EU Policy Intelligence Monitor

Digital Networks Act Q4 2025 Pipelinemedium risk

EU Digital Sovereignty — AI Act + Digital Networks Act + Data Act

Digital Networks Act Q4 2025 in legislative pipeline. Data Act live. DG CONNECT, EP ITRE central. Covers AI governance, digital infrastructure, data sovereignty.

6.8

/10 risk index

Stable

Baseline: 5.9 → Now: 6.8

Key Institutional Actors

6 bodies

DG CONNECT

Commission Directorate-General

Digital Networks Act, Data Act, Digital Decade programme, cloud/AI policy

EP ITRE Committee

European Parliament

Lead committee for Digital Networks Act, Chips Act oversight, energy-digital nexus

EP IMCO Committee

European Parliament

DSA/DMA enforcement oversight, consumer protection in digital markets

ENISA

EU Cybersecurity Agency

NIS2 implementation support, EUCS cloud certification scheme, threat landscape reports

EU AI Office

Commission body (est. 2024)

AI Act enforcement for GPAI models, codes of practice, AI Pact coordination

ECCC

European Cybersecurity Competence Centre

Cybersecurity R&D funding, national coordination centres network

Risk Score Breakdown

5.9 → 6.8

Baseline Risk

5.9

Net Change

+0.9

Current Risk

6.8

Intel Magdeburg cancellation impact on 20% chips target

+1.2

NIS2 transposition failure (23/27 states)

+0.8

EUCS sovereignty tier uncertainty

+0.6

DMA enforcement proving effective (Apple fine)

-0.4

Data Act in force — cloud switching rights live

-0.3

AI Act implementation on track

-0.2

Digital Networks Act still in proposal stage

+0.5

Primary Law

9 instruments

REGULATION

AI Act (Regulation 2024/1689)

2024-08-01EUR-Lex

Stage:In force — Phased implementation Aug 2024–Aug 2027

World's first comprehensive AI governance framework. Risk-based classification: unacceptable (banned), high-risk (conformity assessment), limited (transparency), minimal. GPAI model obligations for providers of general-purpose AI. EU AI Office established for GPAI oversight. Penalties up to €35M or 7% global turnover. Central pillar of EU digital sovereignty strategy.

Watch: High-risk AI obligations apply Aug 2026; Member state market surveillance authorities due

NEW

PROPOSAL

Digital Networks Act (Proposal)

2025-02-21European Commission DG CONNECT

Stage:Commission proposal published Feb 2025

Overhauls EU telecoms framework for 5G/6G era. Enables cross-border spectrum coordination, incentivises fiber investment, addresses telecom-Big Tech fair share debate. Controversial: telcos want Big Tech to pay for network usage; tech companies oppose. €174B investment gap to meet 2030 Digital Decade targets.

Watch: EP ITRE committee opinion (Q2 2026)

REGULATION

Data Act (Regulation 2023/2854)

2023-12-22EUR-Lex

Stage:In force — Sep 2025 application date

Harmonises rules on fair access to and use of data. IoT data portability, cloud switching rights (within 30 days), government access to private sector data in emergencies. Directly impacts hyperscaler cloud providers. Cloud switching provisions key for EU sovereign cloud alternatives.

Watch: First enforcement action / interoperability framework (Q2 2026)

REGULATION

Data Governance Act (Regulation 2022/868)

2022-06-23EUR-Lex

Stage:In force — Applicable since Sep 2023

Creates framework for voluntary data sharing across EU. Establishes rules for re-use of public sector data, data intermediaries, and data altruism organisations. European Data Innovation Board coordinates national practices. Commission published first review report late 2025; identified low uptake of data intermediary registration. Foundation layer for EU data sovereignty — ensures data sharing on European terms rather than US/CN hyperscaler platforms.

Watch: Commission review report published late 2025 — next: data intermediary compliance enforcement actions (H1 2026)

REGULATION

EU Chips Act (Regulation 2023/1781)

2023-09-21EUR-Lex

Stage:In force — Implementation tracking

€43B mobilised (public + private) to double EU semiconductor market share to 20% by 2030. Intel suspended/cancelled its €30B Magdeburg fab in Sep 2024, severely undermining the 20% target. Remaining strategic projects: TSMC Dresden (ESMC JV), GlobalFoundries Dresden expansion, STMicro Agrate (IT). EU currently at 8% global chip production. Crisis response mechanism for supply disruptions.

Watch: TSMC Dresden fab operational (expected late 2027); Commission mid-term review H2 2026

DIRECTIVE

EU Cybersecurity Act / NIS2 Directive Implementation

2022-12-27EUR-Lex

Stage:In force — Transposition deadline was Oct 2024

Extends cybersecurity obligations to 18 sectors including cloud, data centers, DNS providers. Mandatory incident reporting within 24 hours. As of early 2026, only ~10 of 27 member states fully transposed NIS2 by the Oct 2024 deadline. Commission launched infringement proceedings against 23 member states in Nov 2024. Belgium, Germany, France, Spain among those that missed the deadline. Directly applies to all major DC operators in EU.

Watch: Commission infringement proceedings against non-transposing states (ongoing); compliance assessment Q3 2026

REGULATION

Digital Services Act (Regulation 2022/2065) & Digital Markets Act (Regulation 2022/1925)

2022-10-27EUR-Lex

Stage:In force — Full enforcement since Feb 2024 (DSA) / Mar 2024 (DMA)

DSA: platform accountability for illegal content, algorithmic transparency, risk assessments for VLOPs. DMA (EUR-Lex: CELEX:32022R1925): designates 7 gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, Samsung) with strict obligations: interoperability, data portability, no self-preferencing. Commission actively enforcing — Apple fined €1.84B, multiple non-compliance investigations. Core instruments for EU digital sovereignty against dominant US/CN platforms.

Watch: DMA non-compliance fines against Apple/Meta/Google (ongoing proceedings); DSA first annual transparency reports due

NEW

PROPOSAL

EU Cloud Certification Scheme (EUCS) — under ENISA

2024-03-22ENISA

Stage:Under development — Sovereignty level debated

Voluntary (initially) EU-wide cloud security certification. Controversy: original 2024 draft included "High+" sovereignty tier requiring EU-headquartered providers and no extraterritorial data access (targeting CLOUD Act). Under industry/US pressure, sovereignty provisions were weakened in leaked Mar 2024 draft. France, Germany push to restore strong sovereignty requirements. Critical for determining whether EU institutions can use US hyperscaler clouds.

Watch: Final scheme adoption (expected H2 2026); sovereignty tier decision pending

REGULATION

European Media Freedom Act (EMFA) (Regulation 2024/1083)

2024-04-11EUR-Lex

Stage:In force — Phased application Aug 2025

Protects media pluralism and editorial independence. Bans spyware against journalists. Requires transparency on media ownership and state advertising allocation. Obliges VLOPs to notify media before content removal. European Board for Media Services operational since Aug 2025. Full application since Aug 2025 — now in enforcement phase. Directly relevant to information sovereignty and countering foreign information manipulation.

Watch: First Commission implementation report (expected H2 2026); first enforcement action under VLOP media notification obligations

Digital Networks Act Q4 2025 Pipelinemedium risk

EU Digital Sovereignty — AI Act + Digital Networks Act + Data Act

Digital Networks Act Q4 2025 in legislative pipeline. Data Act live. DG CONNECT, EP ITRE central. Covers AI governance, digital infrastructure, data sovereignty.

6.8

/10 risk index

Stable

Baseline: 5.9 → Now: 6.8

Key Institutional Actors

6 bodies

DG CONNECT

Commission Directorate-General

Digital Networks Act, Data Act, Digital Decade programme, cloud/AI policy

EP ITRE Committee

European Parliament

Lead committee for Digital Networks Act, Chips Act oversight, energy-digital nexus

EP IMCO Committee

European Parliament

DSA/DMA enforcement oversight, consumer protection in digital markets

ENISA

EU Cybersecurity Agency

NIS2 implementation support, EUCS cloud certification scheme, threat landscape reports

EU AI Office

Commission body (est. 2024)

AI Act enforcement for GPAI models, codes of practice, AI Pact coordination

ECCC

European Cybersecurity Competence Centre

Cybersecurity R&D funding, national coordination centres network

Risk Score Breakdown

5.9 → 6.8

Baseline Risk

5.9

Net Change

+0.9

Current Risk

6.8

Intel Magdeburg cancellation impact on 20% chips target

+1.2

NIS2 transposition failure (23/27 states)

+0.8

EUCS sovereignty tier uncertainty

+0.6

DMA enforcement proving effective (Apple fine)

-0.4

Data Act in force — cloud switching rights live

-0.3

AI Act implementation on track

-0.2

Digital Networks Act still in proposal stage

+0.5

Primary Law

9 instruments

REGULATION

AI Act (Regulation 2024/1689)

2024-08-01EUR-Lex

Stage:In force — Phased implementation Aug 2024–Aug 2027

Watch: High-risk AI obligations apply Aug 2026; Member state market surveillance authorities due

NEW

PROPOSAL

Digital Networks Act (Proposal)

2025-02-21European Commission DG CONNECT

Stage:Commission proposal published Feb 2025

Watch: EP ITRE committee opinion (Q2 2026)

REGULATION

Data Act (Regulation 2023/2854)

2023-12-22EUR-Lex

Stage:In force — Sep 2025 application date

Watch: First enforcement action / interoperability framework (Q2 2026)

REGULATION

Data Governance Act (Regulation 2022/868)

2022-06-23EUR-Lex

Stage:In force — Applicable since Sep 2023

Watch: Commission review report published late 2025 — next: data intermediary compliance enforcement actions (H1 2026)

REGULATION

EU Chips Act (Regulation 2023/1781)

2023-09-21EUR-Lex

Stage:In force — Implementation tracking

Watch: TSMC Dresden fab operational (expected late 2027); Commission mid-term review H2 2026

DIRECTIVE

EU Cybersecurity Act / NIS2 Directive Implementation

2022-12-27EUR-Lex

Stage:In force — Transposition deadline was Oct 2024

Watch: Commission infringement proceedings against non-transposing states (ongoing); compliance assessment Q3 2026

REGULATION

Digital Services Act (Regulation 2022/2065) & Digital Markets Act (Regulation 2022/1925)

2022-10-27EUR-Lex

Stage:In force — Full enforcement since Feb 2024 (DSA) / Mar 2024 (DMA)

Watch: DMA non-compliance fines against Apple/Meta/Google (ongoing proceedings); DSA first annual transparency reports due

NEW

PROPOSAL

EU Cloud Certification Scheme (EUCS) — under ENISA

2024-03-22ENISA

Stage:Under development — Sovereignty level debated

Watch: Final scheme adoption (expected H2 2026); sovereignty tier decision pending

REGULATION

European Media Freedom Act (EMFA) (Regulation 2024/1083)

2024-04-11EUR-Lex

Stage:In force — Phased application Aug 2025

Watch: First Commission implementation report (expected H2 2026); first enforcement action under VLOP media notification obligations