The communications sector is subject to a wide range of regulatory frameworks in the EU, just as it is elsewhere around the world. Some of these frameworks are specific to certain parts of the sector (e.g., the licensing and spectrum management regime set out in Member State transpositions of Directive 2018/1972: the European Electronic Communications Code, which are primarily relevant to operators that require direct access to electromagnetic spectrum), while others are generally-applicable frameworks that nonetheless have a significant impact on providers of communications networks and services (e.g., rules related to privacy, cybersecurity, law enforcement access to data, and product liability rules related to radio equipment). Many of these latter frameworks apply both to providers that require direct access to spectrum, and those providing over-the-top internet-enabled communications services.
In any event, most of these legal regimes are undergoing, or are due to undergo in the near future, significant changes, and many of these changes arise as a result of new ways of delivering electronic communications networks and services. For example, satellite operators can provide communications networks and services across the EU, but the lack of a harmonized licensing framework for certain types of communications networks and services makes this more challenging. In addition, the growth of over-the-top communications services has vastly increased the amount of communications data, and has made cross-border law enforcement access to data a critical part of many criminal investigations.
Taken together, these legal changes could fundamentally change the way that electronic communications network (“ECN”) and electronic communications service (“ECS”) providers are regulated in Europe. We summarize briefly below the main forthcoming changes, and how they might impact different types of communications providers.
- Licensing and Spectrum Allocation: the Digital Networks Act
On 21 January 2026, the European Commission published its proposal for a Digital Networks Act (“DNA”), an ambitious attempt to harmonize significant aspects of the EU regulatory framework applicable to electronic communications network and service providers. One of the Commission’s stated aims is to enable such providers to scale and provide their networks and services across the EU.
Among other things, the proposed DNA would establish a single list of conditions applicable to the grant of authorizations to communications networks and communications services that rely on national numbering systems, would allow providers authorized in one Member State to provide their services in other Member States without the need for further authorization, and harmonize the conditions for obtaining access to spectrum. It would also introduce measures to open up access to spectrum—effectively a “use-it-or-lose-it” requirement that would require organizations that have rights to access spectrum but that are not using it to grant requests to lease or share that spectrum.
The proposal would also establish a single, EU-level regime for satellite communications networks and services to obtain authorization to provide their services in the EU and to obtain access to spectrum, would mandate the switch-off of copper wire networks by 2035, would impose harmonized consumer protection obligations on communications service providers, and harmonize the framework for competition analyses of communications markets. One area that is likely to be subject to significant debate in the legislative process is the “conciliation mechanism” for access to electronic communications networks, which could ultimately require organizations that make large-scale use of such networks (e.g., large technology companies) to pay higher fees for their access.
The DNA is at the start of the legislative process, and is likely to be subject to substantial debate. For further details on some of the main proposed changes, see our blog post here.
- Cybersecurity: NIS2, the Cyber Resilience Act, and the Cybersecurity Act
Member States were required to transpose Directive (EU) 2022/2555 (“NIS2”) into their national laws by 17 October 2024. A large number failed to do so by this time, and some (e.g., France, Spain, and Ireland) have still not implemented the required legislation. NIS2 applies to electronic communications network and service providers (irrespective of whether they provide over-the-top services or not) as “essential entities”, and requires them to implement a broad range of cybersecurity governance requirements. In particular, these providers must implement a range of cybersecurity policies and procedures, including on cyber risk assessments, incident management, and supply-chain security. NIS2 also requires senior management to approve and monitor cyber programmes, and imposes strict incident reporting requirements—including a requirement for an “early warning” notification to regulators within 24 hours of a “significant incident.” For further details about NIS2, see our blog post here.
On 20 January 2026, the European Commission announced a proposal for a Regulation to replace the existing Cybersecurity Act (“CSA2”). In addition to broadening the remit of ENISA and imposing stricter timeframes for the completion of cybersecurity risk assessments, CSA2 would require the Commission to carry out risk assessments to identify “key ICT assets” used by organizations designated as essential and important entities under NIS2. It also empowers the Commission to designate countries and suppliers controlled by them as “high-risk,” e.g., due to the risks of foreign government interference in essential or important sectors, and impose restrictions on the use of components manufactured by high-risk countries / suppliers. While not expressly set out in the text of the law, the Commission’s immediate focus appears to be on removing equipment manufactured by companies with close links to the Chinese Government from European telecommunications networks. For more details on the CSA2 proposal, see our blog post here.
The Cyber Resilience Act (“CRA”), by contrast, establishes horizontal cybersecurity requirements for “products with digital elements” (“PDEs”), ranging from IoT devices to network hardware and software products placed on the EU market. It requires manufacturers of these products to conduct conformity assessments against certain “essential cybersecurity requirements,” including embedding security-by‑design principles. It also requires manufacturers to report both incidents affecting PDEs and unexploited vulnerabilities. For more information about the CRA, see our blog post here.
The primary impact of the CRA on communications providers is likely to be indirect: to the extent that they make use of PDEs to provide their services, they may need to ensure that those PDEs are subject to the appropriate conformity assessments. In addition, as operators increasingly rely on virtualised and cloud‑based architectures, they may also be subject to direct obligations under the CRA, in particular in relation to software they manufacture to provide their networks and services.
- Privacy: the Digital Omnibus
The European Commission’s proposed Digital Omnibus Package proposes targeted amendments to various EU laws, including privacy laws like the GDPR and the e-Privacy Directive. Generally, the Omnibus proposes a greater range of exceptions from the consent requirement to store / access personal data on users’ devices (e.g., for audience measurement and security purposes), expressly notes that AI training can be a legitimate interest of a controller, and would establish a single portal for submitting incident notifications under the GDPR and cyber legislation. For more details about the key aspects of the Omnibus Package, which will be relevant to communications network and service providers’ processing of personal data, see our summary here.
Of particular relevance to the communications sector, the Omnibus would repeal the e-Privacy Directive’s rules on the security of electronic communications networks and services and incident reporting for those networks and services, because those obligations are duplicative of requirements in NIS2. However, the Omnibus does not propose any reforms to the very strict restrictions on the use of communications content and metadata currently set out in the e-Privacy Directive.
- Law Enforcement Access to Data: the e-Evidence Regulation, Data Retention, and the CSAM Regulation
The EU e‑Evidence Regulation will apply in full from August 2026. It will establish a new cross‑border framework allowing authorities in one EU Member State to issue binding production or preservation orders directly to covered service providers—including electronic communications service providers and providers of other online services that facilitate communication between users—established in another Member State. So-called European Production Orders can compel these service providers to disclose subscriber data, traffic data, or, in limited cases, content data. For further details about the e-Evidence Regulation, please see our blog post here. Communications service providers will therefore need to establish processes to recognize and respond to these new types of orders from a range of Member State authorities that they may not previously have received demands from, and often within short timeframes. They may also start to receive significantly increased volumes of demands for data.
Relatedly, ten years after the Court of Justice of the EU ruled that the Data Retention Directive was incompatible with the rights to privacy and data protection set out in the Charter of Fundamental Rights, in 2025 the Commission carried out a consultation and committed to preparing an impact assessment on new data retention requirements for communications service providers. A legislative proposal is likely either later in 2026 or in early 2027.
A key challenge for the Commission will be to ensure that any new legislation complies with the long line of CJEU judgments holding that data retention obligations must, among other things, be limited to what is “strictly necessary” for the purpose of fighting “serious crime,” and that “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” is not permitted under EU law (see an earlier post on one of these cases here). Any new data retention rules would apply directly to communications service providers, and could make significantly larger volumes of data theoretically accessible to law enforcement, which could in turn lead to an increased volume of demands for data using European Production Orders under the e-Evidence Regulation, as well as other instruments.
Finally, the proposed Regulation on Child Sexual Abuse Material (“CSAM Regulation”) would impose obligations on certain online service providers—including communications service providers—related to the detection, reporting, and removal of child sexual abuse material (“CSAM”), replacing the temporary derogation to the e‑Privacy Directive.
The EU institutions are currently negotiating the final text for this Regulation, but the most controversial aspects—mandatory “detection orders” requiring communications service providers to scan all communications for known and unknown CSAM as well as grooming activity—are unlikely to be in the final version, based on the most recent Parliament and Council proposals. Several Member State governments remain interested in such mandatory detection orders, however. In any event, this Regulation is likely to impose obligations on providers to assess and mitigate the risks of CSAM on their services, which could entail voluntary scanning of communications.
- Space: the EU Space Act
Last but not least, the proposed EU Space Act would, if passed, represent the EU’s first horizontal regulatory framework governing the development, deployment, and operation of space‑based infrastructures and services, including satellite communications services. The Commission’s initial proposal for this Act would impose obligations on various categories of providers of “space services,” including a registration and licensing framework, and safety, security, and sustainability obligations. For a more detailed summary of the proposal, see our blog post here.
Satellite communications are an increasingly important component of Europe’s connectivity landscape—particularly for backhaul, redundancy, and rural coverage—and terrestrial operators may increasingly integrate low‑Earth‑orbit and geostationary satellite connectivity into their networks. To the extent that communications operators begin to use space-based infrastructure or services, the provisions of the Act are likely to be directly relevant.
The proposed Space Act has been somewhat controversial, however. The U.S. Government has criticized it, noting the significant increase in regulatory burden that would affect many U.S. companies wishing to operate in space, with a particular focus on the onerous obligations on large communications satellite constellations. It remains to be seen whether and how this new frontier for the communications sector will be regulated in the future.