EU Digital Networks Act: The Commission’s Proposal
On 21 January 2026, the European Commission published its proposal for a Digital Networks Act (DNA), which would repeal and replace the European Electronic Communications Code (EECC) in its entirety. The EECC currently forms the core of EU regulation for electronic communications, governing the provision of electronic communications networks and services, including fixed and mobile […]
The European Commission finds TikTok’s design in breach of the Digital Services Act
The European Commission has concluded that TikTok may be violating the Digital Services Act because of design features that encourage compulsive use. These include infinite scrolling, autoplay, push notifications, and a highly personalised recommendation system. According to the Commission, TikTok has not sufficiently assessed the risks these features pose to users’ mental and physical wellbeing, […]
Swedish DPA: Priorities for 2026
The Swedish Authority for Privacy Protection (“IMY“) has published its priorities for guidance and supervisory activities in 2026. IMY will focus its efforts on three areas where it identifies heightened privacy risks and a need for increased compliance with data protection rules. The overarching objective is to ensure that individuals can act safely and independently […]
EDPB–EDPS Joint Opinion on the Commission’s proposed AI Act amendments (Digital Omnibus on AI)
On 19 November 2025, the European Commission proposed a Regulation as regards the simplification of the implementation of harmonised rules on artificial intelligence, aiming at simplify implementation of the EU AI Act. The EDPB and EDPS were formally consulted on 25 November 2025 and issued a Joint Opinion focusing on changes that could materially affect […]
New EU Regulation on Cross-Border GDPR Enforcement Procedures
On 12 December 2025, a new EU Regulation was published, setting harmonised procedural rules for the handling of cross-border GDPR enforcement cases by data protection authorities. The Regulation standardises the procedural framework for complaint-based investigations and investigations initiated by data protection authorities on their own motion, involving cross-border processing. It structures the full enforcement lifecycle, […]
Cyber Resilience Act: Technical Descriptions for Important and Critical Products Are Published
The European Commission has adopted Implementing Regulation (EU) 2025/2392, providing the technical descriptions for the categories of important and critical products with digital elements under the Cyber Resilience Act (Regulation (EU) 2024/2847). The CRA establishes a tiered regulatory framework, whereby the required level of assurance depends on a product’s core functionality and the associated cybersecurity […]
The European Commission Publishes Model Contractual Terms and Standard Сontractual Clauses Under the Data Act
The European Commission has released a package of non-binding model contractual terms (MCTs) and standard contractual clauses (SCCs) intended to simplify and harmonise how organisations contract for data access, data sharing and data processing services under the Data Act (Regulation (EU) 2023/2854). The package aims to reduce fragmentation, strengthen legal certainty, minimise negotiation friction and […]
ESAs Publish First List of Critical ICT Third-Party Providers Under DORA
The European Supervisory Authorities (the ESAs) have published the first list of critical ICT third-party providers (CTPPs) designated under the Digital Operational Resilience Act (DORA). This marks a key step in rolling out the DORA oversight framework, following a multi-stage assessment based on financial-entity registers, cross-sector criticality analysis and providers’ right to be heard. The […]
The Digital Omnibus: Targeted Amendments to the EU Digital Rulebook
The European Commission has unveiled a new digital package designed to cut administrative burdens for companies across the EU and streamline the Union’s fragmented digital rulebook. The package centres on, amongst other things, amending existing requirements relating to GDPR, AI Act, Data Act, e-privacy directive and other data legislation such as the Data Governance Act. […]
EDPB Publishes Opinion on European Commission’s Proposal to Extend UK Adequacy Decision for Data Transfers to December 2031
On 22 July 2025, the European Commission proposed draft decisions to extend the United Kingdom’s GDPR adequacy status until December 2031. This would allow EU organisations to continue transferring personal data to the UK without additional safeguards such as Standard Contractual Clauses. The European Data Protection Board (EDPB) has now issued its opinion, welcoming the […]