The Organisation for Economic Co-operation and Development (OECD) has launched the AI Policy Toolkit, a practical guide intended to help governments translate AI principles into policy action. Released by the OECD under the Global Partnership on Artificial Intelligence, the first version is designed as a non-prescriptive resource for policymakers working across the AI policy cycle.
Building on the OECD AI Principles, the toolkit is intended to help governments identify policy priorities, compare international approaches and adapt guidance to national circumstances. The platform incorporates AI-powered semantic search to help users identify relevant policy examples and practical approaches drawn from real-world experience.
The OECD developed the AI Policy Toolkit through co-creation with end-users across regions, including targeted interviews and workshops in Southeast Asia, Latin America, and Africa. Policymakers, industry representatives and experts helped shape the platform around implementation challenges, including balancing innovation and regulation, addressing infrastructure gaps and supporting AI adoption in sectors such as agriculture, education and healthcare.
According to the OECD, the development process highlighted two key lessons: AI policy is heavily influenced by national context, institutional capacity and levels of digital maturity, while challenges such as advanced AI risks and linguistic and cultural representation often require international cooperation. Contributors included governments and organisations from Costa Rica, Italy, France, South Korea, Japan, the United Kingdom, the European Union, the French Development Agency, and the Inter-American Development Bank.
The OECD says the toolkit will continue to evolve through feedback, additional policy examples, and expanded coverage of emerging issues, including sector-specific guidance, infrastructure, and regulatory approaches. The OECD said the toolkit’s broader objective is to help governments move from high-level AI principles to practical implementation while managing risks and promoting trustworthy AI.
Why does it matter?
Many governments have adopted AI principles and strategies, but translating these commitments into practical policies remains a challenge. The OECD’s toolkit seeks to bridge that gap by providing policymakers with implementation guidance, real-world examples and policy options tailored to different national contexts.
The initiative also reflects growing recognition that effective AI governance requires both domestic policymaking capacity and international cooperation, particularly as countries confront shared challenges related to advanced AI systems, infrastructure needs and regulatory approaches.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
The European Commission has published a Strategic Roadmap for Digitalisation and AI in the Energy Sector, outlining how digital technologies could support a more resilient, competitive and secure European energy system.
The roadmap outlines how digital tools and AI could help consumers and businesses reduce energy costs through greater efficiency, smarter energy consumption and improved management of electricity demand. It also highlights the role of digital technologies in supporting the integration of renewable energy into electricity grids.
The Commission has structured the roadmap around three main priorities. These priorities include integrating data centres into energy systems in a sustainable manner, accelerating the deployment of digital and AI-enabled technologies such as smart meters and intelligent grid solutions, and establishing a framework for secure cross-border energy data sharing.
The Commission said the plan will also focus on cybersecurity, AI trust, digital skills and international cooperation. As part of the next phase, the Commission plans to support industry cooperation initiatives and launch the AI.grids community, which will focus on developing AI models for energy network management across the EU.
Why does it matter?
The energy sector is becoming increasingly dependent on digital technologies to manage growing electricity demand, integrate renewable energy sources and maintain grid stability. AI and advanced data analytics could help improve efficiency, reduce costs and support more flexible energy systems.
At the same time, greater digitalisation introduces new challenges related to cybersecurity, data governance and infrastructure resilience. The roadmap signals the EU’s intention to ensure that digital transformation in the energy sector supports both sustainability goals and long-term energy security.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The European Commission has proposed Chips Act 2.0, a new framework intended to strengthen Europe’s semiconductor ecosystem and build on the original European Chips Act.
The proposal aims to boost the EU’s competitiveness, technological sovereignty, and resilience while improving crisis preparedness in semiconductor supply chains. It forms part of the Commission’s wider European Technological Sovereignty Package, alongside the Cloud and AI Development Act, an Open Source Strategy, and a roadmap for digitalisation and AI in the energy sector.
The Commission says the EU remains structurally dependent on third countries for semiconductor design and manufacturing, including advanced and leading-edge chips needed for AI. It also points to gaps in crisis preparedness, noting that existing mechanisms rely heavily on voluntary information sharing outside crises and do not provide sufficient, timely supply-chain intelligence.
Chips Act 2.0 would support both mainstream and advanced semiconductors, including AI chips. Measures are expected to include stronger research and innovation support, faster permitting, supply-chain information tools, Semiconductor Regions of Excellence, skills investment, strategic projects, and innovation procurement.
The proposal also places greater emphasis on demand-side measures, including support for public procurement and industrial uptake of European semiconductor technologies. The Commission argues that stronger local demand can reinforce local supply, shorten supply chains, and better align European production capacity with the needs of strategic sectors.
The initiative complements the EU’s broader technological sovereignty agenda. The Commission says Chips Act 2.0 should help reduce strategic dependencies, improve security of supply, support industrial scale-up, and strengthen Europe’s role in semiconductor technologies needed for AI, cloud, defence, automotive, energy, and other critical sectors.
Why does it matter?
The Chips Act 2.0 shows how the EU is shifting from an emergency response to the global chip shortage to a broader semiconductor industrial strategy. The proposal links chip policy directly to AI competitiveness, cloud infrastructure, defence, energy, automotive supply chains, and technological sovereignty. Its emphasis on demand-side measures also matters: Europe is not only trying to attract semiconductor production, but also to create stronger domestic markets for European chip technologies.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
The General Court of the European Union has annulled the European Commission’s decision designating Meta as a gatekeeper for Marketplace under the Digital Markets Act, while upholding the company’s designation for Messenger.
The case concerned the Commission’s 5 September 2023 decision designating Meta as a gatekeeper for several core platform services, including Facebook, Messenger, and Marketplace. Meta challenged the decision in part, contesting the classification of Messenger and Marketplace as important gateways under the DMA.
The General Court upheld the Commission’s assessment of Messenger, finding that the service is a number-independent interpersonal communications service distinct from Facebook. The court said Messenger is available through standalone applications, can be used independently of Facebook, and includes tools that allow businesses to engage with users.
The court also found that the Commission did not have to count only Messenger users who were not also Facebook users when assessing whether the quantitative threshold under the DMA was met. It also said the Commission was not required to open a market investigation in the absence of sufficiently substantiated arguments from Meta calling the DMA presumptions into question.
For Marketplace, the court found that the Commission erred in law by relying only on data from the three years preceding designation without taking account of changes made at the end of July 2023. Those changes limited the number of listings that could be published per user and led to the disappearance of the criterion used by the Commission to identify business users.
The court also found that the Commission had not provided sufficient reasoning for classifying Marketplace as an online intermediation service. It said the Commission failed to provide a concrete analysis of the July 2023 changes or to explain their effect on whether Marketplace-enabled business users could offer goods and services to consumers.
As a result, the decision was annulled only to the extent that it designated Meta as a gatekeeper for Marketplace. Meta’s Messenger designation remains in place.
Why does it matter?
The judgement is an important test of how the EU courts will review Digital Markets Act gatekeeper designations. It confirms that the Commission can rely on DMA presumptions where companies do not provide sufficiently substantiated counterarguments, as seen with Messenger. But it also shows that the Commission must properly assess relevant changes and provide sufficient reasoning when classifying a service as a core platform service, as the Marketplace annulment demonstrates.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
The proposal is intended to support broader deployment and adoption of AI by expanding cloud and data centre capacity across Europe. The Commission said the ongoing deployment of AI factories and AI gigafactories is designed to provide European businesses and researchers with access to high-capacity, next-generation computing resources.
The Cloud and AI Development Act is intended to complement those efforts by supporting the wider diffusion of AI through expanded cloud and data centre infrastructure. It will also complement the Apply AI strategy, which aims to boost AI and cloud adoption across Europe.
The proposal focuses on three objectives. The first is research, development, and innovation, supporting the next generation of cutting-edge and sustainable cloud and AI technologies. The second is capacity, accelerating the deployment of data centres across the EU, with a focus on facilities that enhance essential public sector functions.
The third objective is autonomy. The proposal would introduce a single EU-wide assessment framework for cloud and AI sovereignty, accompanied by a public-sector adoption mechanism.
The Commission said the Cloud and AI Development Act complements other initiatives, including Chips Act 2.0 and the EU Open Source Strategy, as part of efforts to build a more competitive, secure, and resilient European digital economy.
Why does it matter?
The proposal shows how the EU is treating cloud and data centre capacity as core infrastructure for AI competitiveness and digital sovereignty. AI factories and gigafactories may provide high-capacity computing resources, but wider AI adoption also depends on cloud infrastructure, sustainable data centres, and public-sector access to trusted services. The sovereignty assessment framework is especially important because it points to a more structured EU approach to assessing dependence, control, and trust in cloud and AI infrastructure.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
Finland’s national cyber resilience law entered into force on 1 June, establishing national procedures for implementing the European Union’s Cyber Resilience Act. The Cyber Resilience Act establishes cybersecurity requirements for software and hardware products placed on the EU market.
The law assigns responsibility for implementing key provisions of the Cyber Resilience Act to the National Cyber Security Centre Finland, which operates within the Finnish Transport and Communications Agency (Traficom). The act covers market surveillance, vulnerability reporting, notification of conformity assessment bodies, administrative sanctions, and provisions linked to EU cybersecurity certification.
From 11 September 2026, manufacturers will be required to notify the National Cyber Security Centre Finland of actively exploited vulnerabilities and serious security incidents affecting their products. Notifications must be submitted within 24 hours of the manufacturer becoming aware of the vulnerability or incident.
Products covered by the Cyber Resilience Act must comply with its requirements from 11 December 2027. The requirements apply to manufacturers, importers, distributors, and open-source software stewards, while high-risk AI systems in Finland will be supervised by the authorities responsible for the Artificial Intelligence Act in their respective sectors.
Finland has also amended its Act on Electronic Communications Services to support the implementation of domain name registration requirements under the NIS2 Directive. The new obligations will apply after a three-month transition period and will extend to domain name resellers and certain domain names other than .fi and .ax, where the entity’s main establishment or designated representative is located in Finland.
Why does it matter?
The Cyber Resilience Act represents one of the EU’s most significant efforts to improve cybersecurity across connected products and software. By introducing security-by-design requirements, vulnerability reporting obligations and market surveillance mechanisms, the regulation aims to reduce cybersecurity risks throughout the digital supply chain.
Finland’s implementation measures provide the national framework needed to enforce these requirements, while the related NIS2 amendments further strengthen oversight of critical digital infrastructure and domain name services.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!
The Computers, Privacy and Data Protection (CPDP) conference is an annual gathering that brings together academics, policymakers, industry representatives, civil society, students, and EU institutions to discuss emerging digital policy challenges. This year’s theme was ‘Competing Visions, Shared Futures’, the 19th in the series, and it hosted approximately 150 panels over the span of 3 days in Brussels.
What is CPDP?
CPDP’s value lies in its multidisciplinary approach. With academics presenting their work or debating topical issues, as well as with industry and policy experts bringing their expertise to the table, the event creates a space for honest conversations among participants.
The conference is sponsored by organisations such as Google, TikTok, Apple, as well as the European Data Protection Supervisor (EDPS), European Union Agency for Fundamental Rights (FRA) and VBU. Google even presented its Banana AI model in a photo booth, allowing participants to modify photos they took in the booth.
Alongside panels, CPDP hosts an array of workshops, short films, artwork, radio programming, promotion booths, dedicated DPO, youth, finance and IT tracks, book launches, and pop-up exhibitions. The event always closes the day in style with an open bar and a party to chat and network at.
CPDP is not a typical conference with just panels, attendees, moderators, and lengthy speeches. The conference inspires creativity and gives the freedom to achieve it. This was proven by the diverse topics showcased in the event’s schedule over the three days.
From a fireside chat with the artist, Simon Denny, behind the conference’s art, who uses AI as a medium in some of his work, to typical discussions about the Digital Omnibus or tracking period apps, all the way to an exiled journalist talking about Russian internet censorship. There was something for everyone.
Image via Magnific
What was presented?
The breadth of topics discussed at CPDP offers insight into the issues currently shaping Europe’s digital policy agenda. There were approximately 150 panels in total, with data protection, AI, the Digital Omnibus and the topics of digital sovereignty receiving the most attention. Data protection received the most attention overall, as 33 panels were dedicated to the topic. This was followed by 26 panels on AI, 12 on the Digital Omnibus, 10 on digital sovereignty, and 7 on child-related protection.
The distribution of panels reflects the growing prominence of AI in digital policy discussions. However, data protection topics, including privacy and the GDPR, are still the frontrunners in terms of topic relevance. Newer and emerging topics reveal what is topical in the digital world.
Growing concerns over US tech reliance have intensified discussions about EU digital sovereignty. Alongside this, another heavily debated and sensitive topic is child protection in the online context and its generative AI implications, which raises questions about how to better protect children online.
Emerging topics at CPDP
Digital sovereignty is a challenging topic as it encompasses a lot and has yet to be defined, meaning that taking action can look different for a wide variety of actors. Several discussions framed digital sovereignty as a pathway towards greater digital independence and reduced reliance on external technology providers. In order to try to achieve digital sovereignty, public procurement should be steered away from non-EU actors and towards EU businesses to develop a European stack.
Yes, private partnerships are important, but public ones set the tone. Several participants argued that public procurement choices will play an important role in determining whether EU can strengthen domestic digital capabilities and reduce strategic dependencies. Digital sovereignty needs to come from all corners of the market and society; that is the challenge.
A very interesting panel on data protection and AI, the GDPR, and privacy occurred. In Academic Session I, Stephanie von Maltzan presented findings about her groundbreaking research on LLM unlearning. The larger the LLM, the more data points it will be trained on and the more complex its ‘web’ will be.
Removing data points is not a common practice, given how data points interact with each other, meaning that complexity overrides certain fundamental rights. For example, when data subjects invoke their right to erasure under Article 17 of the GDPR, they may request that certain data be deleted in an LLM, yet this request is difficult to carry out in practice.
The research highlights one of the emerging challenges at the intersection of AI governance and data protection. She presents a two tier model in which the actively deployed LLM is accompanied by a parallel ‘shadow’ model.
After receiving a valied erasure request, the ‘shadow model’ would undergo the necessary unlearning processes to remove the relevant data. In the second tier, in a scheduled update, the ‘shadow’ model, which had undergone unlearning, would replace the initial LLM, thereby upholding data subject requests.
Apart from these insightful exchanges of knowledge on AI, digital sovereignty and data protection, the conference offered practical workshops on how to brainstorm re-writing the proposed Article 88b of the Omnibus, data protection officer and cybersecurity crisis scenarios, as well as open conversations about how to protect children in online environments.
Remaining questions
The conference also highlighted several unresolved policy questions that continue to shape European digital governance debates.
Regarding the Digital Omnibus, would companies scale up overnight if we removed regulations?
Does digital sovereignty need/have a definition, or should it be left to the meaning of ‘digital independence’?
Open markets vs data protection, where is the balance?
Regarding digital sovereignty, which clouds should be used in the EU?
Should simplification mean using the once-used definition of personal data by the CJEU, or sticking to the definition relied on in law, cases, and practice?
In order to protect EU sovereignty, should parts of the stack be a public utility?
Why does it matter?
CPDP 2026 demonstrated that while privacy and data protection remain central pillars of European digital policy, debates around AI governance, digital sovereignty and online child protection are rapidly gaining prominence.
The discussions highlighted the growing challenge of balancing innovation, competitiveness, fundamental rights and strategic autonomy as Europe defines its digital future.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
NGI Commons has outlined expectations for the European Union’s forthcoming Tech Sovereignty Package, a policy initiative aimed at strengthening Europe’s control over critical digital technologies and reducing reliance on non-European providers.
The initiative is expected to focus on semiconductors, cloud computing, AI and open-source software. According to NGI Commons, the package aims to align and simplify existing policies rather than introduce a new layer of regulation.
The framework builds on recommendations from Mario Draghi’s report on European competitiveness and seeks to support innovation, competitiveness and the EU’s broader objective of open strategic autonomy. A central element of the proposal is the recognition of open technologies as digital commons that underpin Europe’s digital ecosystem.
The analysis argues that open-source software should be treated as strategic infrastructure and supported through long-term funding, coordinated development efforts and greater public-sector adoption to strengthen digital resilience and security.
The report notes that challenges remain, including securing long-term funding, managing the growing energy demands of AI infrastructure and attracting investment, as policymakers seek to balance technological sovereignty with competitiveness.
Why does it matter?
The Tech Sovereignty Package is expected to shape how Europe approaches critical technologies such as semiconductors, cloud services, AI and open-source software in the coming years.
By treating open technologies as strategic infrastructure, policymakers could strengthen digital resilience, reduce external dependencies and support the EU’s broader goal of technological sovereignty while maintaining competitiveness in the global digital economy.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The European Commission has appointed two new expert bodies to support the implementation and enforcement of the EU’s AI Act. The Scientific Panel and Advisory Forum will provide independent expertise to the Commission’s AI Office and national authorities responsible for supervising compliance with the regulation.
The Scientific Panel comprises 60 independent experts from fields including frontier AI research, engineering, technical auditing, industry, and societal impact assessment. The panel will focus on general-purpose AI (GPAI) models and systems, systemic risk assessment, model classification, evaluation methodologies, and cross-border market surveillance.
Alongside the panel, the Commission has established an Advisory Forum bringing together representatives from academia, civil society, industry, startups and SMEs. The forum will provide technical advice on implementation challenges, standardisation efforts, and broader issues related to the enforcement of the AI Act.
Several EU agencies will hold permanent seats in the forum, including the European Union Agency for Fundamental Rights (FRA) and the European Union Agency for Cybersecurity (ENISA). Members of both bodies will serve two-year terms and are expected to contribute to the consistent application of the AI Act across the European Union.
Why does it matter?
The AI Act introduces a comprehensive regulatory framework for AI systems in the EU, including specific obligations for general-purpose AI models.
The new expert bodies are intended to strengthen the Commission’s technical capacity, support coordinated enforcement across Member States, and provide independent expertise on emerging risks, standards, and compliance challenges as AI technologies continue to evolve.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
The Greek Parliament has approved a bill from the Ministry of Digital Governance and Artificial Intelligence to expand digital public services, reduce bureaucracy, and strengthen cybersecurity.
The legislation implements the EU rules on the cross-border automated exchange of supporting documents through the once-only principle, allowing citizens and businesses to avoid repeatedly submitting the same documents to public authorities across the EU.
Greece’s new framework establishes technical and operational measures enabling public authorities to retrieve official documents securely and automatically, with the user’s consent. The system will operate through the European interoperability infrastructure and in line with the EU data protection requirements.
The General Secretariat for Information Systems and Digital Governance will oversee technical coordination and implementation.
Beyond cross-border services, the legislation introduces several domestic digital initiatives. These include a Defective Vehicle Recall Registry to notify vehicle owners about critical safety issues, upgrades to the MyStreet application with electric vehicle charging points and emergency gathering locations, and a customer relationship management platform on gov.gr that will allow citizens to track public service requests through a single interface.
The bill also includes measures to accelerate the launch of more than 800 new public-sector interoperability services and strengthen protections against online fraud. A National Malicious Website Blocking List will be established through Greece’s National Cybersecurity Authority to support faster blocking of phishing websites, scam portals, and malicious online services.
Why does it matter?
The legislation shows how EU interoperability rules are being translated into national digital government reforms. Greece is combining the once-only principle for cross-border public services with domestic service integration, citizen-facing digital tools, and cybersecurity measures against online fraud. The result is a broader shift towards public administration built around automated document exchange, consent-based data retrieval, and shared digital infrastructure.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!
