In a nutshell: The European Commission published a Submarine Cable Security Toolbox and Cable Projects of European Interest, 2026 Annual Single Market and Competitiveness Report, an IPRED study, and a counter terrorism strategy. The European Parliament held a hearing on CPC Regulation reform. The Council of the EU adopted a position on the 2030 Consumer Agenda. EDPB adopted a report on the right to be forgotten. EDPB, jointly with EDPS, adopted an opinion on the Digital Omnibus proposal. NIS Cooperation Group adopted an ICT supply chain toolbox. EU Member States published non-papers on competitiveness.
Cybersecurity
The European Commission published a ProtectEU counter terrorism strategy
On 26 February, the European Commission published its strategy to prevent and counter terrorism. With respect to protecting people online, the Commission wants to strengthen its enforcement of the Digital Services Act and potentially revise the Terrorist Content Online Regulation (TCO) by the end of 2026. Voluntary cooperation with service providers, including via the EU Internet Forum, is indispensable in reacting to the evolving digital landscape, according to the European Commission. The strategy also highlights the importance of securing critical infrastructure in the EU. In this regard, the European Commission is urging the Member States to transpose and implement the Critical Entities Resilience (CER) Directive and the NIS 2 Directives. The Commission also plans to organise EU-level exercises, in cooperation with the Member States, to test the physical and cyber resilience of critical infrastructure in significant cross-border incidents. The Commission will make available EUR 15 million for projects to strengthen the cross-border and cross-sectoral resilience of critical infrastructure against man-made threats, and it will adopt guidelines to support critical entities in their resilience-enhancing measures.
The NIS Cooperation Group adopted an ICT supply chain security toolbox
On 13 February, the NIS Cooperation Group published a risk-mitigation toolbox on ICT supply chain security. The document provides non-binding guidance to EU Member States to secure ICT supply chains by identifying potential risk scenarios and providing recommendations to strengthen them. The toolbox follows the all-hazard approach and divides the ICT supply chain threats in accordance with the NIS 2 Directive into four categories of malicious action, system failure, human error and natural phenomena/external event. The document notes that the NIS 2 Directive and the related Commission Implementing Regulation already specify the technological and methodological requirements for cybersecurity risk management in the digital infrastructure sector. The recommendations of the toolbox intend to complement and enhance these measures. In a year, the NIS Cooperation Group will assess progress, identify challenges and propose adjustments to the toolbox.
The European Commission published a Submarine Cable Security Toolbox and Cable Projects of European Interest
On 5 February, the Submarine Cable Infrastructures Expert Group of the European Commission presented the Cable Security Toolbox. The document follows the EU Action Plan on Cable Security and the Commission’s Recommendation on Secure, Resilient Submarine Cable Infrastructures (see our previous coverage here and here). The non-binding toolbox presents a set of recommendations to mitigate risks for submarine cables, such as coordinated physical sabotage, disruption of the supply chain or power cuts that cause a regional network outage. Risk mitigation recommendations for operators and EU Member States include, for example, reinforcing cable redundancy with additional connections, diversification of routes and landing locations, and reducing exposure to non-EU suppliers. The toolbox also identifies Cable Projects of European Interest (CPEI) to improve network resilience and redundancy. The toolbox should be implemented by EU Member States through coordinated efforts at the EU and international levels.
Competitiveness
EU Member States published non-papers on competitiveness
On 6 February, Estonia, Finland, Latvia, Lithuania, the Netherlands and Sweden jointly published a non-paper on European Strategic Competitiveness. The non-paper presents key issues that, if addressed, should enhance the EU's competitiveness. Among them is the support for the upcoming proposals for the 28th regime (see our previous reporting here), and the review of the Standardisation Regulation. Furthermore, the document supports the “real simplification” agenda, where the European Commission should exercise “legislative restraint” and base its proposals on comprehensive impact assessments. The non-paper welcomes the ambition of the Digital Omnibus, but calls for more action. The EU legislation must prohibit double reporting and enable the cross-use of data in the EU. In relation to the “simplification”, the document cautions against a “European preference” in access to public finance. In the course of February, Spain also published its non-paper on European competitiveness, supporting simplification and further harmonisation through regulations, rather than directives. Unlike the abovementioned Member States, Spain supports “European preference”, provided it is “carefully calibrated”, strengthens Europe’s “strategic value chains”, and is in line with the EU regulatory framework and WTO rules. Spain also supports a “European technology stack” and prioritises Free and Open Source Software solutions in public procurement to reduce vendor lock-in.
The European Commission published the 2026 Annual Single Market and Competitiveness Report
On 30 January, the European Commission published its Annual Single Market and Competitiveness Report for 2026. The focus of the report is on the “main drives for Europe’s competitiveness”, with particular emphasis on tracking progress in the implementation of the Single Market Strategy. According to the report, “significant progress has already been made to reduce administrative burdens”, by ten proposed omnibus packages and the European Business Wallet Regulation proposal that “has a potential to contribute significantly to the overall administrative cost reduction for businesses and public administrations, with minimum EUR 13.5 bn.” The EU business wallet “will allow companies to securely identify and exchange data with governments and other businesses across the EU with full legal effect and trust”, according to the Commission (see our previous reporting here). Within the R&D market, the report notes that “the EU is a frontrunner in green inventions, and performs well in health, biotech and pharmaceuticals, while it continues to score low in the area of digital”. Europe’s supply chains continue to “show significant external dependencies, with increasing risk and evidence of these being weaponised”. In sensitive ecosystems, such as raw materials, the EU is heavily dependent on a single supplier country: more than half of the EU’s dependencies originate from China. Other competitiveness priorities for 2026 include the Public Procurement Act, which will ensure “best use of the 15% of GDP spent via public procurement”. The Cybersecurity Act, the Quantum Act and the Cloud and AI Development Act will strengthen the sovereignty and security of European technologies and infrastructures, according to the European Commission.
Data protection
The EDPB adopted a report on the right to be forgotten
On 18 February, the European Data Protection Board (EDPB) adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to be forgotten. The main objectives of this coordinated action are to ensure that the right to erasure is effectively exercised by individuals in Europe and understand how controllers comply with this right in practice. Throughout 2025, 32 supervisory authorities across the EEA launched coordinated investigations into the compliance of controllers with the right to erasure. The overall level of compliance of the responding controllers has been assessed as “average”. Seven recurring issues were identified, such as the absence of a documented internal procedure for erasure requests; absence of training; misuse of a legal uncertainty to deny erasure requests; difficulties in defining and implementing data retention periods; deletion of personal data in the context of back-ups; and difficulties with anonymisation, amongst others. With regard to data retention, the EDPB identified the best practice to “specify in privacy notices[…] the specific data retention periods and the criteria for determining it (e.g. the applicable legal obligation)”, as well as using “a data deletion matrix” that cross-indexes the type of processed data and associated legal basis. With regard to the back-up, some controllers replace the personal data they wish to delete with strings of random characters to mitigate the structural impact deletion brings to back-ups, or rely on tools that automatically extract all personal data from internal systems and transfer them to back-ups inaccessible to employees. The EDPB will consider awareness-raising actions at the EU level, including additional practical guidance with use cases on the right to be forgotten, in line with numerous existing national-level guidance.
The EDPB and EDPS adopted a joint opinion on the Digital Omnibus proposal
On 11 February, the EDPB and the EDPS adopted a joint opinion on the Digital Omnibus proposal (see our previous reporting here). The EDPB and EDPS welcome the intention of the Digital Omnibus to simplify compliance. However, the EDPB and EDPS note their concern with the proposed changes to the definition of personal data and pseudonymisation, which risk affecting the level of protection and creating legal uncertainties. The document notes that the proposed change to the definition of personal data would narrow the concept of personal data to the detriment of data protection. Furthermore, the amendment does not accurately reflect and goes beyond the CJEU EDPS v SRB judgement (see our previous reporting here). The EDPB and EDPS are also critical of empowering the Commission to adopt implementing acts to specify whether data resulting from pseudonymisation no longer constitutes personal data for certain entities. As a result, it would be the Commission, not independent supervisory authorities, potentially changing the material scope of the GDPR. The document states that these amendments should be rejected as they go beyond “technical amendments” and do not increase legal clarity. The joint opinion welcomes the extension of the deadline to notify data breaches from 72 to 96 hours, as it would give more time to act and collect evidence for controllers, leading to better reporting to the supervisory authorities. The EDPB and the EDPS also recommend more harmonisation between the notification timelines under different EU rules, namely the NIS 2 Directive, DORA, EUID and CER Directive. In a similar vein, the document “strongly supports” the establishment of the single-entry point at the EEA level for the notification of personal data breaches and other incidents. Furthermore, the joint document supports the use of legitimate interest in the context of AI, an exception for incidental and residual processing of special categories of data in the context of AI, and limitation to the right of access, among others.
Intellectual Property
The European Commission published an IPRED study
On 9 February, the European Commission published a study on the application of the Directive on the Enforcement of Intellectual Property Rights (IPRED). The primary objective of the study is to assess the implementation of IPRED provisions across the EU Member States and provide an updated overview of IPR enforcement. The study focuses on dynamic blocking injunctions (DBIs), which target intermediaries to prevent repeated identical or similar infringement of IPR without the need for a new judicial procedure to obtain additional injunctions. The DBIs typically include DNS and URL blocking as common measures, however, most of the Member States worded their national implementation in a technologically neutral way. The study notes significant differences in the application and use of DBIs across Member States. As one of the highlighted best practices, the consulted IPR stakeholders pointed to Denmark, France, Italy, Spain and the Netherlands, in which DBIs can be effectively enforced due to a clear legal basis, cooperative authorities assisting the process and/or governments facilitating dialogues between rights holders and intermediaries. The study notes that in the absence of effective remedies targeting infringers directly, DBIs against intermediaries have become an effective tool for rightsholders. Harmonising the process for issuing DBIs across the EU would further enhance their effectiveness. The consulted IPR stakeholders underlined that the identification of primary infringers online remains difficult, but improvements are expected with the implementation of the NIS 2 Directive. As one of the potential opportunities for improvement of the IPRED, the study mentions extending the scope of information that may be requested by IP rightsholders from technical intermediaries such as domain services, hosting or payment services.
Consumer Protection
The European Parliament held a hearing on CPC Regulation reform
On 25 February, the Committee on the Internal Market and Consumer Protection (IMCO) held a public hearing on the upcoming revision of the Consumer Protection Cooperation (CPC) Regulation. The European Commission highlighted the enforcement challenges in a rapidly growing e-commerce market, such as addictive designs, fake discounts or false scarcity claims. The current enforcement regime is lengthy, as CPC coordination actions often take more than 18 months. The European Commission would like to strengthen enforcement against non-EU traders to ensure a level-playing field for compliant traders, increase the systems' effectiveness through improving the CPC coordinated actions, and possibly centralise the enforcement at the EU level for some cases with an EU-wide dimension. The points on tackling lengthy and complex enforcement were also supported by representatives of consumer rights organisations and national consumer protection authorities present at the hearing. The remaining issues outside of the scope of the CPC Regulation might be tackled by transforming the Unfair Commercial Practices Directive into a Regulation. Issues such as dark patterns should be addressed by the upcoming Digital Fairness Act, which will accompany the CPC Regulation reform proposal in Q4 2026.
The Council of the EU adopted conclusions on the 2030 Consumer Agenda
On 26 February, the Council of the EU adopted conclusions on the European Commission's 2030 Consumer Agenda. The conclusions note the need to address existing regulatory gaps in enforcement, building on the findings of the Fitness Check of EU Consumer Law on Digital Fairness (see our previous reporting here). Consumer protection should be strengthened in addressing dark patterns, addictive design features, problematic practices by influencers, unfair personalisation, and non-transparent dynamic pricing. The Council also emphasises the importance of having a consistent and effective implementation of EU consumer and product safety rules by fostering closer cooperation among EU institutions and Member States' administrative and judicial authorities. The Council calls on the European Commission to ensure that newly proposed consumer protection initiatives preserve the horizontal nature of consumer law, and that they are accompanied by an appropriate impact assessment in accordance with the principles of better regulation. New initiatives should follow the simplification objective and not result in an unnecessary administrative burden for SMEs.
