
EU Policy Update – April 2026

EU Policy Updates 07-05-2026

In a nutshell: The European Commission presented a plan for better enforcement of EU rules, awarded a tender for a sovereign cloud, published the final reports of the Virtual Worlds Observatory and the Interactive Data Explorer, and partnered with EUIPO on DSA enforcement. The Cypriot presidency published a non-paper on FiDA negotiations. The Council of the EU published a compromise position on the Payment Services Regulation. EU institutions agreed on a roadmap to strengthen the EU Single Market, and are finalising the AI Omnibus negotiations. BEREC published an early assessment of the Digital Networks Act. The European Economic and Social Committee published an opinion on the Cybersecurity Act 2.0. Europol published the IOCTA 2026 report. The EDPB published a Data Protection Impact Assessment template. The Council of Europe issued a recommendation on online safety and empowerment of users and content creators.

Financial regulation

The Council of the EU published a compromise position on the Payment Services Regulation

On 17 April, the Council of the EU published the latest compromise text of the Payment Services Regulation (PSR, see our previous reporting here). The latest text includes domain-level enforcement provisions, enabling competent public authorities, as designated by Member States, to order domain name registries or registrars to delete a fully qualified domain name belonging to a non-compliant service provider and to allow the competent authority concerned to register it. It also adds references to domain names in its anti-fraud provisions. Since payment service providers are obliged to mitigate their ICT risks under DORA, they should also have in place adequate technical measures and tools to prevent the fraudulent replication and misuse of their domain name. A victim of a “spoofing” fraud, in which fraudsters impersonate a payment service provider’s domain name, should be entitled to a refund of the full amount of the fraudulent payment. Final approval of the text should take place during the Council’s ministerial meeting on 5 May 2026.

The Cypriot presidency published a non-paper on FiDA negotiations

On 6 April, the Council of the EU presented a non-paper outlining possible ways to finalise the interinstitutional negotiations on FiDA (see our previous reporting here). The Council responds to months of stalled negotiations since the last trilogue meeting in June 2025, with the aim of reaching a political agreement in the near future. The non-paper focuses solely on the issue of gatekeepers’ potential access to customers’ data held by financial service providers under the data-sharing arrangements. This issue, however, remains contentious within the Council. As a path forward in the negotiations, the Cypriot presidency presents a timeline for the phased application of the data-holders’ obligations to make customers’ data available. The non-paper does not indicate the expected timeline for the finalisation of interinstitutional negotiations.

Competitiveness

The European Commission presented a plan for better enforcement of EU rules

On 28 April, the European Commission presented a strategy on better regulation and enforcement. The strategy covers themes such as ensuring the simplicity of new legislative proposals, so they are easy to understand, apply and enforce; improving stakeholder engagement through revised calls for evidence and impact assessments; and faster, more effective enforcement of existing rules. The Commission will prioritise “exhaustive regulations and complete harmonisation when regulating single market-related matters, where legally feasible and appropriate”, and set realistic transposition and implementation timelines. The Commission also intends to ensure a consistent application of the principles of proportionality and subsidiarity in EU law and to prevent EU legislation from becoming too long, complex and costly by adopting more focused implementing rules. The strategy was complemented by a “Regulatory Deep Cleaning Action Plan”, which outlines upcoming simplification efforts across different sectors. With regard to the digital sector, the Action Plan references the ongoing preparation of the Digital Fitness Check (see our previous reporting here) and the simplification efforts of the Digital Omnibus (see our previous reporting here). The European Parliament’s internal think tank also prepared an overview of eTools for regulatory simplification and consistency. The overview maps current practices and provides options for the adoption and further development of eTools, many of them AI-based, within the EU context.

EU institutions agreed on a roadmap to strengthen the EU Single Market

On 24 April, the presidents of the European Commission, Parliament and Council signed a Joint Declaration committing to achieving “One Europe, One Market”. The Declaration responds to geopolitical pressures, technological disruption, and economic uncertainty, and aligns with the objectives set out by the European Council in March 2026 (see our previous reporting here). The three institutions commit to simplifying existing rules, reducing barriers in the Single Market, promoting strong trade, lowering energy prices and decarbonising, and driving the digital and AI transformation. The three institutions also commit to prioritising the finalisation of the following legislative initiatives by the end of 2027 at the latest: AI Omnibus, EU Inc., Public Procurement Act, review of the Consumer Protection Cooperation Regulation, Cybersecurity Act 2.0, Cloud and AI Development Act, amongst others.

BEREC published an early assessment of the Digital Networks Act

On 30 March, the Body of European Regulators for Electronic Communications (BEREC) published an early assessment of the Digital Networks Act (DNA) proposal (see our previous reporting here). BEREC welcomes the ambition to modernise the regulatory framework for Europe’s connectivity sector and to strengthen the competitiveness of the EU digital sector. The document cautions that the general authorisation procedure for electronic communications operators may introduce greater operational complexity, administrative burden and legal uncertainty. BEREC welcomes the commitment to net neutrality and transparency obligations, but notes that narrowing Member States’ ability to maintain or introduce stricter measures poses risks to consumer rights, accessibility and affordability. BEREC welcomes the clarification and harmonisation of the core tasks of national regulatory authorities, as well as the assignment of new roles to BEREC, including issuing guidance on ecosystem cooperation between the connectivity and adjacent digital sectors, and on the preparedness and resilience of the electronic communications sector.

Cybersecurity

The European Economic and Social Committee published an opinion on the Cybersecurity Act 2.0

On 29 April, the European Economic and Social Committee (EESC) published an opinion on the Cybersecurity Act 2.0. The EESC welcomes the proposal and emphasises that cybersecurity and ICT supply chain security must be treated as matters of economic security and geopolitical resilience. The opinion underlines that measures on ICT supply chain security must be based on clear, predictable and transparent requirements, and calls for full consideration of the economic and downstream impacts of supply chain interventions, including feasibility, availability of alternatives, and lifecycle constraints. The EESC notes that the EU should not procure or integrate critical ICT components from countries that actively undermine European security interests.

Europol published the IOCTA 2026 report

On 28 April, Europol published the annual Internet Organised Crime Threat Assessment. The report focuses on cybercrime enablers, the criminal infrastructure behind online fraud schemes, cyber-attacks, and online child sexual exploitation. It notes that as new AI tools become more accessible, they lower entry barriers for cybercriminals. Law enforcement faces difficulties with end-to-end encrypted platforms and “restrictive or inadequate” data retention policies across EU Member States, which impair their ability to track suspects or disrupt criminal operations. The report notes that “technical DNS abuse and website content abuse are tightly intertwined in the criminal process”. For example, “criminals register domains to harvest user credentials through imitations of legitimate websites (e.g., financial institutions)”, or abuse DNS for the delivery and operation of botnets, according to the report. The document mentions that criminal networks exploit the period between domain name registration and law enforcement intervention. The “absence of automated reporting interfaces and the reliance on slow, cross-border judicial assistance protocols prevent the mitigation (e.g. blocking or take-down of malicious domains) required to stop automated fraud and malware distribution campaigns”, according to the report.

The European Commission awarded a tender for a sovereign cloud

On 17 April, the European Commission awarded a tender for EU institutions, bodies, offices and agencies to procure cloud services for up to EUR 180 million over a 6-year period. The Commission selected four European companies on the basis of their alignment with the Commission’s Cloud Sovereignty Framework (see our previous reporting here). The Commission notes that “non-European technologies, when operated within a strict and appropriate framework, can meet the minimum level of sovereignty required”. The Commission will also update the existing Cloud Sovereignty Framework to include specific criteria for assessing a supplier's sovereignty. The intention is that the Framework may be reused by other interested public or private organisations.

Content moderation

The European Commission partnered with EUIPO on DSA enforcement

On 1 April, the European Commission partnered with the European Union Intellectual Property Office (EUIPO) in the context of the Digital Services Act (DSA) enforcement. The five-year agreement focuses on combating online counterfeiting and piracy. As a key action, the EUIPO will assist the European Commission with the oversight of the Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). The EUIPO will help analyse internal reports submitted by VLOPs and VLOSEs to assess their efficiency in tackling IP infringements. Furthermore, the EUIPO will organise specialised training for national DSA enforcement authorities, develop best practices and tools to help online platforms prevent the misuse of their services, and help build expertise among judicial authorities, IP rights holders and smaller online intermediaries.

Data protection

The EDPB published a Data Protection Impact Assessment template

On 14 April, the European Data Protection Board (EDPB) published a draft template for Data Protection Impact Assessments (DPIA). Preparing a DPIA is required under the GDPR for processing personal data that may pose a high risk to data subjects' rights. The DPIA helps identify and reduce risks to individual rights. In addition to the template, the EDPB published an explanatory guide on how to complete it. Controllers are, however, free to choose the DPIA methodology they see fit, as they are not obliged to use the EDPB’s template. The template is open to feedback through a public consultation until 9 June.

AI & virtual worlds

The European Commission published the final reports of the Virtual Worlds Observatory and an Interactive Data Explorer

On 22 April, the European Commission launched a Virtual Worlds Data Explorer and presented Virtual Worlds Observatory reports. The Data Explorer provides an overview of the Virtual Worlds ecosystem in Europe and globally, including a comparison of regions, sectors, use cases and technologies. The Virtual Worlds Observatory reports focus on EU strengths and global interdependencies, structured assessment of virtual worlds applications and analysis of skills, challenges and emerging trends. The reports note that the EU’s leadership in Virtual World research contrasts with its lag in business innovation and patent activity, raising the risks of dependency on non-EU tech giants and of limited influence over global standards, values and governance in the immersive environment.

The EU institutions are finalising the AI Omnibus negotiations

In April, the AI Omnibus proposal entered its final interinstitutional negotiations phase. The Commission presented the proposal in November 2025. As a modification of the AI Act, the Omnibus postponed the application of rules on high-risk AI systems by 16 months, relaxed registration requirements for AI systems in the EU database for high-risk systems, extended SME exemptions, extended the use of personal data for bias detection, and shifted the obligation to provide AI literacy from providers and deployers of AI systems to the Commission and Member States, among other measures. The Council of the EU’s version adds a prohibition on AI-generated non-consensual sexual and intimate content or child sexual abuse material. It also proposes reinstating the obligation for providers of AI systems to register in the EU database of high-risk AI systems, and for the Commission to assist economic operators of high-risk AI systems in complying with the AI Act. The European Parliament’s version supported a ban on AI-generated non-consensual intimate or sexually explicit images. The file remains a priority for the co-legislators, and its adoption is expected in the coming months.

Outside of the EU

The Council of Europe issued a recommendation on online safety and empowerment of users and content creators

On 8 April, the Committee of Ministers of the Council of Europe (CoE) published a non-binding Recommendation on online safety and empowerment of users and content creators. The Recommendation emphasises the need to create the conditions for a free, open and accessible internet for all. The Recommendation notes that states have an obligation to effectively address harm online, including specifying intermediary liability rules. Furthermore, the Recommendation states: “the blocking or banning of an entire online service, domain or website[…] is an exceptionally severe interference with the right to freedom of expression.” Actions such as domain blocking should be ordered by a judicial authority or another independent public authority whose decisions are subject to judicial review and conform to a high standard of justification. The operators and directly affected users should receive a meaningful explanation of the action taken and have access to an effective remedy. Enforcement of content-specific restrictions should be limited to what is necessary and proportionate. The Recommendation also notes that states should ensure, both in law and in practice, that internet intermediaries are not held liable for third-party content which they merely give access to, transmit or store. Intermediaries may be held responsible for content they store if they do not act expeditiously to restrict access to such content or service as soon as they become aware of its illegality, including via notice-based procedures.

Published By Filip Lukáš
Filip is the Policy Advisor at CENTR, advising members on relevant EU policy and liaising with governments, institutions and other organisations in the internet ecosystem.
Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.