EU Law and Regulatory

On June 3, the European Commission published its Tech Sovereignty Package, a set of legislative and policy initiatives designed to address what the Commission characterizes as Europe’s technological dependencies on non-European suppliers. The Package marks a further step in the evolution of the EU’s technology policy, with initiatives spanning the full tech stack—from chips and infrastructure to software, cloud, and artificial intelligence. Through this “ecosystem” approach, the Commission seeks to reduce supply-side dependencies by strengthening domestic capabilities in Europe and stimulating demand in downstream sectors.

The Package comprises four components: two legislative proposals—(i) the Cloud and AI Development Act (CADA), and (ii) the Chips Act 2.0—as well as two non-legislative initiatives—(iii) the EU Open Source Strategy and (iv) a Strategic Roadmap for Digitalisation and AI in Energy.

Continue Reading EU Tech Sovereignty Package

On April 17, 2026, the Italian data protection authority (the “Garante”) published Provision No. 284 setting out guidelines on the use of “tracking pixels” in emails (the “Guidelines”). This publication closely follows the recommendation issued by the French data protection authority on the same topic, which is discussed in a separate blog post available here.

Tracking pixels are commonly used to measure email open rates and to enable marketing automation tools. Under Italian law, the use of tracking pixels generally requires the recipient’s prior consent, unless a specific exemption applies. In its Guidelines, the Garante provides practical examples to help organizations assess when consent is (and is not) required and clarifies the compliance obligations applicable to businesses relying on these technologies in email communications. This post summarizes the key takeaways.

Continue Reading Italian DPA Publishes Guidelines on Email Tracking Pixels

(“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators.

Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation.

AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property.

Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here.

Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required

On 4 March 2026, the European Commission (the “Commission”) published its proposal for a regulation establishing a framework for the acceleration of its industrial capacity and decarbonisation in strategic sectors (“Proposed Industrial Accelerator Act”, or “Proposed IAA”), accompanied by four annexes. The initiative is intended to strengthen the EU’s industrial base while accelerating decarbonisation in key manufacturing sectors considered strategically important (i.e., energy-intensive industries, net-zero technology manufacturing, and the automotive manufacturing ecosystem). These sectors currently represent less than 15% of EU GDP, and the Commission’s objective is to increase this share to 20% by 2035. The Proposed IAA was delayed three times before publication and underwent significant rewriting, which reflects both internal debates within the Commission and diverging reactions from Member States.  It also reflects the challenges posed by the broader geopolitical context, as the Commission aims to address economic security concerns through industrial policies whilst navigating international trade relationships and commitments.

The Proposed IAA introduces a regulatory framework combining three policy tools. First, it establishes demand-side measures designed to create “lead markets” for low-carbon and “Made in EU” industrial products through public procurement and certain public support schemes. Second, it introduces conditions for allowing certain foreign direct and indirect investments (“FDI”) in strategic sectors, aimed at maximising the industrial benefits of such investments within the EU. Third, it includes measures to streamline permitting procedures and facilitate industrial clustering, with the objective of accelerating the deployment of manufacturing projects.

This blog summarises the key aspects of each tool and their potential implications for companies active in the covered industries or looking to invest in the covered industries.

Continue Reading European Commission Publishes the Proposed Industrial Accelerator Act

On February 26, 2026, the European Union published Directive (EU) 2026/470 on the simplification of the Corporate Sustainability Due Diligence Directive (“CSDDD”) and the Corporate Sustainability Reporting Directive (“CSRD”) in its Official Journal, clearing the final step in the Omnibus I legislative process.

This blog post: (i) summarizes the substance

Continue Reading EU CSDDD/CSRD Omnibus Published in Official Journal: Transposition, Delegated Acts, and Guidelines Are Next

On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.

The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.

Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.

Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws

On 15 January 2026, the Belgian High Court delivered a judgment in proceedings initiated by the Belgian Supervisory Authority, in which it challenged the scope of judicial review exercised by the Market Court over its enforcement decisions. The authority was unsuccessful on both grounds of appeal.

Continue Reading Belgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions

Germany has kicked off a new Pharma and MedTech Dialogue that aims to develop new policies and regulatory reform proposals to re‑establish Germany as a competitive, innovation‑friendly location for life sciences R&D and manufacturing. The outcome of this dialogue shall be the basis for a new German Pharma and MedTech Strategy.

Continue Reading German Government launches new Pharma & MedTech Dialogue – Broad agenda, big hopes but unclear prospects

On 16 December 2025, the European Commission presented the Automotive Package (the “Package”), a set of interlinked legislative and policy initiatives aimed at supporting the European automotive sector’s transition to clean mobility. The Package has four core components: (i) a proposal to revise the CO₂ emission performance standards for cars and vans, (ii) the so-called “Battery Booster Strategy”, (iii) a proposal on greening corporate vehicle fleets, and (iv) a proposal for an “Automotive Omnibus” regulation that would amend several pieces of automotive legislation to simplify regulations for vehicle manufacturers. Together, these initiatives signal a material recalibration of the EU’s approach to vehicle decarbonization.

Continue Reading The EU Automotive Package: Increased Compliance Flexibility, but Growing “Made in the EU” Conditionality