European Digital Compliance: Key Digital Regulation & Compliance Developments

To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the second quarter of 2025.

This report follows our previous updates on European digital regulation and compliance developments for 2023 (Q1, Q2, Q3, Q4), 2024 (Q1, Q2, Q3 and Q4) and 2025 (Q1).

In this issue, we highlight new and proposed laws in the EU and UK relating to digital network infrastructure management, e-commerce and trade modernization, and automated vehicles, as well as roundups of key updates on major frameworks such as the EU AI Act, EU NIS2, EU DORA, and the UK Online Safety Act.

EU

1. Digital Networks Act: The Road to the EU Commission’s Proposal

2. Revising the Union Customs Code to Target e-Commerce and Trade Modernization

3. Updates on the EU AI Act

4. DORA Settles Down: A General Update on Recent Developments

5. NIS2: Guidance on Implementing Regulations and Member Statement Implementation

6. Digital Decade Check-in: How Far Has the EU Come?

UK

7. The UK Online Safety Act is in Full Swing: An Overview of Latest Updates

8. The UK Forges a New Path in its Data Protection Framework: The Data (Use and Access) Act 2025

9. The UK Government Progresses Reforms Regarding the Safety and Marketing of Automated Vehicles

Germany

10. Cybersecurity Compliance: The Latest German Draft NIS2 Implementation

11. The Draft Digital Media State Treaty Is Here

EU

1. Digital Networks Act: The Road to the EU Commission’s Proposal

The upcoming Digital Networks Act aims to update the EU’s current electronic communications regulatory framework by replacing the 2018 European Electronic Communications Code (EECC) with a more harmonised and future-proof structure. This reform is the EU’s response to several mounting challenges and seeks to better align regulation with the fast-evolving digital landscape.

What’s New?

Following a public consultation in 2023, the EU Commission (Commission) published a white paper on How to Master Europe’s Digital Infrastructure Needs? in February 2024 (White Paper). Alongside insights from the Letta, Draghi, and Niinistö reports, the White Paper identified key challenges:

• adapting to rapid technological and economic developments, such as in cloud computing and artificial intelligence;
• addressing substantial investment needs in digital infrastructure;
• overcoming a fragmented internal market, which hinders fast roll-out and economies of scale;
• reducing technological and economic dependency on foreign suppliers; and
• tackling growing geopolitical and cybersecurity risks.

To meet these challenges, the Commission now proposes a range of measures in its call for evidence paper, including:

• accelerating fibre network deployment and implementing copper switch-off plans;
• streamlining spectrum licensing; and
• simplifying and harmonizing authorization and access regulation.

What’s Next?

The stakeholder consultation period closed on 11 July 2025. The Commission is expected to publish its proposal for the Digital Networks Act in Q4 2025. Following legislative scrutiny and trilogue negotiations, adoption is to be expected in 2026, with implementation and compliance deadlines likely extending over the years that follow.

Back to Top

2. Revising the Union Customs Code to Target e-Commerce and Trade Modernization

The EU is taking significant steps to revise the Union Customs Code (UCC) to address emerging challenges and modernize customs procedures, particularly in response to the dramatic increase in e-commerce transactions.

What’s New?

As e-commerce transactions continue to grow at an unprecedented rate, customs authorities are finding themselves increasingly challenged by the influx of low-value consignments being shipped individually from third countries to consumers within the EU – and the EU considers that reform is needed.

Key features of the revised draft UCC include the centralization of functions within the EU Customs Authority, enhanced access to, and processing of, data through the establishment of an EU Customs Data Hub, and – perhaps, most importantly – the adaptation of customs legislation to accommodate e-commerce transactions. The proposed changes include:

• Online Platforms to Be Treated as Official Importers: The reallocation of customs responsibilities to online platforms, which will be treated as the official importers of the goods they sell in the EU. This means that platforms, rather than individual consumers, will be responsible for ensuring compliance with customs obligations, allowing consumers to receive parcels without unexpected fees or paperwork.
• Eliminating the EUR 150 Customs Duties Threshold: The abolition of the exemption for goods valued under EUR 150, a provision that has been exploited by fraudsters through undervaluing and splitting consignments. Approximately 65% of e-commerce consignments are undervalued to avoid customs duties.
• Simplified Customs Calculations: The introduction of a simplified method for calculating import duties on low-value goods sold via distance sales, easing the processing of the estimated one billion e-commerce parcels entering the EU each year.

What’s Next?

In June 2025, the EU Council adopted its negotiating mandate on a core element to reform the EU customs framework, paving the way for trilogue negotiations with the Commission and the EU Parliament. Pending agreement and final legislative approval, the abolition of the customs exemption threshold is expected to take effect in March 2028. However, the success and timeline of the reform’s implementation will depend heavily on the negotiation outcomes.

Back to Top

3. Updates on the EU AI Act

The EU AI Act continues to keep organizations busy with ongoing updates. On 10 July 2025, the final version of the General-Purpose AI Code of Practice (Code) was published. It refines and streamlines previous drafts to clarify expectations for providers of general-purpose AI (GPAI) models under the EU AI Act. Though voluntary, the Code may serve as a recognized compliance tool if formally endorsed by EU institutions. Complementing the Code, the Commission issued guidelines on 18 July 2025 to clarify to whom the Code obligations apply, and how they should be fulfilled.

What’s New?

The Commission’s guidelines within the Code introduce clear technical criteria to (i) identify GPAI models, (ii) distinguish between minor and significant model modifications to define who qualifies as a provider, and (iii) set conditions for open-source exemptions. These elements are intended to support compliance while maintaining flexibility for innovation.

The Code sets baseline obligations for all GPAI model providers, focusing on three main areas: transparency, copyright, and safety and security for systemic-risk models. Legal language has been refined throughout for clarity and consistency.

• The transparency chapter introduces a standardized documentation form capturing essential details such as training data sources, intended use, and model characteristics. Safeguards protect trade secrets and define response timelines for requests from regulators and downstream providers.
• In accordance with the copyright chapter, providers must implement a unified policy across all models placed on the EU market. This includes respecting machine-readable rights reservations, excluding infringing data sources, and meeting specific duties for open-source models.
• For systemic-risk models, the Code establishes a full-lifecycle safety and security framework. Providers must define tailored security goals, perform structured risk assessments, implement safeguards, and monitor for incidents after deployment.

What’s Next?

Looking ahead, the Commission and Member States will review the Code by 2 August 2025 and may approve it via an adequacy decision. If adopted through an implementing act, the Code would gain general validity, serving as a recognized method for demonstrating compliance, though not establishing a legal presumption of conformity.

Starting on 2 August 2025, GPAI model providers must comply with the EU AI Act for models placed on the market thereafter. Systemic-risk models must be reported to the AI Office. Enforcement powers begin in August 2026, and all models placed on the market before August 2025 must comply by August 2027.

Back to Top

4. DORA Settles Down: A General Update on Recent Developments

Since the EU’s Digital Operational Resilience Act (DORA) came into force at the beginning of 2025, financial entities have been putting into place compliance regimes and seeking to renegotiate their relationships with their ICT service providers.

While financial institutions have previously had to comply with broad EU cybersecurity requirements, DORA raises the bar by introducing even more prescriptive management liability and additional ICT risk management and contracting elements (see our client alert on understanding DORA for financial institutions). This has caused a downstream effect, with ICT service providers facing contract remediation and confusion regarding their classification under DORA (see our client alert for myth busting on this topic).

What’s New?

Throughout July 2025, a suite of regulatory technical standards (RTS) has come into force, rounding out the regime put in place by the European Supervisory Authorities (i.e., the European Banking Authority (EBA), the European Insurance and Occupational Pension Authority (EIOPA), and the European Securities & Markets Authority (ESMA); together, the ESAs).

Most recently, the RTS on subcontracting ICT services “supporting critical or important functions” (CIF) came into force on 22 July 2025. These RTS are contained in Commission Delegated Regulation (EU) 2025/532. They specify the conditions and the criteria to be taken into account by financial entities when subcontracting ICT services supporting CIF throughout the lifecycle of contractual arrangements between financial entities and ICT service providers. The EC had rejected the previous draft of these RTS. As a result, the finalized RTS are less rigorous than previously anticipated – in particular, the requirement to monitor subcontracting chains was deemed out of scope of DORA Article 30(5) and removed.

Additionally, the RTS on threat-led penetration testing (TLPT) came into force on 8 July 2025, and is contained in the Commission Delegated Regulation (EU) 2025/1190 (see the RTS). The RTS set out criteria for identifying financial entities required to conduct TLPT, its methodology, scope and process, as well as how it will be supervised.

What’s Next?

Financial entities and ICT service providers have likely been digesting these RTS. Now, interested parties are watching carefully to see how the enforcement regime takes shape. In particular, the Commission has not yet published the list of ICT service providers deemed as “critical” providers. Critical ICT service providers will be subject to a regulatory oversight regime; the first designations by the ESAs are expected in the second half of 2025. ICT service providers designated as such will have until around mid-September to dispute their categorization.

Back to Top

5. NIS2: Guidance on Implementing Regulations and Member Statement Implementation

Since our last NIS2 update in Q4 2024, which covered the Commission’s draft implementing regulations (IR) on cybersecurity risk management measures and reporting obligations, ENISA has published its technical guidance on the IR (Technical Guidance). The Commission has also cranked up its oversight of the regime by taking action against 19 Member States for failing to notify it about full transposition of the NIS2 Directive into national law.

What’s New?

The Technical Guidance was published on 26 June 2025 and offers non-binding guidance to in-scope NIS2 entities on the following areas:

1. Security for network and information systems;
2. Risk management;
3. Incident handling;
4. Business continuity and crisis management;
5. Supply chain security;
6. Security in network and information systems’ acquisitions, developments, and maintenance;
7. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
8. Basic cyber hygiene practices and security training;
9. Cryptography;
10. Human resources security;
11. Access control;
12. Asset management; and
13. Environmental and physical security.

ENISA concurrently issued guidance to further help organizations meet their NIS2 obligations, specifically regarding cybersecurity roles and skills. The guidance maps NIS2 obligations to the European Cybersecurity Skills Framework (ECSF) role profiles.

In relation to implementation, many Member States have still not transposed the NIS2 Directive into national law. This delay has not gone unnoticed by the Commission, which sent a reasoned opinion on 7 May 2025 to 19 Member States – namely, Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Ireland, Latvia, Luxembourg, the Netherlands, Poland, Portugal, Slovenia, Spain, and Sweden. These Member States had two months to respond and take necessary measures to address their failure to notify the Commission that they had completed transposition of the NIS2 Directive. Interestingly, the Commission explicitly flagged that it could refer cases to the Court of Justice of the European Union if Member States do not respond appropriately to its notification.

What’s Next?

We continue to monitor the developments of Member State implementation, which can be found on our implementation tracker.

Back to Top

6. Digital Decade Check-in: How Far Has the EU Come?

With 2025 marking the halfway point of the EU’s Digital Decade, the Commission has published its annual report on the State of the Digital Decade (SDD Report). The SDD Report identifies areas of improvement and challenges for EU countries in meeting their Digital Decade targets, and its publication on 16 June 2025 was also accompanied by an overview factsheet, as well as summaries and full reports for each of the 27 EU countries.

What’s New?

The SDD Report highlighted various digital weaknesses and identified excessive dependencies in the EU, including:

• risks relating to quantum technologies and research security;
• the EU’s lack of significant domestic semiconductor manufacturers and foundational AI model development, which is predominantly driven by the U.S.; and
• over-reliance on non-EU satellite systems and international card schemes.

In response to the Special Eurobarometer survey, additional issues were also identified as areas of concern for Europeans. This survey flagged the protection of children online, support of EU companies by public authorities, increasing research and innovation, and digitalization of daily services as particular topics for consideration.

What’s Next?

The EU will continue to enact its Digital Decade Policy Programme. The Commission has identified specific next steps as part of its upcoming plan to achieve digital transformation. These steps were set out in the Commission’s overview factsheet and included:

• adopting a “28th regime” for innovative companies to benefit from a single set of harmonised rules;
• revising the Cybersecurity Act to address security challenges in the ICT supply chain;
• introducing a Quantum Act and Quantum Strategy;
• adopting a Digital Networks Act to reduce regulatory burden and strengthen competition (see our comments on this above); and
• presenting a Cloud & AI Development Act to increase the number of EU data centres with a low climate footprint.

Further updates on the EU’s digital progress can be expected next year as part of the Commission’s 2026 SDD Report.

Back to Top

UK

7. The UK Online Safety Act is in Full Swing: An Overview of Latest Updates

While providers of user-to-user (U2U) and search services have been busy this year digesting the various codes of practice on issued by the UK’s Office of Communications (Ofcom), the regulator has been equally busy in proposing updates and improvements to such guidance.

The much-debated Protection of Children Code of Practice for U2U services came into force in July 2025, following the Illegal Harms Code of Practice in March 2025. However, there’s always room for improvement, and Ofcom is now consulting on additional safety measures to incorporate user safety into service design, in light of the government’s final Statement of Strategic Priorities for online safety (SSP).

What’s New?

The SSP sets out strategic priorities, which indicate the government’s focus areas in the online safety space:

• Safety by Design: Embedding of safety measures to ensure safe online experiences, especially for children, women, and girls, and tackle illegal activities like fraud, child exploitation and abuse, and illegal disinformation.
• Transparency and Accountability: Promoting industry transparency and accountability to enhance trust in services and provide safer user experiences.
• Agile Regulation: Implementing flexible regulations to address emerging harms, including AI-generated content, and increasing barriers for technologies enabling online harm.
• Inclusivity and Resilience: Developing an inclusive digital society resilient to potential harms.
• Technology and Innovation: Encouraging innovation in online safety technologies to improve user safety and drive growth.

Ofcom has opened a consultation on its resulting proposed safety measures. These aim to strengthen the existing codes of practice to meet the SSP. The themes of their proposals include:

• Stopping Illegal Content From Going Viral: Reducing the spread of illegal content by making improvements to recommender systems and crisis response protocols.
• Tackling Harms at the Source: Consulting on measures such as the use of proactive technologies to detect illegal harms before they spread.
• Affording Protections to Children: Prioritising protection for children including additional measures relating to livestreaming, highly effective age assurance processes, and interactions between users.

What’s Next?

The consultation is open until 20 October 2025, and Ofcom is seeking views from a range of stakeholders including service providers, civil society, law enforcement, and members of the public. Ofcom will annually review its work against the SSP going forward, and following the consultation, will update the various codes of practice affected.

In addition to this, the UK government, Ofcom, and service providers are anticipating the judgment of Wikimedia Foundation v DSIT, a judicial review case that was brought before the UK courts in July. This judicial review seeks to challenge the government’s categorization regulations, which determine which large services will be subject to more onerous duties and obligations. This has delayed Ofcom’s publishing of the register of categorized service providers.

Back to Top

8. The UK Forges a New Path in its Data Protection Framework: The Data (Use and Access) Act 2025

Substantial amendments to the UK’s data protection framework, as set out in the Data (Use and Access) Act 2025 (DUA Act), have started to take legal effect. In June 2025, the DUA Act received royal assent following extended debates in Parliament which significantly saw proposals regarding AI and copyright removed during its final reading.

What’s New?

Rather than overhauling the UK’s existing data protection and e-Privacy regimes, the DUA Act supplements and amends the previous framework while also containing numerous additional provisions. Some particularly noteworthy developments include:

• Automated Decision-Making: Automated decisions under Article 22 of the UK GDPR based entirely or partly on sensitive (i.e., special category) personal information will now be prohibited. Exceptions to this prohibition are aligned with the position for all automated decision-making under Article 22 of the EU GDPR (such as with explicit consent).
• Complaint Processes: Controllers must facilitate the submission of complaints (e.g., by providing online complaint forms). Controllers will also need to acknowledge complaints from individuals within 30 days and respond to such complaints without undue delay (in addition to responding to other individual rights requests).
• Cookies and Direct Marketing: The ICO can now fine a company up to £17.5 million or 4% of global turnover (whichever is larger) for non-compliance with e-Privacy requirements under the Privacy and Electronic Communications Regulations 2003. However, the DUA Act also expands the types of cookies and similar technologies that an organization can use without obtaining opt-in consent, including audience measurement/statistical cookies and cookies designed to adapt appearances or functions in accordance with someone’s preferences.
• ICO Reforms: The ICO will have the power to compel witnesses and require the production of expert reports during an investigation, and there will also be other procedural reforms to the ICO (which will become the “Information Commission”).

What’s Next?

Much of the DUA Act has not yet entered into force. It is expected that most provisions will be phased in as secondary legislation in the coming year. The UK government expects that most substantive data protection related provisions will enter into force within six months. The provisions for controller complaint processes are expected to enter into force within 12 months.

The removal of AI and copyright provisions has not resolved these issues. Under the DUA Act, the Secretary of State for the Department of Science, Innovation and Technology must publish (i) an assessment of the economic impact of the four policy option included in a Copyright and AI Consultation published in December 2024, and (ii) a report, to be brought before UK parliament, regarding the use of copyright systems in developing AI systems. These must be provided by March 2026.

Back to Top

9. The UK Government Progresses Reforms Regarding the Safety and Marketing of Automated Vehicles

The Automated Vehicles Act 2024 (AVA) received royal assent in May 2024, providing the legal framework to allow driverless vehicles onto the roads in the UK. As part of a wider programme to implement secondary legislation, the government has now published a call for evidence on the safety standards, alongside a consultation seeking views on protecting certain terms used in the marketing of automated vehicles.

What’s New?

On 10 June 2025, the government launched a call for evidence to seek views on what safety standards should be sought for automated vehicles. Through this call, they wish to understand how the safety principles may be used, how the safety standard may be described, and how safety performance could be measured.

Under the AVA, the Secretary of State for Transport is required to prepare a Statement of Safety Principles (Statement). This Statement will be used in different ways including:

• When authorization authorities carry out vehicle type approval and authorization checks (pre-deployment);
• When regulators carry out in-use monitoring and regulatory compliance checks (post-deployment); and 
• For annual assessments on the overall performance of automated vehicles. 

Alongside the call for evidence, the government opened a consultation relating to the protection of certain terms used in the marketing of automated vehicles. This aims to ensure that only automated vehicles authorised under the AVA can be marketed as such, namely those that drive themselves without being controlled or monitored by a human; it is hoped that this approach will avoid misleading consumers into thinking that their vehicles can travel autonomously.

Both the Statement and the secondary legislation protecting marketing terms will apply in England, Wales, and Scotland.

What’s Next?

The call for evidence and consultation are open until the 1 September 2025 deadline. The government is aiming to fully implement the regulatory framework in the second half of 2027.

Back to Top

Germany

10. Cybersecurity Compliance: The Latest German Draft NIS2 Implementation

Delayed in part due to the collapse of the federal government in November 2024, Germany continues to lag behind in implementing the NIS2 Directive (Directive (EU) 2022/2555), which was due in October 2024. A newly leaked draft from the Federal Ministry of the Interior (June 2025) offers a clearer picture of the future German cybersecurity landscape.

What’s New?

Similar to the NIS2 Directive, the draft legislation is expected to expand obligations for entities deemed essential or important, including robust cybersecurity risk management, mandatory incident response planning, and a new three-stage incident notification regime – with fines for breaches of up to 2% of global annual turnover.

Key changes in the new draft from previous drafts include:

• Expanded Scope of Covered Sectors: Section 2, No. 24 of the draft Act now explicitly includes additional sectors, such as Social Security, under the list of essential services.
• Minor Operations: Activities that are insignificant in relation to the overall scope of an entity’s business operations may be disregarded under Section 28(3) of the draft Act when determining its classification.
• Digital Energy Services Oversight: Section 5c of the EnW-Act is expanded to bring operators of digital energy services under the supervision of the Federal Network Agency (BNetzA).

What’s Next?

Legislative adoption is anticipated in the coming months. Meanwhile, the EU’s cybersecurity agency ENISA has published technical guidance (26 June 2025) to support implementation of the NIS2 Directive and Implementing Regulation (EU) 2024/2690 (see above under #5).

Back to Top

11. The Draft Digital Media State Treaty Is Here

In June 2025, the Broadcasting Commission of the Federal States in Germany published a discussion draft for the anticipated first part of the Digital Media State Treaty (DMStV), updating the existing Interstate Media Treaty (MStV).

What’s New?

The media and digital sectors have seen several additional new regulations, including the European Media Freedom Act (EMFA), the Regulation on Transparency and Targeting of Political Advertising, and the EU’s AI Act. The DMStV discussion draft proposes media law changes to align with European requirements, aiming to coordinate state, federal, and EU rules to address current challenges. Key proposals include:

• National Database on Media Ownership: The draft requires the Commission for the Determination of Concentration in the Media Sector (KEK) to maintain a publicly accessible, regularly updated database on media ownership and participation, implementing Article 6(2) EMFA. The existing KEK media database would be recognized as the national database under the DMStV.
• Use of Technical Means in Supervision: State media authorities would be permitted to use technical tools to automatically monitor text, image, audio, and video content in broadcasting and telemedia for DMStV violations. The research tool “KIVI” is already in use and would now have a clear legal basis, especially regarding data protection. The draft sets guidelines on data processing duration and prohibits exclusively automated content reviews.
• Jurisdictional Regulations: The draft introduces jurisdictional rules for supervising obligations from EU media acts. Supervision of AI Act compliance in broadcasting and telemedia would be assigned to state media authorities.

What’s Next?

The proposals are provisional and subject to further expert review and political approval. Submissions will be reviewed and published. Moreover, a further discussion draft on the other parts of the DMStV, including those pertaining to media mergers, is expected in the near future.

We are grateful to the following member(s) of MoFo’s European Digital Regulatory Compliance team for their contributions: Angus Irving and Jane Xiu, London office trainee solicitors; and Philipp Hornung, Felicitas Lampe, and Edis Uemit Teke, Berlin office research assistants.

Back to Top