EuroISPA Monthly Report – April 2025

Amid the ongoing uncertainty linked to the Trump tariffs, the EU is also facing internal turbulence driven by the numerous forthcoming strategies, communications, and omnibus packages, as well as the initial mandate-related deadlines that are fast approaching. 

While new initiatives are beginning to take shape, several ongoing negotiations and developments continue to draw significant attention from industry stakeholders, political actors and member states’ representatives. These include the still-uncertain outcome of the negotiations on the CSA Regulation, the delays and developments surrounding the implementation of the AI Act, and the growing momentum around the upcoming evaluation of the Recommendation on combating online piracy of sports and other live events. 

This continued engagement is reflected in the active collection of input by the Secretariat from EuroISPA members and the Board’s strong presence in various meetings. You can find all relevant deadlines for calls for input listed at the end of each corresponding update, as well as in the “Ongoing Activities” section at the end of the newsletter. 

ONLINE CONTENT 

Polish Presidency compromise text on the CSA Regulation 

As reported in the previous edition of the monthly report, the Polish Presidency has been working on a new compromise text for the CSAR, dated 4th of April. As main takeaways from the draft text, we take note of the wording on ‘voluntary’ scanning orders for messaging services as well as on the safeguards around encryption, referencing that ‘the legislation should not be interpreted as prohibiting, weakening or circumventing end-to-end encryption’. 

Member States appear divided in this new version of the compromise text, as some countries argue for stronger language on detection orders making it obligatory for messaging services, while others raise privacy concerns. In a recent document, Spain, Hungary, Ireland and Estonia claimed that the voluntary approach is ‘insufficient to provide security for minors’ and that it ‘represents a significant step backwards’. On the other side, Poland appears to remain firm in its position on voluntary scanning. 

The Polish Presidency might not conclude the negotiations by the end of its term, meaning that the discussions will move on under the Danish Presidency (July-December 2025).

Panel on DSA during the EUIPO Conference on live event piracy 

On 30 April, European Commission’s DG CNECT representative Maria Tubasa touched upon the interplay of the Recommendation of live events piracy and key-provisions of the DSA relevant to the topic in a dedicated panel. She noted that by November 2025 the Commission, within the exercise of the evaluation of the Recommendation, will also assess the impact of the DSA on the unauthorised transmissions of live events. 

She reiterated that the European Commission’s work is guided by some enforcement priorities: protections of minors, consumers and electoral integrity. 

At the same conference, two EuroISPA Board members, Alex de Joode (AMS-IX) and Dalia Coffetti (AIIP), participated as guest speakers to a panel on IPTV piracy, debating with other stakeholders challenges and existing solutions of this specific issue. 

Work on DSA’s annual risk assessments resumes 

Today, 7 May, the Commission is holding a day-long workshop on risk assessments under the Digital Services Act, directed to Very Large Online Platforms and Search Engines, and to which civil society, academia and national authorities are also expected to participate. The yearly risk assessments, required under Articles 34 and 35, are a key transparency pillar of the DSA and mandate VLOPs and VLOSEs to identify, assess, and mitigate systemic risks, like disinformation or minors’ protection, posed by their services.  

As a reminder, the Commission has commissioned a study to be delivered to the Board of Digital Services Coordinators (the national authorities implementing the regulation) on the risk assessments.  

Age verification controversy continues 

In the wait of the (delayed) publication of European Commission’s guidelines on minors’ protection, controversy on age verification continues to spark debate in Europe. While everyone seems to agree on the need to implement age verification, it is not clear whose responsibility this should be: the app stores or the apps. The Meta-owned social media platform Instagram rolled out a campaign on 6 May to ask for EU regulation that would require age verification to happen on the App Store and not by the apps themselves. According to a Meta spokesperson talking to Politico, the campaign will run in Belgium, Denmark, France and Italy until the end of June.  

The U.S. are also working on the issue. Utah’s App Store Accountability Act takes effect today, 7 May, allocating the responsibility to mobile app stores to verify ages. Similar bills have been introduced by Republicans in the U.S. Congress and Senate.  

DATA ECONOMY 

Axel Voss hosts first roundtable in view of INI report on AI & Copyright 

On 6 May, German MEP from the EPP group Axel Voss held an online stakeholder roundtable to gather input on his upcoming own-initiative report on AI and Copyright. The MEP shared that a presentation of the EUIPO study on the Development of Generative AI from a Copyright Perspective will take place on 12 May (agenda), and that the presentation of the European Parliament’s study requested by JURI will happen sometime in June. Despite no official timeline, the draft report is foreseen by mid-July. 

MEP Voss noted the need to strike a balance between AI developers and copyright holders and invited stakeholders to share their views on the preferred direction for the INI report. Among the issues to be tackled in the report, he suggested transparency, (unfitness of) TDM exception, opt-out standard, licensing, liability. 

Given the high level of participation and the imbalance in representation, the MEP will organise another roundtable and has invited stakeholders to coordinate by “sector” in order to streamline their messages more effectively. 

The EuroISPA Secretariat took part in the meeting and will provide more details to members during the Joint Committee Meeting planned for next week (15 May, 14:00-16:00). 

Digital rights groups and scientists concerned about encryption in Internal Security Strategy 

In a letter addressed to European Commission’s Executive Vice-President Henna Virkkunen, civil society organisations, academics and relevant experts raised concerns over the Commission’s recently published Internal Security Strategy “ProtectEU,” particularly regarding the foreseen framework for law enforcement access to encrypted data. The stakeholders argue that the proposed Technology Roadmap on encryption risks undermining fundamental rights and collective cybersecurity. In the letter, dated 5 May, they also point out that technologies like client-side scanning, presented as secure and privacy-preserving, are actually privacy invasive and increase security risks. The stakeholders requested a meeting with EVP Henna Virkkunen and offered to provide expert technical briefings to support the Commission’s objectives. 

At national level, European governments argue that E2EE hampers law enforcement’s ability to combat serious crimes such as murder, drug trafficking, and child exploitation. The Danish Justice Minister and Europol warn that authorities are “fighting crime blindfolded.” National governments are also pursuing their own initiatives, with France, Spain, and the Nordics pushing legislation.  

Commission outlines details on GDPR simplification plans in email to experts 

In an email to an expert group at the end of April, the Commission’s DG JUST confirmed to its GDPR Multistakeholder Group that the simplification of GDPR will be part of a simplification package called the Fourth Omnibus, due to be published on 21 May. 

According to the email, the Commission is planning to extend the scope of Article 30(5) to cover “mid-cap” companies with fewer than 500 employees and with a certain annual turnover, as well as organisations such as nonprofits with fewer than 500 employees. Other changes might affect Article 35 (impact assessments) and Articles 40(1) and 42(1), relating to codes of conduct and certification mechanisms. 

The EuroISPA Secretariat is currently collecting input from members by 13 May CoB on member’s case studies related to GDPR implementation challenges (especially for SMEs) with the aim to send them to the European Commission and elaborating an answer to any upcoming consultation on the topic. 

European Data Union Strategy to streamline existing data legislation to support the AI development 

According to an input note from the Commission on the upcoming Data Union Strategy, part of the AI Continent Action Plan recently published, the main priority will be to streamline the existing data legislation with the aim of fostering AI development. The four pillars to be addressed are: 1) Data availability, access and use, 2) Simplification with an evaluation of the Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive, 3) Administrative burden reduction and 4) International data flows. 

On GDPR, the Commission will look for feedback on the balance between data protection and technological innovation; on ePrivacy, the Commission wants to understand if the framework should be adapted. The consultation is due to be launched in Q2 2025, and the strategy to be published in Q3 2025.  

The input note also reports the intention of the Commission to come up with an “Internal Data Strategy,” to be presented alongside the Data Union Strategy expected for the second half of the year, focusing on “the fight against unjustified barriers to international data flows.”  

General-purpose AI models to be the subject of guidelines, Code of Practice delayed 

On 22 April, the Commission opened a public consultation in order to draft Guidelines for General-purpose AI models, to complement the Code of Practice. According to the working document, the Guidelines will focus on several key-concepts of the AIA including what is a ‘GPAI model’, who is the ‘provider’ and when is a downstream modifier a provider. They aim also at clarifying what constitutes a ‘placing on the market of a GPAI model, and when do the open-source exemptions apply as well as how to estimate the computational resources used to train or modify a model. 

The consultation is open until 22 May and the new Guidelines are expected “in May or June 2025.” In an email sent by the Commission to stakeholders involved in the drafting of the Code of Practice, which had a publication deadline of 2 May, the executive said that the code “should be published before August”. The Commission has also announced that it wants to open a targeted consultation on the classification of high-risk AIs. 

EDPB adopts guidelines on processing personal data through blockchain 

Following the plenary in April, the EDPB adopted Guidelines on processing of personal data through blockchain technologies, relevant to support the secure handling and transfer of data with traceability. With the guidelines, the EDPB is assessing the different architectures and their implications for the processing of personal data and clarifies the roles and responsibilities of the different actors. With the publication of the guidelines, the Board opened a public consultation and sending feedback is possible until 9 June.  

In addition, the EDPB also confirmed to closely cooperate with the AI Office on the drafting of the Guidelines on the interplay between the AI Act and the GDPR.  

CYBERSECURITY & INFRASTRUCTURE 

EU urged to address foreign ownership risks in subsea cable infrastructure 

EU Member States have flagged a regulatory gap concerning the protection of submarine telecom cables from foreign ownership, according to feedback submitted to the European Commission. As part of broader efforts to bolster the cybersecurity of critical infrastructure, governments see tighter control over subsea cables as a necessary next step to safeguard European connectivity and digital sovereignty. 

 

EU states push for sovereign cloud in key sectors 

EU Member States are calling for prioritised deployment of sovereign cloud solutions in strategic sectors such as health, finance, and defence, according to a summary of expert discussions under the Polish Council Presidency dated 25 April. For “highly critical use cases,” cloud services should be EU-controlled and cybersecurity-certified. Member States also stress the need to avoid vendor lock-in for public entities. Key barriers to new data centre deployment include access to reliable, renewable, and affordable electricity. Proposals include mapping strategic locations for data centres and exploring innovation in water management, cooling systems, component recycling, and AI-assisted load balancing. Harmonising permitting rules at EU level is also suggested to speed up infrastructure deployment. 

Bundeskartellamt reasserts need for strict merger control 

Germany’s Bundeskartellamt backed a joint statement by six national competition authorities reaffirming the need for strict competition enforcement, even amid calls to ease merger rules to boost EU competitiveness — particularly in telecoms. While recognising that mergers can support company growth, the BKartA stressed the importance of assessing impacts on market competition across all sectors. The debate, reignited by a recent Financial Times article, shows telecoms firms continue to press for more lenient treatment, but authorities are holding firm. 

The European Commission publishes outcome document of the conference on the governance of web.4.0  

The Global Multistakeholder High-Level Conference on Governance for Web 4.0 and Virtual Worlds set forth critical principles to ensure an open, secure, and inclusive digital future. The document emphasizes the need for multistakeholder governance in managing transformative technologies such as AI, XR, IoT, and blockchain. Key policy goals include protecting human rights, privacy, and accessibility, while encouraging fair competition and preventing digital monopolies. Technically, it highlights the importance of maintaining a global, distributed internet architecture and evolving core protocols like IPv6 to meet increasing demands. The document stresses the urgency of adopting security standards such as RPKI to safeguard internet infrastructure and prevent fragmentation. Sustainability, interoperability, and privacy-by-design are also central tenets. The recommendations call for stronger global coordination, anticipatory governance via sandbox environments, and equitable participation, especially from underrepresented groups, to build a trustworthy, resilient Web 4.0. 

European Single Market Strategy leak reveals plans to remove internal barriers and boosting services  

According to a draft of the European Commission’s upcoming Single Market Strategy, planned to be released on 21 May, the institution asks EU governments to appoint dedicated officials to identify and address the problems and obstacles that prevent the EU’s single market from functioning smoothly. 

“While the world is plunging into a period of economic uncertainty caused by trade tensions, our European market is a safe haven,” the draft document reads. It calls on EU governments to take joint ownership of the single market and make it a political priority by appointing officials, or “sherpas,” within national prime ministers’ or presidents’ offices “with authority towards all parts of the government.” 

European Commission’s International Digital Strategy leaked 

This new strategy, expected to be presented on 4 June, will lay out how the EU should work with other regions to protect its own assets and speed up innovation. The document suggests the EU to develop further cooperation with Japan on chips, quantum computing, AI safety and 6G, besides enhancing the international cooperation between digital regulators. On this in particular, the plan is to establish by 2030 two forums of digital regulators, hosted by the EU, on digital services and digital markets. The Strategy mentions the promotion of trusted digital networks and infrastructures as well as developing submarine and terrestrial cables. International coordination on cyber resilience, law enforcement and anti-money laundering efforts are also mentioned, together with continuing the protection of an inclusive multistakeholder approach to Internet Governance by opposing initiatives of state-controlled Internet architectures; here the upcoming editions of the IGF and WSIS+20 are mentioned as critical in proactively defending the general availability and integrity of the Internet. 

MISCELLANEOUS 

EuroStack report outlines next steps 

“Buy European”, “Sell European”, “Fund European”: this is what the new report out today, 7 May, reiterates to European policymakers. Tech experts and economists behind the EuroStack initiative reinforce their asks to the EU to drastically reduce dependence on U.S. technology. In an open letter to the Commission accompanying the report, they suggest that “European governments and institutions spending public money should have an obligation to invest in Europe’s economic future,” besides reminding the urgency of the actions to be taken for this effort to be successful. The letter directly references ongoing and upcoming initiatives such as the European Commission’s plan for European digital strategic autonomy and the European Parliament’s own-initiative report on digital sovereignty. 

Italy and the U.S. issue joint statement on “discriminatory” digital services taxes 

On April 18, the two countries issued a joint statement opposing “discriminatory” taxes on digital services after Italian Prime Minister Giorgia Meloni met Trump in DC. This adds Italy to the list of EU countries dissenting from the threat to tax digital services if trade talks with the United States collapse. 

The joint statement also mentions that “President Trump accepted Prime Minister Meloni’s invitation to pay an official visit to Italy in the very near future. There is also consideration to hold, on such occasion, a meeting between U.S. and Europe.” 

Germany and Ireland have already been vocal against this potential digital services tax, while France has been favourable to this solution.  

Telecom operators must not become content police

Telecommunications companies are the backbone of the Internet, akin to road maintenance operators tasked with ensuring smooth and functional infrastructure. Just as road operators are not expected to monitor vehicles for illegal goods, telecom operators should not be burdened with policing Internet content. Their role would shift drastically from facilitators to enforcers if tasked with such responsibilities.

Intermediaries Are Not Responsible for Data Content

Under the EU’s Digital Services Act (DSA), intermediaries like telecom companies are not liable for content transmitted or stored by their users under certain conditions. The DSA also prohibits general monitoring obligations. However, recent EU legislative initiatives have started imposing new responsibilities on intermediaries, stretching the limits of this limited liability.

For instance, under Article 17 of the DSM Directive, online content-sharing service providers might be held accountable for copyright infringements. Other regulations increasingly require telecom operators to block or monitor online content, such as those addressing terrorist content or child sexual abuse. Even seemingly unrelated laws, onto the operators, like those governing payment services, propose shifting liabilities, such as financial losses from spoofing.

Protecting Communications Secrecy

Commission proposals like the CSAM Regulation suggest requiring all communication services to inspect users’ messages, undermining encryption. Scanning messages before encryption negates its purpose, much like obliging postal workers to read letters before sealing them. The European Court of Human Rights ruled in Podchasov v. Russia (2024) that weakening encryption violates human rights. Yet, Europol and Member States’ police chiefs recently called for breaking encryption for investigations.

These proposals often lack technical understanding, expecting telecom companies to assess the legality of all communications—an impossible and intrusive task. Content regulation should target platforms or sources, not infrastructure providers.

Legislation that weakens communication secrecy threatens human rights, risking a surveillance state akin to China. Good intentions cannot justify such erosion of freedoms.

Asko Metsola

Former legal advisor of FiCom

EuroISPA Monthly Report – March 2025

March and early April have seen significant movement in the EU’s push for digital sovereignty, as tensions with the U.S. escalate over trade and tech policy. The EU is ramping up efforts to reduce its reliance on American tech giants, with proposals for a digital services tax to fund a European “sovereignty fund” aimed at building alternatives to U.S. platforms. The Commission is also exploring consolidating data legislation to simplify regulations and foster innovation. Meanwhile, calls for investing in European cloud infrastructure, AI, and semiconductor production are gaining traction, reflecting a broader strategy to strengthen Europe’s digital autonomy. As you will read further in this edition, these developments signal an intensifying debate and growing momentum for reshaping EU digital policy in the face of shifting global dynamics. 

ONLINE CONTENT 

Commission reassures about the ongoing data collection on the Recommendation on combating online piracy of sports and other live events  

During a meeting at the European Parliament, Sabina Tsakova, Deputy Head of the Copyright Unit in DG CNECT, provided insights regarding the monitoring of the 2023 Recommendation on combating online piracy of sports and other live events, whose assessment is expected by 17 November 2025. 

The Commission is looking at how unauthorised retransmission has evolved, what is the volume within the Member States, whether there a prompt treatment of notices by the different market players, the use of dynamic injunctions and the availability and awareness raising of the legal offer.  

There will be a second data collection exercise in the next months that will cover the beginning of 2025. The dedicated network of national authorities under the EUIPO Observatory will also convene a third meeting at the end of April.  

Representatives of EuroISPA Board will attend in person the EUIPO Conference in Alicante on 30 April. 

Latest reports under DSA Code of Conduct on Disinformation were released 

The latest reports from the signatories of the Code of Conduct on Disinformation have been published at the end of March. These detail the signatories’ actions taken under the code to combat the spread of disinformation online and their responses to ongoing crises such as the war in Ukraine and the Hamas-Israel conflict, as well as the measures they took to ensure the integrity of elections, including in the context of the Romanian presidential elections. The Code of Conduct will serve as a relevant benchmark for determining DSA compliance under Article 35 from 1 July 2025, following the entry into effect of its conversion in the DSA.  

The Commission promises not to duplicate the DSA in the DFA to protect minors  

Maria-Myrto Kanellopoulou, Head of Unit in DG JUST, assured the European Parliament at the beginning of April that the future Digital Fairness Act (DFA) will extend its rules for the protection of minors to other online services, since platforms are already tackled by the DSA. Besides protection of minors, the Commission is also considering new rules on influencer marketing. Prabhat Agarwal, the Head of Unit at DG CNECT responsible for implementing the DSA, emphasized the importance of upcoming “soft law,” particularly the guidelines on the protection of minors expected by the summer. 

The steering group dedicated to the future Digital Fairness Act is expected to be formalised in the coming weeks, while the public consultation is due to be launched at the end of May, around the annual consumer summit scheduled for 20 May. The proposal is expected in mid-2026. 

CSAM Proposal Shifts Further Toward Voluntary Detection 

EU governments are reviewing a revised draft of the CSAM regulation that reinforces a voluntary-only approach to detection, dropping the controversial mandatory scanning obligations. The updated text, dated April 4, clarifies that providers like WhatsApp and Signal are not required to scan for child sexual abuse material (CSAM), with detection possible only if done voluntarily. It also safeguards end-to-end encryption, stating the regulation cannot be used to weaken or bypass it. The new draft removes risk categorization requirements to cut administrative burden and streamlines enforcement by relying on existing national rules. It retains the Commission’s review clause to assess the feasibility of mandatory detection after three years, including an evaluation of detection technologies and false positive risks. The updated compromise marks a continued stalemate in Council, despite the European Parliament having finalised its position back in 2023. 

DATA ECONOMY 

Commission presents the Continent AI Action Plan and launches two public consultations 

On 9 April, the European Commission presented its ‘AI Continent Action Plan’ aiming at promoting initiatives around five key areas: Computing infrastructure, Data, Development of algorithms and fostering AI adoption, Skills, Regulatory simplification.  

Alongside the release of the strategy, the EC launched two public consultations on the AI Apply Strategy (deadline: 4 June) and the Cloud and AI Development Act (deadline: 4 June). On the latter, the issues to be tackled are, among others, the unfavourable conditions for the private sector to close the available data centre capacity gap in a way that prioritises highly sustainable solutions and the lack of a competitive EU-based offer of cloud computing services at sufficient scale to serve highly critical use cases with particularly high security needs. 

The Commission is considering five possible policy options, among which non-legislative, soft regulation and regulation. The initiative is expected to land in Q4 2025 / Q1 2026. 

Moreover, a Call for expression of interest on AI Gigafactories (deadline: 20 June) was released. 

EU Democracy Shield consultation opens 

The consultation on the Democracy Shield initiative opened on March 31 (deadline: 16 May). The shield will include measures to fight disinformation, foreign interference and to promote integrity of elections, societal resilience and citizens’ participation to democratic processes.  

During an exchange of views with the dedicated committee in the European Parliament, Commissioner McGrath did not exclude that the findings and recommendations present in the Shield (expected in the third quarter of 2025) will lead to a legislative proposal. 

CYBERSECURITY & INFRASTRUCTURE 

Sovereignty Push Reshapes EUCS Debate 

Momentum is building within the EU toward embedding sovereignty considerations into the EU Cybersecurity Certification Scheme for cloud services (EUCS), as political winds shift in favour of limiting reliance on non-European providers. The European Commission’s new internal security strategy hints at supporting “Europe-only” preferences, encouraging critical sectors to weigh not just technical but also strategic risks and dependencies when choosing cloud services — a nod to long-standing calls from France and others to restrict hyperscalers like Amazon, Microsoft, and Google from the most sensitive sectors. 

Meanwhile, the launch of the Commission’s consultation (deadline: 4 June) on the upcoming Cloud and AI Development Act reinforces this trend, directly questioning the influence of third-country tech providers and risks of vendor lock-in. National governments are also pivoting: the Netherlands, historically U.S.-cloud friendly, has now committed to building a sovereign government cloud by 2028, citing the need to safeguard sensitive data and digital continuity amid geopolitical uncertainty. With these developments, pressure mounts on the Commission to break the EUCS deadlock and favour sovereignty-aligned certification requirements. 

EU cable stakeholders urge for subsea infrastructure security 

Telecom operators and subsea cable stakeholders, including Orange, Telefónica, Telenor, Vodafone and more, have called on the EU, UK and NATO to enhance coordination on protecting subsea infrastructure, warning that rising hybrid threats pose significant risks to Europe’s digital resilience, economic stability and defense preparedness. In an open letter, the group endorsed the EU’s Action Plan on Cable Security but stressed the need for stronger public-private cooperation, increased funding, and faster implementation of protective measures. 

Commission announces upcoming International Digital Strategy 

The European Commission has announced an upcoming consultation on the International Digital Strategy with an adoption planned for the Second Quarter of 2025. To be titled “Strengthening the EU’s leadership in Global Digital Affairs”, should be issued on 6 May in the form of a non-legislative initiative. The paper will explain how reinforcing the EU’s security, tech sovereignty, democracy and competitiveness require efforts both in internal markets and with international partners. While the exact scope of the strategy remains unclear, it is expected to cover internet governance and cybersecurity. However, the level of emphasis on internet governance remains uncertain: there are concerns that it may receive limited attention, as questions such as the WSIS+20 review and the IGF mandate have yet to be clarified. 

Commission announces the 5GMEC4EU project driving 5G and edge computing 

Funded under the CEF Digital programme, the 5GMEC4EU is a Coordination and Support Action that will contribute to building a cohesive European 5G ecosystem. The action will integrate Multi-access Edge Computing into 5G Smart Communities and 5G Transport Corridors to ensure service continuity, cross-border seamless connectivity and open standards. 

D9+ Ministerial Declaration on digital technology and connectivity 

Following the D9+ Ministerial Meeting that took place in Amsterdam on 26-27 March, a leak of the Ministerial draft declaration calls the EU to ‘increase its digital competitiveness and tech sovereignty in an open manner’ through increased private investments and public-private partnerships. The declaration highlights a strategic approach to key technologies like AI, cloud and connectivity, while simplifying EU rules to foster innovation. 

The D9+ group includes the Ministers of the Netherlands, Denmark, Estonia, Ireland, Luxembourg, Poland, Portugal, Slovenia, Spain, the Czech Republic, Sweden, Belgium and Finland, yet the draft doesn’t detail which countries are to sign up to the final declaration. 

Commission opens the Cybersecurity Act consultation  

As mentioned last month, the Commission has now opened the consultation on the Cybersecurity Act. The initiative will revise the Cybersecurity Act, clarify the mandate of the EU Agency for Cybersecurity (ENISA) and improve the European Cybersecurity Certification Framework to achieve better resilience. The initiative also aims to streamline, simplify and supplement EU legislation to make the implementation of the EU cybersecurity framework more user and business friendly and to prioritise measures to support the EU objectives of developing a secure and resilient supply chain, including the EU cybersecurity industrial base. The feedback on the draft regulation is open until 20 June 2025. 

MISCELLANEOUS 

EU-US Trade Tensions: Digital Tax and Sovereign Tech Push 

April marked a significant chapter in the EU-US trade tensions, starting with former President Trump’s announcement of a 20 percent tariff on all EU goods, which was later dialled back to 10 percent after market reactions. In response, the European Commission, led by President Ursula von der Leyen, paused retaliatory measures to allow for negotiations, but tensions remained high. The EU’s countermeasures are expected to target the tech sector, where Europe holds substantial leverage over the U.S. Amid these developments, the French government proposed stricter regulations on U.S. tech firms’ data handling and even floated the idea of taxing digital services, though opposition emerged, particularly from Ireland. 

In parallel, EU efforts to reduce reliance on U.S. technology gained momentum, with proposals for increasing local cloud infrastructure, semiconductor production, and AI development. This includes revisiting the “fair share” concept, which would require major tech providers to contribute to network rollout costs. As part of this push, the EU is also exploring digital taxation options, with discussions around a European Digital Sovereignty Fund that could fund initiatives to reduce dependency on U.S. firms. The Digital Networks Act, currently under discussion, may offer a renewed opportunity for this proposal. Meanwhile, the European Parliament continues to engage in high-level talks in Washington, signalling that despite the tensions, transatlantic cooperation remains ongoing. 

European Socialists present plan on a Gafam tax 

On April 10 the S&D group presented their plan to fight ‘tech oligarchs’. The S&D proposes six actions to ‘protect Europeans online’, which are intended to serve as the basis for an agreement with other pro-European groups. Among these actions, they propose a new tax on digital services, intended to feed the Commission’s own resources, and ultimately a European “tech sovereignty fund.” This fund is to be used to build infrastructure “rooted in European values,” ranging from decentralized social networks to cloud services. This vision appears to be compatible with that of EuroStack, according to MEP Alex Agius Saliba. This tax, which is to resume work abandoned several years ago in Brussels, could apply to both consumer services (advertising and social networks) and business services. “It’s the right political moment” to revisit it, in the face of the Trump administration”, believes Alex Agius Saliba, who also plans to favor European players in public procurement.  

Berlin joins the Digital Sovereignty club  

The Christian Democrats of future Chancellor Friedrich Merz and his Social Democratic coalition partners reached a programmatic agreement on April 9. Its digital component emphasises regulatory simplification and, in a sign of the times, digital sovereignty, a topic that is usually not very popular in Germany, reports Contexte. 

Piracy Shield: A flawed approach in the fight against online piracy

ISPs understand the need to protect copyright and fight piracy. However, it is critical that the administrative, legal and technical systems deployed to achieve this shared goal are proportionate, efficient, non-discriminatory and not harmful to the proper functioning of the Internet network.

Italy was one of the first EU Member States to be equipped with a filtering platform, called “Piracy Shield”, whose primary objective is to tackle online piracy related to live broadcast sporting events. It was introduced by Law No. 93 of 2023, amended by the so-called Omnibus Decree (DL no. 113 of 9 August 2024) and completed by two AGCOM resolutions that better detail its functioning.

In a nutshell, Piracy Shield is an asynchronous platform designed to allow copyright holders (so-called flaggers) to quickly report domains or IP addresses hosting pirated content. Upon receiving the report on the portal, AGCOM can order Italian ISPs to block access to the sites involved within a maximum of 30 minutes.

Leaving aside the fact that this sort of “mega-firewall” is easily bypassed by means of VPN or by switching from a private DNS to a public DNS, and that it entails considerable costs for ISPs, it goes without saying that, from the very beginning, its functioning has revealed many limitations and criticalities, which have been exacerbated by the recent change in the law:

• there is a high risk of affecting lawful resources, since AGCOM can order the blocking of IP addresses that are predominantly (and not uniquely, as originally intended) used for unlawful activities;

• filtering obligations are potentially unlimited, after the legislator intervened to remove the filtering limits on IP/FQDN addresses agreed between the NRA and the operators during the technical tables;

• ISPs are found to perform filtering and tasks that collide with individual freedoms. This is contrary to European legislation that qualifies fundamental ISPs services as mere-conduit and therefore exempt them from liability. On the contrary, in Italy criminal liability has been expressly established for ISPs;

• marked asymmetry between the blocking procedures that must be carried out in a timely manner and total uncertainty as to the timing for unblocking: Uncertainty that disproportionately affects small operators or foreign providers who – not always being aware of the EU Member State’s regulatory framework – have difficulty enforcing their rights.

While we are witnessing initiatives that aim at combating piracy, it is useful to remember that any system activated at national level has strong impacts outside the borders, as content and resources located in third countries are filtered. In addition, a massive multiplication of asynchronous platforms would pose threats and create vulnerabilities to the proper functioning of the Internet, as intervening with potentially unlimited filtering creates high collateral damage even greater than the social benefit of combating piracy.

There are better tools to fight piracy, including criminal Law, cooperation between States, and digital solutions that downgrade the quality of the signal broadcast via illegal streaming websites or IPtv. European ISPs are ready to play their part in the battle against piracy, but the solution certainly does not lie in filtering and blocking IP addresses.

Dalia Coffetti

EuroISPA Board Member and Head of Regulatory and EU Affairs of AIIP – Association of Italian Internet Providers

EuroISPA General Meeting in Brussels: a recap

Brussels, March 27-28, 2025

Last week, the EuroISPA community convened in Brussels for the first General Meeting of the year, bringing together Council and Forum members, Board Officers and Secretariat, in the EuroISPA offices for a very fruitful exchange.

Our members gathered to recap the activities of the association in 2024 and discuss the next steps in the new mandate of the European institutions, identifying priority areas for EuroISPA to focus on in 2025 and beyond, as well as revamped ways of working.

The agenda included as usually exchanging insights on the strategic way forward of current topics of attention for our Committees’ work:

📌 in the Online Content Committee, we discussed the ongoing developments around child protection and CSAM Regulation negotiations and the ongoing and upcoming activities of the association on piracy, especially in close coordination with the EUIPO.

📌 the Data Economy Committee, focusing on the ongoing and upcoming work of the institutions around, among others, the Internal Security Strategy, the Digital Fairness Act, and debated on the future of the Data Privacy Framework, ePrivacy and AI.

📌 the Cybersecurity & Infrastructure Committee, with updates on critical past and upcoming institutional works such as the DNA, CRA and CSA consultations, NIS2 and the Council Conclusions on reliable and resilient connectivity.  The Committee was delighted to appoint its new Chair – Elisabeth Debar from FFT. We are confident that her experience in cyber policies, both at the French and the European level, will bring invaluable expertise to the Committee.

Read more about the work of our Committees here.

During the two days, EuroISPA had the pleasure of welcoming high-level speakers, with whom members had the opportunity to exchange and debate on relevant matters for the internet industry:

🔹 Kia Slæbæk Jensen, Defence, Cyber and Hybrid Threats Attachée at the Danish Permanent Representation to the EU, on cyber and infrastructure resilience as well as Denmark’s cyber priorities, ahead of the upcoming Danish EU Presidency
🔹 Werner Stengg, Cabinet Expert of Executive-Vice President of the European Commission for Tech Sovereignty, Security and Democracy Henna Virkkunen, on Opportunities and challenges of the new EU institutional mandate
🔹 Katinka Clausdatter Worsøe, Telecom Attachée at the Danish Permanent Representation to the EU on Denmark’s Digital and Telecom Priorities, ahead of the upcoming Danish EU Presidency​

Finally, we had the pleasure of having with us Keilin Tammepärg, Head of Policy and Legal affairs of the Estonian Association of Information Technology and Telecommunications, bringing one more national association’s perspective to the table.

Thank you to all our members who participated actively in the discussions and to our guest speakers for providing valuable insights.

The next EuroISPA General Meeting will be held in Paris in June – stay tuned!

EuroISPA Annual Policy Report 2024 – Brussels Outlook 2025

EuroISPA is delighted to present to you its Annual Policy Report 2024 – Brussels Outlook 2025, which provides an overview of the Association’s main activities in 2024, insights into what’s ahead in 2025, and a deep dive into its key policy focus areas.

In 2024, EuroISPA played a pivotal role in shaping discussions on digital policies affecting European ISPs. The Association and its committees worked on critical areas such as online content, data economy, and cybersecurity & infrastructure, ensuring that the voice of ISPs was heard in EU policymaking.

Beyond a reflection on the past year’s work, this report highlights EuroISPA’s recommendations for a competitive and fair European Internet ecosystem. Additionally, it offers an outlook on the evolving EU policy landscape and its implications for the ISP sector.

Our officers, committee chairs, and members provide expert insights on pressing topics such as combating online piracy, the impact of artificial intelligence, cybersecurity in the EU, the future of digital infrastructure, and the role of ISPs in driving innovation and sustainability.

Once again, EuroISPA is proud to have worked alongside its members to foster a safer, more resilient, and forward-thinking digital environment in Europe.

We hope you enjoy reading our Annual Policy Report 2024 – Brussels Outlook 2025!

Joint industry call for allowing the continuation of current Child Sexual Abuse detention practices

Together with other industry associations, EuroISPA is calling on EU Member States to allow the continuation of current Child Sexual Abuse detection practices.

Building on our previous joint statement welcoming the extension of the temporary ePrivacy Directive derogation, we reaffirm that proactive measures against CSA have been instrumental in protecting children online over the past decade.

EuroISPA on Internet governance

Rising geopolitical tensions threaten the open and global Internet on several levels. We see global fragmentation and threats to the physical infrastructure, global fragmentation at the regulatory level, and increasing cybersecurity threats from bad actors, including states.

At the same time, overly restrictive regulations or centralised control mechanisms could stifle innovation and exclude smaller operators, which also face challenges when it comes to combatting advanced threats such as nation-state actors, ransomware, and distributed denial-of-service (DDoS) attacks.

EuroISPA strongly supports the EU’s commitment to the multi-stakeholder model of Internet governance, which has been instrumental in maintaining an open, free and secure Internet. The EU can strengthen the multistakeholder model through strong participation in and compliance with the processes of the relevant organisations, such as IGF, ICANN, IETF, etc. Future EU legislation should always be assessed in the light of extraterritoriality and its impact on the global competitiveness of the European IT industry.

At the same time, we invite the EU to encourage diversity in operators by cutting red tape and streamline cybersecurity compliance requirements, ensuring they are proportionate to the size and resources of the operators, without compromising security standards. In fact, developing and adhering to open, universally adopted standards would ensure that security measures are interoperable, scalable, and accessible to operators of all sizes.

Building collaborative frameworks that provide shared threat intelligence, affordable mitigation tools, and capacity-building support is essential to levelling the playing field and enhancing the overall security and resilience of the Internet.

EuroISPA also believe it is key to take into account emerging technologies risks, such as quantum computing ad switching, artificial intelligence, and the Internet of Things (IoT). Preparing for quantum-resilient cryptography, securing IoT devices, and ensuring ethical AI use must be priorities to prevent vulnerabilities from compromising the integrity of the Internet.

EuroISPA recently submitted its response to the European Commission’s targeted consultation on its stance on Internet
governance.

EuroISPA signs open letter in response to the Going Dark report

As part of our response to the High-Level Group on Access to Data for Effective Law Enforcement (HLG “Going Dark”), and following our reaction to their 42 recommendations, we raise our concerns about the HLG’s final report, together with a broad coalition of civil society groups, industry and professional associations,

As a matter of fact, the group recently presented recommendations that could pose a substantial threat to digital security and privacy for the EU and its citizens.

An EU security policy fit for the digital age must address the challenges we face today. Secure communications and legal certainty are imperative for citizens and law enforcement alike. In the light of potential threats by criminals, foreign state-sponsored agencies and even some authoritarian actors within the EU, people expect the institutions to prioritise policies that protect their IT-security and fundamental rights. That is why we recommend:

  • Support a safe, trustworthy and diversified digital ecosystem. Citizens need technology that empowers them instead of putting them at risk.
  • Ensure the security and confidentiality of digital spaces because the possibility for people to exercise their fundamental rights depend on it.
  • Uphold the right to privacy and inviolability of protected information. This is required by the Charter of Fundamental Rights and case law of the Court of Justice of the EU and the European Court of Human Rights.

PRESS RELEASE: EuroISPA elects new leadership at General Meeting

Elina Ussa (FiCom) reconfirmed as President, Dalia Coffetti (AIIP) joins Lars Steffen (eco), Alex de Joode (AMS-IX) and Romain Bonenfant (FFTélécoms) as Officer of the EuroISPA Board

Brussels, 21 November 2024EuroISPA, the pan-European association of Internet Services Providers (ISPs) associations, elects new Board configuration during the General Meeting held on November 21, 2024, in Brussels.

EuroISPA is the representative body of over 3,300 Internet Services Providers across the European continent. Since 1997, EuroISPA functions as an ‘umbrella’ association representing ISP associations on policy and legislative issues and facilitates the exchange of best practices between members.

EuroISPA Council members gathered in Brussels for their last General Meeting of 2024, which saw the election of new members of the Board. Dalia Coffetti, of EuroISPA’s Italian member AIIP, was unanimously elected Board Member. She joins Elina Ussa (FiCom, President), Lars Steffen (eco, Vice-President), Alex de Joode (AMS-IX, Treasurer), and Romain Bonenfant (FFTélécoms, Board Member), who have been reconfirmed in their respective roles for another mandate of 2 years. The new Board will be leading the Association’s work until the end of 2026.

Dalia Coffetti, newly elected EuroISPA Board Member on behalf of AIIP, stated: “I am honoured to be chosen to serve in the Board of EuroISPA, to actively contribute to the day-to-day activities of the Association and promote the interests of its members. I am looking forward to sharing the experience, vision and needs of all ISPs daily engaged in the digitalisation of the European Union and who, over the last decades, have contributed to building a competitive and innovative ecosystem that is close to the needs of European consumers”.

EuroISPA is committed to fostering the growth of an innovative and fair European Internet ecosystem, encouraging the continued development of a free and open telecommunications market, as highlighted in the EuroISPA Manifesto for the EU 2024-2029 Mandate. The work of the Association in 2025 will focus on engaging with newly-elected EU policymakers to work together towards achieving a fully functioning internal market, a long-term vision on privacy online, a harmonised European strategy for cybersecurity, and legislative coherence for digital infrastructure.

Elina Ussa, re-appointed President of the Association, said: “I am honoured by the trust that EuroISPA members have decided to put in me once again. I am looking forward to continuing working with this dedicated group of Officers to contribute to the ambitious goals that we have put forward in our Manifesto. Continuity in leadership will be beneficial to the work of the Association in times of changing EU landscape our members are navigating in. I am also delighted to welcome Dalia to the Board of EuroISPA, our members can count on one more expert to lead the Association into 2025 and beyond”.

/