On May 28, 2026, the European Union Agency for Cybersecurity (“ENISA”) published the third edition of its NIS360 report, an annual benchmarking tool that assesses the cybersecurity maturity of entities in the sectors set out in Annex I of the NIS2 Directive (which includes certain entities in the energy, transport, healthcare, digital infrastructure, and space sectors), as well as the relative criticality of the relevant sectors. The NIS360 is designed to support national authorities, policymakers, and other stakeholders in understanding where sectors stand in terms of cybersecurity readiness, including where more support or oversight might be needed.
Continue Reading ENISA’s NIS360 2026 report highlights both the criticality of the European space sector, and flags a persistent cybersecurity maturity gap
Three notable changes to the UK ICO’s guidance on cookies, and a hint of a more permissive approach to advertising cookies in the future
On 29 April 2026, the UK Information Commissioner’s Office (“ICO”) updated its guidance on the use of storage and access technologies (i.e., cookies and other technologies that store or access information stored on users’ devices) under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”). These updates follow on the heels of two public consultations about the clarity of this guidance. We set out details of three of the most relevant updates for private companies below.
Perhaps the most interesting element of the updated guidance, however, is an indication that the ICO is intending to follow through on its plan to enable the use of information storage / access technologies for “privacy-preserving” advertising purposes without consent. The ICO has not made explicit changes to its guidance, and the consultation response reiterates that the use of information storage / access technologies for online advertising—including related activities like frequency capping and ad measurement—currently requires consent under Regulation 6 of PECR. However, the ICO states that it will soon submit evidence to the UK Government on advertising-related activities that could be exempt from the PECR consent requirement, which the Government may then use to amend PECR to introduce statutory exemptions. It remains to be seen what the ICO will propose, but this could make it easier to engage in certain ad-related activities in the UK.
Continue Reading Three notable changes to the UK ICO’s guidance on cookies, and a hint of a more permissive approach to advertising cookies in the future
CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required
On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation.
AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property.
Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here.
Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required
UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data Security
On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker). Note that the case is concerned with events before the GDPR came into force, so the legal context is provided by UK Data Protection Act 1998 (“DPA 1998”), although the Court did take into account more recent jurisprudence, including CJEU case law.
The case adds useful colour to ongoing debates surrounding the definition of “personal data.” The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data applies to data that is “personal” from the perspective of the controller —even if a third-party attacker could not identify individuals from the exfiltrated dataset. This dovetails with the SRB v EDPS’s clarification that whether data is “personal” can depend on the context, while a controller’s obligations (such as transparency) must be assessed from the controller’s perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data). (For more information on SRB v EDPS, see our prior post here.)
Continue Reading UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data SecuritySeven Major Changes in the European Commission’s Proposal for an EU Digital Networks Act
On 21 January 2026, the European Commission (“Commission”) unveiled its landmark proposal for the Digital Networks Act (“DNA Proposal”), an ambitious attempt to overhaul the framework for the regulation and development of electronic communications networks and services across the EU. The Commission’s stated aim with the DNA Proposal is to establish a “modern and simplified legal framework that incentivises the transition from legacy networks to fibre, high quality 5G and 6G networks, and cloud-based infrastructures, as well as increased scale through service provision and cross-border operation.” To do this, the DNA Proposal would replace and consolidate several existing EU laws, including the European Electronic Communications Code (“EECC”), the BEREC Regulation, and parts of the Open Internet Regulation and e-Privacy Directive.
A key theme of the proposal is harmonization of rules—arising first and foremost from the fact that this is a directly-applicable Regulation rather than a Directive like the current European Electronic Communications Code. Several of the substantive provisions in the DNA Proposal may take a significant amount of influence over the communications networks and services away from Member State governments and up to EU level. In turn, the Commission clearly hopes to promote larger-scale communications network and service providers that can operate across the EU, and that have the funds to invest in modern communications infrastructure. The DNA Proposal could, therefore, have a substantial and long-lasting impact on the connectivity and communications markets in the EU, although we anticipate significant debate about many of the provisions of the DNA Proposal throughout the legislative process.
Below, we summarize seven of the most eye-catching changes to the regulatory framework for communications providers in the DNA Proposal.
Continue Reading Seven Major Changes in the European Commission’s Proposal for an EU Digital Networks ActEuropean Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms
On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the
Continue Reading European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification ReformsEuropean Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2
On 20 January 2026, the European Commission published a proposal to amend the Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.
The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.
With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.
Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.
Continue Reading European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2UNESCO Adopts First Global Framework on Neurotechnology Ethics
On November 12, 2025, UNESCO’S General Conference adopted its Recommendation on the Ethics of Neurotechnology (“the Recommendation”)–the first attempt at establishing a global legal framework for the ethical development and use of neurotechnology. The Recommendation aims to set out a comprehensive rights-based framework for the entire life cycle of neurotechnology, from the design of neurotechnology products and services to their disposal.
While not legally-binding, the Recommendation states that its provisions should be considered by, among others, UNESCO Member States, research organizations, and private companies involved in neurotechnology, and that they establish how best to honor fundamental human rights in the development, deployment and disposal of this technology. It is therefore possible that in the future, they may be a starting point for binding legislation, or could be used as persuasive authority to support enforcement actions arising under existing legislation protecting fundamental human rights, e.g., the GDPR and other privacy laws around the world. In that regard, it is notable that the EU AI Act was inspired, at least in part, on UNESCO’s November 2021 Recommendation on the Ethics of Artificial Intelligence. There is, therefore, a real possibility that private sector companies developing neurotechnologies will be subject to rules specifically regulating such technologies in the future.
Continue Reading UNESCO Adopts First Global Framework on Neurotechnology EthicsFive major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill
As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.
The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).
The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:
- Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
- Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
- Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.
Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.
Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience BillEuropean Commission publishes its plan to enable more effective law enforcement access to data
On 24 June 2025, the European Commission published its “roadmap” for ensuring lawful and effective access to data by law enforcement (“Roadmap”). The Roadmap forms a key part of the Commission’s internal security strategy, which was announced in April, and follows on from the November 2024 recommendations of the High-Level Group on Access to Data for Effective Law Enforcement.
Of most immediate relevance to electronic communications service (“ECS”) providers, the Commission intends to propose new data retention requirements, is considering changes to better enable cross-border live interception of communications, and will support the development of tools enabling law enforcement authorities (“LEAs”) to access encrypted data. We describe these proposals, and other elements of the Roadmap, in more detail below.
Continue Reading European Commission publishes its plan to enable more effective law enforcement access to data