In a nutshell: The European Commission published the review of the progress towards the Digital Decade targets, published a roadmap on access to data and opened a data retention consultation and a call for evidence on the Standardisation Regulation. The Danish Presidency of the Council of the EU outlined its priorities. The Council of the EU included a domain-level enforcement measure in the Payment Services Regulation and reached a general approach on the Insolvency Directive. The JURI Committee of the European Parliament adopted its version of the Insolvency Directive. ENISA published two NIS 2-related guidance documents and launched a call for experts on the Managed Security Services. Europol published a new Internet Organised Crime Threat Assessment 2025.
The European Commission published the State of the Digital Decade report
On 16 June, the European Commission published the State of the Digital Decade 2025, an annual report evaluating the progress of the EU’s progress in the Digital Decade targets for the year 2030. The report underlines the importance of digital transformation to make the EU competitive, resilient and enhance its technological sovereignty. The EU’s dependence on third countries for the import of critical goods and services, such as advanced microchips or cloud services, is seen as a strategic vulnerability. EU companies relying on US hyperscalers are exposed to the application of US laws. The upcoming Cloud and AI Development Act should support the EU's sovereign ambitions. The revision of the public procurement directive also offers an opportunity for the strategic use of public procurement. Furthermore, EU Digital Identity (EUDI) Wallets and European Business Wallets are one of the key enablers of the Digital Decade targets, according to the report. The European Business Wallet will build on the EUDI Framework and will aim to simplify business-to-business and business-to-government interactions. Further simplification of the digital landscape should arrive in Q4 2025 in the form of the Digital Package, an upcoming legislative proposal that should include the review of the Cybersecurity Act (CSA) and simplification of cybersecurity reporting obligations.
The Danish Presidency of the Council of the EU unveiled its programme
On 19 June, the Danish government published a programme, outlining Denmark’s priorities during its Presidency of the rotating seat of the Council of the EU. The programme underlines the need for the EU to increase its democratic resilience through initiatives like the European Democracy Shield and promoting digital literacy. The Presidency will also focus on access to data for effective law enforcement, including the obligation of providers to process data for law enforcement purposes. In relation to the internal market, the Presidency will prioritise the evaluation of the public procurement directives as well as the upcoming Consumer Agenda 2025-2030, which should strengthen consumer rights and enforcement. The Presidency wants to work on EU digital competitiveness and technological sovereignty by building “capabilities in key digital technologies” including AI, cloud and data. In addition, the presidency wants to start the preparatory work on the revision of the CSA. Besides strengthening ENISA’s mandate and improving the European cybersecurity certification framework, the CSA revision will offer a “potential focus on introducing further security obligations in relation to supply chain security”. The priorities also include improved coordination in response to cyber incidents and strengthened civilian and military cooperation in cyberspace. The Presidency will also work towards the thorough implementation of the NIS 2 Directive and will continue negotiations on the Insolvency Directive and Framework for Financial Data Access.
Data protection
The Council of the EU reached a general approach on the Insolvency proposal
On 12 June, the Council of the EU finalised its negotiations on the proposal for the Insolvency Directive (see our previous coverage here). The reference to “registers of internet domains” was deleted from the Annex, taking the ccTLD registries out of the scope of the article. Another relevant article is Article 27 on the “Assignment or termination of executory contracts”, which details the transfer of executory contracts from the debtor’s business to the acquirer. Article 27 does not require the consent of the debtor’s counterparty to assign the executory contracts necessary for the continuation of the business in the insolvency proceeding. However, Member States may further provide that the consent of the debtor’s counterparty is required depending on “the quality of the parties, or the interest of the business”, according to the Council’s position. Finally, the general approach removes Title VI on winding up insolvent microenterprises in its entirety, removing Article 50 on “Electronic auction systems for the sale of the assets of the debtor”. The next step is interinstitutional trilogue negotiation with the European Parliament and Commission.
JURI adopted its report on the Insolvency proposal
On 24 June, the Committee on Legal Affairs of the European Parliament (JURI) adopted its version of the Insolvency proposal. The document is similar to the Council of the EU version (see above). The reference to “registers of internet domains” is deleted from the Annex, taking registries out of the scope of Article 18. Article 27 is amended to enable Member States to provide conditions on which consent of the debtor’s counterparty is required, depending on the “type of contract, the legal status of the parties or the interest of the business”. Finally, the JURI Committee suggests deleting Title VI of the proposal, similarly to the Council’s position. The next step in the legislative process is a vote in the plenary sitting of the European Parliament, which is likely to take place in September. Afterwards, the European Parliament will enter the interinstitutional negotiations.
Cybersecurity
ENISA published more NIS 2 implementation guidance
On 26 June, ENISA published two documents – a guidance on NIS2 technical implementation, and a guidance on cybersecurity roles and skills for NIS2 essential and important entities. The first document relates to the NIS 2 Implementing Regulation on the technical and methodological requirements for cybersecurity risk-management measures for, among others, TLD name registries. It comes after a period of public consultation in winter 2024 (see our blogpost here). The document provides non-binding guidance to the 13 technical and methodological requirements listed in the Annex of the Regulation. Each requirement is mapped to requirements of European and international standards and frameworks (ISO, IEC, NIST, CEN/TS) and to the NIS 2 national frameworks, the latter of which is available on ENISA’s website. Each requirement is also followed by specific actionable guidance, examples of evidence and tips. The guidance is seen as a living document that should be jointly reviewed by ENISA, the European Commission and the NIS Cooperation Group on a regular basis to reflect the latest European and international standards and national cybersecurity management frameworks. The second document, on the cybersecurity roles and skills for NIS 2 essential and important entities, provides guidance on the different skills and roles for the cybersecurity professionals needed to help effectively meet the NIS 2 obligations within their organisations. The guidance is based on the European Cybersecurity Skills Framework (ECSF) and provides a detailed mapping of ECSF profiles to the obligations under NIS 2.
ENISA is looking for experts on Managed Security Services
On 25 June, ENISA launched a call for expression of interest for the EU Managed Security Services (EUMSS) Ad Hoc Working Group. The Working Group will support the preparation of the candidate EUMSS certification scheme. The scheme itself comes as a reaction to the growing importance of MSS. Organisations across all sectors and infrastructures outsource their cybersecurity functions to the MSS Providers, which in turn makes them a more interesting target for cyberattacks. The EUMSS certification scheme should provide a flexible model setting out service-oriented requirements for the MSS delivery. It should be composed of a horizontal layer, which would include minimum requirements for all MSS, and multiple vertical layers tailored to the different MSS types. The first vertical under the forthcoming MSS certification scheme will focus on the incident management lifecycle. The Ad Hoc Working Group will take applications from experts in the area of cybersecurity certification until 20 July.
E-evidence
The European Commission published a roadmap on access to data
On 24 June, the European Commission published a roadmap for effective and lawful access to data for law enforcement. The document comes as one of the deliverables under the ProtectEU European Internal Security Strategy, which was unveiled in April 2025 (see our previous coverage here). The roadmap focuses on six areas – data retention, lawful interception, digital forensics, decryption, standardisation and AI solutions for law enforcement. The chapter on data retention relates to the retention of non-content communication data critical for investigations and prosecutions. The non-content data includes, for example, subscriber information, location data, and information on the sender and receiver. Data retention rules for law enforcement purposes are not harmonised at the EU level since the invalidation of the EU Data Retention Directive in 2014. The European Commission is currently soliciting feedback in a public consultation for an impact assessment with a view to updating data retention rules. The consultation closes on 12 September.
Europol published Internet Organised Crime Threat Assessment 2025
On 12 June, Europol published the annual Internet Organised Crime Threat Assessment (IOCTA) 2025. The report examines the central role data plays in the cybercrime economy, as well as the different methods cybercriminals use to gain access to it. The report notes that users often willingly share data about themselves, which can then be used in targeted phishing attacks against them. On the other hand, the reliance of cybercriminals on end-to-end encrypted environments for their illicit activities makes lawful access to data challenging. The report notes that retention of metadata, such as subscriber information or IP logs, then becomes essential for the mapping of networks and the identification of suspects. The lack of harmonisation at the EU level results in short and inconsistent data retention periods, frequently leading to the deletion of the retained data before it could be used in cross-border investigations. The report therefore proposes to establish clear and harmonised EU standards for “targeted and/or expedited access to essential metadata”, targeting serious crimes and ensuring compliance with the principles of necessity and proportionality.
Financial regulation
The Council of the EU included domain-level enforcement in the Payment Services Regulation
On 18 June, the Council of the EU adopted the general approach on the Payment Services Regulation. Among others, the proposal intends to combat and mitigate payment fraud, enhance consumer protection, improve the functioning of open banking and strengthen the harmonisation and enforcement. The agreed-upon general approach amends Article 91 on competent authorities and their investigatory powers. The Council suggests including a supervisory and investigatory power for competent authorities to order domain registries or registrars to “delete a fully qualified domain name and to allow the competent authority concerned to register it” in order to prevent or stop an infringement of the Regulation. The affected entities include payment service providers, including credit institutions, technical service providers, which support the payment services infrastructure, and interpersonal communication services, such as messaging apps. Similar enforcement measures involving domain name deletion are also present in other financial legislation, such as the Markets in Crypto Assets or the Framework for Financial Data Access. The next step is the interinstitutional negotiations with the European Parliament, which has already agreed on its position in April 2024.
Standardisation
The European Commission opened a call for evidence on the Standardisation Regulation
On 23 June, the European Commission launched a call for evidence for the upcoming review of the Standardisation Regulation. The call for evidence comes in the context of the EU Competitiveness Compass (see our previous coverage here). The document identifies the lengthiness and complexity of the standardisation processes, as well as the difficulties in ensuring balanced stakeholder participation, as the key challenges. The objective of the initiative is to embolden the EU’s ability to be a global standard-setter, which is seen as crucial for the EU’s enduring competitiveness and technological sovereignty, and to accelerate and simplify the standard-development process. The call for evidence explores additional options for obtaining harmonised standards and specifications through public procurement and open-source implementation. The revision process will consider governance and oversight needs to ensure effective implementation. The call for evidence is open until 21 July. It will be followed by a public consultation, which is expected to open in the third quarter of 2025.
