INSIGHT: AI and Copyright: Building a Balanced Framework for Europe’s Digital Future 

As Europe navigates the next phase of its digital transformation, the intersection of artificial intelligence and copyright is emerging as a defining issue for policymakers and digital industry stakeholders alike. For Internet Service Providers and digital infrastructure operators at the heart of Europe’s online ecosystem, ensuring a regulatory environment that is both balanced and innovation-friendly is essential.  

The ability to train AI systems efficiently and transparently depends on access to large and diverse datasets, many of which include works protected by copyright. In this context a clear, harmonised European approach to text and data mining (TDM), grounded in the principles of legal certainty and technological neutrality is essential. Fragmented national interpretations or overly restrictive licensing requirements risk hindering innovation, undermining Europe’s digital competitiveness, and discouraging smaller players from participating in AI development. 

The European Commission’s recent Digital Omnibus proposal—aimed at streamlining overlaps between the GDPR, the AI Act, and other digital regulations—signals a welcome step toward greater regulatory coherence. By recognising AI training as a legitimate basis for data processing, subject to robust safeguards, the proposal also aligns with EuroISPA’s longstanding position that innovation and rights protection are not mutually exclusive. At the same time, coordinated definitions of data use and clearer compliance pathways will help providers across the internet value chain to fulfil obligations responsibly and efficiently. 

The way forward must rest on open standards, proportional obligations, and shared accountability. Intermediaries and service providers play a vital enabling role in Europe’s digital economy but should not be overburdened with copyright enforcement duties that go beyond their technical and legal capacity. Instead, collaboration between rights holders, developers, and policymakers—supported by transparency mechanisms and fair attribution practices—can create a sustainable foundation for both creation and innovation. 

Ultimately, Europe has the opportunity to shape a futureproof digital copyright and AI framework that supports creativity, safeguards fundamental rights, and ensures that European networks remain the trusted backbone of digital progress. That balance—between trust, freedom, and innovation—is the cornerstone of a resilient and competitive European internet. 

Stefan Ebenberger

Member of the Board of EuroISPA

Secretary General of ISPA Austria

EuroISPA Position Paper on the CSAM Regulation

As trilogue negotiations on the CSAM Regulation continue, EuroISPA considers that the final framework should fully reflect the overall aim of protecting children online while preserving the security and privacy safeguards that already apply across the digital ecosystem. It should also enable effective and consistent application of the legal and technical framework already in place, addressing genuine gaps without duplicating existing legislation. Our members, from hosting providers to CDN operators, access providers, and VPN services, already run detection and reporting systems and act as trusted flaggers under the Digital Services Act, and the Regulation should build on that engagement rather than override it.

Before introducing new obligations, the Commission and co-legislators should ensure that the technical and legal conditions for compliance are firmly established, starting with a permanent legal basis for voluntary detection rather than one based on temporary derogations. Any new obligations should remain proportionate, targeted, and technologically neutral, and grounded in evidence of a genuine gap rather than assumption.

The Commission should first assess whether the objectives can be achieved through closer alignment with existing instruments, such as the DSA, NIS2, and the e-Evidence Regulation, rather than through additional, overlapping requirements. Coherence with this existing framework, not the creation of a parallel one, should guide the Regulation’s final shape.

Our key positions:

  • Ensure the Regulation does not weaken, circumvent, or disable encryption even on a voluntary basis.
  • Include a permanent legal basis for voluntary detection directly in the Regulation, rather than relying on the temporary ePrivacy derogation.
  • Adopt a cascade approach so only the provider with direct control over the content is obligated to act.
  • Remove provisions that duplicate or conflict with the DSA, the e-Evidence Regulation, the Cybersecurity Act, NIS2, and the GDPR.
  • Align user notification and transparency requirements with the DSA instead of creating separate obligations.
  • Streamline risk assessment and categorisation using the DSA’s staggered, proportionate approach.
  • Strengthen and adequately resource national reporting hotlines and the INHOPE network.
  • Ensure judicial oversight for competent authorities and keep any list of approved technologies voluntary.
  • Avoid regulating data retention separately from the Commission’s ongoing data retention initiative.
  • Treat age assurance as an optional mitigation measure, not a mandatory obligation.
  • Align provider liability with the DSA and protect good-faith voluntary detection efforts from penalty.
  • Conduct a renewed impact assessment given how substantially the text has changed since 2022.

We invite you to read our full position paper below.

EuroISPA published its position paper on the Digital Omnibus Package

EuroISPA welcomes the European Commission’s objective to simplify the EU digital regulatory framework. A coherent simplification agenda is essential to strengthen Europe’s competitiveness, increase legal certainty for businesses, and ensure that the EU digital acquis remains fit for the next decade.


While the proposed measures represent a constructive step, EuroISPA would like to draw attention to the need for further efforts to address overlapping obligations, fragmentation across legal instruments, and inconsistencies in implementation. Simplification should therefore go beyond adjustments to individual provisions and focus on improving coherence across the broader digital regulatory framework.


Among our key recommendations:
• Greater coherence between the GDPR and the ePrivacy framework
• Reducing unnecessary consent fatigue while maintaining strong privacy protections
• Clearer rules on pseudonymisation and scientific research
• A harmonised EU reporting framework for cybersecurity incidents
• An effective ENISA Single Entry Point that simplifies reporting through aligned definitions, thresholds and timelines across EU cybersecurity legislation

EuroISPA looks forward to engaging with EU policymakers to ensure the Digital Omnibus delivers meaningful simplification for Europe’s digital ecosystem while maintaining coherence across the digital regulatory landscape.

INSIGHT: The Future of Connectivity: A Joint Vision from eco and EuroISPA 

Europe stands at a pivotal moment in its digital transformation. Connectivity is no longer a convenience – it is the backbone of economic growth, innovation, and societal resilience. As eco – Association of the Internet Industry and EuroISPA, we share a common mission: to ensure that Europe’s digital infrastructure is secure, sustainable, and future-ready. This article outlines our joint vision for the next era of connectivity, addressing technological, regulatory, and societal challenges. 

From Copper to Fiber: Building the Foundation 

The transition from copper-based networks to fiber-optic infrastructure is essential for Europe’s competitiveness. Fiber offers unmatched bandwidth, ultra-low latency, and resilience – capabilities that copper cannot deliver in an era of cloud computing, IoT, and real-time applications. Accelerating fiber deployment, particularly in rural and underserved regions, is critical to closing the digital divide. Both eco and EuroISPA advocate for investment-friendly policies and streamlined permitting processes to make this transition a reality. 

6G: The Intelligent Network of Tomorrow 

While 5G rollout continues, 6G research is already shaping the next frontier. Expected by 2030, 6G will deliver terabit-per-second speeds, sub-millisecond latency, and AI-driven network orchestration. It will enable holographic communication, digital twins, and immersive extended reality, transforming sectors from healthcare to manufacturing. To achieve this, Europe must invest in terahertz spectrum, edge computing, and global standards, ensuring interoperability and security.

Quantum Networking: Reinventing Security 

Cybersecurity is a cornerstone of trust in the digital age. Quantum networking, through technologies like Quantum Key Distribution (QKD), will make data interception virtually impossible. This is vital for protecting critical infrastructures systems. Europe must lead in quantum research and pilot projects to safeguard digital sovereignty. 

Satellites: Bridging the Last Mile 

 

Fiber and terrestrial networks will dominate urban connectivity, but satellite Internet – especially Low Earth Orbit (LEO) constellations – will play a key role in connecting remote regions. Integrating satellite solutions into Europe’s connectivity strategy ensures inclusivity and resilience, supporting economic development and social cohesion 

The Backbone: Data Centers, IXPs, and DNS  

  • Behind every digital service lies a robust infrastructure: 
  • Data Centers: The engines of the digital economy. Scaling sustainably with energy-efficient technologies and renewable energy is non-negotiable. 
  • IXPs: Internet Exchange Points reduce latency and strengthen resilience. Expanding Europe’s IXP ecosystem enhances performance and digital sovereignty. 
  • DNS: A stable and secure Domain Name System is fundamental. Implementing DNSSEC and redundancy measures is essential to prevent outages and attacks. 

Sustainability and Security: Our Shared Priorities 

Both eco and EuroISPA champion green digital infrastructure, aligning with EU climate goals. Energy efficiency, heat reuse, and renewable integration are critical for data centers and networks. At the same time, cybersecurity must evolve with zero-trust architectures, AI-driven threat detection, and strong encryption standards. 

Encryption: A Non-Negotiable for Trust 

EuroISPA has consistently defended end-to-end encryption as a cornerstone of privacy and security. Proposals to weaken encryption under initiatives like ProtectEU or e-Evidence risk undermining trust and exposing users to cyber threats. Our joint position is clear: encryption must remain robust and uncompromised. Any legislative approach should balance law enforcement needs with fundamental rights and technological realities. 

Policy and Collaboration: The Road Ahead 

The future of connectivity requires coordinated action. Policymakers must create frameworks that encourage investment, innovation, and sustainability without imposing disproportionate burdens. Industry associations like eco and EuroISPA play a vital role in shaping balanced regulations, from the Digital Networks Act to cybersecurity standards. Public-private partnerships will be the cornerstone of Europe’s digital success. 

Conclusion: A Connected, Secure, and Sustainable Europe 

Connectivity is not just about speed – it is about enabling opportunity, resilience, and trust. From fiber to 6G, from satellites to quantum networks, and from data centers to DNS, every component matters. Together, eco and EuroISPA are committed to driving this transformation and ensuring that Europe remains a global leader in digital innovation. 

Lars Steffen

Vice-President of EuroISPA

Head of International, Digital Infrastructures & Resilience of eco – Association of the Internet Industry

2026: What’s ahead

EU Digital Agenda for 2026: from strategy to action 

The time for action has arrived. Over the last months, the European Commission has defined broad policy guidelines for the current mandature (2024-2029): simplification, competitiveness, and innovation. The European executive has learned from the Mario Draghi and Enrico Letta reports – a welcome shift toward pragmatism for Internet Service Providers.  

In 2026, the Commission will translate these priorities into concrete proposals. Its work program directly impacts EuroISPA members across connectivity, data protection, cybersecurity, AI and platform regulation – making active engagement essential.  

KEY LEGISLATIVE PRIORITIES

The future Digital Networks Act is one of the major priorities for EuroISPA members. As Europe recasts its Electronic Communications Code, the stakes could not be higher: ensuring sustainable investment models while meeting connectivity demands for decades ahead. We expect the Commission to deliver a framework that balances regulatory certainty with technological evolution, incentivizing investment in digital infrastructures.  

EuroISPA welcomed the October 2025 Digital Omnibus Package. Aligning e-Privacy with GDPR is critical – reducing administrative burdens while clarifying legal obligations. Ensuring AI Act implementation is innovation-friendly similarly heads in the right direction. For our members, simplification here means tangible operational relief.  

On the revision of the Cybersecurity Act, EuroISPA supports a targeted revision of the Regulation.  

On the Digital Fairness Act: while we support strong consumer protection, creating new legislation risks regulatory fragmentation. Existing frameworks can achieve these goals more efficiently.  

On online piracy of sports and other live events, following its evaluation of the 2023 Recommendation, the Commission has concluded that this non-binding instrument is insufficient to tackle this illegal phenomenon. It is likely that a new legislative initiative is being considered to harmonise cooperation tools and EuroISPA will carefully follow how the issue may evolve, ensuring any framework respects technical feasibility and fundamental rights.

COOPERATION BETWEEN INTERNET SERVICE PROVIDERS AND JUDICIAL AUTHORITIES   

EuroISPA remains committed to ongoing discussions on the CSAM regulation which is at the final stage of negotiations. It welcomes the Council’s general approach adopted under the Danish Presidency, which excluded detection obligations from the scope of the future regulation.   

The August 2026 e-evidence regulation implementation presents significant operational challenges, particularly the decentralized IT system. EuroISPA will facilitate dialogue between members and the Commission to ensure workable compliance pathways.  

On metadata retention, we await the early 2026 impact assessment. Any legislative initiative must avoid imposing requirements that compromise EU competitiveness, digital sovereignty, or cybersecurity – outcomes that benefit neither security nor innovation.  

Finally, encryption remains paramount. As the Commission launches its expert group, EuroISPA’s co-signed global statement underscores our position: encryption is foundational to digital trust and economic security. Proposals weakening encryption to facilitate law enforcement access would fundamentally undermine these objectives – a tradeoff Europe cannot afford.  

EuroISPA’s strength lies in our diverse membership – representing the full value chain from infrastructure providers to content platforms. Our established relationships with European institutions (Commission, Parliament, Council) and agencies (EUIPO, BEREC) position us to effectively advocate for balanced, evidence-based policies. As 2026’s legislative agenda unfolds, our collective voice will be essential in shaping Europe’s digital future. 

Romain Bonenfant

President of EuroISPA

Managing Director of FFTélécoms – Fédération Française des Télécoms

EuroISPA Monthly Report – November 2025

The institutional agenda is wrapping up before the end of the year, after a very busy month of November.

At the end of November, the Council adopted its position on the CSAM Regulation, dropping mandatory detection orders from the final text. Political trilogues started on 9 December, and technical meetings are expected to start on the week of 12 January, with the aim of having a second round of political trilogues by the end of February. The Commission is also expected to submit a proposal to extend the interim derogation to the ePrivacy Directive before its expiry on 3 April 2026, in order to give more breathing space to negotiators.

The Digital Omnibus package was published on 19 November, proposing amendments to existing legislation on data, cybersecurity and AI. The package consists of a proposed regulation to simplify cybersecurity incident reporting and data protection obligations, and another regulation on AI, with targeted amendments to the AI Act. Along with the package, the European Commission introduced a proposal for the European Business wallet and also the Data Union Strategy.

Stakeholders are also discussing key topics on the online content front, such as the AI & Copyright own-initiative report in the European Parliament, and two ongoing consultations concerning protocols for TDM rights and a call for evidence to support the upcoming review of the Audiovisual Media Services Directive.

The beginning of next year is expected to be particularly busy, marked by the review of the Cybersecurity Act on 14 January and the publication of the Digital Networks Act proposal on 20 January, as well as the CSAM Regulation trilogues.

The EuroISPA Secretariat is monitoring these developments, with recent and ongoing EuroISPA activities listed in the corresponding section below.

ONLINE CONTENT 

Council adopts position on CSAM Regulation and trilogues start 

At the end of November, the Council adopted its position on the CSAM Regulation, dropping mandatory detection orders from the final text, and introducing language in the recitals to indicate that nothing in the Regulation should be interpreted as mandating detection or “prohibiting, weakening or circumventing, requiring to disable, or making end-to-end encryption impossible”.  The first political trilogue between the co-legislators took place on 9 December, with technical negotiations reportedly set to begin on the week of 12 January, and a second political trilogue epxetcted by the end of February. A tense exchange of views between Commissioner Brunner and MEPs in the LIBE committee on 4 December indicated that discussions on core issues, including encryption, are likely to be contentious, but there were reports that the first political trilogue was constructive, and that the Commission will submit a proposal to extend the e-Privacy derogation which expires in early April 2026, to ensure that a legal gap is avoided. 

EP plenary adopts own initiative report on the protection of minors 

On 26 November, the EP plenary approved without amendments IMCO’s own-initiative report on the protection of minors online. The report’s key recommendations include calls for effective, privacy-preserving age-verification and for a harmonised EU-wide digital age limit of 16 for social media, below which parental consent would be required. Discussions on the topic of age verification and the protection of children online are continuing in the context of the CULT committee’s on own-initiative report on the impact of social media and the online environment on youth mental health. The expert panel announced by von der Leyen in her State of the European Union speech, which is meant to provide recommendations on the best approach at EU level on social media age limits, has still not been convened.  

European Commission publishes evaluation of its Recommendation on Piracy 

Last month, the European Commission published its awaited evaluation concluding that the recommendation has had limited effects on the prompt treatment of notices relating to live events. The report stresses the increasing number of notices being addressed to other intermediaries, such as CDNs and reverse proxies, which are not subject to the DSA rules on notices. 

On dynamic injunctions, the assessment revealed a mixed picture among Member States, even though the report notes that some countries are taking effective measures while providing safeguards against over-blocking.  

On the issue of overblocking, the Italian Piracy Shield and LaLiga/Telefonica cases are referenced and the complaints from users experiencing over-blocking have been reflected even though the Commission indicates that the available information suggests that the number of reported incidents related to the blocking of legitimate content appears to be very limited compared with the total number of dynamic injunctions. The Commission is nevertheless of the view that give more time to DSA implementation is needed. 

Commission opens targeted consultation on DSA Article 18 notifications 

The Commission launched a targeted consultation on how providers of hosting services (including cloud and online platforms) should notify law-enforcement or judicial authorities when they become aware of information indicating suspected criminal offences that threaten life or safety (e.g., incitement to terrorism, child sexual abuse/exploitation, human trafficking). Run via the European Board for Digital Services’ Working Group 7, the exercise seeks feedback on the functioning of the notification process and areas needing clarification, including which offences fall in scope. Stakeholders with relevant experience (DSCs, law-enforcement and judicial authorities, hosting providers, researchers, civil society, trusted flaggers and internet hotlines) are invited to submit input by 19 December 2025. 

European Commission publishes Digital Services Act evaluation report 

On 17 November, the Commission published its DSA evaluation report, focusing on the interaction of the DSA with other legislation. The report finds that the DSA largely complements other EU laws, while acknowledging a complex legal landscape and pledging to reflect this in upcoming discussions (incl. fitness check of digital acquis, AVMSD, DFA) in line with the EC better regulation and simplification agenda. It confirms the VLOPs/VLOSEs thresholds and core definitions are fit for purpose but notes future designation challenges where services bundle multiple functionalities. The report flags a number of instances where the DSA rules apply in parallel to other similarly crafted EU law provisions, giving raise to potential legal uncertainty or undue compliance burdens, for example regarding the transparency of terms and conditions and of the ranking parameters of recommender systems,  transparency reporting obligations, content moderation obligations, dark patterns and SMEs. 

European Board for Digital Services 16th meeting focuses on IP rights, systemic risks, and scams 

On 18 November 2025, the Board had its 16th regular meeting. According to the statement published after the meeting, it discussed tackling online intellectual-property infringements under the DSA, adopted its 13-month Annual Work Plan, and the first Article 35(2) report on prominent and recurrent systemic risks and related mitigation measures. It also launched a coordinated initiative against online scams and fraud, with authorities sharing intelligence and guidance, and the Commission preparing a pan-EU awareness campaign before year-end. The Board further submitted views on the Commission’s preliminary findings in ongoing DSA transparency investigations into TikTok, Facebook and Instagram, and discussed key elements of the Commission’s Article 91(1) DSA report on the interaction between the DSA and other EU laws.   

Publication of Digital Services Act annual report on systemic risks 

On 20 November 2025, the Commission and the Board of DSCs published the first annual report outlining prominent and recurrent risks on VLOPs and VLOSEs. It identifies systemic risks (including the spread of illegal content and threats to fundamental rights), highlights issues such as impacts on mental health and minors, generative AI’s effects on platforms, and IP challenges on marketplaces, and summarizes mitigation measures reported under the DSA (i.e., automated detection of emojis used to code illegal drug sales). Drawing on platforms’ risk assessments, audits, transparency reports, independent research and civil-society input, the report is meant to serve as a reference point for transparency and accountability and will expand over time as more data and best practices become available.  

Vote in Legal Affairs committee on AI & Copyright postponed 

Leaks of the ongoing negotiations in the European Parliament on the own-initiative report on AI & Copyright announce that finding an agreement on certain provisions (TDM applied to AI, EUIPO role, is taking more time than expected. The JURI Committee in fact postponed its vote to the end of January, which should give enough time to MEPs to find an agreement on the most controversial parts of the report. In addition, the European Commission launched on 1 December a consultation on protocols for TDM rights reserving under the AI Act and the GPAI Code of Practice (deadline on 9 January 2026).  The consultation invites stakeholders to express their views on TDM opt-out solutions and enquires their interest in participating in two follow-up workshops (Q1 2026). 

Commission seeks input for 2026 evaluation of the Audiovisual Media Services Directive 

On 24 November 2025, the Commission launched a call for evidence to assess the AVMSD’s effectiveness in a fast-changing media landscape and to gather views on possible updates. The evaluation will consider visibility and prominence of European media, a more level playing field between traditional and digital players, protections for viewers (especially minors) when viewing content online, and possible simplification of advertising rules. Inputs are invited from regulators, academia, broadcasters, VOD providers, video-sharing platforms, influencers, and advertisers. The consultation is open until 21 December and will feed into the 2026 evaluation of the AVMSD, which is part of the European Democracy Shield commitments. 

DATA ECONOMY 

Digital Omnibus on Data: Member States flag risks in GDPR/ePrivacy revisions 

A group of Member States criticised the European Commission’s proposal on the data strand of the Digital Omnibus, arguing that the proposed changes went beyond technical simplification, and that the revised definition of personal data could weaken rights safeguards, complicate data transfers, and strain supervisory authorities.  

On data-subject requests, Belgium, the Netherlands, Slovenia and Poland cautioned that tighter “abuse-of-rights” rules could ease rejections. Slovenia also warned that controllers might infer motives, and Germany questioned whether the changes would lead to more complaints to authorities.   

On the proposed ePrivacy and GDPR framework for device access, the Netherlands said it could incentivize the processing of personal data by companies just to benefit from GDPR exemptions. France queried how enforcement would be split between GDPR and ePrivacy, and Latvia also asked for a clear boundary between rules on data protection and communications confidentiality. Finland and Poland wanted more details on how default browser settings would work, and on consent withdrawal and media exemptions.   

On changes to the definition of personal data, Belgium and Slovenia warned “non-personal” labels could still allow re-identification. Germany asked how regulators were supposed to assess re-identification risks. Germany, Finland, the Netherlands and Austria questioned shifting tasks from national regulators/EDPB to the European Commission. Slovenia and Slovakia criticised the lack of a fundamental-rights impact assessment.  

Digital Omnibus on AI: Member States flag legal gaps and seek clarifications 

In their initial set of questions to the European Commission on its AI Omnibus proposal, Member States seek clarifications on AI literacy, the legal basis for processing sensitive data for developers of high-risk AI, centralization of enforcement, oversight gaps caused by removing a registration obligation, recognition of conformity assessment bodies, regulatory privileges, the legal value of codes of practice and the purpose of an EU-level sandbox. On the legal basis for processing personal data for high-risk AI, France noted that the suggested revision is not aligned with the related technical standard. The Netherlands was critical of the proposal in substance, arguing that it conflicts with fundamental rights. On centralized enforcement, Germany, the Netherlands and Poland asked the Commission to clarify how the new enforcement structure would be compatible with the requirement that high-risk AI systems in justice, law enforcement and migration control should be supervised by data protection authorities or an equivalently independent regulator. On the removal of the Commission’s power to adopt codes of practice via secondary regulation, Spain asks if this creates legal uncertainty and whether codes of practice are sufficient to ensure compliance.  

Digital Omnibus on AI: European Parliament committee allocation disputed 

According to reports in the press, IMCO and LIBE were initially slated to co-lead the AI strand of the Digital Omnibus, but ITRE and JURI have challenged that allocation and want a leading role. Committee coordinators were scheduled to confirm the committee responsibilities on 4 December. Because of the challenge, the decision is being escalated to the presidents of the EP’s political groups. All four committees have postponed appointing a lead MEP until their next file-assignment meetings (some only happening after the holidays), so substantive work on the AI Omnibus may not start before January. For the data strand of the Digital Omnibus, LIBE and ITRE are expected to lead, with JURI seeking at least an “opinion” role. Allocations can still be contested.  

CYBERSECURITY AND INFRASTRUCTURE 

Coalition of Member States against the Digital Networks Act proposal 

On 26 November, delegations from Austria, France, Germany, Hungary, Italy and Slovenia shared a non-paper on the Digital Networks Act, including their perspectives on the upcoming proposal. Member States stressed that national markets differ, and only a Directive ensures the right of flexibility and preserves sovereignty in areas like lawful interception. The delegations also mentioned that the spectrum should remain nationally managed to reflect market needs, avoiding unjustified centralization. They argued that ex-ante tools remain necessary during the copper-to-fiber transition and that the copper switch-off needs careful assessment to avoid distortions. Finally, they noted that BEREC and RSPG already work well with distinct roles and should not be merged or redesigned. As regards the next steps, the document underlines the importance of maintaining engagement with the Council, with priority preferably given to the Member States that co-signed the non-paper. 

Implementing Regulation Cyber Resilience Act 

The European Commission published an implementing regulation defining what “important” and “critical” products are under the Cyber Resilience Act. The list includes password managers, ID checking software, cybersecurity software, virtual private networks, operating systems, routers and others. 

ENISA provides a NIS2 requirement guidance report 

ENISA has published  a report provides technical guidance to support the implementation of the NIS2 Directive for several types of entities covered under NIS2.  ENISA’s guidance offers practical advice, examples of evidence, and mappings of security requirements to help companies implement the regulation. 

Commission calls on Member States to comply with the EU Cyberattacks Directive 

The Commission has launched enforcement steps against Estonia, Hungary, and Poland for failing to correctly implement the EU Directive on Attacks against Information Systems. The Directive obliges Member States to maintain strong national cybercrime laws, criminal sanctions for large-scale attacks, and 24/7 contact points for cross-border cooperation. The Commission has sent reasoned opinions to Estonia and Poland and a further notice to Hungary, giving them two months to address gaps related to illegal interception and misuse of tools, or risk escalation to the Court of Justice.   

Commission seeks participants for the NIS2 Forum on the deployment of internet technical standards 

The Commission has launched a new forum to develop a set of guidelines to inform relevant stakeholders and support compliance with network security measures laid out in the NIS2 Implementing Act. The main goal is to boost the deployment of standards and use of best practices in four areas, including: network layer communication protocols, e-mail security protocols, DNS security, and internet routing. The Forum is expected to start its work by early 2026 (with a tentative kick-off meeting planned for 21-22 January 2026) and publish its outputs within the timeframe of two years. Applications for participation are now open, with priority for submissions by 12 December 2025. 

Member States concerns on the single-entry point mechanism 

According to a document dated 28 November seen by MLex, EU member states are broadly sceptical of the Commission’s plan for a single-entry point for cyber-incident reporting, warning that a central EU platform run by ENISA could threaten national sovereignty, create security vulnerabilities, and clash with existing national reporting systems. Governments question whether the system might become a single point of failure, interfere with national threat-awareness processes, or complicate compliance across different EU laws. They also posed questions on the interoperability with national tools, data retention policies, encryption, storage, and language support, stressing that many countries have already invested heavily in their own reporting platforms and that SMEs might not be benefited by the introduction of this mechanism. Several warn that concentrating sensitive incident information at EU level could create major risks and ask how national control over security-relevant data and effective incident response will be preserved. 

Council and Parliament reach provisional deal on Payments Package 

Trilogues have been ongoing and a provisional political agreement was reached on 27 November. According to the press release online platforms would be liable to payment service providers that reimbursed customers if they were notified of fraudulent content and did not remove it. It is unclear to what extent the set of proposed measures affecting electronic communication services (mainly in the Parliament’s position) has been adopted in the final deal, as the text is not available yet. Next steps are technical work by co-legislators followed by formal adoption. 

MISCELLANEOUS

Commission seeking feedback for the 2030 Digital Decade targets and objectives 

The European Commission has launched a call for evidence to examine whether the Digital Decade objectives and targets for 2030 remained aligned with the current tech landscape. This reviewing exercise will assess the relevance of the current 2030 objectives and targets ensuring flexibility, effectiveness, and resilience as the EU navigates its digital future. The exercise will explore ways to further align policy with funding opportunities and evaluate how to improve engagement through channels for regions, cities, and local actors. The call for evidence is open for views until 23 December. 

The Council Conclusions on European Competitiveness in the Digital Decade  

The European Council has published its conclusions, stressing that the EU remains far away from meeting its 2030 targets, particularly in the areas of artificial intelligence, SME digitalization, and digital skills. The document highlights the importance of the Digital Decade Policy Programme in advancing Europe’s digital transformation, strengthening technological sovereignty, and enhancing competitiveness. The conclusions call for the strategic use of European funding programs to achieve these goals and identify several priority areas crucial for digital sovereignty, notably semiconductors, quantum technologies, cloud, artificial intelligence, cybersecurity, and connectivity.  The Ministers expressed interest in developing common criteria for cloud services to increase market transparency and reduce risks arising from strategic dependencies. The forthcoming Cloud and AI Development Act, expected in the first quarter of 2026, may provide an effective means of addressing this issue. 

EuroISPA signs MoU with RIPE NCC

Brussels, 28 November 2025 – EuroISPA, the pan European association of Internet Service Provider Associations, last week signed a Memorandum of Understanding with RIPE NCC, The Regional Internet Registry for Europe, Middle East, and Central Asia. The agreement aims to enhance collaboration to support Internet stability in Europe.

“This agreement represents another step in EuroISPA’s efforts to contribute to a reliable future for European Digital Users,” said EuroISPA President Romain Bonenfant.

The agreement, signed at the RIPE 91 Meeting in Bucharest by Hans Petter Holen, RIPE NCC Managing Director and CEO, and Alex de Joode, EuroISPA Board Member, and later, at the EuroISPA General Meeting, by Romain Bonenfant, EuroISPA President, focuses on developing technical insights and educational materials on how the Internet functions, promoting best practices and technical standards, and encouraging evidence-based policymaking in line with a multistakeholder approach to Internet governance.

EuroISPA Board Member Alex de Joode affirmed that, “The value of bringing together the resources including knowledge, talents, and practices that EuroISPA and RIPE NCC have been developing over many years is essential to ensure Internet stability in Europe. EuroISPA and RIPE NCC are two of the most important organisations in this area, and such a collaboration can only bring good things for Europe’s Digital Future.”

About EuroISPA

Established in 1997, EuroISPA is the world’s largest association of Internet Services Providers Associations, representing over 3,300 Internet Service Providers (ISPs) across the EU and EFTA countries. EuroISPA is recognised as the voice of the EU ISP industry, reflecting the views of ISPs of all sizes from across its member base.

Download the Press Release here

EuroISPA Brussels General Meeting: A Recap  

Brussels, November 17-18, 2025

Last week, EuroISPA brought together its members, partners, and guest experts for a two-day General Meeting filled with exchange, insights, and collective planning for the year ahead. Participants joined both in Brussels and online. 

The meeting opened with the confirmation of the new President Romain Bonenfant and Board. Members also marked an important milestone with the signing of a new Memorandum of Understanding with a key industry partner RIPE NCC, a sign of EuroISPA’s ongoing commitment to strengthening cooperation across the internet ecosystem. 

Across both days, national associations shared updates on digital developments in their respective countries, highlighting trends on cybersecurity, infrastructure, data policy, and evolving regulatory priorities. These exchanges remain one of the most valuable elements of EuroISPA meetings, offering a real snapshot of the challenges and opportunities across Europe. 

The programme also featured several guest speakers who provided timely perspectives on topics such as AI and copyright, data retention, the protection of children online, and online piracy. These sessions sparked constructive discussions among members, especially around emerging technological shifts and what they mean for ISPs and the wider digital sector. Among these we had the pleasure of welcoming high-level speakers such as BEREC Co-Chairs Amédée von Moltke and Christoph Mertens, who provided a clear overview of the 2024 BEREC Report on the IP Interconnection ecosystem, Stephan Edelbroich from the EUIPO Observatory, presenting the EUIPO study “The development of Generative Artificial Intelligence from a Copyright perspective,” and several experts from the European Commission. We thank all the speakers for their valuable input. 

Internally, members reviewed ongoing work, administrative updates, and policy priorities for 2026. The agenda included as usually exchanges on our Committees’ work areas: 

📌the Online Content Committee, tackling in particular the way forward on the Regulation to Prevent and Combat Child Sexual Abuse, age verification, piracy, copyright, and the Digital Fairness Act.    

📌 the Cybersecurity & Infrastructure Committee, setting the agenda for relevant initiatives ahead such as the Europol regulation, the ICT tool box and the Digital Networks Act. The committee also informed members of the e-Evidence IT decentralised system implementation and the upcoming Cybersecurity Act Review.  

📌 the Data Economy Committee, focusing on the strategically important topic of Data Retention, GDPR simplification and the e-privacy and AI components of the Digital Omnibus package.   

You can read more about the work of our Committees here.  

As always, EuroISPA’s General Meeting was a valuable moment to connect, coordinate, and look ahead together. With several key regulatory files on the horizon and new initiatives in development, 2026 is shaping up to be an important year and the collaboration across the association continues to be one of its greatest strengths. 

This General Meeting was yet another reminder of the strength of EuroISPA’s community: diverse perspectives, constructive dialogue, and a shared commitment to shaping a fair, secure and open internet environment in Europe. 

A warm thank you to all members who participated and contributed to the discussions, both in person and remotely. We look forward to continuing this important work together, and to meeting again at the first General Meeting of 2026! 

EuroISPA signs Global Statement on the Role of Encryption in Securing Trust and Enabling the Digital Economy

Last Monday, EuroISPA, along with over 60 other organisations, endorsed a Global Statement a Global Statement on the Role of Encryption in Securing Trust and Enabling the Digital Economy.

We believe that strong encryption is essential to the global digital economy. Encryption safeguards user privacy, protects sensitive data, and enables trust, which are foundations of commerce, communication, and innovation.

Any effort to undermine encryption, whether through backdoors, key escrow systems, or technical mandates, undermines that trust. Weakening encryption introduces systemic vulnerabilities that criminals and hostile actors can exploit.

We call on governments around the globe to advance policies that protect encryption as a vital enabler of digital trust and economic prosperity. Policymakers should strengthen, not weaken, the tools that protect our shared digital infrastructure

EuroISPA appointed new Board at General Meeting

Brussels, 18 November 2025 – EuroISPA, the pan-European association of Internet Service Provider Associations, appointed its new Board, including the Association’s President, Vice-President, and Treasurer, during its latest General Meeting in Brussels.

The new Board leadership includes Romain Bonenfant of Fédération Française des Télécoms as President, Lars Steffen of eco as Vice-President, and Dalia Coffetti of AIIP as Treasurer, alongside Stefan Ebenberger from ISPA Austria and Alex de Joode from AMS-IX as Board members. The Board is responsible for coordinating the activities and budget of the Association.

Romain Bonenfant spoke on his appointment as President of EuroISPA: “I am honored to take on the role of President after several years of active involvement on EuroISPA’s Board. We will stay true to our mission to represent Internet Service Providers by providing our technical expertise to EU institutions and stakeholders, and supporting our members through shared knowledge and best practices. Our strength lies in collaboration; Internet Service Providers need a strong, informed and united voice in Europe.”.

Lars Steffen highlighted EuroISPA’s role in uniting ISPs across Europe, noting that collaboration enables common approaches and clear positions to shape balanced frameworks. Newly appointed Treasurer Dalia Coffetti added that she looks forward to supporting EuroISPA’s priorities and working with the Board to ensure their efforts deliver meaningful impact.

About EuroISPA

Established in 1997, EuroISPA is the world’s largest association of Internet Services Providers Associations, representing over 3,300 Internet Service Providers (ISPs) across the EU and EFTA countries. EuroISPA is recognised as the voice of the EU ISP industry, reflecting the views of ISPs of all sizes from across its member base.

Download the Press Release here