European Parliament advances child safety privacy balance

The European Parliament has adopted amendments to a temporary exemption from the EU’s ePrivacy rules, seeking to preserve voluntary detection of child sexual abuse material while strengthening protections for end-to-end encrypted communications.

MEPs voted to exclude communications protected by end-to-end encryption from the scope of the temporary derogation, reinforcing privacy protections while maintaining support for voluntary detection measures.

The amendments were adopted during Parliament’s second reading of the proposal. Although a simple majority initially voted to reject the Council’s position, the motion failed because it did not reach the required absolute majority of 360 votes. Parliament therefore proceeded to adopt amendments instead.

The amended text now returns to the Council, which has three months to approve or reject Parliament’s changes. If the Council does not accept all of the amendments, the proposal will move to conciliation negotiations.

The temporary derogation is intended to prevent a legal gap following the expiry of the previous exemption in April 2026. It allows electronic communications providers to continue voluntarily detecting, removing and reporting child sexual abuse material while EU institutions negotiate a permanent legal framework.

Earlier negotiations between the European Parliament and the Council failed to produce an agreement, allowing the previous temporary framework to expire before the proposal returned for a second reading.

At the same time, Parliament and the Council continue negotiations on a permanent legislative framework to combat child sexual abuse online. Most elements have already been agreed, with discussions continuing on issues such as the balance between child protection and fundamental rights, including privacy and secure communications.

Why does it matter?

The vote highlights the EU’s continuing effort to balance child protection with fundamental rights. By excluding end-to-end encrypted communications from the temporary derogation, Parliament is signalling that stronger safeguards against child sexual abuse should not come at the expense of weakening secure communications.

The decision also keeps voluntary detection measures in place while negotiations continue on a permanent framework. The outcome of those talks is likely to shape how the EU reconciles online safety, privacy and encryption in future digital regulation.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EU court upholds Apple’s DMA gatekeeper designation

The General Court of the European Union has dismissed Apple’s legal challenges to its designation as a gatekeeper under the Digital Markets Act (DMA). The court confirmed that the App Store and iOS qualify as core platform services, meaning Apple must comply with the regulation’s competition obligations.

Apple argued that the different versions of the App Store available across its devices should be treated as separate services. The court rejected that argument, concluding that they all perform the same function of connecting app developers with end users.

The court also dismissed Apple’s claims relating to iMessage as inadmissible. It ruled that the Commission’s decision not to designate iMessage as a core platform service subject to DMA obligations did not produce binding legal effects that Apple could challenge before the courts. The related decisions opening and closing the Commission’s investigation were likewise found to be inadmissible.

The judgement therefore upholds the European Commission’s assessment that the App Store operates as a single core platform service across Apple’s ecosystem. As a result, Apple remains subject to the DMA’s interoperability and fair competition requirements.

The ruling marks an important enforcement milestone for the Digital Markets Act. Apple must continue complying with the obligations imposed under the regulation, which is designed to promote fair competition in digital markets. The judgement was delivered in Luxembourg on 8 July 2026.

Why does it matter?

The ruling strengthens the EU’s enforcement of the Digital Markets Act by confirming the European Commission’s broad interpretation of what constitutes a core platform service. It also signals that courts are prepared to uphold gatekeeper obligations imposed on the largest digital platforms.

For developers and consumers, the decision reinforces the legal basis for measures intended to increase competition within Apple’s ecosystem, including interoperability requirements and greater opportunities for alternative app distribution. More broadly, the judgment may shape future legal challenges brought by other companies designated as gatekeepers under the DMA.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

EU unveils AI cybersecurity Action Plan

The European Commission has published an Action Plan to address the cybersecurity risks and opportunities created by advanced AI models. Released on 7 July 2026, the initiative sets out a coordinated approach to strengthening Europe’s cyber resilience as AI capabilities continue to advance.

The Action Plan brings together member states, industry and EU institutions to coordinate responses to AI-related cybersecurity challenges. Rather than introducing new legislation, it builds on the EU’s existing regulatory framework while adapting it to risks posed by increasingly capable AI systems.

The Commission says the plan will strengthen defences against vulnerabilities that AI systems may introduce or exploit. It also promotes closer cooperation between public and private stakeholders, reflecting the view that AI governance and cybersecurity must increasingly be treated as interconnected policy areas.

The Action Plan forms part of the EU’s broader strategy to strengthen digital resilience while maintaining technological competitiveness. Its implementation will depend on cooperation between governments, regulators, businesses and cybersecurity organisations across the Union.

Why does it matter?

The Action Plan reflects growing recognition that advanced AI models are changing the cybersecurity landscape by strengthening defensive capabilities while also creating new opportunities for attackers. As AI systems become more capable and autonomous, policymakers are increasingly treating AI safety and cybersecurity as part of the same strategic challenge.

The initiative also reinforces the EU’s broader digital sovereignty agenda. Rather than creating separate policies for AI and cybersecurity, the Commission is integrating the two into a common governance framework. That approach could influence how organisations deploy AI in critical sectors and provide a model for other jurisdictions developing AI cybersecurity strategies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

European Commission takes four countries to EU court over NIS2 delays

The European Commission has referred Ireland, Spain, France and the Netherlands to the Court of Justice of the European Union for failing to transpose the NIS2 Directive fully into national law.

The Directive strengthens the EU cybersecurity rules and sets common requirements for organisations operating in critical sectors.

Member states were required to transpose NIS2 by 17 October 2024, but the four countries have not notified the Commission of full implementation.

The referrals follow earlier infringement steps. The Commission sent letters of formal notice on 28 November 2024 and reasoned opinions on 7 May 2025.

The Commission is asking the Court to impose financial sanctions, including a lump sum and daily penalties until the countries notify complete transposition.

NIS2 applies to entities in 18 critical sectors, including health, energy, transport and public administration.

The Directive aims to improve national and EU-wide cyber resilience by strengthening risk management, incident response and security obligations for public and private entities.

The Commission said full implementation is essential for improving the EU’s overall resilience and the incident response capacity of organisations operating in critical sectors.

Why does it matter?

The referral shows that the Commission is prepared to enforce cybersecurity law against member states that fail to meet implementation deadlines. NIS2 is designed to create a more consistent baseline of cyber resilience across the EU, but delays in national transposition can leave organisations facing fragmented obligations and uneven enforcement. For critical sectors, consistent implementation is central to risk management, incident response and cross-border resilience.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

ESRB urges EU action on frontier AI cyber risks in finance

The European Systemic Risk Board has warned that frontier AI models could strain cyber resilience in the EU financial system by increasing the speed, scale and sophistication of cyberattacks.

The warning follows the ESRB General Board’s assessment that systemic cyber risk has risen to ‘severe’, up from ‘elevated’ earlier this year.

The ESRB defines frontier AI models as advanced AI models capable of materially affecting offensive or defensive cyber operations.

According to the Board, these models may eventually strengthen cyber resilience, but in the short to medium term, they are likely to give threat actors an advantage.

The ESRB said frontier AI can help attackers discover vulnerabilities and execute cyberattacks more quickly and at greater scale.

It also warned that the concentration of leading AI providers outside the EU creates strategic dependency and geopolitical risks.

The Board called on the EU to scale up capacity, expertise and strategic autonomy in frontier AI and cybersecurity.

It said the response should involve AI providers, software providers, security firms, open-source maintainers, financial institutions and authorities at the national and the EU level.

The ESRB said it will continue monitoring the development and use of frontier AI models with cyber capabilities and their impact on the financial sector from a systemic risk perspective.

Why does it matter?

The ESRB warning puts frontier AI into the financial stability debate. If advanced AI models help attackers identify vulnerabilities and launch cyberattacks more quickly, financial institutions could face shorter response windows and greater systemic risk. The warning also links cybersecurity to the EU strategic autonomy, because dependence on non-EU AI providers could affect the resilience of Europe’s financial infrastructure during crises.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Finland opens consultation on platform work legislation implementing EU rules

Finland’s Ministry of Economic Affairs and Employment has opened a public consultation on a draft Platform Work Act that would transpose the EU Platform Work Directive into national law.

The consultation runs from 8 July to 28 August 2026.

A tripartite working group with representatives from government ministries, employer organisations, trade unions and occupational safety authorities prepared the draft act. The group did not reach a unanimous position.

The proposed act would introduce a legal presumption of an employment relationship for people working through digital labour platforms.

Its purpose is to make it easier to determine whether platform workers are employees or self-employed by shifting the burden of proof from the worker to the platform company.

The proposal also includes measures to increase transparency in algorithmic management, including automated decision-making and monitoring systems.

It would strengthen the protection of platform workers’ personal data and require the impact of automated systems to be considered when safeguarding workers’ health and safety.

Occupational safety and health authorities would be able to impose fines on platform companies and intermediaries that breach the rules. The draft also includes a prohibition on reprisals.

Additional national rules would require platform companies to verify workers’ identities and take reasonable steps to ensure contractual terms are appropriate.

The act is intended to enter into force on 2 December 2026 and would apply to platform work carried out in Finland, regardless of where the digital labour platform is established.

Why does it matter?

Finland’s proposal shows how the EU member states are beginning to turn the Platform Work Directive into national rules. The draft addresses two central issues in the gig economy: employment status and algorithmic management. By shifting the burden of proof to platform companies and increasing transparency around automated decision-making, the proposal could give workers stronger protections while forcing platforms to document how their systems manage work, data and safety.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EU calls for evidence-based AI governance at UN dialogue

The European Union has called for evidence-based AI governance and stronger international cooperation during the first UN Global Dialogue on AI Governance in Geneva.

Speaking on behalf of the EU and its member states, European Commission Director-General Roberto Viola said the meeting was the first dedicated UN gathering on AI governance involving all members of the organisation.

The EU said broad stakeholder participation was essential for the relevance of the Dialogue’s outcomes and could help lay the foundation for stronger international cooperation.

The statement said frontier AI is advancing quickly, creating opportunities in biotechnology, industrial AI, robotics and public-interest innovation.

It also pointed to the EU investments in AI Factories, AI Gigafactories, computing capacity and a sovereign AI ecosystem.

At the same time, the EU warned that rapid AI development creates societal, economic and security risks.

The statement highlighted risks to children’s safety and rights, possible misuse of AI against critical infrastructure, the environmental footprint of AI systems and concerns over generative AI’s impact on cultural creators and journalism.

The EU described its AI governance approach as human-centric, risk-based and grounded in international human rights law.

It also emphasised the role of the Independent International Scientific Panel on AI, arguing that political debates on AI are moving faster than the evidence base.

The EU said independent, peer-reviewed and internationally validated evidence should provide a factual baseline for AI policy decisions.

Why does it matter?

The EU statement shows how Brussels wants to shape global AI governance around trust, human rights, scientific evidence and multistakeholder cooperation. Its focus on frontier AI risks also reflects a growing concern that policy processes are struggling to keep pace with advances in capability. By backing the Independent International Scientific Panel on AI, the EU argues that global AI governance should be grounded in evidence rather than projections, lobbying, or geopolitical competition.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Europol denies bypassing EU data protection rules

Europol has rejected allegations that it operated a ‘secret’ or ‘shadow’ database outside the EU data protection rules.

In a new fact-check, the agency said recent reports misrepresented two long-established operational environments used to support digital investigations and online information analysis.

Europol said its Computer Forensic Network is used to analyse complex digital evidence securely in support of criminal investigations.

It also said the Internet-Facing Operational Environment is used to collect and triage publicly available online information before relevant material is transferred to Europol’s operational systems in accordance with applicable legal requirements.

The agency said neither environment was created to bypass oversight or data protection obligations.

Europol also published a timeline showing that both systems have existed for many years and have evolved alongside changes to its legal framework, governance and supervisory arrangements.

The agency said it has worked with the European Data Protection Supervisor on governance improvements, technical modernisation and safeguards, including after regulatory changes introduced in 2022.

Europol said public debate on law enforcement and privacy should be based on accurate descriptions of operational systems and their oversight.

Why does it matter?

The dispute highlights the tension between law enforcement’s need to process large volumes of digital evidence and the privacy safeguards required under the EU law. Europol’s response is important because operational data systems used in cybercrime, terrorism and serious organised crime investigations can affect fundamental rights if oversight, retention and access rules are unclear. The case also shows why transparency about investigative infrastructure matters for public trust, especially as law enforcement agencies modernise their data-processing capabilities.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

EU urged to cover platform monetisation in Digital Fairness Act

A coalition of civil society organisations, academics, and advocates has published an open letter urging the European Commission to ensure that forthcoming Digital Fairness Act rules on influencer marketing extend beyond third-party advertising payments to include income generated through platform monetisation services.

The signatories welcome the Commission’s proposal to require influencers to disclose payments received for their content but argue that it leaves a significant transparency gap. They note that social media platforms increasingly provide creators with monetisation tools such as subscriptions, donations, affiliate marketing, branded partnerships and platform-funded bonus programmes, many of which would fall outside rules focused solely on third-party advertising payments.

The letter proposes minimum transparency measures including labels identifying content that benefits from platform monetisation, account-level labels showing participation in monetisation programmes, public monetisation libraries to support independent oversight, and disclosures explaining platforms’ monetisation policies, moderation practices and enforcement.

The coalition, whose members include AlgorithmWatch, Bits of Freedom, Corporate Europe Observatory, and the Digital Rights Foundation, together with academic experts including an associate professor from Finland’s Hanken School of Economics, has invited the Commission to discuss ways of incorporating these proposals into the Digital Fairness Act before it is finalised.

Why does it matter?

The debate reflects a broader shift in how online influence is financed. Increasingly, creators earn income not only from advertisers but also through platform-designed monetisation systems that reward engagement, subscriptions and other forms of user activity. Without transparency around these incentives, audiences may struggle to distinguish between organic content and content shaped by commercial rewards built into platform design.

The Digital Fairness Act, therefore, presents an opportunity to broaden consumer protection beyond traditional advertising disclosure. Extending transparency requirements to platform monetisation could improve accountability for creators and platforms alike while giving regulators, researchers and users greater visibility into the financial incentives shaping online content.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

MEPs to debate EU AI cybersecurity strategy

Members of the European Parliament are set to question the European Commission on its latest AI and cybersecurity proposals, including a new AI cybersecurity strategy expected to be unveiled on 7 July.

According to the European Parliament’s plenary newsletter, the Commission’s action plan is expected to include measures to help EU member states and companies address AI-related cybersecurity risks.

The strategy is also expected to strengthen Europe’s AI cybersecurity capabilities as policymakers examine how AI is reshaping both cyber threats and cyber defence.

The debate follows the European Commission’s welcome of the G7 cybersecurity declaration on strengthening global cyber resilience. Parliament is also considering two legislative proposals collectively referred to as the ‘Cybersecurity Act 2‘.

The proposals are expected to address issues including the NIS2 framework, the role of the EU Agency for Cybersecurity (ENISA), the EU cybersecurity certification framework and ICT supply chain security.

The debate is scheduled for 7 July, as part of a European Commission statement followed by parliamentary scrutiny.

Why does it matter?

The debate shows that AI-related cybersecurity risks are becoming part of the EU’s broader cyber resilience agenda. By linking AI policy with NIS2, ENISA, certification and supply chain security, the EU is preparing to treat AI not only as an innovation priority but also as a cybersecurity concern.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!