What to Watch in 2026: Key EU Privacy & Cybersecurity Developments

By Dan Cooper, Anna Oberschelp de Meneses, Alix Bertrand, Clemens Jaaks & Moritz Hüsch on January 27, 2026

As 2026 gets underway, the European Union enters a pivotal year for data protection, AI governance, and cybersecurity regulation, among other matters. EU institutions and national authorities are expected to progress a number of significant digital‑policy files, roll out new cyber‑resilience obligations, and make transparency in the privacy space a top priority. Below is an overview of the key developments to monitor.

1. Regulatory Simplification

2026 is also shaping up to be a significant year for regulatory simplification. The European Commission is advancing the Digital Omnibus Package, a broad initiative aimed at streamlining the EU’s digital‑regulatory landscape and reducing administrative burdens for organizations (see more on this here and here). Key proposals include clarifying the GDPR’s definition of personal data to exclude information that an entity cannot reasonably link to an individual, empowering the Commission to set out the circumstances under which pseudonymized data may qualify as anonymized (and thus fall outside the scope of the GDPR), and introducing amendments to the GDPR that facilitate AI development and use.

The Package is currently under negotiation, with the Commission aiming for political agreement later in 2026. Timelines may shift depending on the EU trilogue progress, but any adopted measures would likely be phased in over several years, with certain changes (including delayed AI Act-related deadlines) expected to take effect only from late 2027.

The European Commission has also signaled that further reforms to the e‑Privacy Directive are under consideration, beyond the limited amendments already included in the Digital Omnibus Package. It noted that certain additional changes would be “considered” in a future reform of the remaining provisions of the Directive, while providing no indication of timing for such a proposal.

2. Enforcement Trends

2026 is likely to be busy on the enforcement front. Some noteworthy enforcement trends include:

  • Transparency Under Scrutiny: Transparency obligations under the GDPR will be a top enforcement priority in 2026. The European Data Protection Board’s 2026 Coordinated Enforcement Action will focus on transparency and information obligations — the GDPR rules that require organizations to clearly explain how they collect, use, and share personal data — pursuant to Articles 12–14 of the General Data Protection Regulation. This year’s coordinated enforcement action may lead to more investigations and stricter penalties than in previous years.
  • GDPR Procedural Regulation: The GDPR procedural regulation, which entered into force on January 1, 2026, and will apply to new cross‑border cases as of April 2, 2027, primarily affects how supervisory authorities process data protection-related complaints and cooperate with one another. Although it does not change their substantive GDPR obligations, organizations can expect stricter, more structured enforcement timelines and greater efficiencies and harmonization in cross-border regulatory investigations.
  • Digital Services Act (DSA): Several formal investigations launched by the Commission in 2025—addressing matters such as age‑verification shortcomings, risk‑mitigation duties, and financial‑scam vulnerabilities—are expected to conclude during 2026, providing greater clarity as to how the Commission interprets key provisions in the DSA.

3. Rise of AI Legislation

AI will remain a central policy and regulatory theme in 2026. Key developments should include:

  • Publication of Commission guidance on high‑risk AI systems (expected February 2026), providing clarity on borderline high-risk use cases.
  • Finalization of the Code of Practice on Transparency of AI systems (expected in Q2 2026).
  • Entry into force of obligations for high-risk AI systems enumerated in Annex III (expected on August 2, 2026, although timelines may shift under the Commission’s Digital Omnibus Package).
  • Continued adoption of national laws intended to facilitate application of the AI Act at the Member State level, with additional Member States expected to adopt domestic legislation in 2026.

4. Data Act Implementation

Implementation of the Data Act continues apace throughout 2026:

  • For many organizations, 2026 will be the first year in which they engage in full operational deployment of Data Act compliance programs at scale.
  • Core obligations—including B2B data‑sharing requirements and prohibitions on unfair contractual terms—have applied since September 12, 2025.
  • Additional provisions will apply from September 12, 2026, including obligations for manufacturers of connected products and providers of related services to ensure that data is accessible by default to users.

The European Commission will keep working on guidelines relating to implementation of the Data Act (e.g., guidance on selected definitions) in 2026. Finally, depending on progress made on the Digital Omnibus Package, implementation of the Data Act may be impacted as the text may be partially reformed.

5. Cyber Trends

Several important cyber frameworks reach critical points in 2026:

  • Multiple Member States are expected to complete the transposition of the NIS2 Directive this year. Where rules are already adopted, early compliance obligations—including sector‑specific registration and supervision—begin to apply. In Germany, for example, companies must meet early 2026 compliance deadlines under the German NIS2 Implementation Act, including mandatory registration obligations, and should prepare for gradually increasing supervisory activity and enforcement throughout the year.
  • From September 11, 2026, the Cyber Resilience Act begins to apply, imposing mandatory reporting of actively exploited vulnerabilities and serious cybersecurity incidents for products with digital elements.
  • The Commission is finalizing the European Open Digital Ecosystem Strategy (expected Q1 2026), aimed at strengthening EU technological sovereignty and increasing open‑source adoption.
  • On January 21, 2026, the Commission proposed a Digital Networks Act to modernize and harmonize EU connectivity rules by replacing the Electronic Communications Code. Key elements include a single EU‑wide authorization regime, streamlined regulatory obligations, longer and renewable spectrum licenses, expanded EU‑level satellite authorization, and measures to improve network security and resilience.
  • On January 20, 2026, the Commission proposed a revised Cybersecurity Act (CSA) as part of the EU’s new cybersecurity package. The revision introduces a strengthened EU cybersecurity certification framework, establishes a horizontal framework for ICT supply‑chain security, and reinforces ENISA’s role. The revised CSA is designed to simplify compliance with existing EU rules and operate alongside the Digital Omnibus’ “single‑entry‑point” incident‑reporting model.
  • On January 20, 2026, the Commission also proposed targeted amendments to the NIS2 Directive. The amendments would clarify jurisdictional rules, streamline the collection of ransomware‑related data, introduce a new “small mid‑cap” enterprise category to lower compliance costs, and strengthen ENISA’s coordinating role. Once adopted, Member States will have one year to transpose the amended provisions.
  • 2026 is also a pivotal year for the Critical Entities Resilience Directive. By January 2026, Member States must complete national risk assessments, and by mid‑2026 they begin designating ‘critical entities’, which then have nine months from notification to implement CER‑mandated resilience measures, including risk assessments, business continuity and crisis-management plans, and enhanced incident notification processes.

6. EDPB Guidance Pipeline

The EDPB is expected to advance several important guidance initiatives, including:

  • finalizing a number of draft guidelines including those on legitimate interests and those on the interplay between the GDPR and the DSA; and
  • advancing guidance concerning anonymization and pseudonymization, as outlined in its 2024–2025 work program.

*            *            *

Covington & Burling is closely monitoring the initiatives outlined above and is available to advise on how they may affect your organization.

Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

Clemens Jaaks

Clemens Jaaks is an associate in Covington’s IP/IT team in Frankfurt. He focuses on IT law, outsourcing, cloud-services, digitalization/industry 4.0, technology and data driven licensing deals, e-commerce and data protection.

Moritz Hüsch

Moritz Hüsch is partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group and Covington’s Internet of Things (IoT) Group. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.

Moritz is regularly advising on issues and contracts with respect to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz’s practice is on advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.

Moritz is regularly listed as one of the best lawyers in the areas of IT and data protection, among others by Best Lawyers in cooperation with Handelsblatt, Wirtschaftswoche and Legal 500.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Inside Privacy
  • Organization:
    Covington & Burling LLP