have been postponed until 20 January 2026. 

Ahead of the publication of the upcoming Digital Omnibus Package, which is due on 19 November, leaked DG CNECT documents suggest the package will be divided into two separate proposals: one on data and cyber, and another on AI.  

The EuroISPA Secretariat is closely monitoring these developments, with recent and ongoing EuroISPA activities listed in the corresponding section below. The Secretariat is also preparing EuroISPA’s third annual General Meeting, which will take place at our offices in Brussels on 17-18 November.  

ONLINE CONTENT 

Danish presidency dropping mandatory detection orders from CSAM Regulation compromise text 

In a note shared with Member States on Thursday, 30 October, Denmark proposed dropping mandatory detection orders from its compromise text and permanently extending the interim derogation permitting voluntary scanning, which is currently expiring in April 2026. Under the revised approach, companies would still have to conduct risk assessments, with voluntary detection listed as a possible mitigation measure, while some components of the previous text would retained, notably the ability to issue blocking and removal orders, reporting obligations, and the creation of the EU Centre. Denmark also intends to include a review clause which would allow the Commission to reassess, in light of technological progress, whether mandatory detection orders could become necessary and feasible in the future. At the Coreper II meeting on 5 November, Member States gave their green light to continue negotiations on this basis, with the caveat that they hadn’t seen a full legal text yet. Denmark is expected to prepare a revised text ahead of discussions at the 12 November Law Enforcement Working Party.  

EU debates continue on the protection of minors online and a digital age of majority 

At EU level, the Commission is aiming to convene, by the end of the year, an expert panel assessing the best approach to a digital majority age at EU level, and said that its recommendations should be evidence-based. The European Council conclusions on 23 October also stressed the importance of a “digital age of majority for accessing social media, respecting national competences”. On the European Parliament side, the IMCO committee adopted its own-initiative report on the protection of minors on 16 October, calling for an EU-wide digital age limit of 16 for access to social media, below which parental consent would be required. The CULT committee is working on its own draft initiative report on the impact of social media for youth mental health, on which IMCO, LIBE and FEMM are preparing opinions.

Stakeholders and institutions continue working on piracy of live content 

On 21 October, 35 rightsholders signed a letter urging EVP Virkkunen and Commissioner Micallef to legislate against live-content piracy, citing criminal threats, weak results from the 2023 Recommendation, and data suggesting that 81% of detected illegal streams weren’t suspended. They ask for legislative measures ensuring infringing content is taken down immediately and at least within 30 minutes, making live dynamic blocking which addresses mirror sites and successor domains available in Member States, and imposing KYBC policies on intermediaries (incl. platforms, hosts, VPNs, CDN and app stores). The letter also calls for enforcement of the DSA and calls on Digital Services Coordinators to award private bodies trusted flagger status when requested. The Commission is expected to release its assessment of the 2023 Recommendation no later than the 17th of November. 

New compromise amendments (CAs) to JURI committee’s draft AI & Copyright own-initiative report 

Following amendments published in September, Euractiv circulated a batch of leaked draft CAs to Axel Voss’s own-initiative report. In the CAs document, Axel Voss says this batch of CAs covers areas on which there is (in principle) a general agreement, and the CAs that will follow will be more specific. Of relevance for EuroISPA members, one of the CAs calls to push for full and mandatory transparency for a coherent licensing framework for the novel use of copyright-protected works, noting that trade secrets should not be invoked to prevent an AI model provider from offering full transparency. The same CA notes that the current opt-out system is impractical and may not cover all relevant acts of TDM, lacking necessary transparency.  

Commission preliminarily finds TikTok and Meta in breach of DSA transparency obligations 

On 24 October, the Commission issued preliminary findings on TikTok and Meta, finding them in breach of the obligation to grant researchers adequate access to public data under the DSA. The findings also conclude that Meta (both Facebook and Instagram) is breaching its obligations to provide users with simple mechanisms to notify illegal content (child sexual abuse material and terrorist content are given as examples), and to allow them to effectively challenge content moderation decisions.  

Commission is not considering simplification of the DSA 

At a press briefing after the informal meeting of EU telecom ministers on 10 October, Virkkunen stated that there is little bureaucracy to remove from the DSA. She underlined that the DSA already provides exemptions for SMEs and that its most stringent obligations apply only to VLOPs. The Commission instead plans to assess the DSA’s interaction with other EU legislative frameworks in November, which could lead to the withdrawal of the Platform-to-Business (P2B) Regulation and targeted amendments to other instruments, notably the AVMSD. According to her statement, moving forward, the Commission will consider how to address new technological developments like AI services through the DSA, although Virkkunen also noted that AI tools embedded in platforms are already covered by the DSA.   

Commission launches investigations of platforms on the protection of minors under the DSA 

The Commission launched its first investigative actions following the adoption of the DSA’s Guidelines on the protection of minors, requesting information from Snapchat, YouTube, Apple App Store, and Google Play about their age verification systems and content controls. The Commission also announced further measures on children protection: the European Board for Digital Services’ Working Group on the protection of minors has been asked to ensure DSA compliance by smaller online platforms, identifying those posing the greatest risks to children, and develop common tools to coordinate investigations and enforcement across the EU.  

Commission publishes guidelines on political advertising transparency as Regulation takes effect  

On 8 October, the Commission issued guidelines on the Regulation on the Transparency and Targeting of Political Advertising, which entered into force on 10 October, introducing new disclosure requirements for paid political ads, including information on targeting, costs, and links to elections or legislative processes.  

DATA ECONOMY 

Danish Presidency circulates questionnaires on data retention and access to data 

The Danish Minister of Justice noted that laws regarding access to data are one of the top priorities for the Presidency of the Council of the EU. As part of these efforts, the Danish Presidency circulated two documents dated 17 September and 2 October. The first document invited Member States to provide written input to help the Commission shape a new legal framework on data retention. The second document outlines how the Council Standing Committee on Operational Cooperation on Internal Security (COSI) and the Coordinating Committee on Police and Judicial Cooperation (CATS) will monitor the implementation of the Roadmap for Lawful Access to Data. 

Apply AI Strategy addresses AI adoption across EU industries 

On 8 October, the Commission unveiled the Apply AI strategy, building on the AI Act and AI Continent Plan, to promote AI adoption and a “buy European” approach across the EU. The strategy outlines several measures of interest, including: on electronic communications (section 2.6), the creation of a European Telco AI Platform for collaborative AI stack development and the promotion of edge AI devices; and on cultural and creative industries (section 2.10), support for investment in European AI models for storytelling and the discoverability of European online content, as well as a study on the legal challenges of AI-generated content, particularly on copyright (expected Q1 2027, see Annex III). The strategy also mentions the preparation of guidelines on high-risk AI classification and guidelines on AI Act interplay with other EU laws (reportedly expected by Q3 2026).  

Commission presentation to AI Board indicates a tight schedule for AI Act transparency guidelines 

At the 24 October meeting of the AI Board, the Commission reportedly indicated to Member States that a first draft of the code of practice for AI transparency rules is due in December, a second in March (with comments in April and May), a final draft in June, and a Commission adequacy check for approval in July, ahead of the 2 Aug 2026 deadline. The Commission’s presentation also highlighted pressure from stakeholders to align the application date for the AI Act’s high-risk requirements with the availability of the related technical standards, and stakeholder concerns over readiness to comply with the AI Act’s transparency rules on labelling deepfakes and watermarking AI-generated content.  

CEN/Cenelec suspends consensus process on AI standards  

In the context of ongoing delays with the development of the AI-Act standards, European standardisation organisations CEN and Cenelec exceptionally suspended the usual consensus method for adoption and appointed a drafting group of “already active experts” to finalize the six least-advance standards.  

McGrath simplification report suggests DG Just will examine targeted modifications to the GDPR 

In the annex to his annual simplification report for 2025, Commissioner McGrath indicates that DG JUST will focus over the next twelve months on identifying “targeted modifications” to the GDPR. The Commission intends to rely on the main conclusions of the late-July implementation dialogue. The annex also says that DG JUST will work on simplification and reducing burdens through the 2030 Consumer Agenda, and through the simplification component of the DFA, following input from the digital fitness check and the DFA consultation.  

Lawmakers approve Regulation on GDPR enforcement 

The European Parliament has approved new procedural rules to accelerate and simplify the European Union’s most complex data protection investigations under the General Data Protection Regulation (GDPR).These rules are designed to streamline cross-border investigations into personal data breaches and, for the first time, set overall deadlines for handling such cases. The finalized text, agreed upon on 16 June, has already been endorsed by the Parliament’s civil liberties committee and EU ambassadors. 

The law now awaits formal approval by EU member states, expected during a meeting of foreign and European affairs ministers on 17 November. Once officially adopted, the rules will come into force and take full effect 15 months after the date of adoption. 

Commission sends questionnaire to DMA gatekeepers on data handling amid AI rollout 

The Commission reportedly sent questionnaires to all DMA gatekeepers on compliance with the DMA’s ban on combining personal data across services without consent and on user reactions to opt-out/consent choices. The questionnaires ask when users are served with a prompt over data combination, how many consent and how many refuse, how often a user can defer making a choice, how a gatekeeper notifies users that some services might not work without consent, and how often those warnings are shown.  

EDPB announces it will continue working on guidelines for “consent or pay” business models 

At its 109^th plenary meeting on 7–9 October, the European Data Protection Board decided to continue developing guidelines on consent-or-pay models. Data protection authorities reportedly remain divided, with some considering that the models should be banned, and most agreeing that publishers and platforms should be allowed to use them under defined conditions. The forthcoming guidelines, developed by a subgroup of national data protection authorities, are expected to clarify the criteria under which consent-or-pay models can comply with EU data protection law.  

European Data Protection Supervisor guidelines on Generative Artificial Intelligence 

The EDPS published its updated guidelines on the use of generative artificial intelligence and processing of personal data by EU institutions, bodies, offices and agencies. These updated guidelines offer clearer and more practical instructions for the responsible development and deployment of generative AI tools. 

CYBERSECURITY AND INFRASTRUCTURE 

Negative opinion delays Digital Networks Act proposal 

On 22 October, the Regulatory Scrutiny Board (RSB) issued a negative opinion on the impact assessment for the upcoming Digital Networks Act (DNA), requiring a redraft within five working days which resulted in a postponement of the proposal. According to reports, the Digital Networks Act and the Cybersecurity Act Revision will be presented on 20 January. Discussions on the content of the DNA proposal have been challenging, particularly regarding copper switch-off and spectrum allocation. On network fees, the Commission is informally engaging with Parliament to seek amendments.  

Commission prepares proposal to revise the Europol Regulation 

The European Commission launched a public feedback period to support its review of the Europol Regulation, which is expected to be completed by the second quarter of 2026. The initiative aims to strengthen Europol’s ability to address growing cross-border criminal threats. The consultation, open until 15 January 2026, seeks input on expanding Europol’s mandate to cover emerging crimes such as hybrid threats and information manipulation, improving cooperation with EU and international partners, removing barriers to data sharing, and enhancing Europol’s technological and governance capacities to meet real-time operational needs. 

Cloud Sovereignty framework paper 

The Commission unveiled its Cloud Sovereignty Framework which will be integrated into the new Cloud III Dynamic Purchasing System (Cloud III DPS) procedure. The framework defines Sovereignty Objectives relevant for the provision of Cloud services requested in this procedure. They draw on European initiatives such as CIGREF’s Trusted Cloud Referential v2, Gaia-X policy rules and architecture, and the European Cybersecurity Certification Framework (ENISA, NIS2, DORA). In addition, they echo lessons from national cloud sovereignty strategies, as well as international practices in export controls, supply chain resilience, and security auditability. The result is a set of objectives that supplement security assurance requirements with sovereignty-specific safeguards defining clearly what sovereignty means. 

Council calls for common criteria for sovereign cloud services 

The TELECOM WP on 4 November called on the Commission to adopt “common criteria for sovereign cloud services” in response to the concerns about foreign countries accessing European citizens’ data via their surveillance agencies. The fourth compromise of the Council’s review of the EU’s Digital Decade policy framework now states that sovereign cloud criteria must address dependency risks, including the “extraterritorial effects” of US laws. The full text calls for common criteria to address market transparency and risks associated with dependencies, including extraterritorial effects of legislation adopted by third countries for highly critical use cases. The compromise will be voted on at Coreper I on 21 November, with EU telecommunication ministers expected to adopt the final text on 5 December. 

European Telcos call on the Commission to take urgent action on digital connectivity  

Leading European telecoms and tech companies expressed their concerns over the EU’s slow progress in implementing bold digital reforms, warning that Europe’s global competitiveness is at risk due to fragmented policies and underinvestment in digital infrastructure. They noted that only 2% of Europeans currently access 5G standalone networks, far behind the US and China, and argued that this gap threatens Europe’s industrial strength, innovation potential, and digital sovereignty. They called for ambitious measures through the DNA.  

Commission signs the UN Convention against cybercrime 

On 27 October, the Commission signed the UN Convention to step up the fight against Cybercrime on behalf of the EU. The Convention provides a framework for international cooperation, including extradition and electronic evidence exchange, while safeguarding fundamental rights such as privacy and data protection. Following the signature, the Council will discuss and decide on the conclusion of the Convention, which will also require the consent of the Parliament. Member States will sign and ratify the Convention in accordance with their national procedures. The Convention will enter into force once it is ratified by 40 parties. 

CRA: Commission opens consultation on delegated act for reporting security incidents 

On 16 October, the Commission launched a feedback period on the delegated act under the Cyber Resilience Act, outlining the terms and conditions under which a Member State’s designated CSIRT may delay the dissemination of vulnerability or incident notifications to other CSIRTS. The delegated act is expected to be adopted by 11 December, with reporting obligations under the CRA becoming applicable from 11 September 2026. 

TIC Council warns about the delayed implementation of NIS2 Directive 

The Testing, Inspection and Certification (TIC) Council has issued a call for urgent implementation of the NIS2 Directive, warning that delays in transposition by several Member States pose serious risks to Europe’s critical infrastructure. Addressing recent cyberattacks that disrupted airport operations, the Council notes the importance of robust cybersecurity frameworks and urges governments to designate competent authorities and adopt internationally recognized standards like ISO/IEC 27001. Early adopters such as Finland and Belgium are already leveraging certification to demonstrate compliance and enhance resilience. 

MISCELLANEOUS

Leak of Commission Digital Omnibus proposals  

According to two leaked documents from DG Connect, the Digital Omnibus will be composed of two separate proposals. The first proposal will introduce targeted amendments to the EU data rules and streamlining reporting obligations under cybersecurity legislation. The second proposal contains targeted amendments focused on the AI Act implementation, with some exemptions for both data and AI obligations applicable to small businesses. The Commission will officially present the Digital Omnibus on 19 November. 

Leaked Cyprus Council Presidency draft work programme for the first half of 2026 

News outlets published a leaked draft work programme (for January-June 2026) of the upcoming Cypriot presidency of the Council. Interestingly, the draft suggests that the protection of children online is of paramount importance and that Cyprus will aim to conclude negotiations on the CSAM Regulation before the expiry of the Interim Regulation in April 2026. On most other digital files, however, it appears to foresee no agreements. For example, Cyprus aims only to advance negotiations on the DNA and the revision of the Cybersecurity Act, and there is no target for the 19 November tech simplification omnibus beyond supporting efforts to simplify digital and data frameworks without deregulation. Law enforcement access to data is also slated for discussions.   

Virkunnen simplification report indicates Digital fitness check to run until mid-2027 

Virkkunen’s annual report on simplification and implementation says the digital acquis fitness check will run until mid-mandate, kicking off on 19 November alongside the digital simplification package; the process will examine digital laws beyond those in the first simplification omnibus (AI, data, cyber) and may lead to “potential additional simplification measures”; the report also confirms that the Commission will present on 19 November its first assessment of interactions between the DSA and other consumer-protection and product-safety laws.  

Franco-German Tech Summit on digital sovereignty 

France and Germany are organizing a summit on digital sovereignty taking place in Berlin on 18 November, where they will discuss Europe digital’s future. The agenda is now out, with the Executive Vice President of the European Commission Henna Virkkunen plans to present the long-awaited Digital omnibus during the morning. Other topics on the official programme include EUDI Wallet, Digital Commons as a Pillar of Digital Sovereignty, and the DMA.  

The Netherlands circulates paper on simplification, touching on AI, data protection and cookies 

The Dutch government circulated a document on simplification, emphasizing that EU digital law revisions should focus on legal clarity, coherence, and streamlined governance rather than extending deadlines. The paper also includes specific recommendations on AI and data protection simplification. On AI, it prioritizes simplifying the AI Act’s implementation over extending legal deadlines for high-risk requirements, proposing clearer definitions for critical infrastructure, flexible compliance options, and extended derogations for SMEs. On data protection, it advocates for more practical tools to ease compliance for smaller organizations, including the development of standardized lists of low-risk processing activities by supervisory authorities, greater use of codes of conduct, exemptions for cookies and similar technologies, and technical solutions such as centralized browser-level consent management.   

German contribution to the Digital Omnibus  

The German Federal Ministry for Digital Transformation presented a paper on the upcoming Digital Omnibus package calling for simplification measures, including on the Data Act, GDPR, e-Privacy Directive (e.g.  including an additional exemption for cookies in art.5 (3)). The paper also outlines many specific recommendations on the AI Act, including emphasising on innovation-friendly implementation, avoiding double regulation and reducing market entry barriers, extending implementation deadlines, and providing clear definitions and harmonized standards. 

ITRE publishes report on the interaction between AI act and other pieces of legislation 

The European Parliament’s Industry, Research and Energy Committee (ITRE) published a study outlining how the AI Act relates to other crucial pieces of EU digital legislation, such as the GDPR, Data Act and Cyber Resilience Act. The document also provides reflections and suggestions for possible evolutions of digital legislation, keeping in mind that Europe can establish a competitive AI industry. 

 

July and August saw continued progress on the EU’s digital policy agenda despite the summer break.  AI featured prominently, as the Commission finalised the General-Purpose AI code of practice, published the Guidelines on the scope of obligations for providers of GPAI under the AI Act, and launched a stakeholder consultation and call for expression of interest to support the development of guidelines and a code of practice on transparency obligations under the AI Act. Parliamentary debates and studies on generative AI, copyright, and AI liability continued to shape the political agenda.  

There were significant developments on the child protection front, as the Danish presidency continued negotiations on the Child Sexual Abuse Regulation proposal. The Commission also published the Guidelines under Article 28 of the DSA on the protection of minors online, accompanied by an Age Verification Blueprint, and launched calls for tenders for studies on online risks for children and the alignment of national measures with the DSA, as well as a consultation on its cyberbullying strategy.  

A political agreement on the EU-US trade deal was reached, with a Joint Statement confirming that there will be no network fees measures from the EU, and that the DSA and DMA were excluded from the negotiations. Its publication, however, was followed by threats of additional tariffs from President Trump towards countries adopting digital taxes or regulations harming US tech companies, drawing strong EU reactions. 

The EuroISPA Secretariat is closely monitoring these developments and is currently gathering input for key consultations, including on Data Retention and the upcoming Digital Fairness Act. Relevant deadlines are listed in the “Recent and ongoing activities” section of this newsletter. 

ONLINE CONTENT 

Denmark publishes latest version of the CSAR compromise text 

In its latest compromise text dated 24 July, to be discussed at the Council’s Law Enforcement Working Party on 12 September, the Danish Presidency maintains the core structure of its CSAR proposal from July 1st, notably preserving mandatory detection orders for high-risk services as the long-term solution, while extending the Temporary Regulation permitting voluntary detection for up to 72 months after the CSAR enters into force. It also maintains the same approach on encryption, prohibiting any requirement to decrypt or weaken encryption and introducing consent-based pre-transmission scanning as a condition for detection in encrypted environments. The latest text introduces a new requirement for providers to describe age-verification and age-assessment tools in their terms and conditions, while also mandating that details undermining their effectiveness not be disclosed (Article 4(4)).  

Global Encryption Coalition warns CSAR compromise text threatens encryption  

The Global Encryption Coalition (GEC) Steering Committee has issued a statement criticizing the Danish Presidency’s 1 July compromise text on the proposed EU Child Sexual Abuse Regulation (CSAR), warning it undermines end-to-end encryption. GEC argues that requiring service providers to scan for both known and unknown CSAM, including in encrypted environments, is ineffective, creates new vulnerabilities, and breaks the core principle of strong encryption that safeguards human rights. The coalition, which includes CDT Europe, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla, urges EU ministers to reject any form of mandated scanning, including client-side scanning, and to instead pursue measures that are technically sound, rights-respecting, and capable of effectively protecting children. 

The European Parliament to push for new legislation to fight online piracy 

On 16 July, the CULT committee adopted its own initiative report on the Role of EU policies in shaping the European Sport Model, coordinated by MEP Bogdan Zdrojewski (EPP, PL). Amendments calling the Commission for further legislation to combat piracy and for an extension of the KYBC provision were adopted. The finalised report is expected to be voted during one of the upcoming Plenary sessions. 

The European Commission issued guidelines on protecting minors under Article 28 of the DSA 

On July 14, the Commission published the guidelines clarifying Article 28(4) of the DSA, which sets out obligations for online platforms accessible to minors. According to the guidelines, platforms must implement proportionate measures to ensure high levels of privacy, safety, and security, including a ban on profiling-based advertising using minors’ data. The guidelines also mandate AI safeguards, user support tools, guardian controls, and transparent terms of service. While serving as a compliance reference for Article 28(1), they also emphasize alignment with the GDPR, AI Act, and BIK+ Strategy, with a review scheduled for December 2026. The guidelines were published alongside the Commission’s Age Verification Blueprint, which provides technical solutions to help platforms meet the DSA’s child protection requirements. 

EU Commission adopts Delegated Act on Data Access under the DSA 

On July 2 the Commission adopted a delegated act establishing harmonised rules and technical conditions for granting vetted researchers access to data from very large online platforms (VLOPs) and very large online search engines (VLOSEs), as required under the DSA. The aim of the delegated act is to facilitate research on systemic risks such as disinformation, algorithmic amplification, and online harms. It sets out which information should be published by platforms and Digital Services Coordinators (DSCs) to assist researchers in applying for access to data. Alongside the delegated act, the Commission also launched the DSA Data Access Portal, a central hub where researchers will find guidance, submit applications, and engage with platforms and regulators.  

European Commission opens consultation on Digital Fairness Act 

On 17 July, the European Commission launched the call for evidence to support an impact assessment on the upcoming Digital Fairness Act (DFA), open until 24 October. According to the text of the call for evidence, the DFA is expected in Q3 2026, may take the form of a Directive or Regulation, and will aim to address issues such as manipulative digital practices, addictive design (especially affecting minors), exploitative personalisation, and harmful influencer and pricing tactics. It will also seek to reduce legal fragmentation and compliance burdens for businesses across the EU. The impact assessment will explore strengthening consumer protection and trust online, with additional input to be gathered via surveys, stakeholder meetings, and public events, including the European Consumer Summit 2025. 

Commission launches consultation and call for evidence on its Action Plan against Cyberbullying 

On 22 July, the European Commission opened a public consultation and call for evidence to support the development of the Action Plan against Cyberbullying, running until 29 September 2025. The consultation invites input from stakeholders, including youth, educators, civil society, and online platforms, and is meant to complement other EU actions such as the Better Internet for Kids Strategy, age-verification solutions, and guidelines under the DSA. The call for evidence seeks input on definitions, national legislations and policies, and best practices related to cyberbullying.  

Commission launches call for tenders for a study on the compatibility of national measures with DSA. 

On 24 July 2025, the European Commission also launched a call for tenders for a study to assess how Member States have adapted their national legislation following the full application of the DSA. The study aims to map existing and upcoming legally binding national measures applicable to providers of online intermediary services and identify any overlaps or conflicts with the DSA that could lead to fragmentation of the Single Market.  

European Commission issues call for tenders to study risks and harms to minors online 

On 1 August 2025, the Commission launched a call for tenders to secure a support contract aimed at tracking the evolution of risks, harms, and benefits that children face on online platforms across the EU. This contract will provide comprehensive data and a monitoring framework to identify trends related to children’s online experiences, supporting enforcement and policy initiatives under the DSA, including the recent Guidelines on article 28(1). It will also gather insights into children’s perceptions and their needs from very large online platforms and search engines to enhance privacy, safety, and well-being online. The deadline to submit tenders is 15 September 2025.  

European Commission seeks experts to join Network for the Prevention of Child Sexual Abuse 

On 5 August the Commission launched a call for applications to join the newly established Network for the Prevention of Child Sexual Abuse, aimed at enhancing cooperation among Member States, researchers, practitioners, and stakeholders to support the implementation of EU policies and legislation on child sexual abuse and exploitation. The Network will focus on all aspects of prevention, including reducing risks of offending and of children becoming victims, promoting research, sharing best practices, and fostering international collaboration. The initiative is meant to deliver on a commitment under the EU Strategy for a more effective fight against child sexual abuse (2020-2025). The call is open to individual experts and organisations active in the field until 15 September.  

DATA ECONOMY 

EU court upholds EU-U.S. Data Privacy Framework despite legal challenge 

On 3 September, the EU’s General Court rejected a case brought by French lawmaker Philippe Latombe (T-553/23 – Latombe v Commission), who challenged the European Commission’s July 2023 adequacy decision that found the US provided “essentially equivalent” protection for personal data under GDPR. Latombe argued that the EU-U.S. Data Privacy Framework fails to prevent bulk collection of Europeans’ data by U.S. intelligence services and that the Data Protection Review Court (DPRC) created to address EU privacy complaints lacks independence. The court found instead that safeguards are in place to ensure the DPRC’s independence and that U.S. intelligence activities are subject to its oversight, meeting the requirements set out in Schrems II. It also underlined that the European Commission must continue to monitor whether the U.S. legal framework changes. Latombe has two months and ten days to appeal the ruling to the Court of Justice, limited to points of law. 

European Data Protection Board and European Data Supervisor support GDPR simplification and request clarifications 

On 9 July, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion supporting proposed amendments to the GDPR aimed at reducing administrative burdens for smaller companies. They welcomed the extension of the record-keeping exemption (Article 30(5)) to organisations with fewer than 750 employees, provided the data processing does not pose a high risk to individuals’ rights and freedoms. However, they requested clarification on the choice of this threshold and recommended aligning it with newly introduced definitions of small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs). They also supported extending the scope of Articles 40(1) and 42(1), concerning codes of conduct and certification, to both SMEs and SMCs. In addition, they called for confirmation that public bodies are not covered by the proposed exemption. Both authorities emphasised that simplification must not come at the expense of fundamental rights.  

LIBE Committee approves GDPR enforcement trialogue agreement  

Following the provisional agreement reached by the European Parliament and the Polish Presidency of the Council on 16 June to clarify and speed up cross-border enforcement of the GDPR, the Parliament’s LIBE committee adopted the text on July 15, with the plenary vote expected in October. 

European Commission publishes conclusions of Implementation Dialogue on Data Policy 

The Commission published the conclusions of the 1 July 2025 Implementation Dialogue on Data Policy. According to the conclusions, stakeholders including SMEs and larger tech companies agreed on the need to improve data access to foster innovation and welcomed horizontal legislation like the Data Act to reduce legal complexity. They also highlighted key challenges including fragmented enforcement, overlapping regulations, and issues related to interoperability and quality of data, and suggested potential solutions such as support through regulatory guidance and sandboxes, especially for SMEs. The feedback from stakeholders will inform the upcoming Digital Package on simplification and the European Data Union Strategy (for which the public consultation closed on 20 July).  

European Parliament study challenges Commission’s withdrawal of AI Liability Directive 

The EP’s Policy Department for Justice, Civil Liberties and Institutional affairs, at the request of the JURI Committee, released another study on artificial intelligence and civil liability, strongly criticizing the European Commission’s decision to withdraw the AI Liability Directive (AILD). The study argues that the original AILD proposal may have been so flawed that no legislation would have been preferable but still calls for a revamped approach. It recommends either introducing strict liability for high-risk AI systems through a revised directive (Option 4) or establishing a fault-based rule limited to high-risk AI (Option 3), while also suggesting the possibility of adopting a regulation instead of a directive. The study also argues that the revised Product Liability Directive (PLD) fails to adequately address AI-related risks. In a related development, MEP Tiemo Wölken (S&D, Germany) announced on 22 July his intention to bring a case before the CJEU against the Commission over its withdrawal of the AILD, following allegedly unanswered access-to-document requests. In August, the Commission officially confirmed its withdrawal of the Directive. 

Commission finalises GPAI code of practice and AI Act GPAI obligations come into force 

On July 10, the Commission published the final version of the GPAI code of practice, organised into three chapters on transparency, copyright, and safety and security. The Commission and the AI Board officially endorsed the Code of Practice on August 1. On August 2, GPAI obligations under the AI Act came into force (Chapter 5, Article 78 on data confidentiality and enforcement of intellectual property rights) but the application of the rules will be gradual, with the Commission enforcing full compliance with fines as of 2 August 2026, and models placed on the market before 2 August 2025 required to comply by 2 August 2027. 

Commission publishes Guidelines on the scope of obligations for providers of GPAI under the AI Act  

In a related development, on July 18, the Commission also published the guidelines on the scope of obligations for providers of general-purpose AI models. The Guidelines on GPAI aim to clarify key concepts, such as the terms of ‘GPAI model’, ‘provider of a GPAI model’ and ‘placing on the market of a GPAI model’, and how to estimate the computational resources used for training a GPAI model. 

Commission starts work on second Code of Practice on transparency obligations under AI Act 

At the end of August, the Commission held a workshop with stakeholders to present the framework, objectives and future drafting process for a new code of practice on transparency obligations, as provided by Article 50 of the AI Act. The AI Act requires AI providers to have labelling solutions that meet certain requirements: effectiveness, interoperability, robustness and reliability. To inform the discussions, the Commission shared three studies carried out by independent experts on the labelling of AI-generated text, audio and audiovisual content, analysing metadata labelling, watermarking and digital fingerprinting. The studies are meant as starting points and do not predetermine the code’s content. The drafting process is expected to begin this autumn, with the code and accompanying guidelines scheduled to enter into force on 2 August 2026. In early September, the Commission launched a stakeholder consultation and call for expression of interest to support the development of the code and the accompanying guidelines (both with deadlines on October 2).  

JURI Committee debated draft report on copyright and generative AI  

On 15 July, the JURI Committee discussed Axel Voss’s (EPP, DE) draft report on copyright and generative AI. Several MEPs raised concerns about a centralised EUIPO register, suggesting alternatives such as opt-in systems, blockchain, or collective management. MEPs Farreng (Renew, FR) and Cormand (Greens, FR) called for full transparency of training data and a reversed burden of proof, but criticising the proposed 5-7% lump-sum remuneration. EPP and S&D warned of generative AI’s threat to press plurality and cultural sovereignty. Axel Voss also organised a stakeholder roundtable to discuss his report on September 1, ahead of the deadline for amendments which is set for September 12 at 11am.   

CYBERSECURITY AND INFRASTRUCTURE 

Network fees in the EU-US Framework Agreement 

On August 21st, the EU and US issued the Joint Statement on the EU-US trade agreement, setting a 15% US tariff ceiling on most EU exports such as cars, pharmaceuticals, semiconductors. The statement follows the July 27 political agreement between Presidents von der Leyen and Trump, and suspends the EU’s recently adopted countermeasures. In paragraph 17, the statement indicates that the EU will not adopt or maintain network usage fees and that the US and the EU will not impose customs duties on electronic transmissions. 

EU Alliance unveils roadmap to advance digital sovereignty through open-source cloud, edge & Internet of Things 

On 8 July, the European Alliance for Industrial Data, Edge and Cloud released a thematic roadmap emphasizing how European open-source cloud, edge, and IoT technologies are essential to strengthening the EU’s digital sovereignty and global competitiveness. Titled “The Open-Source Way to EU Digital Sovereignty & Competitiveness”, the roadmap outlines how open-source solutions can improve security, cost-efficiency, innovation, flexibility, and sustainability. The Alliance also submitted recommendations on Common Trust Principles to the European Data Innovation Board, identifying gaps and calling for standardised, trustworthy frameworks for data sharing in cloud-edge ecosystems and data spaces.  

Commission proposes to sign and ratify the UN Convention against Cybercrime 

The Commission proposed to sign and ratify the United Nations Convention against Cybercrime, covering both substantive criminal law and judicial cooperation. For the first time, a global instrument will criminalise conduct related to child sexual abuse material, the grooming of children for sexual purposes, and the non-consensual dissemination of intimate images. The Convention also includes measures for international cooperation, including the extradition of suspects and the exchange of electronic evidence.  

It is now for the Council to adopt the Decisions authorising the Commission, on behalf of the EU, to sign and, with the consent of the European Parliament, conclude the Convention. Member States will also have to sign and ratify the Convention, in accordance with their national procedures. 

European Commission convenes High-Level Workshop on AI Compute Stack 

On 7 July, the Commission held a high-level multistakeholder workshop in Brussels on the AI Compute Stack, referring to the full range of infrastructure involved in AI development, from advanced chips to complete AI system integration. Organised as a targeted consultation, the event brought together stakeholders including chip designers, cloud infrastructure providers, and AI model developers. The workshop launched a discussion on strengthening Europe’s role in the AI compute landscape, where complex AI models require more integrated and sovereign technical solutions. Participants discussed current trends in AI hardware, systems, and models, shared insights on compute needs, and explored collaboration opportunities. The initiative aims to reduce external dependencies and contribute to Europe’s strategic autonomy in AI infrastructure.  

ENISA to operate the EU Cybersecurity Reserve 

The Commission and ENISA signed an agreement for the administration of the EU Cybersecurity Reserve of €36 million under the Cyber Solidarity Act. The Cybersecurity Reserve is designed to enhance the Union’s capacity to respond to and recover from major cyber incidents providing access to incident response services delivered by vetted providers. The Reserve will be available to entities operating in sectors deemed critical or highly critical under the NIS2 Directive, including areas such as healthcare and energy. 

MISCELLANEOUS 

EU-US trade agreement Joint Statement confirms DSA/DMA excluded from talks 

As mentioned above, the EU and US issued a Joint Statement on the EU-US trade agreement on 21 August. Interestingly, the Commission also confirmed that the DSA and DMA, were excluded from the EU-US trade talks but did not rule out their inclusion in future discussions. The publication of the Joint Statement was followed by threats of additional tariffs from President Trump towards countries adopting “digital taxes, legislation, rules or regulations” harming US tech companies, eliciting strong responses from European officials, including Prosperity and Industrial Strategy Commissioner Stéphane Séjourné, and Commissioner for Tech Sovereignty, Security, and Democracy Henna Virkunnen. 

EPP pushes for a “light” version of the GDPR for SMEs, stricter online ad rules, and digital sovereignty According to a document seen by Mlex, The European People’s Party (EPP), the EU’s largest political group, is preparing a position paper urging the European Commission to introduce a “light” version of the GDPR for small and medium-sized enterprises to ease compliance burdens, while also calling for tougher restrictions on online advertising. It also supports modernizing GDPR enforcement and addressing fragmented interpretations across member states. The draft highlights priorities including stronger protections for minors, greater transparency and accountability in algorithms, and reinforcing Europe’s digital sovereignty.  The paper stresses that these political objectives should be adopted swiftly through coordinated action within the group and across EU institutions, with a dedicated EPP team to lead the initiative. 

Franco-German agenda to boost cutting-edge tech, sovereignty and simplification 

At their 25th Council of Ministers, France and Germany launched an agenda to strengthen Europe’s technological sovereignty and competitiveness. They pledged deeper cooperation on cutting-edge technologies such as AI, quantum, cloud and space, with joint initiatives on generative AI models (IPCEI-AI), high-performance computing, and a quantum computing ecosystem. Both sides committed to reinforcing digital sovereignty through a high-level summit on November 18, and to presenting joint positions on AI, cyber and data regulation, including proposals to simplify the EU’s legal framework. They also stressed the need to reduce bureaucracy across the Single Market, backing the Commission’s simplification packages and urging a “new legislative mindset” to ease regulatory burdens for SMEs and scale-ups. Following this approach, they are pushing to ease GDPR obligations through the omnibus simplification package, seeking to go beyond the Commission’s proposal to raise the employee threshold under which companies are exempt from keeping GDPR records, by adopting a more general risk-based approach that reduces reporting requirements for SMEs  without undermining the regulation’s effectiveness. 

Austria presents digital sovereignty charter proposals 

Austria circulated a paper to Member States titled “Shaping Digital Sovereignty – Cornerstones for a Common Charter”. The paper highlights risks ranging from geopolitical tensions, cyberattacks, disinformation, and Europe’s dependence on non-European tech firms, which are amplified by rapid AI developments. Austria calls for a European strategy based on independence, innovation, data protection, and values, aligned with the Digital Decade 2030 goals. Proposals in the paper include a pan-European stocktaking exercise to identify best practices and hidden champions, stronger cooperation on joint open-source solutions, and promotion of open-source in public procurement. The paper also stresses the need to expand data sovereignty as a “strategic resource,” strengthen intra-EU cooperation on data protection, and invest in digital skills to retain top talent. Austria will ask EU Member States to share their goals and recommended actions to bolster Europe’s digital sovereignty in a dedicated dialogue during the TELECOM WP meeting of 12 September.  

Danish Presidency outlined digital priorities in the Parliament’s JURI, IMCO, CULT and ITRE Committees 

The Danish Presidency outlined its digital priorities across Parliament committees. Key digital priorities include simplifying the EU cyber legislation framework, updated copyright regulation to ensure fair remuneration or effective licensing in response to AI’s impact on the creative sector, and protecting minors online (including through the enforcement of the DSA, stronger age verification rules and action against addictive design). Digital Affairs Minister Caroline Stage Olsen also supported postponement of AI Act provisions to give small companies more time to comply.  

Amid the ongoing uncertainty linked to the Trump tariffs, the EU is also facing internal turbulence driven by the numerous forthcoming strategies, communications, and omnibus packages, as well as the initial mandate-related deadlines that are fast approaching. 

While new initiatives are beginning to take shape, several ongoing negotiations and developments continue to draw significant attention from industry stakeholders, political actors and member states’ representatives. These include the still-uncertain outcome of the negotiations on the CSA Regulation, the delays and developments surrounding the implementation of the AI Act, and the growing momentum around the upcoming evaluation of the Recommendation on combating online piracy of sports and other live events. 

This continued engagement is reflected in the active collection of input by the Secretariat from EuroISPA members and the Board’s strong presence in various meetings. You can find all relevant deadlines for calls for input listed at the end of each corresponding update, as well as in the “Ongoing Activities” section at the end of the newsletter. 

ONLINE CONTENT 

Polish Presidency compromise text on the CSA Regulation 

As reported in the previous edition of the monthly report, the Polish Presidency has been working on a new compromise text for the CSAR, dated 4^th of April. As main takeaways from the draft text, we take note of the wording on ‘voluntary’ scanning orders for messaging services as well as on the safeguards around encryption, referencing that ‘the legislation should not be interpreted as prohibiting, weakening or circumventing end-to-end encryption’. 

Member States appear divided in this new version of the compromise text, as some countries argue for stronger language on detection orders making it obligatory for messaging services, while others raise privacy concerns. In a recent document, Spain, Hungary, Ireland and Estonia claimed that the voluntary approach is ‘insufficient to provide security for minors’ and that it ‘represents a significant step backwards’. On the other side, Poland appears to remain firm in its position on voluntary scanning. 

The Polish Presidency might not conclude the negotiations by the end of its term, meaning that the discussions will move on under the Danish Presidency (July-December 2025).

Panel on DSA during the EUIPO Conference on live event piracy 

On 30 April, European Commission’s DG CNECT representative Maria Tubasa touched upon the interplay of the Recommendation of live events piracy and key-provisions of the DSA relevant to the topic in a dedicated panel. She noted that by November 2025 the Commission, within the exercise of the evaluation of the Recommendation, will also assess the impact of the DSA on the unauthorised transmissions of live events. 

She reiterated that the European Commission’s work is guided by some enforcement priorities: protections of minors, consumers and electoral integrity. 

At the same conference, two EuroISPA Board members, Alex de Joode (AMS-IX) and Dalia Coffetti (AIIP), participated as guest speakers to a panel on IPTV piracy, debating with other stakeholders challenges and existing solutions of this specific issue. 

Work on DSA’s annual risk assessments resumes 

Today, 7 May, the Commission is holding a day-long workshop on risk assessments under the Digital Services Act, directed to Very Large Online Platforms and Search Engines, and to which civil society, academia and national authorities are also expected to participate. The yearly risk assessments, required under Articles 34 and 35, are a key transparency pillar of the DSA and mandate VLOPs and VLOSEs to identify, assess, and mitigate systemic risks, like disinformation or minors’ protection, posed by their services.  

As a reminder, the Commission has commissioned a study to be delivered to the Board of Digital Services Coordinators (the national authorities implementing the regulation) on the risk assessments.  

Age verification controversy continues 

In the wait of the (delayed) publication of European Commission’s guidelines on minors’ protection, controversy on age verification continues to spark debate in Europe. While everyone seems to agree on the need to implement age verification, it is not clear whose responsibility this should be: the app stores or the apps. The Meta-owned social media platform Instagram rolled out a campaign on 6 May to ask for EU regulation that would require age verification to happen on the App Store and not by the apps themselves. According to a Meta spokesperson talking to Politico, the campaign will run in Belgium, Denmark, France and Italy until the end of June.  

The U.S. are also working on the issue. Utah’s App Store Accountability Act takes effect today, 7 May, allocating the responsibility to mobile app stores to verify ages. Similar bills have been introduced by Republicans in the U.S. Congress and Senate.  

DATA ECONOMY 

Axel Voss hosts first roundtable in view of INI report on AI & Copyright 

On 6 May, German MEP from the EPP group Axel Voss held an online stakeholder roundtable to gather input on his upcoming own-initiative report on AI and Copyright. The MEP shared that a presentation of the EUIPO study on the Development of Generative AI from a Copyright Perspective will take place on 12 May (agenda), and that the presentation of the European Parliament’s study requested by JURI will happen sometime in June. Despite no official timeline, the draft report is foreseen by mid-July. 

MEP Voss noted the need to strike a balance between AI developers and copyright holders and invited stakeholders to share their views on the preferred direction for the INI report. Among the issues to be tackled in the report, he suggested transparency, (unfitness of) TDM exception, opt-out standard, licensing, liability. 

Given the high level of participation and the imbalance in representation, the MEP will organise another roundtable and has invited stakeholders to coordinate by “sector” in order to streamline their messages more effectively. 

The EuroISPA Secretariat took part in the meeting and will provide more details to members during the Joint Committee Meeting planned for next week (15 May, 14:00-16:00). 

Digital rights groups and scientists concerned about encryption in Internal Security Strategy 

In a letter addressed to European Commission’s Executive Vice-President Henna Virkkunen, civil society organisations, academics and relevant experts raised concerns over the Commission’s recently published Internal Security Strategy “ProtectEU,” particularly regarding the foreseen framework for law enforcement access to encrypted data. The stakeholders argue that the proposed Technology Roadmap on encryption risks undermining fundamental rights and collective cybersecurity. In the letter, dated 5 May, they also point out that technologies like client-side scanning, presented as secure and privacy-preserving, are actually privacy invasive and increase security risks. The stakeholders requested a meeting with EVP Henna Virkkunen and offered to provide expert technical briefings to support the Commission’s objectives. 

At national level, European governments argue that E2EE hampers law enforcement’s ability to combat serious crimes such as murder, drug trafficking, and child exploitation. The Danish Justice Minister and Europol warn that authorities are “fighting crime blindfolded.” National governments are also pursuing their own initiatives, with France, Spain, and the Nordics pushing legislation.  

Commission outlines details on GDPR simplification plans in email to experts 

In an email to an expert group at the end of April, the Commission’s DG JUST confirmed to its GDPR Multistakeholder Group that the simplification of GDPR will be part of a simplification package called the Fourth Omnibus, due to be published on 21 May. 

According to the email, the Commission is planning to extend the scope of Article 30(5) to cover “mid-cap” companies with fewer than 500 employees and with a certain annual turnover, as well as organisations such as nonprofits with fewer than 500 employees. Other changes might affect Article 35 (impact assessments) and Articles 40(1) and 42(1), relating to codes of conduct and certification mechanisms. 

The EuroISPA Secretariat is currently collecting input from members by 13 May CoB on member’s case studies related to GDPR implementation challenges (especially for SMEs) with the aim to send them to the European Commission and elaborating an answer to any upcoming consultation on the topic. 

European Data Union Strategy to streamline existing data legislation to support the AI development 

According to an input note from the Commission on the upcoming Data Union Strategy, part of the AI Continent Action Plan recently published, the main priority will be to streamline the existing data legislation with the aim of fostering AI development. The four pillars to be addressed are: 1) Data availability, access and use, 2) Simplification with an evaluation of the Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive, 3) Administrative burden reduction and 4) International data flows. 

On GDPR, the Commission will look for feedback on the balance between data protection and technological innovation; on ePrivacy, the Commission wants to understand if the framework should be adapted. The consultation is due to be launched in Q2 2025, and the strategy to be published in Q3 2025.  

The input note also reports the intention of the Commission to come up with an “Internal Data Strategy,” to be presented alongside the Data Union Strategy expected for the second half of the year, focusing on “the fight against unjustified barriers to international data flows.”  

General-purpose AI models to be the subject of guidelines, Code of Practice delayed 

On 22 April, the Commission opened a public consultation in order to draft Guidelines for General-purpose AI models, to complement the Code of Practice. According to the working document, the Guidelines will focus on several key-concepts of the AIA including what is a ‘GPAI model’, who is the ‘provider’ and when is a downstream modifier a provider. They aim also at clarifying what constitutes a ‘placing on the market of a GPAI model, and when do the open-source exemptions apply as well as how to estimate the computational resources used to train or modify a model. 

The consultation is open until 22 May and the new Guidelines are expected “in May or June 2025.” In an email sent by the Commission to stakeholders involved in the drafting of the Code of Practice, which had a publication deadline of 2 May, the executive said that the code “should be published before August”. The Commission has also announced that it wants to open a targeted consultation on the classification of high-risk AIs. 

EDPB adopts guidelines on processing personal data through blockchain 

Following the plenary in April, the EDPB adopted Guidelines on processing of personal data through blockchain technologies, relevant to support the secure handling and transfer of data with traceability. With the guidelines, the EDPB is assessing the different architectures and their implications for the processing of personal data and clarifies the roles and responsibilities of the different actors. With the publication of the guidelines, the Board opened a public consultation and sending feedback is possible until 9 June.  

In addition, the EDPB also confirmed to closely cooperate with the AI Office on the drafting of the Guidelines on the interplay between the AI Act and the GDPR.  

CYBERSECURITY & INFRASTRUCTURE 

EU urged to address foreign ownership risks in subsea cable infrastructure 

EU Member States have flagged a regulatory gap concerning the protection of submarine telecom cables from foreign ownership, according to feedback submitted to the European Commission. As part of broader efforts to bolster the cybersecurity of critical infrastructure, governments see tighter control over subsea cables as a necessary next step to safeguard European connectivity and digital sovereignty. 

 

EU states push for sovereign cloud in key sectors 

EU Member States are calling for prioritised deployment of sovereign cloud solutions in strategic sectors such as health, finance, and defence, according to a summary of expert discussions under the Polish Council Presidency dated 25 April. For “highly critical use cases,” cloud services should be EU-controlled and cybersecurity-certified. Member States also stress the need to avoid vendor lock-in for public entities. Key barriers to new data centre deployment include access to reliable, renewable, and affordable electricity. Proposals include mapping strategic locations for data centres and exploring innovation in water management, cooling systems, component recycling, and AI-assisted load balancing. Harmonising permitting rules at EU level is also suggested to speed up infrastructure deployment. 

Bundeskartellamt reasserts need for strict merger control 

Germany’s Bundeskartellamt backed a joint statement by six national competition authorities reaffirming the need for strict competition enforcement, even amid calls to ease merger rules to boost EU competitiveness — particularly in telecoms. While recognising that mergers can support company growth, the BKartA stressed the importance of assessing impacts on market competition across all sectors. The debate, reignited by a recent Financial Times article, shows telecoms firms continue to press for more lenient treatment, but authorities are holding firm. 

The European Commission publishes outcome document of the conference on the governance of web.4.0  

The Global Multistakeholder High-Level Conference on Governance for Web 4.0 and Virtual Worlds set forth critical principles to ensure an open, secure, and inclusive digital future. The document emphasizes the need for multistakeholder governance in managing transformative technologies such as AI, XR, IoT, and blockchain. Key policy goals include protecting human rights, privacy, and accessibility, while encouraging fair competition and preventing digital monopolies. Technically, it highlights the importance of maintaining a global, distributed internet architecture and evolving core protocols like IPv6 to meet increasing demands. The document stresses the urgency of adopting security standards such as RPKI to safeguard internet infrastructure and prevent fragmentation. Sustainability, interoperability, and privacy-by-design are also central tenets. The recommendations call for stronger global coordination, anticipatory governance via sandbox environments, and equitable participation, especially from underrepresented groups, to build a trustworthy, resilient Web 4.0. 

European Single Market Strategy leak reveals plans to remove internal barriers and boosting services  

According to a draft of the European Commission’s upcoming Single Market Strategy, planned to be released on 21 May, the institution asks EU governments to appoint dedicated officials to identify and address the problems and obstacles that prevent the EU’s single market from functioning smoothly. 

“While the world is plunging into a period of economic uncertainty caused by trade tensions, our European market is a safe haven,” the draft document reads. It calls on EU governments to take joint ownership of the single market and make it a political priority by appointing officials, or “sherpas,” within national prime ministers’ or presidents’ offices “with authority towards all parts of the government.” 

European Commission’s International Digital Strategy leaked 

This new strategy, expected to be presented on 4 June, will lay out how the EU should work with other regions to protect its own assets and speed up innovation. The document suggests the EU to develop further cooperation with Japan on chips, quantum computing, AI safety and 6G, besides enhancing the international cooperation between digital regulators. On this in particular, the plan is to establish by 2030 two forums of digital regulators, hosted by the EU, on digital services and digital markets. The Strategy mentions the promotion of trusted digital networks and infrastructures as well as developing submarine and terrestrial cables. International coordination on cyber resilience, law enforcement and anti-money laundering efforts are also mentioned, together with continuing the protection of an inclusive multistakeholder approach to Internet Governance by opposing initiatives of state-controlled Internet architectures; here the upcoming editions of the IGF and WSIS+20 are mentioned as critical in proactively defending the general availability and integrity of the Internet. 

MISCELLANEOUS 

EuroStack report outlines next steps 

“Buy European”, “Sell European”, “Fund European”: this is what the new report out today, 7 May, reiterates to European policymakers. Tech experts and economists behind the EuroStack initiative reinforce their asks to the EU to drastically reduce dependence on U.S. technology. In an open letter to the Commission accompanying the report, they suggest that “European governments and institutions spending public money should have an obligation to invest in Europe’s economic future,” besides reminding the urgency of the actions to be taken for this effort to be successful. The letter directly references ongoing and upcoming initiatives such as the European Commission’s plan for European digital strategic autonomy and the European Parliament’s own-initiative report on digital sovereignty. 

Italy and the U.S. issue joint statement on “discriminatory” digital services taxes 

On April 18, the two countries issued a joint statement opposing “discriminatory” taxes on digital services after Italian Prime Minister Giorgia Meloni met Trump in DC. This adds Italy to the list of EU countries dissenting from the threat to tax digital services if trade talks with the United States collapse. 

The joint statement also mentions that “President Trump accepted Prime Minister Meloni’s invitation to pay an official visit to Italy in the very near future. There is also consideration to hold, on such occasion, a meeting between U.S. and Europe.” 

Germany and Ireland have already been vocal against this potential digital services tax, while France has been favourable to this solution.