In a nutshell: The European Commission started the review of the EU Cybersecurity Act, held a conference on the governance of Web 4.0 and Virtual Worlds, and opened consultations on the International Digital Strategy, AI initiatives and EUID specifications. The European Parliament’s committees presented draft reports on insolvency, product safety and regulatory compliance in e-commerce, and on public procurement. ENISA launched the EU Vulnerability Database. The Polish presidency published a note on disinformation and threats in cyberspace to young people.
Cybersecurity
European Commission started the review of the EU Cybersecurity Act
On 11 April, the European Commission started the revision process of the EU Cybersecurity Act (CSA). The CSA, which was adopted in 2019, established a permanent mandate for ENISA and a European cybersecurity certification framework (ECCF) for ICT products, services and processes. The revision process aims to reflect the evolving cybersecurity landscape by adapting ENISA’s mandate, to “address the increasing cybersecurity challenges in a volatile geopolitical landscape and to better support EU cybersecurity stakeholders”. Furthermore, the revision should improve the ECCF, namely the effectiveness, clarity and allocation of roles and responsibilities in the adoption process and the maintenance phase of certification schemes. Finally, the Commission wants to use the CSA revision as an opportunity to simplify cybersecurity-relevant requirements across horizontal and sector-specific acts to facilitate effective implementation, reduce administrative burden and ensure a “business-friendly” environment. While maintaining the status quo is a possible result of the review process, the Commission expects a legislative initiative in the form of a regulation as a likely outcome. The Commission should present the chosen initiative in Q4 2025.
ENISA published the European Union Vulnerability Database
In April, ENISA unveiled the European Union Vulnerability Database, which it was tasked with developing under the NIS 2 directive. The publicly available database enables companies, suppliers of network and information systems as well as competent authorities to voluntarily disclose and register publicly known vulnerabilities to allow their users to take appropriate mitigation measures. The database aims to serve as a trusted source for enhanced situational awareness by aggregating and referencing vulnerability information from existing databases, such as MITRE’s Common Vulnerabilities and Exposures database, GitHub’s Advisory Database, JVN iPedia or GSD-Database. The database also references additional information such as alerts issued by national CSIRTs or mitigation and patching guidelines published by vendors.
Internet Governance
European Commission held a conference on the governance of Web 4.0 and Virtual Worlds
On 31 March and 1 April, the European Commission held a Global Multistakeholder High-level Conference on Governance of Web 4.0 and Virtual Worlds. The conference took place in the context of the European Commission’s work on Web 4.0 and Virtual Worlds, which started with a strategy. The conference intended to open discussion on topics related to the policy and technical aspects of Web 4.0 and Virtual Worlds, also in the context of the WSIS+20 Review. The result of the conference is an outcome document outlining six policy and technical principles and recommendations on the values, governance and on operational and technological features of Web 4.0 and Virtual Worlds. The outline document notes that the “maintenance of an open, distributed and interoperable global internet that upholds human rights, rather than allowing it to fragment into disconnected ‘splinternets’” is the essential issue. The evolution to Web 4.0 and Virtual Worlds depends on global internet infrastructure. Among the policy principles are the “inclusive and collaborative multistakeholder approach, building on established governance mechanisms”, prioritisation of privacy and data protection, and “ensuring a predictable and transparent regulatory environment, interoperability and counterbalancing monopolistic practices to foster innovation”. Technical principles include support for “open, global and distributed internet […] as well as interoperability across diverse infrastructures” and for the development of standards in “legitimate multistakeholder organisations”.
European Commission opened a consultation on the International Digital Strategy
On 7 May, the European Commission opened a public consultation on the International Digital Strategy. The strategy comes in the context of attempts to improve EU competitiveness within the global tech race. It will outline how the EU should become a stronger digital player on the world stage, pursuing its strategic interests in the field of technology and digital transformation and supporting a secure and human-centric digital transformation of partner countries. The consultation notes that mastering digital technologies not only improves competitiveness and efficiency but can also strengthen national defence and security. International tech cooperation and trade with key partners and allies, coupled with diversification and risk mitigation policies, are therefore needed to support the EU tech and digital agenda. The strategy aims to leverage digital cooperation with partner countries; present concrete action on international cooperation in emerging technologies, cybersecurity and Internet Governance; and lead to better coordination of the EU position across multilateral fora. The public consultation will close on 21 May.
Data protection
European Parliament Committee presented insolvency proposal draft report
On 9 April, the European Parliament Committee on Legal Affairs (JURI) published a draft report on the insolvency directive (see our previous reporting here and here). The Insolvency proposal intends to establish a more uniform insolvency framework across EU Member States to ensure legal clarity and better protection for business, creditors and other stakeholders in cross-border insolvency proceedings. Similarly to the Council of the EU version of the text, the JURI report amends provisions on the access by insolvency practitioners to national asset registers by removing the reference to “registers of internet domains” from the Annex. This change would effectively remove domain name registries from the scope of cross-border access procedures in insolvency proceedings. The draft report also amends provisions on the termination of executory contracts, which would, unlike in the original Commission proposal, enable the court to ask for the consent of the debtor’s counterparty before assigning the executory contracts to the acquirer. Finally, the draft report deletes Title VI of the proposal in its entirety, removing provisions on the winding-up procedures of insolvent microenterprises. Several JURI members filed amendments to the proposal, among them amendments that would see the deletion of the provisions on the assignment or termination of executory contracts. In addition, several JURI members have individually proposed to delete Title VI of the proposal (you may find the amendments here). The next step is a consideration of amendments to the proposal on 13 May in the JURI committee and a subsequent committee vote on the draft report and the amendments at the end of June.
Artificial Intelligence
European Commission opened consultations on two AI initiatives
On 9 April, the European Commission opened two consultations, on the Cloud and AI Development Act and the Apply AI Strategy. The Cloud and AI Development Act is one of the headline digital policies outlined in the 2025 Competitiveness Compass and listed in the Mission letter to the Executive Vice-President Henna Virkkunen, together with an EU-wide cloud policy for public administrations and public procurement (see our previous coverage here). The initiative aims to advance research and innovation in resource-efficient data processing, infrastructures, software and services; triple the EU’s data centre capacity within the next 5-7 years; and ensure that there is a highly secure EU-based cloud capacity for highly critical use cases with particularly high security needs as found in various economic sectors and the public sector. The set of potential outcomes of this initiative ranges from non-legislative guidelines to a comprehensive regulatory approach which would include creating a distinct independent agency. The indicative timeline is Q4 2025 – Q1 2026 for the publication of the (non)legislative initiative. The second released document, the Apply AI Strategy, should serve as a blueprint for the adoption of AI in EU strategic sectors. According to the document, the EU is facing several challenges, namely the fact that most AI development takes place in non-EU countries, EU dependence on foreign technology, the lack of AI adoption among SMEs, and the lack of private investment in AI. The Strategy intends to help integrate AI technologies in the EU’s leading strategic industrial sectors, help EU companies to become global AI frontrunners and help integrate AI solutions in the public sector to improve the quality of services provided to the public. The Strategy should identify policy actions and concrete milestones to be achieved in the coming three to five years. AI adoption should be promoted by funding programmes, data spaces, and testing and experimentation facilities, among others.
The indicative timeline for the publication of the strategy is Q3 2025.
Online content
Polish presidency published a note on disinformation and threats in cyberspace to young people
On 24 April, the Polish presidency of the Council of the EU published a steering note to other Council of the EU delegations on disinformation, manipulation and threats in cyberspace and their impact on the lives of young people. The document notes that disinformation, as the deliberate spread of false or misleading content, has become a pervasive issue in which online platforms serve as major amplifiers. Issues such as algorithmic targeting, echo chambers and misuse of generative AI further exacerbate the issue as young people are subsequently less exposed to diverse perspectives. In addition to disinformation, young people are also facing risks from cyberbullying, hate speech and online radicalisation. These issues are facilitated by the anonymity the internet provides. The document notes that the EU’s commitment to inclusion and equality must extend to digital literacy initiatives and for this reason coordinated action at both EU Member State and EU level is necessary. Initiatives such as the Digital Education Action Plan, the upcoming 2030 Roadmap on the future of digital education and skills, EU Preparedness Union Strategy, European Democracy Shield and the upcoming EU Action Plan against cyberbullying are highlighted as crucial to address these challenges (see our previous coverage here and here).
Consumer protection
European Parliament published a draft report on product safety and regulatory compliance in e-commerce
In March, the European Parliament Internal Market and Consumer Protection (IMCO) Committee released a non-legislative own-initiative draft report on Product safety and regulatory compliance in e-commerce and non-EU imports. The draft report takes stock of the increased imports of non-compliant goods from third countries ordered through e-commerce service providers. The high volume of orders makes it difficult for market surveillance, customs and consumer protection authorities to take effective measures against the non-compliant products. Among other actions, the draft report suggests strengthening EU consumer law enforcement, including enforcement power over non-EU traders and platforms, better coordination of EU and national actions and the exchange of information among authorities, in the context of the review of the Consumer Protection Cooperation Regulation. The Commission should also “strongly enforce the DSA” with regard to the responsibility of online marketplaces and the “know your business customer” obligation. The members of the IMCO Committee proposed several amendments, among them an amendment that calls for the broadening of the “know your business customer” obligation under the DSA to all intermediary service providers, including “domain name registrars” (you may find the amendments here). The Committee will consider compromise amendments on 19-20 May, which will be followed by a vote at the end of June.
Public procurement
European Parliament published a draft report on public procurement
In April, the European Parliament IMCO Committee released a draft report on public procurement. The draft report is a non-legislative own-initiative procedure of the European Parliament that comes in expectation of the upcoming review of the already applicable public procurement directives, which is due in Q3 2025. The draft report notes that procurement represents a fundamental mechanism for economic growth and innovation, which is, however, inefficient due to the administrative complexity and different national implementations. The current framework also poses challenges to the effective participation of SMEs. IMCO committee members have already filed a large number of amendments to the draft report, some of which highlight the importance of using public procurement to support EU technological sovereignty and supply chain security, also by procuring ICT systems and services under exclusive European jurisdiction (you may find the amendments here, here and here). The amendments will be discussed on 20 May during a discussion on compromise amendments and subsequently voted on in the IMCO committee on 25-26 June.
eID
European Commission opened a range of EUID-related public consultations
On 15 April, the European Commission opened a number of public consultations on draft implementing acts under the EUID Regulation. The consultations cover the following issues:
- qualified certificates for electronic signatures and electronic seals;
- qualified preservation services for qualified electronic signatures and electronic seals;
- notification of information on certified qualified electronic signature and seal creation devices;
- procedures for peer reviews of electronic identification schemes and for cooperation on the organisation of such reviews within the EUID Cooperation Group;
- format and procedures for notification of intention and verification with regard to the initiation of qualified trust providers;
- format and procedures for annual reports by supervisory bodies;
- reference standards for processes for sending and receiving data in qualified electronic registered delivery services;
- binding of date and time to data and establishing the accuracy of the time sources for the provision of qualified electronic time stamps;
- qualified validation services for qualified electronic signatures and seals;
- validation of qualified electronic signatures and seals, and the validation of advanced electronic signatures and seals based on qualified certificates;
- management of remote qualified electronic signature and seal creation devices as qualified trust services;
- reference standards for the verification of the identity and attributes of the person to whom the qualified certificate or electronic attestation of attributes is to be issued.
The consultations are open until 13 May.