digital economy regulation

This edition features news about a joint roadmap by EU institutions for the agreement of key digital legislative initiatives; round-up of ENISA’s annual cybersecurity certification conference; a new Cullen International benchmark on sovereign cloud schemes across Europe. It also lists events taking place this week.

Final agreement on the Digital Networks Act (DNA) is foreseen for 4Q 2027. Agreement on the Cybersecurity Act 2 (CSA2) would be expected earlier, in 4Q 2026. The review of EU merger guidelines must also be finished by end 2026

The EU cybersecurity agency’s (ENISA) annual certification conference outlined the main changes to the certification framework under the proposed update to the EU cybersecurity certification law (CSA2). On the topic of certification schemes, ENISA is expected to launch a public consultation on the candidate scheme on managed security services on 1 July 2026. Stakeholders also highlighted challenges under the EU cybersecurity law for products with digital elements (CRA), in particular the lack of harmonised standards for accrediting bodies responsible for assessing conformity.

This edition features news about the progress on introducing an EU-wide age verification app; the European providers chosen by the European Commission to procure sovereign cloud services from; the Commission's preliminary findings to further specify Google Search data access obligations under the Digital Markets Act; and a public consultation on the template for data protection impact assessments under the GDPR. It also lists events taking place this week.

The Luxembourg administrative court annulled a 2021 decision by the national data protection authority (CNPD) fining Amazon €746m for violations of the EU General Data Protection Regulation (GDPR) relating to its processing of user data across the EU. This was the second highest fine imposed on a digital platform under the GDPR. The company was primarily fined for using the personal data of users for purposes of targeted advertising without a valid legal basis. The court found that the CNPD failed to undertake a proper assessment of the GDPR by imposing a fine automatically and without examining whether the company had the necessary degree of fault. The court nevertheless confirmed and upheld the CNPD’s finding that the company’s processing activities infringed several provisions of the GDPR.

This report gathers policy and regulatory developments at EU level covered by Cullen International’s Digital Economy and Media services during the last week. It also lists events taking place this week.