05-05-2025 Article

New developments in EU Digital Law

Update Data Protection No. 207

At the beginning of the new legislative period, the European Commission set a number of digital policy priorities aimed at the structural development of the European single digital market. The focus is on issues of cyber security, technological sovereignty and a more precise organization of the market and consumer order in the digital space. In contrast to the previous legislative period, in which fundamentally new legal acts were created with the DSA, DMA, Data Act and AI Regulation, the focus is currently on the operational specification of the existing frameworks and the strategic promotion of key technologies. This article is intended to provide an overview of current developments and of areas where work is still under way.

I. Security and resilience

1. Cybersecurity in the healthcare sector

One of the Commission's first initiatives is to strengthen cybersecurity in the healthcare sector. In January 2025, the Commission published a European Action Plan for the Cybersecurity of Hospitals and Healthcare Providers. Although the action plan is not legally binding, it sends a clear political signal and marks the starting point for coordinated measures that are likely to lead to more binding regulations in the coming years.

The action plan aims to systematically expand the digital security architecture in the European healthcare sector. Among other things, it provides for closer integration of national CERT structures with the EU's early warning system, harmonized requirements for IT and medical technology systems and targeted funding instruments for institutions with limited human or technical resources. The role of ENISA is also to be strengthened, particularly with regard to the development and enforcement of sector-specific security standards. The Commission also emphasizes the need for horizontal coordination with existing regulatory frameworks such as the NIS-2 Directive and the Cybersecurity Act.

For operators of medical facilities, but also for companies active in the field of digital healthcare services, medical technology or healthcare IT, this results in a concrete need for action. While larger hospital groups generally already have professional security architectures in place, smaller providers are also increasingly faced with the question of operational and strategic connectivity to European security standards. The expected introduction of new interoperability specifications, certification requirements and reporting obligations suggests that corresponding planning and investment decisions should be prepared promptly.

2. E-commerce platforms

In parallel to cybersecurity in the healthcare sector, the Commission is also pursuing legislative projects in the area of e-commerce. In February 2025, a comprehensive strategy for the regulation of e-commerce was presented. The background to this is the dramatic increase in small consignments delivered directly to consumers from third countries: in 2024 alone, over 4.6 billion such parcels were imported into the EU – predominantly from China. This poses considerable risks in terms of product safety, distortions of competition and the overburdening of national control authorities.

The toolbox that has now been published addresses three levels: Firstly, customs and market surveillance systems are to be modernized and digitalized. Among other things, it envisages the abolition of the duty-free limit for shipments up to 150 euros and the introduction of a flat-rate handling fee for e-commerce goods. Secondly, existing legal frameworks – such as the Digital Services Act or the Product Safety Regulation – are to be applied and enforced more consistently. Thirdly, the Commission is aiming for a closer integration of platform responsibility, sustainability goals and consumer rights.

For companies, this means a noticeable tightening of compliance requirements. Platform operators are obliged to systematically check commercial traders, label products and react quickly to illegal offers. Violations can lead to consequences under liability law and investigations by the authorities.

In addition, the adaptation of the Product Liability Directive from 2026 is intended to ensure that there is a liable party within the EU for imported goods from third countries. The focus is also on environmental requirements, for example in the area of packaging disposal and take-back obligations.

It is advisable for suppliers involved in cross-border online trade to critically review existing compliance and sales structures. Those who focus on transparency, traceability and sustainable product design at an early stage can minimize regulatory risks.

II. Cyber Security Act

As part of the further development of the European cybersecurity architecture, the Cybersecurity Act, which came into force in 2019, is once again coming into focus. The Act, which in particular created the role of ENISA and a European framework for cybersecurity certifications, is once again up for discussion in light of the growing threat situation. On April 18, 2023, the Commission already proposed a targeted amendment to the certification regulation, which was adopted on January 15, 2025.

An evaluation was launched in spring 2024 and covers both the role of ENISA and the effectiveness of the voluntary certification framework. Initial discussion papers from the Member States and a public consultation show that the slowness of the certification process, unclear responsibilities and insufficient penetration of the requirements across the economy are seen as weaknesses. The Commission is therefore aiming for a reform by 2025, which will include a transition to sector-specific and mandatory certification regimes and an institutional strengthening of ENISA.

At the same time, the Commission presented a new Council Recommendation for an "EU Blueprint on Cybersecurity Crisis Management" in February 2025. The aim is to transfer the principles set out in the previous blueprint recommendation from 2017 to the current situation and the expanded legal framework – in particular through the NIS 2 Directive – and to sharpen them operationally. With the new Blueprint, the Commission emphasizes that cyber crises of European significance can no longer be controlled by isolated national measures, but require coordinated crisis management across all levels of action.

To this end, standardized procedures for crisis classification, reporting channels and information flows between actors such as the Commission, the Council, ENISA, EU-CyCLONe, CERT-EU and the member states should be developed. The recommendation also aims to improve the link between the technical, operational and political levels, for example through the role of the Integrated Political Crisis Response (IPCR) mechanism. The Commission attaches particular importance to horizontal coherence with other crisis protocols – such as the EU Hybrid Toolbox, the Cyber Solidarity Act or sectoral emergency plans – as well as the exchange of information with strategic partners such as NATO.

For companies, the changes are particularly relevant where private actors act as operators of critical infrastructures or as manufacturers of security-relevant digital products. The strengthening of coordinated reporting obligations, the expansion of sectoral early warning systems and the standardization of secure communication channels in the event of a crisis show that companies are becoming increasingly involved in the EU's common security structure. The involvement of private sector partners in exercises and simulation scenarios is also expressly planned for the future.

III. AI infrastructure & guidelines

The European Commission is also currently driving forward several initiatives to promote and regulate the development and application of artificial intelligence (AI) in Europe. Two current projects are the establishment of AI factories and the finalization of a practical guide for general purpose AI models.

In March 2025, the European High Performance Computing Joint Undertaking (EuroHPC JU) announced the selection of six new AI factories in the EU. These facilities will serve as innovation hubs to accelerate the development and application of AI technologies in various sectors.

In addition, the EU is planning significant investment in AI infrastructure as part of the InvestAI initiative. More than 20 major international investors have earmarked 150 billion euros for AI-related projects in Europe over the next five years. A significant portion of this funding is earmarked for the development of AI gigafactories, which will provide start-ups, researchers and industry with access to state-of-the-art computing power.

In addition, the Commission is currently finalizing the AI Practice Guidance for general purpose AI models. After several draft phases and consultations with stakeholders, the final version of this guidance is expected at any time. The Code aims to provide clear guidance on transparency, risk assessment and mitigation measures in the development and use of AI models. It will play a crucial role in the implementation of the AI Regulation, whose provisions for general AI models will enter into force in August 2025.

IV. New digital laws

In the area of the digital economy, the Commission is currently preparing two key legislative initiatives: the Digital Networks Act (DNA) to reorganize the telecommunications infrastructure and the Digital Fairness Act (DFA) to reform digital consumer protection law.

With the DNA, the Commission wants to respond to a lack of investment and inconsistent rules in the area of network infrastructures. The aim is to create a more uniform, investment-friendly framework for cross-border telecommunications networks. Among other things, new requirements for network access, market integration and possible contributions from large content providers to the network infrastructure – the so-called "fair share" debate – are being discussed.

For companies in the telecommunications and platform industry, the planned rules could change a lot – both in terms of legal requirements and competition in the market. Infrastructure operators, network operators and large digital intermediaries in particular should follow further developments closely and take strategic positions in good time.

The DFA is also intended to close gaps in consumer protection for digital services. Based on a comprehensive "fitness check", existing guidelines are to be reviewed, standardized and adapted to new technological business models. The focus is on price transparency, algorithmic control of user behavior, manipulative design elements and effective law enforcement.

From a corporate perspective, this is doubly relevant: On the one hand, there is increasing pressure to review internal compliance structures in the areas of marketing, design and sales and to make them compatible with future transparency standards. On the other hand, a European standardization of digital consumer protection also offers the opportunity to reduce country-specific legal uncertainties and bureaucratic burdens.

V. Further proposals

In addition to the current legislative projects, the EU Commission is also planning other projects in the digital sector. Among others, a Cloud and AI Development Act and a Quantum Chips Act have not yet been specified, but have been announced politically. The former is intended to bundle investments in energy-efficient cloud infrastructures and scalable AI applications, create interoperable standards and reduce Europe's gap with the USA and China. With the Quantum Chips Act, the EU Commission aims to better coordinate national funding programs for quantum technologies and promote the industrial use of these technologies throughout Europe.

With the digital euro, the European Central Bank is working in parallel on an electronic central bank money that will act as a supplement to cash and serve as an infrastructural foundation for digital payment systems.

In addition, with the European Innovation Act and the European Research Area Act, the Commission is planning two frameworks for the targeted promotion of innovation ecosystems and for strengthening the European Research Area. Both projects aim to improve the availability of capital, regulatory testing grounds and cross-border research cooperation.

Even if these legislative projects are still in the planning stage, they show that the EU wants to focus its technology policy more strongly on attractive locations, more investment and better competitive opportunities in future. For companies, this opens up strategic opportunities to help shape and position themselves – over and above the pure legal framework.

VI. Conclusion

Current developments in EU digital law show that the Commission's focus is shifting from major fundamental reforms to specific implementation issues and detailed technical regulations. This not only results in new obligations – for example in the areas of cyber security, platform regulation or AI – but also in targeted funding and investment programs for key technologies. For companies, this means that those who check at an early stage where new requirements apply can not only react in good time, but in many cases actively shape them. This applies, for example, to participation in pilot projects, the integration of new standards into existing processes or the development of digital infrastructure with a view to future requirements. Even without major new regulations, the need for adaptation remains high in many areas – and the opportunity to position yourself strategically beyond regulatory conformity is correspondingly great.

 
