GDPR blocks growth opportunities 

/in , ,

The EU’s General Data Protection Regulation (GDPR) promised harmonised rules and a stronger internal market. In reality, interpretations vary between member states, and case law is inconsistent. Companies live in uncertainty about which rules to follow in which country and this undermines the competitiveness of the entire economic area. 

The obligations of the GDPR are in many respects overly detailed and rigid. Contractual requirements, the 72-hour breach notification, and unclear rules on anonymisation and pseudonymisation create extra bureaucracy without real added value for data protection. Supervisory authorities treat guidelines as binding regulations, leaving risk-based thinking aside. 

Excessively strict interpretations also prevent the use of data in healthcare, research, and new digital services. When pseudonymisation cannot be applied flexibly, innovation stalls and international cooperation dries up. For example, telecom operators have enormous opportunities to develop business by using pseudonymised data generated by their networks: mobility patterns could be used in urban planning, service capacity, or tourism development without compromising individual privacy. Current restrictive interpretations, however, make this nearly impossible. 

The situation is made worse by conflicts between the GDPR and ePrivacy rules, as well as by authorities’ low notification threshold, which burdens oversight and wastes resources. In addition, the sanction mechanism is unbalanced: companies may face heavy penalties, while the public sector rarely faces administrative fines, even though authorities handle massive amounts of personal data. This is neither acceptable for citizens’ legal protection nor for equal treatment. 

A correction to the GDPR is essential. We need more consistent interpretations, risk-based regulation, sanctions that also apply to the public sector, and proportionality – so that data protection genuinely works for citizens rather than stalling European companies’ growth and the development of new business models. 

Elina Ussa

President of EuroISPA

and FiCom Managing Director

EuroISPA Monthly Report – July/August 2025

/in , ,

July and August saw continued progress on the EU’s digital policy agenda despite the summer break.  AI featured prominently, as the Commission finalised the General-Purpose AI code of practice, published the Guidelines on the scope of obligations for providers of GPAI under the AI Act, and launched a stakeholder consultation and call for expression of interest to support the development of guidelines and a code of practice on transparency obligations under the AI Act. Parliamentary debates and studies on generative AI, copyright, and AI liability continued to shape the political agenda.  

There were significant developments on the child protection front, as the Danish presidency continued negotiations on the Child Sexual Abuse Regulation proposal. The Commission also published the Guidelines under Article 28 of the DSA on the protection of minors online, accompanied by an Age Verification Blueprint, and launched calls for tenders for studies on online risks for children and the alignment of national measures with the DSA, as well as a consultation on its cyberbullying strategy.  

A political agreement on the EU-US trade deal was reached, with a Joint Statement confirming that there will be no network fees measures from the EU, and that the DSA and DMA were excluded from the negotiations. Its publication, however, was followed by threats of additional tariffs from President Trump towards countries adopting digital taxes or regulations harming US tech companies, drawing strong EU reactions. 

The EuroISPA Secretariat is closely monitoring these developments and is currently gathering input for key consultations, including on Data Retention and the upcoming Digital Fairness Act. Relevant deadlines are listed in the “Recent and ongoing activities” section of this newsletter. 

ONLINE CONTENT 

Denmark publishes latest version of the CSAR compromise text 

In its latest compromise text dated 24 July, to be discussed at the Council’s Law Enforcement Working Party on 12 September, the Danish Presidency maintains the core structure of its CSAR proposal from July 1st, notably preserving mandatory detection orders for high-risk services as the long-term solution, while extending the Temporary Regulation permitting voluntary detection for up to 72 months after the CSAR enters into force. It also maintains the same approach on encryption, prohibiting any requirement to decrypt or weaken encryption and introducing consent-based pre-transmission scanning as a condition for detection in encrypted environments. The latest text introduces a new requirement for providers to describe age-verification and age-assessment tools in their terms and conditions, while also mandating that details undermining their effectiveness not be disclosed (Article 4(4)).  

Global Encryption Coalition warns CSAR compromise text threatens encryption  

The Global Encryption Coalition (GEC) Steering Committee has issued a statement criticizing the Danish Presidency’s 1 July compromise text on the proposed EU Child Sexual Abuse Regulation (CSAR), warning it undermines end-to-end encryption. GEC argues that requiring service providers to scan for both known and unknown CSAM, including in encrypted environments, is ineffective, creates new vulnerabilities, and breaks the core principle of strong encryption that safeguards human rights. The coalition, which includes CDT Europe, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla, urges EU ministers to reject any form of mandated scanning, including client-side scanning, and to instead pursue measures that are technically sound, rights-respecting, and capable of effectively protecting children. 

The European Parliament to push for new legislation to fight online piracy 

On 16 July, the CULT committee adopted its own initiative report on the Role of EU policies in shaping the European Sport Model, coordinated by MEP Bogdan Zdrojewski (EPP, PL). Amendments calling the Commission for further legislation to combat piracy and for an extension of the KYBC provision were adopted. The finalised report is expected to be voted during one of the upcoming Plenary sessions. 

The European Commission issued guidelines on protecting minors under Article 28 of the DSA 

On July 14, the Commission published the guidelines clarifying Article 28(4) of the DSA, which sets out obligations for online platforms accessible to minors. According to the guidelines, platforms must implement proportionate measures to ensure high levels of privacy, safety, and security, including a ban on profiling-based advertising using minors’ data. The guidelines also mandate AI safeguards, user support tools, guardian controls, and transparent terms of service. While serving as a compliance reference for Article 28(1), they also emphasize alignment with the GDPR, AI Act, and BIK+ Strategy, with a review scheduled for December 2026. The guidelines were published alongside the Commission’s Age Verification Blueprint, which provides technical solutions to help platforms meet the DSA’s child protection requirements. 

EU Commission adopts Delegated Act on Data Access under the DSA 

On July 2 the Commission adopted a delegated act establishing harmonised rules and technical conditions for granting vetted researchers access to data from very large online platforms (VLOPs) and very large online search engines (VLOSEs), as required under the DSA. The aim of the delegated act is to facilitate research on systemic risks such as disinformation, algorithmic amplification, and online harms. It sets out which information should be published by platforms and Digital Services Coordinators (DSCs) to assist researchers in applying for access to data. Alongside the delegated act, the Commission also launched the DSA Data Access Portal, a central hub where researchers will find guidance, submit applications, and engage with platforms and regulators.  

European Commission opens consultation on Digital Fairness Act 

On 17 July, the European Commission launched the call for evidence to support an impact assessment on the upcoming Digital Fairness Act (DFA), open until 24 October. According to the text of the call for evidence, the DFA is expected in Q3 2026, may take the form of a Directive or Regulation, and will aim to address issues such as manipulative digital practices, addictive design (especially affecting minors), exploitative personalisation, and harmful influencer and pricing tactics. It will also seek to reduce legal fragmentation and compliance burdens for businesses across the EU. The impact assessment will explore strengthening consumer protection and trust online, with additional input to be gathered via surveys, stakeholder meetings, and public events, including the European Consumer Summit 2025. 

Commission launches consultation and call for evidence on its Action Plan against Cyberbullying 

On 22 July, the European Commission opened a public consultation and call for evidence to support the development of the Action Plan against Cyberbullying, running until 29 September 2025. The consultation invites input from stakeholders, including youth, educators, civil society, and online platforms, and is meant to complement other EU actions such as the Better Internet for Kids Strategy, age-verification solutions, and guidelines under the DSA. The call for evidence seeks input on definitions, national legislations and policies, and best practices related to cyberbullying.  

Commission launches call for tenders for a study on the compatibility of national measures with DSA. 

On 24 July 2025, the European Commission also launched a call for tenders for a study to assess how Member States have adapted their national legislation following the full application of the DSA. The study aims to map existing and upcoming legally binding national measures applicable to providers of online intermediary services and identify any overlaps or conflicts with the DSA that could lead to fragmentation of the Single Market.  

European Commission issues call for tenders to study risks and harms to minors online 

On 1 August 2025, the Commission launched a call for tenders to secure a support contract aimed at tracking the evolution of risks, harms, and benefits that children face on online platforms across the EU. This contract will provide comprehensive data and a monitoring framework to identify trends related to children’s online experiences, supporting enforcement and policy initiatives under the DSA, including the recent Guidelines on article 28(1). It will also gather insights into children’s perceptions and their needs from very large online platforms and search engines to enhance privacy, safety, and well-being online. The deadline to submit tenders is 15 September 2025.  

European Commission seeks experts to join Network for the Prevention of Child Sexual Abuse 

On 5 August the Commission launched a call for applications to join the newly established Network for the Prevention of Child Sexual Abuse, aimed at enhancing cooperation among Member States, researchers, practitioners, and stakeholders to support the implementation of EU policies and legislation on child sexual abuse and exploitation. The Network will focus on all aspects of prevention, including reducing risks of offending and of children becoming victims, promoting research, sharing best practices, and fostering international collaboration. The initiative is meant to deliver on a commitment under the EU Strategy for a more effective fight against child sexual abuse (2020-2025). The call is open to individual experts and organisations active in the field until 15 September.  

DATA ECONOMY 

EU court upholds EU-U.S. Data Privacy Framework despite legal challenge 

On 3 September, the EU’s General Court rejected a case brought by French lawmaker Philippe Latombe (T-553/23 – Latombe v Commission), who challenged the European Commission’s July 2023 adequacy decision that found the US provided “essentially equivalent” protection for personal data under GDPR. Latombe argued that the EU-U.S. Data Privacy Framework fails to prevent bulk collection of Europeans’ data by U.S. intelligence services and that the Data Protection Review Court (DPRC) created to address EU privacy complaints lacks independence. The court found instead that safeguards are in place to ensure the DPRC’s independence and that U.S. intelligence activities are subject to its oversight, meeting the requirements set out in Schrems II. It also underlined that the European Commission must continue to monitor whether the U.S. legal framework changes. Latombe has two months and ten days to appeal the ruling to the Court of Justice, limited to points of law. 

European Data Protection Board and European Data Supervisor support GDPR simplification and request clarifications 

On 9 July, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion supporting proposed amendments to the GDPR aimed at reducing administrative burdens for smaller companies. They welcomed the extension of the record-keeping exemption (Article 30(5)) to organisations with fewer than 750 employees, provided the data processing does not pose a high risk to individuals’ rights and freedoms. However, they requested clarification on the choice of this threshold and recommended aligning it with newly introduced definitions of small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs). They also supported extending the scope of Articles 40(1) and 42(1), concerning codes of conduct and certification, to both SMEs and SMCs. In addition, they called for confirmation that public bodies are not covered by the proposed exemption. Both authorities emphasised that simplification must not come at the expense of fundamental rights.  

LIBE Committee approves GDPR enforcement trialogue agreement  

Following the provisional agreement reached by the European Parliament and the Polish Presidency of the Council on 16 June to clarify and speed up cross-border enforcement of the GDPR, the Parliament’s LIBE committee adopted the text on July 15, with the plenary vote expected in October. 

European Commission publishes conclusions of Implementation Dialogue on Data Policy 

The Commission published the conclusions of the 1 July 2025 Implementation Dialogue on Data Policy. According to the conclusions, stakeholders including SMEs and larger tech companies agreed on the need to improve data access to foster innovation and welcomed horizontal legislation like the Data Act to reduce legal complexity. They also highlighted key challenges including fragmented enforcement, overlapping regulations, and issues related to interoperability and quality of data, and suggested potential solutions such as support through regulatory guidance and sandboxes, especially for SMEs. The feedback from stakeholders will inform the upcoming Digital Package on simplification and the European Data Union Strategy (for which the public consultation closed on 20 July).  

European Parliament study challenges Commission’s withdrawal of AI Liability Directive 

The EP’s Policy Department for Justice, Civil Liberties and Institutional affairs, at the request of the JURI Committee, released another study on artificial intelligence and civil liability, strongly criticizing the European Commission’s decision to withdraw the AI Liability Directive (AILD). The study argues that the original AILD proposal may have been so flawed that no legislation would have been preferable but still calls for a revamped approach. It recommends either introducing strict liability for high-risk AI systems through a revised directive (Option 4) or establishing a fault-based rule limited to high-risk AI (Option 3), while also suggesting the possibility of adopting a regulation instead of a directive. The study also argues that the revised Product Liability Directive (PLD) fails to adequately address AI-related risks. In a related development, MEP Tiemo Wölken (S&D, Germany) announced on 22 July his intention to bring a case before the CJEU against the Commission over its withdrawal of the AILD, following allegedly unanswered access-to-document requests. In August, the Commission officially confirmed its withdrawal of the Directive. 

Commission finalises GPAI code of practice and AI Act GPAI obligations come into force 

On July 10, the Commission published the final version of the GPAI code of practice, organised into three chapters on transparency, copyright, and safety and security. The Commission and the AI Board officially endorsed the Code of Practice on August 1. On August 2, GPAI obligations under the AI Act came into force (Chapter 5, Article 78 on data confidentiality and enforcement of intellectual property rights) but the application of the rules will be gradual, with the Commission enforcing full compliance with fines as of 2 August 2026, and models placed on the market before 2 August 2025 required to comply by 2 August 2027. 

Commission publishes Guidelines on the scope of obligations for providers of GPAI under the AI Act  

In a related development, on July 18, the Commission also published the guidelines on the scope of obligations for providers of general-purpose AI models. The Guidelines on GPAI aim to clarify key concepts, such as the terms of ‘GPAI model’, ‘provider of a GPAI model’ and ‘placing on the market of a GPAI model’, and how to estimate the computational resources used for training a GPAI model. 

Commission starts work on second Code of Practice on transparency obligations under AI Act 

At the end of August, the Commission held a workshop with stakeholders to present the framework, objectives and future drafting process for a new code of practice on transparency obligations, as provided by Article 50 of the AI Act. The AI Act requires AI providers to have labelling solutions that meet certain requirements: effectiveness, interoperability, robustness and reliability. To inform the discussions, the Commission shared three studies carried out by independent experts on the labelling of AI-generated text, audio and audiovisual content, analysing metadata labelling, watermarking and digital fingerprinting. The studies are meant as starting points and do not predetermine the code’s content. The drafting process is expected to begin this autumn, with the code and accompanying guidelines scheduled to enter into force on 2 August 2026. In early September, the Commission launched a stakeholder consultation and call for expression of interest to support the development of the code and the accompanying guidelines (both with deadlines on October 2).  

JURI Committee debated draft report on copyright and generative AI  

On 15 July, the JURI Committee discussed Axel Voss’s (EPP, DE) draft report on copyright and generative AI. Several MEPs raised concerns about a centralised EUIPO register, suggesting alternatives such as opt-in systems, blockchain, or collective management. MEPs Farreng (Renew, FR) and Cormand (Greens, FR) called for full transparency of training data and a reversed burden of proof, but criticising the proposed 5-7% lump-sum remuneration. EPP and S&D warned of generative AI’s threat to press plurality and cultural sovereignty. Axel Voss also organised a stakeholder roundtable to discuss his report on September 1, ahead of the deadline for amendments which is set for September 12 at 11am.   

CYBERSECURITY AND INFRASTRUCTURE 

Network fees in the EU-US Framework Agreement 

On August 21st, the EU and US issued the Joint Statement on the EU-US trade agreement, setting a 15% US tariff ceiling on most EU exports such as cars, pharmaceuticals, semiconductors. The statement follows the July 27 political agreement between Presidents von der Leyen and Trump, and suspends the EU’s recently adopted countermeasures. In paragraph 17, the statement indicates that the EU will not adopt or maintain network usage fees and that the US and the EU will not impose customs duties on electronic transmissions. 

EU Alliance unveils roadmap to advance digital sovereignty through open-source cloud, edge & Internet of Things 

On 8 July, the European Alliance for Industrial Data, Edge and Cloud released a thematic roadmap emphasizing how European open-source cloud, edge, and IoT technologies are essential to strengthening the EU’s digital sovereignty and global competitiveness. Titled “The Open-Source Way to EU Digital Sovereignty & Competitiveness”, the roadmap outlines how open-source solutions can improve security, cost-efficiency, innovation, flexibility, and sustainability. The Alliance also submitted recommendations on Common Trust Principles to the European Data Innovation Board, identifying gaps and calling for standardised, trustworthy frameworks for data sharing in cloud-edge ecosystems and data spaces.  

Commission proposes to sign and ratify the UN Convention against Cybercrime 

The Commission proposed to sign and ratify the United Nations Convention against Cybercrime, covering both substantive criminal law and judicial cooperation. For the first time, a global instrument will criminalise conduct related to child sexual abuse material, the grooming of children for sexual purposes, and the non-consensual dissemination of intimate images. The Convention also includes measures for international cooperation, including the extradition of suspects and the exchange of electronic evidence.  

It is now for the Council to adopt the Decisions authorising the Commission, on behalf of the EU, to sign and, with the consent of the European Parliament, conclude the Convention. Member States will also have to sign and ratify the Convention, in accordance with their national procedures. 

European Commission convenes High-Level Workshop on AI Compute Stack 

On 7 July, the Commission held a high-level multistakeholder workshop in Brussels on the AI Compute Stack, referring to the full range of infrastructure involved in AI development, from advanced chips to complete AI system integration. Organised as a targeted consultation, the event brought together stakeholders including chip designers, cloud infrastructure providers, and AI model developers. The workshop launched a discussion on strengthening Europe’s role in the AI compute landscape, where complex AI models require more integrated and sovereign technical solutions. Participants discussed current trends in AI hardware, systems, and models, shared insights on compute needs, and explored collaboration opportunities. The initiative aims to reduce external dependencies and contribute to Europe’s strategic autonomy in AI infrastructure.  

ENISA to operate the EU Cybersecurity Reserve 

The Commission and ENISA signed an agreement for the administration of the EU Cybersecurity Reserve of €36 million under the Cyber Solidarity Act. The Cybersecurity Reserve is designed to enhance the Union’s capacity to respond to and recover from major cyber incidents providing access to incident response services delivered by vetted providers. The Reserve will be available to entities operating in sectors deemed critical or highly critical under the NIS2 Directive, including areas such as healthcare and energy. 

MISCELLANEOUS 

EU-US trade agreement Joint Statement confirms DSA/DMA excluded from talks 

As mentioned above, the EU and US issued a Joint Statement on the EU-US trade agreement on 21 August. Interestingly, the Commission also confirmed that the DSA and DMA, were excluded from the EU-US trade talks but did not rule out their inclusion in future discussions. The publication of the Joint Statement was followed by threats of additional tariffs from President Trump towards countries adopting “digital taxes, legislation, rules or regulations” harming US tech companies, eliciting strong responses from European officials, including Prosperity and Industrial Strategy Commissioner Stéphane Séjourné, and Commissioner for Tech Sovereignty, Security, and Democracy Henna Virkunnen

EPP pushes for a “light” version of the GDPR for SMEs, stricter online ad rules, and digital sovereignty According to a document seen by Mlex, The European People’s Party (EPP), the EU’s largest political group, is preparing a position paper urging the European Commission to introduce a “light” version of the GDPR for small and medium-sized enterprises to ease compliance burdens, while also calling for tougher restrictions on online advertising. It also supports modernizing GDPR enforcement and addressing fragmented interpretations across member states. The draft highlights priorities including stronger protections for minors, greater transparency and accountability in algorithms, and reinforcing Europe’s digital sovereignty.  The paper stresses that these political objectives should be adopted swiftly through coordinated action within the group and across EU institutions, with a dedicated EPP team to lead the initiative. 

Franco-German agenda to boost cutting-edge tech, sovereignty and simplification 

At their 25th Council of Ministers, France and Germany launched an agenda to strengthen Europe’s technological sovereignty and competitiveness. They pledged deeper cooperation on cutting-edge technologies such as AI, quantum, cloud and space, with joint initiatives on generative AI models (IPCEI-AI), high-performance computing, and a quantum computing ecosystem. Both sides committed to reinforcing digital sovereignty through a high-level summit on November 18, and to presenting joint positions on AI, cyber and data regulation, including proposals to simplify the EU’s legal framework. They also stressed the need to reduce bureaucracy across the Single Market, backing the Commission’s simplification packages and urging a “new legislative mindset” to ease regulatory burdens for SMEs and scale-ups. Following this approach, they are pushing to ease GDPR obligations through the omnibus simplification package, seeking to go beyond the Commission’s proposal to raise the employee threshold under which companies are exempt from keeping GDPR records, by adopting a more general risk-based approach that reduces reporting requirements for SMEs  without undermining the regulation’s effectiveness. 

Austria presents digital sovereignty charter proposals 

Austria circulated a paper to Member States titled “Shaping Digital Sovereignty – Cornerstones for a Common Charter”. The paper highlights risks ranging from geopolitical tensions, cyberattacks, disinformation, and Europe’s dependence on non-European tech firms, which are amplified by rapid AI developments. Austria calls for a European strategy based on independence, innovation, data protection, and values, aligned with the Digital Decade 2030 goals. Proposals in the paper include a pan-European stocktaking exercise to identify best practices and hidden champions, stronger cooperation on joint open-source solutions, and promotion of open-source in public procurement. The paper also stresses the need to expand data sovereignty as a “strategic resource,” strengthen intra-EU cooperation on data protection, and invest in digital skills to retain top talent. Austria will ask EU Member States to share their goals and recommended actions to bolster Europe’s digital sovereignty in a dedicated dialogue during the TELECOM WP meeting of 12 September.  

Danish Presidency outlined digital priorities in the Parliament’s JURI, IMCO, CULT and ITRE Committees 

The Danish Presidency outlined its digital priorities across Parliament committees. Key digital priorities include simplifying the EU cyber legislation framework, updated copyright regulation to ensure fair remuneration or effective licensing in response to AI’s impact on the creative sector, and protecting minors online (including through the enforcement of the DSA, stronger age verification rules and action against addictive design). Digital Affairs Minister Caroline Stage Olsen also supported postponement of AI Act provisions to give small companies more time to comply.  

Promoting Sustainability through Digital Infrastructure

/in , ,

As underscored in EuroISPA‘s Position Paper on Sustainability, the role that digital technologies and infrastructure play in driving environmental responsibility across the economy is crucial. From reducing energy consumption in telecom networks to encouraging investments in sustainable data centres, the paper presents actionable strategies for driving a greener future powered by responsible digitalisation.  

Digitalisation already plays a key role in sustainability, replacing outdated, energy-intensive technologies with more efficient alternatives. For instance, 5G networks consume 80% less energy than 4G, and fiber optic cables use five times less energy than copper. This high-performance connectivity creates opportunities for energy savings across all sectors. 

However, more can be done. EuroISPA advocates for proactive measures, such as phasing out aging 2G and 3G equipment, fostering industry collaboration, and sharing best practices to optimise data distribution. Consistent regulation and increased investment in renewable energy infrastructure are also vital in ensuring that Europe’s digital ecosystem remains both competitive and sustainable. 

Data centres as the backbone of digitalisation, key to decarbonising the EU economy. EuroISPA encourages further investment in EU-based data centres, supported by renewable energy, to enhance both competitiveness and environmental sustainability. 

The digital infrastructure sector holds the key to a greener future, and we at EuroISPA are committed to leading that transition. By promoting energy-efficient technologies and investing in sustainable data centres, we can drive decarbonisation across Europe, ensuring both sustainability and digital resilience. 

By embedding sustainability into every level of the digital supply chain, EuroISPA envisions a future where responsible digitalisation powers a greener, more prosperous Europe. 

Lars Steffen

EuroISPA Vice President

Head of International, Digital Infrastructures & Resilience of eco – Association of the Internet Industry

EuroISPA publishes its Vision for the EU mandate 2024-2029

/in , , ,

EuroISPA is excited to publish its Vision for the 2024–2029 EU Mandate, a strategic document that outlines a clear, actionable roadmap to strengthen Europe’s digital resilience, competitiveness and innovation.

In a time of rapid technological evolution and increasing global competition, Europe must pivot from being a “regulatory hyperscaler” to a continent that fosters investment, entrepreneurship and forward-looking policymaking. Our Vision identifies six key strategic priorities:

  1. Completing the Digital Single Market to reduce fragmentation and scale innovation.
  2. Simplifying regulation to empower disruption and reduce compliance burdens, especially for SMEs.
  3. Building secure and resilient digital infrastructure that supports technologies like AI and quantum computing.
  4. Defending European rights and democratic values, including strong privacy and encryption protections.
  5. Maintaining openness to global cooperation while safeguarding strategic autonomy.
  6. Advancing the green transition through smart digital sustainability and energy efficiency.

EuroISPA and its members remain committed to working closely with EU institutions and stakeholders to help shape a digital Europe that is open, competitive and aligned with core democratic principles.

Read the full Vision for 2024–2029 here: EuroISPA Vision for the EU mandate 2024-2029

EuroISPA Monthly Report – May/June 2025

/in , ,

May and June saw continued movement across the EU’s digital policy agenda, with institutional work progressing on several fronts. Consultations on the upcoming Digital Networks Act gained pace, with a call for evidence launched on 6 June and open until 11 July, for which EuroISPA has prepared its own submission. Data protection also remained high on the agenda, as the GDPR enforcement package advanced through the legislative process and preparations began for a dedicated implementation dialogue with stakeholders. Work on data retention is also ongoing, with the Commission seeking input from stakeholders throughout the summer.  

Among content-related developments, the Commission requested clarification on Italy’s Piracy Shield, raising concerns about its alignment with the DSA and the risk of overblocking. Other developments included continued parliamentary discussions on generative AI and copyright, and the presentation of the EU’s International Digital Strategy, which emphasised the importance of global partnerships in key areas such as cybersecurity, AI and connectivity.  

The EuroISPA Secretariat has been closely monitoring these developments and continues to gather input from members to ensure their engagement across key consultation processes, with all relevant deadlines listed in the “Recent and ongoing activities” section at the end of this newsletter.

Finally, an important highlight for EuroISPA in the past month was also the second General Meeting of the year, hosted by FFT in Paris.

ONLINE CONTENT 

Denmark publishes its new CSAR compromise text 

In their compromise text from 1 July, to be discussed during the Law Enforcement Working Party of 11 July, the Danish Presidency introduced several key changes, the most significant one regarding the removal of the voluntary detection from the long-term Regulation, shifting responsibility entirely onto detection orders issued through judicial or administrative processes. At the same time, the Regulation significantly strengthens safeguards around encryption, detection technologies, and user rights. On E2EE particularly, the new draft clearly prohibits any requirement to decrypt or weaken encryption and introduces consent-based pre-transmission scanning as a condition for detection in encrypted environments. More precisely on encryption, orders may only apply to encrypted services if detection occurs before transmission and with the explicit consent of the user. Providers must allow non-consenting users to continue using parts of the service that do not involve the transmission of visual content or URLs. Overall, the proposal resembles strongly the Belgian one – including reinforced procedural checks and a narrower detection scope. 

Commission questions legality of Italy’s Piracy Shield under the DSA 

In a letter dated 13 June to the Italian Communications Authority (AGCOM), the European Commission raised concerns about Italy’s anti-piracy tool, the Piracy Shield, requesting further clarification. The Commission argued that the DSA does not provide a legal basis for national authorities to issue content removal orders, nor does it specify how such orders should be enforced. It also warned that the current Italian framework could lead to overblocking. Additionally, the Commission stressed third parties affected by the streaming of illegal online content and users of the services must be involved in tackling the issue.  

Implementing regulation on harmonised transparency reporting under the DSA now in effect

On 1 July the Commission’s implementing regulation on harmonised transparency reporting under the Digital Services Act entered into force. It sets a standard format and schedule for transparency reports by intermediary services, covering content removals, automated moderation, and account suspensions. Intermediary services must publish annual reports by February, while very large platforms and search engines must report twice a year, in February and August, starting in 2026.

European Parliament report on Generative AI & Copyright published  

The long-awaited own initiative report by MEP Axel Voss (EPP, DE) “Copyright and Generative artificial intelligence – opportunities and challenges” is set to be presented and discussed next week in the JURI committee, on 15 July (deadline for amendments: 12 September). The report, although discouraging the reopening of the Copyright Directive, affirms that the TDM Exception is not applicable to Generative AI systems, suggesting therefore an additional legal act to solve the impartiality that this creates between creators and AI developers. It also acknowledges the importance of AI for innovation, and therefore asks for more transparency when it comes to the training of AI systems with the intention to create a fairer remuneration system. This includes a standardised and machine-readable way for artists to opt-out from the training as well as the creation of quick mechanism of remuneration. The EUIPO is suggested as a mediator in this process, including the management an opt-out registry.  

Parliament focuses on strengthening minors’ protection: key amendments 

The European Parliament’s draft INI report on minors’ protection has attracted over 460 amendments, signaling a push to toughen rules. Major themes include stronger action against addictive social media features, calls for platform bans and personal liability for executives, and demands for greater transparency on advertising revenues targeting children. The Digital Fairness Act is frequently referenced as a key tool to address these harms. Lead MEP Christel Schaldemose (S&D, DK) plans to increase the report’s ambition based on this broad input. The CULT committee will hold an expert hearing in July to support the debate. 

Digital Fairness Act consultation still in the waiting 

The imminent consultation on the so-called DFA will include questions on topics like dark patterns, influencer marketing, advertising, vulnerable consumers and simplification and will be open for three months. 

For the stakeholders who would like to share their thoughts already, a good option is to submit some ideas via the Consumer Agenda 2025-2030 consultation, open until 31 August and which will also feed into the DFA. 

DSA Guidelines on Minors likely delayed until summer break 

Guidelines on the protection of minors under the Digital Services Act, initially expected in Q1 2025, are now likely to be finalised before the summer break, Commission officials said during a workshop on June 6. However, due to the high volume of stakeholder responses, officials acknowledged that further delays remain possible. 

Preparations on the European Democracy Shield resume 

In the draft Council conclusions “on access to reliable news as part of the European Democracy Shield,” Member States call for levelling the playing field between traditional media and digital platforms. In the document, EU countries invite the European Commission to examine how competition law can be used to make the advertising market more accessible to editorial media, to standardise prominence requirements under the Audiovisual Services Media Directive for digital platforms and gatekeepers to uniformly boost reliable journalism and to include “media-like actors,” i.e. influencers and content creators, into editorial accountability regimes. The draft conclusions will be discussed by the Council’s Audiovisual Working Party on Friday. As a reminder, the European Parliament is also working on an own-initiative report meant to feed into the European Commission proposal, set to be presented in the autumn. 

DATA ECONOMY 

Commissioner McGrath organises implementation dialogue with stakeholders 

On 16 July, Commissioner Michael McGrath will host an implementation dialogue on the application of the GDPR with civil society and business organisations. The discussion will be structured around four themes, namely simplification, compliance, interaction with other legislation and increasing legal certainty. 

European Commission presents Roadmap for effective and lawful access to data for law enforcement 

On June 25, the European Commission unveiled a new Roadmap aimed at improving law enforcement’s ability to access digital data in a lawful and efficient manner. This initiative is part of the ProtectEU Internal Security Strategy and responds to rising digital evidence needs in criminal investigations. The Roadmap outlines six priority areas: updating data retention rules, improving cross-border lawful interception, enhancing digital forensic capabilities, developing lawful decryption tools, standardising security practices, and supporting AI-driven evidence analysis. Key actions are scheduled between 2025 and 2030. The Commission invited Member States to discuss the Roadmap during the Informal Justice and Home Affairs Council on 22 and 23 July. 

Last draft of the Code of Practice on General Purpose AI models on the way 

On 7 July, the AI Office held a workshop to encourage Big Tech firms to endorse the voluntary Code of Practice on general-purpose AI. While industry welcomed the code’s alignment with the AI Act, civil society groups criticized their exclusion from the drafting process and raised concerns about missing provisions on transparency, whistleblower protections, and safety. 

The Commission is expected to publish the final draft on 10 July. It is also consulting Member States via the AI Board, which must confirm the code’s adequacy. A joint assessment by the Commission and AI Board is due by mid-August. The next AI Board meeting is set for 18 September. 

Henna Virkkunen launches first implementation dialogue on data policy 

At the beginning of July, the Finnish Commissioner launched her first implementation dialogue, a restricted consultation format focused on data policy (Data Act, the Data Governance Act, and the Open Data Directive). The objective of this dialogue was to identify solutions to streamline and simplify regulations. These results should inform discussions on the digital simplification omnibus and the new Data Union strategy, both expected at the end of the year.  

Negotiations on GDPR enforcement rules see the end 

On 16 June the European Parliament and the Polish Presidency of the Council reached a provisional agreement to clarify and speed up cross-border enforcement of the GDPR. The new rules set deadlines for investigations (15 months for complex cases and 12 months for simpler ones, with possible extensions), and introduce a streamlined cooperation process to resolve straightforward cases faster. The agreement also strengthens complainants’ rights by improving their access to information and ensuring they can be heard before decisions are made. The law encourages early consensus-building among data protection authorities to foster consistent GDPR enforcement across the EU.  

The European Parliament committee LIBE is set vote on the text on 14 July, while the plenary vote is planned to take place in October. 

European Data Union Strategy consultation published  

The Commission published the Call for Evidence and a Public Consultation for the Data Union Strategy, open for eight weeks until 18 July. The initiative presents three objectives: 1) stimulating investments into data technologies and make available certain data assets through voluntary measures or funding to scale-up data use and availability, for example, in the development of generative AI, 2) to simplify and consolidate the current framework and 3) to develop and ‘international data strategy’, which should include actions to safeguard the export of EU data, as well as actions to stimulate data import into the EU. 

The consultation is based on a questionnaire divided into sections asking for the potential review of the Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive. Finally, it includes questions about the potential future EU actions when it comes to consolidation of data legislation, data availability in the EU, administrative burden reduction through data, international dimension, and data sharing standards.  

CYBERSECURITY & INFRASTRUCTURE 

Plum publishes study on negative impact of legally mandated dispute resolution in IP interconnection 

On 4 July, Plum Consulting published a CCIA-commissioned study warning against legally mandated dispute resolution in IP interconnection, arguing it is largely unnecessary and unworkable due to the technical complexity of interconnection and the prevalence of amicable commercial agreements. The study cautions that such mandates could normalise network fees, encourage strategic disputes by large ISPs, and lead to a “Sending Party Network Pays” model, increasing paid peering. This would disproportionately harm smaller content providers and ISPs, raise costs, reduce competition, fragment the EU digital market, and ultimately undermine innovation, SMEs, and consumers. 

Commission to present Data Centre Energy Efficiency Package in early 2026 

The European Commission will present a data centre energy efficiency package in Q1 2026, as part of a broader push to curb rising electricity use driven by AI and digitalisation. Indeed, Energy Commissioner Dan Jørgensen cited that data centres now account for nearly 3% of the EU’s total electricity demand. The initiative will be released alongside the Strategy Roadmap on Digitalisation and AI and forms part of a wider set of energy efficiency actions. For now, it remains unclear whether the package will include legislative proposals. In parallel, the Commission is working on a labelling scheme under the Energy Efficiency Directive and is considering fast-track permitting for highly efficient data centres under the forthcoming Cloud and AI Development Act. 

Germany rejects cloud protectionism, urges competition with U.S. providers 

Germany’s new digital minister Karsten Wildberger has called for a competitive, not protectionist, approach to cloud sovereignty in the EU. In an interview with Politico, he stressed that technological independence should not come from excluding U.S. hyperscalers, which currently dominate over two-thirds of the European market, but from building competitive European alternatives. In parallel, several Member States – including Germany, Poland, the Baltic States, the Czech Republic and Spain – are actively vying to host AI gigafactories, seen as a cornerstone of Europe’s ambition to boost computing power and strategic tech autonomy. 

EVP Henna Virkunnen and MEPs issue Joint Declaration at the 2025 IGF

Henna Virkkunen and five Members of the European Parliament (from EPP, S&D and ECR) in a joint declaration support of a multistakeholder, rights-based approach to internet governance. They called for the IGF to become a permanent, UN-funded body with inclusive participation from developing countries. The statement highlighted the need to address digital divides, adapt governance to technologies like AI, and align WSIS+20 efforts with the Sustainable Development Goals and the Global Digital Compact. The signatories opposed intergovernmental control and internet fragmentation, advocating innovation-friendly tools such as governance sandboxes. 

ENISA’s NIS2 issues Technical Implementation Guidance 

On 26 June, ENISA published its NIS2 Technical Implementation Guidance. The non-binding document covers 13 key concepts and cybersecurity practices and provides guidance and examples of evidence for each. Concepts of interest for EuroISPA include recommendations around security policy, risk management, incident handling and supply chain security. 

MISCELLANEOUS 

Denmark starts chairing the Council Presidency 

On 1 July, the Danish Presidency of the Council of the European Union kicked off. Under the Danish Presidency, several progress reports are expected, including on the digital aspects of the post-2027 Multiannual Financial Framework (MFF), scheduled for presentation on July 16. Other issues expected by end of year will be subject to mere “information” from the Presidency, such as the Digital Networks Act, the regulation on the development of cloud computing and AI, or the “omnibus” digital simplification package. While awaiting legislative initiatives, the Danes will also work on non-binding conclusions, notably on technological sovereignty. Finally, interior ministers will draw up a state of play on the issue of data access by law enforcement in mid-October. 

The European Commission is still aiming for an agreement with the United States by July 9 

Washington has now announced that, in the absence of an agreement, customs surcharges will apply starting August 1, suggesting that the negotiation window could still be extended. For the Europeans, the dilemma remains unchanged: either accept an “asymmetrical” deal that preserves U.S. tariffs or risk a confrontation that could lead to even higher duties. This choice was discussed at an ambassadors’ meeting on July 4. Aiming to remain conciliatory, the Commission has temporarily put on hold a list of retaliatory measures prepared in May and June, which currently excludes actions targeting services. “There are no immediate plans to act on this list, but that may change,” a Commission spokesperson noted. 

European Commission’s DG CONNECT gets a makeover 

The European Commission published the new organigramme of its Directorate-General for Communications Networks, Content and Technology (DG Connect) on 1 July. The new structure establishes the division into two separate directorates of the former “Platforms” directorate, previously responsible for the application of the DMA and DSA Regulations. Rita Wezenbeek, who takes over the new directorate responsible for the online platform economy, is also acting as head of the new “e-commerce” unit. Prabhat Agarwal, head of unit responsible for the DSA (“Risk Assessment and User Rights”) will be acting as head of his new directorate dedicated to the societal aspects of online platforms, as well as the new unit on the protection of minors. 

International Digital Strategy unveiled  

At the beginning of June, High Representative Kallas and EVP Virkkunen unveiled the International Digital Strategy: it stresses the EU’s necessity to collaborate with global players, such as U.S. companies, recognising the importance of international partnerships and remaining open to like-minded countries. 

It includes objectives such as deepening the existing Digital Partnerships and Dialogues, broadening the existing cooperation network and expanding the network of digital trade agreements, strengthening Security & Defence Partnerships as regards digital issues through Digital Trade Agreements. 

The strategy includes actions on secure connectivity, emerging technologies, artificial intelligence, 5G/6G, cybersecurity, digital identity and Digital Public Infrastructure (DPI), online platforms, internet governance. 

Trilogue talks begin on EU Foreign Direct Investment Screening   EU institutions launched trilogue negotiations on June 17 to revise the EU’s foreign investment screening framework, a key component of Commission President von der Leyen’s economic security strategy. The proposal would make screening mechanisms mandatory across all Member States and further harmonise rules on sensitive sectors. Tensions are expected between Parliament and Council: Member States seek a narrower list of critical technologies (e.g. semiconductors, AI), while Parliament- led by MEP Raphaël Glucksmann (S&D, FR) – advocates for a broader scope including aerospace, rail, and automotive. Another point of friction is the Commission’s role, with Parliament supporting greater oversight by the EU executive, which the Council opposes. The first trilogue served as an introductory meeting, with substantive negotiations set to follow. An agreement is targeted by year-end. 

EuroISPA Response to the Digital Networks Act Call for Evidence

/in , ,

EuroISPA contributed to the European Commission’s consultation on the upcoming Digital Networks Act (DNA) and emphasises the importance of a transparent, inclusive and proportionate approach to reforming the EU’s electronic communications framework.

EuroISPA’s key messages:

  • Defining limits to harmonise access regulation and network transition: Harmonised access products must remain optional and copper switch-off plans must reflect national readiness and diversity.
  • Advancing harmonisation and simplification: Simplification must lower administrative burdens without compromising national flexibility or increasing regulatory overlap.
  • Enabling technology-neutral connectivity framework: A level playing field for fibre, wireless and satellite is essential to closing the digital divide.
  • Aligning environmental legislations with existing EU frameworks: Environmental rules should align with existing horizontal ESG frameworks, avoiding telecom-specific duplication.
  • Distinguishing consumer protection from enterprise services: Enterprise and public sector services should be exempt from consumer protection rules due to their bespoke nature.
  • Ensuring proportional and non-redundant governance structures: Knowledge sharing is welcome, but expanded EU-level powers must respect the principle of subsidiarity.
  • Focusing on demand-side gaps and digital skills: Efforts should address adoption barriers and digital skills rather than expanding costly Universal Service Obligations.
  • Maintaining a consistent commitment to net neutrality: Net neutrality must remain a cornerstone of the open internet and be upheld without reinterpretation or compromise.

Read the full response to the European Commission here.

The future of digital infrastructure: what’s next after the European Commission’s White Paper

/in , ,

With the publication of its White Paper on digital infrastructure in 2024, the European Commission has finally launched a long-overdue debate on the future of the telecom regulatory framework. EuroISPA has taken an active role in these discussions, committed to shaping an ambitious vision for the sector. Engaging with policymakers to highlight the essential role of Internet Service Providers (ISPs) in fostering innovation, resilience, and the twin transition, we reaffirm our dedication to keeping telecom networks at the heart of Europe’s economic and technological leadership. 

As we move towards 2030, unlocking the necessary investments to achieve the Digital Decade connectivity targets remains a top priority. To this end, Europe must establish a regulatory framework that incentivises investment, notably through a comprehensive Digital Networks Act, ensuring a robust, sustainable, and competitive telecom ecosystem for the future. 

Achieving true internal market integration will largely depend on harmonising and streamlining regulations across multiple areas, including infrastructure investment, spectrum management, and taxation. This also requires assessing the relevance of existing sectoral rules alongside broader horizontal frameworks. The regulation of our sector must adopt a more coordinated approach and foster investment-friendly conditions while preserving effective national frameworks and ensuring fair competition. 

Prioritising network sustainability is also crucial to supporting the green transition of our economy. The telecom industry plays a key role in driving sustainability gains across sectors and reducing its own environmental footprint by replacing legacy technology with more energy-efficient infrastructure. The inclusion of connectivity networks in the EU Taxonomy for sustainable finance is a positive step toward securing funding for greener networks. Additionally, engaging with equipment suppliers and digital service providers across the entire value chain will be essential to adopting the most efficient technologies, achieving net-zero emissions, and ensuring optimal network efficiency. 

Looking ahead to 2025, we believe the Digital Networks Act must serve as a cornerstone for turning these priorities into concrete action. By simplifying regulation, securing investment, and strengthening network sustainability and security, Europe can build digital infrastructures that are both competitive and future-proof. EuroISPA and its members remain committed to working alongside European stakeholders and institutions to ensure these vital reforms become a reality. 

Romain Bonenfant

EuroISPA Board Member

Managing Director of FFTélécoms – Fédération Française des Télécoms

EuroISPA Letter to the European Commission on e-Evidence

/in , ,

In this letter to the European Commission, EuroISPA shares some key concerns, open questions and requests for clarification on the implementation of the e-Evidence Regulation and Directive, in anticipation of the upcoming implementing acts and the operationalisation of the decentralised IT system.

  • Clarify legal scope and applicability: EuroISPA calls for clear guidance on how the Regulation and Directive apply to service providers operating only within one Member State, especially to ensure legal certainty for smaller companies.
  • Ensure technical security and process integrity: Mandatory end-to-end encryption (E2EE), verified authentication of issuing authorities and provider-specific input fields are essential to safeguard data and streamline operations.
  • Define realistic implementation timelines: EuroISPA stresses the need for a clear roadmap, adequate lead times and technical support to avoid delays and operational disruptions during the transition to the decentralised IT system.
  • Provide fair and transparent cost reimbursement: The framework should cover both initial and ongoing compliance costs, with harmonised, accessible mechanisms for service providers to recover expenses and enforce payment.
  • Anticipate and manage request volumes: The Commission should publish request volume forecasts and engage continuously with ISPs to prepare for potential surges in legal data access requests.
  • Uphold fundamental rights: Strong safeguards, data minimisation, procedural clarity and full transparency must be upheld throughout implementation, especially to prevent over-reliance on emergency measures.

Read the full letter to the European Commission here.

EuroISPA Contribution to the Cybersecurity Act Review

/in ,

EuroISPA contributed to the online survey of the European Commission on the Cybersecurity Act, emphasising on the following considerations:

  • Preserve a technical focus in certification: Cybersecurity certification schemes should remain strictly technical, avoiding political or sovereignty-based criteria to maintain neutrality, credibility, and cross-border interoperability.
  • Reinforce ENISA’s role: ENISA should have a stronger mandate to harmonise standards across the EU, promote international standards, and ensure transparency and stakeholder involvement in certification development.
  • Simplify and harmonise regulatory frameworks: The CSA should align with other EU regulations (like NIS2, CRA, GDPR, DORA), introducing unified reporting thresholds and single incident-reporting points to reduce overlapping obligations.
  • Support SMEs with proportionate compliance: SMEs should be allowed to use simplified, self-declared compliance processes to avoid excessive regulatory burdens that could hinder their participation in the digital economy.
  • Exclude internal-use tools from certification: Software and tools developed in-house and not marketed externally should be exempt from certification, unless used in critical infrastructure, to prevent unnecessary regulation.
  • Protect open-source and small-scale developers: The CSA must account for the vital role of open-source and small developers by ensuring certification schemes are affordable, inclusive, and supportive of innovation and diversity.

Read more here.

EuroISPA General Meeting in Paris: a recap

/in , ,

Paris, June 16-17, 2025

Earlier this week, the EuroISPA community travelled to Paris for the second General Meeting of the year, bringing together our members, Board Officers and Secretariat, kindly hosted by our French member Fédération Française des Télécoms (FFT).  

Between committee updates, policy discussions, guest speakers, and strategy sessions, it was truly a pleasure to meet and work together to shape the future of the Internet, discussing on the most pressing issues and priorities and how our unique association can tackle them.  

We were delighted to host a roundtable discussion with experts from the Council of Europe on the Second Additional Protocol to the Budapest Convention, which aims to enhance cooperation on cybercrime and improve the ability of criminal justice authorities to collect electronic evidence. Big thank you to the CoE representatives who joined us for this fruitful exchange:  

Pedro Verdelho, Chair of the Cybercrime Convention Committee (T-CY) 

Jan Kralik, Programme Manager, T-CY 

Jutta Dinca, Programme Manager, CyberSPEX 

We also had the pleasure of welcoming high-level speakers from the Frech regulatory landscape, with whom our members had the opportunity to discuss and debate on relevant matters for the internet industry: 

•  Benoît Loutrel, Board member of the French Regulatory Authority for Audiovisual and Digital Communication (Arcom) on the implementation of the Digital Services Act and regulation of platforms 

•  Sandrine Elmi Hersi, Head of Unit at the French Regulatory Authority for Electronic Communications, Postal Services and Print Media Distribution (Arcep) on the eco-design of digital services, including data centers and AI 

The agenda included as usually exchanges on relevant updates at national level, as well as agreeing and joining forces for the strategic way forward for current topics of attention in our Committees’ work: 

📌 the Online Content Committee, tackling in particular the way forward on the Digital Services Act guidelines on the protection of minors, Piracy, Copyright and the Digital Fairness Act; 

📌 the Data Economy Committee, strategically focusing on the central topic of Data Retention and ProtectEU Strategy, the GDPR simplification and IV omnibus package and the state of play of the AI Act implementation; 

📌 the Cybersecurity & Infrastructure Committee, setting the agenda for relevant initiatives ahead such as the Cyber Blueprint, the energy data centre rules and the Digital Networks Act. The committee also adopted a EuroISPA letter to be sent to the European Commission on e-Evidence, a central topic for our association. 

You can read more about the work of our Committees here

Last but not least, following a strong collaborative effort and thoughtful deliberation, EuroISPA members have adopted the EuroISPA Vision 2024–2029. This document outlines key priorities and forward-looking recommendations for the new mandate and will be published on our website soon. 

In general, EuroISPA’s work on current relevant public consultations and positioning is thriving, therefore stay tuned for more updates and upcoming positions on our website and LinkedIn channel! 

Thank you to all our members who participated actively in the discussions and to our guest speakers for providing valuable insights. 

The next EuroISPA General Meeting will be held in Brussels in November – already looking forward to meeting our members again! 

Contact details

EuroISPA

38, Rue de la Loi
1000 Brussels

+32 2 789 6618

[email protected]

General contact information | Privacy policy