Simplification Proposals, NIS2 Forum, Post-Quantum – EU Regulation Update November 2025

Summary:

• The European Commission unveiled its Omnibus proposals on 19 November, and outlined priorities around tech sovereignty, security and competitiveness in its 2026 work programme.
• EU and national authorities are preparing their decentralised IT system to facilitate cooperation in the context of the E-evidence framework.
• The Commission has announced the launch of its NIS2 Multi-Stakeholder Forum, focusing on the deployment of relevant Internet standards – a kickoff meeting is scheduled on 21-22 January 2026.
• The Joint Research Centre (JRC) has published new reports on the deployment of Internet standards, including IPv6, Mutually Agreed Norms for Routing Security (MANRS), and email.
• The implementation of the Cyber Resilience Act is supported by harmonised standards being currently developed by the European standardisation organisations.
• Post-quantum cryptography is becoming a priority for several EU member states, while the EU is also seeking comments on its upcoming Quantum Act.
• The Digital Network Act proposal is now expected to be published by the end of January 2026.

Omnibus proposals

Discussions about simplifying the EU’s digital rulebook are gaining momentum as the European Commission has introduced its Digital Package. The package includes a Digital Omnibus, which aims to amend multiple existing laws, as well as the Omnibus on AI, which focuses on revising the Artificial Intelligence Act.

Some of the most controversial proposed changes involve amending the definition of personal data under the General Data Protection Regulation (GDPR). One aspect is to clarify that data is not to be considered as personal data for a particular entity, in cases where this entity does not have the means that can likely be used to identify the individual whom the data relates to. Supporters of the proposed changes view them as a valuable effort to modernise data protection laws in order to promote digital innovation. In contrast, privacy advocates believe these changes threaten to weaken EU data protection standards. Rather than providing clarity and simplification, critics argue that the new package introduces additional complexity and could create legal uncertainty regarding the applicability of EU regulations.

Nevertheless, one significant proposed change relates to the creation of a Single-Entry Point (SEP) that will enable unified cybersecurity incident reporting under multiple legal frameworks, including NIS2, GDPR, DORA, eIDAS and CER. Under the proposed new framework, ENISA would pilot the SEP platform within 18 months of the proposal’s entry into force.

The digital package also included a third legislative proposal for a European Business Wallet focused on reducing administrative burden on SMEs, as well as an updated Union Data Strategy.

These proposals will have to go through the ordinary legislative procedures and be negotiated in the European Parliament and Council before a final text is agreed upon.

EC work programme

Published on 21 October, the Commission's 2026 work programme highlights simplification and tech sovereignty as key drivers to boost Europe's competitiveness and innovation. It outlines new legislative initiatives to support the development of quantum technology, cloud and AI, scheduled for the first quarter of 2026. Other key priorities include internal security, law enforcement, and cybersecurity, with plans to strengthen agencies such as Europol, Eurojust, and ENISA.

Finally, the Commission has initiated a new call for evidence running until 11 March 2026 as part of yet another evaluation process, known as the “Digital Fitness Check”, aiming to assess the coherence, efficiency, and effectiveness of the whole EU digital regulatory framework.

Law enforcement

With the E-evidence package taking effect in August 2026, EU member states are now prioritising the development of a decentralised IT system that should help exchange data between competent authorities and service providers.

Member States must ensure that designated establishments or legal representatives of service providers can access the decentralised IT system via a national IT system to receive European Production Orders or European Preservation Orders. The Commission has adopted the Implementing Regulation laying out the technical specification for establishing the decentralised IT system in July 2025, with full implementation expected by August 2026.

Meanwhile, the Commission also plans to review the mandate of Europol by Q2 2026 with a view to improve cooperation in the context of cross-border criminal investigations, and has launched a public consultation open until 15 January 2026 to inform possible scenarios.

NIS2 Multi-Stakeholder Forum

The European Commission has published a call for participation ahead of the launch of its NIS2 Multi-Stakeholder Forum on Internet Standards Deployment.

The Forum's main objective is to develop multi-stakeholder guidance identifying the relevant Internet standards and best practices for deployment, while defining suitable timeframes for fulfilling the network security requirements defined under the Commission Implementing Regulation (EU) 2024/2690.

The Annex to the Implementing Regulation defines the “technical and methodological requirements” for subject entities and outlines specific network security measures in Point 6.7.2, covering: (j) the transition to latest-generation network-layer communication protocols; (k) the deployment of internationally agreed and interoperable modern e-mail communication standards; and (l) the application of best practices for DNS security, and measures for Internet routing security and routing hygiene.

The initiative was presented during its conceptual phase at RIPE 90, where the Commission invited community experts to join and contribute. The Draft Terms of Reference document contains more details about the rules of engagement and the guidelines drafting process.

The Forum’s activities will be structured around 4 main work streams: 1) IPv6, 2) E-mail, 3) DNS, and 4) Routing. Each of these will have a small Technical Editorial Group (TEG) responsible for drafting the guidelines, which will then undergo a “commenting process” and a “consensus validation process.” Finally, a Coordination Group will be in charge of the final adoption of the deliverables, ensuring they accurately reflect the consensus achieved among the participants.

The Forum’s kick-off meeting is scheduled for 21-22 January 2026 and applications to participate can be submitted by 12 December 2025. The Forum will remain open for future participation and is expected to run until Q1 2028.

IPv6 adoption

The Joint Research Centre (JRC) published a study on IPv6 adoption in EU Member States, comparing global trends and identifying main barriers to adoption. It uses various data sources, including JRC's own measurements, to assess adoption from end-user and server-side perspectives.

The report indicates that IPv6 adoption in the EU increases at a slow but steady pace, with wide disparities across member states. On average, end-user uptake is at 38.8% and server-side adoption at 17.8% in the third quarter of 2025. Belgium, France, Germany, Greece, Hungary, and Portugal lead in end-user adoption, while Slovakia, Lithuania, Denmark, and Germany excel in server-side use. Overall, the EU ranks in the middle tier globally, lagging behind India and Brazil in end-user adoption but outperforming others on the server side. To address barriers to adoption, the report suggests aligning regulatory frameworks, offering strategic incentives, and developing educational initiatives to promote IPv6 deployment.

This report is part of a series published by the JRC on Internet Standards, including one on Mutually Agreed Norms for Routing Security (MANRS), web communication standards, and email security standards.

EU Member States are also exploring ways to promote the adoption of IPv6 at the national level. In France, the regulatory authority Arcep has established requirements for both fixed and mobile networks to ensure they are IPv6-compatible, as detailed in their annual barometer on the transition to IPv6 in France.

CRA implementation

The implementation of the Cyber Resilience Act (CRA) is underway to ensure the security of products with digital elements (PDEs). The European Telecommunications Standards Institute (ETSI), along with its Technical Committee on Cybersecurity (TC CYBER), has started developing harmonised standards. These include draft vertical standards that outline essential cybersecurity requirements for devices such as routers, modems intended for Internet connections, and switches, as well as for public key infrastructure and digital certificate issuance software. Meanwhile, the JTC13 committee of CEN-CENELEC is focusing on horizontal standards such as for vulnerability handling.

We expect the Implementing Act that will define what qualifies as "important" or "critical" products to be released before the end of the year. This will be accompanied by the Delegated Act outlining the specific conditions under which a national Computer Security Incident Response Team (CSIRT) may delay sharing an incident notification with other EU CSIRTs to prevent spreading actively exploited vulnerabilities.

Post-quantum cryptography (PQC)

With the prospect of quantum computers becoming commercially available in the near future, governments are already starting to develop regional and national strategies to promote investment in quantum technology. They are also developing national roadmaps for the implementation of post-quantum cryptography (PQC) protocols, which are becoming key priorities.

The latest European Work Programme on Standardisation emphasizes the need to prepare for quantum-safe cryptography (QSC). This aligns with the recently adopted Commission’s Coordinated Implementation Roadmap, which encourages Member States to establish their national strategy by the end of 2026. The Dutch government has announced the launch of a dedicated programme including tools for managing the risks that quantum technology poses to cryptography. Meanwhile, Belgium has initiated a consultation on the post-quantum transition in the telecoms sector.

In addition, the Commission has launched a call for evidence to inform its upcoming EU Quantum Act proposal tabled for Q2 2026. Quantum technologies are described as instrumental for the future of Europe’s competitiveness which is central to the recently released Quantum Europe Strategy.

Digital Network Act

Some EU Member States have expressed concerns regarding elements of the Commission’s forthcoming Digital Networks Act (DNA) proposal – specifically regarding the harmonisation of spectrum allocation at the EU level, and the concentration of telecom markets.

Ireland, which will hold the Presidency of the Council of the European Union (following Cyprus) starting in July 2026, circulated a non-paper in support of a dynamic and competitive connectivity ecosystem in Europe. It outlined the importance of keeping users at the centre of any telecom regulatory reform, and raised concerns about cross-border mergers and changes to existing universal service obligations. After being rejected by the Regulatory Scrutiny Board, the DNA proposal is now expected to be published at the end of January.