EuroISPA Monthly Report – October 2025

Institutional activity intensified in October, with negotiations progressing on many files. 

The Danish presidency announced its intention to drop mandatory detection orders from its compromise text on the CSAM Regulation and continue negotiations on the basis of a permanent extension of the interim derogation permitting voluntary scanning. The Commission, Council and Parliament were also very active on the protection of children online, debating the way forward on age verification and a digital age of majority. The public consultation on the Digital Fairness Act closed on 24 October, with EuroISPA submitting its position.  

Stakeholders continued to discuss key topics on the data economy front, including the implementation of the AI Act and the GDPR, as well as the ongoing impact assessment on data retention. On cyber and infrastructure, the Commission unveiled the Cloud Sovereignty Framework, and there are ongoing discussions in the Council on the common criteria for sovereign cloud services. The Cybersecurity Act Review and the Digital Networks Act proposals have been postponed until 20 January 2026. 

Ahead of the publication of the upcoming Digital Omnibus Package, which is due on 19 November, leaked DG CNECT documents suggest the package will be divided into two separate proposals: one on data and cyber, and another on AI.  

The EuroISPA Secretariat is closely monitoring these developments, with recent and ongoing EuroISPA activities listed in the corresponding section below. The Secretariat is also preparing EuroISPA’s third annual General Meeting, which will take place at our offices in Brussels on 17-18 November.  

ONLINE CONTENT 

Danish presidency dropping mandatory detection orders from CSAM Regulation compromise text 

In a note shared with Member States on Thursday, 30 October, Denmark proposed dropping mandatory detection orders from its compromise text and permanently extending the interim derogation permitting voluntary scanning, which is currently expiring in April 2026. Under the revised approach, companies would still have to conduct risk assessments, with voluntary detection listed as a possible mitigation measure, while some components of the previous text would retained, notably the ability to issue blocking and removal orders, reporting obligations, and the creation of the EU Centre. Denmark also intends to include a review clause which would allow the Commission to reassess, in light of technological progress, whether mandatory detection orders could become necessary and feasible in the future. At the Coreper II meeting on 5 November, Member States gave their green light to continue negotiations on this basis, with the caveat that they hadn’t seen a full legal text yet. Denmark is expected to prepare a revised text ahead of discussions at the 12 November Law Enforcement Working Party.  

EU debates continue on the protection of minors online and a digital age of majority 

At EU level, the Commission is aiming to convene, by the end of the year, an expert panel assessing the best approach to a digital majority age at EU level, and said that its recommendations should be evidence-based. The European Council conclusions on 23 October also stressed the importance of a “digital age of majority for accessing social media, respecting national competences”. On the European Parliament side, the IMCO committee adopted its own-initiative report on the protection of minors on 16 October, calling for an EU-wide digital age limit of 16 for access to social media, below which parental consent would be required. The CULT committee is working on its own draft initiative report on the impact of social media for youth mental health, on which IMCO, LIBE and FEMM are preparing opinions.

Stakeholders and institutions continue working on piracy of live content 

On 21 October, 35 rightsholders signed a letter urging EVP Virkkunen and Commissioner Micallef to legislate against live-content piracy, citing criminal threats, weak results from the 2023 Recommendation, and data suggesting that 81% of detected illegal streams weren’t suspended. They ask for legislative measures ensuring infringing content is taken down immediately and at least within 30 minutes, making live dynamic blocking which addresses mirror sites and successor domains available in Member States, and imposing KYBC policies on intermediaries (incl. platforms, hosts, VPNs, CDN and app stores). The letter also calls for enforcement of the DSA and calls on Digital Services Coordinators to award private bodies trusted flagger status when requested. The Commission is expected to release its assessment of the 2023 Recommendation no later than the 17th of November. 

New compromise amendments (CAs) to JURI committee’s draft AI & Copyright own-initiative report 

Following amendments published in September, Euractiv circulated a batch of leaked draft CAs to Axel Voss’s own-initiative report. In the CAs document, Axel Voss says this batch of CAs covers areas on which there is (in principle) a general agreement, and the CAs that will follow will be more specific. Of relevance for EuroISPA members, one of the CAs calls to push for full and mandatory transparency for a coherent licensing framework for the novel use of copyright-protected works, noting that trade secrets should not be invoked to prevent an AI model provider from offering full transparency. The same CA notes that the current opt-out system is impractical and may not cover all relevant acts of TDM, lacking necessary transparency.  

Commission preliminarily finds TikTok and Meta in breach of DSA transparency obligations 

On 24 October, the Commission issued preliminary findings on TikTok and Meta, finding them in breach of the obligation to grant researchers adequate access to public data under the DSA. The findings also conclude that Meta (both Facebook and Instagram) is breaching its obligations to provide users with simple mechanisms to notify illegal content (child sexual abuse material and terrorist content are given as examples), and to allow them to effectively challenge content moderation decisions.  

Commission is not considering simplification of the DSA 

At a press briefing after the informal meeting of EU telecom ministers on 10 October, Virkkunen stated that there is little bureaucracy to remove from the DSA. She underlined that the DSA already provides exemptions for SMEs and that its most stringent obligations apply only to VLOPs. The Commission instead plans to assess the DSA’s interaction with other EU legislative frameworks in November, which could lead to the withdrawal of the Platform-to-Business (P2B) Regulation and targeted amendments to other instruments, notably the AVMSD. According to her statement, moving forward, the Commission will consider how to address new technological developments like AI services through the DSA, although Virkkunen also noted that AI tools embedded in platforms are already covered by the DSA.   

Commission launches investigations of platforms on the protection of minors under the DSA 

The Commission launched its first investigative actions following the adoption of the DSA’s Guidelines on the protection of minors, requesting information from Snapchat, YouTube, Apple App Store, and Google Play about their age verification systems and content controls. The Commission also announced further measures on children protection: the European Board for Digital Services’ Working Group on the protection of minors has been asked to ensure DSA compliance by smaller online platforms, identifying those posing the greatest risks to children, and develop common tools to coordinate investigations and enforcement across the EU.  

Commission publishes guidelines on political advertising transparency as Regulation takes effect  

On 8 October, the Commission issued guidelines on the Regulation on the Transparency and Targeting of Political Advertising, which entered into force on 10 October, introducing new disclosure requirements for paid political ads, including information on targeting, costs, and links to elections or legislative processes.  

DATA ECONOMY 

Danish Presidency circulates questionnaires on data retention and access to data 

The Danish Minister of Justice noted that laws regarding access to data are one of the top priorities for the Presidency of the Council of the EU. As part of these efforts, the Danish Presidency circulated two documents dated 17 September and 2 October. The first document invited Member States to provide written input to help the Commission shape a new legal framework on data retention. The second document outlines how the Council Standing Committee on Operational Cooperation on Internal Security (COSI) and the Coordinating Committee on Police and Judicial Cooperation (CATS) will monitor the implementation of the Roadmap for Lawful Access to Data. 

Apply AI Strategy addresses AI adoption across EU industries 

On 8 October, the Commission unveiled the Apply AI strategy, building on the AI Act and AI Continent Plan, to promote AI adoption and a “buy European” approach across the EU. The strategy outlines several measures of interest, including: on electronic communications (section 2.6), the creation of a European Telco AI Platform for collaborative AI stack development and the promotion of edge AI devices; and on cultural and creative industries (section 2.10), support for investment in European AI models for storytelling and the discoverability of European online content, as well as a study on the legal challenges of AI-generated content, particularly on copyright (expected Q1 2027, see Annex III). The strategy also mentions the preparation of guidelines on high-risk AI classification and guidelines on AI Act interplay with other EU laws (reportedly expected by Q3 2026).  

Commission presentation to AI Board indicates a tight schedule for AI Act transparency guidelines 

At the 24 October meeting of the AI Board, the Commission reportedly indicated to Member States that a first draft of the code of practice for AI transparency rules is due in December, a second in March (with comments in April and May), a final draft in June, and a Commission adequacy check for approval in July, ahead of the 2 Aug 2026 deadline. The Commission’s presentation also highlighted pressure from stakeholders to align the application date for the AI Act’s high-risk requirements with the availability of the related technical standards, and stakeholder concerns over readiness to comply with the AI Act’s transparency rules on labelling deepfakes and watermarking AI-generated content.  

CEN/Cenelec suspends consensus process on AI standards  

In the context of ongoing delays with the development of the AI-Act standards, European standardisation organisations CEN and Cenelec exceptionally suspended the usual consensus method for adoption and appointed a drafting group of “already active experts” to finalize the six least-advance standards.  

McGrath simplification report suggests DG Just will examine targeted modifications to the GDPR 

In the annex to his annual simplification report for 2025, Commissioner McGrath indicates that DG JUST will focus over the next twelve months on identifying “targeted modifications” to the GDPR. The Commission intends to rely on the main conclusions of the late-July implementation dialogue. The annex also says that DG JUST will work on simplification and reducing burdens through the 2030 Consumer Agenda, and through the simplification component of the DFA, following input from the digital fitness check and the DFA consultation.  

Lawmakers approve Regulation on GDPR enforcement 

The European Parliament has approved new procedural rules to accelerate and simplify the European Union’s most complex data protection investigations under the General Data Protection Regulation (GDPR).These rules are designed to streamline cross-border investigations into personal data breaches and, for the first time, set overall deadlines for handling such cases. The finalized text, agreed upon on 16 June, has already been endorsed by the Parliament’s civil liberties committee and EU ambassadors. 

The law now awaits formal approval by EU member states, expected during a meeting of foreign and European affairs ministers on 17 November. Once officially adopted, the rules will come into force and take full effect 15 months after the date of adoption. 

Commission sends questionnaire to DMA gatekeepers on data handling amid AI rollout 

The Commission reportedly sent questionnaires to all DMA gatekeepers on compliance with the DMA’s ban on combining personal data across services without consent and on user reactions to opt-out/consent choices. The questionnaires ask when users are served with a prompt over data combination, how many consent and how many refuse, how often a user can defer making a choice, how a gatekeeper notifies users that some services might not work without consent, and how often those warnings are shown.  

EDPB announces it will continue working on guidelines for “consent or pay” business models 

At its 109th plenary meeting on 7–9 October, the European Data Protection Board decided to continue developing guidelines on consent-or-pay models. Data protection authorities reportedly remain divided, with some considering that the models should be banned, and most agreeing that publishers and platforms should be allowed to use them under defined conditions. The forthcoming guidelines, developed by a subgroup of national data protection authorities, are expected to clarify the criteria under which consent-or-pay models can comply with EU data protection law.  

European Data Protection Supervisor guidelines on Generative Artificial Intelligence 

The EDPS published its updated guidelines on the use of generative artificial intelligence and processing of personal data by EU institutions, bodies, offices and agencies. These updated guidelines offer clearer and more practical instructions for the responsible development and deployment of generative AI tools. 

CYBERSECURITY AND INFRASTRUCTURE 

Negative opinion delays Digital Networks Act proposal 

On 22 October, the Regulatory Scrutiny Board (RSB) issued a negative opinion on the impact assessment for the upcoming Digital Networks Act (DNA), requiring a redraft within five working days which resulted in a postponement of the proposal. According to reports, the Digital Networks Act and the Cybersecurity Act Revision will be presented on 20 January. Discussions on the content of the DNA proposal have been challenging, particularly regarding copper switch-off and spectrum allocation. On network fees, the Commission is informally engaging with Parliament to seek amendments.  

Commission prepares proposal to revise the Europol Regulation 

The European Commission launched a public feedback period to support its review of the Europol Regulation, which is expected to be completed by the second quarter of 2026. The initiative aims to strengthen Europol’s ability to address growing cross-border criminal threats. The consultation, open until 15 January 2026, seeks input on expanding Europol’s mandate to cover emerging crimes such as hybrid threats and information manipulation, improving cooperation with EU and international partners, removing barriers to data sharing, and enhancing Europol’s technological and governance capacities to meet real-time operational needs. 

Cloud Sovereignty framework paper 

The Commission unveiled its Cloud Sovereignty Framework which will be integrated into the new Cloud III Dynamic Purchasing System (Cloud III DPS) procedure. The framework defines Sovereignty Objectives relevant for the provision of Cloud services requested in this procedure. They draw on European initiatives such as CIGREF’s Trusted Cloud Referential v2, Gaia-X policy rules and architecture, and the European Cybersecurity Certification Framework (ENISA, NIS2, DORA). In addition, they echo lessons from national cloud sovereignty strategies, as well as international practices in export controls, supply chain resilience, and security auditability. The result is a set of objectives that supplement security assurance requirements with sovereignty-specific safeguards defining clearly what sovereignty means. 

Council calls for common criteria for sovereign cloud services 

The TELECOM WP on 4 November called on the Commission to adopt “common criteria for sovereign cloud services” in response to the concerns about foreign countries accessing European citizens’ data via their surveillance agencies. The fourth compromise of the Council’s review of the EU’s Digital Decade policy framework now states that sovereign cloud criteria must address dependency risks, including the “extraterritorial effects” of US laws. The full text calls for common criteria to address market transparency and risks associated with dependencies, including extraterritorial effects of legislation adopted by third countries for highly critical use cases. The compromise will be voted on at Coreper I on 21 November, with EU telecommunication ministers expected to adopt the final text on 5 December. 

European Telcos call on the Commission to take urgent action on digital connectivity  

Leading European telecoms and tech companies expressed their concerns over the EU’s slow progress in implementing bold digital reforms, warning that Europe’s global competitiveness is at risk due to fragmented policies and underinvestment in digital infrastructure. They noted that only 2% of Europeans currently access 5G standalone networks, far behind the US and China, and argued that this gap threatens Europe’s industrial strength, innovation potential, and digital sovereignty. They called for ambitious measures through the DNA.  

Commission signs the UN Convention against cybercrime 

On 27 October, the Commission signed the UN Convention to step up the fight against Cybercrime on behalf of the EU. The Convention provides a framework for international cooperation, including extradition and electronic evidence exchange, while safeguarding fundamental rights such as privacy and data protection. Following the signature, the Council will discuss and decide on the conclusion of the Convention, which will also require the consent of the Parliament. Member States will sign and ratify the Convention in accordance with their national procedures. The Convention will enter into force once it is ratified by 40 parties. 

CRA: Commission opens consultation on delegated act for reporting security incidents 

On 16 October, the Commission launched a feedback period on the delegated act under the Cyber Resilience Act, outlining the terms and conditions under which a Member State’s designated CSIRT may delay the dissemination of vulnerability or incident notifications to other CSIRTS. The delegated act is expected to be adopted by 11 December, with reporting obligations under the CRA becoming applicable from 11 September 2026. 

TIC Council warns about the delayed implementation of NIS2 Directive 

The Testing, Inspection and Certification (TIC) Council has issued a call for urgent implementation of the NIS2 Directive, warning that delays in transposition by several Member States pose serious risks to Europe’s critical infrastructure. Addressing recent cyberattacks that disrupted airport operations, the Council notes the importance of robust cybersecurity frameworks and urges governments to designate competent authorities and adopt internationally recognized standards like ISO/IEC 27001. Early adopters such as Finland and Belgium are already leveraging certification to demonstrate compliance and enhance resilience. 

MISCELLANEOUS

Leak of Commission Digital Omnibus proposals  

According to two leaked documents from DG Connect, the Digital Omnibus will be composed of two separate proposals. The first proposal will introduce targeted amendments to the EU data rules and streamlining reporting obligations under cybersecurity legislation. The second proposal contains targeted amendments focused on the AI Act implementation, with some exemptions for both data and AI obligations applicable to small businesses. The Commission will officially present the Digital Omnibus on 19 November. 

Leaked Cyprus Council Presidency draft work programme for the first half of 2026 

News outlets published a leaked draft work programme (for January-June 2026) of the upcoming Cypriot presidency of the Council. Interestingly, the draft suggests that the protection of children online is of paramount importance and that Cyprus will aim to conclude negotiations on the CSAM Regulation before the expiry of the Interim Regulation in April 2026. On most other digital files, however, it appears to foresee no agreements. For example, Cyprus aims only to advance negotiations on the DNA and the revision of the Cybersecurity Act, and there is no target for the 19 November tech simplification omnibus beyond supporting efforts to simplify digital and data frameworks without deregulation. Law enforcement access to data is also slated for discussions.   

Virkunnen simplification report indicates Digital fitness check to run until mid-2027 

Virkkunen’s annual report on simplification and implementation says the digital acquis fitness check will run until mid-mandate, kicking off on 19 November alongside the digital simplification package; the process will examine digital laws beyond those in the first simplification omnibus (AI, data, cyber) and may lead to “potential additional simplification measures”; the report also confirms that the Commission will present on 19 November its first assessment of interactions between the DSA and other consumer-protection and product-safety laws.  

Franco-German Tech Summit on digital sovereignty 

France and Germany are organizing a summit on digital sovereignty taking place in Berlin on 18 November, where they will discuss Europe digital’s future. The agenda is now out, with the Executive Vice President of the European Commission Henna Virkkunen plans to present the long-awaited Digital omnibus during the morning. Other topics on the official programme include EUDI Wallet, Digital Commons as a Pillar of Digital Sovereignty, and the DMA.  

The Netherlands circulates paper on simplification, touching on AI, data protection and cookies 

The Dutch government circulated a document on simplification, emphasizing that EU digital law revisions should focus on legal clarity, coherence, and streamlined governance rather than extending deadlines. The paper also includes specific recommendations on AI and data protection simplification. On AI, it prioritizes simplifying the AI Act’s implementation over extending legal deadlines for high-risk requirements, proposing clearer definitions for critical infrastructure, flexible compliance options, and extended derogations for SMEs. On data protection, it advocates for more practical tools to ease compliance for smaller organizations, including the development of standardized lists of low-risk processing activities by supervisory authorities, greater use of codes of conduct, exemptions for cookies and similar technologies, and technical solutions such as centralized browser-level consent management.   

German contribution to the Digital Omnibus  

The German Federal Ministry for Digital Transformation presented a paper on the upcoming Digital Omnibus package calling for simplification measures, including on the Data Act, GDPR, e-Privacy Directive (e.g.  including an additional exemption for cookies in art.5 (3)). The paper also outlines many specific recommendations on the AI Act, including emphasising on innovation-friendly implementation, avoiding double regulation and reducing market entry barriers, extending implementation deadlines, and providing clear definitions and harmonized standards. 

ITRE publishes report on the interaction between AI act and other pieces of legislation 

The European Parliament’s Industry, Research and Energy Committee (ITRE) published a study outlining how the AI Act relates to other crucial pieces of EU digital legislation, such as the GDPR, Data Act and Cyber Resilience Act. The document also provides reflections and suggestions for possible evolutions of digital legislation, keeping in mind that Europe can establish a competitive AI industry. 

 

EuroISPA Response to the Public Consultation on the Digital Fairness Act

EuroISPA shares the European Commission’s objective to protect and empower consumers. Nevertheless, we emphasise that the EU already has the world’s most comprehensive consumer protection framework, strengthened by recent major legislative updates, including the Omnibus Directive, DSA, DMA, Data Act, and AI Act.

Should the Commission remain committed to proposing a DFA, such an initiative should fully reflect the overall aim of ensuring a simple, competitive, and innovation-friendly legal framework, which benefits both consumers and businesses. It should also enable effective and consistent enforcement of existing laws, addressing specific gaps without duplicating existing legislation. Hence, before considering any new rules, the Commission should conduct comprehensive impact assessments of existing legislation and its implementation.

Only where genuine gaps are demonstrated should evidence-based, targeted, and technologically neutral measures be considered. Even then, the Commission should first assess whether the objectives can be achieved by amending existing instruments—such as the DSA—instead of adopting a new legislative act.

EuroISPA’s specific recommendations address:

  • The relationship between regulators and businesses
  • Dark patterns
  • Addictive design
  • Unfair personalisation practices
  • Harmful practices by social media influencers
  • Issues with digital contracts
  • Simplification measures
  • Horizontal issues (age assurance, fairness by design, burden of proof, definition of consumer). 

EuroISPA Monthly Report – September 2025

September marked the start of the EU’s legislative push ahead of year-end, with the goal of streamlining current obligations, and considering the introduction of new legislation.

Despite being one of the main priorities for its mandate, the Danish Presidency failed to secure enough support in the Council to reach an agreement on its Child Sexual Abuse Regulation proposal, mainly due to Germany’s concerns over non-targeted scanning.  

The Commission is also considering delaying the AI Act’s implementation for high-risk systems due to setbacks in developing the necessary technical standards. The attention is mounting on the upcoming Digital Omnibus Package too, expected in November.

The EuroISPA Secretariat is closely monitoring these developments and will respond to the public consultation on the Digital Fairness Act and provide input to the Commission on GDPR implementation challenges. Relevant deadlines are listed in “Recent and ongoing activities” section of this newsletter.

ONLINE CONTENT 

Stalemate persists on CSAM Regulation despite Danish presidency efforts

Despite intensive negotiations throughout September and October, the Danish Presidency has so far been unable to secure agreement on its compromise text for the CSAM Regulation, which it had hoped to table for a vote at the Justice and Home Affairs Council on 14 October. The proposal was examined by Member States at the Law Enforcement Working Party on 12 September and again during a key meeting of Permanent Representatives (Coreper II) on 8 October, where it became evident that Germany could not support the text, leaving no immediate prospect for agreement. While many Member States have expressed appreciation for the Presidency’s efforts – and are under pressure to reach an agreement before the expiry of the Interim Regulation permitting voluntary scanning in April 2026 – significant concerns persist regarding the overall proportionality of the proposed detection order scheme and its impact on encryption.  

Denmark finalises Jutland Declaration on protection of minors online

The Jutland Declaration on the protection of minors, prepared by the Danish Presidency, was signed by 25 Member States (all except Estonia and Belgium) at the informal meeting of telecommunications ministers on 10 October. It calls for measures to complement the DSA on children protection, including requiring privacy-preserving age verification and addressing addictive design practices, and supports Commission President von der Leyen’s initiative to establish an expert panel to examine a potential EU-level approach on a digital age of majority. Compared to latest draft, the final version has been softened to attract broader support: the reference to the Digital Fairness Act was removed from the paragraph on safeguarding minors online; the text now states it would be “difficult” rather than “impossible” to prevent minors from being targeted with adult-oriented content without proper age verification; and it calls to “address” rather than “ban” addictive and manipulative design practices.  

Further push from European Parliament and Commission to fight online piracy

On 7 October, the European Parliament adopted in Plenary its report on the Role of EU policies in shaping the European Sport Model, which includes amendments calling for further legislation to combat piracy and for an extension of the KYBC provision. The press release of the Parliament identifies online piracy as one of the challenges face by the European Sport Model. During the debate that preceded the vote, Commissioner Micallef also called for urgent action to combat piracy of live sport events to ensure financial sustainability of the sector. The Commission is preparing a new strategic vision for sport and is consulting on this matter. As a reminder, by 17 November 2025, the Commission will assess the effects of the Recommendation, taking due account of the data collected by the EUIPO Observatory.

IMCO discusses amendments to its own-initiative report on the protection of minors online and CULT adopts its opinion

During the IMCO session on 24 September, MEPs discussed amendments to the draft own-initiative report on the protection of minors online, ahead of the vote scheduled for 16 October. Rapporteur MEP Christel Schaldemose (S&D, DK) noted progress but highlighted ongoing disagreements, particularly on whether age verification and age assurance should be mandatory. The CULT committee also adopted its opinion on IMCO’s own-initiative report. In parallel, the CULT committee also adopted its draft own-initiative report on the impact of social media and the online environment on young people, for which the LIBE, IMCO and FEMM committees are also preparing their opinions.  

AI & Copyright European Parliament draft report receives first amendments

The JURI committee MEPs have submitted 370 amendments to Axel Voss’ own initiative report on Generative AI & Copyright. Among the most controversial points: remuneration, the role of the EUIPO and the irrebuttable presumption. MEP Voss also tabled additional amendments co-signed by EPP colleagues, including Amendment 110, which aims to clarify that the TDM exceptions (both Articles 3 and 4) “were originally not designed to address generative AI training and therefore are not applicable”. The work on compromise amendments is already ongoing, with a consideration of amendments taking place on 13 October; the vote in committee is expected at the beginning of December.

Von der Leyen backs Australia’s social media age ban, considers approach on EU digital majority age

Speaking at the “Protecting Children in the Digital Age” event in New York on 24 September, Commission President von der Leyen praised Australia’s minimum age law for social media, calling it a “world-first, and world-leading” step, echoing her remarks at the State of the European Union speech. She said the EU is closely watching Australia’s implementation and cited growing concerns over children’s exposure to addictive algorithms, cyberbullying, and online predators. She also highlighted the EU’s pilot for a cross-border age-verification system being tested in five Member States and reiterated plans to convene an expert panel to assess the best approach on a digital majority age for social media at EU level.  

Commission probes costs of compliance with the DSA

The Commission asked VLOPs and VLOSEs to report the financial burden of complying with the DSA. A six-page questionnaire was reportedly sent to the relevant companies on 19 September asking how much they spend on transparency reports and compliance measures, including on IT systems and service providers. Through the questionnaire, companies can also share a qualitative assessment of the practical measures and underlying legal concepts which they consider to be driving the costs. The information collected will feed into the DSA Evaluation report, which is expected on 17 November, and is set to review how the DSA interacts with other legislation, and address the threshold, designation and scope of VLOPs and VLOSEs.  

European Board for Digital Services holds meeting on child protection, political ad rules, and DSA enforcement

At its 15th meeting in Brussels on 23 September 2025, the EBDS emphasized the priority of protecting minors online, agreeing to strengthen enforcement of Article 28(1) of the DSA and to streamline cross-border cooperation. WG 6 was tasked with advancing implementation of the DSA Art.28 Guidelines on minors’ protection, alongside coordinated action targeting pornographic platforms and complementing Commission cases against VLOPs such as TikTok, Instagram, and Facebook. The Board also discussed the upcoming European Democracy Shield (EUDS) and its interplay with the DSA and the political advertising transparency rules, which took full effect on 10 October 2025 (and for which the Commission issued guidelines). The Board also reacted to recent allegations against the DSA, reaffirming its commitment to impartial and effective enforcement.  

Commission, Council and Parliament continue working on the European Democracy Shield (EUDS): According to its latest calendar, the Commission expects to present its communication on the EUDS on 12 November. In the meantime, the European Parliament held a debate on the EUDS in its 10 September plenary session, and an exchange of views with Commissioner McGrath in the EUDS Committee on 23 September. On the Council side, discussions continued on the draft Council conclusions for the EUDS, with Member States asked to submit final input by 8 October.  

DATA ECONOMY 

Council works on access to data for effective law enforcement resume

Council’s Law Enforcement Working Party is hosting a series of presentations by Europol, CEPOL, ECTEG on access to data for effective law enforcement to facilitate cross-border cooperation in digital forensics. Also in the Council, in Coreper II and other bodies are discussing the state of play on the access to data for effective law enforcement.  

Commission and Council assessing possible delay of AI Act implementation for high-risk systems due to technical standards delay

Speaking at Politico’s Competitive Europe Summit on 1 October, Lucilla Sioli (head of the Commission’s AI Office), said the Commission is “still assessing” a potential delay in AI Act implementation for high-risk systems, suggesting this would stem from the delayed development of related technical standards required for compliance. She clarified that “it’s not a matter of pausing the AI Act, but of if and when the standards will be ready”. In parallel, the Danish Presidency raised concerns that the delayed standardisation process poses an urgent challenge for implementing the obligations for high-risk AI systems. To address this, the Presidency proposed using the upcoming digital omnibus package, due on 19 November, and has requested Member States’ input on what measures the Commission should take. Nooshin Amirifar, team lead for ICT standardization at CEN-Cenelec, the organisation responsible for developing the standards, told Politico that some documents could be published and submitted for national-level public inquiry by late 2025 or early 2026.

EU Ombudsman investigates transparency of AI Act standards development

In a related development, a transparency complaint from NGO Corporate Europe Observatory prompted an investigation from the EU Ombudsman on the process for the development of standards under the AI Act. On 1 October, Commission spokesperson Thomas Regnier said the Commission can only review standards once they are drafted to decide whether to endorse them. He emphasised that the Commission works closely with EU standardization organisations CEN and Cenelec but does not interfere in their processes. The Ombudswoman’s inquiry follows concerns that the drafting process lacked transparency, including unpublished participant names and meeting minutes, and that the Commission failed to ensure a balanced representation of interests in the process.  

European Commission releases draft guidance for serious incidents

The European Commission recently released draft guidance and a reporting template for serious incidents under the EU AI Act. The provisions will become applicable starting in August 2026. The consultation process will be open until 7 November.  

EDPS recommends safeguards for EU–US framework on personal data sharing for border and immigration purposes

The European Data Protection Supervisor (EDPS) issued an opinion on the negotiating mandate for a proposed EU-US framework agreement on exchanging information for security screenings and identity verifications. The framework would allow individual Member States to sign bilateral agreements for data exchange from national systems. Since this agreement would be the first EU deal to involve large-scale sharing of personal data for border and immigration control, the EDPS stressed that processing should be strictly necessary and proportionate. The opinion recommendations include narrowing the scope of data sharing, establishing accountability mechanisms, ensuring transparency and information obligations for both authorities, and providing access to judicial redress.  

GDPR access requests can only be refused if abusive, Advocate General opinion says

Advocate General Maciej Szpunar issued an opinion on 18 September stating that companies may refuse a data access request under the GDPR only if the request can be shown to be abusive. According to the opinion, abuse may include situations where an individual deliberately consents to data use to trigger an access request and claim damages. The opinion notes that even a first request can be considered excessive in exceptional cases, and that repeated claims alone are not sufficient to justify refusal.  

Guidelines on the interplay between the DMA and GDPR

On 9 October 2025, the European Data Protection Board and the European Commission have endorsed the first joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). There is a an open consultation till 4 December 2025 to gather comments from the industry or any public organisation with the spirit of reflecting the coherent application of the DMA and the GDPR and to increase the legal certainty for gatekeepers, business users, beneficiaries and individuals.

EDPB opened consultation on guidelines clarifying interplay between DSA and GDPR

The European Data Protection Board (EDPB) adopted its Guidelines 3/2025 on the interaction between the DSA and GDPR and launched a public consultation with a deadline of 31 October 2025. The guidelines, adopted during the EDPB’s plenary session in September, aim to ensure coherent application of both frameworks, as several DSA provisions on notice-and-action systems, recommender systems, protection of minors, transparency and profiling-based advertising relate to the GDPR. 

CYBERSECURITY AND INFRASTRUCTURE 

EU telecom rules to be “simplified” under DNA, Commission official says

Thibaut Kleiner (Director for Policy, Strategy and Outreach at DG CNECT) announced at the Connected Futures event on 23 September that Orange, Telefónica, and Deutsche Telekom will benefit from a simplification of EU telecom regulations with the DNA. He said the intention of DNA is to unlock market potential, and support innovation. He also emphasised that the DNA would complement the EU’s Applied AI Strategy and broader “EuroStack” ambition for digital sovereignty and added that telecom is “not just about networks anymore”, but also about data centers, cloud infrastructure, and additional services built on top of that.  

The fair share debate and the DNA developments

The Digital Network Act remains unclear in the discussion of the fair share debated. The details of the dispute resolution mechanism demanded by operators as an alternative to the fair shares need to be concretised.  On 22 October, the Commission Regulatory Scrutiny Board should receive the impact assessment of the Digital Networks Act to approve it. The final presentation of the text is expected between the 10 and the 16 of December.

Call for evidence on the Digital Package on Simplification

On 16 of September, The European Commission published a  call for evidence  on the Digital Package on simplification. The initiative seeks to simplify cookies and tracking regulations under the ePrivacy Directive, reduce overlapping cybersecurity reporting, lower compliance costs under the European Digital Identity Framework, and ensure the AI Act is applied effectively with a focus on the needs of small mid-cap businesses. Moreover, the European Commission will continue evaluating the digital rules through the upcoming Digital Fitness Check. According to the latest European Commission Agenda, the digital package will be announced on 19 November, being composed of multiple files including the European Business Wallet, the Digital Omnibus and the CSA.  

Cybersecurity remains high on the agenda

In addition, the EC opened a called for tenders for supporting ENISA for the provision of the EU Cybersecurity Reserve services to Union Entities. Finally, in the Council, the Horizontal WP on cyber issues  discussed on 9 October the priorities for the EU Cybersecurity Reserve, the Cyber Hubs and their interoperability.  

Results of the Consultation for the future Cloud and AI Development Act

The results of the European Commission’s consultation for the future Cloud and AI Development Act (CAIDA) that closed in July were made public showing that most respondents would like to see faster approved building permits and a one stop-shop mechanism. The European Commission highlighted in a meeting to national experts that they have “consistently” cited barriers to expansion, lack of “common EU definition of sovereign cloud” and called for a broad support to finalise the long-pending EUCS cybersecurity certification. The Commission is expected to present in the regulation together with a recommendation for the cloud policy for public administrations and procurement in the first quarter of next year.

Poland calls for separate legal act for ENISA

On 2 October, the Polish Delegation in the Horizontal Working Party on Cyber Issues  shared a paper on the upcoming revision of the EU Cybersecurity Act, calling for the splitting the legislation that will redefine the mandate of ENISA from the other provisions which are set to be controversial as it will address the development of cybersecurity certification schemes. Poland suggests for certification schemes recurring to technical specifications from industrial bodies or from ENISA.  They also suggest a simpler evaluation solution than those based on Common Criteria should be considered more often, where appropriate responding to the demands of the industry, in particular vendors.

European Cloud Sovereignty Discussion

On September 30, Digital experts from the 27 Member States presented to the Commission and other Member States the need to create a European sovereign cloud. This presentation showcased the results of the outcome of the public consultation conducted before summer considering the future regulation to be presented in the first quarter of 2026. The results showed that there should be a “mechanism enabling the federation of cloud services within public administration”, “the creation of public procurement guidelines” and “broad support for the finalisation of the EUCS certification scheme for the cloud and its integration into the public procurement framework”. The EUCS will be revised in November with a view to extending its scope to non-technical risks. Germany stays the only major Member State pushing for non-discriminatory treatment of foreign providers, while Spain, France and the Netherlands supported the Commission’s direction.

GDPR blocks growth opportunities 

The EU’s General Data Protection Regulation (GDPR) promised harmonised rules and a stronger internal market. In reality, interpretations vary between member states, and case law is inconsistent. Companies live in uncertainty about which rules to follow in which country and this undermines the competitiveness of the entire economic area. 

The obligations of the GDPR are in many respects overly detailed and rigid. Contractual requirements, the 72-hour breach notification, and unclear rules on anonymisation and pseudonymisation create extra bureaucracy without real added value for data protection. Supervisory authorities treat guidelines as binding regulations, leaving risk-based thinking aside. 

Excessively strict interpretations also prevent the use of data in healthcare, research, and new digital services. When pseudonymisation cannot be applied flexibly, innovation stalls and international cooperation dries up. For example, telecom operators have enormous opportunities to develop business by using pseudonymised data generated by their networks: mobility patterns could be used in urban planning, service capacity, or tourism development without compromising individual privacy. Current restrictive interpretations, however, make this nearly impossible. 

The situation is made worse by conflicts between the GDPR and ePrivacy rules, as well as by authorities’ low notification threshold, which burdens oversight and wastes resources. In addition, the sanction mechanism is unbalanced: companies may face heavy penalties, while the public sector rarely faces administrative fines, even though authorities handle massive amounts of personal data. This is neither acceptable for citizens’ legal protection nor for equal treatment. 

A correction to the GDPR is essential. We need more consistent interpretations, risk-based regulation, sanctions that also apply to the public sector, and proportionality – so that data protection genuinely works for citizens rather than stalling European companies’ growth and the development of new business models. 

Elina Ussa

President of EuroISPA

and FiCom Managing Director

EuroISPA Monthly Report – July/August 2025

July and August saw continued progress on the EU’s digital policy agenda despite the summer break.  AI featured prominently, as the Commission finalised the General-Purpose AI code of practice, published the Guidelines on the scope of obligations for providers of GPAI under the AI Act, and launched a stakeholder consultation and call for expression of interest to support the development of guidelines and a code of practice on transparency obligations under the AI Act. Parliamentary debates and studies on generative AI, copyright, and AI liability continued to shape the political agenda.  

There were significant developments on the child protection front, as the Danish presidency continued negotiations on the Child Sexual Abuse Regulation proposal. The Commission also published the Guidelines under Article 28 of the DSA on the protection of minors online, accompanied by an Age Verification Blueprint, and launched calls for tenders for studies on online risks for children and the alignment of national measures with the DSA, as well as a consultation on its cyberbullying strategy.  

A political agreement on the EU-US trade deal was reached, with a Joint Statement confirming that there will be no network fees measures from the EU, and that the DSA and DMA were excluded from the negotiations. Its publication, however, was followed by threats of additional tariffs from President Trump towards countries adopting digital taxes or regulations harming US tech companies, drawing strong EU reactions. 

The EuroISPA Secretariat is closely monitoring these developments and is currently gathering input for key consultations, including on Data Retention and the upcoming Digital Fairness Act. Relevant deadlines are listed in the “Recent and ongoing activities” section of this newsletter. 

ONLINE CONTENT 

Denmark publishes latest version of the CSAR compromise text 

In its latest compromise text dated 24 July, to be discussed at the Council’s Law Enforcement Working Party on 12 September, the Danish Presidency maintains the core structure of its CSAR proposal from July 1st, notably preserving mandatory detection orders for high-risk services as the long-term solution, while extending the Temporary Regulation permitting voluntary detection for up to 72 months after the CSAR enters into force. It also maintains the same approach on encryption, prohibiting any requirement to decrypt or weaken encryption and introducing consent-based pre-transmission scanning as a condition for detection in encrypted environments. The latest text introduces a new requirement for providers to describe age-verification and age-assessment tools in their terms and conditions, while also mandating that details undermining their effectiveness not be disclosed (Article 4(4)).  

Global Encryption Coalition warns CSAR compromise text threatens encryption  

The Global Encryption Coalition (GEC) Steering Committee has issued a statement criticizing the Danish Presidency’s 1 July compromise text on the proposed EU Child Sexual Abuse Regulation (CSAR), warning it undermines end-to-end encryption. GEC argues that requiring service providers to scan for both known and unknown CSAM, including in encrypted environments, is ineffective, creates new vulnerabilities, and breaks the core principle of strong encryption that safeguards human rights. The coalition, which includes CDT Europe, Global Partners Digital, the Internet Freedom Foundation, the Internet Society, and Mozilla, urges EU ministers to reject any form of mandated scanning, including client-side scanning, and to instead pursue measures that are technically sound, rights-respecting, and capable of effectively protecting children. 

The European Parliament to push for new legislation to fight online piracy 

On 16 July, the CULT committee adopted its own initiative report on the Role of EU policies in shaping the European Sport Model, coordinated by MEP Bogdan Zdrojewski (EPP, PL). Amendments calling the Commission for further legislation to combat piracy and for an extension of the KYBC provision were adopted. The finalised report is expected to be voted during one of the upcoming Plenary sessions. 

The European Commission issued guidelines on protecting minors under Article 28 of the DSA 

On July 14, the Commission published the guidelines clarifying Article 28(4) of the DSA, which sets out obligations for online platforms accessible to minors. According to the guidelines, platforms must implement proportionate measures to ensure high levels of privacy, safety, and security, including a ban on profiling-based advertising using minors’ data. The guidelines also mandate AI safeguards, user support tools, guardian controls, and transparent terms of service. While serving as a compliance reference for Article 28(1), they also emphasize alignment with the GDPR, AI Act, and BIK+ Strategy, with a review scheduled for December 2026. The guidelines were published alongside the Commission’s Age Verification Blueprint, which provides technical solutions to help platforms meet the DSA’s child protection requirements. 

EU Commission adopts Delegated Act on Data Access under the DSA 

On July 2 the Commission adopted a delegated act establishing harmonised rules and technical conditions for granting vetted researchers access to data from very large online platforms (VLOPs) and very large online search engines (VLOSEs), as required under the DSA. The aim of the delegated act is to facilitate research on systemic risks such as disinformation, algorithmic amplification, and online harms. It sets out which information should be published by platforms and Digital Services Coordinators (DSCs) to assist researchers in applying for access to data. Alongside the delegated act, the Commission also launched the DSA Data Access Portal, a central hub where researchers will find guidance, submit applications, and engage with platforms and regulators.  

European Commission opens consultation on Digital Fairness Act 

On 17 July, the European Commission launched the call for evidence to support an impact assessment on the upcoming Digital Fairness Act (DFA), open until 24 October. According to the text of the call for evidence, the DFA is expected in Q3 2026, may take the form of a Directive or Regulation, and will aim to address issues such as manipulative digital practices, addictive design (especially affecting minors), exploitative personalisation, and harmful influencer and pricing tactics. It will also seek to reduce legal fragmentation and compliance burdens for businesses across the EU. The impact assessment will explore strengthening consumer protection and trust online, with additional input to be gathered via surveys, stakeholder meetings, and public events, including the European Consumer Summit 2025. 

Commission launches consultation and call for evidence on its Action Plan against Cyberbullying 

On 22 July, the European Commission opened a public consultation and call for evidence to support the development of the Action Plan against Cyberbullying, running until 29 September 2025. The consultation invites input from stakeholders, including youth, educators, civil society, and online platforms, and is meant to complement other EU actions such as the Better Internet for Kids Strategy, age-verification solutions, and guidelines under the DSA. The call for evidence seeks input on definitions, national legislations and policies, and best practices related to cyberbullying.  

Commission launches call for tenders for a study on the compatibility of national measures with DSA. 

On 24 July 2025, the European Commission also launched a call for tenders for a study to assess how Member States have adapted their national legislation following the full application of the DSA. The study aims to map existing and upcoming legally binding national measures applicable to providers of online intermediary services and identify any overlaps or conflicts with the DSA that could lead to fragmentation of the Single Market.  

European Commission issues call for tenders to study risks and harms to minors online 

On 1 August 2025, the Commission launched a call for tenders to secure a support contract aimed at tracking the evolution of risks, harms, and benefits that children face on online platforms across the EU. This contract will provide comprehensive data and a monitoring framework to identify trends related to children’s online experiences, supporting enforcement and policy initiatives under the DSA, including the recent Guidelines on article 28(1). It will also gather insights into children’s perceptions and their needs from very large online platforms and search engines to enhance privacy, safety, and well-being online. The deadline to submit tenders is 15 September 2025.  

European Commission seeks experts to join Network for the Prevention of Child Sexual Abuse 

On 5 August the Commission launched a call for applications to join the newly established Network for the Prevention of Child Sexual Abuse, aimed at enhancing cooperation among Member States, researchers, practitioners, and stakeholders to support the implementation of EU policies and legislation on child sexual abuse and exploitation. The Network will focus on all aspects of prevention, including reducing risks of offending and of children becoming victims, promoting research, sharing best practices, and fostering international collaboration. The initiative is meant to deliver on a commitment under the EU Strategy for a more effective fight against child sexual abuse (2020-2025). The call is open to individual experts and organisations active in the field until 15 September.  

DATA ECONOMY 

EU court upholds EU-U.S. Data Privacy Framework despite legal challenge 

On 3 September, the EU’s General Court rejected a case brought by French lawmaker Philippe Latombe (T-553/23 – Latombe v Commission), who challenged the European Commission’s July 2023 adequacy decision that found the US provided “essentially equivalent” protection for personal data under GDPR. Latombe argued that the EU-U.S. Data Privacy Framework fails to prevent bulk collection of Europeans’ data by U.S. intelligence services and that the Data Protection Review Court (DPRC) created to address EU privacy complaints lacks independence. The court found instead that safeguards are in place to ensure the DPRC’s independence and that U.S. intelligence activities are subject to its oversight, meeting the requirements set out in Schrems II. It also underlined that the European Commission must continue to monitor whether the U.S. legal framework changes. Latombe has two months and ten days to appeal the ruling to the Court of Justice, limited to points of law. 

European Data Protection Board and European Data Supervisor support GDPR simplification and request clarifications 

On 9 July, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion supporting proposed amendments to the GDPR aimed at reducing administrative burdens for smaller companies. They welcomed the extension of the record-keeping exemption (Article 30(5)) to organisations with fewer than 750 employees, provided the data processing does not pose a high risk to individuals’ rights and freedoms. However, they requested clarification on the choice of this threshold and recommended aligning it with newly introduced definitions of small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs). They also supported extending the scope of Articles 40(1) and 42(1), concerning codes of conduct and certification, to both SMEs and SMCs. In addition, they called for confirmation that public bodies are not covered by the proposed exemption. Both authorities emphasised that simplification must not come at the expense of fundamental rights.  

LIBE Committee approves GDPR enforcement trialogue agreement  

Following the provisional agreement reached by the European Parliament and the Polish Presidency of the Council on 16 June to clarify and speed up cross-border enforcement of the GDPR, the Parliament’s LIBE committee adopted the text on July 15, with the plenary vote expected in October. 

European Commission publishes conclusions of Implementation Dialogue on Data Policy 

The Commission published the conclusions of the 1 July 2025 Implementation Dialogue on Data Policy. According to the conclusions, stakeholders including SMEs and larger tech companies agreed on the need to improve data access to foster innovation and welcomed horizontal legislation like the Data Act to reduce legal complexity. They also highlighted key challenges including fragmented enforcement, overlapping regulations, and issues related to interoperability and quality of data, and suggested potential solutions such as support through regulatory guidance and sandboxes, especially for SMEs. The feedback from stakeholders will inform the upcoming Digital Package on simplification and the European Data Union Strategy (for which the public consultation closed on 20 July).  

European Parliament study challenges Commission’s withdrawal of AI Liability Directive 

The EP’s Policy Department for Justice, Civil Liberties and Institutional affairs, at the request of the JURI Committee, released another study on artificial intelligence and civil liability, strongly criticizing the European Commission’s decision to withdraw the AI Liability Directive (AILD). The study argues that the original AILD proposal may have been so flawed that no legislation would have been preferable but still calls for a revamped approach. It recommends either introducing strict liability for high-risk AI systems through a revised directive (Option 4) or establishing a fault-based rule limited to high-risk AI (Option 3), while also suggesting the possibility of adopting a regulation instead of a directive. The study also argues that the revised Product Liability Directive (PLD) fails to adequately address AI-related risks. In a related development, MEP Tiemo Wölken (S&D, Germany) announced on 22 July his intention to bring a case before the CJEU against the Commission over its withdrawal of the AILD, following allegedly unanswered access-to-document requests. In August, the Commission officially confirmed its withdrawal of the Directive. 

Commission finalises GPAI code of practice and AI Act GPAI obligations come into force 

On July 10, the Commission published the final version of the GPAI code of practice, organised into three chapters on transparency, copyright, and safety and security. The Commission and the AI Board officially endorsed the Code of Practice on August 1. On August 2, GPAI obligations under the AI Act came into force (Chapter 5, Article 78 on data confidentiality and enforcement of intellectual property rights) but the application of the rules will be gradual, with the Commission enforcing full compliance with fines as of 2 August 2026, and models placed on the market before 2 August 2025 required to comply by 2 August 2027. 

Commission publishes Guidelines on the scope of obligations for providers of GPAI under the AI Act  

In a related development, on July 18, the Commission also published the guidelines on the scope of obligations for providers of general-purpose AI models. The Guidelines on GPAI aim to clarify key concepts, such as the terms of ‘GPAI model’, ‘provider of a GPAI model’ and ‘placing on the market of a GPAI model’, and how to estimate the computational resources used for training a GPAI model. 

Commission starts work on second Code of Practice on transparency obligations under AI Act 

At the end of August, the Commission held a workshop with stakeholders to present the framework, objectives and future drafting process for a new code of practice on transparency obligations, as provided by Article 50 of the AI Act. The AI Act requires AI providers to have labelling solutions that meet certain requirements: effectiveness, interoperability, robustness and reliability. To inform the discussions, the Commission shared three studies carried out by independent experts on the labelling of AI-generated text, audio and audiovisual content, analysing metadata labelling, watermarking and digital fingerprinting. The studies are meant as starting points and do not predetermine the code’s content. The drafting process is expected to begin this autumn, with the code and accompanying guidelines scheduled to enter into force on 2 August 2026. In early September, the Commission launched a stakeholder consultation and call for expression of interest to support the development of the code and the accompanying guidelines (both with deadlines on October 2).  

JURI Committee debated draft report on copyright and generative AI  

On 15 July, the JURI Committee discussed Axel Voss’s (EPP, DE) draft report on copyright and generative AI. Several MEPs raised concerns about a centralised EUIPO register, suggesting alternatives such as opt-in systems, blockchain, or collective management. MEPs Farreng (Renew, FR) and Cormand (Greens, FR) called for full transparency of training data and a reversed burden of proof, but criticising the proposed 5-7% lump-sum remuneration. EPP and S&D warned of generative AI’s threat to press plurality and cultural sovereignty. Axel Voss also organised a stakeholder roundtable to discuss his report on September 1, ahead of the deadline for amendments which is set for September 12 at 11am.   

CYBERSECURITY AND INFRASTRUCTURE 

Network fees in the EU-US Framework Agreement 

On August 21st, the EU and US issued the Joint Statement on the EU-US trade agreement, setting a 15% US tariff ceiling on most EU exports such as cars, pharmaceuticals, semiconductors. The statement follows the July 27 political agreement between Presidents von der Leyen and Trump, and suspends the EU’s recently adopted countermeasures. In paragraph 17, the statement indicates that the EU will not adopt or maintain network usage fees and that the US and the EU will not impose customs duties on electronic transmissions. 

EU Alliance unveils roadmap to advance digital sovereignty through open-source cloud, edge & Internet of Things 

On 8 July, the European Alliance for Industrial Data, Edge and Cloud released a thematic roadmap emphasizing how European open-source cloud, edge, and IoT technologies are essential to strengthening the EU’s digital sovereignty and global competitiveness. Titled “The Open-Source Way to EU Digital Sovereignty & Competitiveness”, the roadmap outlines how open-source solutions can improve security, cost-efficiency, innovation, flexibility, and sustainability. The Alliance also submitted recommendations on Common Trust Principles to the European Data Innovation Board, identifying gaps and calling for standardised, trustworthy frameworks for data sharing in cloud-edge ecosystems and data spaces.  

Commission proposes to sign and ratify the UN Convention against Cybercrime 

The Commission proposed to sign and ratify the United Nations Convention against Cybercrime, covering both substantive criminal law and judicial cooperation. For the first time, a global instrument will criminalise conduct related to child sexual abuse material, the grooming of children for sexual purposes, and the non-consensual dissemination of intimate images. The Convention also includes measures for international cooperation, including the extradition of suspects and the exchange of electronic evidence.  

It is now for the Council to adopt the Decisions authorising the Commission, on behalf of the EU, to sign and, with the consent of the European Parliament, conclude the Convention. Member States will also have to sign and ratify the Convention, in accordance with their national procedures. 

European Commission convenes High-Level Workshop on AI Compute Stack 

On 7 July, the Commission held a high-level multistakeholder workshop in Brussels on the AI Compute Stack, referring to the full range of infrastructure involved in AI development, from advanced chips to complete AI system integration. Organised as a targeted consultation, the event brought together stakeholders including chip designers, cloud infrastructure providers, and AI model developers. The workshop launched a discussion on strengthening Europe’s role in the AI compute landscape, where complex AI models require more integrated and sovereign technical solutions. Participants discussed current trends in AI hardware, systems, and models, shared insights on compute needs, and explored collaboration opportunities. The initiative aims to reduce external dependencies and contribute to Europe’s strategic autonomy in AI infrastructure.  

ENISA to operate the EU Cybersecurity Reserve 

The Commission and ENISA signed an agreement for the administration of the EU Cybersecurity Reserve of €36 million under the Cyber Solidarity Act. The Cybersecurity Reserve is designed to enhance the Union’s capacity to respond to and recover from major cyber incidents providing access to incident response services delivered by vetted providers. The Reserve will be available to entities operating in sectors deemed critical or highly critical under the NIS2 Directive, including areas such as healthcare and energy. 

MISCELLANEOUS 

EU-US trade agreement Joint Statement confirms DSA/DMA excluded from talks 

As mentioned above, the EU and US issued a Joint Statement on the EU-US trade agreement on 21 August. Interestingly, the Commission also confirmed that the DSA and DMA, were excluded from the EU-US trade talks but did not rule out their inclusion in future discussions. The publication of the Joint Statement was followed by threats of additional tariffs from President Trump towards countries adopting “digital taxes, legislation, rules or regulations” harming US tech companies, eliciting strong responses from European officials, including Prosperity and Industrial Strategy Commissioner Stéphane Séjourné, and Commissioner for Tech Sovereignty, Security, and Democracy Henna Virkunnen

EPP pushes for a “light” version of the GDPR for SMEs, stricter online ad rules, and digital sovereignty According to a document seen by Mlex, The European People’s Party (EPP), the EU’s largest political group, is preparing a position paper urging the European Commission to introduce a “light” version of the GDPR for small and medium-sized enterprises to ease compliance burdens, while also calling for tougher restrictions on online advertising. It also supports modernizing GDPR enforcement and addressing fragmented interpretations across member states. The draft highlights priorities including stronger protections for minors, greater transparency and accountability in algorithms, and reinforcing Europe’s digital sovereignty.  The paper stresses that these political objectives should be adopted swiftly through coordinated action within the group and across EU institutions, with a dedicated EPP team to lead the initiative. 

Franco-German agenda to boost cutting-edge tech, sovereignty and simplification 

At their 25th Council of Ministers, France and Germany launched an agenda to strengthen Europe’s technological sovereignty and competitiveness. They pledged deeper cooperation on cutting-edge technologies such as AI, quantum, cloud and space, with joint initiatives on generative AI models (IPCEI-AI), high-performance computing, and a quantum computing ecosystem. Both sides committed to reinforcing digital sovereignty through a high-level summit on November 18, and to presenting joint positions on AI, cyber and data regulation, including proposals to simplify the EU’s legal framework. They also stressed the need to reduce bureaucracy across the Single Market, backing the Commission’s simplification packages and urging a “new legislative mindset” to ease regulatory burdens for SMEs and scale-ups. Following this approach, they are pushing to ease GDPR obligations through the omnibus simplification package, seeking to go beyond the Commission’s proposal to raise the employee threshold under which companies are exempt from keeping GDPR records, by adopting a more general risk-based approach that reduces reporting requirements for SMEs  without undermining the regulation’s effectiveness. 

Austria presents digital sovereignty charter proposals 

Austria circulated a paper to Member States titled “Shaping Digital Sovereignty – Cornerstones for a Common Charter”. The paper highlights risks ranging from geopolitical tensions, cyberattacks, disinformation, and Europe’s dependence on non-European tech firms, which are amplified by rapid AI developments. Austria calls for a European strategy based on independence, innovation, data protection, and values, aligned with the Digital Decade 2030 goals. Proposals in the paper include a pan-European stocktaking exercise to identify best practices and hidden champions, stronger cooperation on joint open-source solutions, and promotion of open-source in public procurement. The paper also stresses the need to expand data sovereignty as a “strategic resource,” strengthen intra-EU cooperation on data protection, and invest in digital skills to retain top talent. Austria will ask EU Member States to share their goals and recommended actions to bolster Europe’s digital sovereignty in a dedicated dialogue during the TELECOM WP meeting of 12 September.  

Danish Presidency outlined digital priorities in the Parliament’s JURI, IMCO, CULT and ITRE Committees 

The Danish Presidency outlined its digital priorities across Parliament committees. Key digital priorities include simplifying the EU cyber legislation framework, updated copyright regulation to ensure fair remuneration or effective licensing in response to AI’s impact on the creative sector, and protecting minors online (including through the enforcement of the DSA, stronger age verification rules and action against addictive design). Digital Affairs Minister Caroline Stage Olsen also supported postponement of AI Act provisions to give small companies more time to comply.  

Promoting Sustainability through Digital Infrastructure

As underscored in EuroISPA‘s Position Paper on Sustainability, the role that digital technologies and infrastructure play in driving environmental responsibility across the economy is crucial. From reducing energy consumption in telecom networks to encouraging investments in sustainable data centres, the paper presents actionable strategies for driving a greener future powered by responsible digitalisation.  

Digitalisation already plays a key role in sustainability, replacing outdated, energy-intensive technologies with more efficient alternatives. For instance, 5G networks consume 80% less energy than 4G, and fiber optic cables use five times less energy than copper. This high-performance connectivity creates opportunities for energy savings across all sectors. 

However, more can be done. EuroISPA advocates for proactive measures, such as phasing out aging 2G and 3G equipment, fostering industry collaboration, and sharing best practices to optimise data distribution. Consistent regulation and increased investment in renewable energy infrastructure are also vital in ensuring that Europe’s digital ecosystem remains both competitive and sustainable. 

Data centres as the backbone of digitalisation, key to decarbonising the EU economy. EuroISPA encourages further investment in EU-based data centres, supported by renewable energy, to enhance both competitiveness and environmental sustainability. 

The digital infrastructure sector holds the key to a greener future, and we at EuroISPA are committed to leading that transition. By promoting energy-efficient technologies and investing in sustainable data centres, we can drive decarbonisation across Europe, ensuring both sustainability and digital resilience. 

By embedding sustainability into every level of the digital supply chain, EuroISPA envisions a future where responsible digitalisation powers a greener, more prosperous Europe. 

Lars Steffen

EuroISPA Vice President

Head of International, Digital Infrastructures & Resilience of eco – Association of the Internet Industry

EuroISPA publishes its Vision for the EU mandate 2024-2029

EuroISPA is excited to publish its Vision for the 2024–2029 EU Mandate, a strategic document that outlines a clear, actionable roadmap to strengthen Europe’s digital resilience, competitiveness and innovation.

In a time of rapid technological evolution and increasing global competition, Europe must pivot from being a “regulatory hyperscaler” to a continent that fosters investment, entrepreneurship and forward-looking policymaking. Our Vision identifies six key strategic priorities:

  1. Completing the Digital Single Market to reduce fragmentation and scale innovation.
  2. Simplifying regulation to empower disruption and reduce compliance burdens, especially for SMEs.
  3. Building secure and resilient digital infrastructure that supports technologies like AI and quantum computing.
  4. Defending European rights and democratic values, including strong privacy and encryption protections.
  5. Maintaining openness to global cooperation while safeguarding strategic autonomy.
  6. Advancing the green transition through smart digital sustainability and energy efficiency.

EuroISPA and its members remain committed to working closely with EU institutions and stakeholders to help shape a digital Europe that is open, competitive and aligned with core democratic principles.

Read the full Vision for 2024–2029 here: EuroISPA Vision for the EU mandate 2024-2029

EuroISPA Monthly Report – May/June 2025

May and June saw continued movement across the EU’s digital policy agenda, with institutional work progressing on several fronts. Consultations on the upcoming Digital Networks Act gained pace, with a call for evidence launched on 6 June and open until 11 July, for which EuroISPA has prepared its own submission. Data protection also remained high on the agenda, as the GDPR enforcement package advanced through the legislative process and preparations began for a dedicated implementation dialogue with stakeholders. Work on data retention is also ongoing, with the Commission seeking input from stakeholders throughout the summer.  

Among content-related developments, the Commission requested clarification on Italy’s Piracy Shield, raising concerns about its alignment with the DSA and the risk of overblocking. Other developments included continued parliamentary discussions on generative AI and copyright, and the presentation of the EU’s International Digital Strategy, which emphasised the importance of global partnerships in key areas such as cybersecurity, AI and connectivity.  

The EuroISPA Secretariat has been closely monitoring these developments and continues to gather input from members to ensure their engagement across key consultation processes, with all relevant deadlines listed in the “Recent and ongoing activities” section at the end of this newsletter.

Finally, an important highlight for EuroISPA in the past month was also the second General Meeting of the year, hosted by FFT in Paris.

ONLINE CONTENT 

Denmark publishes its new CSAR compromise text 

In their compromise text from 1 July, to be discussed during the Law Enforcement Working Party of 11 July, the Danish Presidency introduced several key changes, the most significant one regarding the removal of the voluntary detection from the long-term Regulation, shifting responsibility entirely onto detection orders issued through judicial or administrative processes. At the same time, the Regulation significantly strengthens safeguards around encryption, detection technologies, and user rights. On E2EE particularly, the new draft clearly prohibits any requirement to decrypt or weaken encryption and introduces consent-based pre-transmission scanning as a condition for detection in encrypted environments. More precisely on encryption, orders may only apply to encrypted services if detection occurs before transmission and with the explicit consent of the user. Providers must allow non-consenting users to continue using parts of the service that do not involve the transmission of visual content or URLs. Overall, the proposal resembles strongly the Belgian one – including reinforced procedural checks and a narrower detection scope. 

Commission questions legality of Italy’s Piracy Shield under the DSA 

In a letter dated 13 June to the Italian Communications Authority (AGCOM), the European Commission raised concerns about Italy’s anti-piracy tool, the Piracy Shield, requesting further clarification. The Commission argued that the DSA does not provide a legal basis for national authorities to issue content removal orders, nor does it specify how such orders should be enforced. It also warned that the current Italian framework could lead to overblocking. Additionally, the Commission stressed third parties affected by the streaming of illegal online content and users of the services must be involved in tackling the issue.  

Implementing regulation on harmonised transparency reporting under the DSA now in effect

On 1 July the Commission’s implementing regulation on harmonised transparency reporting under the Digital Services Act entered into force. It sets a standard format and schedule for transparency reports by intermediary services, covering content removals, automated moderation, and account suspensions. Intermediary services must publish annual reports by February, while very large platforms and search engines must report twice a year, in February and August, starting in 2026.

European Parliament report on Generative AI & Copyright published  

The long-awaited own initiative report by MEP Axel Voss (EPP, DE) “Copyright and Generative artificial intelligence – opportunities and challenges” is set to be presented and discussed next week in the JURI committee, on 15 July (deadline for amendments: 12 September). The report, although discouraging the reopening of the Copyright Directive, affirms that the TDM Exception is not applicable to Generative AI systems, suggesting therefore an additional legal act to solve the impartiality that this creates between creators and AI developers. It also acknowledges the importance of AI for innovation, and therefore asks for more transparency when it comes to the training of AI systems with the intention to create a fairer remuneration system. This includes a standardised and machine-readable way for artists to opt-out from the training as well as the creation of quick mechanism of remuneration. The EUIPO is suggested as a mediator in this process, including the management an opt-out registry.  

Parliament focuses on strengthening minors’ protection: key amendments 

The European Parliament’s draft INI report on minors’ protection has attracted over 460 amendments, signaling a push to toughen rules. Major themes include stronger action against addictive social media features, calls for platform bans and personal liability for executives, and demands for greater transparency on advertising revenues targeting children. The Digital Fairness Act is frequently referenced as a key tool to address these harms. Lead MEP Christel Schaldemose (S&D, DK) plans to increase the report’s ambition based on this broad input. The CULT committee will hold an expert hearing in July to support the debate. 

Digital Fairness Act consultation still in the waiting 

The imminent consultation on the so-called DFA will include questions on topics like dark patterns, influencer marketing, advertising, vulnerable consumers and simplification and will be open for three months. 

For the stakeholders who would like to share their thoughts already, a good option is to submit some ideas via the Consumer Agenda 2025-2030 consultation, open until 31 August and which will also feed into the DFA. 

DSA Guidelines on Minors likely delayed until summer break 

Guidelines on the protection of minors under the Digital Services Act, initially expected in Q1 2025, are now likely to be finalised before the summer break, Commission officials said during a workshop on June 6. However, due to the high volume of stakeholder responses, officials acknowledged that further delays remain possible. 

Preparations on the European Democracy Shield resume 

In the draft Council conclusions “on access to reliable news as part of the European Democracy Shield,” Member States call for levelling the playing field between traditional media and digital platforms. In the document, EU countries invite the European Commission to examine how competition law can be used to make the advertising market more accessible to editorial media, to standardise prominence requirements under the Audiovisual Services Media Directive for digital platforms and gatekeepers to uniformly boost reliable journalism and to include “media-like actors,” i.e. influencers and content creators, into editorial accountability regimes. The draft conclusions will be discussed by the Council’s Audiovisual Working Party on Friday. As a reminder, the European Parliament is also working on an own-initiative report meant to feed into the European Commission proposal, set to be presented in the autumn. 

DATA ECONOMY 

Commissioner McGrath organises implementation dialogue with stakeholders 

On 16 July, Commissioner Michael McGrath will host an implementation dialogue on the application of the GDPR with civil society and business organisations. The discussion will be structured around four themes, namely simplification, compliance, interaction with other legislation and increasing legal certainty. 

European Commission presents Roadmap for effective and lawful access to data for law enforcement 

On June 25, the European Commission unveiled a new Roadmap aimed at improving law enforcement’s ability to access digital data in a lawful and efficient manner. This initiative is part of the ProtectEU Internal Security Strategy and responds to rising digital evidence needs in criminal investigations. The Roadmap outlines six priority areas: updating data retention rules, improving cross-border lawful interception, enhancing digital forensic capabilities, developing lawful decryption tools, standardising security practices, and supporting AI-driven evidence analysis. Key actions are scheduled between 2025 and 2030. The Commission invited Member States to discuss the Roadmap during the Informal Justice and Home Affairs Council on 22 and 23 July. 

Last draft of the Code of Practice on General Purpose AI models on the way 

On 7 July, the AI Office held a workshop to encourage Big Tech firms to endorse the voluntary Code of Practice on general-purpose AI. While industry welcomed the code’s alignment with the AI Act, civil society groups criticized their exclusion from the drafting process and raised concerns about missing provisions on transparency, whistleblower protections, and safety. 

The Commission is expected to publish the final draft on 10 July. It is also consulting Member States via the AI Board, which must confirm the code’s adequacy. A joint assessment by the Commission and AI Board is due by mid-August. The next AI Board meeting is set for 18 September. 

Henna Virkkunen launches first implementation dialogue on data policy 

At the beginning of July, the Finnish Commissioner launched her first implementation dialogue, a restricted consultation format focused on data policy (Data Act, the Data Governance Act, and the Open Data Directive). The objective of this dialogue was to identify solutions to streamline and simplify regulations. These results should inform discussions on the digital simplification omnibus and the new Data Union strategy, both expected at the end of the year.  

Negotiations on GDPR enforcement rules see the end 

On 16 June the European Parliament and the Polish Presidency of the Council reached a provisional agreement to clarify and speed up cross-border enforcement of the GDPR. The new rules set deadlines for investigations (15 months for complex cases and 12 months for simpler ones, with possible extensions), and introduce a streamlined cooperation process to resolve straightforward cases faster. The agreement also strengthens complainants’ rights by improving their access to information and ensuring they can be heard before decisions are made. The law encourages early consensus-building among data protection authorities to foster consistent GDPR enforcement across the EU.  

The European Parliament committee LIBE is set vote on the text on 14 July, while the plenary vote is planned to take place in October. 

European Data Union Strategy consultation published  

The Commission published the Call for Evidence and a Public Consultation for the Data Union Strategy, open for eight weeks until 18 July. The initiative presents three objectives: 1) stimulating investments into data technologies and make available certain data assets through voluntary measures or funding to scale-up data use and availability, for example, in the development of generative AI, 2) to simplify and consolidate the current framework and 3) to develop and ‘international data strategy’, which should include actions to safeguard the export of EU data, as well as actions to stimulate data import into the EU. 

The consultation is based on a questionnaire divided into sections asking for the potential review of the Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive. Finally, it includes questions about the potential future EU actions when it comes to consolidation of data legislation, data availability in the EU, administrative burden reduction through data, international dimension, and data sharing standards.  

CYBERSECURITY & INFRASTRUCTURE 

Plum publishes study on negative impact of legally mandated dispute resolution in IP interconnection 

On 4 July, Plum Consulting published a CCIA-commissioned study warning against legally mandated dispute resolution in IP interconnection, arguing it is largely unnecessary and unworkable due to the technical complexity of interconnection and the prevalence of amicable commercial agreements. The study cautions that such mandates could normalise network fees, encourage strategic disputes by large ISPs, and lead to a “Sending Party Network Pays” model, increasing paid peering. This would disproportionately harm smaller content providers and ISPs, raise costs, reduce competition, fragment the EU digital market, and ultimately undermine innovation, SMEs, and consumers. 

Commission to present Data Centre Energy Efficiency Package in early 2026 

The European Commission will present a data centre energy efficiency package in Q1 2026, as part of a broader push to curb rising electricity use driven by AI and digitalisation. Indeed, Energy Commissioner Dan Jørgensen cited that data centres now account for nearly 3% of the EU’s total electricity demand. The initiative will be released alongside the Strategy Roadmap on Digitalisation and AI and forms part of a wider set of energy efficiency actions. For now, it remains unclear whether the package will include legislative proposals. In parallel, the Commission is working on a labelling scheme under the Energy Efficiency Directive and is considering fast-track permitting for highly efficient data centres under the forthcoming Cloud and AI Development Act. 

Germany rejects cloud protectionism, urges competition with U.S. providers 

Germany’s new digital minister Karsten Wildberger has called for a competitive, not protectionist, approach to cloud sovereignty in the EU. In an interview with Politico, he stressed that technological independence should not come from excluding U.S. hyperscalers, which currently dominate over two-thirds of the European market, but from building competitive European alternatives. In parallel, several Member States – including Germany, Poland, the Baltic States, the Czech Republic and Spain – are actively vying to host AI gigafactories, seen as a cornerstone of Europe’s ambition to boost computing power and strategic tech autonomy. 

EVP Henna Virkunnen and MEPs issue Joint Declaration at the 2025 IGF

Henna Virkkunen and five Members of the European Parliament (from EPP, S&D and ECR) in a joint declaration support of a multistakeholder, rights-based approach to internet governance. They called for the IGF to become a permanent, UN-funded body with inclusive participation from developing countries. The statement highlighted the need to address digital divides, adapt governance to technologies like AI, and align WSIS+20 efforts with the Sustainable Development Goals and the Global Digital Compact. The signatories opposed intergovernmental control and internet fragmentation, advocating innovation-friendly tools such as governance sandboxes. 

ENISA’s NIS2 issues Technical Implementation Guidance 

On 26 June, ENISA published its NIS2 Technical Implementation Guidance. The non-binding document covers 13 key concepts and cybersecurity practices and provides guidance and examples of evidence for each. Concepts of interest for EuroISPA include recommendations around security policy, risk management, incident handling and supply chain security. 

MISCELLANEOUS 

Denmark starts chairing the Council Presidency 

On 1 July, the Danish Presidency of the Council of the European Union kicked off. Under the Danish Presidency, several progress reports are expected, including on the digital aspects of the post-2027 Multiannual Financial Framework (MFF), scheduled for presentation on July 16. Other issues expected by end of year will be subject to mere “information” from the Presidency, such as the Digital Networks Act, the regulation on the development of cloud computing and AI, or the “omnibus” digital simplification package. While awaiting legislative initiatives, the Danes will also work on non-binding conclusions, notably on technological sovereignty. Finally, interior ministers will draw up a state of play on the issue of data access by law enforcement in mid-October. 

The European Commission is still aiming for an agreement with the United States by July 9 

Washington has now announced that, in the absence of an agreement, customs surcharges will apply starting August 1, suggesting that the negotiation window could still be extended. For the Europeans, the dilemma remains unchanged: either accept an “asymmetrical” deal that preserves U.S. tariffs or risk a confrontation that could lead to even higher duties. This choice was discussed at an ambassadors’ meeting on July 4. Aiming to remain conciliatory, the Commission has temporarily put on hold a list of retaliatory measures prepared in May and June, which currently excludes actions targeting services. “There are no immediate plans to act on this list, but that may change,” a Commission spokesperson noted. 

European Commission’s DG CONNECT gets a makeover 

The European Commission published the new organigramme of its Directorate-General for Communications Networks, Content and Technology (DG Connect) on 1 July. The new structure establishes the division into two separate directorates of the former “Platforms” directorate, previously responsible for the application of the DMA and DSA Regulations. Rita Wezenbeek, who takes over the new directorate responsible for the online platform economy, is also acting as head of the new “e-commerce” unit. Prabhat Agarwal, head of unit responsible for the DSA (“Risk Assessment and User Rights”) will be acting as head of his new directorate dedicated to the societal aspects of online platforms, as well as the new unit on the protection of minors. 

International Digital Strategy unveiled  

At the beginning of June, High Representative Kallas and EVP Virkkunen unveiled the International Digital Strategy: it stresses the EU’s necessity to collaborate with global players, such as U.S. companies, recognising the importance of international partnerships and remaining open to like-minded countries. 

It includes objectives such as deepening the existing Digital Partnerships and Dialogues, broadening the existing cooperation network and expanding the network of digital trade agreements, strengthening Security & Defence Partnerships as regards digital issues through Digital Trade Agreements. 

The strategy includes actions on secure connectivity, emerging technologies, artificial intelligence, 5G/6G, cybersecurity, digital identity and Digital Public Infrastructure (DPI), online platforms, internet governance. 

Trilogue talks begin on EU Foreign Direct Investment Screening   EU institutions launched trilogue negotiations on June 17 to revise the EU’s foreign investment screening framework, a key component of Commission President von der Leyen’s economic security strategy. The proposal would make screening mechanisms mandatory across all Member States and further harmonise rules on sensitive sectors. Tensions are expected between Parliament and Council: Member States seek a narrower list of critical technologies (e.g. semiconductors, AI), while Parliament- led by MEP Raphaël Glucksmann (S&D, FR) – advocates for a broader scope including aerospace, rail, and automotive. Another point of friction is the Commission’s role, with Parliament supporting greater oversight by the EU executive, which the Council opposes. The first trilogue served as an introductory meeting, with substantive negotiations set to follow. An agreement is targeted by year-end. 

EuroISPA Response to the Digital Networks Act Call for Evidence

EuroISPA contributed to the European Commission’s consultation on the upcoming Digital Networks Act (DNA) and emphasises the importance of a transparent, inclusive and proportionate approach to reforming the EU’s electronic communications framework.

EuroISPA’s key messages:

  • Defining limits to harmonise access regulation and network transition: Harmonised access products must remain optional and copper switch-off plans must reflect national readiness and diversity.
  • Advancing harmonisation and simplification: Simplification must lower administrative burdens without compromising national flexibility or increasing regulatory overlap.
  • Enabling technology-neutral connectivity framework: A level playing field for fibre, wireless and satellite is essential to closing the digital divide.
  • Aligning environmental legislations with existing EU frameworks: Environmental rules should align with existing horizontal ESG frameworks, avoiding telecom-specific duplication.
  • Distinguishing consumer protection from enterprise services: Enterprise and public sector services should be exempt from consumer protection rules due to their bespoke nature.
  • Ensuring proportional and non-redundant governance structures: Knowledge sharing is welcome, but expanded EU-level powers must respect the principle of subsidiarity.
  • Focusing on demand-side gaps and digital skills: Efforts should address adoption barriers and digital skills rather than expanding costly Universal Service Obligations.
  • Maintaining a consistent commitment to net neutrality: Net neutrality must remain a cornerstone of the open internet and be upheld without reinterpretation or compromise.

Read the full response to the European Commission here.

The future of digital infrastructure: what’s next after the European Commission’s White Paper

With the publication of its White Paper on digital infrastructure in 2024, the European Commission has finally launched a long-overdue debate on the future of the telecom regulatory framework. EuroISPA has taken an active role in these discussions, committed to shaping an ambitious vision for the sector. Engaging with policymakers to highlight the essential role of Internet Service Providers (ISPs) in fostering innovation, resilience, and the twin transition, we reaffirm our dedication to keeping telecom networks at the heart of Europe’s economic and technological leadership. 

As we move towards 2030, unlocking the necessary investments to achieve the Digital Decade connectivity targets remains a top priority. To this end, Europe must establish a regulatory framework that incentivises investment, notably through a comprehensive Digital Networks Act, ensuring a robust, sustainable, and competitive telecom ecosystem for the future. 

Achieving true internal market integration will largely depend on harmonising and streamlining regulations across multiple areas, including infrastructure investment, spectrum management, and taxation. This also requires assessing the relevance of existing sectoral rules alongside broader horizontal frameworks. The regulation of our sector must adopt a more coordinated approach and foster investment-friendly conditions while preserving effective national frameworks and ensuring fair competition. 

Prioritising network sustainability is also crucial to supporting the green transition of our economy. The telecom industry plays a key role in driving sustainability gains across sectors and reducing its own environmental footprint by replacing legacy technology with more energy-efficient infrastructure. The inclusion of connectivity networks in the EU Taxonomy for sustainable finance is a positive step toward securing funding for greener networks. Additionally, engaging with equipment suppliers and digital service providers across the entire value chain will be essential to adopting the most efficient technologies, achieving net-zero emissions, and ensuring optimal network efficiency. 

Looking ahead to 2025, we believe the Digital Networks Act must serve as a cornerstone for turning these priorities into concrete action. By simplifying regulation, securing investment, and strengthening network sustainability and security, Europe can build digital infrastructures that are both competitive and future-proof. EuroISPA and its members remain committed to working alongside European stakeholders and institutions to ensure these vital reforms become a reality. 

Romain Bonenfant

EuroISPA Board Member

Managing Director of FFTélécoms – Fédération Française des Télécoms