European Digital Compliance: Key Digital Regulation & Compliance Developments (May 2025)

09 May 2025
Client Alert

To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the third quarter of 2024.

This report follows our previous updates on European digital regulation and compliance developments for 2021 (Q1, Q2, Q3, Q4), 2022 (Q1, Q2, Q3, Q4), 2023 (Q1, Q2, Q3, Q4), and 2024 (Q1, Q2, Q3, and Q4).

In this issue, we report on key developments in the EU and UK, highlighting significant digital regulatory updates and consultations. The EU continues its ambitious digital agenda with the final expert report on B2B data sharing under the Data Act, public consultations on the proposed “AI Continent” Cloud Act, and a review of the EU Cybersecurity Act. We also cover fresh guidance under the AI Act for general-purpose AI (GPAI) models and the latest updates to the Digital Operational Resilience Act (DORA). In the UK, key developments include implementation of the new consumer enforcement regime under the DMCCA, Online Safety Act enforcement updates, and progress in cybersecurity reform. From Germany, we report on the long-awaited signing of the Interstate Treaty on Youth Media Protection, the new cookie consent ordinance now in effect, and the digital compliance implications of the new coalition agreement.

EU

1. Data Act: Final report of COM Expert Group on B2B Data Sharing and Cloud Computing Contracts Published

2. Cloud Act: Public Consultation on the EU “AI Continent – New Cloud and AI Development Act”

3. EU Cybersecurity Act Under Review and Consultation

4. Navigating GPAI-Model Regulation Under the AI Act: The EU’s Updated Draft Code of Practice and New Guidelines

5. DORA Updates

UK

1. Online Safety Act Developments

2. The New Consumer Enforcement Regime Under the DMCCA Takes Effect

3. The Latest in UK Cyber Developments

Germany

1. New Interstate Treaty on Youth Protection in the Media Has Finally Been Signed

2. German Cookie Consent Management Ordinance Entered into Force

3. The New German Coalition Agreement and Its Impact on Digital Compliance Initiatives

EU

1. Data Act: Final Report of COM Expert Group on B2B Data Sharing and Cloud Computing Contracts Published

On 2 April 2025, the European Commission’s Expert Group on B2B Data Sharing and Cloud Computing Contracts published its final report, containing guidelines and model contractual terms (MCTs) for data sharing and standard contractual clauses (SCCs) for cloud computing contracts. Both MCTs and SCCs are non-binding in nature and aim to facilitate the implementation of the Data Act, whose provisions will largely apply from 12 September 2025.

What’s New?

The MCTs cater to various relationships, e.g., data holders and users or data holders and data recipients, and are crafted to align with the Data Act’s goals of boosting data availability while upholding protection measures. They also address key aspects such as compensation for data use and sharing, as well as outlining remedies for the involved parties. Importantly, the MCTs are intended to be considered alongside other relevant legislation, including, e.g., the Data Governance Act and the Trade Secret Directive. While applicable in both B2B and B2C contexts, the report notes that additional provisions might be necessary to ensure adequate consumer protection in B2C relationships. Moreover, the MCTs do not prejudice existing rights and obligations under EU and national law, notably the GDPR. Thus, parties should pay particular attention when sharing mixed datasets or personal data.

The SCCs for cloud computing contracts are designed for service agreements between cloud providers and their customers. These SCCs address critical contractual elements, including, e.g., switching and exit, termination, and security and business continuity obligations. Unlike the standalone MCTs, these SCCs are intended to be integrated into broader service agreements.

What’s Next?

This final report from the Expert Group now serves as the foundation for an upcoming Commission Recommendation, addressing both MCTs and SCCs.


2. Cloud Act: Public Consultation on the EU “AI Continent – New Cloud and AI Development Act”

The European Commission unveiled the AI Continent Action Plan in April, aiming to position the EU as a global leader in AI and to promote the development and deployment of AI solutions that ultimately benefit society and the economy. Central to this strategy is the proposed EU Cloud and AI Development Act, which was opened for public consultation at the same time; the consultation period will end on 4 June 2025.

What’s New?

The EU Cloud and AI Development Act is one of the headline digital policies outlined in the 2025 Competitiveness Compass, particularly as the EU currently lags behind the U.S. and China in terms of available data center capacity. Indeed, previous projections (especially the Draghi Report; see our Q3 2024 coverage) have indicated a significant gap between Europe’s current computing capacity and its future AI needs. Therefore, the Act aims to tackle the current unfavorable conditions for the private sector and close this capacity gap. To do this, the Act is seeking to prioritize highly sustainable solutions and develop sufficient cloud and high-performance computing infrastructure to meet the growing demands of modern AI technologies. Moreover, the European Commission is considering actions to increase the secure processing capacity of EU-based cloud providers, namely by requiring that certain critical use cases can only be operated using highly secure, EU-based cloud capacity.

For now, the European Commission is asking for feedback from a variety of stakeholders, including financial institutions, investors, digital infrastructure funds, cloud providers, data center operators, and AI developers.

What’s Next?

After the evaluation of the consultation feedback, the European Commission aims to adopt a legislative draft of the Cloud and AI Development Act in Q4 2025.


3. EU Cybersecurity Act Under Review and Consultation

The EU Cybersecurity Act (CSA) was adopted in 2019 to grant a permanent mandate to ENISA – the EU’s cyber agency – and to establish the European Cybersecurity Certification Framework (ECCF). Since then, the role of ENISA has evolved as numerous pieces of cybersecurity legislation have come into force, and the European Commission has itself acknowledged that the ECCF has room for improvement.

What’s New?

The European Commission has opened a consultation to revise and simplify the CSA. As part of this process, the European Commission is considering the following changes to the CSA:

  • Streamlining reporting obligations and potentially simplifying cybersecurity measures;
  • Addressing ICT supply chain security challenges, including non-technical risk factors, to strengthen supply chain security;
  • Amending the mandate of ENISA to reflect its tasks under other cybersecurity legislation; and
  • Clarifying the framework under the ECCF and formalizing procedures regarding the maintenance phase of certification schemes.

What’s Next?

To better inform its review of the CSA, the European Commission has invited various stakeholders to provide their opinions on: (i) the areas of revision for the current ENISA mandate and current ECCF; (ii) the challenges related to ICT supply chain security; and (iii) the need to simplify cybersecurity measures and reporting obligations.

Interested parties have until 20 June 2025 to share their views via the portal or survey.


4. Navigating GPAI-Model Regulation Under the AI Act: The EU’s Updated Draft Code of Practice and New Guidelines

Following the release of the first and second drafts in November and December 2024 (see our Q4 update), the European AI Office published the third draft of the General-Purpose AI Code of Practice (the CoP) on 11 March 2025. Not long after, on 22 April 2025, the European Commission launched a multi-stakeholder consultation and published preliminary GPAI guidelines (the “Guidelines”).

These two guidance documents address complementary aspects of the regulation of general-purpose AI (GPAI) models: while the CoP clarifies how providers should meet their obligations under Articles 53 and 55 of the EU AI Act, the Guidelines specify who will be subject to these obligations in the first place.

What’s New?

Incorporating feedback on the second draft CoP, the third draft is written in a more transparent and practical manner, setting out nuanced commitments for GPAI model providers that are better aligned with the AI Act’s obligations. Key elements include:

  • Removal of all key performance indicators in favour of clearer reporting commitments;
  • The introduction of a user-friendly Model Documentation Form within the CoP; and
  • A reduction in providers’ obligations to make model documentation and copyright policies publicly available and to mitigate copyright infringement risks.

The Guidelines provide clarifications on:

  • Key definitions, including what constitutes a GPAI model, who qualifies as a provider, and when downstream modifications trigger new compliance obligations; and
  • The impact of adhering to the CoP. Providers who sign up to the CoP will benefit from a streamlined enforcement approach by the European Commission, while non-signatories must demonstrate effective alternative compliance measures and may therefore be subject to increased scrutiny.

What’s Next?

Feedback on the Guidelines can be submitted until 22 May 2025. The final versions of both the CoP and the Guidelines are expected to be published in May/June 2025. The obligations for providers of GPAI models will start applying from 2 August 2025 (subject to exceptions for GPAI models already on the EU market by this date).


5. DORA Updates

The EU’s Digital Operational Resilience Act (DORA) became fully applicable on 17 January 2025. Relevant financial entities in the EU – including banks, insurers, and investment firms – and their third-party ICT service providers are now required to implement the ICT risk management, resilience testing, and third-party risk management requirements provided for by DORA.

Delegated and Implementing Regulation

During Q1, the European Commission adopted additional regulations to supplement DORA, confirming further regulatory technical standards (RTS) and implementing technical standards (ITS) that organizations must adhere to:

  • Delegated Regulation (EU) 2025/301: RTS on the content and time limits for initial notification for major ICT-related incidents and the contents of intermediate and final reports. The regulation also provides the content of the voluntary notification for significant cyber threats.
  • Implementing Regulation (EU) 2025/302: ITS on the standard forms and templates for reporting a major ICT-related incident and notifying a significant cyber threat.
  • Delegated Regulation (EU) 2025/420: RTS on criteria for determining the makeup of a joint examination team.

However, two further pieces of regulation had not yet entered into force as of 12 May 2025:

  • Delegated Regulation C(2025) 885: Draft RTS for threat-led penetration testing. Although initially adopted on 13 February 2025, the regulation was subject to a correction on 10 April.
  • Delegated Regulation C(2025) 1682: Draft RTS on what relevant entities must assess when subcontracting ICT services supporting critical or important functions. The regulation was adopted by the European Commission on 24 March 2025.

Additional Updates

The Eurosystem updated its framework for threat intelligence-based ethical red-teaming (TIBER-EU framework) to align with the RTS for threat-led penetration testing, providing detailed guidance on how to complete such testing and encouraging authorities to implement the TIBER-EU framework.

The European Supervisory Authorities (ESAs) are also advancing the implementation of a framework overseeing “critical ICT third-party service providers” (CTPPs). The ESAs announced that they will collect a register of information and determine which providers qualify as CTPPs under DORA before providing oversight. CTPPs will be subject to enhanced oversight (consistent with the current position under DORA), as well as additional rules and costs.

What’s Next?

The outstanding Delegated Regulations are expected to be enforced in the coming months, provided both the European Parliament and EU Council do not object to the proposals.

The ESAs expect to notify CTPPs of their status by the end of July 2025. Designation will trigger a six-week period in which providers may object.


UK

1. Online Safety Act Developments

The UK Office of Communications (“Ofcom”) has recently launched enforcement programmes that aim to assess industry compliance with the illegal harms duties under the Online Safety Act 2023 (OSA). Additionally, Ofcom finalized its children’s safety measures on 24 April 2025, following its consultation on the matter that concluded in July 2024.

  • Enforcement programmes – Service providers had until 16 March 2025 to complete their illegal harms risk assessment. Their duties under the OSA relating to illegal harms came into force on 17 March 2025, which means platforms are now required to implement appropriate measures to deal with illegal content. In particular, Ofcom identified sharing of child sexual abuse material (CSAM) on file-sharing and file-storage services to be an area of priority. Ofcom has recently launched two enforcement programmes to monitor service providers’ compliance with these duties and recordkeeping, and providers’ duty to protect users encountering CSAM.
  • Children’s online safety regime – Ofcom has published the Protection of Children Codes of Practice (the “Codes”) and final guidance that sets out how service providers can protect their users from illegal content and harmful content for children. Service providers were asked to undertake a children’s access assessment by 16 April 2025. Those that concluded their service was likely to be accessed by children are now required to complete a children’s risk assessment by 24 July 2025. After this date, the Codes will become enforceable, provided they receive approval from Parliament, and providers will be required to implement the safety measures set out in the Codes.

What Else Is New?

  • The Online Safety Act 2023 (Category 1, Category 2A and Category 2B Threshold Conditions) Regulations 2025 came into force on 27 February 2025. The Regulations establish the thresholds for when in-scope services become “categorized services” which are then subject to additional obligations under the OSA.
  • Ofcom launched an investigation into whether a provider of an online suicide forum had failed to comply with its duties under the OSA to protect its users from illegal content. This is the first investigation of this kind under the OSA. Ofcom has previously stated that it would first focus on ensuring providers were able to comply with their new duties under the OSA; however, because the service provider did not adequately engage with Ofcom’s request to provide information, Ofcom decided to launch an investigation.

What’s Next?

A consultation on draft guidance on measures to improve women’s and girls’ safety online is currently open and will close on 23 May 2025, with publication of the final guidance expected at the end of the year. This guidance (which Ofcom is required to finalize and issue) will set out how regulated service providers can take action against harmful content and activity that disproportionately affects women and girls.


2. The New Consumer Enforcement Regime Under the DMCCA Takes Effect

We covered the new timelines, considered regulations and proposed guidance in our last update on the UK’s Digital Markets, Competition and Consumers Act (DMCCA). Now the moment has finally arrived and certain consumer aspects of the DMCCA have come into force!

For a summary of the DMCCA, please refer to our updates covering its infancy as a bill and as it passed into law. Since our last update, the Minister for Employment Rights, Competition and Markets has issued a statement setting out the UK government’s DMCCA implementation timeline, and consultations from each of the UK Competition & Markets Authority (CMA) and the Department for Business and Trade (DBT) have closed.

What’s New?

On 6 April 2025, the consumer law enforcement regime and unfair commercial practices regime – Part 3 and Part 4, Chapter 1 of the DMCCA – began to take effect. As a reminder, under Part 3 of the Act, the CMA has new direct powers to enforce consumer protection law. This has been introduced alongside a court-based enforcement regime which gives the courts power to impose remedies after receiving applications from the CMA and other authorized enforcers.

With this, the UK CMA has published various updates and guidance, which have been refined by consultations:

  • CMA58: Guidance on the enforcement of consumer protection.

    Provides a high-level summary of the regime and sets out the various powers held by the CMA and civil enforcers.
  • CMA200: Guidance on the direct consumer enforcement regime.

    Sets out the CMA’s powers and how it will approach judgments and fines.
  • CMA207: Guidance on unfair commercial practices.

    Provides practical guidance on the core concepts underpinning unfair commercial practices, such as misleading actions/omissions and the 32 banned practices.
  • CMA208: Guidance on fake reviews.

    Provides practical guidance on the newly banned practice of submitting, commissioning, publishing or procuring fake reviews or concealed incentivized reviews.
  • The CMA’s approach to consumer protection.

    Sets out the CMA’s strategy for enforcing the DMCCA, especially in the first 12 months.

What’s Next?

The CMA has stated that, over the next year, it will target conduct that is the most harmful to consumers, and that represents clear infringements of the law. In light of the enhanced enforcement regime and limited case law available, the CMA also plans to engage with businesses to further develop guidance to assist with compliance.

So, what is an ‘enhanced enforcement regime’? It’s a big boost to the CMA’s powers, which now include information-gathering abilities, investigations, the ability to procure compliance and sanctions. What’s more, these powers are backed by significant fines:

  • 10% of global annual turnover for businesses* in relation to breaches of consumer protection laws;
  • 5% of a business’* annual global turnover for breaches of undertakings and directions (don’t forget the additional daily penalties for continued non-compliance); and
  • 1% of a business’* annual global turnover for non-compliance with information notices (and, again, additional daily penalties for continued breaches).

*(Separate limits apply to individuals.)

For the other key dates, see our last update for further information.


3. The Latest in UK Cyber Developments

The UK government announced its intention to strengthen the UK’s cyber defences and critical industry resilience in the July 2024 King’s Speech. As a result, the first quarter of 2025 has seen a variety of proposals and measures released in support of this goal.

Addressing Cyber Threats

A public consultation on measures to address ransomware was run from January to April. Proposals included a ban on ransomware payments by public sector bodies and critical infrastructure operators, mandatory incident reporting within 72 hours, and a “payment prevention regime” requiring victims to notify authorities prior to any ransom payment. The Home Office is expected to release a response paper in due course.

The government has also published a Policy Statement setting out details regarding its proposed Cyber Security and Resilience Bill. The key proposals include increasing the number of regulated entities, introducing stricter cyber incident reporting requirements and enhancing the role of regulators, with particular focus on the digital service sector and general cost-recovery and enforcement. These echo the oversight powers given to UK financial regulators in January to regulate services critical to banks.

The UK’s legislative approach is purposefully similar to the EU’s NIS2 Directive, aiming to align the UK’s cyber security and resilience with that of its continental neighbours, whilst maintaining flexibility for UK-specific threats. It is therefore likely that changes to legislation will be influenced by what happens in this space in the EU.

Best Practice Guidance

The Department for Science, Innovation and Technology (DSIT) has published an AI Cyber Security Code of Practice, covering baseline security requirements through the life of an AI system. The Code has been developed with the intention that it will form the basis of a new global standard for secure AI through the European Telecommunications Standards Institute.

Similarly, the DSIT has also published a Cyber Governance Code of Practice, outlining the cyber governance actions for which directors are responsible and which form part of a government support package for both public and private organizations. Organizations should be aware that the Code is “the foundational code” in the DSIT’s wider collection of cyber security codes of practice.

Both codes are entirely voluntary but provide practical steps that are likely to be treated as important benchmarks by regulators going forward. Each is further supported by its own published implementation guidance (one for the AI code and one for the Cyber Governance code).

What’s Next?

The Cyber Security and Resilience Bill will be presented to Parliament later this year.


Germany

1. New Interstate Treaty on Youth Protection in the Media Has Finally Been Signed

What’s New?

On March 31, 2025, the German Federal States signed the final version of their revision of the German Youth Protection State Treaty. The draft sparked controversy with the European Commission concerning its compatibility with fundamental principles of the e-Commerce Directive and the Digital Services Act (DSA) (see our Q1 2024 update).

Under the revised Treaty, in-scope operating systems will now have to set up a parental control mechanism that allows parents to set a device-wide age level, blocking access to and installation of apps with an age rating higher than that age level. To facilitate this mechanism, the relevant proprietary app store must collect age ratings for all available apps. The parental control mechanism must also deactivate app installations from non-system app stores, although the final draft now permits such third-party app stores if they have a similar age-rating mechanism.

Apps that have their own built-in youth protection mechanisms approved by a recognized self-regulatory body are privileged, as these apps must be made available regardless of the OS-level age setting.

What’s Next?

Once ratified by the German Federal States, the new provisions of the revised German Youth Protection State Treaty are set to take effect on December 1, 2025, with varying compliance deadlines for the newly introduced obligations. Concurrently, the question remains whether the European Commission will continue to view the Treaty as infringing upon the e-Commerce Directive or the DSA, potentially leading to an infringement procedure against Germany before the European Court of Justice, as discussed in our Q2 2024 update.


2. German Cookie Consent Management Ordinance Entered into Force

What’s New?

Germany’s Cookie Consent Management Ordinance (Einwilligungsverwaltungsverordnung, or EinwV) came into force on 1 April 2025 and aims to simplify how users manage their cookie preferences across digital services. The EinwV allows users to make their choices once, reducing the need for repetitive consent requests. Consent management services, often referred to as Personal Information Management Systems (PIMS), interact with websites or cookie banners to convey user preferences and provide this information to digital services upon request. This approach also aims to reduce the presence of cookie banners, which are often seen as annoying or disruptive. PIMS providers can seek recognition from the Federal Data Protection Commissioner by submitting an application and a security concept that meets specific requirements, as outlined in Sec. 10 EinwV.

The German Consent Management Ordinance is based on Sec. 26(2) of the Telecommunications Digital Services Data Protection Act and is designed to enable the central management of consent across websites and devices. The intention is to make individual cookie consent banners redundant by utilizing “recognized consent management services.” These services are expected to offer a more efficient and user-friendly alternative to traditional cookie banners.

Voluntary Implementation

The ordinance applies to both PIMS providers and digital services. However, digital services have the discretion to decide whether to integrate these recognized consent management systems, as stated in Sec. 18(1) EinwV. The management includes storing, transmitting and revoking user settings, as specified in Sec. 2(1) No. 1 EinwV.

Key Responsibilities

Recognized consent management service providers must store users’ cookie preferences to prevent repeated consent requests on the same service, such as those that occur when a service is used for the first time or when previously unmanaged information is requested (Sec. 3(1) EinwV). As stated in Sec. 3(2) EinwV, before consent is managed, users must be informed about who is responsible for data storage, what data is stored, how long data is stored and why the data is stored. This information should be easily accessible and exportable (Sec. 3(2) EinwV). Consent and the underlying information must be documented and made easily accessible (Sec. 3(3) EinwV).

User-friendly features should be implemented. The user interface must be transparent and understandable, enabling users to make free and informed decisions (Sec. 4 EinwV).

What’s Next?

Since the implementation of the Cookie Consent Management Ordinance is voluntary, significant changes are not anticipated. If Sec. 25(2) of the TDDDG is already being adhered to, the ordinance will not introduce anything new. Additionally, it is unlikely that existing consent management providers will be replaced, as this involves a different area altogether.


3. The New German Coalition Agreement and Its Impact on Digital Compliance Initiatives

Elections held on 23 February 2025, following the collapse of the German government as reported in our Q4 2024 update, have led to the recent formation of a new coalition government. The newly published coalition agreement has set the stage for significant developments in the area of digital compliance, providing some clarity on the digital regulatory initiatives that the future German government will prioritize.

What’s New?

On 9 April 2025, the new government’s coalition agreement was published, establishing the foundation for the government’s work in Germany while outlining its political objectives. With the new coalition agreement in place, the German government has laid out a comprehensive plan to push legislation forward in several digital compliance areas, enhancing the regulatory framework governing digital activities. Key initiatives include:

  • Amendment of the BSI-Act: As part of the implementation of the NIS-2 Directive, the government intends to amend the German Federal Office for Information Security Act (“BSI-Act”). The previous parliamentary procedure for this initiative, which attempted to enact an NIS-2 Implementation and Cybersecurity Strengthening Act, was interrupted by the early elections, causing further delay.
  • KRITIS Umbrella Law: A KRITIS umbrella law, which is expected to regulate the resilience and security of critical infrastructures and impose additional obligations on operators of critical facilities, is set to be enacted soon.
  • Centralization of Data Protection Supervision: The coalition agreement proposes the reform and centralization of data protection supervision under the Federal Data Protection Commissioner, ensuring consistent enforcement across the country.
  • Alignment with the Digital Services Act: Plans are in place to align the Act for the protection of minors with the DSA and the Interstate Treaty on the Protection of Minors from Harmful Media. The alignment seeks to create a consistent legal framework across Europe, the federal government, and the states, thereby eliminating parallel structures and enabling effective legal enforcement.
  • Digital Protection Against Violence Act: Another measure brought forward by the coalition agreement is the introduction of a Digital Protection Against Violence Act, aiming to improve the legal status of affected individuals. This will also require platforms to provide interfaces to law enforcement agencies for the automated and rapid retrieval of relevant data.

What’s Next?

As the new government begins to function, it remains to be seen whether the implementation of the discussed digital regulatory initiatives will build upon previous drafts and proposals of the former government. The published coalition agreement confirms that the intended legislation of the new government will involve significant changes in digital compliance requirements for a wide range of companies.


We are grateful to the following member(s) of MoFo’s European Digital Regulatory Compliance team for their contributions: Angus Irving and Jane Xiu, London office Trainee Solicitors; and Lotta Ströhlein, and Felicitas Lampe, Berlin office Research Assistants.
