Digital regulation and enforcement in the EU are intensifying but the rulebook remains in flux. Our updated digital guide will help in-house teams stay agile as they tackle evolving frameworks with business decisions potentially triggering obligations across digital, privacy, cybersecurity, competition and consumer protection domains.

Background

Over the past few years, the EU's digital strategy has delivered several tangible results, marking a pivotal phase in digital enforcement. We are also seeing global alignment, as many jurisdictions have adopted, or are in the process of adopting, digital regimes similar to the EU's to regulate large online platforms. However, when divergences occur, the EU faces criticism that its fines on tech giants are punitive measures aimed specifically at successful US companies. Despite such challenges, the European Commission remains dedicated to ensuring the fair and objective application of digital rules.

Regulation and enforcement in full swing

Alongside the adoption of a plethora of new regulations and the resulting proliferation of rules, we continue to see enforcement in digital markets under ''traditional'' competition, consumer and data protection rules. In fact, competition enforcement against digital companies is intensifying as authorities across the EU move beyond coordination towards more substantive cooperation. In parallel, initial efforts to comply with the Digital Markets Act (DMA) have unfolded by the delivery of the first specification proceedings, non-compliance decisions and fines, alongside the start of several investigations and the first non-compliance decision and fine under the Digital Services Act (DSA).

Developments over the course of 2025 also underscore the reality that we are now well and truly in the age of AI, with businesses increasingly recognising the need to embed AI across their operations to drive efficiency, foster innovation and remain competitive. As a result, a pressing enforcement issue currently being addressed in the EU is the oversight of AI. Besides adopting the AI Act, this includes deliberations on how and to what extent the DMA's scope should be expanded to encompass AI-powered services.

Overall, both businesses and authorities face a challenging digital regulatory landscape that remains in flux, shaped by AI-related challenges and an ever-evolving rulebook. Against this backdrop, concerns have been expressed that the vast emerging body of EU laws regulating the digital economy hinders innovation and causes delays in the rollout of new features and services in Europe.

The fragmentation of digital regulation and enforcement across the EU due to the sheer volume of regulations and newly appointed national enforcers presents a significant challenge. This challenge is compounded by the emerging potential of private enforcement in national courts which can undermine the European Commission's efforts to harmonise, and normalise forum shopping. The risk of spillover and unintended effects from overlapping enforcement areas previously kept separate, persists as well. Nevertheless, following the Draghi report on EU competitiveness, there has been a call within the EU to simplify legislation, reduce administrative burdens for businesses, public authorities and citizens, and enhance competitiveness. The Commission proposes, among other things, to adjust and consolidate digital regulations and directives. A key initiative in this regard is the Digital Omnibus Proposal, published by the Commission in November 2025, which aims to rationalise the EU's complex digital legislative framework.

Digital Omnibus Proposal: a first step towards a streamlined EU digital rulebook

The proposal seeks to consolidate, simplify and update substantial portions of the existing digital rules, as part of the Commission's broader 2025–2029 simplification agenda. The initiative responds to mounting concerns that the cumulative effect of EU digital rules has generated overlapping obligations, interpretative inconsistencies and disproportionate administrative burdens for organisations dealing with multiple regulatory regimes. The proposal also aims to repeal rules – most notably the Platform-to-Business Regulation – that have been effectively superseded by more recent legislation such as the DMA and DSA.

Taken together, these reforms constitute the first phase of the Commission's plan to "stress-test" the digital rules. A broader Digital Fitness Check will follow, focusing on the cumulative impact of the digital rulebook on competitiveness and identifying further opportunities for alignment across definitions, governance structures and supervisory frameworks. Organisations should therefore anticipate continued legislative activity and prepare for a period in which simplification and consolidation become recurring features of EU digital regulation.

Compliance landscape for in-house counsel in 2026

The DMA and the DSA, two of the EU's most high-profile digital regulations, have now been in effect for some time. Competition teams should have resources set aside to understand the impact of these regulations on their businesses, engage in active regulatory dialogue and ensure ongoing compliance, including with EU and national competition rules.

For their part, consumer protection teams should prepare for the revised Product Liability Directive, adopted in November 2024 and set to apply from December 2026, and for the AI Act, which entered into force in August 2024 and creates obligations that phase into applicability from 2025 to 2027. With the AI Act now in force and the new Product Liability Directive adopted, the EU continues to shape a comprehensive framework for AI governance and liability. Having said that, and as an example of the state of flux in the regulatory landscape, the proposed AI Liability Directive has been abandoned.

While privacy compliance teams will have their hands full with the Data Act and the Data Governance Act, the Commission has finally withdrawn the ePrivacy Regulation, deadlocked since 2017. Meanwhile, information security and compliance teams will have to deal with the Cyber Resilience Act, the NIS 2 Directive and the Cyber Solidarity Act. Sector-specific rules must also be factored in; for instance, financial institutions are subject to the Digital Operational Resilience Act, which has applied since January 2025, while companies in the health sector must consider the effects of the European Health Data Space (EHDS) Regulation.

Due to a remarkable overlap of themes across these laws, compliance based on traditional legal silos may prove less effective. In-house teams must deal with multiple frameworks, as business decisions can trigger obligations across digital, privacy, competition and consumer protection domains, with possible overlaps among competition rules, DMA, DSA, GDPR, AI Act, Data Act and Data Governance Act, to name some. In this context, our updated digital guide highlights the most notable enforcement and legislative developments up to the end of 2025.