European Commission accepts X commitments on DSA transparency requirements

The European Commission has accepted corrective measures proposed by X to address alleged breaches of the Digital Services Act (DSA) relating to advertising transparency and researchers’ access to public data.

The action plan requires X to improve its advertising repository so that researchers, civil society organisations and users can more effectively examine advertisements and assess the platform’s systemic risks.

X will introduce new search filters based on advertising content and targeting criteria, display search results directly within the repository, improve response times and provide more complete information about advertisements, including their full content and destination URLs. The company will also make the repository accessible through an application programming interface (API).

The platform will provide additional information about advertisements, including their full content and the URLs to which users are redirected. It will also make the repository accessible through an application programming interface.

The commitments also strengthen researchers’ access to public data. X must improve its application process, provide eligible researchers with timely access to appropriate volumes of data free of charge and avoid unnecessary procedural delays.

The platform will also update its terms and conditions to clarify that eligible researchers are not contractually prohibited from scraping publicly available data.

X now has six months to implement the commitments under an enhanced supervision regime. The Commission said implementation will be verified through an independent audit and close monitoring, following concerns from the Board for Digital Services that the company’s original proposal did not sufficiently address several requirements.

The Commission said it will closely monitor X’s DSA compliance, particularly in areas the Board identified as insufficiently addressed.

Why does it matter?

The commitments strengthen two key pillars of the DSA: transparency in online advertising and independent scrutiny of very large online platforms. Better access to advertising data and public platform information could improve research into systemic risks, political advertising and platform accountability.

The case also demonstrates that accepting corrective measures does not end regulatory oversight. The Commission’s enhanced supervision and independent audit requirements show that compliance under the DSA will increasingly be judged by implementation rather than commitments alone.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Ofcom finalises tougher rules against mobile messaging scams

Ofcom has finalised new rules requiring mobile providers to block, limit and disrupt mobile messaging scams, alongside strengthened guidance to tackle international calls that spoof UK mobile numbers.

The regulator said criminals increasingly use text messages and business messaging services to impersonate friends, companies and public bodies, pressuring victims to transfer money, disclose sensitive information or click malicious links.

Fraud accounted for an estimated 45% of reported crime incidents in England and Wales, with £1.28 billion lost to criminals in 2025. Ofcom also found that 40% of UK mobile users had received at least one suspicious message during the previous three months.

The measures target two main forms of messaging fraud: person-to-person messages sent through SIM cards and mass business messages distributed through commercial messaging infrastructure.

For person-to-person scams, mobile providers must collect intelligence on fraudulent messages, malicious links and phone numbers from customers and anti-fraud organisations. They must use that information to block numbers associated with scammers and stop messages containing malicious links or phone numbers from being delivered across their networks.

Providers must also impose volume limits on pay-as-you-go SIM cards, making it harder for criminal groups to send large numbers of fraudulent messages. The measures complement the government’s proposed ban on SIM farms and commitments made by operators under the Fraud Sector Charter.

Business messaging providers and aggregators must carry out initial and ongoing Know Your Customer (KYC) checks on organisations sending messages and monitor their activity through Know Your Traffic controls.

Providers will also verify alphanumeric sender IDs, which display company names instead of telephone numbers. The checks are intended to prevent scammers from impersonating trusted businesses, delivery services and government agencies.

Where providers identify fraudulent messaging activity, they must investigate its source, apply incident management procedures, and block malicious sender IDs, links and telephone numbers. Companies that fail to carry out appropriate checks may also face regulatory action.

Ofcom has separately strengthened its guidance on international calls that spoof UK mobile numbers. Telecoms companies should withhold the caller ID for calls that appear to originate from a UK mobile number roaming abroad unless they can verify that the number is genuine.

The regulator said spoofing makes overseas calls appear more trustworthy and increases the likelihood that potential victims will answer. However, it cautioned that legitimate organisations may also use withheld numbers, meaning users should continue to assess unexpected calls carefully.

Mobile providers already block more than 600 million suspected scam messages each year, but Ofcom said inconsistent protections across the sector continue to leave consumers exposed.

Consumers can report suspicious calls and messages by forwarding them to 7726, enabling mobile operators to update their fraud-detection and network-protection systems.

Why does it matter?

The new rules shift greater responsibility onto mobile providers to prevent scams before they reach consumers. By requiring stronger customer verification, sender authentication, network-level filtering and SIM controls, Ofcom is moving fraud prevention further upstream rather than relying primarily on users to recognise suspicious messages.

The measures also reflect a broader regulatory trend towards placing more accountability on communications providers to combat digital fraud. If successful, the framework could reduce large-scale messaging scams while serving as a model for other jurisdictions seeking to strengthen telecoms security.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

South Korea to launch free national AI service

South Korea’s Ministry of Science and ICT has announced plans to launch the ‘AI for Everyone’ project this year, providing a homegrown AI service that anyone in the country can use free of charge without usage limits.

The ministry will select participating companies through an open call for proposals. A beta version is scheduled for late September, followed by the launch of a general-purpose AI chatbot and an AI agent to help users search for and apply for public services.

According to the ministry, the project aims to reduce reliance on overseas AI services while narrowing the digital divide. It also responds to concerns about restrictions on free AI services and possible changes by global technology companies. The nationwide service is expected to launch before the end of 2026.

Why does it matter?

The initiative combines digital inclusion with technological sovereignty by offering unrestricted access to a domestically developed AI service. Removing cost and usage limits could broaden AI adoption while integrating generative AI more closely into public services.

The project also reflects a wider international trend of governments investing in national AI capabilities to reduce dependence on foreign providers. As AI becomes part of essential digital infrastructure, countries are increasingly seeking greater control over the services, platforms and data that underpin public-sector AI deployment.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

UK to introduce AI for police evidence disclosure

The UK Home Office has announced major reforms to criminal evidence disclosure that will introduce AI tools to automatically review and summarise police evidence, modernising procedures that have remained largely unchanged since 1996.

The reforms respond to the growing volume of digital evidence in criminal investigations. According to the Home Office, a single fraud case can now involve more than four million documents, while some investigations contain digital material equivalent to 500,000 e-books. Existing guidance often requires officers to manually review and summarise potentially relevant material before prosecutors determine whether it is needed.

The government’s National Centre for Police AI, backed by £75 million in funding, will pilot AI tools capable of automatically summarising digital evidence. The technology will help officers identify, organise and process large volumes of files currently reviewed manually. According to the Home Office, the reforms could free up around six million hours annually by 2028, equivalent to approximately 3,000 additional UK frontline officers.

The government has also accepted recommendations to establish centralised procurement of police technology and create a national disclosure governance forum bringing together representatives from policing, the judiciary, prosecutors and government to oversee the introduction of new technologies. The Director of the Serious Fraud Office described the reforms as an important step towards modernising disclosure practice.

Why does it matter?

The reforms recognise that criminal justice systems increasingly struggle to manage the volume of digital evidence generated by smartphones, cloud services and online communications. Automating routine evidence review could allow investigators to spend more time on investigations while improving the speed of case preparation.

The initiative also illustrates a growing approach to AI adoption in the public sector, where AI supports administrative and analytical tasks rather than replacing human judgement. By introducing governance arrangements alongside the technology, the UK is attempting to balance efficiency gains with accountability in one of the justice system’s most sensitive areas.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

EDPB orders Belgian regulator to examine VRT cookie complaint

The European Data Protection Board (EDPB) has instructed the Belgian Data Protection Authority to examine a complaint about VRT cookie banners on its merits rather than dismissing it as an alleged abuse of rights under the GDPR.

The EDPB published its binding decision of 28 May 2026 following a dispute between the Belgian and Austrian data protection authorities. The case concerns cookie banners used by Belgium’s public broadcaster, Vlaamse Radio-en-Televisieomroeporganisatie (VRT).

Austrian privacy organisation Noyb lodged the complaint with the Austrian Data Protection Authority on behalf of an individual. Because VRT is based in Belgium, the Belgian authority acted as the lead supervisory authority under the GDPR’s one-stop-shop mechanism.

The Belgian regulator proposed dismissing the VRT cookie banner complaint, arguing that the complainant had abused the rights provided under Articles 77 and 80(1) of the GDPR.

The Austrian DPA objected, arguing that the complaint should not be rejected on procedural grounds. Instead, it said the Belgian authority should assess the substance of the allegations and determine whether VRT’s cookie banners complied with the GDPR.

After the Belgian DPA declined to follow the objection, it referred the dispute to the EDPB under Article 65(1)(a) of the GDPR.

The EDPB concluded that the Austrian authority’s objection was both relevant and reasoned. Applying the Court of Justice of the European Union’s test for abuse of rights, the Board found that neither the objective nor the subjective element required to establish abuse had been demonstrated.

The decision does not determine whether VRT’s cookie banners violate the GDPR. Instead, it requires the Belgian DPA to assess the complaint on its merits and submit a new draft decision to the other supervisory authorities involved under Article 60(3) of the GDPR.

Why does it matter?

The decision reinforces the principle that GDPR complaints should generally receive a substantive assessment rather than being dismissed on procedural grounds without clear evidence of abuse. It also clarifies the high threshold regulators must meet before concluding that individuals have misused their rights under the GDPR.

The ruling further strengthens the GDPR’s cross-border enforcement system by confirming the role of the EDPB in resolving disputes between national data protection authorities and promoting consistent application of EU data protection law.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Parliament committee backs stronger online protections for children

The European Parliament’s Committee on Culture and Education has adopted a report calling for stronger enforcement of existing EU digital legislation to create a safer online environment, particularly for children and young people.

MEPs argue that platforms should be held more accountable for the impact of their services through stronger safeguards, greater algorithmic transparency and stricter protections against addictive digital design.

The European Parliament report calls for a ban on the most harmful addictive platform features and supports introducing a dedicated ‘youth mode’ that would disable targeted advertising and reduce minors’ exposure to addictive design practices.

MEPs also propose greater transparency around recommender systems so users can better understand why content is promoted, restricted or removed. They further suggest introducing personal liability for serious and persistent failures to comply with child protection obligations.

Beyond platform design, the report recommends an EU-wide code of conduct for influencers and stronger safeguards against practices such as kidfluencing and sharenting, where children are used in commercial content or exposed excessively online.

MEPs also call for mandatory ethical standards for AI companions, greater transparency around AI model training, measures against AI-generated impersonation scams, stronger protection against synthetic child sexual abuse material, and systematic monitoring of children’s digital habits across the EU.

The committee said these measures should complement existing legislation, including the Digital Services Act, AI Act, GDPR and Audiovisual Media Services Directive, creating a more coherent EU framework for protecting minors online. The report will now be submitted to Parliament’s plenary session in September 2026.

Why does it matter?

The report signals growing political support for strengthening children’s online safety by making platforms more accountable for the design and operation of their services. Rather than relying solely on new legislation, MEPs are urging stronger enforcement of existing EU rules alongside targeted measures addressing addictive design, recommender systems and AI-powered services.

Although the report is not legally binding, it could influence future EU legislation and enforcement priorities by reinforcing the shift towards safety-by-design, greater transparency and stronger protections for minors across digital platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

AI is beginning to carry out live cyberattacks, Check Point warns

AI is moving beyond assisting cybercriminals to carrying out operational tasks during live intrusions, according to Check Point Research’s Annual AI Security Report 2026.

The report argues that AI-enabled cyber operations are entering a new phase in which AI systems can execute parts of an attack rather than simply helping attackers write code, research targets or prepare phishing campaigns. The shift could make cyber operations faster and less dependent on continuous human oversight.

Check Point said it observed AI carrying out hands-on tasks during incidents ranging from China-linked campaigns to a criminal breach affecting several Mexican government agencies. According to the company, these capabilities are spreading beyond state-backed actors to financially motivated cybercriminals.

AI is also being used to create deployment-ready malware and offensive frameworks. One developer reportedly used an AI coding environment to build VoidLink, an 88,000-line command-and-control framework, in less than a week. Check Point noted that AI involvement may be difficult to identify once the finished tool is deployed.

According to the report, attackers increasingly favour commercial AI models over self-hosted alternatives. Rather than relying solely on jailbreak prompts, some are targeting agentic architectures by planting configuration files that AI agents continue to trust across multiple sessions.

The market supporting AI cyberattacks is also becoming more established. Check Point identified phishing-as-a-service products that embed language models with built-in restrictions bypasses, alongside conversational voice-agent services used for vishing and one-time-password theft.

The report warns that synthetic identities are weakening traditional trust signals. Convincing imitations of voices, faces, identity documents, and live video can now be combined across multiple channels, making social engineering operations more coordinated and harder to detect.

AI systems themselves are also emerging as an important attack surface. Models may struggle to distinguish instructions from the content they process, allowing attackers to manipulate AI agents through malicious files, webpages and other external data sources.

Indirect prompt injection is emerging as one of the most important threats to AI systems. Check Point said detections of longer malicious payloads increased roughly fivefold between March and May 2026, reaching close to 1% of observed prompts. Longer payloads are commonly associated with content-based and agentic attack paths.

Enterprise data leakage through generative AI also remains a growing concern. The share of prompts classified as high risk doubled from 2% to 4% over the previous year, while organisations used an average of ten AI applications each month, including tools that had not received official approval.

Exposure varied considerably by sector. Business services recorded the highest rate of high-risk generative AI prompts, at 5.91%, meaning approximately one in every 17 interactions presented a significant risk of exposing sensitive information.

The findings suggest organisations must prepare for threats from two directions: adversaries using AI to automate cyber operations and employees or AI systems exposing sensitive data through insecure adoption.

Why does it matter?

The report suggests AI is reshaping cybersecurity on both sides of the equation. Attackers are increasingly using AI to automate complex tasks, while organisations adopting AI are creating new attack surfaces and data security risks.

As AI systems become more autonomous, cybersecurity strategies will need to extend beyond traditional endpoint and network protection to include AI agents, model security, prompt injection defences, identity verification and governance over how AI is deployed across the enterprise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Two in five UK children say they bypass online age checks

Nearly two in five UK children aged 11 to 17 say they have successfully bypassed an online age check, according nationally representative research commissioned by the Department for Science, Innovation and Technology (DSIT).

The study surveyed 2,299 children in May 2026 to examine their experiences with age assurance, VPN use and methods of bypassing age checks. It also included an additional sample of recent VPN users.

Overall, 39% said they had successfully bypassed an age check at least once, while another 14% had tried unsuccessfully. Success rates rose from 28% among 11- to 12-year-olds to 43% among older teenagers.

Many children avoided age checks altogether by choosing websites, apps or games that either had no age verification or appeared easy to bypass. Among those who successfully circumvented checks, 63% said they simply pretended to be older, most commonly by entering a false date of birth.

Most successful circumvention involved simple self-declaration systems such as tick boxes and date-of-birth fields, which children also rated as the least effective.

By contrast, 86% of respondents who had encountered government ID verification considered it effective, while third-party identity services, payment card verification and facial age estimation also received substantially higher ratings.

Privacy was the most common reason for using a VPN. However, 22% of VPN users said they had used one to access age-restricted websites, apps or games, equivalent to 7% of all children surveyed.

Parents were involved in some VPN use. Among children who had used one, 22% received help from a parent to set it up, while 43% of current users said a parent paid for the service. However, older teenagers were more likely to install VPNs without parental knowledge.

Friends were the main source of information about bypassing age checks, cited by half of children who had done so. Practical consequences appeared to be the strongest deterrents, including harder-to-defeat checks, permanent account bans, and notifying parents about circumvention attempts.

The report also found an association between bypassing age checks and exposure to harmful content. Among children who had circumvented age checks, 51% reported later encountering at least one form of harmful material, including explicit content, contact from unknown adults and requests for personal information.

The researchers cautioned that the findings rely on self-reported behaviour and do not establish that VPN use or circumvention directly caused exposure to harmful content.

Why does it matter?

The findings suggest that basic self-declaration systems provide limited protection for children and are easily circumvented. As regulators increasingly require stronger age assurance under frameworks such as the UK’s Online Safety Act, the challenge will be deploying systems that are both effective and proportionate while protecting users’ privacy.

The research also highlights that technology alone is unlikely to solve the problem. Children’s motivations, platform design, parental involvement and digital literacy all influence whether age restrictions are respected, suggesting that meaningful online safety will require a combination of technical safeguards, regulation and education.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Greece adds digital passport to Gov.gr Wallet

The Greek Ministry of Digital Governance and Artificial Intelligence has added the national passport to the Gov.gr Wallet, allowing citizens with active ordinary passports to store a secure digital version on their mobile devices.

The digital passport can be used for identification and as a travel document within Greece. Diplomatic and service passports are not currently supported.

The passport becomes the thirteenth document available through the Gov.gr Wallet, joining digital identity cards, driving licences, disability cards, unemployment cards, academic IDs, insurance information, vehicle records, driver penalty points, pet records, the Athens Ring Road permit and the Real Estate File.

According to the Ministry, more than 2.5 million digital identity cards and almost 2 million digital driving licences have already been added to the application.

The Gov.gr Wallet is available on both Android and iOS devices through wallet.gov.gr. The service was developed by the General Secretariat for Information Systems and Digital Governance and GRNET, in cooperation with the Ministry of Citizen Protection and the Hellenic Police.

Citizen data is retrieved through the government’s Interoperability Centre.

Why does it matter?

The addition of the passport further expands Greece’s digital identity ecosystem and reflects the country’s continued investment in digital public services. By enabling citizens to carry more official documents securely on their mobile devices, the government is reducing reliance on physical credentials while improving access to public services.

The initiative also aligns with wider European efforts to strengthen digital identity infrastructure. As more governments develop interoperable digital wallets and electronic identity systems, mobile credentials are expected to play an increasingly important role in public administration and cross-border digital services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Saudi Arabia launches AI tool for national data insights

Saudi Arabia’s Ministry of Economy and Planning has launched the beta version of INSAIGHTS, an agentic AI tool integrated into the Data Saudi Platform. The system is designed to improve how users access, analyse, and interact with national economic and social data.

INSAIGHTS allows users to convert questions into instant insights and analytics by drawing on more than 7,500 indicators available through the platform. The tool aims to support decision-makers, researchers, analysts and the public with faster access to reliable information for data-driven decisions.

The launch forms part of Saudi Arabia’s wider digital transformation agenda under Vision 2030 and the National Transformation Program. The Ministry plans to continue expanding the tool’s capabilities while using emerging technologies to improve transparency, innovation and user experiences across its digital ecosystem.

Why does it matter?

The INSAIGHTS highlights Saudi Arabia’s growing focus on AI as a tool to improve public data accessibility and strengthen evidence-based decision-making. By combining AI capabilities with extensive national datasets, the platform could help organisations and individuals extract insights more efficiently.

The initiative also demonstrates how governments are increasingly adopting agentic AI systems to enhance digital services and economic planning. As the technology develops, platforms like INSAIGHTS may become important models for using AI to improve transparency, research capabilities and public-sector innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!