Connected - November 2025
Contacts
Partner
Finland
I am a partner and the head of our Privacy and Data Protection group in Helsinki, where I advise our local and international clients on complex privacy and data issues.
The November 2025 edition has been edited by Tobias Bräutigam with contributions from the Regulatory & Public Affairs team.
This November brought so many new developments that everyone interested in EU regulatory developments will be busy for months to come. To start with, the European Commission has published its ambitious work programme for 2026. This development is going to be topped by the so-called Digital Omnibus, a simplification agenda that will be officially published on 19 November 2025. From what was leaked regarding the GDPR reform, it looks like changes in the definition of personal data are proposed and several other provisions will be amended to enable AI growth in Europe. This goal is shared by the EU Apply AI strategy covered in the next article.
We continue with giving some context on one of the most important decisions by the European Court of Justice recently, namely the Single Resolution Board decision. Next is an update on the guidance of the EU Commission on the Data Act, relevant not only for automotive stakeholders. We will then cover the EU Political Advertisements Regulation, an interesting piece of legislation often overlooked.
Our reports from Member State countries cover a report on a fine concerning lawful interception and an update on the developments in the space sector in Finland. We end with two highlights on the implementation of the NIS2 Directive, one from Portugal where Bird & Bird recently opened an office and one from the Nordics.
SIGN-UP TO RECEIVE THIS MONTHLY NEWSLETTER BY CLICKING HERE
EU: A bid for tech sovereignty drives Commission’s Work Programme for 2026
At a time of geopolitical instability, the European Commission has vowed to make sovereignty and independence guiding principles in its Work Programme for 2026. While there is increasing policy momentum in favour of simplifying and streamlining digital regulation to boost EU competitiveness, the Commission is nevertheless planning to introduce several new regulatory initiatives. Industry players, who are still getting to grips with the breadth and complexity of the recent wave of recent EU digital legislation, have the prospect of further legislation on the horizon.
Below, we explore the most relevant initiatives for the digital, data and telecoms sectors.
For more information, please contact Francine Cunningham.
EU Digital Omnibus: Resetting Europe’s digital rulebook
The European Commission is preparing a major legislative initiative to streamline and modernise the EU’s digital regulatory framework. Known as the Digital Omnibus Package, this effort is part of the broader Commission’s simplification agenda aimed at reducing administrative burdens, enhancing legal clarity, and fostering innovation across key policy areas.
For more information, please contact Paolo Sasdelli.
The EU’s Apply AI Strategy: An overly ambitious blueprint for sectoral transformation?
The European Commission’s Apply AI Strategy, unveiled in October 2025, marks a pivotal step in integrating artificial intelligence across the EU’s strategic sectors. Building on the AI Act and the AI Continent Action Plan, the strategy aims to accelerate AI adoption, especially among SMEs, and reinforce Europe’s technological sovereignty.
For more information, please contact Feyo Sickinghe.
EU: The SRB decision: A new era for personal data and data processing agreements?
On 4 September 2025, the Court of Justice of the European Union (“CJEU”) delivered a significant judgment in the case EDPS v. SRB (C-413/23 P). This is the first judgment in which the CJEU has explicitly confirmed that sufficiently strongly pseudonymised data may constitute personal data for the original controller but not for the recipient who cannot reverse the pseudonymisation and cannot identify data subjects by other means. This raises the question as to whether controllers are required to conclude Data Processing Agreements with processors that are unable to identify data subjects.
For more information, please contact Riku Rauhanen.
Navigating the Data Act: EU Commission guidance for the automotive sector
On 12 September 2025, the EU Data Act entered into application, imposing significant obligations on businesses across all sectors. While most rights and obligations of the regulation are now fully applicable, the European Commission has yet to finalise its (non-binding) Model Contractual Terms (“MCT”) for data sharing, and Standard Contractual Clauses (“SCC”) for cloud computing contracts. The Data Act raises many questions and businesses lack clear guidance on many aspects. At least for the automotive industry, more guidance is now available.
For more information, please contact Lennart Schüssler.
The EU Political Advertising Regulation: what you need to know
On 10 October 2025, the remaining provisions of the European Union’s Regulation (EU) 2024/900 on the transparency and targeting of political advertising (i.e. the Political Advertising Regulation, or "PAR") became applicable. Guidance issued by the European Commission on implementation of PAR (“Guidance”) was finalised two days beforehand on 8 October 2025.
PAR can apply to a wide range of services in the advertising ecosystem - even those only involved in commercial advertising - and regulatory fines under PAR can be up to 6% annual income, budget or worldwide turnover.
For more information, please contact Alex Dixie, Heather Catchpole and Stephanie Ong.
Netherlands: €1.5M fine for failure to comply with Dutch lawful intercept obligations
After already imposing a similar fine in 2024, in October 2025 the Dutch Authority for Digital Infrastructure (“RDI”) imposed a fine of €1.5M on one of the three mobile network operators in the Netherlands for breaches of legal requirements related to the security of the lawful intercept (“LI”) system. Under Chapter 13 of the Dutch Telecommunications Act (“DTA”), providers of public electronic communication services and networks must ensure that their services and networks are capable of being intercepted. Operators need to comply with authorised orders to intercept communications whilst keeping such data confidential. At the same time the law requires operators to keep data secure against unauthorised access.
For more information, please contact Raoul Grifoni Waterman.
Finland: Space and satellite developments
In October, the Nordic countries have made a joint declaration to strengthen regional cooperation on space matters. This initiative aims to enhance innovation, security, environmental sustainability, and competitiveness across Denmark, Finland, Iceland, Norway, and Sweden. The declaration comes at a time when Europe is actively developing its space capabilities, with the Nordics playing an increasingly strategic role.
For more information, please contact Hayley Blyth and Niilo-Pekka Salminen.
NIS2 Directive transposition in Portugal: Status and brief overview
On 22 October 2025, the law authorising the government to transpose the NIS2 Directive was published by the official journal as Law no. 59/2025 (“Law”).
The Law is not yet the final transposition, but determines general guidelines the Government must follow when transposing the NIS2 Directive into Portuguese law and, consequently, approve the Cybersecurity Regime and adapt the existing national framework accordingly [available at Lei n.º 59/2025 | DR ].
For more information, please contact Ana Mira Cordeiro.
Update from the Nordic countries on the NIS2 Directive implementation
What is the Nordic approach on the NIS2 implementation?
This status update informs about how the Nordic countries Sweden, Finland, and Denmark are implementing the NIS2 Directive. All countries have chosen a minimalistic approach, closely following the directive’s baseline requirements without adding significant national-specific obligations. Some details can however be specified through secondary legislation at ordinance and agency regulation level.
For more information, please contact Ana-Maria Barbu-Nyström, Julie Bak-Larsen and Hertta Hytinantti.
