EU Policy Update - Summer 2025

EU Policy Updates 03-09-2025

In a nutshell: The European Commission presented a proposal for the EU budget, launched calls for evidence on the 28th regime, for revising Europol’s mandate, and the Digital Fairness Act. It also published a roadmap on FOSS. Eight Member States have yet to transpose the NIS 2 Directive into their national legal frameworks. The NIS Cooperation Group has launched a public consultation on post-quantum cryptography and published its annual report about NIS incidents in 2024. The ENISA Advisory Group published an opinion paper on the NIS 2 implementation. The Dutch government published a non-paper on the Cyber Security Act. The EDPB and the EDPS published a joint opinion on the proposal for GDPR simplification. The EDPS closed its investigation into the European Commission’s use of Microsoft 365.

The European Commission unveiled the proposal for the EU budget 2028-2034

On 16 July, the European Commission presented its proposal for the Multiannual Financial Framework (MFF) for the period 2028-2034. The EU budget will total 2 trillion EUR and is divided into four main categories: 1) resources for national and regional partnership plans; 2) the European Competitiveness Fund (ECF); 3) support for education and civic space through Erasmus+ and AgoraEU, and 4) funding for international partnerships through Global Europe. The ECF will total 409 billion EUR and represent 21% of the EU overall budget. The ECF will support EU efforts in digital leadership with 54.8 billion EUR, and focus on resilience, security, defence and space with 131 billion EUR. Funding for digital leadership aims to enhance the competitiveness and innovation of the EU digital sector, particularly within AI technologies and achieving technological sovereignty by building resilient digital ecosystems. Furthermore, the fund will also support the deployment and uptake of the EU Digital Identity Wallets and reinforce interoperability across the EU. The ECF will also introduce an “EU preference” conditionality for funding allocation. The upcoming work programme and investment guidelines may set out eligibility conditions in order to protect EU economic interests and autonomy. The final form of the MFF proposal may change during negotiations between the European Parliament and the Council of the EU.

Data protection

The EDPB and EDPS published a joint opinion on the proposal of GDPR simplification

On 9 July, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the Proposal for a Regulation on simplification measures for SMEs and ‘small mid-cap enterprises’ (SMCs), in particular the record-keeping obligation under Article 30(5) GDPR. The proposal would modify Article 30(5) GDPR by providing that the record-keeping obligation would not apply to companies and organisations employing fewer than 750 persons, unless the processing they carry out is likely to result in a “high risk to data subjects’ rights and freedoms”. The EDPB and the EDPS support the objective of the proposal to reduce the administrative burden for SMEs and SMCs. However, the EDPB and the EDPS note that the proposal does not include an assessment of the consequences of the proposed changes to the GDPR on fundamental rights. The EDPB and the EDPS propose that the co-legislators clarify that a record of processing would only be mandatory for those processing activities ‘likely to result in a high risk’. Furthermore, the EDPB and the EDPS would welcome further clarification on why the new threshold of companies and organisations employing fewer than 750 persons would be appropriate under the GDPR. In addition, they recommend that the co-legislators clarify that the term ‘organisation’ falling within the proposed derogation under Article 30(5) GDPR does not include public authorities.

The EDPS closed its investigation into the European Commission’s use of Microsoft 365

On 28 July, the EDPS concluded its enforcement proceeding against the European Commission after the latter demonstrated the necessary level of compliance with data protection rules in its use of Microsoft 365. The EDPS initiated an investigation in March 2024, after finding that the European Commission had infringed data transfer rules (see our previous coverage here). In response to the EDPS’s concerns, the European Commission specified that Microsoft and its sub-processors may only process data based on documented instructions from the European Commission and for specified purposes in the public interest. Furthermore, this processing can only take place in the European Economic Area (EEA) or in third countries that ensure an equivalent level of protection. Transfers of personal data outside the EEA are limited to countries listed in the amended Microsoft contract, relying either on adequacy decisions or on the “derogation for important reasons of public interest”. Finally, an additional contractual provision ensures that the European Commission is notified about personal data disclosure requests originating from non-EU countries.

Cybersecurity

Eight Member States have yet to transpose the NIS 2 Directive into their national legal frameworks

According to the latest data from the European Commission and reports by Euractiv, Bulgaria, France, Ireland, Luxembourg, the Netherlands, Portugal, Spain, and Sweden have not yet adopted their national cybersecurity rules per the NIS 2 Directive. The deadline for transposing the NIS 2 Directive into national legislation expired on 17 October 2024. In May 2025, the European Commission asked nineteen Member States to issue a reasoned opinion within two months for failing to notify the full transposition of the NIS 2 Directive. Eleven Member States have since finalised their national transposition, but the remaining eight face potential further action by the Commission, including referral to the CJEU.

The NIS Cooperation Group launched a public consultation on post-quantum cryptography

On 11 August, the NIS Cooperation Group launched a survey asking for feedback on the EU roadmap on Post-Quantum Cryptography. The roadmap was published on 23 June and includes a timeline for starting to use post-quantum cryptography (PQC). PQC is particularly relevant in the context of compliance with the NIS 2 Directive, as all essential entities are required to implement cybersecurity risk management measures, including the use of state-of-the-art cryptography. The roadmap recommends performing a quantum risk analysis to help prioritise the transition process to PQC. In the future, the quantum risk should be integrated into regular risk management. The roadmap also suggests certain “no-regret” moves for EU Member States to initiate the creation of national PQC roadmaps. These include but are not limited to: 1) identifying and engaging with national stakeholders, such as CISOs and CTOs from critical entities; 2) supporting the mature management of cryptographic assets by critical and essential entities; 3) encouraging entities to create dependency maps for applications, products, platforms, and operations; 4) encouraging essential entities to perform quantum risk analysis; 5) raising national awareness of PQC as a matter of priority. The public consultation on the roadmap is open until 29 September.

The NIS Cooperation Group published its annual report on NIS incidents for 2024

In August, the NIS Cooperation Group (NIS CG) published the annual report for NIS Directive incidents in 2024. According to the report, the number of reported cybersecurity incidents has increased by 18% compared to the previous year. The majority of reported incidents in 2024 targeted the health, energy and transport sectors, accounting for 50% of the total number of reports. In the digital infrastructure sector, a total of 162 incidents were reported, mainly relating to system failures and malicious actions. The underlying technical causes of these incidents were primarily DDoS attacks and software bugs. According to the report, the most affected technical assets within the digital infrastructure sector were websites and servers/domain controllers. The 2024 report marks the final year of cybersecurity incident reporting under the NIS Directive. From 2025 onwards, the NIS 2 Directive reporting will apply, under which Member States will submit a summary of incidents on a quarterly basis, and ENISA will prepare reports for the CSIRT network and the NIS CG every six months.

ENISA Advisory Group published an opinion paper on the NIS 2 implementation

In June, the outgoing ENISA Advisory Group (AG) published an opinion paper containing 17 recommendations for the successful implementation of the NIS 2 Directive. The paper highlights the inconsistent implementation of the NIS 2 Directive across EU Member States due to overlap in the scope of sector-specific regulations. This overlap leads to duplication and conflicting requirements. For example, DORA, NIS 2 and GDPR establish three different breach notification regimes. The AG proposes simplifying and aligning cyber incident reporting by creating a single template for affected entities. According to the AG, ENISA should also share its analysis of reported incidents with different horizontal and sectoral stakeholders, and facilitate the exchange of good practices between different sectoral authorities. To better harmonise the implementation of the NIS 2 across EU Member States, the Directive should be reviewed with a view to it becoming a Regulation. As the term of the AG ends in August 2025, ENISA has selected a new Advisory Group to serve until January 2028. AG members represent various stakeholders from the ICT industry, SMEs, academia and “operators of essential services”.

The Dutch government published a non-paper on the Cyber Security Act

On 1 July, the Dutch government published a non-paper on the review of the Cyber Security Act (CSA). The document outlines three priority areas for the Dutch government in the context of revising the CSA: 1) ENISA’s mandate; 2) the European Cybersecurity Certification Framework (ECCF); and 3) simplification of regulatory burden. Firstly, the Dutch government wishes for ENISA to remain a future-proof institution. The document recognises ENISA as an enabler and promoter of the effective implementation of EU cybersecurity legislation. Secondly, it notes that the ECCF should remain voluntary, as mandatory certification would lead to increased administrative costs, overlapping audits, and a reduced focus on actual security improvements. Furthermore, the cybersecurity certification schemes should not be used to address concerns about the sovereignty, integrity or trustworthiness of certain supply chain actors. Instead, the upcoming Data Union Strategy and the EU Cloud and Development Act are considered more appropriate for addressing broader data governance and resilience issues. Another alternative is to develop a separate “Evaluation Mechanism based on Trustworthiness”, focusing on evaluating the supply chain risks of non-European providers and vendors in terms of their geopolitical, legal and operational trustworthiness. This mechanism could operate in parallel to CSA certification schemes, could incorporate security and legislative criteria, including rules on extraterritorial legislation and data transfers, and could be incorporated into the CSA’s broader legislative framework. Finally, the non-paper supports the Commission’s efforts to simplify reporting obligations in the digital sector by merging those under the NIS 2 and CER Directives.

e-Evidence

The European Commission launched a call for evidence for revising Europol’s mandate

In July, the European Commission ran a call for evidence on revising Europol’s mandate. The European Internal Security Strategy (see our previous reporting here) highlighted that Europol's resources were insufficient and that its current mandate was too narrow to cover new security threats, such as hybrid threats or information manipulation. Given the growing demand from national law enforcement agencies for Europol’s support, the revision should address the inadequate allocation and deployment of human, financial, and IT resources, as well as the technical and legal obstacles to the processing and sharing of operational data between Europol and Member States. Europol should further develop its role as the EU’s criminal information hub, covering all emerging forms of crime and threats, ensuring more effective operational support, fostering law enforcement cooperation at the EU level, and improving its technological expertise. A public consultation is planned for Q3-Q4 2025, with adoption of the Commission proposal expected for Q2 2026.

Competitiveness

The European Commission launched a call for evidence for new rules for innovative companies

On 8 July, the European Commission launched a call for evidence and a public consultation on the 28th regime, “a single harmonised set of rules for innovative companies throughout the EU”. This initiative is one of several proposed under the Competitiveness Compass (see our previous coverage here) to improve the competitiveness of the European economy. The initiative aims to support companies looking to expand and grow within the EU market by eliminating unnecessary complexity and costs related to company incorporation that arise from diverging national legal frameworks. It should harmonise the relevant aspects of corporate law, insolvency, labour and tax law across the EU. Applications for a “28th regime” company should be digital by default and build on upcoming initiatives, e.g., the EU Business Wallet. It would also determine the structure and core elements of 28th regime companies, such as who can create them and how, the minimum capital requirements, and whether they can have a distinct name and abbreviation. The call for evidence and the public consultation are open until 30 September, with the initiative due to be presented by the European Commission in Q1 2026.

The European Commission published a roadmap on open source and EU digital sovereignty and competitiveness

On 8 July, the European Commission published a roadmap on the use of Free and Open Source Software (FOSS) for the EU’s digital sovereignty and competitiveness, authored by the European Alliance for Industrial Data, Edge and Cloud. The roadmap focuses on achieving digital sovereignty in cloud, edge, and Internet of Things (IoT) technologies. The document recognises FOSS as a “key asset in driving European innovation, competitiveness, and independence from excessive control from non-EU technology providers”. It sets out an approach to strengthen the EU’s digital autonomy, economic resilience, and environmental sustainability by promoting FOSS technologies “developed in, and governed from, the EU”. The dominance of non-EU hyperscalers and technology providers is considered a “direct threat to Europe’s ability to control its digital destiny”. The roadmap presents a range of proposals, including support for FOSS and interoperable solutions based on open standards. It emphasises the strategic use of public procurement to prioritise “European Open Source”, with public procurement acting as a catalyst for digital sovereignty and interoperability. Additionally, the roadmap proposes setting up dedicated funding mechanisms to support the development and maintenance of FOSS projects in the cloud, edge and IoT.

Consumer protection

The European Commission launched a public consultation on the Digital Fairness Act

On 17 July, the European Commission launched a public consultation on the upcoming Digital Fairness Act (DFA). The consultation follows the fitness check of EU consumer law on digital fairness, which was carried out in 2024 (see our previous coverage here). The fitness check concluded that the existing consumer protection rules remain necessary to ensure the effective functioning of the digital single market. However, legal gaps remain in areas such as deceptive or manipulative interface design (dark patterns), addictive features, unfair personalisation practices and misleading marketing by online influencers. The DFA should address these gaps by laying down clear rules for businesses, tackling market fragmentation, obstacles to cross-border trade, and unfair competition, particularly from non-EU traders. The upcoming impact assessment will also consider how EU Digital Identity and European Business Wallets could facilitate the implementation of the DFA. The consultation is open until 9 October. The DFA is expected to be presented as a legislative measure in Q3 2026.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.