From pivotal court decisions on personal data to guidance oversight frameworks for digital infrastructure and AI governance, Europe’s regulatory landscape is rapidly evolving. This week, key developments highlight the EU's sharpened focus on data protection, operational resilience, legislative transparency, and ethical AI. Below, we’ve compiled some of the most relevant updates shaping the EU’s regulatory agenda.
EU Judges to Rule on Personal Data in Banco Popular Español Case: This is highly relevant as it involves the definition of personal data and whether data controllers must inform users when their data is transferred to a third party. The EU Court of Justice will rule on September 4 on how pseudonymized data is treated under EU data protection law. This case is closely watched because it could significantly affect how organizations handle data sharing when using third-party service providers.
The case number is C-413/23 P — EDPS v SRB. CURIA - List of results
ESAs publish guide on DORA Oversight activities: The European Supervisory Authorities (EBA, EIOPA, ESMA – the ESAs) on July 15th published a guide on oversight activities under the Digital Operational Resilience Act (DORA). The aim of this guide is to provide an overview of the processes used by the ESAs through the Joint Examination Teams (JET) to oversee Information and communication technology (ICT) critical third party service providers (CTPPs).
This guide provides high-level explanations to external stakeholders regarding the CTPP Oversight framework. Furthermore, it provides an overview of the governance structure, the oversight processes, the founding principles and the tools available to the overseers.
However, the guide is not a legally binding document and does not replace the legal requirements laid down in the relevant applicable EU law.
ESAs publish guide on DORA Oversight activities | European Banking Authority
European Commission Asked Why It Skipped Steps in Sustainability Simplification: The EU's Ombudswoman, Teresa Anjinho, has asked the European Commission to explain why it bypassed key procedural steps till September 15th—such as an impact assessment, public consultation, or climate consistency assessment—in a legislative package aimed at simplifying sustainability rules for companies. The Ombudswoman also questioned why an internal consultation on the draft proposal lasted only 24 hours instead of the usual 10 days or even a fast-track 48 hours. This inquiry is important for businesses as it relates to regulatory compliance and the transparency of legislative processes that affect corporate sustainability reporting and due diligence directives. The outcome could influence how future legislative proposals impacting businesses are prepared. EU executive asked to reply by Sept. 15 as part of probe into sustainability law | MLex | Specialist news and analysis on legal risk and regulation Leading EU lawmakers give blessing to AI Act’s code of practice for AI models
EU's voluntary Code of Practice for General-Purpose AI (GPAI) models has received the "blessing" of leading EU lawmakers, who see it as a "compromise that retains core protections" despite intense lobbying and geopolitical tensions. Finalized on July 10th, 2025, the Code serves as a necessary first layer of safeguards, offering structured, practical guidance for GPAI providers to comply with the EU’s AI Act obligations, particularly those for "GPAI with Systemic Risk" (GPAISR) models. While voluntary, participation is encouraged to demonstrate alignment with European values and offers signatories early regulatory clarity. The Code addresses key concerns such as transparency, risk monitoring, and fundamental rights, aiming to manage systemic risks and build public trust. Its effectiveness hinges on the AI Office being empowered with robust oversight, sufficient resources, and the political will to audit, investigate, and sanction. Experts involved in drafting the Code's Safety & Security Chapter have called for regular reviews and updates (e.g., every two years), clearer enforcement priorities, and a significant increase in the AI Office's staff and resources. The AI Act's obligations on GPAI models are set to enter into force on August 2, 2025. The General-Purpose AI Code of Practice | Shaping Europe’s digital future
Write a comment