EMEA Tech Regulation

On 29 April 2026, the UK Information Commissioner’s Office (“ICO”) updated its guidance on the use of storage and access technologies (i.e., cookies and other technologies that store or access information stored on users’ devices) under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”). These updates follow on the heels of two public consultations about the clarity of this guidance. We set out details of three of the most relevant updates for private companies below. Perhaps the most interesting element of the updated guidance, however, is an indication that the ICO is intending to follow through on its plan to enable the use of information storage / access technologies for “privacy-preserving” advertising purposes without consent. The ICO has not made explicit changes to its guidance, and the consultation response reiterates that the use of information storage / access technologies for online advertising—including related activities like frequency capping and ad measurement—currently requires consent under Regulation 6 of PECR. However, the ICO states that it will soon submit evidence to the UK Government on advertising-related activities that could be exempt from the PECR consent requirement, which the Government may then use to amend PECR to introduce statutory exemptions. It remains to be seen what the ICO will propose, but this could make it easier to engage in certain ad-related activities in the UK. Continue Reading Three notable changes to the UK ICO’s guidance on cookies, and a hint of a more permissive approach to advertising cookies in the future
On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation. AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property. Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here. Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required

On March 2, 2026, the UK Department for Science, Innovation and Technology (“DSIT”) launched its consultation, titled “Growing up in the online world: a national conversation”. The consultation is open until 26 May 2026, after which the government will publish a summary of responses and its proposed approach. DSIT has indicated that it intends to move quickly on the consultation’s findings, drawing on newly granted powers that allow for accelerated implementation of online safety measures.

The consultation seeks views on a wide range of potential measures to strengthen children’s safety and wellbeing online, including more robust age‑assurance mechanisms, a statutory minimum age for social media, raising the UK’s age of digital consent, restrictions on certain features (such as livestreaming and disappearing messages), and new obligations for AI chatbots and generative‑AI services.

DSIT’s proposals could significantly expand regulatory expectations beyond the Online Safety Act 2023 (“OSA”)—including potential age‑based access limits (including differing safeguards as between teens and younger children), feature‑level restrictions, and enhanced duties for AI‑enabled services. Early engagement will be important to ensure that the government takes account of the views of affected service providers and understands the operational and technical implications of the measures proposed.

Continue Reading UK Government Launches Consultation on Children’s Online Experiences, Including New Obligations for AI

On November 19, 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). In our previous blog post (see here), we explained that this initiative, which represents a comprehensive update to the EU’s digital regulatory landscape, consisted of two proposed regulations: a “Digital

Continue Reading Digital Omnibus Package Series: European Commission’s Proposal to Revise the EU’s AI Rules

On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French).  The Recommendation is open for public consultation until May 20, 2025.

Continue Reading French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles

Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.

Continue Reading NIS2: Commission Publishes Long-Awaited Draft Implementing Regulation On Technical And Methodological Requirements And Significant Incidents

Earlier this week, Members of the European Parliament (MEPs) cast their votes in favor of the much-anticipated AI Act. With 523 votes in favor, 46 votes against, and 49 abstentions, the vote is a culmination of an effort that began in April 2021, when the EU Commission first published its proposal for the Act.

Here’s what lies ahead:

Continue Reading EU Parliament Adopts AI Act

From February 17, 2024, the Digital Services Act (“DSA”) will apply to providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). These entities will be required to comply with a number of obligations, including implementing notice-and-action mechanisms, complying with detailed rules on terms and conditions, and publishing transparency reports on content moderation practices, among others. For more information on the DSA, see our previous blog posts here and here.

As part of its powers conferred under the DSA, the European Commission is empowered to adopt delegated and implementing acts* on certain aspects of implementation and enforcement of the DSA. In 2023, the Commission adopted one delegated act on supervisory fees to be paid by very large online platforms and very large online search engines (“VLOPs” and “VLOSEs” respectively), and one implementing act on procedural matters relating to the Commission’s enforcement powers. The Commission has proposed several other delegated and implementing acts, which we set out below. The consultation period for these draft acts have now passed, and we anticipate that they will be adopted in the coming months.

Continue Reading Draft Delegated and Implementing Acts Pursuant to the Digital Services Act

On August 22, 2023, the Spanish Council of Ministers approved the Statute of the Spanish Agency for the Supervision of Artificial Intelligence (“AESIA”) thus creating the first AI regulatory body in the EU. The AESIA will start operating from December 2023, in anticipation of the upcoming EU AI Act (for a summary of the AI Act, see our EMEA Tech Regulation Toolkit). In line with its National Artificial Intelligence Strategy, Spain has been playing an active role in the development of AI initiatives, including a pilot for the EU’s first AI Regulatory Sandbox and guidelines on AI transparency.
Continue Reading Spain Creates AI Regulator to Enforce the AI Act