To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the fourth quarter of 2025.
This report follows our previous updates on European digital regulation and compliance developments for 2023 (Q1, Q2, Q3, Q4), 2024 (Q1, Q2, Q3, Q4), and 2025 (Q1, Q2, Q3).
In this issue, we highlight key EU, German, and UK developments in digital, media, and cybersecurity regulation. This includes progress on the CSAM Regulation, new EU digital initiatives and consultations, Germany’s implementation of NIS2 and media law reforms, and major UK updates on cybersecurity, online safety enforcement, and automated vehicles.
For further details, read our client alert.
1. EU Council finally adopts its position on the proposed Regulation
2. Digital Fitness Check: Is the EU’s Digital Rulebook Overweight?
3. Simplification: Commission publishes proposals for Digital Omnibus Package
4. Revision of the Product Liability Directive: Implementation is Approaching
5. Commission initiated revision of the Audiovisual Media Services Directive
6. Germany finally adopted its NIS2 Implementation law
7. Germany adopts its draft implementation of the EU’s new Withdrawal Button
8. Digital Media State Treaty: Key Discussion Points Adopted for Second Reform Package
9. New German Minor Safety Rules in Force & Raising Doubts on Extraterritorial Enforcement
10. The UK Cyber Security and Resilience Bill: Scope, Key Changes and Next Steps
11. The UK Online Safety Act: Showing its teeth
12. UK Government Calls for Evidence on Automated Vehicles
On November 26, 2025, the Council of the European Union adopted its long-awaited general approach on the proposed Regulation laying down rules to prevent and combat child sexual abuse material (“CSAM Regulation”). The Council’s position marks a notable shift compared to the Commission’s original proposal, particularly with regard to detection obligations (see also our Q2, 2022 and Q4, 2023 updates).
Most importantly, the Council refrained from endorsing mandatory detection orders as proposed by the Commission. Instead, the Council advocates for an unlimited extension of the current Interim Regulation (Regulation (EU) 2021/1232). This would continue to allow providers of over-the-top (OTT) messaging and other communication services to voluntarily scan communications for known CSAM and related indicators.
By relying on a permanent extension of the interim regime, the Council seeks to preserve the status quo for providers, avoiding the introduction of a new obligation to deploy detection technologies pursuant to binding orders issued by national authorities. This approach reflects ongoing concerns around proportionality, encryption, and fundamental rights, which have dominated the legislative debate since the Commission first tabled its proposal in 2022.
With the Council’s general approach now adopted, trilogue negotiations between the Council, the European Parliament, and the Commission are ongoing. Given that the Parliament has also expressed strong opposition to mandatory detection orders in the form originally proposed by the Commission, further changes to the draft Regulation are likely. As a result, the final text of the CSAM Regulation may diverge significantly from the Commission’s initial proposal.
On November 19, 2025, the European Commission launched a “Digital Fitness Check” by publishing a call for evidence and opening a public consultation. The exercise is positioned as the second step in the Commission’s digital simplification agenda (alongside the Digital Omnibus proposals, see our Q3 2025 update) and is intended to “stress test” how the EU’s digital rulebook performs in practice, particularly from a competitiveness and administrative burden perspective.
The Digital Fitness Check takes a broad view of the EU’s “digital rulebook,” encompassing both EU legislation with a significant digital dimension and its implementation in practice. Through the call for evidence, the Commission seeks to assess how these rules operate together, with a particular focus on identifying synergies, gaps, overlaps, and inconsistencies. The exercise will examine the coherence of key legal concepts and obligations, the cumulative impact of digital regulation (including combined costs, benefits, and potential duplication), and the effectiveness of governance and supervisory arrangements at the national and EU level. It will also consider tools, guidance, and practices that enhance legal certainty, reduce administrative burdens, or support the application of rules in innovative contexts.
The call for evidence and the public consultation will be conducted in parallel over a sixteen-week period, with submissions open until March 11, 2026, during which all stakeholders are invited to share their views. After evaluation, the Commission will organize further consultation activities in this context, including “reality checks” and implementation dialogues, focusing on specific issues. The Commission adoption is planned for Q1 2027.
On November 19, 2025, the European Commission published its long-awaited proposal for a Digital Omnibus package (see our Q3 update, 2025). The package includes (i) the Digital Omnibus on AI and (ii) the Digital Omnibus on the Digital Acquis, proposing amendments to data, privacy, and cyber laws.
The Digital Omnibus on AI proposes, inter alia,
Through the Digital Omnibus on the Digital Acquis several existing instruments would be repealed and consolidated with the Data Act. Furthermore, it proposes targeted amendments, including:
The Digital Omnibus package is currently under consideration by the European Parliament and Council. The text is expected to be heavily debated and likely to be amended during the legislative process.
On November 18, 2024, the EU published in the Official Journal the revised Product Liability Directive. It replaces the 1985 Product Liability Directive and aims to make the EU’s strict (no-fault-based) regime workable for software-enabled and AI-driven products, as well as modern supply chains.
The Product Liability Directive, which entered into force on December 8, 2024, extends liability to digital products. The “products” explicitly include software (including AI systems and updates), digital manufacturing files, and digital services treated as components. Manufacturers may be held liable where damage results from missing or inadequate software updates or insufficient cybersecurity safeguards. The new Directive also removes the current deductibles and maximum liability limits, and substantially modified products are treated as new products.
The Directive applies to products placed on the market or put into service after December 9, 2026. Member States must transpose it into their national laws and implement changes by December 2026. The 1985 Directive continues to apply to earlier products. Businesses should use the runway to inventory in-scope products and services, harden software update and cyber governance, and revisit documentation, supply-chain traceability, contractual allocations, and insurance.
The European Commission has initiated the formal evaluation process for the Audiovisual Media Services Directive (AVMSD), with a view to a potential revision. The initiative aims to assess whether the existing framework remains fit for its purpose in light of the rapid technological, market, and behavioral changes since the last revision in 2018.
The evaluation is currently ongoing, following the Commission’s publication of the call for evidence.
The Commission aims to assess the AVMSD’s effectiveness, efficiency, relevance, EU added value, and coherence, including its interaction with newer horizontal legislation such as the Digital Services Act (DSA). The evaluation covers a broad range of core elements of the Directive, including its scope, prominence of media services of general interest, audiovisual commercial communications, rules on the protection of minors applicable to video-sharing platforms and promotion of European works.
From a substantive perspective, the evaluation examines whether the existing framework remains fit for purpose in light of evolving markets, and technological and regulatory developments, in particular whether the current rules continue to be appropriate given:
The Commission plans to continue its preparatory work in Q1 2026 and to publish a factual summary report. A possible proposal for revisions is expected to follow in Q3 2026.
On December 6, 2025, Germany’s Act implementing the NIS2 Directive (Directive (EU) 2022/2555) entered into force, more than one year after the Directive’s transposition deadline expired. The Act completes Germany’s NIS2 legislative package by comprehensively revising the BSI Act (BSI-Gesetz) and formally integrating the NIS2 framework into the country’s existing cybersecurity regime centered around the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) (see also our Q2, 2025 update and our BSI deep dive).
For many organizations operating in Germany, the Act introduces new and expanded compliance obligations, including mandatory registration, enhanced cybersecurity risk management measures, and strengthened governance and enforcement mechanisms.
In-scope entities will now need to register within three months of the Act’s entry into force, i.e., before April 2026. Companies that were not previously subject to KRITIS or sector-specific cybersecurity rules should now assess whether their existing cybersecurity programs meet the new requirements under the BSI Act and address any gaps promptly.
Following a delayed transposition beyond the EU deadline of December 19, 2025, the Act amending German consumer contract law and insurance contract law, as well as certain provisions of treatment contracts (Gesetz zur Änderung des Verbrauchervertrags- und des Versicherungsvertragsrechts sowie zur Änderung des Behandlungsvertragsrechts), was published in the Federal Law Gazette on February 5, 2026. The Act implements, inter alia, Directive (EU) 2023/2673 (the “Directive”) amending the Consumer Rights Directive 2011/83/EU, which we previously covered in our Q1 2023 and Q4 2023 updates. Most importantly, it provides for an electronic withdrawal function, also often called a withdrawal button, in a new section 356a of the German Civil Code (BGB).
The adopted legislation requires traders, inter alia, to provide consumers with an electronic withdrawal function for all distance contracts implemented by means of an online interface, such as a website or app. Consumers must be able to exercise their right of withdrawal via the same interface used to enter into the contract.
Withdrawal must be enabled by a clearly identifiable function, like a button, that is permanently available throughout the withdrawal period. The function must be clearly visible, easily accessible, and prominently placed, and it must be labeled in a legible manner using the wording “withdraw from contract here” or an unambiguous equivalent. Once a withdrawal is submitted via the withdrawal function, traders are required to immediately confirm its receipt on a durable medium. These requirements are intended to ensure that consumers can withdraw from a contract just as easily as they can start it.
In Germany, the withdrawal function will apply alongside the cancellation button (Kündigungsbutton) that has been in place for several years. While the requirements for the function and the button may appear similar at first glance, they differ in important details, including that the existing design and implementation approaches for the withdrawal function cannot be the same as those for the cancellation button.
The provisions introducing the withdrawal button will enter into force on June 19, 2026, meaning that Germany will at least meet the application deadline set out in Directive (EU) 2023/2673. Affected businesses will have until June 19 to implement the withdrawal function.
Following the publication of the discussion draft for the first part of the Digital Media State Treaty (DMStV) in June 2025, the key discussion points adopted by the Broadcasting Commission of the Federal States in Germany on October 22, 2025 now constitute the basis for the second part of the reforms under the DMStV, further consolidating and modernizing Germany’s existing Interstate Media Treaty (MStV).
As previously mentioned in our Q2 Update, 2025, the first part of the DMStV primarily addresses the implementation of EU media legislation, in particular the European Media Freedom Act (EMFA). By comparison, the changes discussed under the second reform package aim to adapt media regulation to technological developments, safeguard freedom of expression and media pluralism in the digital environment, and address emerging questions relating to AI oversight.
Key points outlined by the Broadcasting Commission include:
The discussion points adopted in October 2025 do not yet constitute binding law but serve as reform proposals and options for the drafting of concrete legislative provisions for Part II of the DMStV. The Broadcasting Commission has tasked the state representatives with further developing these proposals and has announced its intention to adopt a formal decision in summer 2026.
The revised amendment to the Interstate Treaty on the Protection of Minors in the Media (Jugendmedienschutz-Staatsvertrag, “JMStV”) entered into force on December 1, 2025. The amendment strengthens youth protection obligations for providers of media services and platforms, including obligations applicable to services commonly used by minors (see our previous Q4, 2024 update).
Shortly after its entry into force, new administrative case law has addressed the applicability of the JMStV to providers established outside Germany.
In recent interim proceedings, the Administrative Court of Düsseldorf (VG Düsseldorf, case no. 27 L 1350/24) ruled on enforcement measures taken against a pornographic website operated by a provider established in Cyprus, based on a claim brought against an internet access provider that was ordered to restrict access to that website. German authorities had prohibited the offering of the website in Germany on the grounds that the content was not made available within a closed user group, as required under Section 4(2) sentence 1 no. 1 in conjunction with sentence 2 JMStV. In addition, the authority issued a blocking order against Germany-based internet access providers.
Without consideration of the JMStV’s rules on territoriality under Section 2 JMStV, the court found the relevant JMStV provisions to constitute an abstract and generally applicable rule that directly imposes obligations on all service providers, including those established in other EU Member States. Referring to recent case law of the Court of Justice of the EU (Airbnb Ireland, Cases C-662/22 and C-667/22; Google Ireland, Case C-376/22), the court held that abstract-general obligations are not compatible with Article 3(4) of the e-Commerce Directive, which permits derogations from the country-of-origin principle only on a case-by-case basis.
The decision raises questions as to how the revised JMStV can be enforced against providers established in other EU Member States. It remains to be seen how German media authorities will apply the JMStV in cross-border cases and whether higher courts will further clarify the relationship between the JMStV and the country-of-origin principle under EU law.
The first draft of the Cyber Security and Resilience Bill (the “Bill”) has landed! First introduced to UK Parliament on November 12, 2025, the Bill aims to strengthen cyber defenses for essential public services like healthcare, transport, and energy. It arrives with a policy paper outlining its objectives.
Building on the UK Network and Information Systems Regulations 2018 (UK NIS), the Bill expands the scope of regulated entities, tightens incident reporting requirements, and increases enforcement powers and penalties. While UK NIS broadly mirrored the EU’s NIS1 regime, the Bill aligns more closely (although not entirely) with the EU Network and Information Systems Directive (EU) 2022/2555 (EU NIS2).
Unlike EU NIS2, the Bill does not introduce personal liability for board or management members or mandatory cyber security training.
The Bill is progressing through Parliament and is expected to come into force in phases from the first half of 2026. Certain provisions will take effect on Royal Assent, with some regulatory powers commencing one month later. The remaining measures will be brought into force through secondary legislation, and of course, the Secretary of State (SoS) will have the power to extend the regulations as they see fit.
However, the Bill is subject to further consultations with stakeholders. The ICO’s response indicates broad support for the Bill, while flagging areas likely to be refined during parliamentary scrutiny, notably the definition of “significant impact,” the assessment criteria for critical suppliers, and the scope of enhanced information-gathering powers.
Since our last update, the UK’s regulator for the Online Safety Act (OSA), Ofcom, has shifted its emphasis away from establishing and clarifying the OSA’s regulatory architecture, towards active supervision and enforcement. Ofcom has not abandoned its prior objectives (in Q4 2025 alone, Ofcom published three sets of guidance in fairly short order), but its commencement of early enforcement action and implementation of the OSA’s fees and penalties framework via the Qualifying Worldwide Revenue (QWR) threshold indicate that the focus is now on showing the OSA’s teeth.
What has Ofcom been doing?
Ofcom has taken a number of steps that collectively demonstrate its intention to move rapidly from guidance into supervision and enforcement, including the following:
This is not to say that Ofcom has entirely stopped supporting in-scope companies. It is clear that the regulator wants to encourage compliance and is still seeking to make it as easy as possible for companies to engage with and adhere to their obligations, as demonstrated by the following:
Are there any imminent deadlines for in-scope companies?
Ofcom has signaled that the work to implement and enforce the OSA will continue in 2026, with further provisions becoming live, and guidance, regulatory tools and supervisory activity planned, as follows:
The Department for Transport and Centre for Connected and Autonomous Vehicles has published a call for evidence (“Consultation”) on developing the regulatory framework for automated vehicles (AVs).
The Consultation is likely to be particularly relevant for organizations in the automotive, insurance, technology, manufacturing, or logistics sectors. In particular, liability for AVs is expected to shift from human drivers to authorized organizations and vehicle keepers, which will undoubtedly have an existential impact on the accountability chain.
What is the background?
The Automated Vehicles Act 2024 (the “Act”) established the foundation for the authorization, deployment, and use of AVs on roads, including the safety and transparency measures required for usage on public roads. However, the Act itself largely relies on implementation by secondary legislation and governmental guidance. The Consultation forms part of the transition from high-level legislation to practical implementation, with its purpose being to inform the secondary legislation, regulatory guidance, and oversight mechanisms that will govern AVs.
The Consultation seeks the input of those within the AV industry (including equipment manufacturers and technology providers), experts (including road safety experts and academics), and users.
What does the Consultation cover?
The Consultation is split into two main chapters:
Chapter 1: “Getting AVs on the Road”
Chapter 2: “Once AVs are on the Road”
The Consultation is open until March 5, 2026, after which the government is expected to publish a summary of responses in July 2026 (i.e., within 12 weeks of the end of the consultation period).
Additional formal consultations are expected once more detailed proposals are developed, contributing to full implementation of the Act in 2027, with the enactment of secondary legislation due by the second half of 2027.
We are grateful to the following member(s) of MoFo’s European Digital Regulatory Compliance team for their contributions: Diya Gupta and Elena Pourghadiri, London office trainee solicitors; Darius Schulz, Felicitas Lampe and Mireille Thierfelder, Berlin office research assistants.