European Digital Compliance: Key Digital Regulation & Compliance Developments

To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the third quarter of 2024.

This report follows our previous updates on European digital regulation and compliance developments for 2021 (Q1, Q2, Q3, Q4), 2022 (Q1, Q2, Q3, Q4), 2023 (Q1, Q2, Q3, Q4), and 2024 (Q1, Q2, Q3, and Q4).

In this issue, we report on key developments in the EU and UK, highlighting significant digital regulatory updates and consultations. The EU continues its ambitious digital agenda with the final expert report on B2B data sharing under the Data Act, public consultations on the proposed “AI Continent” Cloud Act, and a review of the EU Cybersecurity Act. We also cover fresh guidance under the AI Act for general-purpose AI (GPAI) models and the latest updates to the Digital Operational Resilience Act (DORA). In the UK, key developments include implementation of the new consumer enforcement regime under the DMCCA, Online Safety Act enforcement updates, and progress in cybersecurity reform. From Germany, we report on the long-awaited signing of the Interstate Treaty on Youth Media Protection, the new cookie consent ordinance now in effect, and the digital compliance implications of the new coalition agreement.

EU

1. Data Act: Final report of COM Expert Group on B2B Data Sharing and Cloud Computing Contracts Published

2. Cloud Act: Public Consultation on the EU “AI Continent – New Cloud and AI Development Act”

3. EU Cybersecurity Act Under Review and Consultation

4. Navigating GPAI-Model Regulation Under the AI Act: The EU’s Updated Draft Code of Practice and New Guidelines

5. DORA Updates

UK

1. Online Safety Act Developments

2. The New Consumer Enforcement Regime Under the DMCCA Takes Effect

3. The Latest in UK Cyber Developments

Germany

1. New Interstate Treaty on Youth Protection in the Media Has Finally Been Signed

2. German Cookie Consent Management Ordinance Entered into Force

3. The New German Coalition Agreement and Its Impact on Digital Compliance Initiatives

EU

1. Data Act: Final Report of COM Expert Group on B2B Data Sharing and Cloud Computing Contracts Published

On 2 April 2025, the European Commission’s Expert Group on B2B Data Sharing and Cloud Computing Contracts published its final report, containing guidelines and model contractual terms (MCTs) for data sharing and standard contractual clauses (SCCs) for cloud computing contracts. Both MCTs and SSCs are non-binding in nature and aim to facilitate the implementation of the Data Act, whose provisions will largely apply from 12 September 2025.

What’s New?

The MCTs cater to various relationships, e.g., data holders and users or data holders and data recipients, and are crafted to align with the Data Act’s goals of boosting data availability while upholding protection measures. They also address key aspects such as compensation for data use and sharing, as well as outlining remedies for the involved parties. Importantly, the MCTs are intended to be considered alongside other relevant legislation, including, e.g., the Data Governance Act and the Trade Secret Directive. While applicable in both B2B and B2C contexts, the report notes that additional provisions might be necessary to ensure adequate consumer protection in B2C relationships. Moreover, the MCTs do not prejudice existing rights and obligations under EU and national law, notably the GDPR. Thus, parties should pay particular attention when sharing mixed datasets or personal data.

The SCCs for cloud computing contracts are designed for service agreements between cloud providers and their customers. These SCCs address critical contractual elements, including, e.g., switching and exit, termination, and security and business continuity obligations. Unlike the standalone MCTs, these SCCs are intended to be integrated into broader service agreements.

What’s Next?

This final report from the Expert Group now serves as the foundation for an upcoming Commission Recommendation, addressing both MCTs and SCCs.

Back to Top

2. Cloud Act: Public Consultation on the EU “AI Continent – New Cloud and AI Development Act”

The European Commission unveiled the AI Continent Action Plan in April, aiming to position the EU as a global leader in AI and promote the development and deployment of AI solutions that ultimately benefit society and the economy. Central to this strategy is the proposal of the EU Cloud and AI Development Act, which was launched for public consultation at the same time; the consultation period will end on 4 June 2025.

What’s New?

The EU Cloud and AI Development Act is one of the headline digital policies outlined in the 2025 Competitiveness Compass, particularly as the EU currently lags behind the U.S. and China in terms of available data center capacity. Indeed, previous projections (especially the Draghi Report; see our Q3 2024 coverage) have indicated a significant gap between Europe’s current computing capacity and its future AI needs. Therefore, the Act aims to tackle the current unfavorable conditions for the private sector and close this capacity gap. To do this, the Act is seeking to prioritize highly sustainable solutions and develop sufficient cloud and high-performance computing infrastructure to meet the growing demands of modern AI technologies. Moreover, the European Commission is considering actions to increase the secure processing capacity of EU-based cloud providers, namely by requiring that certain critical use cases can only be operated using highly secure, EU-based cloud capacity.

For now, the European Commission is asking for feedback from a variety of stakeholders, including financial institutions, investors, digital infrastructure funds, cloud providers, data center operators, and AI developers.

What’s Next?

After the evaluation of the consultation feedback, the European Commission aims to adopt a legislative draft of the Cloud and AI Development Act in Q4 2025.

Back to Top

3. EU Cybersecurity Act Under Review and Consultation

The EU Cybersecurity Act (CSA) was adopted in 2019 to grant a permanent mandate to ENISA – the EU’s cyber agency – and also establish the European Cybersecurity Certification Framework (ECCF). Since then, the role of ENISA has evolved following numerous pieces of cybersecurity legislation that have come into force and the European Commission has even acknowledged that the ECCF has room for improvement.

What’s New?

The European Commission has opened a consultation to revise and simplify the CSA. As part of this process, the European Commission is considering the following changes to the CSA:

• Streamlining reporting obligations and potentially simplifying cybersecurity measures;
• Addressing ICT supply chain security challenges, including non-technical risk factors, to strengthen supply chain security;
• Amending the mandate of ENISA to reflect its tasks under other cybersecurity legislation; and
• Clarifying the framework under the ECCF and formalizing procedures regarding the maintenance phase of certification schemes.

What’s Next?

To better inform its review of the CSA, the European Commission has invited various stakeholders to provide their opinions on: (i) the areas of revision for the current ENISA mandate and current ECCF; (ii) the challenges related to ICT supply chain security; and (iii) the need to simplify cybersecurity measures and reporting obligations.

Interested parties have until 20 June 2025 to share their views via the portal or survey.

Back to Top

4. Navigating GPAI-Model Regulation Under the AI Act: The EU’s Updated Draft Code of Practice and New Guidelines

Following the release of the first and second draft in November and December 2024 (see our Q4 update), the European AI Office published the third draft of the General-Purpose AI Code of Practice (the CoP) on 11 March 2025. Not long after, on 22 April 2025, the European Commission launched a multi-stakeholder consultation and published preliminary GPAI guidelines (the “Guidelines”).

These two guidance documents address complementary aspects of the regulation of general purpose AI (GPAI) models: while the CoP clarifies how providers should meet their obligations under Articles 53 and 55 of the EU AI Act, the Guidelines specifies who will be subject to these obligations in the first place.

What’s New?

By incorporating feedback to the second draft CoP, the third draft is drafted in a more transparent and practical manner, setting out nuanced commitments for GPAI model providers that are better aligned with the AI Act’s obligations. Key elements include:

• A removal of all key performance indicators and instead clearer reporting commitments;
• The introduction of a user-friendly Model Documentation Form within the CoP; and
• A reduction in provider obligations to make publicly available model documentation and copyright policy and to mitigate copyright infringement risks.

The Guidelines provide clarifications on:

• Key definitions, including what constitutes a GPAI model, who qualifies as a provider, and when downstream modifications trigger new compliance obligations; and

• The impact of adhering to the CoP. Providers who sign up to the CoP will benefit from a streamlined enforcement approach by the European Commission, while non-signatories must demonstrate effective alternative compliance measures and may therefore be subject to increased scrutiny.

What’s Next?

Feedback on the Guidelines can be submitted until 22 May 2025. The final versions of both the CoP and the Guidelines are expected to be published in May/June 2025. The obligations for providers of GPAI models will start applying from 2 August 2025 (subject to exceptions for GPAI models already on the EU market by this date).

Back to Top

5. DORA Updates

The EU’s Digital Operational Resilience Act (DORA) became fully applicable on 17 January 2025. Relevant financial entities in the EU – including banks, insurers, and investment firms – and their third-party ICT service providers are now required to implement ICT risk management, resilience testing, and third-party risk management provided by DORA.

Delegated and Implementing Regulation

During Q1, the European Commission adopted additional regulations to supplement DORA, confirming further regulatory technical standards (RTS) and implementing technical standards (IST) that organizations must adhere to:

• Delegated Regulation (EU) 2025/301: RTS on the content and time limits for initial notification for major ICT-related incidents and the contents of intermediate and final reports. The regulation also provides the content of the voluntary notification for significant cyber threats.
• Implementing Regulation (EU 2025/302): ITS on standard forms, templates regarding reporting a major ICT-related incident and notification of a significant cyber threat.
• Delegated Regulation (EU) 2025/420: RTS on criteria for determining the makeup of a joint examination team.

However, two bits of further regulation remain unenforced as of 12 May 2025:

• Delegated Regulation C(2025) 885: Draft RTS for threat-led penetration testing. Although initially adopted on 13 February 2025, the regulation was subject to a correction on 10 April.
• Delegated Regulation C(2025) 1682: Draft RTS on what relevant entities must assess when subcontracting ICT services supporting critical or important functions. The regulation was adopted by the European Commission on 24 March 2025.

Additional Updates

The Eurosystem updated its framework for threat intelligence-based ethical red-teaming (TIBER-EU framework) to algin with the RTS for threat-led penetration testing, providing detailed guidance on how to complete such testing and encouraging authorities to implement the TIBER-EU framework.

The European Supervisory Authorities (ESAs) are also advancing the implementation of a framework overseeing “critical ICT third-party service providers” (CTPPs). The ESAs announced that they will collect a register of information and determine which providers qualify as CTPPs under DORA before providing oversight. CTPPs will be subject to enhanced oversight (consistent with the current position under DORA), as well as additional rules and costs.

What’s Next

The outstanding Delegated Regulations are expected to be enforced in the coming months, provided both the European Parliament and EU Council do not object to the proposals.

The ESAs expect to notify CTPPs of their status by the end of July 2025. Designation will trigger a six-week period in which providers may object.

Back to Top

UK

1. Online Safety Act Developments

The UK Office of Communications (“Ofcom”) has recently launched enforcement programmes that aim to assess industry compliance with the illegal harm duties under the Online Safety Act 2023 (OSA). Additionally, Ofcom finalized children’s safety measures on the 24 April 2025, following their consultation on the matter that concluded in July 2024.

• Enforcement programmes – Service providers had until 16 March 2025 to complete their illegal harms risk assessment. Their duties under the OSA relating to illegal harms came into force on 17 March 2025, which means platforms are now required to implement appropriate measures to deal with illegal content. In particular, Ofcom identified sharing of child sexual abuse material (CSAM) on file-sharing and file-storage services to be an area of priority. Ofcom has recently launched two enforcement programmes to monitor service providers’ compliance with these duties and recordkeeping, and providers’ duty to protect users encountering CSAM.
• Children’s online safety regime – Ofcom has published the Protection of Children Codes of Practice (the “Codes”) and final guidance that sets out how service providers can protect their users from illegal content and harmful content for children. Service providers were asked to undertake a children’s access assessment by 16 April 2025. Those that concluded their service was likely to be accessed by children are now required to complete a children’s risk assessment by 24 July 2025. After this date, the Codes will become enforceable, provided they receive approval from Parliament, and providers will be required to implement the safety measures set out in the Codes.

What Else Is New?

• The Online Safety Act 2023 (Category 1, Category 2A and Category 2B Threshold Conditions) Regulations 2025 came into force on 27 February 2025. The Regulations establish the thresholds for when in-scope services become “categorized services” which are then subject to additional obligations under the OSA.
• Ofcom launched an investigation into whether a provider of an online suicide forum had failed to comply with its duties under the OSA to protect its users from illegal content. This is the first investigation of this kind under the OSA. Ofcom has previously stated that it would first focus on ensuring providers were able to comply with their new duties under the OSA; however, because the service provider did not adequately engage with Ofcom’s request to provide information, Ofcom decided to launch an investigation.

What’s Next

A consultation on draft guidance on measures to improve women and girls’ safety online is currently open and will close on 23 May 2025, with publication of the final guidance expected at the end of the year. This guidance (which Ofcom is required to finalize and issue) will set out how regulated service providers can take action against harmful content and activity that disproportionately affects women and girls.

Back to Top

2. The New Consumer Enforcement Regime Under the DMCCA Takes Effect

We covered the new timelines, considered regulations and proposed guidance in our last update on the the UK’s Digital Markets, Competition and Consumers Act (DMCCA). But now, the moment has finally arrived and certain consumer aspects of the DMCCA have come into force!

For a summary of the DMCCA, please refer to our updates covering its infancy as a bill and as it passed into law. Since our last update, the Minister for Employment Rights, Competition and Markets has issued a statement setting out the UK government’s DMCCA implementation timeline, and consultations from each of the UK Competition & Markets Authority (CMA) and the Department for Business and Trade (DBT) have closed.

What’s New?

On 6 April 2025, the consumer law enforcement regime and unfair commercial practices regime – Part 3 and Part 4, Chapter 1 of the DMCCA – began to take effect. As a reminder, under Part 3 of the Act, the CMA has new direct powers to enforce consumer protection law. This has been introduced alongside a court-based enforcement regime which gives the courts power to impose remedies after receiving applications from the CMA and other authorized enforcers.

With this, the UK CMA has published various updates and guidance, which have been refined by consultations:

• CMA58: Guidance on the enforcement of consumer protection.
  
  Provides a high-level summary of the regime and setting out the various powers held by the CMA and civil enforcers.
• CMA200: Guidance on the direct consumer enforcement regime.
  
  Sets out the CMA’s powers and how it will approach judgments and fines.
• CMA207: Guidance on unfair commercial practices.
  
  Provides practical guidance on the core concepts underpinning unfair commercial practices, such as misleading actions/omissions and the 32 banned practices.
• CMA208: Guidance on fake reviews.
  
  Provides practical guidance on the newly banned practice of submitting, commissioning, publishing or procuring fake reviews or concealed incentivized reviews.
• The CMA’s approach to consumer protection.
  
  Sets out the CMA’s strategy to enforcing the DMCCA, especially in the first 12 months.

What’s Next?

The CMA has stated that, over the next year, it will target conduct that is the most harmful to consumers, and that represents clear infringements of the law. In light of the enhanced enforcement regime and limited case law available, the CMA also plans to engage with businesses to further develop guidance to assist with compliance.

So, what is an ‘enhanced enforcement regime’? It’s a big boost to the CMA’s powers, which now include information-gathering abilities, investigations, the ability to procure compliance and sanctions. What’s more, these powers are backed by significant fines:

• 10% of global annual turnover for businesses* in relation to breaches of consumer protection laws;
• 5% of a business’* annual global turnover for breaches of undertakings and directions (don’t forget the additional daily penalties for continued non-compliance); and
• 1% of a business’* annual global turnover for non-compliance with information notices (and, again, additional daily penalties for continued breaches).

*(Separate limits apply to individuals.)

For the other key dates, see our last update for further information.

Back to Top

3. The Latest in UK Cyber Developments

The UK government announced its intention to strengthen the UK’s cyber defences and critical industry resilience in the July 2024 King’s Speech. As a result, the first quarter of 2025 has seen a variety of proposals and measures released in support of this goal.

Addressing Cyber Threats

A public consultation on measures to address ransomware was run from January to April. Proposals included a ban on ransomware payments by public sector bodies and critical infrastructure operators, mandatory incident reporting within 72 hours, and a “payment prevention regime” requiring victims to notify authorities prior to any ransom payment. The Home Office is expected to release a response paper in due course.

The government has also published a Policy Statement setting out details regarding its proposed Cyber Security and Resilience Bill. The key proposals include increasing the number of regulated entities, introducing stricter cyber incident reporting requirements and enhancing the role of regulators, with particular focus on the digital service sector and general cost-recovery and enforcement. These echo the oversight powers given to UK financial regulators in January to regulate services critical to banks.

The UK’s legislative approach is purposefully similar to the EU’s NIS2 Directive, aiming to align the UK’s cyber security and resilience with that of its continental neighbours, whilst maintaining flexibility for UK-specific threats. It is therefore likely that changes to legislation will be influenced by what happens in this space in the EU.

Best Practice Guidance

The Department for Science, Innovation and Technology (DSIT) has published an AI Cyber Security Code of Practice, covering baseline security requirements through the life of an AI system. The Code has been developed with the intention that it will form the basis of a new global standard for secure AI through the European Telecommunications Standards Institute.

Similarly, the DSIT has also published a Cyber Governance Code of Practice, outlining the cyber governance actions for which directors are responsible and which form part of a government support package for both public and private organizations. Organizations should be aware that the Code is “the foundational code” in the DSIT’s wider collection of cyber security codes of practice.

Both codes are entirely voluntary but provide practical steps that are likely to be considered as important benchmarks by regulators going forward. Both are further supported by implementation guidance, which can be found here (AI) and here (Cyber Governance).

What’s Next?

The Cyber Security and Resilience Bill will be presented to Parliament later this year.

Back to Top

Germany

1. New Interstate Treaty on Youth Protection in the Media Has Finally Been Signed

What’ s New?

On March 31, 2025, the German Federal States signed the final version of their revision of the German Youth Protection State Treaty. The draft sparked controversies with the European Commission concerning its compatibility with fundamental principles of the e-Commerce Directive and the Digital Services Act (DSA) (see our Q1, 2024 update).

Under the revised Treaty, in-scope operating systems will now have to set up a parental control mechanism that allows parents to set a device-wide age level, blocking access to and installation of apps with an age rating higher than that age level. To facilitate this mechanism, the relevant propriety app store must collect age ratings for all available apps. The parental control mechanism must also deactivate app installations from non-system app stores, noting that the final draft now permits such third-party app stores if they have a similar age-rating mechanism.

Apps that have their own built-in youth protection mechanisms approved by a recognized self-regulatory body are privileged, as these apps must be made available regardless of the OS-level age setting.

What’s Next?

Once ratified by the German Federal States, the new provisions of the revised German Youth Protection State Treaty are set to take effect on December 1, 2025, with varying compliance deadlines for the newly introduced obligations. Concurrently, the question remains whether the European Commission will continue to view the Treaty as infringing upon the e-Commerce Directive or the DSA, potentially leading to an infringement procedure against Germany before the European Court of Justice, as discussed in our Q2, 2024 update.

Back to Top

2. German Cookie Consent Management Ordinance Entered into Force

What’s New?

The Germany’s Cookie Consent Management Ordinance (Einwilligungsverwaltungsverordnung, or EinwV) came into force on 1 April 2025 and aims to simplify how users manage their cookie preferences across digital services. EinwV allows users to make their choices once, reducing the need for repetitive consent requests. Consent management services, often referred to as Personal Information Management Systems (PIMS), interact with websites or cookie banners to convey user preferences and provide this information to digital services upon request. This approach also aims to reduce the presence of cookie banners, which are often seen as annoying or disruptive. PIMS providers can seek recognition from the Federal Data Protection Commissioner by submitting an application and a security concept that meets specific requirements, as outlined in Sec. 10 EinwV.

The German Consent Management Ordinance is based on Sec. 26(2) of the Telecommunications Digital Services Data Protection Act and is designed to enable the central management of consent across websites and devices. The intention is to make individual cookie consent banners redundant by utilizing “recognized consent management services.” These services are expected to offer a more efficient and user-friendly alternative to traditional cookie banners.

Voluntary Implementation

The ordinance applies to both PIMS providers and digital services. However, digital services have the discretion to decide whether to integrate these recognized consent management systems, as stated in Sec. 18(1) EinwV. The management includes storing, transmitting and revoking user settings, as specified in Sec. 2(1) No. 1 EinwV.

Key Responsibilities

Recognized consent management service providers must store users’ cookie preferences to prevent repeated consent requests on the same service, such as those that occur when a service is used for the first time or when previously unmanaged information is requested (Sec. 3(1) EinwV). As stated in Sec. 3(2) EinwV, before consent is managed, users must be informed about who is responsible for data storage, what data is stored, how long data is stored and why the data is stored. This information should be easily accessible and exportable (Sec. 3(2) EinwV). Consent and the underlying information must be documented and made easily accessible (Sec. 3(3) EinwV).

User-friendly features should be implemented. The user interface must be transparent and understandable, enabling users to make free and informed decisions (Sec. 4 EinwV).

What’s Next?

Since the implementation of the Cookie Consent Management Ordinance is voluntary, significant changes are not anticipated. If Sec.25(2) of the TDDDG is already being adhered to, the ordinance will not introduce anything new. Additionally, it is unlikely that existing consent management providers will be replaced, as this involves a different area altogether.

Back to Top

3. The New German Coalition Agreement and Its Impact on Digital Compliance Initiatives

Elections held on 23 February 2025, following the collapse of the German government as reported in our Q4 2024 update, have led to the recent formation of a new coalition government. The newly published coalition agreement has set the stage for significant developments in the area of digital compliance, providing some clarity on the digital regulatory initiatives that the future German government will prioritize.

What’s New?

On 9 April 2025, the new government’s coalition agreement was published, establishing the foundation for the government’s work in Germany while outlining its political objectives. With the new coalition agreement in place, the German government has laid out a comprehensive plan to push legislation forward in several digital compliance areas, enhancing the regulatory framework governing digital activities. Key initiatives include:

• Amendment of the BSI-Act: As part of the implementation of the NIS-2 Directive, the government intends to amend the German Federal Office for Information Security Act (“BSI-Act”). The former parliamentary procedure for this initiative, attempting to enact an NIS-2 Implementation and the Cybersecurity Strengthening Act, was interrupted due to the early elections, causing further delay.
• KRITIS Umbrella Law: A KRITIS umbrella law, which is expected to regulate the resilience and security of critical infrastructures and impose additional obligations on operators of critical facilities, is set to be enacted soon.
• Centralization of Data Protection Supervision: The coalition agreement proposes the reform and centralization of data protection supervision under the Federal Data Protection Commissioner, ensuring consistent enforcement across the country.
• Alignment with the Digital Services Act: Plans are in place to align the Act for the protection of minors with the DSA and the Interstate Treaty on the Protection of Minors from Harmful Media. The alignment seeks to create a consistent legal framework across Europe, the federal government, and the states, thereby eliminating parallel structures and enabling effective legal enforcement.
• Digital Protection Against Violence Act: Another measure brought forward by the coalition agreement is the introduction of a Digital Protection Against Violence Act, aiming to improve the legal status of affected individuals. This will also require platforms to provide interfaces to law enforcement agencies for the automated and rapid retrieval of relevant data.

What’s Next?

As the new government begins to function, it remains to be seen whether the implementation of the discussed digital regulatory initiatives will build upon previous drafts and proposals of the former government. The published coalition agreement confirms that the intended legislation of the new government will involve significant changes in digital compliance requirements for a wide range of companies.

Back to Top

We are grateful to the following member(s) of MoFo’s European Digital Regulatory Compliance team for their contributions: Angus Irving and Jane Xiu, London office Trainee Solicitors; and Lotta Ströhlein, and Felicitas Lampe, Berlin office Research Assistants.