Written by Cathy Kremer
Dear reader,
Welcome to Publyon’s EU Digital Policy Update (DPU). As 2025 winds down, it’s time to unwrap a busy year for EU digital and tech policy. This festive edition shines a spotlight on a year-in-review of three key European Commissioners: Henna Virkkunen, Michael McGrath, and Ekaterina Zaharieva. In our geopolitical corner, we explore the latest on fines under the DSA, digital border controls, and the new US National Security Strategy. And as always, we dive into the latest AI, cyber, and other digital policy news. So grab a cup of cocoa, settle in, and let’s recap the year in digital policy together!
The spotlight
Year in review: How did the European Commissioners do?
Executive Vice-President for Technological Sovereignty, Security and Democracy, Henna Virkkunen
In the first 365 days of her mandate, Virkkunen focused on strengthening Europe’s competitiveness, security and democratic resilience.
She advanced Europe’s innovation agenda with the AI Continent Action Plan, InvestAI, Apply AI Strategy, and a growing network of AI Factories, now 19 across 16 Member States, alongside the launch of a call for AI Gigafactories. Support for startups followed with the EU Startup and Scaleup Strategy, the Digital Omnibus package, the Data Union Strategy, and progress on European Digital Identity and Business Wallets.
On security, Virkkunen presented the Defence Readiness Roadmap 2030 and the Defence Industry Transformation Roadmap, strengthened cybersecurity efforts on the national level, and acted to protect critical infrastructure such as submarine cables. To safeguard democracy, she enforced the Digital Markets Act (DMA) and Digital Services Act (DSA), launched the European Democracy Shield, and introduced new measures to improve online safety and platform accountability.
Some work remains in progress: clear liability rules for AI are still missing, the long-awaited Cloud and AI Development Act (CAIDA) will come early in 2026, and technical standards and legal certainty under the AI Act are pending. Europe’s industrial base (like homegrown AI chips) remains weak. Virkkunen also faced pressure this year to engage more visibly on external challenges such as U.S. threats to EU digital laws. Meanwhile, simplification of the digital rulebook and concrete enforcement outcomes are still unfolding, with business groups urging faster action.
European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath
In his first year in office, Commissioner McGrath concentrated on tightening Europe’s digital rulebook while trying to make it more workable for consumers, regulators and businesses alike. His portfolio gravitated around three pillars: digital governance, consumer protection, and democratic resilience.
The digital omnibus and targeted GDPR amendments were framed as a course correction: less procedural box-ticking, more legal clarity, and fewer friction points for innovation. Proposals to streamline data-breach notifications, clarify what actually counts as personal data, and rein in cookie-banner excesses signalled a willingness to confront long-standing compliance fatigue. This was reinforced by hands-on engagement, notably the GDPR Implementation Dialogue, and by concrete follow-through on data governance, including the DSA Delegated Act granting vetted researchers access to non-public platform data on systemic risks.
He also leaned heavily into democracy and consumer trust. The launch of the European Democracy Shield and the EU Strategy for Civil Society positioned digital integrity, election fairness and societal resilience as standing policy priorities rather than crisis responses. In parallel, the 2030 Consumer Agenda set a forward-looking framework for consumer protection, with a strong emphasis on digital fairness, cross-border access and enforcement, backed by an action plan rather than abstract principles.
On AI, McGrath’s approach was pragmatic rather than visionary. He supported the rollout of the AI Continent Action Plan and the Apply AI Strategy, and backed softer governance tools such as the General-purpose AI Code of Practice and the AI Pact to corral industry cooperation while the AI Act beds in. That said, the year exposed clear limits. Simplification promises now need to survive legislative negotiation and national implementation. The voluntary AI Code of Practice buys time, but does not resolve hard questions around liability, accountability and enforcement. Overall, McGrath has set direction and tone; whether this translates into lasting regulatory credibility and real reductions in burden will be the real test of his next phase.
European Commissioner for Startups, Research and Innovation, Ekaterina Zaharieva
In her first year, Zaharieva focused on strengthening Europe’s research and science ecosystem. She supported the launch of RAISE, the new AI institute for science. She worked to make Horizon Europe easier to navigate through structured dialogues with universities, research organisations and startups on reducing administrative burden.
A central part of her work has been advancing the European Research Area, including efforts to attract talent, deepen cooperation with associated countries and promote Europe as a destination for scientific excellence through initiatives such as Choose Europe. While progress on research, AI and talent has been evident, other parts of her mandate, including concrete support for startups, scale-ups and innovation legislation, have moved more slowly and remain areas to watch in the coming year.
Geopolitical corner
In Publyon’s geopolitical corner, this month underlined how Europe’s digital rulebook is no longer just a regulatory project, but a geopolitical stress test. What might once have been treated as a technical enforcement action under the Digital Services Act (DSA) has instead landed like a Christmas present nobody asked for. Elon Musk got his €120 million “gift”, and EU–US relations promptly moved from awkward to positively wintry.
DSA enforcement triggers US backlash and personal pressure
The Commission’s fine against X sent shockwaves well beyond Brussels. Musk’s public outburst, framing the decision as a personal attack and hinting at retaliation against those involved, has had a chilling effect on EU officials and lawmakers working on digital files. MEPs and Commission staff now openly question whether routine travel to the US remains risk-free, with some quietly considering burner phones and stricter data hygiene. This is no longer abstract “platform pushback”, but perceived intimidation of regulators themselves, blurring the line between corporate lobbying, political pressure and personal security.
Washington’s reaction amplified the unease. Public criticism from senior US figures reinforced the sense that EU digital enforcement is increasingly viewed not as an internal market measure, but as a strategic irritant. The timing is awkward: just as DSA enforcement is meant to scale up, the political temperature around it is dropping fast.
Border controls, but make it digital
Adding to the seasonal chill, US authorities are simultaneously tightening the screws on inbound travellers. A Department of Homeland Security notice published in December confirms plans to expand data collection under the ESTA and I-94 systems, including mandatory disclosure of social-media accounts covering the past five years, biometric selfies, geolocation data, and a shift toward mobile-only applications. Digital enforcement disputes in Brussels are now colliding directly with border, data and security practices on the other side of the Atlantic.
A harsher US strategic frame for Europe
All of this lands against a wider strategic backdrop that is anything but festive. The US National Security Strategy published in December portrays Europe as economically declining, over-regulated and politically fragile, openly criticising EU-style regulation as “regulatory suffocation” and signalling a tougher, more transactional approach to transatlantic relations. A subsequent European Parliamentary Research Service analysis notes that Europe has been downgraded in US strategic priorities and framed less as a partner to be shaped jointly, and more as a continent that needs to “correct its trajectory” under US pressure.
For EU digital policy, the implications are clear. Enforcement of the DSA, DMA and related files now sits squarely within a broader US narrative that treats EU regulation as both an economic constraint and an ideological provocation. As the year closes, Europe may be entering the holiday season, but it is very much a cold winter rather than a warm Christmas.
Policy updates
Commission and EIB Group partner to advance AI Gigafactories
On 4 December, the European Commission and the European Investment Bank Group signed a Memorandum of Understanding to support the development of AI Gigafactories in the EU. The EIB Group will provide advisory support to consortia preparing proposals for large-scale AI computing facilities ahead of the formal call in early 2026.
The partnership builds on InvestAI, a €20 billion initiative to fund up to five AI Gigafactories. It aims to accelerate Europe’s AI infrastructure and strengthen the EU’s technological sovereignty.
Commission prepares guidance to support AI Act implementation
On 4 December, the European Commission, through the EU AI Office, announced it is preparing a set of practical guidelines to support the implementation of the AI Act. The work forms part of the proposed Digital Omnibus and responds to stakeholder calls for clearer, more predictable rules.
The guidance, to be developed during 2026, will cover areas such as high-risk AI classification, transparency obligations, fundamental rights impact assessments and the interaction between the AI Act and other EU legislation. Research exemptions will be treated as a priority.
Commission opens call for evidence on Digital Decade 2030 review
On 25 November, the European Commission launched a call for evidence to assess whether the Digital Decade 2030 targets still reflect today’s rapidly evolving tech landscape. The results will inform a full review planned for 2026. The Digital Decade has already mobilised over €288 billion through national roadmaps. The review will look at how to keep the targets relevant, accelerate digital transformation and simplify digital legislation.
The call is open until 23 December 2025, with an online workshop on 26 November for regional and local actors.
Commission launches whistleblower tool to support enforcement of the AI Act
On 24 November, the European Commission launched a new whistleblower tool under the AI Act, allowing individuals to securely report suspected breaches directly to the EU AI Office. Reports can be submitted in any EU language and format, with strong guarantees on confidentiality, data protection and anonymity.
The tool is designed to help detect potential violations that may threaten fundamental rights, health or public trust. Whistleblowers can securely follow up on their reports and respond to questions from the AI Office without revealing their identity.
First DSA report maps systemic risks on major online platforms
On 20 November, EU regulators published the first-ever Digital Services Act (DSA) report on systemic risks found on very large online platforms and search engines. The report highlights issues such as illegal content, risks to minors and mental health, challenges linked to generative AI, and intellectual property concerns.
It also outlines early mitigation measures, including automated tools that detect emojis used as codes for illegal activities. This is the first in an annual series that will track recurring risks and assess how platforms’ mitigation efforts evolve over time.
EU invests €389 million in cable, 5G and quantum infrastructure
On 20 November, the Commission selected 56 projects under the CEF Digital programme to receive €389 million for new backbone networks, 5G pilots along transport corridors and expanded quantum communication infrastructure (EuroQCI).
The funding supports new terrestrial and submarine cables, standalone 5G networks and cross-border quantum links, with co-financing rates of 30 to 75%. The investment strengthens Europe’s secure and resilient digital infrastructure.

