In a nutshell: The European Commission published the proposals on Digital Omnibus and the European Business Wallet and unveiled the strategy of the European Democracy Shield. The Commission also published its report on the necessity of a domain name information and alert system for the agricultural geographical indications, and launched a call for applications for a Multi-Stakeholder Forum on Internet Standards Deployment. In addition, the European Commission is seeking views from the public on the upcoming reform of EU public procurement, and on further Digital Fitness Check in line with its simplification agenda. The EU institutions reached an agreement on the Insolvency Directive proposal and the Payment Services Regulation. EU Member States signed a declaration for European Digital Sovereignty.
The European Commission published the Digital Omnibus
On 19 November, the European Commission published the Digital Omnibus (see our previous reporting here). The Digital Omnibus introduces changes to the NIS2 Directive, Directive on the resilience of critical entities (CER), GDPR, European Digital Identity Regulation (EUID) and Digital Operational Resilience Act (DORA), amongst others. One of the main highlights relevant for the internet infrastructure sector is the proposed single-entry point for incident reporting, which should become the main way of reporting cybersecurity incidents and data breaches under the EU cybersecurity legislation. The single-entry point will be developed and maintained by ENISA and will be used to transfer the incident reports to the respective national supervisory authorities. Except for the GDPR, the respective reporting timelines are not amended. The initial data breach notification deadline under the GDPR is to be extended from 72 to 96 hours. The Digital Omnibus also proposes an increased threshold for reporting data breaches that are “likely to result in a high risk to the rights and freedoms of natural persons.” Additionally, the European Data Protection Board shall prepare a common template for notifying a personal data breach to the competent supervisory authority, as well as a list of the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person. As the next steps in the legislative process, the European Parliament and the Council of the EU start working on their respective positions.
The European Commission launched a Digital Fitness Check consultation
On 19 November, the European Commission opened a call for evidence and a public consultation on the Digital Fitness Check (see our previous reporting here). The goal of the Digital Fitness Check is to map how the digital legislation covers EU strategic sectors, and to inform the Commission’s work in the second half of the current legislative cycle. The European Commission will examine which areas of the legislation could be further aligned and streamlined. The consultation does not indicate an exhaustive list of areas under scrutiny but suggests a wide mapping of digital legislation, including rules on data, cybersecurity, and online services. The call for evidence and public consultations will remain open until 11 March 2026. The tentative date of publishing the (most likely) legislative initiative is in Q1 2027.
Geographical indications
The European Commission published a report on a domain name alert system for geographical indications
On 10 November, the European Commission published a report on the necessity and feasibility of a domain name information and alert system for the agricultural geographical indications (GIs). The report follows the requirement put forward in the Regulation on GIs for wine, spirit drinks and agricultural products (see our previous reporting here). The report notes that while the cases of GI misuse in domain names appear to be limited, this fact might be the result of a limited monitoring capacity of GI producers, who are often SMEs. EUIPO will be tasked with developing the system, relying mainly on publicly available DNS tools, such as the name server (NS) lookups. The system can be further complemented by automated WHOIS/RDAP queries and a voluntary cooperation with EU ccTLD registries. The report notes that the EUIPO-managed system based on publicly available DNS tools is “the most proportionate and technically viable”. This model does not require any technical adaptations on the side of the EU ccTLD registries. Any further legislative changes will be taken into consideration together with the upcoming report on a similar system for the protection of crafts and industrial GIs, which is due in June 2026. The sources for the report included a study commissioned by the European Commission, as well as consultations with EU ccTLDs and the CENTR position paper.
Data protection
The EU institutions reached an agreement on the Insolvency proposal
On 19 November, the European Parliament and the Council of the EU reached a provisional agreement on the EU Insolvency directive during trilogue negotiations (see our previous reporting here). The proposed rules should facilitate the tracing of cross-border assets of insolvent enterprises. The directive introduces “pre-pack proceedings”, which will allow the sale of a debtor’s business before opening an insolvency proceeding. According to the latest publicly available text, the provisional agreement removes “registers of internet domains” from the list of national asset registers, effectively excluding domain registration databases from the scope of the directive. The provisions on simplified winding-up proceedings, such as auctioning off the assets of the insolvent microenterprises, are likewise removed from the scope of the directive, according to the latest available text. The final version of the text is not yet publicly available, so the status of transfers of contracts without the consent or notification of the third-party during pre-pack proceedings remains unclear. According to the latest available text, the co-legislators agree on the substance of the exception to that provision at the national level, i.e., that the consent of the counterparty may be needed, depending on the contract. The next step in the legislative process is the formal adoption of the text by the European Parliament and the Council of the EU. Afterwards, the Member States will have two years and nine months to transpose the directive into national law.
Financial regulation
The European Parliament and the Council of the EU reached an agreement on the Payment Services Regulation
On 27 November, the European Parliament and the Council of the EU agreed on the Payment Services Regulation (PSR) during the trilogue negotiations (see our previous reporting here). The regulation aims to harmonise payment services, strengthen fraud prevention across the EU and boost transparency on fees. It applies to payment services provided by banks, post-office giro and payment institutions, as well as technical service providers supporting payment services, and in some cases, electronic communications providers and online platforms. According to the Parliament’s press release, if payment services fail to implement appropriate fraud prevention mechanisms, they will be liable for covering customers’ losses. Online platforms will be liable to payment services that have reimbursed defrauded customers if they are informed of fraudulent content on their platform and fail to remove it. This builds on and adds to the protection in the Digital Services Act. According to the Council’s press release, the new rules allow major online platforms and search engines to advertise financial services to consumers in a given Member State only if the company providing those services is duly regulated and authorised within that Member State. The final text of the agreement is not yet made publicly available, so the status of domain enforcement mechanisms, as proposed by the Council of the EU, is currently unknown.
Cybersecurity
The European Commission launched a call for applications for a Multi-Stakeholder Forum on Internet Standards Deployment
On 10 November, the European Commission opened a public call for applications for a newly established Multi-Stakeholder Forum on Internet Standards Deployment. The Forum should guide the deployment of key internet standards under the NIS2 security measures, as detailed in the NIS2 Implementing Act on cybersecurity risk-management measures (see our previous reporting here). It will be tasked to develop guidance on the deployment of the relevant internet standards and best practices, and further specifications of the cases in which an incident can be considered significant. The guidance should support both the regulatory compliance and voluntary industry adoption. The Forum will have four separate workstreams: 1) transition to the latest-generation network-layer communication protocols; 2) deployment of internationally agreed and interoperable modern e-mail communication standards; 3) application of best practices for DNS security; 4) measures for internet routing security and routing hygiene. The intended participants are sectoral experts and representatives of entities falling in the scope of the NIS2 Implementing Act, including DNS service providers and TLD registries. The Forum is planned to complete its work in 2 years by Q1 2028. The call for membership is open until 12 December.
Content moderation
The European Commission published the European Democracy Shield
On 12 November, the European Commission published the non-legislative European Democracy Shield (EUDS). The strategy aims to safeguard the integrity of the information space, strengthen free media and elections, and boost societal resilience and citizens' engagement. The Commission, together with the European Board for Digital Services, will prepare a Digital Services Act (DSA) protocol on incidents and crises that should “facilitate coordination among relevant authorities and ensure swift reactions to large-scale and potentially transnational information operations”, mainly intended for major online platforms and search engines. The Commission will also work on preparing the Blueprint for countering foreign information manipulation and interference (FIMI) and disinformation, intended as a capacity-building measure for Member States. The EUDS underlines the importance of the NIS2 Directive and of the Cyber Resilience Act in ensuring that critical sectors and digital products are secure within electoral processes in the EU, and for the overall preparedness for cyber threats in the context of elections. The strategy envisages the establishment of a new European Centre for Democratic Resilience that should become a dedicated hub for exchange and operational cooperation among the EU institutions and Member States. It should work to develop practices and methodologies on the threat prevention, detection and analysis.
Public procurement
The European Commission seeks input on public procurement
On 3 November, the European Commission opened a call for evidence and a public consultation on public procurement, open until 26 January. The value of the EU public procurement is approximately 600 billion EUR. The call for evidence notes that the current EU public procurement faces challenges in its ability to channel public investment and support EU strategic policy priorities to strengthen EU competitiveness, resilience and economic security. The revised procurement framework should make public investments more efficient and strengthen EU sovereignty and resilience by introducing “Made in Europe” criteria. By promoting a coordinated approach to public procurement, the EU can create a faster, more coordinated framework to increase the efficiency of the investments, reduce its external dependence and ensure that critical infrastructures, goods, and services are resilient and secured, according to the European Commission. A high-level conference on the topic will be held in 2026 in preparation for the public procurement revision.
EU Member States signed a declaration for European Digital Sovereignty
On 18 November, EU Member States signed a non-binding declaration for European Digital Sovereignty. The declaration defines digital sovereignty as “the ability of Member States to be able to regulate their digital infrastructure, data and technologies.” It includes the ability of European individuals, businesses and institutions to make autonomous decisions about the use, governance, and development of digital systems. The declaration puts forward 14 priorities, such as support for climate and a clear, predictable and fair regulatory framework. The declaration highlights the importance of standardisation and interoperability in order to promote European interests and solutions on a global scale. The declaration notes that Europe’s technological independence relies on investment in strategic areas such as high-performance computing, quantum technologies, cybersecurity, cloud and AI, but also on promoting education and research, digital skills and digital literacy. Targeted use of public procurement can also support the market share of EU suppliers. Open-source solutions should be included, among others, in the “European common assets” that should strengthen the critical infrastructure of the EU. The governance framework of EU digital sovereignty should avoid duplication of existing initiatives, while being inclusive and based on the multistakeholder approach. The declaration was made independently of the EU institutions but signed by ministers of all 27 EU Member States.
eID
The European Commission unveiled the European Business Wallet proposal
On 19 November, the European Commission presented a proposal for a Regulation on establishing the European Business Wallet. The proposal intends to provide a single interoperable cross-border digital identity solution to businesses and public sector bodies. Currently, the identification documents and other credentials are often shared via email or proprietary portals, which could lead to increased exposure to fraudulent practices, such as invoice scams. The European Business Wallet should facilitate business-to-business and business-to-government interaction in a transparent and traceable way to support risk management, compliance and fraud prevention. The European Business Wallet builds on and extends the European Digital Identity Framework (EUDI) and, as such, should be fully interoperable with the European Digital Identity Wallets. The European Business Wallet will be a market-driven tool that should not conform to a single business model or a technical design. Instead, the proposal should set a framework that combines interoperability with flexibility, fostering competition. The European Parliament and the Council of the EU will start working on their respective positions.
