Legal Update: What’s Been and What’s Coming in EU Digital Law
Understanding the rapidly evolving landscape of European data protection, AI regulation, and digital legislation
Download the Nordic Privacy Arena presentation
For detailed case analyses, comprehensive regulatory timelines, and practical implementation guidance, download the complete presentation.
The Ever-Expanding Digital Rulebook
At the Nordic Privacy Arena, I presented a comprehensive overview of the current state and future trajectory of EU digital and data legislation. With over 80 new laws enacted since 2015, the regulatory landscape has transformed dramatically – and shows no signs of slowing down.
Part 1: Global Enforcement Trends & Recent Developments
Key Enforcement Actions Making Headlines
The presentation highlighted several critical enforcement trends from August to September 2025:
- Meta’s AI Training Controversy: German courts confirmed that Meta’s AI training includes children’s data despite protections, raising serious questions about safeguarding minors in the AI era
- LinkedIn’s Return to AI Training: After previous hesitations, LinkedIn has resumed training AI models on EU and UK users’ data
- Italy’s Pioneering AI Law: Italy enacted comprehensive AI legislation covering privacy, oversight, and child access – potentially setting a template for other member states
- Microsoft 365 Copilot for Education: New DPIAs reveal ongoing challenges in balancing innovation with student privacy protection
Landmark CJEU Judgments Shaping the Future
The Court of Justice continues to be instrumental in defining data protection boundaries:
Protecting Minorities and Gender Identity
- Deldits (C-247/23): Gender identity data rectification cannot be conditional on proof of surgery
- Mousse (C-394/23): Gender identity is not necessary data for transport ticket purchases
- Mirin (C-4/23): Member States must recognize gender and name changes lawfully acquired in other EU countries
Pseudonymization and Personal Data
The SRB v Deloitte case introduced nuanced thinking about pseudonymized data, confirming it doesn’t always constitute personal data for all recipients – a significant development for data sharing practices.
Health Data Expansion
The Lindenapotheke case broadened the definition of health data to include customer information when ordering pharmacy-only products online, even without prescriptions.
Part 2: The Digital Rulebook Update
Understanding the Regulatory Framework
The EU’s digital transformation operates under several interconnected policy umbrellas:
- A Europe Fit for the Digital Age – The overarching vision
- European Data Strategy – Creating a single market for data
- EU Cybersecurity Strategy – Strengthening digital resilience
- Digital-Green Transition – Linking sustainability with digitalization
Critical Compliance Areas for 2025-2026
NIS2 Directive – The C-Suite Wake-Up Call
With potential personal liability for executives, the NIS2 Directive demands a comprehensive 10-step approach:
- Risk mapping and analysis
- Access control policies
- Business continuity planning
- Incident response procedures
- Cyber hygiene training
- System management protocols
- Supply chain security assessment
- Encryption implementation
- Multi-factor authentication
- Regular testing and validation
Cyber Resilience Act (CRA)
Covering standard software, mobile apps, and hardware with digital elements, the CRA introduces lifecycle obligations for manufacturers and distributors. Key procurement considerations include open-source status, third-party testing, and minimum 5-year maintenance periods.
AI Act Implementation
While most AI isn’t classified as “high-risk,” the intersection with GDPR creates complex compliance requirements. Organizations need to develop:
- Personal AI awareness across teams
- Collaborative governance structures
- Values-based implementation frameworks
- Industry-specific codes of conduct
Data Act
This landmark legislation addresses the fundamental question of data ownership and access, and underlines that data is a valuable asset that should not be underestimated and requires careful governance.
Digital Services Act (DSA)
The DSA creates a tiered approach, from very large online platforms down to intermediary services, each with specific obligations and responsibilities.
What’s Coming Next?
The presentation outlined several anticipated developments:
- AI Act: Implementation challenges around standards and stop-the-clock provisions
- GDPR Review: Procedural rules for enforcement harmonization
- Digital Fairness Act: Addressing dark patterns and consumer protection
- Cloud & AI Development Act: Fostering European digital sovereignty
- Cookie Rules Revision: Potential omnibus packages addressing consent fatigue
- Data Space Regulations: Sector-specific implementations
Key Statistics That Tell the Story
- 49 pending CJEU cases on GDPR and data protection (as of September 2025)
- 35+ judgments expected in 2025 alone
- 80+ new laws enacted since 2015
- Exponential growth in regulatory complexity, with annual legislation increasing from single digits in 2000 to over 80 laws in 2024
Why This Matters for Your Organization
The convergence of these regulations creates a complex compliance landscape where:
- Privacy professionals need continuous education
- Cross-functional collaboration becomes essential
- Strategic planning must account for regulatory evolution
- Investment in compliance infrastructure is no longer optional
Joost Gerritsen is CEO of Digibeetle, Affiliate Researcher at Utrecht University (Data School), Co-author of publications for the Rathenau Institute, and Co-founder of the Dutch Association for AI-Lawyers.
Contact him directly: joost@digibeetle.eu | LinkedIn: JBAGerritsen