EU Law and Regulatory

(“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators. Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation.

AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property.

Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here.Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required

On 4 March 2026, the European Commission (the “Commission”) published its proposal for a regulation establishing a framework for the acceleration of its industrial capacity and decarbonisation in strategic sectors (“Proposed Industrial Accelerator Act”, or “Proposed IAA”), accompanied by four annexes. The initiative is intended to strengthen the EU’s industrial base while accelerating decarbonisation in key manufacturing sectors considered strategically important (i.e., energy-intensive industries, net-zero technology manufacturing, and the automotive manufacturing ecosystem). These sectors currently represent less than 15% of EU GDP, and the Commission’s objective is to increase this share to 20% by 2035. The Proposed IAA was delayed three times before publication and underwent significant rewriting, which reflects both internal debates within the Commission and diverging reactions from Member States.  It also reflects the challenges posed by the broader geopolitical context, as the Commission aims to address economic security concerns through industrial policies whilst navigating international trade relationships and commitments.

The Proposed IAA introduces a regulatory framework combining three policy tools. First, it establishes demand-side measures designed to create “lead markets” for low-carbon and “Made in EU” industrial products through public procurement and certain public support schemes. Second, it introduces conditions for allowing certain foreign direct and indirect investments (“FDI”) in strategic sectors, aimed at maximising the industrial benefits of such investments within the EU. Third, it includes measures to streamline permitting procedures and facilitate industrial clustering, with the objective of accelerating the deployment of manufacturing projects.

This blog summarises the key aspects of each tool and their potential implications for companies active in the covered industries or looking to invest in the covered industries.Continue Reading European Commission Publishes the Proposed Industrial Accelerator Act

On February 26, 2026, the European Union published Directive (EU) 2026/470 on the simplification of the Corporate Sustainability Due Diligence Directive (“CSDDD”) and the Corporate Sustainability Reporting Directive (“CSRD”) in its Official Journal, clearing the final step in the Omnibus I legislative process.

This blog post: (i) summarizes the substance

Continue Reading EU CSDDD/CSRD Omnibus Published in Official Journal: Transposition, Delegated Acts, and Guidelines Are Next

On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.

The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.

Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws

On 15 January 2026, the Belgian High Court delivered a judgment in proceedings initiated by the Belgian Supervisory Authority, in which it challenged the scope of judicial review exercised by the Market Court over its enforcement decisions. The authority was unsuccessful on both grounds of appeal.Continue Reading Belgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions

Germany has kicked off a new Pharma and MedTech Dialogue that aims to develop new policies and regulatory reform proposals to re‑establish Germany as a competitive, innovation‑friendly location for life sciences R&D and manufacturing. The outcome of this dialogue shall be the basis for a new German Pharma and MedTech Strategy.Continue Reading German Government launches new Pharma & MedTech Dialogue – Broad agenda, big hopes but unclear prospects

On 16 December 2025, the European Commission presented the Automotive Package (the “Package”), a set of interlinked legislative and policy initiatives aimed at supporting the European automotive sector’s transition to clean mobility. The Package has four core components: (i) a proposal to revise the CO₂ emission performance standards for cars and vans, (ii) the so-called “Battery Booster Strategy”, (iii) a proposal on greening corporate vehicle fleets, and (iv) a proposal for an “Automotive Omnibus” regulation that would amend several pieces of automotive legislation to simplify regulations for vehicle manufacturers. Together, these initiatives signal a material recalibration of the EU’s approach to vehicle decarbonization.Continue Reading The EU Automotive Package: Increased Compliance Flexibility, but Growing “Made in the EU” Conditionality

On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.

The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.Continue Reading French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm

On December 18, 2025, the UK Government passed the Employment Rights Bill, which will now be referred to as the Employment Rights Act 2025 (the “Act“). This represents the “biggest upgrade in employment rights for a generation” and introduces a wide-ranging suite of reforms to be

Continue Reading UK Employment Rights Act Finally Becomes Law