INSIGHT: The Future of Connectivity: A Joint Vision from eco and EuroISPA 

/in , ,

Europe stands at a pivotal moment in its digital transformation. Connectivity is no longer a convenience – it is the backbone of economic growth, innovation, and societal resilience. As eco – Association of the Internet Industry and EuroISPA, we share a common mission: to ensure that Europe’s digital infrastructure is secure, sustainable, and future-ready. This article outlines our joint vision for the next era of connectivity, addressing technological, regulatory, and societal challenges. 

From Copper to Fiber: Building the Foundation 

The transition from copper-based networks to fiber-optic infrastructure is essential for Europe’s competitiveness. Fiber offers unmatched bandwidth, ultra-low latency, and resilience – capabilities that copper cannot deliver in an era of cloud computing, IoT, and real-time applications. Accelerating fiber deployment, particularly in rural and underserved regions, is critical to closing the digital divide. Both eco and EuroISPA advocate for investment-friendly policies and streamlined permitting processes to make this transition a reality. 

6G: The Intelligent Network of Tomorrow 

While 5G rollout continues, 6G research is already shaping the next frontier. Expected by 2030, 6G will deliver terabit-per-second speeds, sub-millisecond latency, and AI-driven network orchestration. It will enable holographic communication, digital twins, and immersive extended reality, transforming sectors from healthcare to manufacturing. To achieve this, Europe must invest in terahertz spectrum, edge computing, and global standards, ensuring interoperability and security.

Quantum Networking: Reinventing Security 

Cybersecurity is a cornerstone of trust in the digital age. Quantum networking, through technologies like Quantum Key Distribution (QKD), will make data interception virtually impossible. This is vital for protecting critical infrastructures systems. Europe must lead in quantum research and pilot projects to safeguard digital sovereignty. 

Satellites: Bridging the Last Mile 

 

Fiber and terrestrial networks will dominate urban connectivity, but satellite Internet – especially Low Earth Orbit (LEO) constellations – will play a key role in connecting remote regions. Integrating satellite solutions into Europe’s connectivity strategy ensures inclusivity and resilience, supporting economic development and social cohesion 

The Backbone: Data Centers, IXPs, and DNS  

  • Behind every digital service lies a robust infrastructure: 
  • Data Centers: The engines of the digital economy. Scaling sustainably with energy-efficient technologies and renewable energy is non-negotiable. 
  • IXPs: Internet Exchange Points reduce latency and strengthen resilience. Expanding Europe’s IXP ecosystem enhances performance and digital sovereignty. 
  • DNS: A stable and secure Domain Name System is fundamental. Implementing DNSSEC and redundancy measures is essential to prevent outages and attacks. 

Sustainability and Security: Our Shared Priorities 

Both eco and EuroISPA champion green digital infrastructure, aligning with EU climate goals. Energy efficiency, heat reuse, and renewable integration are critical for data centers and networks. At the same time, cybersecurity must evolve with zero-trust architectures, AI-driven threat detection, and strong encryption standards. 

Encryption: A Non-Negotiable for Trust 

EuroISPA has consistently defended end-to-end encryption as a cornerstone of privacy and security. Proposals to weaken encryption under initiatives like ProtectEU or e-Evidence risk undermining trust and exposing users to cyber threats. Our joint position is clear: encryption must remain robust and uncompromised. Any legislative approach should balance law enforcement needs with fundamental rights and technological realities. 

Policy and Collaboration: The Road Ahead 

The future of connectivity requires coordinated action. Policymakers must create frameworks that encourage investment, innovation, and sustainability without imposing disproportionate burdens. Industry associations like eco and EuroISPA play a vital role in shaping balanced regulations, from the Digital Networks Act to cybersecurity standards. Public-private partnerships will be the cornerstone of Europe’s digital success. 

Conclusion: A Connected, Secure, and Sustainable Europe 

Connectivity is not just about speed – it is about enabling opportunity, resilience, and trust. From fiber to 6G, from satellites to quantum networks, and from data centers to DNS, every component matters. Together, eco and EuroISPA are committed to driving this transformation and ensuring that Europe remains a global leader in digital innovation. 

Lars Steffen

Vice-President of EuroISPA

Head of International, Digital Infrastructures & Resilience of eco – Association of the Internet Industry

2026: What’s ahead

/in , ,

EU Digital Agenda for 2026: from strategy to action 

The time for action has arrived. Over the last months, the European Commission has defined broad policy guidelines for the current mandature (2024-2029): simplification, competitiveness, and innovation. The European executive has learned from the Mario Draghi and Enrico Letta reports – a welcome shift toward pragmatism for Internet Service Providers.  

In 2026, the Commission will translate these priorities into concrete proposals. Its work program directly impacts EuroISPA members across connectivity, data protection, cybersecurity, AI and platform regulation – making active engagement essential.  

KEY LEGISLATIVE PRIORITIES

The future Digital Networks Act is one of the major priorities for EuroISPA members. As Europe recasts its Electronic Communications Code, the stakes could not be higher: ensuring sustainable investment models while meeting connectivity demands for decades ahead. We expect the Commission to deliver a framework that balances regulatory certainty with technological evolution, incentivizing investment in digital infrastructures.  

EuroISPA welcomed the October 2025 Digital Omnibus Package. Aligning e-Privacy with GDPR is critical – reducing administrative burdens while clarifying legal obligations. Ensuring AI Act implementation is innovation-friendly similarly heads in the right direction. For our members, simplification here means tangible operational relief.  

On the revision of the Cybersecurity Act, EuroISPA supports a targeted revision of the Regulation.  

On the Digital Fairness Act: while we support strong consumer protection, creating new legislation risks regulatory fragmentation. Existing frameworks can achieve these goals more efficiently.  

On online piracy of sports and other live events, following its evaluation of the 2023 Recommendation, the Commission has concluded that this non-binding instrument is insufficient to tackle this illegal phenomenon. It is likely that a new legislative initiative is being considered to harmonise cooperation tools and EuroISPA will carefully follow how the issue may evolve, ensuring any framework respects technical feasibility and fundamental rights.

COOPERATION BETWEEN INTERNET SERVICE PROVIDERS AND JUDICIAL AUTHORITIES   

EuroISPA remains committed to ongoing discussions on the CSAM regulation which is at the final stage of negotiations. It welcomes the Council’s general approach adopted under the Danish Presidency, which excluded detection obligations from the scope of the future regulation.   

The August 2026 e-evidence regulation implementation presents significant operational challenges, particularly the decentralized IT system. EuroISPA will facilitate dialogue between members and the Commission to ensure workable compliance pathways.  

On metadata retention, we await the early 2026 impact assessment. Any legislative initiative must avoid imposing requirements that compromise EU competitiveness, digital sovereignty, or cybersecurity – outcomes that benefit neither security nor innovation.  

Finally, encryption remains paramount. As the Commission launches its expert group, EuroISPA’s co-signed global statement underscores our position: encryption is foundational to digital trust and economic security. Proposals weakening encryption to facilitate law enforcement access would fundamentally undermine these objectives – a tradeoff Europe cannot afford.  

EuroISPA’s strength lies in our diverse membership – representing the full value chain from infrastructure providers to content platforms. Our established relationships with European institutions (Commission, Parliament, Council) and agencies (EUIPO, BEREC) position us to effectively advocate for balanced, evidence-based policies. As 2026’s legislative agenda unfolds, our collective voice will be essential in shaping Europe’s digital future. 

Romain Bonenfant

President of EuroISPA

Managing Director of FFTélécoms – Fédération Française des Télécoms

EuroISPA Monthly Report – November 2025

/in , ,

The institutional agenda is wrapping up before the end of the year, after a very busy month of November.

At the end of November, the Council adopted its position on the CSAM Regulation, dropping mandatory detection orders from the final text. Political trilogues started on 9 December, and technical meetings are expected to start on the week of 12 January, with the aim of having a second round of political trilogues by the end of February. The Commission is also expected to submit a proposal to extend the interim derogation to the ePrivacy Directive before its expiry on 3 April 2026, in order to give more breathing space to negotiators.

The Digital Omnibus package was published on 19 November, proposing amendments to existing legislation on data, cybersecurity and AI. The package consists of a proposed regulation to simplify cybersecurity incident reporting and data protection obligations, and another regulation on AI, with targeted amendments to the AI Act. Along with the package, the European Commission introduced a proposal for the European Business wallet and also the Data Union Strategy.

Stakeholders are also discussing key topics on the online content front, such as the AI & Copyright own-initiative report in the European Parliament, and two ongoing consultations concerning protocols for TDM rights and a call for evidence to support the upcoming review of the Audiovisual Media Services Directive.

The beginning of next year is expected to be particularly busy, marked by the review of the Cybersecurity Act on 14 January and the publication of the Digital Networks Act proposal on 20 January, as well as the CSAM Regulation trilogues.

The EuroISPA Secretariat is monitoring these developments, with recent and ongoing EuroISPA activities listed in the corresponding section below.

ONLINE CONTENT 

Council adopts position on CSAM Regulation and trilogues start 

At the end of November, the Council adopted its position on the CSAM Regulation, dropping mandatory detection orders from the final text, and introducing language in the recitals to indicate that nothing in the Regulation should be interpreted as mandating detection or “prohibiting, weakening or circumventing, requiring to disable, or making end-to-end encryption impossible”.  The first political trilogue between the co-legislators took place on 9 December, with technical negotiations reportedly set to begin on the week of 12 January, and a second political trilogue epxetcted by the end of February. A tense exchange of views between Commissioner Brunner and MEPs in the LIBE committee on 4 December indicated that discussions on core issues, including encryption, are likely to be contentious, but there were reports that the first political trilogue was constructive, and that the Commission will submit a proposal to extend the e-Privacy derogation which expires in early April 2026, to ensure that a legal gap is avoided. 

EP plenary adopts own initiative report on the protection of minors 

On 26 November, the EP plenary approved without amendments IMCO’s own-initiative report on the protection of minors online. The report’s key recommendations include calls for effective, privacy-preserving age-verification and for a harmonised EU-wide digital age limit of 16 for social media, below which parental consent would be required. Discussions on the topic of age verification and the protection of children online are continuing in the context of the CULT committee’s on own-initiative report on the impact of social media and the online environment on youth mental health. The expert panel announced by von der Leyen in her State of the European Union speech, which is meant to provide recommendations on the best approach at EU level on social media age limits, has still not been convened.  

European Commission publishes evaluation of its Recommendation on Piracy 

Last month, the European Commission published its awaited evaluation concluding that the recommendation has had limited effects on the prompt treatment of notices relating to live events. The report stresses the increasing number of notices being addressed to other intermediaries, such as CDNs and reverse proxies, which are not subject to the DSA rules on notices. 

On dynamic injunctions, the assessment revealed a mixed picture among Member States, even though the report notes that some countries are taking effective measures while providing safeguards against over-blocking.  

On the issue of overblocking, the Italian Piracy Shield and LaLiga/Telefonica cases are referenced and the complaints from users experiencing over-blocking have been reflected even though the Commission indicates that the available information suggests that the number of reported incidents related to the blocking of legitimate content appears to be very limited compared with the total number of dynamic injunctions. The Commission is nevertheless of the view that give more time to DSA implementation is needed. 

Commission opens targeted consultation on DSA Article 18 notifications 

The Commission launched a targeted consultation on how providers of hosting services (including cloud and online platforms) should notify law-enforcement or judicial authorities when they become aware of information indicating suspected criminal offences that threaten life or safety (e.g., incitement to terrorism, child sexual abuse/exploitation, human trafficking). Run via the European Board for Digital Services’ Working Group 7, the exercise seeks feedback on the functioning of the notification process and areas needing clarification, including which offences fall in scope. Stakeholders with relevant experience (DSCs, law-enforcement and judicial authorities, hosting providers, researchers, civil society, trusted flaggers and internet hotlines) are invited to submit input by 19 December 2025. 

European Commission publishes Digital Services Act evaluation report 

On 17 November, the Commission published its DSA evaluation report, focusing on the interaction of the DSA with other legislation. The report finds that the DSA largely complements other EU laws, while acknowledging a complex legal landscape and pledging to reflect this in upcoming discussions (incl. fitness check of digital acquis, AVMSD, DFA) in line with the EC better regulation and simplification agenda. It confirms the VLOPs/VLOSEs thresholds and core definitions are fit for purpose but notes future designation challenges where services bundle multiple functionalities. The report flags a number of instances where the DSA rules apply in parallel to other similarly crafted EU law provisions, giving raise to potential legal uncertainty or undue compliance burdens, for example regarding the transparency of terms and conditions and of the ranking parameters of recommender systems,  transparency reporting obligations, content moderation obligations, dark patterns and SMEs. 

European Board for Digital Services 16th meeting focuses on IP rights, systemic risks, and scams 

On 18 November 2025, the Board had its 16th regular meeting. According to the statement published after the meeting, it discussed tackling online intellectual-property infringements under the DSA, adopted its 13-month Annual Work Plan, and the first Article 35(2) report on prominent and recurrent systemic risks and related mitigation measures. It also launched a coordinated initiative against online scams and fraud, with authorities sharing intelligence and guidance, and the Commission preparing a pan-EU awareness campaign before year-end. The Board further submitted views on the Commission’s preliminary findings in ongoing DSA transparency investigations into TikTok, Facebook and Instagram, and discussed key elements of the Commission’s Article 91(1) DSA report on the interaction between the DSA and other EU laws.   

Publication of Digital Services Act annual report on systemic risks 

On 20 November 2025, the Commission and the Board of DSCs published the first annual report outlining prominent and recurrent risks on VLOPs and VLOSEs. It identifies systemic risks (including the spread of illegal content and threats to fundamental rights), highlights issues such as impacts on mental health and minors, generative AI’s effects on platforms, and IP challenges on marketplaces, and summarizes mitigation measures reported under the DSA (i.e., automated detection of emojis used to code illegal drug sales). Drawing on platforms’ risk assessments, audits, transparency reports, independent research and civil-society input, the report is meant to serve as a reference point for transparency and accountability and will expand over time as more data and best practices become available.  

Vote in Legal Affairs committee on AI & Copyright postponed 

Leaks of the ongoing negotiations in the European Parliament on the own-initiative report on AI & Copyright announce that finding an agreement on certain provisions (TDM applied to AI, EUIPO role, is taking more time than expected. The JURI Committee in fact postponed its vote to the end of January, which should give enough time to MEPs to find an agreement on the most controversial parts of the report. In addition, the European Commission launched on 1 December a consultation on protocols for TDM rights reserving under the AI Act and the GPAI Code of Practice (deadline on 9 January 2026).  The consultation invites stakeholders to express their views on TDM opt-out solutions and enquires their interest in participating in two follow-up workshops (Q1 2026). 

Commission seeks input for 2026 evaluation of the Audiovisual Media Services Directive 

On 24 November 2025, the Commission launched a call for evidence to assess the AVMSD’s effectiveness in a fast-changing media landscape and to gather views on possible updates. The evaluation will consider visibility and prominence of European media, a more level playing field between traditional and digital players, protections for viewers (especially minors) when viewing content online, and possible simplification of advertising rules. Inputs are invited from regulators, academia, broadcasters, VOD providers, video-sharing platforms, influencers, and advertisers. The consultation is open until 21 December and will feed into the 2026 evaluation of the AVMSD, which is part of the European Democracy Shield commitments. 

DATA ECONOMY 

Digital Omnibus on Data: Member States flag risks in GDPR/ePrivacy revisions 

A group of Member States criticised the European Commission’s proposal on the data strand of the Digital Omnibus, arguing that the proposed changes went beyond technical simplification, and that the revised definition of personal data could weaken rights safeguards, complicate data transfers, and strain supervisory authorities.  

On data-subject requests, Belgium, the Netherlands, Slovenia and Poland cautioned that tighter “abuse-of-rights” rules could ease rejections. Slovenia also warned that controllers might infer motives, and Germany questioned whether the changes would lead to more complaints to authorities.   

On the proposed ePrivacy and GDPR framework for device access, the Netherlands said it could incentivize the processing of personal data by companies just to benefit from GDPR exemptions. France queried how enforcement would be split between GDPR and ePrivacy, and Latvia also asked for a clear boundary between rules on data protection and communications confidentiality. Finland and Poland wanted more details on how default browser settings would work, and on consent withdrawal and media exemptions.   

On changes to the definition of personal data, Belgium and Slovenia warned “non-personal” labels could still allow re-identification. Germany asked how regulators were supposed to assess re-identification risks. Germany, Finland, the Netherlands and Austria questioned shifting tasks from national regulators/EDPB to the European Commission. Slovenia and Slovakia criticised the lack of a fundamental-rights impact assessment.  

Digital Omnibus on AI: Member States flag legal gaps and seek clarifications 

In their initial set of questions to the European Commission on its AI Omnibus proposal, Member States seek clarifications on AI literacy, the legal basis for processing sensitive data for developers of high-risk AI, centralization of enforcement, oversight gaps caused by removing a registration obligation, recognition of conformity assessment bodies, regulatory privileges, the legal value of codes of practice and the purpose of an EU-level sandbox. On the legal basis for processing personal data for high-risk AI, France noted that the suggested revision is not aligned with the related technical standard. The Netherlands was critical of the proposal in substance, arguing that it conflicts with fundamental rights. On centralized enforcement, Germany, the Netherlands and Poland asked the Commission to clarify how the new enforcement structure would be compatible with the requirement that high-risk AI systems in justice, law enforcement and migration control should be supervised by data protection authorities or an equivalently independent regulator. On the removal of the Commission’s power to adopt codes of practice via secondary regulation, Spain asks if this creates legal uncertainty and whether codes of practice are sufficient to ensure compliance.  

Digital Omnibus on AI: European Parliament committee allocation disputed 

According to reports in the press, IMCO and LIBE were initially slated to co-lead the AI strand of the Digital Omnibus, but ITRE and JURI have challenged that allocation and want a leading role. Committee coordinators were scheduled to confirm the committee responsibilities on 4 December. Because of the challenge, the decision is being escalated to the presidents of the EP’s political groups. All four committees have postponed appointing a lead MEP until their next file-assignment meetings (some only happening after the holidays), so substantive work on the AI Omnibus may not start before January. For the data strand of the Digital Omnibus, LIBE and ITRE are expected to lead, with JURI seeking at least an “opinion” role. Allocations can still be contested.  

CYBERSECURITY AND INFRASTRUCTURE 

Coalition of Member States against the Digital Networks Act proposal 

On 26 November, delegations from Austria, France, Germany, Hungary, Italy and Slovenia shared a non-paper on the Digital Networks Act, including their perspectives on the upcoming proposal. Member States stressed that national markets differ, and only a Directive ensures the right of flexibility and preserves sovereignty in areas like lawful interception. The delegations also mentioned that the spectrum should remain nationally managed to reflect market needs, avoiding unjustified centralization. They argued that ex-ante tools remain necessary during the copper-to-fiber transition and that the copper switch-off needs careful assessment to avoid distortions. Finally, they noted that BEREC and RSPG already work well with distinct roles and should not be merged or redesigned. As regards the next steps, the document underlines the importance of maintaining engagement with the Council, with priority preferably given to the Member States that co-signed the non-paper. 

Implementing Regulation Cyber Resilience Act 

The European Commission published an implementing regulation defining what “important” and “critical” products are under the Cyber Resilience Act. The list includes password managers, ID checking software, cybersecurity software, virtual private networks, operating systems, routers and others. 

ENISA provides a NIS2 requirement guidance report 

ENISA has published  a report provides technical guidance to support the implementation of the NIS2 Directive for several types of entities covered under NIS2.  ENISA’s guidance offers practical advice, examples of evidence, and mappings of security requirements to help companies implement the regulation. 

Commission calls on Member States to comply with the EU Cyberattacks Directive 

The Commission has launched enforcement steps against Estonia, Hungary, and Poland for failing to correctly implement the EU Directive on Attacks against Information Systems. The Directive obliges Member States to maintain strong national cybercrime laws, criminal sanctions for large-scale attacks, and 24/7 contact points for cross-border cooperation. The Commission has sent reasoned opinions to Estonia and Poland and a further notice to Hungary, giving them two months to address gaps related to illegal interception and misuse of tools, or risk escalation to the Court of Justice.   

Commission seeks participants for the NIS2 Forum on the deployment of internet technical standards 

The Commission has launched a new forum to develop a set of guidelines to inform relevant stakeholders and support compliance with network security measures laid out in the NIS2 Implementing Act. The main goal is to boost the deployment of standards and use of best practices in four areas, including: network layer communication protocols, e-mail security protocols, DNS security, and internet routing. The Forum is expected to start its work by early 2026 (with a tentative kick-off meeting planned for 21-22 January 2026) and publish its outputs within the timeframe of two years. Applications for participation are now open, with priority for submissions by 12 December 2025. 

Member States concerns on the single-entry point mechanism 

According to a document dated 28 November seen by MLex, EU member states are broadly sceptical of the Commission’s plan for a single-entry point for cyber-incident reporting, warning that a central EU platform run by ENISA could threaten national sovereignty, create security vulnerabilities, and clash with existing national reporting systems. Governments question whether the system might become a single point of failure, interfere with national threat-awareness processes, or complicate compliance across different EU laws. They also posed questions on the interoperability with national tools, data retention policies, encryption, storage, and language support, stressing that many countries have already invested heavily in their own reporting platforms and that SMEs might not be benefited by the introduction of this mechanism. Several warn that concentrating sensitive incident information at EU level could create major risks and ask how national control over security-relevant data and effective incident response will be preserved. 

Council and Parliament reach provisional deal on Payments Package 

Trilogues have been ongoing and a provisional political agreement was reached on 27 November. According to the press release online platforms would be liable to payment service providers that reimbursed customers if they were notified of fraudulent content and did not remove it. It is unclear to what extent the set of proposed measures affecting electronic communication services (mainly in the Parliament’s position) has been adopted in the final deal, as the text is not available yet. Next steps are technical work by co-legislators followed by formal adoption. 

MISCELLANEOUS

Commission seeking feedback for the 2030 Digital Decade targets and objectives 

The European Commission has launched a call for evidence to examine whether the Digital Decade objectives and targets for 2030 remained aligned with the current tech landscape. This reviewing exercise will assess the relevance of the current 2030 objectives and targets ensuring flexibility, effectiveness, and resilience as the EU navigates its digital future. The exercise will explore ways to further align policy with funding opportunities and evaluate how to improve engagement through channels for regions, cities, and local actors. The call for evidence is open for views until 23 December. 

The Council Conclusions on European Competitiveness in the Digital Decade  

The European Council has published its conclusions, stressing that the EU remains far away from meeting its 2030 targets, particularly in the areas of artificial intelligence, SME digitalization, and digital skills. The document highlights the importance of the Digital Decade Policy Programme in advancing Europe’s digital transformation, strengthening technological sovereignty, and enhancing competitiveness. The conclusions call for the strategic use of European funding programs to achieve these goals and identify several priority areas crucial for digital sovereignty, notably semiconductors, quantum technologies, cloud, artificial intelligence, cybersecurity, and connectivity.  The Ministers expressed interest in developing common criteria for cloud services to increase market transparency and reduce risks arising from strategic dependencies. The forthcoming Cloud and AI Development Act, expected in the first quarter of 2026, may provide an effective means of addressing this issue. 

EuroISPA signs MoU with RIPE NCC

/in , ,

Brussels, 28 November 2025 – EuroISPA, the pan European association of Internet Service Provider Associations, last week signed a Memorandum of Understanding with RIPE NCC, The Regional Internet Registry for Europe, Middle East, and Central Asia. The agreement aims to enhance collaboration to support Internet stability in Europe.

“This agreement represents another step in EuroISPA’s efforts to contribute to a reliable future for European Digital Users,” said EuroISPA President Romain Bonenfant.

The agreement, signed at the RIPE 91 Meeting in Bucharest by Hans Petter Holen, RIPE NCC Managing Director and CEO, and Alex de Joode, EuroISPA Board Member, and later, at the EuroISPA General Meeting, by Romain Bonenfant, EuroISPA President, focuses on developing technical insights and educational materials on how the Internet functions, promoting best practices and technical standards, and encouraging evidence-based policymaking in line with a multistakeholder approach to Internet governance.

EuroISPA Board Member Alex de Joode affirmed that, “The value of bringing together the resources including knowledge, talents, and practices that EuroISPA and RIPE NCC have been developing over many years is essential to ensure Internet stability in Europe. EuroISPA and RIPE NCC are two of the most important organisations in this area, and such a collaboration can only bring good things for Europe’s Digital Future.”

About EuroISPA

Established in 1997, EuroISPA is the world’s largest association of Internet Services Providers Associations, representing over 3,300 Internet Service Providers (ISPs) across the EU and EFTA countries. EuroISPA is recognised as the voice of the EU ISP industry, reflecting the views of ISPs of all sizes from across its member base.

Download the Press Release here

EuroISPA Brussels General Meeting: A Recap  

/in , ,

Brussels, November 17-18, 2025

Last week, EuroISPA brought together its members, partners, and guest experts for a two-day General Meeting filled with exchange, insights, and collective planning for the year ahead. Participants joined both in Brussels and online. 

The meeting opened with the confirmation of the new President Romain Bonenfant and Board. Members also marked an important milestone with the signing of a new Memorandum of Understanding with a key industry partner RIPE NCC, a sign of EuroISPA’s ongoing commitment to strengthening cooperation across the internet ecosystem. 

Across both days, national associations shared updates on digital developments in their respective countries, highlighting trends on cybersecurity, infrastructure, data policy, and evolving regulatory priorities. These exchanges remain one of the most valuable elements of EuroISPA meetings, offering a real snapshot of the challenges and opportunities across Europe. 

The programme also featured several guest speakers who provided timely perspectives on topics such as AI and copyright, data retention, the protection of children online, and online piracy. These sessions sparked constructive discussions among members, especially around emerging technological shifts and what they mean for ISPs and the wider digital sector. Among these we had the pleasure of welcoming high-level speakers such as BEREC Co-Chairs Amédée von Moltke and Christoph Mertens, who provided a clear overview of the 2024 BEREC Report on the IP Interconnection ecosystem, Stephan Edelbroich from the EUIPO Observatory, presenting the EUIPO study “The development of Generative Artificial Intelligence from a Copyright perspective,” and several experts from the European Commission. We thank all the speakers for their valuable input. 

Internally, members reviewed ongoing work, administrative updates, and policy priorities for 2026. The agenda included as usually exchanges on our Committees’ work areas: 

📌the Online Content Committee, tackling in particular the way forward on the Regulation to Prevent and Combat Child Sexual Abuse, age verification, piracy, copyright, and the Digital Fairness Act.    

📌 the Cybersecurity & Infrastructure Committee, setting the agenda for relevant initiatives ahead such as the Europol regulation, the ICT tool box and the Digital Networks Act. The committee also informed members of the e-Evidence IT decentralised system implementation and the upcoming Cybersecurity Act Review.  

📌 the Data Economy Committee, focusing on the strategically important topic of Data Retention, GDPR simplification and the e-privacy and AI components of the Digital Omnibus package.   

You can read more about the work of our Committees here.  

As always, EuroISPA’s General Meeting was a valuable moment to connect, coordinate, and look ahead together. With several key regulatory files on the horizon and new initiatives in development, 2026 is shaping up to be an important year and the collaboration across the association continues to be one of its greatest strengths. 

This General Meeting was yet another reminder of the strength of EuroISPA’s community: diverse perspectives, constructive dialogue, and a shared commitment to shaping a fair, secure and open internet environment in Europe. 

A warm thank you to all members who participated and contributed to the discussions, both in person and remotely. We look forward to continuing this important work together, and to meeting again at the first General Meeting of 2026! 

EuroISPA signs Global Statement on the Role of Encryption in Securing Trust and Enabling the Digital Economy

/in , ,

Last Monday, EuroISPA, along with over 60 other organisations, endorsed a Global Statement a Global Statement on the Role of Encryption in Securing Trust and Enabling the Digital Economy.

We believe that strong encryption is essential to the global digital economy. Encryption safeguards user privacy, protects sensitive data, and enables trust, which are foundations of commerce, communication, and innovation.

Any effort to undermine encryption, whether through backdoors, key escrow systems, or technical mandates, undermines that trust. Weakening encryption introduces systemic vulnerabilities that criminals and hostile actors can exploit.

We call on governments around the globe to advance policies that protect encryption as a vital enabler of digital trust and economic prosperity. Policymakers should strengthen, not weaken, the tools that protect our shared digital infrastructure

Read the joint statement

EuroISPA appointed new Board at General Meeting

/in , ,

Brussels, 18 November 2025 – EuroISPA, the pan-European association of Internet Service Provider Associations, appointed its new Board, including the Association’s President, Vice-President, and Treasurer, during its latest General Meeting in Brussels.

The new Board leadership includes Romain Bonenfant of Fédération Française des Télécoms as President, Lars Steffen of eco as Vice-President, and Dalia Coffetti of AIIP as Treasurer, alongside Stefan Ebenberger from ISPA Austria and Alex de Joode from AMS-IX as Board members. The Board is responsible for coordinating the activities and budget of the Association.

Romain Bonenfant spoke on his appointment as President of EuroISPA: “I am honored to take on the role of President after several years of active involvement on EuroISPA’s Board. We will stay true to our mission to represent Internet Service Providers by providing our technical expertise to EU institutions and stakeholders, and supporting our members through shared knowledge and best practices. Our strength lies in collaboration; Internet Service Providers need a strong, informed and united voice in Europe.”.

Lars Steffen highlighted EuroISPA’s role in uniting ISPs across Europe, noting that collaboration enables common approaches and clear positions to shape balanced frameworks. Newly appointed Treasurer Dalia Coffetti added that she looks forward to supporting EuroISPA’s priorities and working with the Board to ensure their efforts deliver meaningful impact.

About EuroISPA

Established in 1997, EuroISPA is the world’s largest association of Internet Services Providers Associations, representing over 3,300 Internet Service Providers (ISPs) across the EU and EFTA countries. EuroISPA is recognised as the voice of the EU ISP industry, reflecting the views of ISPs of all sizes from across its member base.

Download the Press Release here

EuroISPA Monthly Report – October 2025

/in , ,

Institutional activity intensified in October, with negotiations progressing on many files. 

The Danish presidency announced its intention to drop mandatory detection orders from its compromise text on the CSAM Regulation and continue negotiations on the basis of a permanent extension of the interim derogation permitting voluntary scanning. The Commission, Council and Parliament were also very active on the protection of children online, debating the way forward on age verification and a digital age of majority. The public consultation on the Digital Fairness Act closed on 24 October, with EuroISPA submitting its position.  

Stakeholders continued to discuss key topics on the data economy front, including the implementation of the AI Act and the GDPR, as well as the ongoing impact assessment on data retention. On cyber and infrastructure, the Commission unveiled the Cloud Sovereignty Framework, and there are ongoing discussions in the Council on the common criteria for sovereign cloud services. The Cybersecurity Act Review and the Digital Networks Act proposals have been postponed until 20 January 2026. 

Ahead of the publication of the upcoming Digital Omnibus Package, which is due on 19 November, leaked DG CNECT documents suggest the package will be divided into two separate proposals: one on data and cyber, and another on AI.  

The EuroISPA Secretariat is closely monitoring these developments, with recent and ongoing EuroISPA activities listed in the corresponding section below. The Secretariat is also preparing EuroISPA’s third annual General Meeting, which will take place at our offices in Brussels on 17-18 November.  

ONLINE CONTENT 

Danish presidency dropping mandatory detection orders from CSAM Regulation compromise text 

In a note shared with Member States on Thursday, 30 October, Denmark proposed dropping mandatory detection orders from its compromise text and permanently extending the interim derogation permitting voluntary scanning, which is currently expiring in April 2026. Under the revised approach, companies would still have to conduct risk assessments, with voluntary detection listed as a possible mitigation measure, while some components of the previous text would retained, notably the ability to issue blocking and removal orders, reporting obligations, and the creation of the EU Centre. Denmark also intends to include a review clause which would allow the Commission to reassess, in light of technological progress, whether mandatory detection orders could become necessary and feasible in the future. At the Coreper II meeting on 5 November, Member States gave their green light to continue negotiations on this basis, with the caveat that they hadn’t seen a full legal text yet. Denmark is expected to prepare a revised text ahead of discussions at the 12 November Law Enforcement Working Party.  

EU debates continue on the protection of minors online and a digital age of majority 

At EU level, the Commission is aiming to convene, by the end of the year, an expert panel assessing the best approach to a digital majority age at EU level, and said that its recommendations should be evidence-based. The European Council conclusions on 23 October also stressed the importance of a “digital age of majority for accessing social media, respecting national competences”. On the European Parliament side, the IMCO committee adopted its own-initiative report on the protection of minors on 16 October, calling for an EU-wide digital age limit of 16 for access to social media, below which parental consent would be required. The CULT committee is working on its own draft initiative report on the impact of social media for youth mental health, on which IMCO, LIBE and FEMM are preparing opinions.

Stakeholders and institutions continue working on piracy of live content 

On 21 October, 35 rightsholders signed a letter urging EVP Virkkunen and Commissioner Micallef to legislate against live-content piracy, citing criminal threats, weak results from the 2023 Recommendation, and data suggesting that 81% of detected illegal streams weren’t suspended. They ask for legislative measures ensuring infringing content is taken down immediately and at least within 30 minutes, making live dynamic blocking which addresses mirror sites and successor domains available in Member States, and imposing KYBC policies on intermediaries (incl. platforms, hosts, VPNs, CDN and app stores). The letter also calls for enforcement of the DSA and calls on Digital Services Coordinators to award private bodies trusted flagger status when requested. The Commission is expected to release its assessment of the 2023 Recommendation no later than the 17th of November. 

New compromise amendments (CAs) to JURI committee’s draft AI & Copyright own-initiative report 

Following amendments published in September, Euractiv circulated a batch of leaked draft CAs to Axel Voss’s own-initiative report. In the CAs document, Axel Voss says this batch of CAs covers areas on which there is (in principle) a general agreement, and the CAs that will follow will be more specific. Of relevance for EuroISPA members, one of the CAs calls to push for full and mandatory transparency for a coherent licensing framework for the novel use of copyright-protected works, noting that trade secrets should not be invoked to prevent an AI model provider from offering full transparency. The same CA notes that the current opt-out system is impractical and may not cover all relevant acts of TDM, lacking necessary transparency.  

Commission preliminarily finds TikTok and Meta in breach of DSA transparency obligations 

On 24 October, the Commission issued preliminary findings on TikTok and Meta, finding them in breach of the obligation to grant researchers adequate access to public data under the DSA. The findings also conclude that Meta (both Facebook and Instagram) is breaching its obligations to provide users with simple mechanisms to notify illegal content (child sexual abuse material and terrorist content are given as examples), and to allow them to effectively challenge content moderation decisions.  

Commission is not considering simplification of the DSA 

At a press briefing after the informal meeting of EU telecom ministers on 10 October, Virkkunen stated that there is little bureaucracy to remove from the DSA. She underlined that the DSA already provides exemptions for SMEs and that its most stringent obligations apply only to VLOPs. The Commission instead plans to assess the DSA’s interaction with other EU legislative frameworks in November, which could lead to the withdrawal of the Platform-to-Business (P2B) Regulation and targeted amendments to other instruments, notably the AVMSD. According to her statement, moving forward, the Commission will consider how to address new technological developments like AI services through the DSA, although Virkkunen also noted that AI tools embedded in platforms are already covered by the DSA.   

Commission launches investigations of platforms on the protection of minors under the DSA 

The Commission launched its first investigative actions following the adoption of the DSA’s Guidelines on the protection of minors, requesting information from Snapchat, YouTube, Apple App Store, and Google Play about their age verification systems and content controls. The Commission also announced further measures on children protection: the European Board for Digital Services’ Working Group on the protection of minors has been asked to ensure DSA compliance by smaller online platforms, identifying those posing the greatest risks to children, and develop common tools to coordinate investigations and enforcement across the EU.  

Commission publishes guidelines on political advertising transparency as Regulation takes effect  

On 8 October, the Commission issued guidelines on the Regulation on the Transparency and Targeting of Political Advertising, which entered into force on 10 October, introducing new disclosure requirements for paid political ads, including information on targeting, costs, and links to elections or legislative processes.  

DATA ECONOMY 

Danish Presidency circulates questionnaires on data retention and access to data 

The Danish Minister of Justice noted that laws regarding access to data are one of the top priorities for the Presidency of the Council of the EU. As part of these efforts, the Danish Presidency circulated two documents dated 17 September and 2 October. The first document invited Member States to provide written input to help the Commission shape a new legal framework on data retention. The second document outlines how the Council Standing Committee on Operational Cooperation on Internal Security (COSI) and the Coordinating Committee on Police and Judicial Cooperation (CATS) will monitor the implementation of the Roadmap for Lawful Access to Data. 

Apply AI Strategy addresses AI adoption across EU industries 

On 8 October, the Commission unveiled the Apply AI strategy, building on the AI Act and AI Continent Plan, to promote AI adoption and a “buy European” approach across the EU. The strategy outlines several measures of interest, including: on electronic communications (section 2.6), the creation of a European Telco AI Platform for collaborative AI stack development and the promotion of edge AI devices; and on cultural and creative industries (section 2.10), support for investment in European AI models for storytelling and the discoverability of European online content, as well as a study on the legal challenges of AI-generated content, particularly on copyright (expected Q1 2027, see Annex III). The strategy also mentions the preparation of guidelines on high-risk AI classification and guidelines on AI Act interplay with other EU laws (reportedly expected by Q3 2026).  

Commission presentation to AI Board indicates a tight schedule for AI Act transparency guidelines 

At the 24 October meeting of the AI Board, the Commission reportedly indicated to Member States that a first draft of the code of practice for AI transparency rules is due in December, a second in March (with comments in April and May), a final draft in June, and a Commission adequacy check for approval in July, ahead of the 2 Aug 2026 deadline. The Commission’s presentation also highlighted pressure from stakeholders to align the application date for the AI Act’s high-risk requirements with the availability of the related technical standards, and stakeholder concerns over readiness to comply with the AI Act’s transparency rules on labelling deepfakes and watermarking AI-generated content.  

CEN/Cenelec suspends consensus process on AI standards  

In the context of ongoing delays with the development of the AI-Act standards, European standardisation organisations CEN and Cenelec exceptionally suspended the usual consensus method for adoption and appointed a drafting group of “already active experts” to finalize the six least-advance standards.  

McGrath simplification report suggests DG Just will examine targeted modifications to the GDPR 

In the annex to his annual simplification report for 2025, Commissioner McGrath indicates that DG JUST will focus over the next twelve months on identifying “targeted modifications” to the GDPR. The Commission intends to rely on the main conclusions of the late-July implementation dialogue. The annex also says that DG JUST will work on simplification and reducing burdens through the 2030 Consumer Agenda, and through the simplification component of the DFA, following input from the digital fitness check and the DFA consultation.  

Lawmakers approve Regulation on GDPR enforcement 

The European Parliament has approved new procedural rules to accelerate and simplify the European Union’s most complex data protection investigations under the General Data Protection Regulation (GDPR).These rules are designed to streamline cross-border investigations into personal data breaches and, for the first time, set overall deadlines for handling such cases. The finalized text, agreed upon on 16 June, has already been endorsed by the Parliament’s civil liberties committee and EU ambassadors. 

The law now awaits formal approval by EU member states, expected during a meeting of foreign and European affairs ministers on 17 November. Once officially adopted, the rules will come into force and take full effect 15 months after the date of adoption. 

Commission sends questionnaire to DMA gatekeepers on data handling amid AI rollout 

The Commission reportedly sent questionnaires to all DMA gatekeepers on compliance with the DMA’s ban on combining personal data across services without consent and on user reactions to opt-out/consent choices. The questionnaires ask when users are served with a prompt over data combination, how many consent and how many refuse, how often a user can defer making a choice, how a gatekeeper notifies users that some services might not work without consent, and how often those warnings are shown.  

EDPB announces it will continue working on guidelines for “consent or pay” business models 

At its 109th plenary meeting on 7–9 October, the European Data Protection Board decided to continue developing guidelines on consent-or-pay models. Data protection authorities reportedly remain divided, with some considering that the models should be banned, and most agreeing that publishers and platforms should be allowed to use them under defined conditions. The forthcoming guidelines, developed by a subgroup of national data protection authorities, are expected to clarify the criteria under which consent-or-pay models can comply with EU data protection law.  

European Data Protection Supervisor guidelines on Generative Artificial Intelligence 

The EDPS published its updated guidelines on the use of generative artificial intelligence and processing of personal data by EU institutions, bodies, offices and agencies. These updated guidelines offer clearer and more practical instructions for the responsible development and deployment of generative AI tools. 

CYBERSECURITY AND INFRASTRUCTURE 

Negative opinion delays Digital Networks Act proposal 

On 22 October, the Regulatory Scrutiny Board (RSB) issued a negative opinion on the impact assessment for the upcoming Digital Networks Act (DNA), requiring a redraft within five working days which resulted in a postponement of the proposal. According to reports, the Digital Networks Act and the Cybersecurity Act Revision will be presented on 20 January. Discussions on the content of the DNA proposal have been challenging, particularly regarding copper switch-off and spectrum allocation. On network fees, the Commission is informally engaging with Parliament to seek amendments.  

Commission prepares proposal to revise the Europol Regulation 

The European Commission launched a public feedback period to support its review of the Europol Regulation, which is expected to be completed by the second quarter of 2026. The initiative aims to strengthen Europol’s ability to address growing cross-border criminal threats. The consultation, open until 15 January 2026, seeks input on expanding Europol’s mandate to cover emerging crimes such as hybrid threats and information manipulation, improving cooperation with EU and international partners, removing barriers to data sharing, and enhancing Europol’s technological and governance capacities to meet real-time operational needs. 

Cloud Sovereignty framework paper 

The Commission unveiled its Cloud Sovereignty Framework which will be integrated into the new Cloud III Dynamic Purchasing System (Cloud III DPS) procedure. The framework defines Sovereignty Objectives relevant for the provision of Cloud services requested in this procedure. They draw on European initiatives such as CIGREF’s Trusted Cloud Referential v2, Gaia-X policy rules and architecture, and the European Cybersecurity Certification Framework (ENISA, NIS2, DORA). In addition, they echo lessons from national cloud sovereignty strategies, as well as international practices in export controls, supply chain resilience, and security auditability. The result is a set of objectives that supplement security assurance requirements with sovereignty-specific safeguards defining clearly what sovereignty means. 

Council calls for common criteria for sovereign cloud services 

The TELECOM WP on 4 November called on the Commission to adopt “common criteria for sovereign cloud services” in response to the concerns about foreign countries accessing European citizens’ data via their surveillance agencies. The fourth compromise of the Council’s review of the EU’s Digital Decade policy framework now states that sovereign cloud criteria must address dependency risks, including the “extraterritorial effects” of US laws. The full text calls for common criteria to address market transparency and risks associated with dependencies, including extraterritorial effects of legislation adopted by third countries for highly critical use cases. The compromise will be voted on at Coreper I on 21 November, with EU telecommunication ministers expected to adopt the final text on 5 December. 

European Telcos call on the Commission to take urgent action on digital connectivity  

Leading European telecoms and tech companies expressed their concerns over the EU’s slow progress in implementing bold digital reforms, warning that Europe’s global competitiveness is at risk due to fragmented policies and underinvestment in digital infrastructure. They noted that only 2% of Europeans currently access 5G standalone networks, far behind the US and China, and argued that this gap threatens Europe’s industrial strength, innovation potential, and digital sovereignty. They called for ambitious measures through the DNA.  

Commission signs the UN Convention against cybercrime 

On 27 October, the Commission signed the UN Convention to step up the fight against Cybercrime on behalf of the EU. The Convention provides a framework for international cooperation, including extradition and electronic evidence exchange, while safeguarding fundamental rights such as privacy and data protection. Following the signature, the Council will discuss and decide on the conclusion of the Convention, which will also require the consent of the Parliament. Member States will sign and ratify the Convention in accordance with their national procedures. The Convention will enter into force once it is ratified by 40 parties. 

CRA: Commission opens consultation on delegated act for reporting security incidents 

On 16 October, the Commission launched a feedback period on the delegated act under the Cyber Resilience Act, outlining the terms and conditions under which a Member State’s designated CSIRT may delay the dissemination of vulnerability or incident notifications to other CSIRTS. The delegated act is expected to be adopted by 11 December, with reporting obligations under the CRA becoming applicable from 11 September 2026. 

TIC Council warns about the delayed implementation of NIS2 Directive 

The Testing, Inspection and Certification (TIC) Council has issued a call for urgent implementation of the NIS2 Directive, warning that delays in transposition by several Member States pose serious risks to Europe’s critical infrastructure. Addressing recent cyberattacks that disrupted airport operations, the Council notes the importance of robust cybersecurity frameworks and urges governments to designate competent authorities and adopt internationally recognized standards like ISO/IEC 27001. Early adopters such as Finland and Belgium are already leveraging certification to demonstrate compliance and enhance resilience. 

MISCELLANEOUS

Leak of Commission Digital Omnibus proposals  

According to two leaked documents from DG Connect, the Digital Omnibus will be composed of two separate proposals. The first proposal will introduce targeted amendments to the EU data rules and streamlining reporting obligations under cybersecurity legislation. The second proposal contains targeted amendments focused on the AI Act implementation, with some exemptions for both data and AI obligations applicable to small businesses. The Commission will officially present the Digital Omnibus on 19 November. 

Leaked Cyprus Council Presidency draft work programme for the first half of 2026 

News outlets published a leaked draft work programme (for January-June 2026) of the upcoming Cypriot presidency of the Council. Interestingly, the draft suggests that the protection of children online is of paramount importance and that Cyprus will aim to conclude negotiations on the CSAM Regulation before the expiry of the Interim Regulation in April 2026. On most other digital files, however, it appears to foresee no agreements. For example, Cyprus aims only to advance negotiations on the DNA and the revision of the Cybersecurity Act, and there is no target for the 19 November tech simplification omnibus beyond supporting efforts to simplify digital and data frameworks without deregulation. Law enforcement access to data is also slated for discussions.   

Virkunnen simplification report indicates Digital fitness check to run until mid-2027 

Virkkunen’s annual report on simplification and implementation says the digital acquis fitness check will run until mid-mandate, kicking off on 19 November alongside the digital simplification package; the process will examine digital laws beyond those in the first simplification omnibus (AI, data, cyber) and may lead to “potential additional simplification measures”; the report also confirms that the Commission will present on 19 November its first assessment of interactions between the DSA and other consumer-protection and product-safety laws.  

Franco-German Tech Summit on digital sovereignty 

France and Germany are organizing a summit on digital sovereignty taking place in Berlin on 18 November, where they will discuss Europe digital’s future. The agenda is now out, with the Executive Vice President of the European Commission Henna Virkkunen plans to present the long-awaited Digital omnibus during the morning. Other topics on the official programme include EUDI Wallet, Digital Commons as a Pillar of Digital Sovereignty, and the DMA.  

The Netherlands circulates paper on simplification, touching on AI, data protection and cookies 

The Dutch government circulated a document on simplification, emphasizing that EU digital law revisions should focus on legal clarity, coherence, and streamlined governance rather than extending deadlines. The paper also includes specific recommendations on AI and data protection simplification. On AI, it prioritizes simplifying the AI Act’s implementation over extending legal deadlines for high-risk requirements, proposing clearer definitions for critical infrastructure, flexible compliance options, and extended derogations for SMEs. On data protection, it advocates for more practical tools to ease compliance for smaller organizations, including the development of standardized lists of low-risk processing activities by supervisory authorities, greater use of codes of conduct, exemptions for cookies and similar technologies, and technical solutions such as centralized browser-level consent management.   

German contribution to the Digital Omnibus  

The German Federal Ministry for Digital Transformation presented a paper on the upcoming Digital Omnibus package calling for simplification measures, including on the Data Act, GDPR, e-Privacy Directive (e.g.  including an additional exemption for cookies in art.5 (3)). The paper also outlines many specific recommendations on the AI Act, including emphasising on innovation-friendly implementation, avoiding double regulation and reducing market entry barriers, extending implementation deadlines, and providing clear definitions and harmonized standards. 

ITRE publishes report on the interaction between AI act and other pieces of legislation 

The European Parliament’s Industry, Research and Energy Committee (ITRE) published a study outlining how the AI Act relates to other crucial pieces of EU digital legislation, such as the GDPR, Data Act and Cyber Resilience Act. The document also provides reflections and suggestions for possible evolutions of digital legislation, keeping in mind that Europe can establish a competitive AI industry. 

 

EuroISPA Response to the Public Consultation on the Digital Fairness Act

/in ,

EuroISPA shares the European Commission’s objective to protect and empower consumers. Nevertheless, we emphasise that the EU already has the world’s most comprehensive consumer protection framework, strengthened by recent major legislative updates, including the Omnibus Directive, DSA, DMA, Data Act, and AI Act.

Should the Commission remain committed to proposing a DFA, such an initiative should fully reflect the overall aim of ensuring a simple, competitive, and innovation-friendly legal framework, which benefits both consumers and businesses. It should also enable effective and consistent enforcement of existing laws, addressing specific gaps without duplicating existing legislation. Hence, before considering any new rules, the Commission should conduct comprehensive impact assessments of existing legislation and its implementation.

Only where genuine gaps are demonstrated should evidence-based, targeted, and technologically neutral measures be considered. Even then, the Commission should first assess whether the objectives can be achieved by amending existing instruments—such as the DSA—instead of adopting a new legislative act.

EuroISPA’s specific recommendations address:

  • The relationship between regulators and businesses
  • Dark patterns
  • Addictive design
  • Unfair personalisation practices
  • Harmful practices by social media influencers
  • Issues with digital contracts
  • Simplification measures
  • Horizontal issues (age assurance, fairness by design, burden of proof, definition of consumer). 
Read the Position Paper

EuroISPA Monthly Report – September 2025

/in , ,

September marked the start of the EU’s legislative push ahead of year-end, with the goal of streamlining current obligations, and considering the introduction of new legislation.

Despite being one of the main priorities for its mandate, the Danish Presidency failed to secure enough support in the Council to reach an agreement on its Child Sexual Abuse Regulation proposal, mainly due to Germany’s concerns over non-targeted scanning.  

The Commission is also considering delaying the AI Act’s implementation for high-risk systems due to setbacks in developing the necessary technical standards. The attention is mounting on the upcoming Digital Omnibus Package too, expected in November.

The EuroISPA Secretariat is closely monitoring these developments and will respond to the public consultation on the Digital Fairness Act and provide input to the Commission on GDPR implementation challenges. Relevant deadlines are listed in “Recent and ongoing activities” section of this newsletter.

ONLINE CONTENT 

Stalemate persists on CSAM Regulation despite Danish presidency efforts

Despite intensive negotiations throughout September and October, the Danish Presidency has so far been unable to secure agreement on its compromise text for the CSAM Regulation, which it had hoped to table for a vote at the Justice and Home Affairs Council on 14 October. The proposal was examined by Member States at the Law Enforcement Working Party on 12 September and again during a key meeting of Permanent Representatives (Coreper II) on 8 October, where it became evident that Germany could not support the text, leaving no immediate prospect for agreement. While many Member States have expressed appreciation for the Presidency’s efforts – and are under pressure to reach an agreement before the expiry of the Interim Regulation permitting voluntary scanning in April 2026 – significant concerns persist regarding the overall proportionality of the proposed detection order scheme and its impact on encryption.  

Denmark finalises Jutland Declaration on protection of minors online

The Jutland Declaration on the protection of minors, prepared by the Danish Presidency, was signed by 25 Member States (all except Estonia and Belgium) at the informal meeting of telecommunications ministers on 10 October. It calls for measures to complement the DSA on children protection, including requiring privacy-preserving age verification and addressing addictive design practices, and supports Commission President von der Leyen’s initiative to establish an expert panel to examine a potential EU-level approach on a digital age of majority. Compared to latest draft, the final version has been softened to attract broader support: the reference to the Digital Fairness Act was removed from the paragraph on safeguarding minors online; the text now states it would be “difficult” rather than “impossible” to prevent minors from being targeted with adult-oriented content without proper age verification; and it calls to “address” rather than “ban” addictive and manipulative design practices.  

Further push from European Parliament and Commission to fight online piracy

On 7 October, the European Parliament adopted in Plenary its report on the Role of EU policies in shaping the European Sport Model, which includes amendments calling for further legislation to combat piracy and for an extension of the KYBC provision. The press release of the Parliament identifies online piracy as one of the challenges face by the European Sport Model. During the debate that preceded the vote, Commissioner Micallef also called for urgent action to combat piracy of live sport events to ensure financial sustainability of the sector. The Commission is preparing a new strategic vision for sport and is consulting on this matter. As a reminder, by 17 November 2025, the Commission will assess the effects of the Recommendation, taking due account of the data collected by the EUIPO Observatory.

IMCO discusses amendments to its own-initiative report on the protection of minors online and CULT adopts its opinion

During the IMCO session on 24 September, MEPs discussed amendments to the draft own-initiative report on the protection of minors online, ahead of the vote scheduled for 16 October. Rapporteur MEP Christel Schaldemose (S&D, DK) noted progress but highlighted ongoing disagreements, particularly on whether age verification and age assurance should be mandatory. The CULT committee also adopted its opinion on IMCO’s own-initiative report. In parallel, the CULT committee also adopted its draft own-initiative report on the impact of social media and the online environment on young people, for which the LIBE, IMCO and FEMM committees are also preparing their opinions.  

AI & Copyright European Parliament draft report receives first amendments

The JURI committee MEPs have submitted 370 amendments to Axel Voss’ own initiative report on Generative AI & Copyright. Among the most controversial points: remuneration, the role of the EUIPO and the irrebuttable presumption. MEP Voss also tabled additional amendments co-signed by EPP colleagues, including Amendment 110, which aims to clarify that the TDM exceptions (both Articles 3 and 4) “were originally not designed to address generative AI training and therefore are not applicable”. The work on compromise amendments is already ongoing, with a consideration of amendments taking place on 13 October; the vote in committee is expected at the beginning of December.

Von der Leyen backs Australia’s social media age ban, considers approach on EU digital majority age

Speaking at the “Protecting Children in the Digital Age” event in New York on 24 September, Commission President von der Leyen praised Australia’s minimum age law for social media, calling it a “world-first, and world-leading” step, echoing her remarks at the State of the European Union speech. She said the EU is closely watching Australia’s implementation and cited growing concerns over children’s exposure to addictive algorithms, cyberbullying, and online predators. She also highlighted the EU’s pilot for a cross-border age-verification system being tested in five Member States and reiterated plans to convene an expert panel to assess the best approach on a digital majority age for social media at EU level.  

Commission probes costs of compliance with the DSA

The Commission asked VLOPs and VLOSEs to report the financial burden of complying with the DSA. A six-page questionnaire was reportedly sent to the relevant companies on 19 September asking how much they spend on transparency reports and compliance measures, including on IT systems and service providers. Through the questionnaire, companies can also share a qualitative assessment of the practical measures and underlying legal concepts which they consider to be driving the costs. The information collected will feed into the DSA Evaluation report, which is expected on 17 November, and is set to review how the DSA interacts with other legislation, and address the threshold, designation and scope of VLOPs and VLOSEs.  

European Board for Digital Services holds meeting on child protection, political ad rules, and DSA enforcement

At its 15th meeting in Brussels on 23 September 2025, the EBDS emphasized the priority of protecting minors online, agreeing to strengthen enforcement of Article 28(1) of the DSA and to streamline cross-border cooperation. WG 6 was tasked with advancing implementation of the DSA Art.28 Guidelines on minors’ protection, alongside coordinated action targeting pornographic platforms and complementing Commission cases against VLOPs such as TikTok, Instagram, and Facebook. The Board also discussed the upcoming European Democracy Shield (EUDS) and its interplay with the DSA and the political advertising transparency rules, which took full effect on 10 October 2025 (and for which the Commission issued guidelines). The Board also reacted to recent allegations against the DSA, reaffirming its commitment to impartial and effective enforcement.  

Commission, Council and Parliament continue working on the European Democracy Shield (EUDS): According to its latest calendar, the Commission expects to present its communication on the EUDS on 12 November. In the meantime, the European Parliament held a debate on the EUDS in its 10 September plenary session, and an exchange of views with Commissioner McGrath in the EUDS Committee on 23 September. On the Council side, discussions continued on the draft Council conclusions for the EUDS, with Member States asked to submit final input by 8 October.  

DATA ECONOMY 

Council works on access to data for effective law enforcement resume

Council’s Law Enforcement Working Party is hosting a series of presentations by Europol, CEPOL, ECTEG on access to data for effective law enforcement to facilitate cross-border cooperation in digital forensics. Also in the Council, in Coreper II and other bodies are discussing the state of play on the access to data for effective law enforcement.  

Commission and Council assessing possible delay of AI Act implementation for high-risk systems due to technical standards delay

Speaking at Politico’s Competitive Europe Summit on 1 October, Lucilla Sioli (head of the Commission’s AI Office), said the Commission is “still assessing” a potential delay in AI Act implementation for high-risk systems, suggesting this would stem from the delayed development of related technical standards required for compliance. She clarified that “it’s not a matter of pausing the AI Act, but of if and when the standards will be ready”. In parallel, the Danish Presidency raised concerns that the delayed standardisation process poses an urgent challenge for implementing the obligations for high-risk AI systems. To address this, the Presidency proposed using the upcoming digital omnibus package, due on 19 November, and has requested Member States’ input on what measures the Commission should take. Nooshin Amirifar, team lead for ICT standardization at CEN-Cenelec, the organisation responsible for developing the standards, told Politico that some documents could be published and submitted for national-level public inquiry by late 2025 or early 2026.

EU Ombudsman investigates transparency of AI Act standards development

In a related development, a transparency complaint from NGO Corporate Europe Observatory prompted an investigation from the EU Ombudsman on the process for the development of standards under the AI Act. On 1 October, Commission spokesperson Thomas Regnier said the Commission can only review standards once they are drafted to decide whether to endorse them. He emphasised that the Commission works closely with EU standardization organisations CEN and Cenelec but does not interfere in their processes. The Ombudswoman’s inquiry follows concerns that the drafting process lacked transparency, including unpublished participant names and meeting minutes, and that the Commission failed to ensure a balanced representation of interests in the process.  

European Commission releases draft guidance for serious incidents

The European Commission recently released draft guidance and a reporting template for serious incidents under the EU AI Act. The provisions will become applicable starting in August 2026. The consultation process will be open until 7 November.  

EDPS recommends safeguards for EU–US framework on personal data sharing for border and immigration purposes

The European Data Protection Supervisor (EDPS) issued an opinion on the negotiating mandate for a proposed EU-US framework agreement on exchanging information for security screenings and identity verifications. The framework would allow individual Member States to sign bilateral agreements for data exchange from national systems. Since this agreement would be the first EU deal to involve large-scale sharing of personal data for border and immigration control, the EDPS stressed that processing should be strictly necessary and proportionate. The opinion recommendations include narrowing the scope of data sharing, establishing accountability mechanisms, ensuring transparency and information obligations for both authorities, and providing access to judicial redress.  

GDPR access requests can only be refused if abusive, Advocate General opinion says

Advocate General Maciej Szpunar issued an opinion on 18 September stating that companies may refuse a data access request under the GDPR only if the request can be shown to be abusive. According to the opinion, abuse may include situations where an individual deliberately consents to data use to trigger an access request and claim damages. The opinion notes that even a first request can be considered excessive in exceptional cases, and that repeated claims alone are not sufficient to justify refusal.  

Guidelines on the interplay between the DMA and GDPR

On 9 October 2025, the European Data Protection Board and the European Commission have endorsed the first joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). There is a an open consultation till 4 December 2025 to gather comments from the industry or any public organisation with the spirit of reflecting the coherent application of the DMA and the GDPR and to increase the legal certainty for gatekeepers, business users, beneficiaries and individuals.

EDPB opened consultation on guidelines clarifying interplay between DSA and GDPR

The European Data Protection Board (EDPB) adopted its Guidelines 3/2025 on the interaction between the DSA and GDPR and launched a public consultation with a deadline of 31 October 2025. The guidelines, adopted during the EDPB’s plenary session in September, aim to ensure coherent application of both frameworks, as several DSA provisions on notice-and-action systems, recommender systems, protection of minors, transparency and profiling-based advertising relate to the GDPR. 

CYBERSECURITY AND INFRASTRUCTURE 

EU telecom rules to be “simplified” under DNA, Commission official says

Thibaut Kleiner (Director for Policy, Strategy and Outreach at DG CNECT) announced at the Connected Futures event on 23 September that Orange, Telefónica, and Deutsche Telekom will benefit from a simplification of EU telecom regulations with the DNA. He said the intention of DNA is to unlock market potential, and support innovation. He also emphasised that the DNA would complement the EU’s Applied AI Strategy and broader “EuroStack” ambition for digital sovereignty and added that telecom is “not just about networks anymore”, but also about data centers, cloud infrastructure, and additional services built on top of that.  

The fair share debate and the DNA developments

The Digital Network Act remains unclear in the discussion of the fair share debated. The details of the dispute resolution mechanism demanded by operators as an alternative to the fair shares need to be concretised.  On 22 October, the Commission Regulatory Scrutiny Board should receive the impact assessment of the Digital Networks Act to approve it. The final presentation of the text is expected between the 10 and the 16 of December.

Call for evidence on the Digital Package on Simplification

On 16 of September, The European Commission published a  call for evidence  on the Digital Package on simplification. The initiative seeks to simplify cookies and tracking regulations under the ePrivacy Directive, reduce overlapping cybersecurity reporting, lower compliance costs under the European Digital Identity Framework, and ensure the AI Act is applied effectively with a focus on the needs of small mid-cap businesses. Moreover, the European Commission will continue evaluating the digital rules through the upcoming Digital Fitness Check. According to the latest European Commission Agenda, the digital package will be announced on 19 November, being composed of multiple files including the European Business Wallet, the Digital Omnibus and the CSA.  

Cybersecurity remains high on the agenda

In addition, the EC opened a called for tenders for supporting ENISA for the provision of the EU Cybersecurity Reserve services to Union Entities. Finally, in the Council, the Horizontal WP on cyber issues  discussed on 9 October the priorities for the EU Cybersecurity Reserve, the Cyber Hubs and their interoperability.  

Results of the Consultation for the future Cloud and AI Development Act

The results of the European Commission’s consultation for the future Cloud and AI Development Act (CAIDA) that closed in July were made public showing that most respondents would like to see faster approved building permits and a one stop-shop mechanism. The European Commission highlighted in a meeting to national experts that they have “consistently” cited barriers to expansion, lack of “common EU definition of sovereign cloud” and called for a broad support to finalise the long-pending EUCS cybersecurity certification. The Commission is expected to present in the regulation together with a recommendation for the cloud policy for public administrations and procurement in the first quarter of next year.

Poland calls for separate legal act for ENISA

On 2 October, the Polish Delegation in the Horizontal Working Party on Cyber Issues  shared a paper on the upcoming revision of the EU Cybersecurity Act, calling for the splitting the legislation that will redefine the mandate of ENISA from the other provisions which are set to be controversial as it will address the development of cybersecurity certification schemes. Poland suggests for certification schemes recurring to technical specifications from industrial bodies or from ENISA.  They also suggest a simpler evaluation solution than those based on Common Criteria should be considered more often, where appropriate responding to the demands of the industry, in particular vendors.

European Cloud Sovereignty Discussion

On September 30, Digital experts from the 27 Member States presented to the Commission and other Member States the need to create a European sovereign cloud. This presentation showcased the results of the outcome of the public consultation conducted before summer considering the future regulation to be presented in the first quarter of 2026. The results showed that there should be a “mechanism enabling the federation of cloud services within public administration”, “the creation of public procurement guidelines” and “broad support for the finalisation of the EUCS certification scheme for the cloud and its integration into the public procurement framework”. The EUCS will be revised in November with a view to extending its scope to non-technical risks. Germany stays the only major Member State pushing for non-discriminatory treatment of foreign providers, while Spain, France and the Netherlands supported the Commission’s direction.

Contact details

EuroISPA

38, Rue de la Loi
1000 Brussels

+32 2 789 6618

[email protected]

General contact information | Privacy policy