digital economy regulation

The first edition of 2026 gathers policy and regulatory developments at EU level covered by Cullen International’s Digital Economy and Media services during the last month. It also lists events taking place this week.

The UK bill proposes amendments to the existing UK NIS Regulations that would align the UK cybersecurity regime closer with the EU framework established under the NIS2 Directive. In particular, it would expand the scope of regulated entities and strengthen incident reporting requirements. However, the bill remains distinct in several aspects, including by relying more on secondary legislation to set out detailed security requirements.

A draft royal decree on network security and resilience would impose detailed security risk-management, incident reporting and service continuity obligations on operators of public electronic communications services (ECS) and networks (ECN) that meet certain criteria, and also underlying digital infrastructure such as data centres.

The new Cybersecurity Act and an ordinance designating NIS2 competent authorities will enter into force on 15 January 2026. The national telecoms authority (PTS) will specify the measures telecoms providers and digital entities (e.g. cloud, data centres) should implement to meet the obligations of the act. For digital entities, these measures might apply in addition to the Commission’s NIS2 implementing act.

While members of the European Parliament broadly welcomed the European Commission 2030 consumer agenda, many raised concerns about persistent market barriers and enforcement gaps.

BEREC, the assembly of European national regulatory authorities (NRAs), organised a public workshop following its report on submarine cable connectivity in Europe and the European Commission confirmed the timeline for delivering the submarine cable security toolbox.