European Digital Compliance: Key Digital Regulation & Compliance Developments (May 2026)

01 May 2026
Client Alert

To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the first quarter of 2026.

This report follows our previous updates on European digital regulation and compliance developments for 2023 (Q1, Q2, Q3, Q4), 2024 (Q1, Q2, Q3, Q4), and 2025 (Q1, Q2, Q3, Q4).

In this issue, we cover a busy first quarter for European digital regulation. On the AI front, we examine the UK CMA’s new guidance on agentic AI and consumer protection, the UK government’s report on copyrights and AI, and the EU AI Omnibus Regulation as it enters trilogue negotiations. In online safety, we report on Ofcom’s increasingly assertive enforcement posture under the UK Online Safety Act, a joint ICO-Ofcom statement on age assurance, the UK government’s consultation on children’s digital wellbeing, and the expiry of the EU’s interim CSAM regulation. We also track significant developments in cybersecurity and infrastructure resilience, including the European Commission’s proposals for a revised Cybersecurity Act, a Digital Networks Act, and NIS2 simplification measures, alongside draft guidance on the Cyber Resilience Act and the entry into force of Germany’s KRITIS Umbrella Act.

UK

1. CMA Research Note on Agentic AI and Consumers

2. Ofcom’s Online Safety Bulletin: “The Industry Has Not Done Enough”

3. UK Government’s Report and Impact Assessment on Copyright and AI

4. ICO and Ofcom’s Joint Statement on Age Assurance

5. UK Government’s Digital Wellbeing Consultation

EU

6. AI Omnibus Regulation: Co-Legislators Align as Trilogue Negotiations Begin

7. Cybersecurity Act 2: Commission Proposes Overhaul of the EU Cybersecurity Framework

8. CSAM Regulation: European Parliament Blocks Extension as Derogation Expires

9. Digital Networks Act: New Commission Proposal to Update EU Telecoms Rules

10. NIS2: Brussels Moves to Ease the Compliance Burden with Proposed Amendment

11. Cyber Resilience Act: Commission Sets the Tone for Enforcement with Draft Guidance

DE

12. KRITIS Umbrella Act: Germany’s New Critical Infrastructure Resilience Framework Enters into Force


1. UK CMA Publishes Agentic AI Consumer Guidance

On March 9, 2026, the UK Competition and Markets Authority (CMA) released two agentic AI publications: (1) a research paper on how agentic systems may reshape consumer markets; and (2) business guidance on using AI agents in compliance with consumer law. Taken together, the publications adopt a pro-innovation approach, while making it clear that existing consumer protection rules still apply when companies use agentic AI in consumer-facing contexts.

What’s new?

The CMA describes agentic AI as a potential shift from AI merely assisting consumers to AI acting on consumers’ behalf (e.g., searching across services, recommending products, handling complaints, processing refunds, and, in some cases, executing transactions). In the CMA’s view, this development could reduce consumer friction, lower search costs, and improve personalization. However, it could also intensify familiar risks such as consumer manipulation and over-reliance, inaccurate outputs or hallucinations, decision-making opacity and bias, and reduced consumer choice caused by lack of interoperability and data mobility. New risks may also arise through agentic collusion in relation to algorithmic pricing, potentially dampening competitive pressure (see CMA blog post on AI and collusion).

For companies, the key legal takeaway is that they must not mislead, manipulate, or exert undue pressure on consumers, regardless of whether outcomes are driven by human decisions, AI algorithms, or interface design. Organizations remain responsible for what their agentic AI says or does, even where the system is supplied by a third party. The CMA highlights the following key compliance considerations:

  • Being transparent about agentic AI use, e.g., through labels and accurate claims about capabilities;
  • During AI training, respecting consumers’ statutory and contractual rights, avoiding misleading practices, and properly obtaining any necessary consents;
  • Conducting ongoing monitoring of real‑world performance, including errors, bias, complaints, and unintended outcomes, with regular human oversight; and
  • Promptly remediating identified issues, particularly where there may be significant impacts.

What’s next?

The CMA’s guidance signals its expectations regarding agentic AI and its intention to assess compliance through established consumer law principles. Businesses should address the CMA’s compliance considerations, particularly when deploying agentic AI in marketing, customer service, comparison tools, refunds, or pricing. The CMA reminds organizations that failure to comply with consumer protection laws may result in fines of up to 10% of worldwide turnover or orders to compensate affected consumers.


2. Ofcom’s Online Safety Bulletin: “The Industry Has Not Done Enough”

On March 17, 2026, the UK regulator for the Online Safety Act (OSA), Ofcom, published its industry bulletin (the “Bulletin”), which provided a (somewhat stern) update on its enforcement action to date, reiterated current OSA obligations for in-scope services, and outlined what interested parties can expect next from Ofcom’s online safety agenda.

What’s new?

Ofcom has continued to place its emphasis firmly on enforcement. On March 12, 2026, it publicly demanded that tech firms “keep underage children off [their] platforms,” and cited “continued failings” to enforce minimum age rules with highly effective age checks, tackle grooming, make feeds safer, and test products rigorously. It came as no surprise therefore when, a few days later in its Bulletin, Ofcom highlighted its many ongoing enforcement actions, which are primarily focused on the services that present the highest risk to UK users.

Ofcom made its dissatisfaction clear regarding the current efforts employed by some of the largest services, stating that 72% of underage children are still accessing services in breach of supposed age restrictions. And, if you couldn’t read between the lines or had any doubt about Ofcom’s willingness to escalate matters of non-compliance, the Bulletin is clear: Ofcom is “not hesitating to take enforcement action if [it identifies] failings.” If you need further convincing, the information below is a whistle-stop tour of just some of Ofcom’s enforcement activities:

  • A £1.35 million fine was issued against one service for failing to use highly effective age assurance measures to prevent children’s access to pornographic content, plus a further £50,000 fine for non-responsiveness in respect of Ofcom’s information requests. And, on that note, fines for non-responsiveness have also been levied against two further services—amounting to £30,000 and £20,000 each. Clearly, failing to engage with Ofcom could turn out to be a costly mistake for any in-scope service.
  • A provisional notice of contravention has been issued for a forum’s failure to comply with various OSA duties, including risk assessments, illegal content, and reporting and complaint procedures.
  • New formal investigations have been opened, including into one of the biggest household-name services for failure to protect users from illegal content and harmful material.

But, as is proving typical for Ofcom, with raised compliance expectations comes greater support and guidance: an overhauled OSA compliance guide was published on February 27, 2026 (and has been regularly updated thereafter). This guide, which now incorporates feedback from numerous services across a range of jurisdictions and signposts to other resources and available support, is a clear first port of call for services that may be unsure about what the OSA is and how it might apply to them.

What’s next?

  • Ofcom Outreach: “Selected service providers” have been told to expect information requests from Ofcom relating to illegal content and children’s risk assessment records, giving an indication of where Ofcom’s focus will be in the short term. Additionally, specific providers will be contacted to provide their representations on Ofcom’s provisional list of “Category 1” services.
  • Consultations: A number of consultations were closed, opened, or remained ongoing during Q1 2026. These include:
    • The (now closed) consultation on draft guidance for categorized services concerning the disclosure of information to bereaved parents about their child’s use of the platform (the related duties are due to come into force in late 2026, when Ofcom’s guidance is finalized);
    • The ongoing UK government consultation on amendments to existing tribunal procedure rules to support the newly created appeal rights under the OSA; and
    • The new consultation on proposed updates to Ofcom’s illegal harms guidance (to reflect the elevation of cyberflashing and assisting serious self-harm to priority offenses). Ofcom specifically noted that these upgraded categorizations will likely necessitate updates to services’ illegal content risk assessments.
  • Media Literacy Recommendations: Following its September 2025 consultation, Ofcom intends to publish its final statement of media-literacy recommendations in “spring 2026.” These recommendations will set out how Ofcom expects in-scope services to assist users in engaging with online content and services more safely.
  • More Resources: In early May 2026, Ofcom intends to launch new and updated tools and resources to assist in-scope services in complying with OSA duties relating to child access assessments. This will include a revamped Online Safety Regulation Checker, which can help services determine whether they are in scope.


3. UK Government’s Report and Impact Assessment on Copyright and AI

After launching its consultation on AI and copyright in December 2024 (see our article), the UK government (the “Government”) has now considered the consultation responses and published its Report on Copyright and Artificial Intelligence (the “Report”) on March 18, 2026. No conclusions have yet been reached on reform of the regime—instead, the Government has stepped back from its previously favored opt-out exception.

The Report covers the use of copyrighted works in the development of AI systems and considers whether the current regime should be revised to allow AI developers to have greater access to copyrighted material. It also addresses transparency, technical measures, and the enforcement of restrictions related to the use of copyrighted works by AI developers.

The initial consultation set out four options for consideration:

  • Option 0: Do nothing—make no changes to copyright law;
  • Option 1: Require licensing in all cases—for all use of copyrighted works by AI models, including possible measures relating to systems developed outside the UK and used in the UK market;
  • Option 2: Offer a broad data-mining exception—permit use of copyrighted works for commercial AI models; and
  • Option 3: Offer a data-mining exception—but allow rights holders to reserve their rights, subject to transparency measures (an opt-out solution, where a license is required in the case of opt-outs).

What’s new?

  • The Government has dropped its preferred opt-out model

    Option 3 is no longer the Government’s preferred way forward. In light of the strong views expressed in the consultation, gaps in the evidence base, and the rapidly evolving AI sector and international context, the Government will not use this Option.
  • No reform for now, and the debate continues

    The Government will not introduce reforms to copyright law unless and until it is confident that they will meet its objectives for the economy and UK citizens. It points to limited and uncertain evidence on how copyright law affects AI development and deployment in the UK, alongside ongoing litigation, emerging transparency rules, developing technical standards, and market-led licensing activity as reasons for caution.
  • Alternative approaches remain under consideration

    Beyond the initial four options, the Government will gather further evidence on alternative approaches, including more focused interventions such as exceptions for science and research or certain public-interest uses.
  • Transparency remains central

    Greater transparency may help rights holders assert and enforce their rights. For now, the Government proposes to work with the industry and experts on best practices for input transparency, rather than legislate immediately. These issues arise not only in training, but also in fine-tuning, retrieval-augmented generation, AI agents, and search summaries.
  • Labeling, technical standards, and licensing remain live issues

    The Government will work with the industry on labeling AI-generated content and on market-led technical tools and standards. It does not intend to intervene in the licensing market at this stage, but will keep market-led approaches under review, including through the Creative Content Exchange, a Government-backed pilot program that is meant to support licensing and permitted access to digitized cultural and creative content.
  • Computer-generated works and digital replicas are also in scope

    There is minimal evidence that protection for wholly computer-generated works is being actively used or has significant economic effects and, in the absence of evidence of continuing value, the Government proposes that it should be removed. It also recognizes growing concerns regarding digital replicas and proposes to explore options for stronger protection, including whether a new personality right may be appropriate.

What’s next?

The Government has not adopted a settled alternative. Instead, it will continue gathering evidence on how copyright law affects the development and deployment of AI across the economy as discussed above, while considering alternative approaches and monitoring legal, market, and regulatory developments in the UK and abroad.


4. ICO and Ofcom’s Joint Statement on Age Assurance

The UK Information Commissioner’s Office (ICO) and Ofcom issued a joint statement in March 2026 clarifying how age assurance obligations should be implemented under the Online Safety Act 2023 (OSA) alongside UK data protection law. The statement responds to longstanding industry uncertainty about how to reconcile child safety duties—particularly the requirement to prevent children from accessing harmful content—with core privacy principles under the UK GDPR. The statement is directed at providers of online services that are likely to be accessed by children and reflects a coordinated regulatory effort to ensure that age assurance measures are both effective and respectful of individuals’ data protection rights.

What’s new?

The statement sets out a shared, risk-based, and proportionate framework for managing age assurance. The ICO and Ofcom emphasize that organizations must calibrate their approach based on the level of risk their services pose to children, particularly where content is harmful to children or age restricted.

Notably, the regulators signal that low-friction methods such as self-declaration will rarely meet the threshold of “highly effective” age assurance in higher-risk contexts. At the same time, the statement underscores that stronger age checks do not displace data protection obligations. Instead, organizations must embed privacy by design, ensuring that any age assurance solution complies with core principles such as data minimization, purpose limitation, and security. The statement also stresses a technology-neutral approach, avoiding endorsement of specific tools while setting clear outcome-based expectations.

What’s next?

The statement signals increased scrutiny of age assurance practices as Ofcom’s OSA enforcement regime comes into force. Organizations should (i) reassess their current age assurance mechanisms, particularly if they rely on self-declaration methods, and (ii) expect further cross-regulatory guidance and codes of practice detailing what constitutes “highly effective” age assurance in specific sectors.


5. UK Government’s Digital Wellbeing Consultation

On March 2, 2026, the UK government launched its “Growing Up in the Online World” consultation (the “Consultation”), opening a broader policy discussion on the regulation of children’s use of digital services in the UK.

What’s new?

In contrast to approaches in other jurisdictions that focus primarily on age thresholds or platform bans, the Consultation addresses a broader set of issues, including:

  • Children’s “digital wellbeing” as a regulatory objective: The Consultation looks beyond online safety and privacy to consider the impact of digital services on children’s sleep, attention span, school life, and family life, and raises the question of whether schools should maintain mobile phone-free environments during the day;
  • A feature-specific approach to risk: Considering whether specific features—including, inter alia, livestreaming, disappearing content, and location sharing—need stronger safeguards for younger users;
  • Scrutiny of persuasive or engagement-driven design: Pointing to closer scrutiny of features that may encourage prolonged or compulsive use of online services (e.g., infinite scroll and autoplay); and
  • Consideration of children’s use of AI chatbots alongside more established services: The Consultation extends beyond social media to encompass newer services, including AI chatbots, within the same regulatory discussion as more established services used by children, such as gaming platforms.

What’s next?

The Consultation closes on May 26, 2026, and the UK government has indicated that it intends to act quickly thereafter. For providers, the trajectory points towards increased scrutiny of age assurance practices, service design, and protections for younger users.


EU

6. AI Omnibus Regulation: Co-Legislators Align as Trilogue Negotiations Begin

Following the adoption of their respective positions on the AI Omnibus Regulation, trilogue negotiations between the Council of the European Union (“Council”), the European Parliament (EP) and the European Commission (EC) commenced, marking a critical phase in the process of amending and simplifying the AI Act (see our Q1 2025 update).

What’s new?

The EP and the Council are aligned on several key points:

  • They reject the EC’s conditional application mechanism for high-risk AI rules, instead proposing fixed deadlines: December 2, 2027 (Annex III) and August 2, 2028 (Annex I).
  • The EP and Council propose banning AI systems that can generate, manipulate, or reproduce non-consensual intimate content or child sexual abuse material.
  • Both reinstate registration requirements for non-high-risk systems.
  • Both restore the AI Act’s original rule: providers of high-risk AI systems may process special categories of personal data only where strictly necessary for bias detection and correction.
  • Both support extending SME regulatory privileges to small mid-cap enterprises.

Key areas of divergence include:

  • The EP reintroduces a softened AI literacy obligation for providers and deployers.
  • The EP and Council add further carve-outs to the centralized AI Office oversight for GPAI-based AI systems, covering critical infrastructure, justice, democratic processes, law enforcement, border management, judicial authorities and financial institutions. The EP also removes the AI Office’s exclusive competence over such systems.
  • The EP proposes reclassifying all Annex I Section A products to Section B, thereby extending the AI Act’s limited application regime to all Annex I products.

What’s next?

A political agreement is expected in April or May 2026, followed by formal adoption in June and publication in the Official Journal before the end of July 2026.


7. Cybersecurity Act 2: Commission Proposes Overhaul of the EU Cybersecurity Framework

On January 20, 2026, the European Commission published its proposal for a revised Cybersecurity Act (the “Cybersecurity Act 2”) as part of a broader cybersecurity package. The proposal would replace the existing 2019 framework, addressing gaps exposed by a rapidly evolving threat landscape, including rising cyberattacks and supply chain risks.

What’s new?

The proposal focuses on three core areas: simplifying the EU cybersecurity certification framework (ECCF), strengthening the role of the European Union Agency for Cybersecurity (ENISA), and introducing a new approach to information and communications technology (ICT) supply chain security.

First, the revised framework seeks to streamline the certification system through clearer procedural rules and improved alignment across existing schemes—for example, by providing that national certification schemes covering the same subject matter as an EU cybersecurity certification scheme would cease to apply. While certification remains voluntary, its scope may expand beyond ICT products, services, and processes to include organizational cybersecurity practices, thereby enabling the certification of a company’s cybersecurity risk management.

Second, ENISA’s mandate would be significantly expanded, transforming it into a “single point of expertise for cybersecurity at Union level.” Its enhanced role would include new operational tasks such as developing cyber threat intelligence repositories, issuing early warnings on major or cross-border threats, and managing a ransomware help desk to support essential and important entities in responding to cyber incidents.

Third, and perhaps most notably, the proposal introduces far-reaching mechanisms for securing ICT supply chains. It establishes EU-level coordinated risk assessments to identify “key ICT assets,” threat actors, and vulnerabilities. Based on these assessments, the Commission may impose mitigation measures, including restrictions or outright bans on components from suppliers deemed “high risk,” potentially leading to costly and complex infrastructure replacements. Importantly, the framework goes beyond technical cybersecurity considerations when assessing supply chain risk and explicitly incorporates non-technical risk factors such as geopolitical tensions as well as legal and organizational dependencies.

What’s next?

The proposal now enters the EU legislative process, requiring adoption by both the European Parliament and the Council. In the meantime, companies should begin assessing their ICT supply chains, including mapping components and supplier origins, to prepare for potential future restrictions and obligations.


8. CSAM Regulation: European Parliament Blocks Extension as Derogation Expires

On April 3, 2026, the Interim CSAM Regulation expired after the European Parliament and the Council failed to reach agreement on a further extension. The Regulation had permitted providers of interpersonal communication services to voluntarily detect, remove, and report child sexual abuse material (CSAM), including within private communications, by way of a limited derogation from the principle of confidentiality under the ePrivacy Directive.

What’s new?

On March 26, 2026, the European Parliament rejected a proposal to extend the Interim Regulation. The vote reflects continued concerns among lawmakers regarding the proportionality of voluntary scanning measures, particularly in relation to privacy and the potential scope of surveillance.

The Interim Regulation was originally adopted in 2021 as a short-term measure to bridge the gap until the adoption of a permanent legislative framework on CSAM, and was subsequently extended in 2024 for the same purpose. However, negotiations on the proposed CSAM Regulation have been ongoing for several years and remain subject to significant disagreement, particularly regarding detection obligations and safeguards for fundamental rights (see also our Q4 2025 update).

What’s next?

With the expiry of the Interim Regulation, providers no longer benefit from the specific EU-level derogation that permitted voluntary CSAM detection in private communications. This creates significant legal uncertainty for providers that had relied on the derogation for their detection activities.

Negotiations on the proposed CSAM Regulation remain ongoing. Given the continued divergence of views among the co-legislators, further delays and substantive changes to the Commission’s original proposal are to be expected.


9. Digital Networks Act: New Commission Proposal to Update EU Telecoms Rules

On January 21, 2026, the European Commission published its long-anticipated proposal for a Digital Networks Act (DNA), setting out a comprehensive overhaul of the EU’s telecommunications regulatory framework. The proposal would fully replace the European Electronic Communications Code (EECC), marking a significant step towards a more harmonized, modern, and simplified approach to digital connectivity across the European Union.

What’s new?

The DNA responds to the increasing demand for high-capacity networks driven by artificial intelligence, cloud computing, and other emerging technologies. It introduces a broad set of reforms designed to incentivize infrastructure investment and support high-performance, secure, and resilient network services.

Key proposals include:

  • Adoption as a regulation: The DNA is proposed as a regulation rather than a directive, ensuring direct applicability across all Member States. This is intended to reduce the fragmentation seen under the EECC while simplifying compliance for cross-border providers and accelerating the impact of regulatory changes.
  • Consolidation of the regulatory framework: The proposal merges five major instruments—the EECC, the BEREC Regulation, the Radio Spectrum Policy Programme (RSPP), key parts of the Open Internet Regulation, and the ePrivacy Directive—into a single, streamlined framework.
  • Enhanced resilience and crisis preparedness: Complementing other EU cybersecurity rules, such as NIS2 and the Cybersecurity Act, the DNA introduces an EU-wide framework to strengthen the resilience of digital networks. This includes enhanced cooperation among providers, regulators, and EU bodies, as well as the development of an EU preparedness plan to support coordinated crisis response mechanisms and ensure service continuity in the event of disruptions.
  • Single passport authorization regime: A new EU-wide notification system would allow providers to offer networks and services across the Union based on a single notification in one Member State, facilitating cross-border operations and supporting centralized network models.
  • Reform of spectrum policy: The DNA introduces a clear shift towards investment predictability by establishing, as a default, unlimited duration for radio spectrum usage rights, subject to periodic review for certain wireless broadband rights. To promote efficient allocation, a “use-it-or-share-it” principle would require spectrum holders to either utilize their rights effectively or make them available for shared use.
  • EU-level satellite regime: Given the increasing importance of satellite communications, the DNA would establish a centralized EU authorization framework for satellite networks, services, and related spectrum.
  • Accelerated transition to fiber networks: The DNA sets out a structured copper switch-off framework, providing for area-based implementation and a longstop date of December 31, 2035, subject to fiber coverage and affordability conditions.
  • Net neutrality and reporting obligations: Existing net neutrality rules are largely maintained, but providers would face enhanced obligations, including mandatory biennial reporting on traffic management practices.

What’s next?

The proposal now enters the EU legislative process, with the European Parliament and the Council developing their positions ahead of trilogue negotiations. While the final outcome remains uncertain, the DNA signals a clear policy direction towards reducing regulatory and administrative burdens and strengthening the Single Market for connectivity.


10. NIS2: Brussels Moves to Ease the Compliance Burden with Proposed Amendment

On January 20, 2026, the European Commission published a proposal to amend the NIS2 Directive as part of its broader cybersecurity package, even before many Member States have fully transposed the Directive into national law (see our client alert). The proposal signals a pragmatic shift: preserving core cybersecurity obligations while reducing regulatory friction for affected entities.

What’s new?

The proposed reform focuses on narrowing the scope of the Directive, harmonizing requirements across Member States, and recalibrating supervisory approaches. The Commission acknowledges that divergent national transpositions and broad scoping criteria have created legal uncertainty and disproportionate compliance burdens across the EU.

The proposal would refine which entities fall within scope, with a more proportionate allocation of obligations—particularly for organizations with limited systemic relevance. It also introduces elements of maximum harmonization to curb Member State “gold-plating.”

Supervision would become more risk-based, easing oversight for lower-risk entities while maintaining stricter scrutiny where systemic relevance is highest. In parallel, the proposal envisages more consistent technical requirements and streamlined compliance, including through implementing acts and standardized measures.

As a result, an estimated 29,000 companies could fall out of scope or face lighter-touch supervision.

What’s next?

Political agreement on the proposal will likely be tied to the Commission’s broader cybersecurity package, including the Cybersecurity Act 2 reforms. The timing is notable: changes could take effect just as national NIS2 regimes are stabilizing, creating a moving compliance target through at least 2027.

For businesses operating across multiple Member States, the trajectory points towards greater convergence, but also continued transition risk. Companies should assess whether their current compliance programs are disproportionately shaped by national “gold-plating” that may not survive the reform process.

More broadly, the proposed reforms reflect a wider shift in EU digital regulation: simplification is becoming a policy priority, but only insofar as it strengthens—rather than dilutes—strategic resilience.


11. Cyber Resilience Act: Commission Sets the Tone for Enforcement with Draft Guidance

The European Commission is moving the Cyber Resilience Act (CRA) from principle to practice. Its draft guidance, published on March 3, 2026, offers the first substantive indication of how core concepts will be applied in enforcement. For companies, the takeaway is immediate: compliance will hinge less on the text of the regulation and more on how it is interpreted.

What’s new?

The CRA itself sets binding obligations, including risk-based cybersecurity requirements, vulnerability handling, and life cycle support. The draft guidance does not change these rules but clarifies how they should be operationalized.

Much of the focus is on scope. The Commission provides detailed interpretation of when software is “placed on the market” and how integrated hardware/software products are treated as a single product—a distinction of particular relevance for digital supply chains.

Regarding open source, the CRA already defines concepts such as “open-source software stewards.” The guidance builds on this by drawing practical boundaries between non-commercial activity (generally out of scope) and monetized models that trigger full obligations.

It also provides granular direction on “substantial modifications,” confirming that not all software updates reset compliance, but risk-relevant changes will.

What’s next?

The draft guidelines were open for consultation until April 13, 2026, and the Commission is now expected to move towards formal adoption.

National authorities across the EU will likely rely heavily on this non-binding guidance to ensure consistent enforcement, particularly given the CRA’s reliance on risk assessments and technical documentation. However, divergence risks remain where interpretation leaves room for discretion.

In the meantime, companies should treat the draft guidance as a near-final benchmark: mapping products, software update practices, and open-source dependencies against these interpretations will be critical ahead of the CRA’s application in 2027.


Germany

12. KRITIS Umbrella Act: Germany’s New Critical Infrastructure Resilience Framework Enters into Force

On March 12, 2026, Germany’s KRITIS Umbrella Act (KRITIS-Dachgesetz) entered into force, establishing a comprehensive legal framework for the protection and resilience of critical infrastructure across sectors. The Act complements existing cybersecurity legislation, in particular the revised BSI Act implementing the NIS2 Directive, and broadens the regulatory focus to include physical resilience and cross-sector risk management.

What’s new?

The KRITIS Umbrella Act introduces harmonized requirements for operators of critical infrastructure aimed at enhancing resilience against a wide range of risks, including natural disasters, technical failures and malicious acts. The Act applies across multiple sectors, such as energy, transport, health, water, food, and digital infrastructure, and aligns Germany’s framework with the EU Critical Entities Resilience (CER) Directive (see also our Q1 2023 update).

In-scope entities are required to implement comprehensive risk management measures, conduct regular risk assessments and maintain business continuity and crisis management capabilities. They must also report significant disruptions to the competent authorities. The Act further provides for closer coordination between federal and state authorities and establishes clearer supervisory structures.

Compared to the previous sector-specific approach, the new framework introduces more consistent and, in part, more stringent obligations, particularly regarding documentation, preparedness, and cooperation with authorities.

What’s next?

Operators of critical infrastructure must register with the competent authority within three months of an installation qualifying as a critical facility, but no earlier than July 17, 2026. Businesses should therefore assess at an early stage whether they fall within the scope of the Act and prepare to meet the registration requirement, alongside reviewing and, where necessary, updating their risk management and resilience measures.


We are grateful to the following member(s) of MoFo’s European Digital Regulatory Compliance team for their contributions: Felicitas Lampe and Mireille Thierfelder, Berlin office research assistants.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.