July-August 2025’s European Digital Policy Roundup

Hi there ☕

Summer moved fast. Here’s what changes for operators in EU tech:

• AI: an industrial appetite for "gigafactories", a Code of Good Practice and guidelines on general-purpose models.

• GDPR: legal battles around the "pay or consent" model, tensions over simplification and initial implementation dialogues.

• Cybersecurity: progress on NIS2, a review of the Cybersecurity Act to include geopolitical risks, German debates on "digital sovereignty".

• Competition: a first evaluation of the DMA and an attempt to recentralise national competition tools.

• Online content: the French saga of pornographic sites, first DSA risk analyses, and a parliamentary consensus on protecting minors.

• Industrial policy: the European quantum strategy and a consultation on the 28th regime.

Reading time: 8 minutes (1,922 words)

A dense summer, with an enormous number of announcements, plot twists and even delays. Here's a selection 👇

AI still in the spotlight

Whilst debates on European strategic autonomy intensify and the AI race fuels speculation about a potential "AI bubble" comparable to the "dotcom bubble", the current European dynamic is sketching the emergence of a genuine continental AI ecosystem. This structuring rests on a combination of massive investment intentions, a well-developed regulatory architecture and a political sequence that accommodates existing players' adaptation to the new legal framework.

The Commission announced the quantitative success of "AI gigafactories", which are intended to train and deploy generative AI models. The industrial response has exceeded all expectations, with 76 expressions of interest received, far surpassing the five gigafactories initially targeted by the Commission. The amounts at stake reveal the scale of the perceived economic challenges: €230 billion in investment intentions over 3-5 years, as announced by respondents.

After several months of geopolitical tensions and pressure from interest groups, the AI Code of Good Practice finally saw the light of day on July 10th. The signatures reveal contrasting engagement strategies: Mistral, OpenAI, Anthropic, and Microsoft signed the Code in its entirety; X limited itself to the "Safety and Security" section; Meta refused to sign; and Google maintains suspense over its final position.

Two weeks before the entry into force of the AI Act provisions on general-purpose models (2nd August), the relevant guidelines were also published. They clarify fundamental notions such as "AI system provider", "placing a model on the market" and open source derogation conditions. The implementation timetable remains staggered: supervision by the Commission will commence on August 2, 2026, while compliance of existing models is expected to be achieved by August 2027.

New developments for personal data

Recent developments have a significant systemic impact, structured around two dynamics: legal battles testing the "pay or consent" advertising model and GDPR simplification efforts that are gaining traction.

The European Data Protection Board (EDPB) had published its opinion on the "pay or consent" advertising model, which imposes monetary payment as an alternative to advertising targeting. This summer, Meta launched an appeal before the EU Court of Justice challenging the legal validity of this opinion. This strategy circumvents the procedural obstacle of the EU General Court (which had judged the opinion non-binding and therefore non-challengeable) by questioning the very notion of ‘challengeable act’. The stakes go beyond the Meta case: this legal battle could permanently redefine the scope for challenging EDPB opinions.

Meanwhile, other companies are experimenting with this model with varying degrees of success. Austria has just consolidated its anti-"pay or consent" jurisprudence: the Federal Administrative Court confirmed the illegality of the "pay or consent" system used by the newspaper DerStandard[.]at, consolidating 2023 national jurisprudence. The established legal principle is now clear: a "pay or consent" system violates GDPR consent granularity, as the binary choice fails to meet the requirements for free and informed consent.

The EDPB and EDPS are navigating the troubled waters of GDPR simplification. In a joint position, both bodies contest raising the exemption threshold from 250 to 750 employees without a "fundamental rights impact assessment". They highlight a justification deficit from the Commission and demand clarification on the threshold choice and its "appropriateness in the GDPR context".

The Commission has launched its Implementation Dialogues to gather feedback from various stakeholders on ongoing simplification efforts. Digital matters are part of these efforts; thus, dedicated Implementation Dialogues are being held where a Commissioner responsible for the subject matter exchanges with invited stakeholders. (See a recap of the Commission’s work programme for 2025.) The Dialogue on GDPR simplification took place on 16th July, led by Justice Commissioner McGrath; he is responsible for GDPR simplification. A consensus emerges from the contributions of civil society and various companies: against reopening the Regulation too broadly. Identified pressure points include reconsidering legitimate interest "as a legal basis favourable to innovation" or integrating e-Privacy Directive provisions relating to cookies.

Cybersecurity (NIS2) and certification (Cybersecurity Act)

In the depths of summer, Germany transposed the NIS2 directive (although the transposition law has not yet been promulgated). This brings the total to 13 Member States that have finalised the transposition process. This devoted author still follows transposition bills: for countries where the process is ongoing, texts are being discussed, and the negotiated details are limited to subjects not concerning cybersecurity measures. You really should look into the implementation. Concerning France: we were expecting a public session in the National Assembly in September; ultimately this will not take place, with no date confirmed for the time being.

Since the Commission's start and under the impetus of the Polish Council Presidency, the Commission has begun revising the 2019 Cybersecurity Act (CyberAct for those in the know). As a reminder, this regulation institutionalised ENISA and gave it a mandate to develop European cybersecurity certifications. We are notably aware of two: the EUCC (for which certified products already exist) and the EUCS (the hotly debated "cloud cert"). The Commission has expressed its intention to include, in the revision of the Act, measures to manage "non-technical risks". These delicate, even modest terms designate, amongst other things, laws such as the American CLOUD Act and FISA, which have extraterritorial reach. The consultation concluded this summer; the Commission is currently developing the revised CyberAct proposal ("CyberAct 2"). An Implementation Dialogue on CyberAct is scheduled for September 15th.

💎 September's thematic dossier from La tech est politique 💎 will analyse responses to the Commission's public consultation on the revision of the Cybersecurity Act.

Speaking of Germany and "digital sovereignty", an epistolary exchange deserves our attention: these are the interpellations between Claudia Plattner, head of the BSI (the German federal cybersecurity agency), and the Open Source Business Alliance, a professional federation of free and open source software players in Germany. Ms Plattner apparently misspoke by telling the German AFP that "digital sovereignty is unattainable", a statement which provoked the Alliance's ire. In an open letter, the latter called for making open source and open standards "a priority". In response, Ms Plattner published a detailed missive where she explains the BSI's vision on the subject, emphasising the importance of "having a choice" and regretting that "unfortunately, in the current state of affairs, we cannot rely on national or European solutions in certain areas."

Competition Corner (DMA)

The Commission launched the consultation for the mandatory three-yearly first evaluation of the DMA (deadline 3rd May 2026), covering the "achievement of general objectives" and impact on users and dependent businesses. The Commission is exploring two avenues for expansion: extending interoperability obligations to social networks; and adding "new service categories" to the regulatory scope.

During this "summer of consultations", the Commission is also interested in ways to recentralise national competition tools. It identifies national adaptations of competition law, notably those concerning the abuse of a dominant position, as potentially threatening to "fragment" the European Single Market. A public consultation should help it choose between two levers: a better coordination system for national authorities or the outright abolition of their room for manoeuvre.

Online content regulation (DSA)

This summer has been hot as blazes 😅

The saga opposing French rules to the European framework applicable to pornographic sites continues. The conclusions of the CJEU Advocate General (due 18th September) will cover compatibility between French rules and the country of origin principle, and could redefine national margins. The CJEU's conclusions will determine member states' capacity to regulate pornographic content hosted in other European countries.

A first: Pornhub, Stripchat and XVideo, designated Very Large Online Platforms (VLOPs) under the DSA, have published their risk analyses, required as part of their DSA compliance. The evaluations reveal contrasting assessments: for example, Pornhub considers the risk of distributing child sexual abuse material "unlikely" (thanks to its moderation) where Stripchat considers this risk "critical".

On the online protection of minors front, a notable consensus emerges in the European Parliament, with the Culture Committee (CULT) and Internal Market Committee (IMCO) converging on amendments. Shared priorities include combating ‘addictive design’, deploying online age verification and enforcing screen time control. This strong dynamic calls for an "ambitious" Digital Fairness Act to guarantee sufficient means and rules for protecting consumers (including minors) online.

Industrial policy and competitiveness

The first Implementation Dialogue on digital matters took place on 1st July and covered the implementation of the Data Act, Data Governance Act (DGA) and Open Data directive. The objective: "identify solutions to streamline and simplify regulation". These exchanges will feed into digital simplification work and the new Data Union Strategy (both expected in Q4 2025).

At the beginning of July, the Commission published its strategy for a Quantum Europe, described as "a dynamic starting point" to place the EU "at the forefront" of the field. A structured cooperation framework between member states will ensure the coherent implementation of European and national programmes. The Quantum Act, initially planned for 2025, is postponed to 2026.

The Commission has opened a consultation on developing the 28th regime (harmonised regime for European companies), with a text proposal expected early 2026. Three main areas of work: structure and access conditions, simplified registration procedures, and facilitating access to investment. For its part, MEP René Repasi (Germany, S&D), author of an own-initiative report on the subject, favours the regulatory vehicle of a directive to introduce into national law a new form of mutually recognised company, the ESSU (European Start-Up and Scale-Up).

💎Unlock Premium Insights: Stay Ahead in EU Tech Policy

Our Premium 💎 subscribers have already gained exclusive access to:

• A complete analysis of the Danish Council Presidency programme and its priorities;

• Actionable guides on the AI Act for SaaS publishers and the Cyber Resilience Act for digital product manufacturers;

• A concrete Resilience Brief for executives to help them guard against false transfer fraud.

Become Europe-proof now: secure your strategic advantage: don't miss out on the insights shaping the future of tech in Europe! 👇

👉 Free subscribers receive a concise monthly recap. Premium 💎 includes analyses, visuals, and toolkits.

🙏 Thank you for reading this edition of La tech est politique!

If you have any comments or questions about this edition, please get in touch.

🌞 If you enjoyed this edition, please share it with your colleagues. Let's help spread a solid understanding of Digital Europe and its implications for innovation.

See you in a month!

💌 Questions, comments or secrets to share? Contact me: [email protected]