
EU Policy Update – September 2025

EU Policy Updates 07-10-2025

In a nutshell: Commission President von der Leyen presented her State of the Union speech. The European Commission published the 2025 Strategic Foresight Report and guidelines under the CER Directive, and opened a call for evidence on the Digital Omnibus. The European Parliament adopted a resolution on the IGF, and a report on the revision of the public procurement framework. The CJEU dismissed a case against the EU-US data transfer framework, and clarified the scope of personal data in data transfers. The EDPB published guidelines on the interplay between the DSA and the GDPR. The EDPS adopted an opinion on the UN Cybercrime treaty.

The European Commission President von der Leyen delivered the 2025 State of the Union speech

On 10 September, the European Commission’s President Ursula von der Leyen delivered the 2025 State of the Union address to the European Parliament. This is an opportunity for the President to share her vision for the EU, take stock of achievements and announce major upcoming initiatives. Within the digital area, von der Leyen promised to “massively invest in digital and clean tech”, through the future Competitiveness Fund (see our previous reporting here) and a doubled Horizon Europe programme. In addition, von der Leyen reiterated the European Commission’s plans to propose the Digital Omnibus, a simplification agenda “to make business in Europe easier”. Von der Leyen also highlighted the need for a “European AI” that is essential for Europe’s tech sovereignty, as well as the introduction of “made in Europe” criteria in public procurement. The Commission will also look into introducing restrictions on children’s access to social media, based on the example of the social media ban for children under 16 introduced in Australia in 2024.

The European Commission published the 2025 Strategic Foresight Report

On 9 September, the European Commission published its 2025 Strategic Foresight Report. In its report, the Commission notes increasing geopolitical tensions, in which the EU must integrate security and strategic autonomy into its economic policies. Pursuing both competitiveness and strategic autonomy requires careful policy design, according to the European Commission. Excessive dependency on key digital services provided by non-EU entities “exposes the EU to risks, including data security vulnerabilities, service disruptions, espionage and economic coercion”, notes the Commission. The EU regulatory approach prevents unchecked access to personal data of Europeans. At the same time, the EU model might potentially hinder innovation and market entry. A key challenge in the EU’s globally competitive innovation “is the fragmentation of EU technology governance and related policies, between the EU and its Member States”. The report also notes “the effects of a new global oligarchy, with a few tech billionaires increasingly influencing politics”. Fast and uncontrolled technological development might only further complicate the challenge posed by disinformation, according to the European Commission. As a result, the report notes that particular attention should be given inter alia to “developing and putting into practice the EU-sourced strategic enablers, such as secure digital infrastructures[...]”. The EU should also strive to be the global standard-setter on AI, so that “AI’s disruptive power becomes a driver of prosperity, inclusiveness, safety, security, and democratic trust.” The EU also needs to “address policy fragmentation in technology governance”, according to the report.

The European Commission opened a call for evidence on Digital Omnibus

On 16 September, the European Commission published a call for evidence on “Digital Omnibus – Digital Package on simplification”. It complements ongoing reviews of the Data Union Strategy, the Cybersecurity Act and the upcoming Apply AI strategy. The call for evidence focuses on, inter alia, simplifying rules on cookies and other tracking technologies under the ePrivacy Directive. In relation to cybersecurity, the Digital Omnibus recognises the burden of incident reporting obligations arising from different EU legislation. The European Commission should, therefore, streamline reporting processes. With regard to the European Digital Identity Framework (EUDI), the Digital Omnibus should lead to reduced compliance costs and enhance legal clarity for relying parties and qualified trust service providers. In relation to the AI Act, the Commission should ensure a predictable and effective application with a focus on the needs of small mid-cap businesses. In addition, the European Commission will continue evaluating the “cumulative effect, the coherence and the opportunities” of the EU digital rules across the EU Single Market through the upcoming Digital Fitness Check.

Internet governance

The European Parliament adopted a resolution on renewing the mandate of the IGF

On 10 September, the European Parliament in plenary session adopted the resolution on governance of the internet – renewal of the mandate of the Internet Governance Forum. MEPs call for the internet to remain “open, free, global, interoperable, reliable, secure and governed for all by all”, and call on the UN General Assembly to “permanently renew the mandate of the IGF, and to strengthen its resources and the multistakeholder model of internet governance”. MEPs also consider that despite the IGF not adopting formal conclusions, “the EU’s responsibility is to support this process”. According to the resolution, the IGF offers a positive context for shaping the internet’s future on the basis of a multistakeholder approach. MEPs underline the importance of preserving an open and interoperable internet “as a global public resource” and condemn “any effort to fragment the internet or to replace multistakeholder governance with intergovernmental control”.

Cybersecurity

The European Commission published guidelines under the CER Directive

On 11 September, the European Commission published non-binding guidelines and a reporting template for the purposes of supporting compliance with the Directive on the resilience of critical entities (CER Directive). Specifically, the guidelines give effect to Article 5(5) regarding a template for the provision of certain information to the Commission, and to Article 6(6) regarding recommendations and guidelines to support Member States in identifying critical entities. According to the guidelines, entities that provide an essential service, are located on the territory of a Member State (i.e., their infrastructure is physically situated there) and whose incidents can have a significant disruptive effect on the provision of essential services may be considered critical entities under the CER Directive. Risks that are of a cross-sectoral or cross-border nature should be given particular weight in the process of identifying critical entities, according to the guidelines. Close cooperation with the supervisory authorities under the NIS 2 Directive, as well as consideration of relevant European and international standards in cybersecurity, are encouraged.

Data protection

The CJEU dismissed a case against the EU-US data transfer framework

On 3 September, the General Court of the Court of Justice of the EU (CJEU) dismissed an action for annulment of the EU-US framework for transfers of personal data. The General Court considers that under the current framework, the data of EU citizens are adequately protected in the United States. The current EU-US framework includes the US Data Protection Review Court (DPRC), which has the power to investigate complaints from EU individuals and can take binding remedial decisions. The DPRC was added to the latest EU-US framework as a way to comply with the EU’s data protection safeguards, the lack of which led to the annulment of the previous two EU-US frameworks, as a result of the CJEU rulings in Schrems I and II. The General Court dismissed the action, as the DPRC is seen as an independent institution. Furthermore, the DPRC oversees the activities of US intelligence agencies via ex-post judicial review. The ruling can be appealed at the Court of Justice of the CJEU.

The CJEU clarified the scope of personal data in the context of data transfers

On 4 September, the CJEU clarified the scope of personal data in the case of a transfer of pseudonymised data to third parties. The case revolved around the EU Single Resolution Board (SRB), which, in the process of adopting a decision regarding the resolution of a bank, received comments from the bank’s shareholders and creditors. The SRB then decided to transfer some of the pseudonymised comments to an external consultancy, without informing the data subjects. The affected shareholders and creditors subsequently submitted a complaint to the European Data Protection Supervisor (EDPS). The matter was referred to the CJEU. In its ruling, the CJEU found that a personal opinion or point of view shared in the form of the pseudonymised comments constitutes personal data, as the comments are an expression of a person’s thinking and are linked to that person. Whether pseudonymised data should be seen as personal data depends on the specific circumstances. The Court noted that it would depend on whether the third party is reasonably likely to re-identify the pseudonymised data. According to the CJEU, “data which are in themselves impersonal may become ‘personal’ in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified”. Finally, the CJEU found the SRB in breach of its transparency obligations. The controller must inform the data subjects about the sharing of personal data with third parties at the moment of data collection. This applies even if the data would later be pseudonymised, and when the third party processing the data would not be able to identify the individual data subjects.

The EDPB published guidelines on the interplay between the DSA and the GDPR

On 11 September, the European Data Protection Board (EDPB) published guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). Specifically, the guidelines focus on the provisions under the DSA that have implications for the processing of personal data by intermediary service providers. Amongst other things, the document also outlines how intermediary service providers may undertake voluntary own-initiative investigations under Article 7 of the DSA in compliance with the GDPR. Automated or non-automated own-initiative efforts to detect, identify, and address illegal content may rely on machine learning techniques that often require large amounts of data to train. Both in the training and deployment of such measures, providers need to demonstrate compliance with data protection principles, such as data minimisation and data protection by design and by default. Systematic monitoring of data subjects’ activities through automated methods may generate inaccurate results about a data subject’s involvement in abuse. As a result, providers must conduct processing for the purposes of Article 7 of the DSA lawfully, fairly and in a transparent manner towards data subjects. In case such processing is done to comply with a legal obligation under other EU and national legislation, service providers should determine the extent to which processing of personal data is necessary to comply with their existing legal obligations. The guidelines also note that, depending on the level of automation involved in the processing, the own-initiative activities may qualify as a prohibited practice under the GDPR.

Public procurement

The European Parliament adopted its priorities for the upcoming revision of the public procurement framework

On 9 September, the European Parliament adopted its own-initiative report on public procurement. The adopted text marks the final step of the non-legislative process that aims to share the European Parliament’s perspective on the review of EU public procurement rules expected by the end of 2025 (see our previous coverage here). The text calls for a targeted public procurement reform that would contribute to “resilient, secure and strategic supply chains”. It should be used as a strategic lever to bolster European industrial sovereignty and know-how. The contracting authorities should be allowed to give preference to bids that include a significant proportion of added value produced within the EU. The public procurement process should also be more accessible to SMEs and micro-enterprises. However, the report does not propose strict sovereignty criteria for bidders.

e-Evidence

The EDPS published an opinion on the adoption of the UN Cybercrime treaty

On 9 September, the EDPS published an opinion on the two proposals for the Council Decisions on the signing and conclusion of the United Nations Convention against Cybercrime (see our previous coverage here). The treaty establishes mutual legal assistance for access to e-evidence on serious crimes, punishable by at least 4 years of imprisonment under domestic laws. The e-evidence under the scope of the treaty includes electronic data, subscriber information, traffic and content data processed or collected by service providers. The EDPS welcomes the provisions that do not require State Parties to transfer personal data if it cannot be provided to the requesting party in compliance with data protection laws. The EDPS suggests that EU Member States should first assess whether the conditions of the EU Law Enforcement Directive, which lays down conditions for the transfer of personal data to third countries, are fulfilled. The EDPS further notes that EU Member States should refuse cooperation in cases where the data is sought in an investigation for a crime that does not exist in their legal system, or if Member States’ competent authorities would not be allowed to carry out such action in their own jurisdiction. The next step in the process of ratification is the adoption of the treaty by the Council of the EU and subsequent expression of consent by the European Parliament. Afterwards, individual EU Member States can start the process of signing and ratifying the treaty.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.
Published By Filip Lukáš
Filip is the Policy Advisor at CENTR, advising members on relevant EU policy and liaising with governments, institutions and other organisations in the internet ecosystem.