The Department for Education and Department of Health and Social Care have announced plans to publish guidance on mobile device use for children aged 5 to 16. The guidance, due to be published this autumn, aims to provide parents with practical advice on issues including screen time, social media use, sleep and smartphone habits.
A three-week call for evidence has been launched to help shape the guidance, supported by an independent expert group co-chaired by Children’s Commissioner Dame Rachel de Souza and Professor Russell Viner. The review will also examine how children use screens in schools and at home.
The government said technology can support learning, creativity and inclusion, particularly for children with special educational needs and disabilities. It added that the guidance will focus on helping families make informed decisions about online safety rather than imposing blanket restrictions on technology use.
Alongside the guidance, the government plans additional measures relating to technology in education, including the possible introduction of safety certification for certain school technology products and the creation of an AI Youth Advisory Board.
Ministers are also considering measures such as app curfews, time limits and other tools aimed at improving children’s online safety. The announcement was made in the UK, where ministers said technology used in schools should be safe, effective and supported by evidence.
Why does it matter?
Governments around the world are increasingly examining the impact of smartphones, social media and digital platforms on children’s wellbeing, safety and development. While technology can provide educational and social benefits, concerns have grown over excessive screen time, online harms, sleep disruption and the effects of digital services on young people.
The UK’s approach reflects a broader policy trend towards evidence-based guidance and targeted safeguards rather than outright restrictions. The review may also influence future discussions on digital wellbeing, online safety, parental controls and the role of technology in education.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The National Human Rights Commission of India (NHRC) held an open house discussion on safeguarding human rights against digital arrest scams, highlighting their growing impact on individual rights, dignity and personal security.
The NHRC Chairperson said cybersecurity-enabled fraud has caused significant financial losses and noted that digital arrest scams often exploit fear of law enforcement authorities to coerce victims into transferring money. Participants also highlighted the challenges victims face in recovering stolen funds and obtaining effective redress.
Speakers stressed the need for stronger protections for vulnerable groups, particularly older adults, alongside improved data protection, public awareness campaigns and faster support mechanisms for victims. Participants also reviewed existing government measures, AI-powered detection tools and industry initiatives aimed at preventing and detecting fraud.
Key recommendations included recognising digital arrest scams as a distinct criminal offence, strengthening measures against mule accounts and the fraudulent misuse of official identities, improving compensation and recovery mechanisms, and enhancing cooperation among government agencies, industry and other stakeholders in India.
Why does it matter?
Digital arrest scams have emerged as a growing form of cyber-enabled fraud, combining social engineering techniques with the impersonation of law enforcement and government authorities. By exploiting fear and urgency, such scams can cause significant financial losses and psychological harm, particularly among vulnerable groups.
The discussion highlights the increasing intersection between cybersecurity, consumer protection and human rights. As digital fraud becomes more sophisticated, policymakers are placing greater emphasis on prevention, victim support, data protection and coordinated responses involving government agencies, technology providers and financial institutions.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
Anthropic has launched Claude Fable 5, a new general-purpose AI model, alongside Claude Mythos 5, a more capable version reserved for selected cyber defence and infrastructure partners.
The company described Fable 5 as its most capable generally available model to date, with strong performance across software engineering, knowledge work, vision and scientific research. Anthropic said the model’s advanced capabilities pose misuse risks, particularly in cybersecurity and research biology.
To reduce those risks, Fable 5 includes additional safety classifiers designed to detect potential misuse, including attempts to bypass safeguards. When certain high-risk requests are detected, users may receive a response from Anthropic’s next-most-capable model, Claude Opus 4.8, rather than Fable 5.
Anthropic said the safeguards have been tuned conservatively and may sometimes block benign requests. According to the company, the fallback mechanism is triggered in less than 5% of sessions on average.
Claude Mythos 5 uses the same underlying model as Fable 5, but with some safeguards lifted in specific areas. Anthropic said it will initially deploy Mythos 5 through Project Glasswing, in collaboration with the US government, for a limited group of cyber defenders and critical software infrastructure providers.
The launch highlights a growing model governance approach in which access to frontier AI capabilities is tiered according to use case and risk. Anthropic said it plans to expand trusted access to Mythos 5 while continuing to refine safeguards for broader public use.
Why does it matter?
The release shows how frontier AI providers are increasingly linking capability deployment to access controls, model routing and domain-specific safeguards. As advanced systems become more useful for software engineering, cybersecurity and scientific research, companies face pressure to provide broad access while limiting misuse in dual-use areas. Anthropic’s split between Fable 5 and Mythos 5 reflects a wider governance question: who should receive access to the most capable AI systems, under what conditions, and with what oversight.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!
The measures require Meta to reinstate access to the WhatsApp Business Solution for third-party AI assistant providers under the same terms that applied before 15 October 2025. Meta must comply within five working days and maintain access until the Commission adopts a final decision.
The Commission opened the investigation in December 2025 after Meta changed the terms of its WhatsApp Business Solution to restrict AI providers from using the service when AI was the primary service offered. In February 2026, the Commission sent Meta a Statement of Objections setting out its preliminary view that the conduct could breach the EU antitrust rules.
According to the Commission, Meta appears at first sight to hold a dominant position in the EEA-wide market for consumer communication applications through WhatsApp. It also said Meta may have abused that position by preventing competing general-purpose AI assistants from accessing and interacting with users on WhatsApp.
Meta revised its policy in March 2026 to allow third-party AI assistants back onto WhatsApp, but introduced a fee that the Commission said was, at first sight, equivalent in practice to the previous ban. The Commission warned that the conduct could harm competition at a critical stage in the development of the market for general-purpose AI assistants.
The substantive investigation remains ongoing, and the interim measures do not prejudge the Commission’s final decision. The Commission said it may impose fines or daily penalty payments if Meta fails to comply.
Why does it matter?
The case shows how the EU competition enforcement is moving into the emerging market for general-purpose AI assistants. WhatsApp is not only a messaging service, but also a major access point for businesses and users. If dominant platforms can limit rival AI assistants’ access to such channels, competition in AI services could be shaped before the market fully matures. The interim measures also signal that the Commission is willing to act quickly where it believes platform conduct may create serious and irreparable harm to competition.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
According to the Polish Press Agency, negotiations between the European Commission and EU member states on the development of AI gigafactories could conclude in June. The planned facilities are expected to be financed through the EU’s €20 billion InvestAI fund.
The initiative aims to establish five AI gigafactories across the EU to support the development of large-scale AI models and applications. Discussions intensified after revisions to the funding model required member states to commit financial support before the launch of a tender process limited to private companies and consortia.
Polish Deputy Minister of Digitisation Dariusz Standerski said Poland led a coalition of seven member states that opposed the revised framework and pushed for changes. He said negotiations are now close to a compromise that could strengthen the EU’s digital sovereignty and AI infrastructure ambitions.
Separately, Standerski said the Ministry of Digitisation is finalising proposals for a digital services tax of up to 3% on revenues generated by large technology companies operating in Poland. The draft legislation is expected to be published by early July in Poland.
Why does it matter?
The AI gigafactory initiative is a central component of the EU’s broader effort to strengthen its AI infrastructure and reduce dependence on non-European providers of computing capacity. Access to large-scale computing resources is increasingly viewed as a prerequisite for developing advanced AI models and competing in the global AI ecosystem.
The negotiations also highlight the governance challenges associated with large industrial policy initiatives. Questions around funding, public-private participation and member state involvement will shape how effectively the EU can translate its AI ambitions into operational infrastructure.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
Cybersecurity researchers have demonstrated an AI-powered computer worm capable of identifying vulnerabilities, generating attack strategies and spreading autonomously across networks. The study suggests that advances in AI agents could enable a new class of adaptive cyber threats capable of operating with minimal or no direct human intervention.
The research, conducted by teams from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow, describes malware that uses large language models to tailor its behaviour to each target. Unlike traditional worms, the system can adapt its attack methods in real time instead of relying solely on pre-programmed exploits.
Testing in a controlled virtual environment showed the system could successfully compromise multiple machines and replicate across a simulated network over several days. The worm also operated without relying on cloud infrastructure, running AI models locally on infected systems and using those resources to support its operations.
Researchers warned that such capabilities could signal a shift towards what they describe as ‘autonomous generative adversaries’ and stressed the need for stronger detection systems, evaluation frameworks and governance mechanisms. While details were limited to reduce misuse risks, the authors said the findings reflect how rapidly AI-enabled cyber capabilities are evolving.
Why does it matter?
The research signals a shift in cyber risk from static, signature-based malware to autonomous systems capable of reasoning, adapting, and scaling attacks without human input.
As AI models become more capable and widely deployed, the line between tool and autonomous threat blurs, increasing pressure on cybersecurity systems, patching cycles, and regulation to keep up with real-time, evolving attacks.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!
The Kenya Defence Forces (KDF) has completed the Service Members Basic Artificial Intelligence Course 01/26, a training programme aimed at strengthening AI capabilities among military personnel. The course concluded with a graduation ceremony at the National Military Command Centre in Nairobi.
Delivered by the Defence Intelligence Academy in partnership with the Moran AI and Cyber Centre of Excellence and other technology partners, the programme provided participants with foundational knowledge of AI and emerging technologies. The course aimed to equip participants with practical skills relevant to increasingly data-driven security and defence environments.
According to KDF, the initiative supports broader efforts to modernise military capabilities and prepare personnel for the growing role of data, automation and digital technologies in defence operations. Officials described technological literacy as an increasingly important competency in modern military service.
The programme forms part of KDF’s wider strategy to strengthen digital skills and innovation capacity. The military said the programme also supports regional cooperation and technological capacity development through partnerships with institutions across Africa.
Why does it matter?
AI is increasingly influencing defence planning, intelligence analysis, logistics and operational decision-making. As armed forces around the world integrate data-driven technologies into their activities, developing AI literacy and digital skills among personnel is becoming a strategic priority.
The KDF initiative reflects a broader trend in which military organisations are investing in AI-related capacity building to ensure personnel can effectively understand, manage and operate alongside emerging technologies while supporting long-term defence modernisation efforts.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
Canada’s Cyber Centre has warned that the FIFA World Cup 2026 will almost certainly attract cyber threat activity from cybercriminals, non-state actors and state-sponsored actors.
The tournament will run from 11 June to 19 July 2026 across Canada, the US and Mexico, with 104 matches in 16 cities. The Cyber Centre said the event’s global visibility, complex supporting infrastructure and broad ecosystem of suppliers and services create a large attack surface.
According to the bulletin, cybercriminals are expected to exploit public interest in the tournament through phishing, social engineering, ticket scams, fraudulent travel offers, fake livestreaming services, malicious apps and other forms of online fraud. The Cyber Centre cited research identifying more than 4,300 likely fraudulent domain registrations linked to the tournament as of August 2025.
Organisations connected to the event, including travel, hospitality, ticketing, broadcasting, telecommunications, utilities and transport providers, could also face ransomware, distributed denial-of-service attacks and website defacement. The Cyber Centre said attackers may target entities in the wider tournament ecosystem to maximise publicity, even when their targets are not part of the core World Cup infrastructure.
The bulletin also warned that threat actors are very likely to use the event for disinformation and influence activity, including campaigns involving AI-generated articles, images, videos and deepfakes. It found that there is roughly an even chance of disruptive state-sponsored cyber activity, depending on geopolitical tensions involving host nations or participating countries.
Canadian authorities urged fans, attendees, athletes, government officials and organisations linked to the tournament to strengthen cybersecurity practices and prepare for scams, disruptive attacks and information manipulation during the event.
Why does it matter?
The bulletin treats the World Cup as more than a sports event. It frames major tournaments as digitally dependent public safety environments involving ticketing systems, broadcasters, transport networks, hotels, mobile communications, local authorities and critical infrastructure. Cyber incidents during such events can cause financial loss, service disruption, data exposure, emergency communication risks and information manipulation, making cybersecurity part of event resilience and public trust.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The Commission framed the initiative as a fundamental shift in the EU’s approach to technology, underpinned by the recognition that digital dependence is no longer a market inefficiency to be tolerated, but a strategic vulnerability to be corrected through legislation.
Commission President Ursula von der Leyen stated that Europe cannot afford to depend on others for the technologies that keep its hospitals running, its energy grids stable, and its services secure, calling on the EU to convert its research excellence, industrial base and single market into technological sovereignty.
The package is designed to broaden choice in core technologies for EU businesses, citizens and public administrations, and to position Europe to capture a larger share of a global semiconductor market projected to reach EUR 1.37 trillion by 2030, with AI-related components accounting for roughly 70% of that growth.
The timing reflects a specific convergence of pressures. The rapid spread of AI applications is driving a sharp increase in demand for data centre and cloud capacity that EU infrastructure cannot currently meet at scale. At the same time, longstanding dependence on non-EU suppliers for advanced semiconductor manufacturing, chip design and cloud services has become increasingly difficult to ignore as geopolitical tensions have demonstrated the economic risk of concentrated supply chains.
The 2022 US CHIPS and Science Act, generous subsidy regimes in Asia and tightening export controls on advanced semiconductor equipment have accelerated the global race for technological self-sufficiency, prompting Europe to adopt a more active industrial policy response.
Chips Act 2.0
The Chips Act 2.0 revises and expands the 2023 European Chips Act, which has mobilised more than EUR 52 billion in public and private investment, created an estimated 46,000 direct and indirect jobs and strengthened Europe’s research and innovation capacity in semiconductors. Despite this progress, the EU remains dependent on third countries for advanced chip manufacturing and semiconductor design.
The revised regulation is designed to accelerate Europe’s position across the entire semiconductor value chain, from raw materials and design to manufacturing and packaging, and to ensure that Europe captures a greater share of the growth in AI-related chip demand.
The proposal is structured around four objectives. On investment and competitiveness, the Act would cap permitting approvals at 12 months, introduce ‘Grand Challenges’ to support the development of strategically important chip types such as AI processors, and formalise Strategic Partnerships on Semiconductors with international allies.
To stimulate demand, it establishes Demand Accelerators to align new products with industry needs, expands innovation procurement, notably for European start-ups and scale-ups, and creates structural synergies with CADA to benefit from the data centre and AI Gigafactory buildout planned under that regulation.
On the supply side, the Act enables state aid for ‘First-of-a-Kind’ facilities not yet present in the Union, covering the full semiconductor value chain, designates strategic projects to unlock EU and member state co-investment, and creates a ‘Semiconductor Regions of Excellence’ label to attract investment at the regional level. To strengthen resilience, it establishes a business-to-business semiconductor supply chain platform and provides sector-specific guidance on risk assessment and mitigation.
The explicit linkage between Chips Act 2.0 and CADA reflects a deliberate industrial logic: European-made chips powering European cloud infrastructure, with demand from that infrastructure in turn supporting European chipmakers.
Cloud and AI Development Act
The Cloud and AI Development Act (CADA) forms a central part of the Commission’s AI Continent Action Plan and simultaneously addresses two structural problems: insufficient EU cloud and data centre capacity to meet AI-driven demand, and strategic dependence on a small number of non-EU cloud providers.
The Act is designed to facilitate and accelerate the deployment of sustainable cloud and data centre infrastructure, while ensuring the EU accelerates the rollout of cloud and AI in critical sectors and retains meaningful control over the infrastructure on which that rollout depends.
The Act focuses on three main areas. On research, development and innovation, it supports next-generation cloud and AI technologies, including frontier AI, industrial AI, and physical AI, introduces grand challenges to drive R&D efforts, and promotes adoption in strategic sectors through national cloud and AI strategies and new Experience and Acceleration Centres for AI in member states.
On capacity, it targets at least a tripling of EU data centre capacity within five to seven years, simplifies and accelerates permitting, and improves access to energy, land, water and financing. On sovereignty and autonomy, it establishes a single EU-wide sovereignty classification framework, promotes open source solutions as a tool for resilience, and introduces a common EU-level procurement framework for public administrations.
The sovereignty classification system merits particular attention. It introduces four assurance levels for cloud and AI services, to be applied by public sector bodies based on their own risk assessments. Level 1 requires data to be processed and stored within the EU. Level 2 requires providers to demonstrate independence from third countries and transparency over their software supply chain.
Level 3 requires providers to be owned and controlled from within the EU and to meet additional criteria including personnel citizenship, although the Commission retains the ability to recognise third-country providers at this level. Level 4 requires full transparency and control over the software supply chain with no third-country interference.
Cloud service providers seeking recognition under this framework must undergo an independent audit conducted by member state authorities. The framework is significant because it creates, for the first time, a legally grounded and progressive definition of what it means for a cloud service to be sovereign, moving the concept from political rhetoric to a procurement-relevant standard.
EU Open Source Strategy
The EU Open Source Strategy is the non-legislative pillar of the package most directly aimed at reducing dependence on proprietary, non-EU software. It places open source at the centre of the EU’s technological sovereignty approach, arguing that open ecosystems reduce supplier lock-in, increase transparency and give European developers and public administrations greater control over their digital infrastructure.
The strategy addresses a persistent structural weakness: the economic value generated by open source projects has historically been captured outside Europe, limiting the ability of European developers and companies to benefit fully from their own contributions.
The strategy is organised around four objectives. The first, Open Source for Tech Sovereignty, focuses on scaling the Open Internet Stack, a Commission-curated catalogue of EU-aligned open source solutions, and promoting alternatives to dominant proprietary products in areas such as cloud platforms, workplace tools, secure e-mail and decentralised social media.
The work will be carried out in cooperation with member states through the European Digital Infrastructure Consortium for Digital Commons. The second objective, Vibrant Open Source Ecosystem, targets start-up support through accelerators and procurement access, alongside a stewardship toolkit for critical open source assets and investment in digital skills across schools, universities, and civil services.
The third objective, Open Source in Public Administration, sets out procurement guidelines that favour open standards, reinforces the Commission’s Open Source Programme Office (OSPO) and the EU Public Sector OSPO Network, and seeks to embed openness and sovereignty-by-design in digital investment decisions across EU institutions and member states.
The fourth objective, Reinforced Standards and International Outreach, promotes EU open source developers and solutions internationally through the EU Tech Business Offer, supports uptake in partner countries and integrates open source communities into standardisation processes, including through a forthcoming revision of the EU Standardisation Regulation.
The strategy also intersects directly with the other package components. On semiconductors, it targets open hardware development through the Chips Joint Undertaking’s RISC-V programme. On AI, it supports the GenAI4EU initiative and promotes open source tooling for public sector AI adoption through the Apply AI Strategy.
On digital identity, it prioritises open source implementation of the European Digital Identity Wallet (EUDI Wallet) and the European Business Wallet. The strategy also interacts with the recently enacted Cyber Resilience Act (CRA), which imposes new security obligations on open source projects that have generated concern in the developer community. The Open Source Maintenance Instrument and critical dependency mapping exercises set out in the strategy are designed in part to address those obligations, though reconciling the CRA’s security requirements with the growth objectives of the strategy will be a key implementation challenge.
Strategic Roadmap for Digitalisation and AI in Energy
The Strategic Roadmap for Digitalisation and AI in Energy is the least legally binding element of the package but arguably the one that determines whether its ambitions are physically realisable. The targets set by CADA, particularly the goal of at least tripling EU data centre capacity within five to seven years, cannot be achieved without a corresponding expansion in reliable, affordable power supply.
Data centres are energy-intensive by nature, and the AI workloads they are increasingly required to process are even more demanding. The roadmap addresses this constraint by setting out how AI and digital technologies can improve the efficiency and flexibility of Europe’s energy systems while also enabling the energy infrastructure that these systems need.
The roadmap connects the package’s digital ambitions to the EU’s energy transition objectives, creating a mutually reinforcing relationship: cleaner, smarter energy systems create more viable conditions for data centre expansion, while AI-enabled demand management and grid optimisation tools reduce the cost and environmental impact of that expansion. The roadmap is also relevant as a governance document, since the deployment of AI in critical energy infrastructure raises its own questions about cybersecurity, data sovereignty and the concentration of control over systems on which entire economies depend.
Governance and policy implications
The Tech Sovereignty Package raises several governance issues that extend beyond its immediate legislative content. The most significant concerns the model it establishes for EU industrial policy. The package marks a clear departure from the long-standing assumption in EU competition policy that market mechanisms and trade openness are the primary tools for achieving efficient and innovative technology markets.
The explicit use of state aid for strategic semiconductor projects, the joint procurement frameworks in CADA and the deliberate promotion of EU-origin suppliers both in public procurement and sovereign cloud classification illustrate a greater role for public intervention in the technology sector. Whether the EU’s trading partners, particularly the United States and major Asian semiconductor producers, will treat these provisions as proportionate industrial policy or as market-distorting intervention is likely to become a significant diplomatic issue.
The package also has important implications for the governance of AI in Europe. It operates in parallel to the EU AI Act and the work of the EU AI Office, but addresses a different layer of the AI ecosystem. While the AI Act focuses on the risk profile and compliance obligations of AI systems once deployed, the Tech Sovereignty Package governs the infrastructure and supply chains that enable AI development in the first place.
The relationship between the two frameworks matters as decisions taken at the infrastructure layer, such as the cloud sovereignty level applied to a given public sector AI deployment, can have downstream consequences for compliance with AI Act requirements. The relationship between these frameworks will be an important area to monitor as implementation progresses.
A further coordination challenge arises internally. The package spans multiple policy domains and directorates-general within the Commission, including DG CONNECT for semiconductors, cloud and open source, and DG ENERGY for the energy roadmap.
It also interacts with DG COMP on State aid approvals and with DG TRADE on the trade implications of sovereignty-oriented procurement rules. Ensuring coherence across these areas during the legislative process, and subsequently during implementation, will require stronger-than-usual inter-institutional coordination.
Legislative process and upcoming milestones
The two legislative proposals, the Chips Act 2.0 and CADA, need to enter the ordinary legislative procedure, meaning they will be negotiated separately by the European Parliament and the Council of the European Union before trilogue negotiations between the two institutions and the Commission can begin.
Given the political and economic stakes involved, and the number of member states with competing interests in semiconductor investment locations and cloud market access, the negotiations are likely to be protracted. The original European Chips Act took approximately two years from proposal to final adoption, and CADA, which touches on the politically sensitive question of digital sovereignty vis-à-vis key trading partners, may encounter comparable friction.
Several near-term milestones are already in view. The Commission is expected to launch a call for AI Gigafactories in July 2026, following the European High Performance Computing Joint Undertaking (EuroHPC JU) Governing Board’s agreement in principle on 1 June 2026. AI Gigafactories are large-scale, purpose-built AI training facilities and represent one of the most concrete and immediately actionable elements of the broader AI infrastructure agenda.
Their deployment is intended to provide European researchers, start-ups and industry with access to the kind of computing capacity currently concentrated in the United States, and the July call will be an early test of the Commission’s ability to move from legislative ambition to operational delivery.
The Commission will also launch a consultation with member states, the European Investment Bank Group and other key stakeholders to design a European equity capacity at scale for financing tech sovereignty ambitions. This implies that the Commission does not believe grant funding and state aid alone will be sufficient to mobilise the investment required, and that a blended finance model, combining public equity with private capital, will be needed.
The EIB Group’s involvement points towards the kind of risk-sharing instruments it has used in other strategic sectors, although the specific structures and governance arrangements have yet to be designed through the consultation process.
Broader context
The package does not emerge in isolation. It sits within a cluster of interconnected EU strategic frameworks that have, over the past two to three years, progressively shifted the EU’s economic policy stance from market liberalisation towards what the Commission calls ‘open strategic autonomy’: the maintenance of trade openness where possible, combined with targeted interventionism to reduce strategic dependencies where necessary.
The Competitiveness Compass, adopted earlier in 2025 and drawing heavily on the 2024 Draghi report on European competitiveness, identifies reducing strategic dependencies as one of three pillars for restoring European economic dynamism. The Tech Sovereignty Package is the most operationally specific expression of that pillar to date.
The Economic Security Strategy, adopted in 2023, provided the risk-assessment framework within which the package sits, identifying advanced semiconductors, AI, quantum computing and biotechnology as the technological areas posing the most significant dual-use and strategic dependency risks for the EU. The Tech Sovereignty Package translates that risk assessment into concrete legislative and policy instruments, with semiconductors and AI infrastructure receiving the most direct regulatory attention.
The Commission’s AI Continent Action Plan, which positions Europe to become a global AI leader by focusing on computing infrastructure, data, skills, and adoption, provides the most direct policy antecedent for CADA in particular. The Tech Sovereignty Package fast-tracks the infrastructure ambitions of the Action Plan and adds the supply chain governance dimension that the Action Plan did not fully address.
Taken together, these documents represent a sustained and internally consistent shift in EU digital and industrial policy, one in which technological leadership is treated not merely as an economic aspiration but as a precondition for political and regulatory autonomy in an increasingly contested global technological order.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
The process of developing a supplementary protocol to the UN Convention against Cybercrime has begun, with early state submissions already showing competing views over its scope and timing.
The Ad Hoc Committee Secretariat invited preliminary written inputs on the possible scope, objectives and structure of a draft protocol supplementary to the Convention, also known as the ‘Hanoi Convention’. The mandate follows UN General Assembly resolution 79/243, which asked the Committee to negotiate a draft protocol addressing, among other issues, additional criminal offences.
The United States questioned the exercise’s premise, arguing that discussions on a supplementary protocol are premature because the Convention has not yet entered into force and its implementation has not yet been tested. Washington called for the Committee first to address whether a protocol is needed at all before discussing its scope, objectives and structure.
Russia, by contrast, submitted a draft protocol text covering a broad range of offences, including terrorism financing, extremism, arms and drug trafficking, critical information infrastructure, unauthorised access to personal data and crimes involving AI. The proposal reflects a wider approach to criminalisation, including content-related offences that are likely to be contested by states concerned about overreach, legal certainty and human rights safeguards.
Other early submissions appear more cautious. Brazil, Nigeria, and Ecuador broadly support advancing the protocol process, while signalling the need to limit its scope and maintain attention to safeguards. Brazil warned against including offences where there is insufficient international consensus, while Ecuador proposed a structure that includes emerging offences, digital evidence, public-private cooperation, proportionality and human rights.
The early inputs point to a familiar divide in UN cybercrime negotiations: whether the treaty framework should remain focused on classical cybercrime, electronic evidence and criminal justice cooperation, or expand further into content-based offences, national security concerns and politically sensitive forms of online conduct.
Why does it matter?
A supplementary protocol could shape the evolution of the UN cybercrime framework after the adoption of the main Convention. If states use the protocol to add broad or content-related offences, the treaty system could move beyond core cybercrime and electronic evidence cooperation into areas with direct implications for freedom of expression, human rights safeguards, political speech, platform governance and state sovereignty. The early submissions suggest that those unresolved tensions are already resurfacing before the Convention has entered into force.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
