Greece begins parliamentary debate on EU AI Act implementation

Greece has introduced a draft law to implement the EU AI Act, becoming one of the first EU member states to establish a comprehensive national governance framework for enforcing the regulation.

The legislation aims to promote the safe, trustworthy and human-centred use of AI while protecting fundamental rights and supporting innovation, entrepreneurship and economic competitiveness.

The draft law designates the Hellenic Data Protection Authority as the national market surveillance authority and national contact point under the AI Act, while assigning the Hellenic Telecommunications and Post Commission as the notifying authority.

It also establishes an Artificial Intelligence Coordination and Know-how Centre to provide technical expertise to regulators, alongside a unified complaints mechanism and an administrative sanctions framework to support enforcement.

To encourage responsible innovation, the proposal introduces an AI regulatory sandbox, allowing startups and small and medium-sized enterprises to test AI applications under regulatory supervision.

The legislation also creates a Unified Registry of Public Artificial Intelligence Systems to strengthen transparency and accountability, while expanding the role of Greece’s AI Observatory in monitoring implementation of the National AI Strategy.

According to the Ministry of Digital Governance, the framework follows the AI Act’s risk-based approach by applying oversight measures proportionate to the risks posed by different AI systems.

The proposal builds on Greece’s broader AI strategy, including the creation of the Special Secretariat for Artificial Intelligence and Data Governance, with the aim of balancing innovation, economic development and the protection of fundamental rights.

Why does it matter?

Greece is positioning itself among the first EU member states to translate the AI Act into operational national institutions and enforcement mechanisms. By establishing supervisory authorities, a regulatory sandbox and governance structures ahead of key implementation deadlines, the country aims to provide greater legal certainty for businesses while supporting responsible AI innovation.

The legislation also illustrates how the AI Act will increasingly be implemented through national institutions rather than EU bodies alone. As other member states develop their own enforcement frameworks, differences in implementation could shape how consistently the regulation is applied across the European Union.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Parliament advances child safety privacy balance

The European Parliament has adopted amendments to a temporary exemption from the EU’s ePrivacy rules, seeking to preserve voluntary detection of child sexual abuse material while strengthening protections for end-to-end encrypted communications.

MEPs voted to exclude communications protected by end-to-end encryption from the scope of the temporary derogation, reinforcing privacy protections while maintaining support for voluntary detection measures.

The amendments were adopted during Parliament’s second reading of the proposal. Although a simple majority initially voted to reject the Council’s position, the motion failed because it did not reach the required absolute majority of 360 votes. Parliament therefore proceeded to adopt amendments instead.

The amended text now returns to the Council, which has three months to approve or reject Parliament’s changes. If the Council does not accept all of the amendments, the proposal will move to conciliation negotiations.

The temporary derogation is intended to prevent a legal gap following the expiry of the previous exemption in April 2026. It allows electronic communications providers to continue voluntarily detecting, removing and reporting child sexual abuse material while EU institutions negotiate a permanent legal framework.

Earlier negotiations between the European Parliament and the Council failed to produce an agreement, allowing the previous temporary framework to expire before the proposal returned for a second reading.

At the same time, Parliament and the Council continue negotiations on a permanent legislative framework to combat child sexual abuse online. Most elements have already been agreed, with discussions continuing on issues such as the balance between child protection and fundamental rights, including privacy and secure communications.

Why does it matter?

The vote highlights the EU’s continuing effort to balance child protection with fundamental rights. By excluding end-to-end encrypted communications from the temporary derogation, Parliament is signalling that stronger safeguards against child sexual abuse should not come at the expense of weakening secure communications.

The decision also keeps voluntary detection measures in place while negotiations continue on a permanent framework. The outcome of those talks is likely to shape how the EU reconciles online safety, privacy and encryption in future digital regulation.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Ofcom fines adult platform over Online Safety Act age check failures

The UK communications regulator, Ofcom, has fined the operator of Fapello.com £630,000 for breaching the Online Safety Act, marking one of its most significant enforcement actions under the new regime.

The penalty includes £600,000 for failing to implement legally required age assurance measures to prevent children from accessing pornographic content, and a further £30,000 for failing to comply with a legally binding information request. Following Ofcom’s action, Fapello.com geoblocked users in the UK, although the regulator said it will continue monitoring compliance.

Ofcom also confirmed it has opened a new investigation into Bit Hive, operator of Eporner.com, to assess whether its age verification measures meet the Act’s requirement for ‘highly effective’ age assurance.

Separately, the regulator expanded its existing investigation into Kemono.cr to examine whether the platform failed to comply with statutory information requests.

Ofcom said robust age verification is a core requirement of the Online Safety Act and warned that providers failing to implement effective protections or cooperate with regulatory investigations should expect enforcement action, including substantial financial penalties.

The regulator added that it prioritises investigations according to user reach and will continue monitoring compliance across online pornography services.

Why does it matter?

The case demonstrates that the UK’s Online Safety Act has entered a new phase of active enforcement. Rather than focusing solely on guidance and compliance deadlines, Ofcom is now imposing financial penalties and investigating platforms that fail to implement effective child protection measures.

The decision also shows that enforcement extends beyond age verification itself. Companies that fail to cooperate with regulatory investigations or provide required information may face additional sanctions, reinforcing the regulator’s ability to oversee compliance across online platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Commission takes four countries to EU court over NIS2 delays

The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to transpose the NIS2 Directive fully into national law.

The Directive strengthens the EU cybersecurity rules and sets common requirements for organisations operating in critical sectors.

Member states were required to transpose NIS2 by 17 October 2024, but the four countries have not notified the Commission of full implementation.

The referrals follow earlier infringement steps. The Commission sent letters of formal notice on 28 November 2024 and reasoned opinions on 7 May 2025.

The Commission is asking the Court to impose financial sanctions, including a lump sum and daily penalties until the countries notify complete transposition.

NIS2 applies to entities in 18 critical sectors, including health, energy, transport and public administration.

The Directive aims to improve national and EU-wide cyber resilience by strengthening risk management, incident response and security obligations for public and private entities.

The Commission said full implementation is essential for improving the EU’s overall resilience and the incident response capacity of organisations operating in critical sectors.

Why does it matter?

The referral shows that the Commission is prepared to enforce cybersecurity law against member states that fail to meet implementation deadlines. NIS2 is designed to create a more consistent baseline of cyber resilience across the EU, but delays in national transposition can leave organisations facing fragmented obligations and uneven enforcement. For critical sectors, consistent implementation is central to risk management, incident response and cross-border resilience.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

South Korea opens antitrust proceedings over Google app market practices

South Korea’s Fair Trade Commission has begun formal deliberation procedures over allegations that Google abused its dominant position in the Android app market.

The case follows an examiner’s report submitted to the Commission, which outlines suspected violations of the country’s Fair Trade Act.

According to the report, Google used its Games/Google Velocity Program, known internally as Project Hug, to provide financial support for services such as Google Cloud, Google Ads and YouTube.

In return, participating game developers were allegedly required to launch games on Google’s app marketplace on terms at least as favourable as those offered to rival platforms.

The examiner concluded that the programme reduced incentives for developers to distribute games through competing app marketplaces, including ONE store, while strengthening Google’s position in the Android app ecosystem.

The allegedly affected revenue was estimated at 14.16 trillion won, or about $9.1 billion. If violations are confirmed, potential penalties could reach up to 6% of that amount.

Google will have an opportunity to respond before the Commission reaches a final decision.

The case adds to wider global scrutiny of app-store competition and the ways dominant platforms use developer incentives, contracts and ecosystem services to shape market access.

Why does it matter?

The case shows how antitrust scrutiny of app stores is expanding beyond commission fees and payment systems into developer incentive programmes and platform-service bundles. If KFTC confirms the allegations, the decision could influence how dominant platforms structure support packages for developers and whether such programmes are treated as loyalty-inducing conduct. It also reinforces South Korea’s role as an active jurisdiction in digital-platform competition enforcement.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

ITU showcases AI tools to strengthen digital trust

The International Telecommunication Union (ITU) has highlighted a new generation of AI researchers developing practical tools to strengthen digital trust, improve content authenticity and combat misinformation.

Ahead of the AI for Good Global Summit in Geneva, the Young Researcher Associate Programme is showcasing projects designed to improve multimedia authenticity, helping people identify manipulated content while supporting creativity and innovation in the age of generative AI.

The initiative operates under the AI and Multimedia Authenticity Standards Collaboration, established in 2024 by the World Standards Cooperation, which brings together the International Electrotechnical Commission (IEC), the International Organization for Standardization (ISO) and the ITU.

The programme brings together early-career researchers from universities around the world to develop solutions addressing content authenticity, provenance and digital rights as AI-generated media becomes increasingly common online.

Three flagship projects illustrate the programme’s multidisciplinary approach. STOP&SCAN promotes critical thinking through a five-step framework that encourages people to assess the source, content and context of digital information before sharing it.

AMITO provides an AI-powered multimedia integrity toolkit through Telegram and WhatsApp, analysing suspicious images and videos while explaining its findings in plain language rather than simply labelling content as authentic or fake.

Meanwhile, the Policy-as-Code project maps AI-related regulations across jurisdictions, helping creators, businesses and policymakers understand how AI-generated content is regulated while laying the foundations for machine-readable compliance mechanisms.

The researchers will present their work at the AI for Good Global Summit on 9 July, demonstrating how technical innovation, behavioural science and regulatory frameworks can work together to build more trustworthy digital ecosystems. According to the ITU, strengthening digital trust requires collaboration across generations, disciplines and countries.

According to ITU, designing digital trust requires collaboration across generations, disciplines and countries to ensure AI strengthens rather than undermines confidence in online information.

Why does it matter?

As generative AI makes it easier to create convincing synthetic media, verifying the authenticity and provenance of digital content is becoming increasingly important for governments, businesses and the public. Technical tools alone are unlikely to solve the problem, making user education, common standards and transparent governance equally important.

The initiative also highlights the growing role of international standards organisations in shaping AI governance. By combining authenticity technologies, regulatory mapping and practical educational tools, the ITU and its partners are helping develop a shared foundation for trusted digital ecosystems that can operate across platforms and national borders.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Council of the EU backs interim rules on online child abuse detection

The Council of the European Union has adopted its position on interim legislation that would restore a legal basis for online service providers to voluntarily detect, report and remove child sexual abuse material (CSAM) from their platforms.

The proposal aims to restore legal certainty after the previous temporary framework expired on 3 April 2026, while negotiations continue on a permanent EU regulation to combat online child sexual abuse.

The interim regulation introduces a limited derogation from the EU’s electronic communications privacy rules, allowing online platforms to voluntarily detect child sexual abuse material and report suspected offences to law enforcement authorities.

According to the Council, these voluntary measures are essential for identifying children at risk, supporting criminal investigations, prosecuting offenders and reducing the circulation of child sexual abuse material online.

The Council proposes extending the temporary framework until 3 April 2028 to avoid a prolonged legal gap while negotiations continue on the long-term Child Sexual Abuse Regulation.

Irish Minister for Justice, Home Affairs and Migration Jim O’Callaghan said restoring providers’ ability to detect online child sexual abuse is essential to protecting victims and bringing offenders to justice. The proposal will now move to the European Parliament for a second reading, where MEPs may approve, amend or reject the Council’s position.

If adopted, the measure would restore the legal basis for voluntary detection activities while policymakers continue negotiations on a permanent framework governing the detection of child sexual abuse material across digital services in the European Union.

Why does it matter?

The proposal addresses a legal gap that emerged after the previous temporary framework expired, creating uncertainty for online platforms that voluntarily detect and report child sexual abuse material. Restoring a clear legal basis would allow providers to continue supporting law enforcement while longer-term legislation is negotiated.

The debate also reflects the EU’s continuing effort to balance child protection with privacy and fundamental rights. While the interim proposal focuses on voluntary detection, negotiations on a permanent framework are expected to continue raising questions about the appropriate balance between online safety, privacy and the responsibilities of digital platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UK CMA consults on Apple and Google app store payment rules

The UK Competition and Markets Authority has opened consultations on new requirements for Apple and Google under the country’s digital markets competition regime.

Proposed steering requirements would allow app developers to direct UK users to payment options outside Apple’s App Store and Google’s Play Store. The CMA said Apple currently bans steering in the UK, while Google restricts it.

According to the regulator, allowing developers to communicate with customers about off-platform options could increase competition, reduce payment costs and support innovation across mobile services.

Consultation proposals also cover principles to ensure that any steering fees charged by Apple and Google are fair and reasonable. The CMA said such fees should be based on evidence and should be lower than current app store charges.

Alongside the steering proposals, officials are seeking views on a potential requirement for Apple to provide developers with access to near-field communication functionality on iOS.

Broader NFC access could allow UK fintechs and developers to support contactless payments from within their own apps. It could also support future payment methods, including account-to-account payments, digital currencies and stablecoins, as well as non-financial uses such as digital ID and car keys.

Responses to the steering conduct requirement are due by 28 July 2026, while views on the potential NFC requirement are due by 21 July 2026. The CMA will decide later this year whether to impose new obligations.

Why does it matter?

The consultations show the UK’s digital markets regime moving into targeted conduct rules for major mobile platforms. If adopted, the measures could weaken Apple and Google’s control over in-app payments and give developers more freedom to offer alternative purchasing channels. The NFC proposal also widens the debate beyond app store commissions, addressing Apple’s control over device functionality that can shape competition in mobile payments, digital identity and other services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Microsoft and Europol disrupt Amadey and StealC malware infrastructure

Microsoft has disrupted more than 200 command-and-control servers linked to Amadey and StealC, two widely used cybercrime tools that support credential theft, fraud and ransomware attacks.

The company’s Digital Crimes Unit said the action targeted the shared infrastructure behind the two tools rather than treating them as separate threats. In the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers worldwide.

Amadey is often used to gain access to devices, while StealC is used to steal passwords and sensitive information. Microsoft said the tools form part of a wider cybercrime supply chain in which specialised malware services help attackers turn initial access into fraud, ransomware, espionage or other operations.

Microsoft said investigators used AI, including Copilot, to analyse malware and identify connections between the two tools more quickly. The company said the analysis helped its legal team treat both malware families as part of a single conspiracy under the US Racketeer Influenced and Corrupt Organizations Act.

The action was carried out with Europol and industry partners, including ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Europol’s European Cybercrime Centre also investigated StealC as part of Operation Endgame, alongside European law enforcement partners and cybersecurity companies, including IBM X-Force and Proofpoint.

Microsoft said it has identified more than 18,000 victim computers since the start of the operation and is working with telecommunications providers to help protect affected users.

The company said findings from the case will feed into its Statutory Automated Disruption programme, which accelerates the removal of malicious domains and infrastructure.

Why does it matter?

The operation reflects a shift in cybercrime disruption strategy. Instead of targeting one malware family or service at a time, Microsoft and its partners focused on the shared infrastructure that allows criminal tools to work together. That matters because modern cybercrime increasingly operates as a modular supply chain: one tool gains access, another steals credentials, and other actors monetise that access through fraud, ransomware or espionage. The use of AI to accelerate malware analysis also points to how defenders are trying to match the speed and scale of cybercriminal operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

EU targets cross-border crime cooperation

The European Commission has proposed new measures to strengthen EU cooperation against cross-border crime, organised criminal networks, terrorism and hostile actors.

The Commission said crime is becoming more sophisticated, international and digital, requiring closer cooperation between police, customs authorities, prosecutors and courts from the start of investigations through to final judgments.

The package would strengthen the roles of Europol and Eurojust, the EU agencies that support national authorities in cross-border criminal investigations and judicial cooperation.

For Europol, the proposal would enable faster and more automated information sharing to support real-time collaboration during investigations. It would also create Europol Support Offices, staffed by former Europol officers, to provide operational assistance to the EU countries.

The Commission also wants to establish a technology and innovation hub within Europol to map law enforcement capability needs across the EU and support the use of new tools against cross-border crime.

Eurojust would receive stronger operational powers, including the ability to act on its own initiative to identify links between cases. Its mandate would also expand into emerging areas of crime, including cybercrime and gender-based violence.

The package would strengthen cooperation between Europol, Eurojust and the European Public Prosecutor’s Office, while also expanding international cooperation with third countries.

The Commission is also proposing to update the European Investigation Order, the EU procedure for gathering evidence across borders in criminal cases. A new European Remote Participation Order would allow suspects, accused persons and victims to take part remotely in criminal court hearings from another EU country.

Why does it matter?

Cross-border crime is increasingly digital and difficult for national authorities to tackle on their own. The Commission’s proposal aims to make EU investigations faster and more coordinated by improving data sharing, evidence gathering and cooperation between police, prosecutors and courts. The cybercrime and technology-hub elements are especially relevant because law enforcement agencies need technical capacity, legal tools and cross-border coordination to respond to digital criminal networks.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!