14-21 November 2025
HIGHLIGHT OF THE WEEK
Digital draught: When the cloud goes offline
The culprit was an internal misconfiguration. A routine permissions change in a ClickHouse database led to a malformed ‘feature file’ used by Cloudflare’s Bot Management tool. That file unexpectedly doubled in size and, when pushed across Cloudflare’s global network, exceeded built‑in limits — triggering cascading failures.
As engineers rushed to isolate the bad file, traffic slowly returned. By mid‑afternoon, Cloudflare halted propagation, replaced the corrupted file, and rebooted key systems; full network recovery followed hours later.
The bigger picture. The incident is not isolated. Only last month, Microsoft Azure suffered a multi-hour outage that disrupted enterprise clients across Europe and the US, while Amazon Web Services (AWS) experienced intermittent downtime affecting streaming platforms and e-commerce sites. These events, combined with the Cloudflare blackout, underscore the fragility of global cloud infrastructure.
The outage comes at a politically sensitive moment in Europe’s cloud policy debate. Regulators in Brussels are already probing AWS and Microsoft Azure to determine whether they should be designated as ‘gatekeepers’ under the EU’s Digital Markets Act (DMA). These investigations aim to assess whether their dominance in cloud infrastructure gives them outsized control — even though, technically, they don’t meet the Act’s usual size thresholds.
This recurring pattern highlights a major vulnerability in the modern internet, one born from an overreliance on a handful of critical providers. When one of these central pillars stumbles, whether from a misconfiguration, software bug, or regional issue, the effects ripple outward. The very concentration of services that enables efficiency and scale also creates single points of failure with cascading consequences.
IN OTHER NEWS LAST WEEK
This week in AI and data governance
Singapore. Singapore has launching a Global AI Assurance Sandbox, now open to companies worldwide that want to run real-world pilot tests for AI systems.
Russia. At Russia’s premier AI conference (AI Journey), President Vladimir Putin announced the formation of a national AI task force, framing it as essential for minimising dependence on foreign AI. The plan includes building data centres (even powered by small-scale nuclear power), and using these to host generative AI models that protect national interests. Putin also argued that only domestically developed models should be used in sensitive sectors — like national security — to prevent data leakage.
The USA. The shadow of regulation-limiting politics looms large in the USA. Trump-aligned Republicans have again pushed for a moratorium on state-level AI regulation. The idea is to block states from passing their own AI laws, arguing that a fragmented regulatory landscape would hinder innovation.
One version of the proposal would tie federal broadband funding to states’ willingness to forego AI rules — effectively punishing any state that tries to regulate. Yet this pushback isn’t unopposed: more than 260 state lawmakers from across the US, Republican and Democrat alike, have decried the moratorium.
The EU. A big political storm is brewing in the EU. The European Commission has rolled out what it calls the Digital Omnibus, a package of proposals aimed at simplifying its digital lawbook — a move welcomed by some as needed to improve the competitiveness of the EU’s digital actors, and criticised by others over potentially negative implications in areas such as digital rights. The package consists of the Digital Omnibus Regulation Proposal and the Digital Omnibus on AI Regulation Proposal.
What’s making waves., The Digital omnibus on AI Regulation Proposal delays the implementation of ‘high-risk’ rules under the EU’s AI Act until 2027, giving Big Tech more time before stricter oversight takes effect. The entry into force of high-risk AI rules will now align with the availability of support tools, giving companies up to 16 months to comply. SMEs and small mid-cap companies will benefit from simplified documentation, broader access to regulatory sandboxes, and centralised oversight of general-purpose AI systems through the AI Office.
Cybersecurity reporting is also being simplified with a single-entry interface for incidents under multiple laws, while privacy rules are being clarified to support innovation without weakening protections under the GDPR. Cookie rules will be modernised to reduce repetitive consent requests and allow users to manage preferences more efficiently.
Data access will be enhanced through the consolidation of EU data legislation via the Data Union Strategy, targeted exemptions for smaller companies, and new guidance on contractual compliance. The measures aim to unlock high-quality datasets for AI and strengthen Europe’s innovation potential, while saving businesses billions and improving regulatory clarity.
The Digital Omnibus Regulation Proposal has implications for data protection for the EU. Proposed changes to the General Data Protection Regulation (GDPR) a would redefine the definition of personal data, weakening the safeguards on when companies can use it — especially for AI training. Meanwhile, cookie-consent is being simplified into a ‘one click’ model that lasts up to six months.
Ring the alarm. Privacy and civil rights groups expressed concern that the proposed GDPR changes disproportionately benefit large technology firms. A coalition of 127 organisations has issued a public warning that this could become ‘the biggest rollback of digital fundamental rights in EU history.’
These proposals must go through the EU’s co-legislative process — Parliament and Council will debate, amend, and negotiate them. Given the controversy (support from industry, pushback from civil society), the final outcome could look very different from the Commission’s initial proposal.
Privacy in motion
In the EU, policymakers are making adjustments to improve the implementation of the General Data Protection Regulation (GDPR). The Council of the EU has adopted new measures to accelerate the handling of cross-border data protection complaints. Among the key changes is the introduction of harmonised criteria for determining whether a complaint is admissible, ensuring that citizens receive the same treatment no matter where they file a GDPR complaint. The rules also strengthen the rights of both complainants and companies under investigation, including clearer procedures for participation in the case and access to preliminary findings. To reduce administrative burdens, the regulation introduces a simplified cooperation procedure for straightforward cases, allowing authorities to close cases more quickly without relying on the full cooperation framework.
India has begun implementing its new national data protection system, marking a significant step toward a more structured privacy framework. The Digital Personal Data Protection Act 2023 is now in force, following the approval of implementing rules that outline how the law will be applied. These rules establish initial institutional and procedural requirements, including the creation of a Data Protection Board, while giving organisations additional time to comply with other obligations such as consent management and breach reporting.
The common thread. Regulators in the EU and India are moving from writing the data protection rules to the rather complex task of implementing them.
Europe’s push for digital independence
France and Germany jointly hosted the Summit on European Digital Sovereignty in Berlin to accelerate action on Europe’s digital independence. The two countries introduced a joint roadmap highlighting seven strategic priorities:
- Regulatory simplification: A more innovation-friendly EU framework, including a proposed 12-month postponement of AI Act high-risk requirements and targeted GDPR simplification.
- Fairer digital markets: Continued efforts to ensure contestable cloud and digital markets, including the European Commission’s market investigation into cloud hyperscalers.
- Data sovereignty: Stronger safeguards for sensitive data, protection from non-EU extraterritorial risks, and mandatory privacy-enhancing technologies aligned with cybersecurity rules.
- Digital commons: Advancement of the Digital Commons-EDIC initiative with partner countries.
- Digital public infrastructure & open source: Support for the European Digital Identity Wallet and wider deployment of open-source tools in public administrations.
- Digital Sovereignty Task Force: A new Franco-German body to define sovereignty indicators and propose concrete policy measures by 2026.
- Frontier AI: Actions to create a world-leading European environment for breakthrough AI innovation.
The summit also served as a catalyst for major private-sector commitments, with more than €12 billion in investment pledged toward key digital technologies.
German Chancellor Friedrich Merz called the summit ‘an important milestone’ toward a more sovereign and competitive digital Europe, while French President Emmanuel Macron emphasised a ‘historic convergence’ of European digital ambition.
A major development accompanying the summit was the launch of the European Network for Technological Resilience and Sovereignty (ETRS). This new coalition of leading think tanks and experts aims to enhance Europe’s capacity for innovation and reduce its reliance on foreign technologies. Founding members include Bertelsmann Stiftung (Germany), CEPS (Belgium), the AI & Society Institute (France), and the Polish Economic Institute.
The ETRS will act as a shared knowledge engine connecting academia, civil society, industry, and public institutions to support evidence-driven policymaking. From 2026 onward, it will launch expert workshops, strategic mapping of technology dependencies, and an international pool of specialists focused on digital sovereignty. The network is open to new participants, with more than a dozen already joining.
The gist of it. ‘Europe currently relies on the United States and China for more than 80 percent of its critical digital technologies, ranging from cloud computing and artificial intelligence to semiconductors,’ ETRS noted in a statement. That figure illustrates why the EU is taking this approach. For years, the EU has been a world leader in rule-making — but it has also been playing a high-stakes game of catch-up in developing the technologies it regulates. Now, the bloc is aiming to become a master of both.
Cotonou Declaration sets ambitious 2030 digital goals for West and Central Africa
West and Central African digital economy ministers have launched an ambitious initiative for digital transformation with the Cotonou Declaration, adopted at a regional summit in Cotonou, Benin, on November 17–18, 2025. The Declaration sets targets for 2030, including a Single African Digital Market, 90% broadband coverage, interoperable digital infrastructures like IDs and payments, doubled intra-African e-commerce, and harmonised frameworks for cybersecurity, data governance, and AI.
Human capital is central: 20 million people are expected to gain basic digital skills, and two million new digital jobs or entrepreneurial opportunities will be created, especially for youth and women. Ministers also pledged to strengthen innovation ecosystems and promote African-led AI, building regional cloud and data infrastructure to drive economic growth.
Investment coordination will be facilitated through national digital compacts aligning reforms, funding, and partnerships.
Dutch retreat calms Nexperia chip dispute with China
The Dutch government has suspended its takeover of Nexperia, a Netherlands-based chipmaker owned by China’s Wingtech, following constructive talks with Chinese authorities.
Dutch Economy Minister Vincent Karremans stated that the pause in the takeover is intended as a goodwill gesture, and that dialogue with China will continue — the decision was made in consultation with the EU and international partners.
The EU’s trade chief, Maroš Šefčovič, welcomed the move, saying it could help stabilise chip supply chains.
China has also begun releasing stockpiled chips to ease the shortage.
The heart of the matter. The episode underscored the fragility of global semiconductor supply chains.
LAST WEEK IN GENEVA
The UN Commission on Science and Technology for Development (CSTD) held its 2025–2026 inter-sessional panel on 17 November at the Palais des Nations in Geneva. The agenda focused on science, technology and innovation in the age of AI, with expert contributions from academia, international organisations, and the private sector. Delegations also reviewed progress on WSIS implementation ahead of the WSIS+20 process, and received updates on the implementation of the Global Digital Compact (GDC) and ongoing data governance work within the dedicated CSTD working group. The findings and recommendations of the panel will be considered at the twenty-ninth session of the Commission in 2026.
The CSTD’s multi-stakeholder working group on data governance at all levels met for the fourth time from 18 to 19 November. Delegates reviewed recent inputs, discussed principles, interoperability, benefit-sharing, and secure data flows, and planned next steps for the Working Group’s progress report to the UN General Assembly.
LOOKING AHEAD
The G20 Leaders’ Summit is scheduled for 22 and 23 November in Johannesburg, South Africa. This annual meeting brings together the heads of state and government from the 19 member countries, plus the African Union and the EU. Expected on the agenda: AI. data governance, and critical minerals. Not expected: the USA’s attendance.
The second half of ITU’s World Telecommunication Development Conference 2025 (WTDC‑25) in Baku, Azerbaijan, will be held next week. The conference brings together governments, regulators, industry, civil society, and other stakeholders to discuss strategies for universal, meaningful, and affordable connectivity. Participants are also reviewing policy frameworks, investment priorities, and digital development initiatives. They will also adopt a Declaration, Strategic Plan, and Action Plan to guide global ICT development through 2029.
On 24 November, UNIDIR will host its Innovations Dialogue on neurotechnologies and their implications for international peace and security in Geneva and online. Experts from neuroscience, law, ethics, and security policy will discuss developments such as brain-computer interfaces and cognitive enhancement tools, exploring both their potential applications and the challenges they present, including ethical and security considerations. The event includes a poster exhibition on responsible use and governance approaches.
Several national and regional IGFs will also be held next week: the Polish IGF (24-25 November), the North African IGF (24-26 November), and the Nigerian IGF (24-27 November).
DiploFoundation is inviting civil society organisations to apply by 30 November 2025 for the CADE Capacity Development Programme 2025–2026. The programme helps CSOs strengthen their role in digital governance through a mix of technical courses, diplomatic skills training, and expert guidance. Participants can specialise in AI, cybersecurity, or infrastructure policy, receive on-demand helpdesk support, and the most engaged will join a study visit to Geneva. Fully funded by the EU, the programme offers full scholarships to selected organisations, with a special welcome to those from the Global South and women-led groups.
READING CORNER
ITU’s Measuring digital development: Facts and Figures 2025 offers a snapshot of the most important ICT indicators, including estimates for the current year.
EU data protection law and competitiveness are struggling to work cohesively, according to senior Union leaders. That is why the GDPR and ePD are next on the digital omnibus’ chopping…
Is AI destroying the value of learning? From elementary classrooms to universities, educators face a new reality: students using AI to bypass critical thinking. Read Part 1 of this series
The alarmism that followed the 1972 ‘Limits of Growth’ report, which predicted civilisation’s collapse by c. 2040, pushed policy towards centralisation, token gestures, and factional debate. Aldo Matteucci analyses.