EU and UK: Technology Law Shorts - March 2026

Over the last quarter, regulators across the EU and UK have continued to raise expectations around resilience, coordination and enforcement. Cybersecurity and safety requirements are tightening, while policymakers are also working to reduce fragmentation through more harmonised rules and cross border supervision.

In the EU, there is clear ambition to remove long standing network and infrastructure barriers and support digital scale across the single market. In the UK, the focus has shifted firmly from implementation to enforcement, particularly in online safety and regulatory compliance.

For global technology businesses, this means staying proactive. Compliance remains critical, but so does aligning investment and sourcing strategies with a more coordinated regulatory landscape. At the same time, simplification creates real opportunities to reduce friction, improve market access and support sustainable growth across the region.

Commercial technology on the horizon: what do I need to know?

EU: Cybersecurity package proposed

On 20 January 2026, the European Commission (Commission) proposed a new cybersecurity package aimed at strengthening the EU’s resilience against cyber threats.

The package includes proposed amendments to the EU Cybersecurity Act and targeted updates to NIS 2. The aim is to secure ICT supply chains and streamline EU wide cybersecurity certification schemes. It also enhances ENISA’s role, improving coordination, threat awareness and crisis response across the EU.

A consultation on the Draft Guidance under the Cyber Resilience Act (CRA) also opened on 3 March and closes on 31 March. This Guidance is intended to help manufacturers, developers and other stakeholders apply key requirements consistently across the EU.

Impact: As the proposals develop, organisations may need to revisit contracts, sourcing models and product assurances to meet updated cybersecurity expectations.

Global supply chains may face higher certification costs and longer timelines. Early engagement with suppliers and certification bodies will help manage risk and avoid disruption.

EU: Digital Networks Act

On 21 January 2026, the Commission unveiled its proposal for a Digital Networks Act (DNA). 

The proposal aims to accelerate 5G, 6G and fibre rollout across the EU by reducing regulatory barriers and addressing spectrum constraints. It would allow operators to register in one Member State while providing services EU wide.

Additionally, an EU‑level framework for satellite spectrum introduces longer and renewable licences, and promotes spectrum sharing under a ‘use it or share it’ approach.

Other key measures include:

• mandatory national plans to phase out copper networks between 2030 and 2035;
• an EU‑level preparedness plan to enhance network security and resilience; and
• clarified net neutrality rules to support innovative services and voluntary cooperation across the connectivity ecosystem.

The proposal will now be examined by the European Parliament and the Council.

Impact: The proposals will affect telecoms operators, infrastructure and satellite providers, and large digital platforms operating across the EU.

• EU‑wide spectrum harmonisation could simplify market access and reduce regulatory fragmentation. Longer spectrum licences may improve investment certainty, while spectrum sharing could lower entry barriers for new providers.
• Early preparation for the copper switch‑off will be essential, although transition rules may involve complex procedures.
• Direct network fees for large digital platforms have been dropped, but a voluntary conciliation mechanism for disputes with operators has been introduced. This could signal the direction of future, more formal dispute resolution frameworks.

EU: Guidelines for VLOPs on managing journalistic content

On 6 February 2026, the European Commission published guidelines on cooperation between Very Large Online Platforms (VLOPs) and media service providers. 

The guidelines support implementation of the European Media Freedom Act, protecting professional journalistic content from unjustified removal. They clarify when VLOPs must notify media providers before removing content and explain the reasons for removal. Media providers must generally be given up to 24 hours to respond before content removal takes effect. The guidelines also explain the declaration process for media providers to demonstrate editorial independence and regulatory oversight.

Impact: The guidelines clarify how VLOPs should approach moderation, visibility and treatment of journalistic content.

For platforms, this increases expectations around transparency, procedural safeguards and engagement with recognised media providers. For publishers, it strengthens protections and supports more structured dialogue with platforms.

UK/EU: UK–EU memorandum of understanding on critical third parties

On 14 January 2026, the European Supervisory Authorities and UK financial regulators signed a memorandum of understanding. 

The signatories include the EBA, EIOPA and ESMA, alongside the FCA, PRA and Bank of England. 

The MOU sets out principles for cooperation, information‑sharing and coordination of oversight activities. These concern critical ICT third‑party service providers (designated under the EU Digital Operational Resilience Act (DORA) EU regime) and critical third parties (designated under the UK regime).

The agreement aims to enhance third‑party risk management and operational resilience across the EU and UK financial sector. 

Impact: The MOU represents a further step towards supervisory alignment for critical technology providers serving financial institutions. 

Cross‑border providers are more likely to face coordinated supervisory engagement and information requests from EU and UK authorities. Consistent governance, resilience testing and incident management frameworks will be increasingly important.

UK: Online Safety Act moves from implementation to enforcement

On 4 December, Ofcom published its first report on the technology sector’s response to the Online Safety Act. 

It marks a clear shift from implementation to enforcement, setting regulatory priorities for 2026.  Service providers are expected to deliver ‘meaningful, measurable improvements’ in user safety.

Key focus areas include:

• effectiveness of age‑assurance measures;
• transparency around child‑protection controls;
• outcomes of consultations on preventing child sexual abuse, including use of automated tools;
• removal of terrorist and illegal hate content in line with Ofcom codes;
• progress on safer online experiences for women and girls; and
• submission of risk assessments between 1 May and 31 July.

Impact: Online service providers should expect closer regulatory scrutiny throughout 2026. 

Ofcom will be focusing on whether safety measures work in practice. Clear governance, robust evidence and demonstrable outcomes will be central to meeting regulatory expectations.

Further resources:

• Cybersecurity in International Corporate Reorganizations: Strategic Impacts on Structure, Integration, and Risk
• EU Digital Omnibus: At a glance
• EU Legislation Roundup: February 2026
• Global Tech Law Series - Global Tech Law Series
• Legal Telescope: Tech & AI trends shaping supplier–customer relationships in 2025/26
• NIS2 Implementation Tracker
• Tech Talks – Decoding quantum: Navigating the quantum frontier
• Updata: Your quarterly privacy & cybersecurity update