Introduction

With the beginning of a new European Commission mandate at the end of 2024, digital policy in the European Union entered a new phase. The new European Commission was expected to be an “implementation Commission” focused on ensuring that the recently introduced regulations are now successfully enforced. The Commission, with its recent digital policy omnibus simplification proposal is now also seeking to simplify the existing regulatory rulebook and to reduce regulatory burdens. Nonetheless, some important new pieces of legislation are expected to be proposed under the new mandate, potentially including a Digital Fairness Act and a Digital Networks Act. Another focus for the new European Commission is the promotion of Europe’s digital economy through various initiatives, especially in areas such as Artificial Intelligence and Quantum Technology. In a potentially significant sign, the Commission has chosen to re-emphasise technological sovereignty which seems to have become an important principle in many recent EU strategies. This blog sets out some of the new digital policy developments that occurred in 2025 and that may be expected in 2026.

Digital Omnibus Proposal

On 19 November 2025 the European Commission proposed the Digital Omnibus package which forms a part of the EU’s simplification agenda to reduce regulatory burdens. The omnibus includes a delay of the AI Act’s obligations for up to 16 months to December 2027. For cybersecurity, the omnibus is intended to simplify reporting requirements by dealing with current overlaps between legislation such as the NIS2 Directive, the General Data Protection Regulation (GDPR), and the Digital Operational Resilience Act (DORA). Perhaps most controversial are the proposed changes to the GDPR, which amongst other changes, may involve modifying the definition of personal data.

Regulating Artificial Intelligence

On 1 August 2024 the EU’s landmark Artificial Intelligence Act (AI Act) entered into force. The Act mainly focuses on what is categorised as high-risk AI that could pose significant risks to health, safety, or fundamental rights. In November 2025 the Commission proposed delaying some key parts of the AI Act. This includes provisions relating to high-risk AI which may potentially be delayed until December 2027. There is still ongoing uncertainty about what the exact timelines will be. For AI that is deemed to be high-risk, the regulation would impose obligations relating to:

• The quality, representativeness, and suitability of datasets;
• Record-keeping of the AI system’s functioning throughout its lifecycle;
• The transparency and interpretability of how an AI system operates;
• Human oversight of AI systems and;
• The accuracy, robustness and security of AI systems.

Developers of high-risk AI must ensure quality management and risk assessment systems for the entire lifecycle of an AI application. For some categories of entities deploying AI, such as public services, a fundamental rights impact assessment is required to assess any human rights risks posed by the AI system. High-risk AI applications must undergo a conformity assessment before being placed on the market and again each time the application is deemed to have been ‘substantially modified’.

Furthermore, certain types of technologies will be highly restricted or prohibited under the AI Act – including the use of remote biometric identification by law enforcement or the use of social scoring technologies by public services. For AI that is considered ‘low-risk’, there will be few or no new regulations, although a voluntary code of standards will be established. 

The Commission had originally intended to  propose an AI Liability Directive which would provide protection to consumers and help to provide legal clarity regarding obligations at different levels of the AI value chain e.g. between the developers and deployers of an AI application. Although initially expected to be part of the Commission’s 2025 work programme, the proposal has been withdrawn but there is an ongoing debate about the need for an AI Liability Directive which could mean it is reintroduced. Also relevant for AI regulation is the EU’s updated Product Liability Directive which entered into force on 8 December 2024. The Directive sets out rules regarding the legal responsibility of producers for defective products and how consumers can seek compensation. The updated Directive expands the definition of “product” to include digital products such as software, and it will also apply to AI.

Promoting AI

The European Commission has launched a number of initiatives and strategies to promote AI development and uptake in Europe. This includes the AI Continent Action Plan, released in April 2025, which seeks to drive AI development in Europe. Complementing the Action Plan is the AI Factories and AI Gigafactories initiatives to support AI development in Europe by facilitating access to supercomputing capacity and data and providing hubs to foster an ecosystem that facilitates AI innovation. The Commission also announced a €50 billion investAI initiative in February 2025, which will seek to invest in public-private partnerships to drive AI innovation and investment.

The Commission also adopted the “Apply AI Strategy” in October 2025 which seeks to promote AI uptake in eleven key sectors and promotes an “AI-first approach” in which AI should be “considered as a potential solution whenever organisations make strategic or policy decisions, taking into careful consideration the benefits and the risks of the technology.” This was accompanied by a Strategy for AI in Science to ensure that AI is harnessed for European scientific progress. The Commission is also preparing to propose a “Cloud and AI Development Act” which may seek to promote investments in data centres and set standards for cloud computing services, and is currently expected in Q1 2026.

Cybersecurity policies

The Cyber Resilience Act (CRA) entered into force in December 2024 and most of its obligations will begin to apply from December 2027. The CRA aims to promote high cybersecurity standards for products or applications with digital aspects, including both hardware and software, and including products such as phones, computers, toys or household appliances. The Act also imposes responsibilities on manufacturers to consider the security of the product throughout the duration of its lifecycle. The Cyber Solidarity Act was adopted in December 2024 and entered into force in February 2025. The Act aims to promote the cybersecurity preparedness of EU Member States and to enhance the capacity of Member States to cooperate in the event of cybersecurity incidents. The Act creates a European Cybersecurity Alert System based on a network of national and cross-border centres for cybersecurity which will work to detect cybersecurity threats. Furthermore, it establishes a Cybersecurity Emergency Mechanism to help Member States to support each other in responding to and recovering from cybersecurity incidents. A European Cybersecurity Incident Review Mechanism will enable the review and analysis of cybersecurity incidents so that lessons and recommendations can be drawn to improve European cybersecurity. Another cybersecurity initiative is the “European action plan on the cybersecurity of hospitals and healthcare providers” which was adopted on 15 January 2025. This action plan seeks to strengthen cybersecurity in the critical public service of healthcare, which has been exposed to high-profile cybersecurity incidents in recent years.

The European Data Union Strategy

Following on from the European Commissions’ initiatives to promote data sharing in the previous mandate – such as the Data Strategy, the Data Act and the Data Governance Act – the European Commission unveiled its new European Data Union Strategy in November 2025. This strategy seeks to draw on the existing rules on data sharing to further promote legal clarity and data sharing incentives. The Strategy also seeks to launch Data Labs and further build upon the European Commission’s Data Strategy with regards to the creation of sectoral specific common European Data Spaces. The Strategy priorities access to data for the training and development of AI and also seeks to safeguard the EU’s data sovereignty.  

European Democracy Shield

The European Democracy Shield communication was published in November 2025 and is an EU strategy to counter threats to democracy in Europe. The strategy has a major focus on disinformation and foreign information manipulation, with the strategy relying heavily on existing digital policy tools such as the Digital Services Act and the European Digital Meida Observatory. As part of the Democracy Shield, the Commission has promised to develop a Digital Services Act incidents and crisis protocol to facilitate coordination and swift reactions against foreign information operations. The Commission will also establish a European Centre for Democratic Resilience alongside a European Network of Fact-Checkers to help fight disinformation and foreign information manipulation.

Digital Fairness Act

A proposal for a Digital Fairness Act is expected to update consumer protection law for the digital environment. The Act will target so-called “dark patterns” in which online interfaces are designed to manipulatively influence consumer choices. This may include targeting online service providers who make it unduly difficult to terminate subscriptions or who use unfair autorenewal practices. Addiction-inducing digital practices may also be targeted by the Act, which could include recommender algorithms. The Act could also provide protection in relation to virtual products, such as products within games or virtual in-app currencies. The Act may also target the use of personal data by businesses when consumers lack adequate control or if such data is used to the consumers detriment. Other areas that the Act may address include unfair digital contracts, transparency in influencer marketing, and unfair dynamic pricing practices. The Act is currently expected in the second half of 2026.

Digital Networks Act

Some initial concepts for a Digital Networks Act were set out by the European Commission in a White Paper in 2024. The Digital Networks Act proposal that will be developed by the new European Commission is intended to seek ways to promote the development of digital infrastructures, including high-speed broadband. The Act may do so by incentivising investment, promoting a single market for telecommunications, and setting security standards for networks. One of the most controversial debates in relation to the Act is whether it will include so-called “fair share” or “fair contribution” provisions, which may force some providers of online content to contribute to the costs of internet service providers. A legislative proposal was originally expected in 2025 but is now expected in early 2026 due to controversies about some of the possible features of the forthcoming act.

A Quantum Strategy and a Quantum Act

Unlike some other areas of the digital economy, the EU is considered to be a competitive player in the space of quantum technology. The Commission released its Quantum Strategy in July 2025 and it seeks to make Europe’s the world’s quantum technology leader by 2030. To support this ambition the strategy contains plans to support research and innovation; develop quantum infrastructures and ecosystems; and to promote quantum skills. To support this strategy a European Quantum Act proposal is expected in 2026 and it is expected to coordinate research cooperation, promote European quantum technology industrial capacity; and strengthen supply chain resilience. This may include measures to address fragmentation between Member State initiatives, and to address issues of dependency on non-EU sources for relevant technology.

Well-being in the digital age

The European Commission is assessing steps to protect well-being and mental health in the digital environment. This includes a proposal for an “Action plan against cyberbullying” expected in 2026; an expert panel and  inquiry on the impacts of social media on well-being; and a promise to take action of an unspecified type in relation to the “addictive design of online services”. The precise nature of these various initiatives is yet to be seen, including how they will relate to the Digital Services Act, which already includes provisions relating to the effects of social media for mental well-being. It is also possible that there may be overlap with the proposed Digital Fairness Act (discussed above) which may also include provisions in relation to digital addiction. There is also likely to be debate about restricting access to social media for teenagers under the age of 16.

Conclusion

Although the new European Commission is widely regarded as being an “implementation Commission” rather than a Commission focused on proposing more digital policy regulations, the outline above shows some significant new proposals can still be expected. However, at the same time, the Commission is seeking to simplify the existing digital policy rulebook. It is nonetheless likely that enforcing the digital policy regulations of recent years will be the Commission’s priority. Some of the initiatives above may rely on harnessing the existing regulations that are already in place. For example the Democracy Shield and actions in relation to addictive social media design may rely on harnessing the Digital Services Act. The Data Union Strategy proposal is likely to build on the Data Act and Data Governance Acts. In some cases, there is a possibility that some of the new initiatives may introduce further legislative overlap. For example dark patterns are an expected focus for the Digital Fairness Act, but also already covered in other legislation including the Digital Services Act, the Digital Markets Act and the GDPR. There is a potential risk that confusion or uncertainty could arise if such overlaps are introduced without sufficient care. Ultimately, the 2025-2029 term for the Commission will be a key period to demonstrate whether it can succeed at turning its regulatory agenda into a reality.