In a nutshell: The European Commission presented its 2026 work programme, the report on simplification, the Apply AI Strategy, a report on submarine cable security and the Cloud Sovereignty Framework, and, together with the EDPB, published joint guidelines on the DMA and the GDPR. In addition, the European Commission is consulting on the upcoming EU Quantum Act. The European Council shared conclusions on simplification and sovereign digital transition. EU digital ministers agreed on a declaration on online protection of minors. ENISA published the annual Threat Landscape report. ESMA and EBA published their 2026 work programmes.
The European Commission presented its 2026 work programme
On 21 October, the European Commission unveiled its annual work programme outlining the upcoming legislative and non-legislative initiatives in 2026. The European Commission will, amongst other things, focus on simplification of digital legislation, data protection and public procurement rules (see our previous coverage here). In 2026, the European Commission is planning to present the following legislative proposals relevant for the digital sector: the 28th regime for innovative companies (Q1), the Cloud and AI Development Act (Q1), the Public Procurement Act (Q2), a revised Europol mandate (Q2), an update of rules on standardisation (Q3) and the Digital Fairness Act (Q4). The Commission also called on the European Parliament and the Council of the EU to find an agreement on the Multiannual Financial Framework.
The European Council published conclusions on simplification and sovereign digital transition
On 23 October, the European Council adopted its conclusions on simplification and sovereign digital transformation. The Council expressed support for the upcoming Digital Omnibus package (see our previous reporting here). The Council calls for the European Commission to consider additional simplification efforts, including the withdrawal of proposals. Furthermore, the Council calls for the advancement of Europe’s digital transformation and reinforcement of its sovereignty, which requires international partnerships and close collaboration with “international organisations on digital innovation and governance”. The Council also highlights that the EU’s “regulatory autonomy” should underpin EU action in the digital sphere. The EU must protect its “digital infrastructure and technological base”, avoid over-reliance on external suppliers and develop European technological capabilities, according to the Council.
Data protection
The European Commission presented a report on simplification
On 21 October, the European Commission presented its report on simplification, implementation and enforcement, which is the first annual overview report summarising the main results of the Commission’s work to achieve “a simpler and faster Europe”. On digital policy, the Commission will propose the Digital Omnibus by the end of 2025 covering data policy under the Free Flow of Non-Personal Data Regulation, the Data Governance Act, and the Open Data Directive. It will also cover incident reporting requirements in cybersecurity and “other targeted aspects” related to the GDPR. According to the report, targeted amendments to the GDPR will “reflect on how to modernise the data protection framework and improve its governance and implementation”. According to the individual simplification reports from the relevant Commissioners dealing with data policy, Virkkunen stated that the “targeted amendments will restructure the data acquis to overcome practical obstacles for innovation and data availability”, and McGrath “reaffirmed the Commission’s commitment to high standards of data protection and to a balanced approach that both fosters innovation and protects fundamental rights.” On the same day, the European Parliament approved new GDPR procedural rules for cross-border cases (see our previous reporting here). The legislation still needs to be formally adopted by the Council of the EU.
The European Commission and the EDPB published joint guidelines on DMA and GDPR
On 9 October, the European Commission, together with the European Data Protection Board (EDPB), published joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. The guidelines, amongst other things, focus on the elements that gatekeepers should consider in order to comply with the requirements of valid consent under Article 5(2) DMA and the GDPR. The guidelines also focus on the right to portability under both pieces of legislation, including the authentication of end users and verification of the authorisation obtained by third parties, and transfers of personal data to third parties in non-EEA countries without an adequacy decision. The DMA also requires gatekeepers to offer interoperability to alternative service providers in relation to their number-independent interpersonal communication services. In this regard, gatekeepers should comply with data minimisation when making their services interoperable, and ensure that third-party service providers requesting interoperability do not endanger the integrity, security and privacy of their services.
The EDPS published comments on requirements for qualified trust service providers
On 21 October, the European Data Protection Supervisor (EDPS) published formal comments on the implementing act on requirements for qualified trust service providers. The draft implementing act specifies the requirements for notifications to the supervisory body, the risk management framework and the termination plan of the qualified trust service providers. Adherence to the reference standards and specifications listed in the implementing act is one of the ways of demonstrating compliance by the trust service provider with the European Digital Identity (EUID) Regulation. The EDPS welcomed the explicit acknowledgement of the applicability of the GDPR and the ePrivacy Directive to the personal data processing activities under the draft implementing act. The EDPS also appreciated that the draft implementing act acknowledges the potential future technological developments which could lead to its review. Finally, the EUID Regulation requires qualified trust service providers “to store data provided”, so that data is publicly available for retrieval only where the consent of the person has been obtained. The EDPS recommended adding to the draft implementing act a provision requiring the qualified trust service providers to document the procedure for managing such consent.
Artificial intelligence
The European Commission published the Apply AI Strategy
On 8 October, the European Commission published the Apply AI Strategy that focuses on “harnessing the transformative potential of AI”. It aims to boost the use of AI, particularly among SMEs, and to facilitate AI integration in strategic European industries, such as healthcare, robotics, manufacturing and mobility sectors, electronic communications and media, energy and climate, agriculture, as well as defence, security and space. The strategy encourages private and public sectors to adopt an “AI first policy” in order to foster the “development of European strategic presence at the various layers of the AI stacks”. The strategy encourages Member States through their national plans to invest in AI-powered cybersecurity and technologies, addressing threat and vulnerability detection, threat mitigation, incident recovery, data analysis and data sharing. The Commission also intends to promote the use of AI within the public sector. To that end, the European Commission plans to build an AI toolbox dedicated to public administrations, including the judiciary, “featuring a shared repository of practical, open-source and reusable tools and solutions to support AI interoperability”, and to revise the European Interoperability Framework, incorporating guidance on AI first policies within European public administrations. The Commission will also prioritise working on guidelines on the classification of AI systems as high-risk, and the AI Act’s interplay with other Union law, covering relevant sectoral legislation (e.g. transport, machinery, radio equipment).
Child protection
EU digital ministers agreed on a joint declaration on online protection of minors
On 10 October, EU digital ministers agreed on a joint ministerial declaration on the need for further EU measures to protect minors online: the Jutland Declaration. According to the declaration, “only through effective regulation, strong enforcement and shared responsibility” can there be a safer digital environment for minors. EU digital ministers commit to the enforcement of the DSA at the national level and to continuous close cooperation with the European Commission. EU digital ministers welcome the European Commission’s guidelines on the protection of minors online published in July 2025. Although these target platforms, the basic principles and several measures “could also serve as an inspiration for improving the safety of other services”, according to the declaration. The declaration suggests that there is a need for “effective and privacy-preserving age verification on social media and other relevant digital services that pose a significant risk to minors” that can be ensured by the use of the voluntary European Digital Identity Wallet that “can provide commonly available, interoperable, seamless and privacy-preserving ways to verify age”. The declaration also supports President von der Leyen’s initiative to convene an expert panel to provide advice by the end of this year on the best approach for Europe.
Cybersecurity
The European Commission published a report on submarine cable security
On 23 October, the European Commission published a report on the security and resilience of EU submarine cable infrastructures, detailing risk assessments and stress tests. The report was prepared by the Submarine Cable Infrastructures informal Expert Group. According to the report, it is critical for the EU’s economic security to reduce its dependency on non-EU entities. Investment by traditional telecoms operators in regional cable systems has declined, constrained by financial pressures, according to the report, whereas US hyperscalers are steadily expanding their footprint. One of the primary challenges affecting submarine cable infrastructures is Europe’s sovereignty over cloud solutions. Given the dominance of US hyperscalers, the EU needs to strike a balance between fostering its domestic cloud industry and ensuring collaboration with non-EU players to access the required essential technologies. Since IXPs, data centres and cloud regions are directly connected to submarine cable infrastructures, improving the interconnection between these infrastructures is also essential for building a resilient digital economy, according to the report. In terms of current threats to submarine cables, the majority of incidents relate to unintentional activity by non-state actors as well as natural events. However, submarine cables are also “obvious targets for grey zone warfare[...] and hybrid threats”. Member States are encouraged to make entities operating submarine cable infrastructure subject to regular stress testing, and explore systemic risks by also covering the supply chain dimension and interdependencies. Authorities responsible for conducting stress tests for submarine cable infrastructures may refer to the Handbook for Cyber Stress Tests, published by ENISA in May 2025.
ENISA published the annual Threat Landscape report for 2025
On 1 October, ENISA published the annual Threat Landscape report analysing cyber incidents between July 2024 and June 2025. The report notes that the main initial infection vector is phishing at 60% of cases, followed by the exploitation of existing vulnerabilities at 21% of cases. The primary attack surface was mobile threats (42%). Supply chain risks represented 11% of the threat distribution method. The report also notes that 79% of the assessed incidents were driven by ideology, exclusively carried out by hacktivists through DDoS attacks. The most targeted sectors were public administration (38%), transport (8%), digital infrastructure and services (5%) and finance (5%). In total, incidents within the essential entities represent 54% of the total number of recorded incidents. Within the digital infrastructure, the most impacted sub-sector was telecommunications (25%), followed by digital services providers (13%). The report also mentions the Doppelgänger campaign that has evolved into a “multi-layered operation”, reportedly deploying large networks of fake domains impersonating legitimate outlets. The report notes that the Doppelgänger campaign has shown resilience by “refining its techniques and adapting to takedowns by hosting providers and social media platforms by re-registering websites under different Top-Level Domains (TLDs), migrating to different hosting providers and using disposable social media accounts to amplify content”.
ESMA and EBA published work programmes for 2026
In October, the European Supervisory Authorities (ESAs), namely the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA), published their respective work programmes as well as a joint work programme for 2026. The ESAs, as the supervisory authorities for critical third-party providers (CTPPs) under the Digital Operational Resilience Regulation (DORA), are designating CTPPs until the end of 2025. For 2026, the ESAs intend to engage with CTPPs on their governance, strategy, and organisation, and outline individual annual oversight plans for each CTPP. These activities will be complemented by a strategic multiannual oversight plan. Additionally, EBA and ESMA plan to review the contracts and service level agreements between the CTPPs and EU financial entities, and carry out on-site inspections at select high-risk areas of CTPPs.
Public procurement
The European Commission published the Cloud Sovereignty Framework for cloud services procurement
On 10 October, the European Commission published the Cloud Sovereignty Framework in order to guide the procurement of cloud services for the European Commission. The framework will inform the public procurement tender for sovereign cloud services for use by the EU institutions over a 6-year period. It outlines a methodology for measuring the sovereignty of cloud services in terms of legal, jurisdictional, technological and supply chain objectives. Each sovereignty objective is assessed and awarded a corresponding “Sovereignty Effectiveness Assurance Level” (SEAL). The SEALs range from “No sovereignty” to “Full Digital Sovereignty”, the latter defined as “technology and operations under complete EU control, subject only to EU law, with no critical non-EU dependencies”. Alongside the SEAL assessment, the “Sovereignty Score” is used to sort the cloud services according to their respective sovereignty features. The score is a part of the award criteria. The Cloud Sovereignty Framework “is envisioned as a reference point for cloud providers and a catalyst for the growth of the EU cloud market, especially in the public sector”. In October, the European Commission also published an evaluation of the public procurement directives. The evaluation noted the uneven implementation of the directives across the EU. The next step will be for the European Commission to introduce the Public Procurement Act in Q2 2026. This should promote the strategic use of public procurement to boost EU competitiveness, resilience and economic security. It will most likely include a “made in Europe” preference for certain sectors, which have not yet been specified.
Quantum
The European Commission is consulting on the upcoming EU Quantum Act
On 29 October, the European Commission opened a call for evidence for the upcoming EU Quantum Act planned for Q2 2026. With the upcoming legislative proposal, the EU intends to deliver on its quantum ambition, with a focus on research and innovation, industrialisation, and the security and resilience of quantum supply chains. The EU has identified quantum as a critical technology, central to Europe’s innovation, competitiveness and economic security. It enables secure communications, advanced computing, precision sensing, and dual-use applications. Without coordinated EU-level monitoring and resilience measures, Europe will face strategic dependencies in technologies impacting its security. The risks include potential loss of intellectual property or talent and leakage of critical industrial know-how to foreign ecosystems undermining Europe’s future competitiveness. A common framework would: (i) reduce duplication between EU and national actions; (ii) strengthen supply-chain resilience; and (iii) ensure that Europe’s quantum research translates into long-term security for the EU. Through this consultation, the Commission would like to gather feedback that will inform the drafting of the future EU Quantum Act and collect evidence on the feasibility, acceptability and potential impacts of the proposed measures. The call for evidence is open until 26 November.