European Union

What to Watch in 2026: Key Developments in EMEA Consumer Protection

By Jane Pinho, Dan Cooper, Cándido García Molyneux, Anna Sophia Oberschelp de Meneses, Seán Finan & Faisal Hijjawi on February 4, 2026

Posted in Consumer, European Union, Middle East, United Kingdom

Consumer protection law across EMEA continues to evolve rapidly in response to digitalization, emerging technologies (particularly AI) and the continued expansion of online commerce. As we move into 2026, regulators are preparing significant reforms that will reshape business obligations and strengthen consumer‑protection enforcement. Below is an overview of the most important developments to watch this year.Continue Reading What to Watch in 2026: Key Developments in EMEA Consumer Protection

European Data Protection Authorities Issue Joint Opinion on the Digital Omnibus on AI

By Dan Cooper & Alix Bertrand on January 29, 2026

Posted in Artificial Intelligence (AI), European Union, Policy and Legislation, Privacy

On January 20, 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) (together, the “Authorities”) adopted Joint Opinion 1/2026 on the European Commission’s proposal to amend the EU AI Act (hereafter the “Proposal”, summarized in our previous blog). Overall, the Authorities acknowledge the complexity of the AI Act and agree that targeted simplifications can support legal certainty and efficient administration. However, they warn that simplification should not result in lowering the protection of fundamental rights, including data protection rights. This blog outlines some of the Authorities’ main recommendations as expressed in their Joint Opinion.Continue Reading European Data Protection Authorities Issue Joint Opinion on the Digital Omnibus on AI

European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms

By Mark Young, Dan Cooper, Paul Maynard, David Brazil & Anna Sophia Oberschelp de Meneses on January 23, 2026

Posted in European Union, Telecommunications

On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the Commission’s parallel proposal to amend Directive (EU) 2022/2555 (NIS2). We cover that proposal in a separate blog post.

CSA2 covers two main areas that will be relevant to private companies. First, it would introduce the EU’s first horizontal framework for ICT supply chain security—this is an entirely new addition that is not contained in the Cybersecurity Act, and could have significant implications for organizations in sectors that procure components from providers located in high-risk jurisdictions (e.g., telecoms). Second, it would update and expand the existing framework for cybersecurity certifications (the European Cybersecurity Certification Framework, or ECCF). In addition, it would significantly expand the role of the EU cybersecurity agency, ENISA.

Below, we summarize the main elements of the proposal.Continue Reading European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms

European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2

By Mark Young, Dan Cooper, Paul Maynard, Anna Sophia Oberschelp de Meneses & David Brazil on January 23, 2026

Posted in Cybersecurity, European Union

On 20 January 2026, the European Commission published a proposal to amend the Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.

The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.

With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.

Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.Continue Reading European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2

Seven Major Changes in the European Commission’s Proposal for an EU Digital Networks Act

By Paul Maynard on January 23, 2026

Posted in Electronic Communications Networks and Services, European Union, Telecommunications

On 21 January 2026, the European Commission (“Commission”) unveiled its landmark proposal for the Digital Networks Act (“DNA Proposal”), an ambitious attempt to overhaul the framework for the regulation and development of electronic communications networks and services across the EU. The Commission’s stated aim with the DNA Proposal is to establish a “modern and simplified legal framework that incentivises the transition from legacy networks to fibre, high quality 5G and 6G networks, and cloud-based infrastructures, as well as increased scale through service provision and cross-border operation.” To do this, the DNA Proposal would replace and consolidate several existing EU laws, including the European Electronic Communications Code (“EECC”), the BEREC Regulation, and parts of the Open Internet Regulation and e-Privacy Directive.

A key theme of the proposal is harmonization of rules—arising first and foremost from the fact that this is a directly-applicable Regulation rather than a Directive like the current European Electronic Communications Code. Several of the substantive provisions in the DNA Proposal may take a significant amount of influence over the communications networks and services away from Member State governments and up to EU level. In turn, the Commission clearly hopes to promote larger-scale communications network and service providers that can operate across the EU, and that have the funds to invest in modern communications infrastructure. The DNA Proposal could, therefore, have a substantial and long-lasting impact on the connectivity and communications markets in the EU, although we anticipate significant debate about many of the provisions of the DNA Proposal throughout the legislative process.

Below, we summarize seven of the most eye-catching changes to the regulatory framework for communications providers in the DNA Proposal.Continue Reading Seven Major Changes in the European Commission’s Proposal for an EU Digital Networks Act

Germany Transposes NIS 2 Directive – Increased Cybersecurity Requirements for Businesses

By Moritz Hüsch, Lars Lensdorf & Clemens Jaaks on January 12, 2026

Posted in Cybersecurity, European Union, Germany

On 5 December 2025, the Act Transposing the NIS 2 Directive and Regulating Key Aspects of Information Security Management in the Federal Administration (Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung (“NIS2UmsG”) (see here, in German only) became binding in Germany. According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (“BSI”) (see here, in German only), roughly 29,500 companies will have to comply with the increased cybersecurity requirements adopted by the NIS2UmsG.Continue Reading Germany Transposes NIS 2 Directive – Increased Cybersecurity Requirements for Businesses