Digital Service Oversight in EU Member States

A substantive policy decision has come out of France, where the government has committed to phasing out US based collaboration platforms across public administration in favor of a domestically developed alternative. The rationale is not novelty or protectionism, but governance. France will require public officials to move away from platforms including Zoom, Microsoft Teams, Google Meet, WhatsApp, and Telegram Messenger, shifting instead to state approved tools such as Visio for videoconferencing and Tchap for messaging. Visio is developed under the authority of the Interministerial Digital Directorate and runs on French infrastructure. It is already used by tens of thousands of civil servants, with a target of broad adoption across government by 2027. https://lnkd.in/efbMG5NN Collaboration platforms are not neutral tools. They structure data flows, determine jurisdictional exposure, and embed long term dependencies into public institutions. In a regulatory environment shaped by GDPR, the EU AI Act, and increased scrutiny of cross border data transfers, these choices are no longer technical. They are political, legal, and strategic. France’s move reflects a broader shift in how digital infrastructure is understood in Europe. Digital sovereignty is being translated into procurement rules, system architecture, and enforceable institutional practice. Similar calls for greater digital independence from the United States have been made by European leaders across Germany, Spain, and at the EU level, particularly in relation to cloud services, data localization, and strategic technologies. A cross-party majority of Members of the European Parliament have explicitly called for reducing reliance on US digital infrastructure and expanding European capabilities in a recent technological sovereignty resolution, framing it as a strategic necessity rather than mere regulation.  https://lnkd.in/eBHQ3YfE What distinguishes the French case is the execution. Policy intent has now been converted into mandatory tools, monitored adoption, and infrastructure level enforcement.

This is the 3rd edition of a comprehensive overview of legislative measures in the EU relevant to digitalization, covering enacted laws during the EU's 2019-2024 legislative term, as well as ongoing and future policy initiatives, published by Bruegel - Improving economic policy and compiled by authors Kai Zenner,J. Scott Marcus, and Kamil Sekut. The overview includes measures like the Digital Markets Act (DMA), Digital Services Act (DSA), Data Act, and the Artificial Intelligence Act (AI Act), with insights into their implementation and enforcement. The dataset also includes a detailed taxonomy of EU governmental and non-governmental bodies responsible for enforcing these legislative measures. Website: https://lnkd.in/g9Jrfnyt * * * For a deeper dive into these legislative developments and their broader impacts on the digital economy, check out the brand-new mini-series developed by VISCHER: a series of short, five-minute training videos to help understand and navigate the increasing complexity of EU digital regulations. The videos cover regulations such as the AI Act, DSA, Data Act, Cyber Resilience Act, NIS2, and DMA. Aimed at employees in product development, management, and sales, the videos offer a basic understanding of the laws and their implications for businesses, with a digital avatar of David Rosenthal explaining key points. 😊 Link: https://lnkd.in/gMPZ2QcT 👏 * * * In this context, it is also interesting that as the European Commission highlighted in its Second Report on the State of the Digital Decade on the progress toward the EU’s 2030 digital transformation goals, despite advancements, member states are falling short in key areas, including digital skills, connectivity, and the uptake of AI: https://lnkd.in/gAj9uqX7 Only 55.6% of EU citizens have basic digital skills, and AI adoption remains low, with only 17% of businesses expected to use it by 2030, far below the 75% target. The report calls for increased investments at both EU and national levels and emphasizes the need for more ambition and cooperation among member states. It also outlines country-specific recommendations to address gaps and accelerate progress in key sectors, such as cloud computing, semiconductor production, and startup ecosystems. Member states are expected to review and adjust their national roadmaps by December 2024 to align with the EU’s broader digital transformation strategy. Link to the EU’s Digital Decade initiative: https://lnkd.in/gjkaJt3e

📣 The enforcement of European digital regulation requires more attention , particularly in times of omnibus. 🖊️ My new paper with Anna Vicinanza published in the Yearbook of European Law examines how significant attention has focused on the lack of coherence across legislation and other regulatory instruments, while less consideration has been given to enforcement, particularly to the expansion of powers and overlaps of responsibilities distributed across multiple national and supranational authorities. In this work, we address the primary challenges to the enforcement of European digital regulation and explore potential pathways for enhancing its effectiveness. 🔵 The first part provides examples of how the growing number of EU legal instruments in the European digital policy, particularly targeting digital services, has not fully considered the intersections between different technologies and regulatory frameworks. The second part then underlines how these substantive overlaps translate into enforcement challenges. It addresses the quantitative dimension of the enforcement framework, detailing the multiplicity of bodies involved while analysing the overlapping competences that arise from this institutional complexity from the national and supranational perspectives. The final section explores possible solutions, evaluating opportunities and limitations of various pathways to improve the enforcement of European digital regulation. 🔗 Read the full article here: https://lnkd.in/d3PXNb_V

471 votes later, Europe agrees on one thing: digital dependency is a risk 3 companies control roughly 70% of EU’s cloud market. Yesterday, that concentration moved from market fact to political risk. With its vote, the European Parliament reframed scale and efficiency as resilience, control, and strategic exposure. Conservatives, social democrats, liberals, and greens agreed on EU’s digital dependency being a strategic risk. The numbers made the case The EU relies on non-EU actors for 80%+ of its digital products, services, infrastructure, and IP. In cloud - the backbone of AI, data, and enterprise systems - concentration is extreme and, in many cases, irreversible. This is about lock-in, concentration, and loss of strategic choice. Yesterday’s vote changes governance mechanics. By mandating a clear view of EU’s critical digital dependencies, the Parliament moves dependency to a managed exposure. Once visible, it can be assessed. Once assessed, it drives procurement, investment, certification, and security decisions. 4 elements make today’s vote decisive. 1️⃣ From regulation to infrastructure Cloud, AI compute, digital identity, data layers, and web indexing are treated as digital public infrastructure to reduce systemic exposure where private concentration has become the norm. The resolution explicitly references: ▫️ AI “gigafactories” to secure compute capacity ▫️ a EU web index to reduce reliance on non-EU indexing infrastructure ▫️ the expansion of EU digital identity, including a new business wallet 2️⃣ The emergence of a “EuroStack” The Parliament endorses a EU digital stack - spanning semiconductors, connectivity, cloud, software, data, and AI - built on open standards and decentralised governance. The goal? Avoid irreversibility and preserve strategic optionality. 3️⃣ Procurement as a key lever The Parliament advances: 🔹 sovereignty and security criteria in public procurement 🔹 “open source first” and “public money, public code” principles 🔹 systematic consideration of dependency risks in critical systems Procurement becomes industrial policy: legal, scalable, and effective. 4️⃣ Security and digital governance fused The resolution calls for: ✔️ making the EU 5G security toolbox binding ✔️ strengthening cybersecurity certification ✔️ tighter oversight of high-risk vendors in critical infrastructure Cloud and AI are treated like telecoms or energy: strategic systems subject to risk management. The implication for boards & executives Cloud architecture, AI stack, data location, and vendor concentration are governance and risk exposures, similar to supply-chain concentration or energy dependence. This vote won’t change EU’s digital stack overnight, but it'll shape how EU buys, invests, and governs digital infrastructure for years. That’s the real shift. If 471 lawmakers see digital dependency as risk, why is it still an IT decision and who owns it at the board? #AI #DigitalSovereignty #AIGovernance #Boardroom #Geopolitics

🚨 A Must-Read for Risk & Compliance Teams: DORA Oversight of Critical Third Parties Just Got Serious If your organization relies on third-party technology providers (cloud, infrastructure, software, data services) and serves EU markets, you need to understand what this new DORA update means. Here’s a clear, no-fluff breakdown of the EU's new guide (July 2025) on how critical ICT service providers will now be designated, examined, and held accountable: What's the big deal? This is the first ever structured, EU-wide oversight framework for third-party ICT providers who are critical to the financial sector. Think AWS, Microsoft, Google Cloud, IBM, and many others. Under DORA, these providers will be: - Designated as critical if their failure could threaten financial stability. - Monitored year-round by joint EU supervisory teams. - Inspected on-site or off-site if risks emerge. - Given recommendations that, if ignored, may trigger public naming. This changes how financial institutions manage third-party risks, particularly in terms of concentration risks and systemic reliance on a few large technology providers. What DORA’s Oversight Involves ✔️ Annual designation process based on service criticality, substitutability, and systemic risk. ✔️ Joint Examination Teams (JETs) will actively monitor providers across the EU. ✔️ Investigations & inspections can be initiated if risks, incidents, or non-compliance are detected. ✔️ Non-binding recommendations will be issued, but if ignored, they’ll go public. ✔️ Competent Authorities will be informed, and may require firms to suspend or terminate services from non-compliant providers. ✔️ Third-country oversight is possible if the provider serves EU clients, even if based elsewhere. Why This Matters to You? Vendor due diligence just got heavier. You’ll need to understand not just your vendor’s controls, but how they interact with DORA regulators. More shared insight. Regulators can now share oversight findings with you if you use a critical provider. ICT concentration risks are under a microscope. Risk leaders will need to prove they understand and mitigate dependencies. EU or not, this affects global providers. If you’re outside the EU but serve EU clients, your oversight perimeter just expanded. DORA isn't just about resilience anymore, it’s about control, transparency, and accountability at the third-party level. If your key ICT vendors are designated as critical, expect more scrutiny and be ready for deeper oversight conversations. #DORA #ThirdPartyRisk #ICTRisk #CyberResilience #RiskManagement #EURegulation #VendorOversight #Compliance #FinancialServices #tprm

Spain is one of the first EU countries out of the blocks publishing their AI Act implementation legislation. The Spanish approach creates a centralised coordination system with specialised oversight mechanisms and introduces several innovative protections beyond EU requirements. The Spanish legislation establishes the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) as a central coordinating body that will serve as the Single Point of Contact with the European Commission and chair a Joint Committee for Coordination. Alongside this centralised coordination, Spain has designated specialised sectoral authorities including the Spanish Data Protection Agency and the Bank of Spain to regulate AI systems in their respective domains. This approach bears similarities to Ireland's recently announced AI legislative strategy. While initially characterised as purely distributed, Ireland will in fact be establishing a "single super regulator" to coordinate all competent authorities. Like Spain, Ireland has designated existing sectoral regulators including the Central Bank of Ireland, the Data Protection Commission, and various other authorities to oversee AI systems in their areas of expertise. Both countries seem to be implementing a two-tier system: a central coordinating body paired with sectoral regulators bringing domain-specific knowledge. There are notable parallels in the designated authorities, with financial regulators (Bank of Spain and Central Bank of Ireland) playing similar roles in their respective frameworks. Where Spain's approach does introduce distinctive elements is in its judicial oversight provisions for biometric systems. Spain has mandated court authorisation for real-time biometric identification in public spaces and pioneered a "right to disconnect" harmful AI systems. The Spanish legislation also establishes a detailed sanctioning regime with graduated penalties and creates anonymous reporting channels for potential violations. Spain has set specific dates for different aspects of regulation to take effect, beginning with prohibited systems in August 2025, followed by high-risk AI system oversight in 2026 and 2027. These hybrid models reflect a pragmatic approach to AI governance. Both countries recognise the need for centralised coordination while leveraging the established expertise of sectoral regulators. Rather than representing dramatically divergent paths, Spain and Ireland's implementation strategies demonstrate a convergence around a balanced regulatory model. Both countries are seeking to establish effective oversight while minimising disruption to innovation. As AI technologies continue evolving rapidly, these similar yet nuanced approaches will offer valuable insights into effective models for implementing the EU's pioneering AI regulation framework.