EU cyber sanctions amended; European Parliament renews ePrivacy CSAM derogation
The Council of the EU amended its cyber sanctions regime on 13 July 2026 via Decision 2026/1713 and adopted Implementing Regulation 2026/1714, requiring immediate asset-freeze screening for newly listed entities. The European Parliament adopted a temporary derogation from the ePrivacy Directive on 9 July 2026, obliging messaging and communications platforms to reassess their CSAM-detection practices for compliance with the renewed framework. The UK Government enacted the Central Counterparties (Equivalence) Regulations 2026, requiring firms clearing through non-UK CCPs to verify whether their CCP's home jurisdiction has received equivalence recognition.
For you: Dual UK-EU operators should immediately run sanctions screening against the updated EU cyber listings under Regulation 2026/1714 while also checking non-UK CCP equivalence status under the new UK statutory instrument.
How to read this digest
▼
Enforcement
Fines, sanctions, rulings
Legislation
New laws, statutory instruments
Consultation
Calls for evidence
Guidance
Frameworks, codes of practice
β Divergence
UK-EU moving apart
Commentary
Background, no action needed
Click a domain tile to expand, then click a category tag to see individual items.
What matters today
Enforcement
EU Council amends cyber sanctions listings via Implementing Regulation 2026/1714
Mandatory asset-freeze and transaction-screening obligations apply immediately to any entity dealing with newly listed parties under the amended regime.
Cybersecurity
Legislation
EU Council Decision 2026/1713 updates cyber-attack restrictive measures framework
Revised travel-ban and asset-freeze triggers under the amended Decision require compliance teams to update counterparty due-diligence procedures without delay.
Cybersecurity
Legislation
European Parliament adopts temporary ePrivacy derogation for CSAM detection
Renewed derogation requires messaging and communications platform providers to reassess whether existing CSAM-detection practices satisfy the updated legal basis.
Data Protection
Legislation
UK enacts Central Counterparties (Equivalence) Regulations 2026
Firms clearing through non-UK CCPs must confirm their CCP's home jurisdiction has received UK equivalence recognition or risk regulatory exposure.
Financial Markets
Guidance
EU Cybersecurity Reserve operationally activated to support Moldova via Decision 2026/1725
First confirmed activation of the EU Cybersecurity Reserve signals that the incident-response mechanism is now operational, relevant for regulated entities modelling EU-level crisis support scenarios.
The European Commission consultation on draft guidelines for classifying high-risk AI systems remains open after the deadline was extended to 23 July 2026.
The government is committed to decarbonising road transport. A visible charging network is essential for successful electric vehicle ( EV ) uptake. Motorway service areas ( MSAs )
This document explores the risks and industry concerns around recycled plastic content claims and the potential introduction of a mandatory certification requirement for plastic pa
Article 50 obligations for AI systems generating synthetic content become applicable. Providers must ensure AI-generated audio, images, video and text are machine-readably marked o
Domains
Signals and context
Signals help explain where regulation, markets and technology may be moving. They are not obligation evidence.
The report signals forthcoming EU legislative or regulatory measures on child online safety that platforms and digital services will need to anticipate.
Provides a formal record of how Secretary of State powers under the Communications Act 2003 were exercised, relevant to understanding the ministerialβOfcom regulatory boundary.
The report is likely to shape DSA enforcement priorities and potentially new legislative obligations for platforms operating in the EU.
AI Governance
1 item
1 commentary
Accessibility
no items today
Chemicals
no items today
Cloud & Infra
no items today
Consumer & Redress
1 item
1 enforcement
Cybersecurity
5 items
2 guidance3 commentary
Data Protection
1 item
1 legislation
Data Sharing
no items today
Digital Identity
no items today
Digital Markets
no items today
Ecodesign & Energy
no items today
Financial Markets
1 item
1 legislation
Health & Life Sci
1 item
1 guidance
Media & Copyright
no items today
Online Safety
3 items
3 commentary
Payments
no items today
Product Safety
no items today
Telecoms
no items today
Vehicles & Mobility
no items today
Waste & EPR
no items today
AI Governance
An independent report on children's circumvention behaviours online was published, with findings that may shape future regulatory expectations for platforms subject to UK Online Safety Act children's safety duties.
Platforms subject to UK OSA children's safety duties should review findings as they may shape future regulatory expectations on age assurance and content controls.
Consumer Protection, Ecommerce and Redress
An EU official signalled that Big Tech platforms face fines for consumer protection failures, indicating that enforcement with financial penalties is being actively considered for platforms operating in the EU.
Platforms operating in the EU should assess consumer protection compliance exposure now, as enforcement with financial penalties is being actively signalled by the Commission.
Cybersecurity and Operational Resilience
The EU Council enacted Implementing Regulation 2026/1714 and amended Decision 2026/1713 on 13 July 2026, updating cyber sanctions listings and triggering immediate asset-freeze and screening obligations for affected parties. The EU also authorised activation of the Cybersecurity Reserve to support Moldova via Decision 2026/1725, marking the mechanism's operational debut. The UK and allied governments issued a joint advisory naming Russian intelligence actors targeting critical infrastructure sectors and their supply chains.
EU-listed entities or individuals under the amended cyber sanctions regime trigger asset freeze and travel ban obligations for in-scope organisations operating across EU member states.
This is the first or early activation of the EU Cybersecurity Reserve, signalling the operational readiness of a mechanism that EU-regulated entities may interact with during significant cross-border incidents.
Critical infrastructure operators and their suppliers face named, state-level threat actors and should treat this advisory as a direct prompt to review controls.
Entities subject to or transacting with listed parties must immediately screen sanctioned persons and freeze assets to avoid EU sanctions breaches.
Data Protection, Privacy and Surveillance
The European Parliament adopted a temporary derogation from the ePrivacy Directive on 9 July 2026, requiring messaging and communications platform providers to assess whether their CSAM-detection practices comply with the renewed legal framework.
Messaging and communications platform providers must assess whether their CSAM-detection practices comply with the renewed derogation's specific conditions and time limits.
Financial Markets, Conduct and Financial Crime
The UK enacted the Central Counterparties (Equivalence) Regulations 2026, requiring firms clearing through non-UK CCPs to confirm whether their CCP's home jurisdiction has received UK equivalence recognition.
Firms clearing through non-UK CCPs must confirm whether their CCP's home jurisdiction has received equivalence recognition under this new instrument to ensure continued regulatory compliance.
Health Data, Medical Devices and Life Sciences
The EMA published guidance for applicants on preparing the precise scope section of variation application forms, with errors in this section risking validation failures or delays to marketing authorisation procedures.
1 Guidance
GuidanceEMA Regulatory and Procedural Guidelines RSSπͺπΊ
Errors in the precise scope section of variation applications can cause EMA validation failures or delays, directly affecting marketing authorisation timelines.
Online Safety and Child Protection
The European Commission advanced proposals for a minimum age restriction of 13 for social media access across EU member states, which would impose new age-verification and parental-consent obligations on platforms if adopted as binding legislation.
A binding EU minimum age requirement would impose new verification and parental-consent obligations on social media platforms operating across member states.
A Commission-level social media ban for children would impose new platform obligations across all 27 member states, requiring rapid compliance programme updates.