digital economy regulation

The European Commission noted that it has received the vast majority of the draft standards in support of the Cyber Resilience Act (CRA). It also stated that the EU single reporting platform for incident notifications is expected to be ready before reporting obligations apply (i.e. 11 September 2026). The CRA sets baseline cybersecurity requirements for the design, development and maintenance of products with digital elements.

Members of the co-lead committees adopted on 18 March 2026 all compromise amendments to the draft report on the AI Omnibus proposal amending the Artificial Intelligence Act. Such amendments include expanding the scope of prohibited AI practices and delaying the application of the rules for high-risk AI systems.

This report gathers policy and regulatory developments at EU level covered by Cullen International’s Digital Economy and Media services during the last week. It also lists events taking place this week.

The European Parliament proposed to restrict voluntary detection to previously identified child sexual abuse material, unknown material flagged by other users, and targeting of suspects. It also clarified that the derogation of the e-Privacy Directive should not apply to end-to-end encrypted communications. Trilogue negotiations can now start.

The Commission aims to provide operators with timely guidance to support compliance with the EU Cyber Resilience Act (CRA). While the CRA will apply from 11 December 2027, incident reporting obligations will become applicable in September 2026. The consultation will be open for feedback until 31 March 2026.

This report gathers policy and regulatory developments at EU level covered by Cullen International’s Digital Economy and Media services during the last week. It also lists events taking place this week.