DNA, International Digital Strategy, NIS2 Forum and More - EU Regulation Update, June 2025

Summary:

• The European Commission is welcoming stakeholder views and contributions in reviewing telecoms rules as part of its Digital Network Act (DNA) initiative
• The Commission has published its State of the Digital Decade 2025 report, providing new data on the EU's digital transformation journey
• A new joint EU International Digital Policy Strategy reaffirms Multistakholder Internet Governance principles but calls for evolution of the model ahead of WSIS+20
• The Commission is planning to launch a dedicated NIS2 Multistakeholder Forum on the deployment of relevant Internet standards after summer
• The EU Cybersecurity Act is under review, which is of particular relevance for European cyber certification, cloud policy, and ENISA’s future mandate
• The Council of the EU has adopted a Cyber Blueprint including recommendations to improve cyber crisis management and coordination amid heightened focus on the protection of European communication networks infrastructure
• The Commission and ENISA are setting up a dedicated EU Vulnerability Database (EUVD) to support organisations in improving cyber risk management
• A call for evidence on Data Retention is open, as the Commission is eyeing possible action to harmonise EU rules to access and retain digital evidence
• Ongoing efforts to simplify regulation led to discussions on a possible GDPR revision which would create a lighter regime for “mid-caps"

DNA Call for Evidence

The European Commission has opened a ‘Call for Evidence’ for the DNA to gather stakeholder input and inform the EU’s executive branch on possible next steps. The deadline to submit input is 11 July 2025.

The accompanying explanatory briefing reveals that the DNA initiative should aim to address several elements, including shortcomings in the implementation (or lack thereof) of the European Electronic Communication Code (EECC) and the fragmentation of the EU connectivity sector along national borders.

As such, the initiative would mainly seek to support EU telecom operators and end-users to “reap the full potential of the single market” focussing on the following areas: regulatory simplification and cutting red tape, spectrum policy harmonisation, access regulation and governance such as reviewing the role of national regulatory authorities (NRAs), and EU-level coordination through the Body of European Regulators for Electronic Communications (BEREC) and the Radio Spectrum Policy Group (RSPG).

While evidence brought in by BEREC reveals that the IP interconnection market generally functions well, the Commission is anticipating future possible trends and issues, pointing to some alleged imbalances affecting various market players. The Commission is considering ways to create more "effective cooperation" among players in the "broader connectivity ecosystem" and may give national regulators and BEREC more sway in facilitating such cooperation. Questions over whether - and if so how - Open Internet regulation should be adjusted to accommodate future network deployment also features among the hot topics.

The DNA proposal will land on the desk of the upcoming EU Council Presidency held by Denmark starting in July, while a proposal is expected for December 2025. The debate on the relation between investment and market consolidation in the telecom sector remains a heated one. The DNA’s purpose is to simplify some of the regulatory regime applying to telecom operators, but it could potentially merge the existing rules on telecoms, net neutrality and governance into a single, directly binding regulation, placing particular emphasis on authorisation procedures and spectrum management, which are seen as key drivers of market fragmentation.

State of the Digital Decade

Meanwhile, it is a timely moment for the Commission to publish the State of the Digital Decade report for 2025. The report provides an annual assessment of progress towards the 2030 targets outlined in the Digital Decade Policy Programme.

The situation across the EU shows a positive trend, although significant disparities exist between member states. The EU is making notable progress in providing high-speed mobile connectivity and is on track to achieve 100% coverage by 2030. Similarly, the digitalisation of public services and administration is progressing well.

The report discusses several data points and identifies some persistent challenges in the EU's digital transformation journey. These include a shortage of skills and the need for improvements in areas such as full fibre and standalone 5G deployment, as well as the digital transformation of businesses, especially SMEs. Furthermore, the report points out a "cloud computing capacity gap," which contributes to the EU falling behind major global competitors like the US and China.

The report is pledging for more strategic and targeted funding to support skills development and innovation in key areas such as cloud, AI, high capacity networks, semiconductors, quantum, and more.

EU International Digital Strategy and WSIS+20

On 5 June, the European Commission and the EU’s High Representative released a new International Digital Strategy, which repositions the EU on several issues spanning digital diplomacy, cyber security, and Internet governance.

For the Internet technical community, what stands out is the renewed positioning on Internet governance ahead of the key negotiation cycles taking place throughout the year. At the UN level, it is about the upcoming twenty-year review of the World Summit for the Information Society (WSIS+20) and the implementation of the Global Digital Compact (GDC), as well as the development of global cyber norms.

Regarding WSIS+20, the EU states that it will continue to promote an inclusive multistakeholder approach to Internet Governance and push against any initiatives of state-controlled Internet architectures that could fragment and undermine the principles of openness and security enshrined in the Tunis Agenda. It also explicitly acknowledges the central role of ICANN in managing the foundations of Internet architecture.

Whereas the EU takes a positive stance towards inclusive multistakeholder governance, notably from partner countries and youth communities, it also clearly calls for an evolution of the current model, saying global Internet Governance must adapt to new geopolitical challenges and invoking the risks of fragmentation. However, the document falls short on identifying the sources and drivers of such fragmentation, nor does it suggest any concrete actions to mitigate it. Instead, the EU calls out against any misuse of digital tools, Internet shutdowns and censorship while emphasising the risks of widening digital divides.

Along similar lines, the document states the EU will pursue both a multilateral and multistakeholder approach in the spirit of the São Paulo Guidelines – the main outcome document of the NETmundial+10 conference led by Brazil in April 2024. While the joint strategy does not take a clear stance on the future format and mandate of the Internet Governance Forum (IGF), the Commission has repeatedly voiced support for establishing a permanent and stable financial model for the IGF.

Additionally, the accompanying annex document stresses the EU’s intention to leverage the WSIS+20 Review negotiations to uphold “an open, human-centric Internet based on human rights, enhance multistakeholder Governance, and bridge the new digital divides by establishing an operational connection with the Sustainable Development Goals (SDGs) and the Global Digital Compact (GDC)”.

The expression of the EU’s position on these matters comes at a time when several countries have voiced support for a more State-led approach to exert more control over core functions of the global Internet – such as the naming and numbering management system and the standards development processes which for now remains essentially led by the community of Internet technical experts.

In its input to the consultation preceding the publication of the strategy, the RIPE NCC presented WSIS+20 as an opportunity to reinforce the foundational principles of the Internet as an open, distributed, and globally interoperable architecture, which has enabled innovation and connectivity for billions of users – and stressed the need to do more to close the widening digital divides. We also called on the EU to strengthen its multistakeholder approach, and in particular, to promote norms and standards in collaboration with the global Internet technical community in order to ensure that the Internet continues to serve as a powerful catalyst for innovation, economic and social development, and empowerment worldwide.

The RIPE NCC also organised an Open House webinar on WSIS+20 and published some materials, including a dedicated Fact Sheet and Vision document highlighting what the whole review process is about, as well as the contribution of the technical community and the role of Regional Internet Registries.

NIS2 Multistakeholder Forum on Internet Standards Deployment

The European Commission has also announced plans to set up a so-called ‘Multistakeholder Forum on Internet Standards Deployment’ as specified in Recital 8 of the NIS2 Implementing Act adopted in October 2024. This relates to the specific provisions laid down in the implementing regulation and its accompanying annex – including the technical and the methodological requirements of the cybersecurity risk-management measures applying to certain digital and Internet market operators such as DNS service providers, TLD name registries, cloud service providers, data centre service providers, CDNs, and more.

This new initiative, primarily led and implemented by the Commission’s Joint Research Center (JRC), aims to identify, support, and accelerate the adoption of best practices in deploying existing and widely accepted internet standards across the following areas:

(i) The transition towards latest generation network layer communication protocols

(ii) The deployment of internationally agreed and interoperable modern e-mail communications standards

(iii) The application of best practices for DNS security, and for Internet routing security and routing hygiene entail specific challenges regarding the identification of best available standards and deployment techniques.

The Forum should be organised around four main workstreams: network layer communication protocols, e-mail security, DNS security, routing security and hygiene. One key objective is to produce guidelines on the deployment of relevant standards for market operators under NIS2. In terms of practical steps, the Commission will publish an open call for interest in the coming weeks and organise a kick-off event in September 2025 – for more detailed information, watch out the presentation given during the Cooperation WG at RIPE90.

Cybersecurity Act

Another key file currently under review is the EU Cybersecurity Act (CSA) – not only because it may lead to redefining the future mandate of ENISA, but also because it underpins the European Cybersecurity Certification Framework in a context where digital sovereignty and value chain security are topping the EU agenda across many areas. Discussions on cloud sovereignty, as well as the ongoing implementation of the Cyber Resilience Act (CRA) are expected to influence this review process quite significantly against a backdrop where notable 'Cyber Dialogues' and trade and technology negotiations are taking place on a bilateral basis.

As a reminder, the EU Cloud Services Certification Scheme (EUCS) was a key initiative which has been put on hold for some time now mostly due to member states disagreeing on whether or not restricting market access on the basis of ‘sovereignty requirements’ for cloud service providers should be the way forward.

While the Commission is signalling that it is aiming for regulatory simplification and burden reduction, it also leans towards a pretty strong digital sovereignty approach. In this context, EU member states are currently implementing NIS2 and may seek to leverage the concept of ‘trustworthiness’ (or ‘trusted partners’) to give preferential treatment to European companies, including through public sector procurement.

EU Cyber Blueprint and Protection of Communication Infrastructure

The Council of the EU has adopted the so-called Cyber Blueprint including recommendations on how to improve cyber crisis management. During the TTE Council meeting held on 6 June, ministers welcomed the swift adoption of the blueprint and stressed the need for strategic alignment and engagement across technical, operational, and diplomatic actors amid heightened geopolitical pressures. This initiative complements the previously published Preparedness Union strategy which aims to boost the EU's capacity to proactively anticipate and respond to major crises, with high attention given to those stemming from cyber and hybrid threats.

Back in March, the Warsaw Call on Cybersecurity Challenges led by the Polish EU Council Presidency urged for a swift adoption of the draft recommendations, alongside the issuing of a Joint Communication laying out measures to strengthen the security and resilience of submarine cables.

On this particular topic, it is worth flagging that the RIPE NCC gave several presentations - including this one during RIPE90 covering the impact of cable damage on Internet traffic, which was also presented at the ENISA Telecom and Digital Infrastructure Security Forum 2025. You can see our colleague Emile Aben’s presentation (and full podcast) on How the Internet Routed Around Damage in the Baltic Sea.

ENISA Vulnerability Database

Another key development in cybersecurity policy was the launch of the European Vulnerability Database (EUVD) which is developed and maintained by ENISA to help entities meet supply chain and vulnerability management requirements, notably under the NIS2 Directive.

The EUVD platform is also meant to support CRA implementation, aiming to improve the security of products with digital elements as defined under the new CRA framework. To achieve this, the EUVD is intended to collect vulnerability information from ‘trusted sources’ and offers specific tools and guidance such as the Common Vulnerabilities and Exposures (CVE) Programme or the Common Security Advisory Framework (CSAF) aimed at providing ready-to-use remediation mechanisms.

Internal Security Strategy and Data Retention

The Commission is currently working on an impact assessment on "Retention of Non-Content Data by service providers for criminal proceedings” – for which a ‘Call for Evidence’ is up and running until 18 June. In addition, the Commission’s DG HOME is conducting targeted consultation with the industry, which will remain open until 4 August. It is also having a dedicated workshop on June 24 to exchange views to help the Commission weigh and assess the necessity and proportionality of different legislative and non-legislative options.

Discussion on the retention and access to traffic and location data held by Internet companies for law enforcement purposes is taking place in the context of developments involving high-profile court cases across the EU and new political momentum as part of the ProtectEU Strategy. The EU will assess feasibility and needs for such an EU-level initiative since the last attempt on the EU Data Retention Directive was struck down by the CJEU in 2014. A legislative proposal aiming to harmonise the existing patchwork of national laws may see the light in 2026.

Interestingly, the Commission’s Joint Research Center (JRC) has published a report on ‘New technologies, new risks, new opportunities: internal security and law enforcement in 2030’, in which they explore how emerging and converging technologies - such as AI, quantum computing, and advanced sensing - are reshaping the landscape and posing both new risks and opportunities for internal security in the EU.

The report emphasises the key role of robust encryption, secure data access, and ethical governance to address new vulnerabilities and persistent threats.

Simplification and GDPR Omnibus

On 21 May, the Commission published a new Single Market strategy which emphasises the need to remove market barriers and cut red tape to ease the lives of European businesses. The document identifies a “complex and costly” regulatory environment and the “fragmentation of legal rules” as putting a big strain on European organisations, especially those smaller ones that struggle to strive and scale up.

Enhancing market access, legal harmonisation and simplifying regulation is how the EU aims to boost competitiveness, innovation and economic resilience. Building on this, discussions on a possible revision of the General Data Protection Regulation (GDPR) are taking place, notably through a so-called ‘Omnibus Package’ which would include specific amendments to the GDPR – potentially exempting companies with fewer than 750 employees from some record-keeping obligations.

The push for simplification is also featured in several other strategy documents such as the Competitiveness Compass, a new startup and scaleup strategy, as well as an updated Data Union strategy which is also open for contribution until 18 July 2025!