CoE Framework Convention signatory
This content is for informational and educational purposes only and does not constitute legal advice.
On 14 April 2026, the European Data Protection Board opened a consultation on a template for data protection impact assessments under the General Data Protection Regulation (GDPR), until 9 June 2026. The template applies to controllers undertaking high-risk processing activities, including large-scale processing of special categories of personal data, systematic monitoring of publicly accessible areas, automated decision-making with legal or similarly significant effects on individuals, profiling, matching or combining datasets, and processing involving vulnerable data subjects. It requires controllers to document a systematic description of the processing activity covering data types, purposes, data flows, and supporting technical assets, and analyse lawfulness under Article 6 of the GDPR, including legitimate interests balancing tests where applicable. It also requires controllers to demonstrate compliance with data minimisation, retention, and data quality obligations and detail measures supporting data subjects' rights, data protection by design and by default, and security of processing. Controllers must further assess the necessity and proportionality of the processing, conduct an inherent risk assessment identifying threats arising both from deliberate design choices and from accidental or unlawful events, and develop an action plan setting out additional mitigating measures alongside a residual risk assessment. The template also requires documentation of the Data Protection Officer's advice and, where appropriate, the views of data subjects or their representatives, before concluding with a formal decision to approve, conditionally approve, reject, or refer the processing to the relevant supervisory authority.
On 14 April 2026, the European Commission opened a consultation on the draft implementing regulation laying down the minimum metadata elements and their characteristics to be provided by health data holders for dataset descriptions for the secondary use of electronic health data until 12 May 2026. The implementing regulation was issued in line with Article 77(1) of Regulation 2025/327 establishing the European Health Data Space. The draft implementing regulation requires health data holders to express minimum metadata elements using the definitions, structure, cardinalities, and controlled vocabularies set out in the HealthDCAT-AP. The minimum metadata elements, listed in Part B of the Annex, include access rights, applicable legislation, coding system, custodian, distribution, geographical coverage, health category, health data access body, identifier, provenance, temporal coverage, and variables. The HealthDCAT-AP builds on the general DCAT-Application Profile and is developed and maintained by the Commission to support the description of health datasets made available for the secondary use of electronic health data.
On 9 April 2026, the European Data Protection Board (EDPB) published its annual report 2025. The report covers the EDPB's activities during the year, including the adoption of guidelines on pseudonymisation, blockchain technologies, and the interplay between the General Data Protection Regulation (GDPR) and other digital legislation, including the Digital Services Act and Digital Markets Act. It also highlights opinions on adequacy decisions for the United Kingdom, Brazil, and the European Patent Organisation. The report includes enforcement actions of organisations across the European Economic Area, with enforcement data covering 30 jurisdictions and total fines of over EUR 1.14 billion issued by national data protection authorities during the year. It also documents progress under the Helsinki statement on enhanced clarity, support and engagement, the coordinated enforcement action on the right to erasure, and the work of the support pool of experts on Artificial Intelligence (AI) and data protection. It was also stated that the report will be followed by a series of deliverables in 2026, including a data protection impact assessment template, a common data breach notification template, and joint guidelines on the interplay between the AI Act and data protection law.
On 9 April 2026, the European Commission closes the consultation on the draft Implementing Regulation on detailed arrangements for the conduct of certain proceedings pursuant to the Artificial Intelligence Act. The draft stipulates that when the Commission adopts a decision requesting access, the provider must furnish all necessary elements in a timely and effective manner. This access may include application programming interfaces (APIs), internal access, source code, model weights, and the infrastructure used for hosting the model. The Commission may also require providers to disable logging measures that could track or record the Commission's access. The draft mandates that providers allow the Commission to inspect and modify system state interactions. Furthermore, the draft clarifies that the access granted should match the levels available to the provider's own employees. The Implementing Regulation is set to enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
On 9 April 2026, the European Commission closes the consultation on the draft Implementing Regulation on detailed arrangements for the conduct of certain proceedings pursuant to the Artificial Intelligence Act. The draft outlines the procedures for initiating and concluding proceedings against providers of general-purpose AI models. It also provides for the possibility of interim measures in urgent situations where risks to health or safety may arise. The draft sets out procedural safeguards, including the right of addressees to submit written observations on preliminary findings within a minimum period of 14 days. The draft further establishes rules on the identification and protection of business secrets, allowing non-confidential versions of documents to be disclosed to legal counsel and experts under specified conditions. It also sets limitation periods for enforcement, including a five-year period for the Commission to impose fines for infringements. In addition, the draft specifies requirements for digital communication with the Commission, including the use of qualified electronic signatures for submitted documents. It outlines criteria for assessing the independence of experts involved in evaluations, requiring that they have no shared ownership, governance, or contractual relationships with AI providers during the 12 months preceding the evaluation. Appointed experts must also commit to safeguarding the confidentiality, availability, and integrity of sensitive information and business secrets accessed during testing activities. The text indicates that experts should generally be selected through open and transparent procedures, while allowing the Commission to appoint members of the scientific panel established under Article 68 of the Artificial Intelligence Act directly. It also provides that such appointments may be made in accordance with the procedure set out in Article 167 of the EU Financial Regulation. The draft is expected to enter into force on the twentieth day following its publication in the Official Journal of the European Union.
On 8 April 2026, the European Union and Morocco announced the launch of a digital dialogue on strategic cooperation. It covers several areas, including the rollout of secure and trusted digital networks and artificial intelligence (AI) compute infrastructure, the exchange of practices related to AI ecosystems, collaboration between Moroccan AI research institutes and EU AI Factories, e-governance and digital public infrastructure partnerships, and support for start-ups. It also addresses interoperability between EU and Moroccan digital frameworks, including digital wallets. The dialogue is linked to Morocco's "Digital Morocco 2030" strategy and to commitments set out in the EU's Pact for the Mediterranean.
On 30 March 2026, the European Commission closes the consultation on the second draft Code of Practice on Transparency of AI-Generated Content. The Code of Practice addresses obligations under Article 50 of the AI Act for providers and deployers of AI systems generating content. It comprises two sections, one covering rules for marking and detection of AI-generated and manipulated content applicable to providers of generative AI systems under Article 50(2) and (5) AI Act, and another covering rules for labelling of deepfakes and AI-generated and manipulated published text applicable to deployers of AI systems under Article 50(4) and (5) AI Act. The second draft incorporates feedback from stakeholders. The transparency obligations under the AI Act become applicable on 2 August 2026.
On 26 March 2026, the European Parliament adopted its position on the Digital Omnibus on AI Regulation, including provisions banning nudifier apps. The position proposes postponing the application of several rules on high-risk AI systems due to delays in the development of relevant standards, while setting fixed application dates to provide predictability and legal certainty. Under the joint position, requirements for high-risk AI systems explicitly listed in the regulation would apply from 2 December 2027, and those covered under existing EU sectoral safety legislation would apply from 2 August 2028. It also provides additional time for providers to meet watermarking obligations for AI-generated content, with a revised extension until 2 November 2026. Furthermore, the position introduces a ban on applications that use AI to generate or manipulate sexually explicit or intimate images resembling identifiable individuals without consent, while exempting systems that include safeguards to prevent such use. Additionally, measures are included to increase flexibility and support smaller market actors, including permitting the processing of personal data to detect and correct bias in AI systems under several conditions, and extending certain support measures to small mid-cap enterprises. The Parliament will now start negotiations with the Council.
On 18 March 2026, the Internal Market and Consumer Protection (IMCO) and Civil Liberties (LIBE) committees of the European Parliament adopted their joint position on the proposal for a Digital Omnibus on AI Regulation. The joint position proposes postponing the application of several rules on high-risk AI systems due to delays in the development of relevant standards, while setting fixed application dates to provide predictability and legal certainty. Under the joint position, requirements for high-risk AI systems explicitly listed in the regulation would apply from 2 December 2027, and those covered under existing EU sectoral safety legislation would apply from 2 August 2028. It also provides additional time for providers to meet watermarking obligations for AI-generated content, with a revised extension until 2 November 2026. Furthermore, the position introduces a ban on applications that use AI to generate or manipulate sexually explicit or intimate images resembling identifiable individuals without consent, while exempting systems that include safeguards to prevent such use. Additionally, measures are included to increase flexibility and support smaller market actors, including permitting the processing of personal data to detect and correct bias in AI systems under several conditions, and extending certain support measures to small mid-cap enterprises. Following plenary approval, anticipated on 26 March, the Parliament will start negotiations with the Council.
On 18 March 2026, the European Union and Kenya announced the launch of a Digital Dialogue at the EU Tech Business Offer Forum in Nairobi, marking Kenya as the first country in Africa to establish such a framework with the EU. The EU–Kenya Digital Dialogue is expected to focus on telecommunications and digital network infrastructure, artificial intelligence development and innovation ecosystems, and e-governance, including Digital Public Infrastructure (DPI). Identified areas for cooperation include investment in expanding Kenya’s aerial fibre network, the potential extension of the Blue Raman submarine cable to Kenya, collaboration on artificial intelligence between European AI facilities and Kenyan stakeholders, and partnerships on e-governance solutions drawing on European experience in interoperable public services and secure data governance. The initiative is intended to contribute to the EU’s Global Gateway strategy and will be situated within the broader EU–Kenya Strategic Dialogue established in 2021.
On 17 March 2026, the European Data Protection Supervisor (EDPS) adopted a compass outlining how it will implement its new mandate under the European Union's Artificial Intelligence (AI) Act as both market surveillance authority and notified body for AI systems used by EU institutions, bodies, offices and agencies. It applies to AI systems deployed within the EU public administration, particularly high-risk systems, including biometric and recruitment tools. It establishes a two-tier supervisory framework, combining ex ante conformity assessments for certain high-risk systems and ex post market surveillance and enforcement, alongside four strategic pillars covering supervision, regulatory coordination, institutional capacity-building, and international cooperation. It was stated that the EDPS will introduce enforcement procedures, audits, sandbox testing, and knowledge-sharing mechanisms while strengthening technical expertise and ensuring independence between its roles.
On 13 March 2026, the Council reached its general approach on the Digital Omnibus proposal for AI Regulation (2025/0359). The Council’s position introduces a prohibition on AI practices generating non-consensual sexual or intimate content and child sexual abuse material. It sets fixed application dates for high-risk AI rules, 2 December 2027 for stand-alone systems and 2 August 2028 for embedded systems, and requires providers to register high-risk AI systems even if they consider them exempt. The approach maintains standards for processing sensitive personal data for bias mitigation and postpones the establishment of national AI regulatory sandboxes to 2 December 2027. Furthermore, it clarifies the AI Office’s supervision of general-purpose AI systems with specific exceptions and tasks the Commission with issuing guidance to help economic operators comply with high-risk AI requirements.
On 12 March 2026, the European Commission opened a consultation on the draft Implementing Regulation on detailed arrangements for the conduct of certain proceedings pursuant to the Artificial Intelligence Act, until 9 April 2026. The draft outlines the procedures for initiating and concluding proceedings against providers of general-purpose AI models. It also provides for the possibility of interim measures in urgent situations where risks to health or safety may arise. The draft sets out procedural safeguards, including the right of addressees to submit written observations on preliminary findings within a minimum period of 14 days. The draft further establishes rules on the identification and protection of business secrets, allowing non-confidential versions of documents to be disclosed to legal counsel and experts under specified conditions. It also sets limitation periods for enforcement, including a five-year period for the Commission to impose fines for infringements. In addition, the draft specifies requirements for digital communication with the Commission, including the use of qualified electronic signatures for submitted documents. It outlines criteria for assessing the independence of experts involved in evaluations, requiring that they have no shared ownership, governance, or contractual relationships with AI providers during the 12 months preceding the evaluation. Appointed experts must also commit to safeguarding the confidentiality, availability, and integrity of sensitive information and business secrets accessed during testing activities. The text indicates that experts should generally be selected through open and transparent procedures, while allowing the Commission to appoint members of the scientific panel established under Article 68 of the Artificial Intelligence Act directly. It also provides that such appointments may be made in accordance with the procedure set out in Article 167 of the EU Financial Regulation. The draft is expected to enter into force on the twentieth day following its publication in the Official Journal of the European Union.
On 12 March 2026, the European Commission opened a consultation on the draft Implementing Regulation on detailed arrangements for the conduct of certain proceedings pursuant to the Artificial Intelligence Act, until 9 April 2026. The draft stipulates that when the Commission adopts a decision requesting access, the provider must furnish all necessary elements in a timely and effective manner. This access may include application programming interfaces (APIs), internal access, source code, model weights, and the infrastructure used for hosting the model. The Commission may also require providers to disable logging measures that could track or record the Commission's access. The draft mandates that providers allow the Commission to inspect and modify system state interactions. Furthermore, the draft clarifies that the access granted should match the levels available to the provider's own employees. The Implementing Regulation is set to enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
On 10 March 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a joint opinion on the proposal for a Regulation on establishing a framework of measures for strengthening the Union's biotechnology and biomanufacturing sectors, particularly in the area of health (European Biotech Act). The EDPB and the EDPS support the Proposal's objective to harmonise how sponsors and investigators process personal data in clinical trials under Regulation (EU) No 536/2014 (Clinical Trials Regulation) (CTR) by establishing a single legal basis for such processing. The opinion provides recommendations to enhance clarity, including specifying that the 25-year minimum retention period applies only to personal data in the clinical trial master file, requiring pseudonymisation where direct identification is unnecessary, and clarifying that proposed Article 93(6) CTR would provide a legal basis for further processing under Article 6(1)(e) of the General Data Protection Regulation (GDPR). The EDPB and the EDPS also recommend that the European Medicines Agency (EMA) cooperate with the EDPB when developing guidance on AI use in medicinal product development. Regarding regulatory sandboxes established under Articles 40, 56, and 61 of the Proposal, the EDPB and the EDPS note that these provisions do not provide a legal basis for processing personal data, which would require a valid basis under the GDPR.
On 10 March 2026, the Court of Justice of the European Union (CJEU) heard arguments from Like Company in its case against Google. Like Company alleged that Google Search, Gemini, AI Overviews, and AI Mode had continuously and unlawfully used, communicated to the public, and reproduced its protected press publications without consent or payment. Like Company relied on Article 15 of the Copyright in the Digital Single Market (CDSM) Directive as the legal basis for the protection of EU online publishers against such uses, arguing that the law should be applied to make protection practical and effective. Like Company submitted that Hungarian law governed, as the jurisdiction where the works were first made public, under Article 8 of Rome II. Like Company further submitted that, given the general, continuous, and systemic nature of the alleged use, publishers should not be required to prove each individual user interaction. Like Company also cited Article 53 of the AI Act and alleged potential breaches of the Digital Markets Act (DMA).
On 10 March 2026, the European Parliament adopted a series of recommendations aimed at protecting copyrighted creative work from use by artificial intelligence (AI) systems. The recommendations, passed by 460 votes to 71, state that European Union copyright law should apply to all generative AI systems on the market, regardless of where they were trained. The recommendations aim to ensure transparency and fair remuneration for rights holders whose protected content is used in AI training processes. Under these recommendations, AI providers and deployers must maintain an itemised list of all copyrighted works used for training and records of crawling activities. Failure to provide such documentation could be classified as copyright infringement, with providers bearing all legal costs if a court rules in favour of the rights holder. The Parliament also calls for the creation of a new licensing market, including voluntary collective licensing agreements for individual creators and small and medium-sized enterprises. Furthermore, the recommendations propose that the European Union Intellectual Property Office (EUIPO) manage an opt-out list allowing rights holders to exclude their work from AI training datasets. The policy specifies that content fully generated by AI should not be protected by copyright. Additionally, the news media sector should receive compensation for traffic or revenue diverted by AI systems and retain the right to refuse the use of their content for training. Parliament also highlights the importance of maintaining media pluralism in AI news aggregation. Finally, Parliament prioritises the protection of the public from manipulated or AI-generated content.
On 5 March 2026, the European Commission opened a consultation on the second draft Code of Practice on Transparency of AI-Generated Content until 30 March 2026. The Code of Practice addresses obligations under Article 50 of the AI Act for providers and deployers of AI systems generating content. It comprises two sections, one covering rules for marking and detection of AI-generated and manipulated content applicable to providers of generative AI systems under Article 50(2) and (5) AI Act, and another covering rules for labelling of deepfakes and AI-generated and manipulated published text applicable to deployers of AI systems under Article 50(4) and (5) AI Act. The second draft incorporates feedback from stakeholders. The transparency obligations under the AI Act become applicable on 2 August 2026.
On 5 March 2026, the European Commission closes the consultation on the draft implementing regulation as regards applicable standards and specifications. The draft implementing regulation amends the 2025/848 rules on registering wallet-relying parties to align with updated technical specifications for European Digital Identity Wallets. It updates standards and procedures to ensure security, reliability, and cross-border interoperability, including accepting WebAuthn for pseudonym authentication and linking pseudonym registration to electronic attribute attestations. Annexes I, II, IV, and V are revised, a new Annex VI is added, and the Regulation will be binding and directly applicable in all Member States twenty days after publication.
On 4 March 2026, the European Data Protection Board (EDPB) released the Data Brokers Market Study, commissioned by the Belgian Supervisory Authority (BE SA) through the EDPB Support Pool of Experts Programme. The study identified data brokers and data providers with a presumed main establishment in Belgium, as defined under Article 4(16)(a) of the General Data Protection Regulation (GDPR). It established a working definition of a data broker and a set of selection criteria based on Article 4(1) GDPR, covering the collection of data from multiple sources, processing to develop consumer profiles, monetisation, and the absence of meaningful control by individuals. A three-step methodology was applied, comprising a literature review, a search strategy using NACEBEL codes and keyword-based online searches, and a selection process. Eight types of data brokers and data providers were identified: personal data brokers, AI platforms integrating personal data, business data brokers, data pools and cleanrooms, data marketplaces, self-generated data providers, data brokers with user control, and aggregated data providers with re-identification risk. More than 40 data brokers and providers active in Belgium were identified.
On 19 February 2026, the European Ombudswoman opened an inquiry (Case 3162/2025/MIK) into possible discrepancies between the guidelines on the AI Act and the AI Code of Practice. The inquiry follows a complaint from a Member of the European Parliament. While the AI Act mandates that providers maintain current information on energy consumption during the development of general-purpose AI models, the Code of Practice allegedly contains exemptions for certain circumstances. The complainant raised concerns after the Commission stated its authority was restricted to evaluating the adequacy of the Code in its entirety rather than amending specific provisions to ensure alignment with the AI Act. The Ombudswoman has requested that the Commission clarify its legal position regarding its power to assess individual elements of the Code. Furthermore, the inquiry seeks the Commission's reasoning for deciding whether to adopt the Code via an implementing act, a measure suggested by the complainant to provide "general validity" across the European Union and ensure uniform application. The Commission is also required to address specific concerns regarding energy consumption reporting requirements.
On 12 February 2026, obligations regarding in-building physical infrastructure and fibre wiring set out in the Regulation on measures to reduce the cost of deploying electronic communications networks begin to apply. All newly constructed buildings and buildings undergoing major renovation works, for which applications for building permits have been submitted, must be equipped with a fibre-ready in-building physical infrastructure and in-building fibre wiring, including connections up to the physical point where the end user connects to the public network. Additionally, all newly constructed multi-dwelling buildings and multi-dwelling buildings undergoing major renovation works, for which building permit applications have been submitted, must be equipped with an access point. Buildings undergoing major renovations (as defined in Directive 2010/31/EU) must also be equipped with fibre-ready in-building physical infrastructure and in-building fibre wiring, including connections up to the public network connection point, if it is technically feasible and does not disproportionately increase the costs of the renovation. Such multi-dwelling buildings undergoing major renovations must also be equipped with an access point. Member States were required to adopt relevant standards or technical specifications for implementing these obligations by 12 November 2025.
On 6 February 2026, the European Commission issued preliminary findings in its investigation into TikTok, concluding that the platform breached its obligations under the Digital Services Act with regard to the assessment and mitigation of the addictive design of its service. The Commission found that TikTok had failed to adequately assess the systemic risks arising from the design and operation of its service. These risks were associated with features such as infinite scrolling, autoplay, push notifications, and highly personalised recommendation systems. The Commission also found that TikTok had failed to consider the potential negative effects of these features on users' physical and mental well-being, particularly among minors and vulnerable users. The Commission also found that TikTok did not sufficiently consider indicators of compulsive use, such as nighttime usage by minors and frequent app opening. Furthermore, the Commission preliminarily concluded that TikTok had not implemented reasonable, proportionate, and effective mitigation measures to address these risks, as existing screen time management and parental control tools were insufficient to reduce the risks associated with addictive behaviour. TikTok has been granted the opportunity to respond in writing to the preliminary findings and exercise its rights of defence. After this, the Commission may adopt a non-compliance decision, which could lead to fines of up to 6% of TikTok’s total worldwide annual turnover.
On 5 February 2026, the European Commission opened a consultation on the draft implementing regulation as regards applicable standards and specifications until 5 March 2026. The draft implementing regulation amends the 2025/848 rules on registering wallet-relying parties to align with updated technical specifications for European Digital Identity Wallets. It updates standards and procedures to ensure security, reliability, and cross-border interoperability, including accepting WebAuthn for pseudonym authentication and linking pseudonym registration to electronic attribute attestations. Annexes I, II, IV, and V are revised, a new Annex VI is added, and the Regulation will be binding and directly applicable in all Member States twenty days after publication.
On 2 February 2026, the AI Office announced the establishment of the Signatory Taskforce of the General-Purpose AI Code of Practice, with the aim of facilitating the coherent application of the Code as a voluntary tool supporting compliance with European Union rules for general-purpose AI models under the Artificial Intelligence Act. The Taskforce is chaired by the AI Office and provides participating Signatories with a forum to exchange views relevant to implementation of the Code. It may provide input on guidance documents without prejudice to ongoing public consultations, facilitate exchanges on technological developments, and gather and share research, independent expert input, and evidence relevant to the Code’s commitments and measures. The Taskforce meets as required to carry out its objectives, at least yearly, with meetings convened and facilitated by the AI Office.
On 1 February 2026, the European Insurance and Occupational Pensions Authority (EIOPA) adopted a report detailing the adoption and implementation of generative Artificial Intelligence (Gen AI) within the insurance sector of the European Union. Based on responses from 347 undertakings across 25 countries to a consultation conducted in 2025, the inquiry noted that nearly two-thirds of insurers are actively utilising the technology, primarily in proof-of-concept stages. The stated aims for adopting Gen AI tools include improving operational efficiency, reducing costs, and enhancing both customer experience and decision-making processes. The report indicated that 64% of current use cases focused on back-end productivity, such as data extraction from medical reports and content generation for emails or contracts, while 36% involved customer-facing applications like chatbots. Respondents identified data privacy, regulatory compliance, and a lack of skilled personnel as primary obstacles to deployment. Hallucinations were cited as the most significant technical risk, followed by cybersecurity and data protection concerns. The report highlighted that insurers increasingly rely on third-party providers and pre-trained models, referencing the Artificial Intelligence Act (AI Act) and the Digital Operational Resilience Act (DORA) as relevant regulatory frameworks for managing these dependencies. To mitigate risks, the report showed that 49% of surveyed undertakings have established dedicated AI policies, an increase from approximately 25% in 2023. The EIOPA stated that it would continue to monitor the effects of the implementation of the EU AI Act and the Digital Operational Resilience Act on the insurance sector.
On 28 January 2026, the European Parliament adopted a resolution regarding copyright and generative artificial intelligence (AI) (2025/2058(INI)) to address the use of protected works in training datasets and the status of AI-generated content. The resolution recommends that the European Commission conduct an assessment of whether the current European Union (EU) copyright framework addresses legal uncertainties and competitive effects from the use of protected works for training AI systems. The aim is to uphold a framework where remuneration mechanisms support artistic production. The resolution calls for an immediate remuneration obligation for providers of general-purpose AI models using content protected by copyright or related rights until specific reforms are enacted. It supports raising awareness on copyright among developers and clarifying the text and data mining exception under the Directive on copyright and related rights in the Digital Single Market (CDSM Directive) to establish machine-readable standards for opt-outs. Furthermore, it suggests establishing a legal framework for generative AI through a dedicated exception or by expanding existing provisions, ensuring compatibility with the three-step test of the InfoSoc Directive. The resolution recommends that the European Union Intellectual Property Office (EUIPO) manage a central register for opt-outs and licenses. It calls for transparency and source documentation from AI providers regarding all copyright-protected works used for training or fine-tuning. If transparency obligations are not met, an irrebuttable presumption would apply that protected works were used, making the provider liable for legal costs. The text insists that AI-generated content remain ineligible for copyright protection and remain in the public domain. Finally, the Commission is tasked with exploring measures to counter the infringement of rights through generative AI outputs, and the resolution will be forwarded to the Council and Member States.
On 23 January 2026, the European Commission closes the consultation as part of an initiative to formulate guidance on machine-readable opt-out protocols specified in the copyright chapter of the General-Purpose AI (GPAI) Code of Practice, following an extension of the deadline from 9 January to 23 January. Measure 1.3 of the Code of Practice commits signatories to identifying and complying with machine-readable protocols expressing opt-outs adopted by European or international standardisation organisations, as required by Article 53(1)(c) of the EU AI Act. The consultation asks stakeholders for input regarding existing solutions for rights reservation and calls for expressions of interest for participating in the identification of opt-out protocols, which the Commission will publish as a list.
On 23 January 2026, the European Commission closes the consultation on the first draft of the Code of Practice on marking and labelling of AI-generated content. The draft code aims to assist providers and deployers in fulfilling obligations under Article 50 of the AI Act, which requires providers to mark AI-generated or manipulated content in a machine-readable format and users deploying generative AI systems for professional purposes to label deepfakes and AI-text publications on matters of public interest. The Code of Practice comprises two sections, one for providers of generative AI systems, covering rules for marking and detecting AI content, and another for deployers, addressing the labelling of deepfakes and specific AI-generated or manipulated text concerning public interest matters. The finalisation of the Code is expected by June 2026, with the transparency rules covering AI-generated content under the AI Act becoming applicable on 2 August 2026.
On 20 January 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 1/2026 regarding the proposal for a Regulation as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI). The aim of the joint opinion is to evaluate proposed amendments to the Artificial Intelligence Act (AI Act) to ensure that the simplification of rules does not undermine the fundamental rights of individuals or the protection of personal data. The EDPB and the EDPS recommended clearly circumscribing processing of special categories of personal data for bias detection and correction purposes and maintaining the standard of strict necessity for the processing of special categories of personal data for bias detection and correction across all artificial intelligence (AI) systems and models. The authorities also advised against removing the registration obligation for providers of AI systems deemed not high-risk, noting that public registration is essential for transparency and accountability. Furthermore, the opinion suggested that competent national data protection authorities should be associated with the operation of European Union-level AI regulatory sandboxes and recommends that the EDPB be granted an advisory role to ensure consistency. Finally, the EDPB and the EDPS expressed concern regarding the proposed postponement of the implementation timeline for high-risk AI rules, invited legislators to consider whether it would be appropriate to maintain the original timeline for certain obligations, such as transparency, and requested that delays, even if necessary, be minimised.
On 30 December 2025, the European Commission closes the consultation on the draft Implementing Regulation on Artificial Intelligence Regulatory Sandboxes. The draft regulation establishes rules for the creation, operation, and supervision of AI regulatory sandboxes under the EU AI Act. It outlines general terms and conditions for participation, prioritising Small and Medium-sized Enterprises (SMEs), including start-ups, with free participation for them, while allowing for cost recovery for larger companies. The draft regulation details the application and selection process, requiring proposals to be eligible for an AI system not yet placed on the market or undergoing substantial modification. It mandates that competent authorities record sandbox activities, publish compliance tools, and agree on a sandbox plan with participants, specifying objectives, timelines, and risk management safeguards. Upon completion, a written proof and an exit report will be issued for documentation and regulatory learning purposes, although these do not carry the same legal effect as a declaration of conformity. The draft regulation also addresses the suspension of projects and requires annual reports on sandbox activities to be publicly available.
On 17 December 2025, the European Commission opened a consultation on the first draft of the Code of Practice on marking and labelling of AI-generated content until 23 January 2026. The draft code aims to assist providers and deployers in fulfilling obligations under Article 50 of the AI Act, which requires providers to mark AI-generated or manipulated content in a machine-readable format and users deploying generative AI systems for professional purposes to label deepfakes and AI-text publications on matters of public interest. The Code of Practice comprises two sections, one for providers of generative AI systems, covering rules for marking and detecting AI content, and another for deployers, addressing the labelling of deepfakes and specific AI-generated or manipulated text concerning public interest matters. The finalisation of the Code is expected by June 2026, with the transparency rules covering AI-generated content under the AI Act becoming applicable on 2 August 2026.
On 17 December 2025, the European Commission closes a public consultation on the upcoming revision of the European Union Standardisation Regulation. The consultation is intended to help shape future policy measures designed to strengthen the European standardisation system. A primary goal is to safeguard Europe's leadership in the development of high-quality, trusted standards, thereby ensuring their efficiency and effectiveness. The revision of the regulation, which implicitly covers quality of service requirements through standardisation, was initially announced in the competitiveness compass in January 2025. Standard-setting delays have been identified as barriers within the single market strategy, and this revision aims to assist in addressing this challenge and improving the single market's overall effectiveness. Additionally, it seeks to enhance the European Union's competitiveness by encouraging innovation, enabling greater access to new technologies, and bolstering the European Union's influence in international standardisation discussions. The revised regulation, which is projected for adoption in 2026, aims to make the standard-setting process faster, more responsive to evolving policy needs, and more inclusive for various entities, notably small and medium-sized enterprises and start-ups. The European Commission had previously detailed the key priorities for this revision in its evaluation document, published in July 2025.
On 8 December 2025, the European Union and Canada signed a Memorandum of Understanding on Artificial Intelligence (AI) to advance cooperation on trustworthy AI that supports fundamental rights, innovation, and economic growth. The parties will work together on AI standards, regulatory approaches, skills development, and adoption in strategic sectors. The parties also plan to collaborate on large AI infrastructures, improve access to compute capacity for industry and academia, and explore joint research on advanced AI models for public-benefit applications such as climate and extreme-weather monitoring. A structured dialogue on data spaces will support the development of large AI models.
On 5 December 2025, the Transport, Telecommunications and Energy Council adopted the Council Conclusions on European Competitiveness in the Digital Decade. The conclusions recall a broad set of Union instruments and reports covering digital policy, competitiveness, skills, artificial intelligence, and industrial strategy. They provide a common reference for ongoing work on competitiveness and digital transformation. The conclusions set out actions to support European competitiveness using the Digital Decade as a strategic reference. They stress the role of digitalisation, data, and artificial intelligence as drivers of competitiveness. They outline the need for a simplified and coordinated regulatory framework and call for innovation and uptake of digital technologies. They also describe measures to support digital sovereignty in an open manner and invite further assessment of Digital Decade targets and simplification of the digital acquis.
On 4 December 2025, the European Union Agency for Fundamental Rights (FRA) published a report on assessing high-risk Artificial Intelligence (AI) Fundamental Rights Risks, examining how the Artificial Intelligence Act governs high-risk AI systems and how these systems affect fundamental rights. The report makes a number of recommendations. These recommendations include the application of a broad interpretation by regulators of the Article 3(1) definition of an AI system to avoid the exclusion of less complex AI systems from the Act's regulatory scope. Further, the report recommends a narrow interpretation of Article 6(3) filter on Annex III high-risk systems and emphasises the need for continued monitoring of the application of this filter. Further recommendations concern the provision of more guidance regarding the use of fundamental rights impact assessments, the establishment of an evidence base for assessing and mitigating fundamental rights risks, and proper oversight by bodies with fundamental rights expertise.
On 2 December 2025, the European Commission opened a consultation on the draft Implementing Regulation on Artificial Intelligence Regulatory Sandboxes, until 30 December 2025. The draft regulation establishes rules for the creation, operation, and supervision of AI regulatory sandboxes under the EU AI Act. It outlines general terms and conditions for participation, prioritising Small and Medium-sized Enterprises (SMEs), including start-ups, with free participation for them, while allowing for cost recovery for larger companies. The draft regulation details the application and selection process, requiring proposals to be eligible for an AI system not yet placed on the market or undergoing substantial modification. It mandates that competent authorities record sandbox activities, publish compliance tools, and agree on a sandbox plan with participants, specifying objectives, timelines, and risk management safeguards. Upon completion, a written proof and an exit report will be issued for documentation and regulatory learning purposes, although these do not carry the same legal effect as a declaration of conformity. The draft regulation also addresses the suspension of projects and requires annual reports on sandbox activities to be publicly available.
On 1 December 2025, the European Commission opened a consultation as part of an initiative to formulate guidance on machine-readable opt-out protocols specified in the copyright chapter of the General-Purpose AI (GPAI) Code of Practice until 9 January 2026. Measure 1.3 of the Code of Practice commits signatories to identifying and complying with machine-readable protocols expressing opt-outs adopted by European or international standardisation organisations, as required by Article 53(1)(c) of the EU AI Act. The consultation asks stakeholders for input regarding existing solutions for rights reservation and calls for expressions of interest for participating in the identification of opt-out protocols, which the Commission will publish as a list.
On 28 November 2025, the Republic of Korea and the European Union issued a joint statement following the third meeting of the Digital Partnership Council. The statement outlined cooperation to advance emerging digital technologies, competitiveness, innovation, resilience, and economic security, and reaffirmed a human-centric and values-based approach to global digital governance. It noted the conclusion of equivalence recognition, enabling the free flow of personal data based on mutual adequacy findings, and the completion of negotiations for the Digital Trade Agreement. It also acknowledged the signing of the agreement on the Republic of Korea’s association with Horizon Europe. The statement highlighted progress in semiconductors, 5G/6G, and quantum technologies, as well as discussions on artificial intelligence, data, and cybersecurity. It described cooperation on collaborative research projects, supply-chain information exchange, standardisation, regulatory information sharing, data-ecosystem interoperability, cyber-threat information sharing, and international ICT standardisation. The joint statement indicated that the fourth meeting is scheduled to take place in the second half of 2026 in Brussels.
On 25 November 2025, the European Parliament adopted a resolution on the impact of Artificial Intelligence (AI) on the financial sector. The resolution outlines the Parliament's position on AI adoption in financial services, acknowledging opportunities for innovation, fraud detection, and regulatory compliance whilst noting risks including data quality issues, discriminatory outcomes, and cybersecurity vulnerabilities. It notes the existing sectoral legislation to govern current AI deployment but recommends that the Commission provide guidance on applying existing financial services legislation to AI use and that supervisory authorities strengthen coordination and promote consistent application of regulations. The resolution calls for financial competent authorities to serve as market surveillance bodies for high-risk AI systems and to assess concentration risks from reliance on third-party technology providers. It supports building AI literacy in the financial workforce, boosting the European Union's AI development, strengthening international framework compatibility, and encouraging regulatory sandboxes and testing environments for AI innovation.
On 24 November 2025, the European Commission announced the launch of a whistleblower tool for the AI Act. According to the Commission, the tool provides a confidential channel for direct reporting of AI Act breaches to the EU AI Office. The whistleblower tool is intended to provide a mechanism that can help the AI Act in detecting violations as early as possible.
On 19 November 2025, the European Commission proposed targeted simplification measures to amend the EU AI Act (Regulation 2024/1689), strengthening AI regulatory sandboxes and expanding real-world testing of high-risk AI systems. The initiative addresses providers and prospective providers of high-risk AI systems under Annex III and Annex I, small and medium-sized enterprises (SMEs) and small mid-caps (SMCs), as well as Member State authorities that supervise AI-enabled products and infrastructures. The Regulation would allow the AI Office to set up an EU-level sandbox for AI systems falling under Article 75(1), with priority access for SMEs and start-ups. Sandbox plans would have to be integrated into real-world testing plans, and national sandboxes would need to be coordinated more closely on the basis of common implementing rules. Real-world testing outside sandboxes would be extended to high-risk AI systems covered by Union harmonisation legislation in Annex I Section A. For AI-enabled products under Annex I Section B, a voluntary regime would be created based on written real-world testing agreements between interested Member States and the Commission that set out the conditions, access to public infrastructure and the detailed testing plan. The Proposal would also alter the implementation timeline of general testing requirements for high-risk AI systems, calculating implementation periods by reference to the Commission adopting a decision confirming that adequate measures in support of compliance were available. High-risk AI systems classified according to Annex III would be required to comply 6 months after the Commission decision, while high-risk AI systems classified according Article 6(1) would be required to comply 12 months after the Commission decisions. In any case, the provisions would apply at the latest from 2 December 2027 for Annex III high-risk systems, and from 2 August 2028 for Article 6(1) high-risk systems.
On 19 November 2025, the European Commission announced a Proposal for the Digital Omnibus on AI Regulation (2025/0359), which amends the EU AI Act by amending the registration requirements for providers of certain AI systems. Specifically, the Proposal would amend Article 6(4) of the AI Act to remove the need for providers of AI systems referred to in Annex III of that Act to register a system that they do not consider to be high-risk. Further, the Proposal would expand the scope of the simplified technical documentation requirements under Article 11 to include SMCs alongside SMEs, while also noting that the proportionality principle applying to the quality management system in Article 17 is especially relevant to SMCs and SMEs. The Proposal would also alter the implementation timeline of conformity assessment and business registration requirements for high-risk AI systems, calculating implementation periods by reference to the Commission adopting a decision confirming that adequate measures in support of compliance were available. High-risk AI systems classified according to Annex III would be required to comply 6 months after the Commission decision, while high-risk AI systems classified according Article 6(1) would be required to comply 12 months after the Commission decisions. In any case, the provisions would apply at the latest from 2 December 2027 for Annex III high-risk systems, and from 2 August 2028 for Article 6(1) high-risk systems.
On 19 November 2025, the European Commission announced a Proposal for the Digital Omnibus on AI Regulation (2025/0359), which amends the EU AI Act by altering the implementation timeline of design requirements for high-risk AI systems. These requirements include risk management obligations as well as record keeping, and human oversight features. The implementation period would be calculated by reference to the Commission adopting a decision confirming that adequate measures in support of compliance were available. High-risk AI systems classified according to Annex III would be required to comply 6 months after the Commission decision, while high-risk AI systems classified according Article 6(1) would be required to comply 12 months after the Commission decisions. In any case, the provisions would apply at the latest from 2 December 2027 for Annex III high-risk systems, and from 2 August 2028 for Article 6(1) high-risk systems.
On 19 November 2025, the European Commission announced its Proposal for a Digital Omnibus Regulation (EU 2025/0360) on the simplification of the digital legislative framework. The Digital Omnibus would amend a number of existing regulations, including the GDPR, the Data Act, the EU AI Act, and the NIS 2 Directive, while repealing the Regulations on non-personal data, the P2B Regulation, the Data Governance Act, and the Open Data Directive. The Digital Omnibus would amend the Data Act's legal framework concerning the obligation for private data holders to make data available to public sector bodies on the basis of exceptional need. The Digital Omnibus would redefine the obligation to make it applicable to the response to, mitigation of, or recovery from a public emergency. Where requested data is necessary to respond to a public emergency, the public sector body request would concern non-personal data by default, and, where non-personal data is insufficient, further requests can be made for personal data, which should be made available in pseudonymised form where possible. Where data is necessary to mitigate or support the recovery from a public emergency, the public sector body may request specific non-personal data. The Digital Omnibus would also amend the provisions regarding compensation for data provision allowing microenterprises and small enterprises to claim compensation for providing data necessary to respond to a public emergency.
On 19 November 2025, the European Commission published the Data Union Strategy - Unlocking Data for AI, presenting a strategic framework that identifies three priority areas for increasing the availability of data for AI development. The three priorities consist of scaling up access to data for artificial intelligence, streamlining data rules to facilitate data sharing, and strengthening the European Union’s global position on international data flows by tackling unjustified trade barriers. These priorities are based on challenges identified by the Commission, namely data scarcity, regulatory complexity, and global competition. For each priority, the Commission set out planned actions, including scaling up common European data spaces and data labs, synthetic data resources, proposing a Cloud and AI Development Act focused on data centres, sovereign cloud, and AI services, streamlining existing data rules, and promoting fair cross-border data flows and the protection of sensitive non-personal data.
On 19 November 2025, the European Commission announced a Proposal for the Digital Omnibus on AI Regulation (2025/0359), which amends the EU AI Act to include a legal basis for processing special categories of personal data for bias detection and mitigation in a proposed Article 4a. The Proposal would permit providers of high-risk AI systems to process special categories of personal data to the extent necessary to ensure bias detection and correction, subject to safeguards and additional conditions. The conditions include when bias detection cannot reasonably be achieved with other, less intrusive data such as synthetic or anonymised data, the implementation of strict access controls, limits on re-use, a ban on onward disclosure and deletion once the bias is corrected or the retention period ends. The Proposal would also alter the implementation timeline of data governance obligations for high-risk AI systems, calculating implementation periods by reference to the Commission adopting a decision confirming that adequate measures in support of compliance were available. High-risk AI systems classified according to Annex III would be required to comply 6 months after the Commission decision, while high-risk AI systems classified according Article 6(1) would be required to comply 12 months after the Commission decisions. In any case, the provisions would apply at the latest from 2 December 2027 for Annex III high-risk systems, and from 2 August 2028 for Article 6(1) high-risk systems.
On 19 November 2025, the European Commission announced a Proposal for the Digital Omnibus on AI Regulation (2025/0359), which amends the EU AI Act to reinforce the governance and enforcement role of the EU Artificial Intelligence Office (AI Office). The draft Regulation would make the AI Office the exclusive authority for supervising and enforcing AI Act obligations for AI systems based on general-purpose AI models under certain conditions. In carrying out this function, the AI Office's powers would be aligned with those of market surveillance authorities. The Regulation would also provide the Commission with a mandate to adopt an implementing act that sets out the AI Office’s enforcement powers and penalty procedures, while requiring the Commission to carry out pre-market conformity assessments for the AI systems based on general-purpose models under the purview of the AI Office. The AI Office would further be given the power to establish and operate an EU-level AI regulatory sandbox for the systems it supervises and support the cross-border coordination of national sandboxes. The Regulation would also require EU and national authorities to take the needs of SMEs and SMCs into account in their oversight functions.
On 19 November 2025, the EU Commission announced its Proposal for a Digital Omnibus Regulation (EU 2025/0360) on the simplification of the digital legislative framework. The Digital Omnibus would amend a number of existing regulations, including the GDPR, the Data Act, the EU AI Act, and the NIS 2 Directive, while repealing the Regulations on non-personal data, the P2B Regulation, the Data Governance Act, and the Open Data Directive. The Digital Omnibus would amend the Data Act by including provisions for the establishment of the European Data Innovation Board, intended as an advisor to the Commission in ensuring the enforcement of the Act and a form for discussion regarding the development of a European data economy and data policies. Currently, the legislative basis for the European Data Innovation Board is contained in the Data Governance Act.
On 19 November 2025, the European Commission announced its Proposal for a Digital Omnibus Regulation (EU 2025/0360) on the simplification of the digital legislative framework. The Digital Omnibus would amend a number of existing regulations, including the GDPR, the Data Act, the EU AI Act, and the NIS 2 Directive, while repealing the Regulations on non-personal data, the P2B Regulation, the Data Governance Act, and the Open Data Directive. The Digital Omnibus would amend the GDPR by extending the definition of personal data to specify that an entity is reasonably likely to have the means to identify a person, exempting certain biometric data and data used by AI from the restrictions on processing special categories of personal data, and specifying that processing of personal data that is necessary for the interests of a controller in the development or operation of an AI system can be pursued for legitimate interests. The Digital Omnibus would also alter the requirements for cookie banners by exempting personal data processing from the cookie requirements under the ePrivacy Directive. Instead, it would amend the GDPR to maintain consent requirement, while specifying that certain processing activities, such as electronic communications transmissions, service provision, audience measurement solely for an online service provider, and maintaining or restoring security, would be considered lawful. The Digital Omnibus proposes changes to the Data Act allowing trade secret holders to refuse requests for access to data in certain situations. The amended Data Act would also include provisions for the registration of digital intermediation services and digital altruism organisations. Further, the Data Act would be amended to provide for the reuse of data held by public bodies, the reuse of open government data, encouraging the open availability of research data, and specifying rules regarding the availability of high-value datasets.
Last updated: 14/04/2026