In a nutshell: Cyprus took over the presidency in the Council of the EU. The EU institutions agreed on the EU legislative priorities. The European Commission is seeking input on tackling online fraud, open-source strategy and is assessing further steps to curb online piracy of sports and other live events. The Commission also published its proposals for the Cybersecurity Act 2.0, NIS2 amendments, and the Digital Networks Act. The Council of the EU published a statement on European competitiveness. The European Parliament is finalising its views on the upcoming 28th regime for innovative companies. Crafts and industrial GIs can be registered under the new protection scheme.
Cyprus is in charge of the presidency in the Council of the EU
On 1 January 2026, Cyprus took over the rotating presidency at the Council of the EU and published its programme for the upcoming six months. Within areas relevant for digital infrastructure, the presidency intends to prioritise “secure and resilient connectivity while advancing the EU’s competitiveness and digital sovereignty”. It should focus on the protection of critical infrastructure and other key digital services. During its presidency, Cyprus intends to advance the negotiations on the Cybersecurity Act 2.0 (CSA 2.0), the Digital Omnibus (see our previous reporting here), and continue the trilogue negotiations on the Financial Data Access Regulation (FiDA). The Cypriot presidency also wants to steer the discussions on the European Competitiveness Fund (see our previous reporting here), initiate work on the Cloud and AI Development Act, and promote a systematic use of impact assessments in new EU legislation. The Cypriot presidency will also promote efforts at the EU level for the implementation of technological solutions enabling lawful access to data. Cyprus will be at the helm of the Council of the EU until the end of June, when it will be replaced by Ireland.
The EU institutions issued a joint declaration on EU legislative priorities for 2026
On 23 December 2025, the EU institutions published a joint declaration on the EU legislative priorities for 2026. The European Commission, the European Parliament and the Council of the EU pledge to steer the simplification, including to “double down on […]efforts to tackle the bottlenecks holding back […]competitiveness”. The institutions promise to “accelerate the work, as a matter of utmost priority, on all proposals with a simplification and competitiveness dimension”. The institutions also pledge to “focus on ensuring a safe and inclusive online environment, especially to protect minors.” Particular attention will be paid to the legislative proposals listed in the accompanying document to the joint declaration, which the three institutions commit to prioritising in 2026. Progress on these proposals should be regularly monitored throughout the year. The list of priority proposals relevant for digital infrastructure actors includes the 28th Regime for Innovative Companies (see our previous reporting here and below) and the Digital Omnibus.
Cybersecurity
The European Commission is seeking input on tackling online fraud
On 23 January 2026, the European Commission published a call for evidence for the upcoming action plan on “Fighting online fraud” to gather public feedback in support of the Commission’s efforts on “fraud prevention measures, more effective law enforcement action, and victim protection, including through assistance with the recovery of funds lost to fraud”. According to the accompanying text of the call for evidence, online fraud has reached “unprecedented levels” and represents the “fastest-growing segment of organised crime”. More specifically, DNS abuse is “often how online fraud is committed”. Phishing, farming, botnet attacks and spam distribution are growing in scale and frequency, according to the European Commission. The aim of the action plan is to address the use of AI in large-scale fraud strategies; money laundering and crypto-asset services; victim support; lack of coordination and collaboration between public and private sectors; data sharing for prevention and investigations; advertising fraud, amongst other areas. Additionally, improving cross-border and multistakeholder cooperation is also seen as one of the priority areas that the future action plan should address. The call for evidence is open until 13 February.
The European Commission published the Cybersecurity Act 2.0 and further NIS2 amendments
On 20 January 2026, the European Commission unveiled its proposal for the CSA 2.0 and targeted amendments to the NIS2 Directive. The CSA 2.0 proposal aims to reduce risks in the EU's ICT supply chain from third-country suppliers with cybersecurity concerns. It sets out a “trusted ICT supply chain security framework” based on a risk-based approach that will enable the EU and Member States to jointly identify and mitigate risks across the EU's 18 critical sectors, including digital infrastructure. The CSA 2.0 will introduce mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, and considers the DNS to be part of both “core of the open internet” and “core network functions” of electronic communications networks. Targeted NIS2 Directive amendments suggest removing micro- and small DNS service providers from the scope of the NIS2 Directive obligations; and will allow all essential entities to demonstrate their compliance with the NIS2 Directive by seeking certification under EU cybersecurity certification schemes.
Competitiveness
The European Commission published the proposal for the Digital Networks Act
On 20 January 2026, the European Commission published its proposal on the Digital Networks Act (DNA). The proposal underlines the critical role of cutting-edge digital network infrastructure for the future competitiveness of the EU economy, security, and social welfare. The DNA will harmonise spectrum authorisation rules and require Member States to submit national plans for fully deploying fibre networks. The DNA proposes to adopt an EU Preparedness Plan for the digital infrastructure and measures to avoid or reduce dependencies in the connectivity ecosystem and to ensure network and service in case of incidents and attacks. BEREC will be in charge of adopting such a plan and providing further operational recommendations and crisis management practices. The draft plan must be prepared in consultation with the NIS Cooperation Group and ENISA. BEREC will also be required to publish guidelines to assist providers of electronic communications networks or “closely related sectors” for facilitating cooperation on “technical and commercial matters related to the provision of electronic communications services[…] in an efficient, economically sustainable and reliable way”. National authorities shall offer “voluntary conciliation” meetings between two providers on “technical or commercial arrangements”, according to the proposal.
JURI adopted its report on the 28th Regime
On 20 January, the Legal Affairs Committee (JURI) of the European Parliament adopted its non-binding report with recommendations on the 28th regime (see our previous reporting here). The 28th regime should establish a new legal framework for incorporating businesses across the EU Member States to reduce administrative costs. The JURI report notes the difficulties start-ups and scale-ups are facing on the EU internal market, mainly with access to finance and compliance with different legal regimes across the EU Member States. The report calls for the upcoming legislative proposal to have a uniform application across the EU. Hence, the Commission should consider proposing a regulation or a maximum harmonisation directive. It should take 48 hours to digitally establish a 28th regime company, according to JURI. The European Commission should tentatively present the legislative proposal on 18 March 2026.
The European Commission seeks input on the European open digital ecosystems
On 6 January, the European Commission opened a call for evidence on the upcoming strategy on the European open digital ecosystems. The document notes that the EU is dependent on non-EU countries in the digital sphere, leading, amongst others, to potential supply chain security issues. EU stakeholders struggle with “high entry barriers and network effects of dominant players” both in public procurement and in the private sector. The strategy should address the role of Free and Open-Source Software (FOSS) as a “crucial contribution to a strategic framework for EU technological sovereignty, competitiveness and cybersecurity.” It should also set out actions to strengthen the EU FOSS ecosystem, including in critical sectors, such as internet technologies, cloud, AI, open hardware and industrial applications. The strategy will also review the potential supporting actions to: 1) encourage greater adoption of FOSS by public and private users, 2) boost the development and competitiveness of the emerging EU FOSS sector, and 3) strengthen the position of start-ups in the innovation ecosystems. The call for evidence is open until 3 February. On 11 December, the European Commission also launched a European Digital Infrastructure Consortium (EDIC) on Digital Commons. The European Commission considers the DC EDIC a strategic instrument to reduce EU dependency on global platforms and provide a digital choice to Europeans.
The Council of the EU published a statement on European competitiveness
On 5 December 2025, the Council of the EU published its conclusions on European Competitiveness in the Digital Decade. The document underlines the importance of a common understanding of the principles of digital sovereignty and its implications for competitiveness. The Council of the EU invites the Commission to reflect, among other elements, on “enhancing transparency, interoperability and competition, while reducing vendor lock-in and reliance on single providers, including through open standards, open-source and interoperable solutions” in key digital areas, including quantum, cloud, AI, cybersecurity and connectivity. The Council also proposes to support research and development of these technologies to increase the demand and market share of EU suppliers, including through public procurement. In the context of the forthcoming Cloud and AI Development Act, the document suggests developing common criteria for sovereign cloud services, which shall address risks of highly critical use cases.
Intellectual property
EU opened registration for crafts and industrial products under the new GI protection scheme
From 1 December 2025, crafts and industrial geographical indications (Gis) can be registered under the new protection scheme (see our previous reporting here). Producers may apply through a recognised association or individually. Each application should be submitted to the relevant national authority in the EU Member States. The GI registration procedure has two steps: 1) National level – the authority reviews the application and runs a national opposition procedure; 2) EU level – the application is then assessed by the EUIPO, which decides on protection and registration. Denmark, Finland, Lithuania, Luxembourg, Malta, the Netherlands and Sweden have obtained a derogation for the national phase, and producers will exceptionally be able to apply directly to the EUIPO, which manages the whole procedure. The craft/industrial GI regulation allows producers to stop the misuse of their GIs and secures international protection. By 2 June 2026, the Commission shall carry out an evaluation of the feasibility of an information and alert system against the abusive use of craft/industrial GIs in the DNS, and submit a report with its main findings to the European Parliament and the Council. That report shall be accompanied by a legislative proposal, where appropriate. As reported earlier, the European Commission has already published a similar report under the sister regulation concerning the protection of agricultural products.
The European Commission is assessing further steps to curb online piracy of sports and other live events
On 20 November 2025, the European Commission published its assessment of the effects of the Recommendation on combating online piracy of sports and other live events (see our previous reporting here). The Recommendation encourages the relevant stakeholders to take measures and use dynamic injunctions in Member States to tackle the unauthorised retransmissions of live events. Overall, the assessment notes that “piracy [..]is on the rise, with forms of […]IPTV and app-based piracy increasing”, including an increasing number of piracy cases delivered via CDNs. Online platforms are the most responsive in implementing notice-and-takedown mechanisms, according to the gathered evidence, as opposed to other hosting service providers subject to the notice-and-takedown regime under the Digital Services Act. The rightsholders’ feedback notes a possibility to extend “trusted flagger” obligations to, inter alia, domain registrars in order to more effectively address live piracy. Overall, the assessment shows that the Recommendation has had positive effects. However, given its non-binding nature, these effects have not allowed to significantly curb the volume of online piracy. The Commission will examine the areas for possible further action to better address the piracy of live events at the EU level, including further the contribution of different online intermediaries. The Commission will also explore whether new measures are needed to ensure a wider and more consistent use of dynamic injunctions across Member States and a more systematic cross-border cooperation among national authorities.
