You may have heard this before: “America innovates, China replicates, and the EU regulates.”
It’s an overused trope. But it’s also true.
Every quarter brings a new crop of laws, cases, and incidents. In Q3 of 2025, the EU’s legislative machinery was in full swing: new acts came into force, guidance documents proliferated, enforcement intensified, and courts weighed in.
Meanwhile, attackers ran their own campaigns with no regard for regulatory considerations. The lesson for companies and the private sector is obvious, and not really new: resilience is existential. While legislators push their laws into force, regulators clarify what has been adopted, and courts weigh in on transfers and pseudonymization, attackers remind everyone that new laws do not patch outdated software.
With that in mind, let’s take a look at what happened in data protection and cybersecurity in Q3 of 2025, shall we?
New Laws & Policy Milestones
EU Data Act Enters Into Force – or: Most of It
After years of drafting, negotiations, and public discussions, the EU’s Data Act has finally taken effect, with some caveats. The Data Act requires manufacturers and service providers of connected products to grant users, as well as third parties chosen by those users, access to the data generated by those products. The law also obligates cloud providers to allow switching without contractual traps and bans unfair B2B terms. For companies accustomed to treating product telemetry as proprietary information and users as captives, the law is disruptive.
The EU Commission set deadlines for certain design and contractual obligations in 2026 and 2027, but most of the regulation took effect in September.
As is often the case, the new legislation will generate work for compliance officers, consultants, lawyers, and explainers. Contracts will need to be renegotiated and rewritten. Legal disputes may arise over what constitutes “data generated by use,” and consultants will be asked to explain “interoperability.”
The age of data hoarding may officially be over, but the age of litigation over the details of the act has only begun.
AI Act Obligations for General-Purpose AI Come Into Effect
Similar to the Data Act, the EU’s AI Act is also implemented in phases. The EU frequently uses this technique, and it makes sense in many ways: Urgent aspects of the law can be prioritized, and smaller players can be given more time to adapt.
The first phase of the AI Act has begun, and the first wave of obligations now applies to providers of general-purpose AI systems - namely, the large language models (LLMs) and foundation models that power countless downstream applications.
Providers must publish summaries of training data, document copyright compliance, and assess systemic risks for very large models. This reaches well beyond Europe: U.S. and Asian providers offering services in the EU are also affected. The knock-on effects for integrators and corporate users are immediate, ranging from due diligence questionnaires to licensing terms.
Of course, critics do not tire of accusing the EU of trying to regulate AI, even though the EU does not have its own AI projects. And there is truth to that. On the other hand, AI does pose risks, some of which may be existential. At least the EU is taking action and has placed its regulatory flag directly into the foundation of the AI stack.
Apple and Meta (may) Breach the Digital Markets Act – an Act in Flux
The Digital Markets Act (DMA) is still new, yet the EU Commission has already concluded that Apple and Meta violated it less than a year after it took effect.
In Apple’s case, the Commission took issue with the company’s strict distribution terms. Apple tightly controls its ecosystem and does whatever it can to prevent users from downloading apps, and developers from offering them, outside its store.
The case of Meta is even more interesting. Meta required users to either consent to data processing or pay to use the company’s services (Facebook, etc.). The Commission found this “binary model” lacking.
Regardless of the outcome, it’s notable that these investigations are happening at the same time that the commission launched a public consultation on the first DMA review. The consultation asked whether the law really boosts “contestability” and fairness. The answer depends on your perspective: Some think the DMA is still “not enough,” while gatekeepers in the digital economy say it is “too much.” Users mostly do not seem to care very much.
The pace of legislation is accelerating to such an extent that new laws barely come into force before they are revised, while the first enforcement cases are still ongoing.
In a similar vein, reports have emerged of companies discussing possible settlements with the Commission regarding the aforementioned DMA noncompliance findings. If successful, this could set a new paradigm in regulatory thinking because settlements are quicker than years of litigation.
Apple Explains its DMA Changes
Apple, of course, has its own views on these issues and has promoted them on various platforms, including talks, lobbying activities, and, quite simply, on its website.
Reading through Apple’s talking points, one cannot help but get the impression of blame shifting. Apple explains at length why it believes it is difficult to offer certain features of its devices and operating systems to EU customers (e.g., live translation or remembering preferred routes).
While the author of this digest mostly agrees with those who believe the EU is regulating too much and too early, it is hard not to see this, to some extent, as corporate blackmail. It does not reflect well on one of the world’s largest companies, especially since the DMA has been in place for a while.
NIS2 Implementation Heats Up – Even Germany Has a National Law Now
Few laws have been discussed as extensively as the EU’s NIS2 Directive. It is surely a necessary instrument to boost digital resilience in both the public and private sectors. In this digest, we discuss data breaches and a lack of awareness en masse.
What is often overlooked: the NIS2 Directive has to be transposed into national law. The October deadline for Member States to do exactly that looms large. Finally, Germany’s cabinet approved the “NIS2UmsuCG” draft (if this does not sound German, nothing does!) on 30 July. France’s “Resilience” bill moved forward in September, and other Member States remain behind.
NIS2 expands the scope of entities that must adopt cybersecurity risk management and reporting. For many medium-sized firms, this will be the first time they are explicitly regulated on their cyber activities.
The Commission is unlikely to show mercy for late transposition: by mid-October, the scoreboard will show who made the cut. Some countries were quick and have issued their laws already; others may stumble. Should it take too long, courts may declare the directive to be directly applicable, a technique that has been used before to avoid a legislative vacuum when countries do not act quickly enough.
While countries still struggle, ENISA, the European Union Agency for Cybersecurity, has already issued guidelines for the technical implementation of NIS2 (and has already updated them twice).
The EU Cybersecurity Reserve Becomes… a Thing
The Cyber Solidarity Act is one of the less discussed EU attempts to regulate the digital domain. Yet, it is one of the more interesting attempts.
The act establishes an “EU Cybersecurity Reserve.” Think of this as a pool of pre-contracted incident response services from “trusted” managed security service providers that member states and EU institutions can call in during significant or large-scale cyber incidents. It’s basically an escalation mechanism on retainer in case national efforts are no longer sufficient.
The reserve is managed by the European Union Agency for Cybersecurity (ENISA), which launched the project in September. It received 36 million euros. It remains to be seen whether this modest effort will be sufficient - fighting one (!) ransomware campaign may cost far more.
Cyber Resilience Act: Standards Work Begins
As we review the latest EU legislative work, let’s also examine the status of the Cyber Resilience Act (CRA). The CRA obliges manufacturers of connected products and software to adhere to essential cybersecurity requirements. This is obviously a good idea, as it prevents manufacturers from engaging in a “race to the bottom” just to save a few cents in production costs.
However, this idea must be made practical. To this end, the Commission sent a standardization request to the European standardization agencies CEN, CENELEC, and ETSI over the summer, and they accepted it. The Commission hopes to adopt an implementing act defining categories of products in scope by December 2025.
Vendors now face a choice: adapt early to the CRA, or scramble later. The timeline is tight, and the standards bodies are under pressure to produce blueprints that the industry can follow.
Public Initiatives & Guidance
EDPB Clarifies DSA and GDPR Interplay
Often, even specialists are unclear about which EU acts regulate what and how they work together.
In September, the European Data Protection Board adopted guidelines on how the Digital Services Act (DSA) interacts with the General Data Protection Regulation (GDPR). For so-called “very large platforms,” the DSA’s transparency obligations may trigger data protection impact assessments and change how they handle access to data. The GDPR regulates the latter.
The guidelines are still under consultation, but they illustrate the EU’s layered approach of legislating broadly and then adding interpretive documents to stitch the pieces together.
For companies, this means that compliance is not a one-time event, but rather an ever-changing process. For this reason, more clarifications like these might be helpful.
DSA Guidance on Minors’ Protection Finalized
The EU Commission published the final guidance under the Digital Services Act regarding how platforms should protect minors. Topics include age-appropriate design, advertising restrictions, and new reporting duties.
Several Member States are already piloting age verification apps based on the EU eID Wallet, as we have reported in previous digests. This is where two significant projects - child protection and digital identity - converge, accompanied by the expected political sensitivity. Of course, platforms face the practical challenge of proving compliance without excluding half of their teenage user base.
Enforcement & Court Decisions
Data Privacy Framework Survives its First Legal Challenge
This digest monitors all developments concerning the EU-US Data Privacy Framework. We believe it is a convenient data transfer tool that facilitates data flows between the two trade blocs. However, it is also hypocritical because it deems certain countries adequate when they are not, thereby exposing the personal data of EU citizens to US intelligence authorities.
One of the earliest legal challenges to the DPF was led by French MP Philippe Latombe. He asked the General Court of the European Union to annul the DPF.
On September 3, the court dismissed the challenge. The court held that, at the time of adoption, the safeguards provided by the US met the required adequacy standard.
For companies relying on the DPF, this means continuity. However, the court also emphasized that the Commission must continue to monitor the situation. As we pointed out in a recent Engity article, the DPF may have been a good idea at one time. However, the safeguards necessary to ensure that U.S. privacy standards are equivalent to those in the EU have been systematically undermined by the Trump administration. This means that, while the court may be right in retrospect, a new decision considering today’s state of affairs may yield a different result.
In other words, the DPF is still relevant. But not immortal.
European Court of Justice Rules on Pseudonymisation – and it’s Thrilling
In September, the European Court of Justice (ECJ) issued a ruling that, in our opinion, could have significant consequences, but has not received much attention.
The setup of the case sounds unexciting. The European Data Protection Supervisor (EDPS) claimed that the EU Single Resolution Board’s handling of comments on bankruptcy data violated the GDPR.
One question in the case was of particular interest: if the data in question are properly pseudonymized, do they “count” as personal data from the subjective point of view of a controller who cannot de-pseudonymize the data themselves?
The court clarified that such pseudonymized data may count as non-personal if the recipient cannot reasonably reidentify the individuals concerned. This matters greatly for data sharing, especially in research and financial services. It provides legal certainty in that not every dataset sprinkled with hashes automatically triggers full GDPR compliance.
The Court stressed the “reasonably likely” test, so context matters. Companies will still need to carefully assess re-identification risks. The decisive point, however, is that the ECJ provides a clear incentive to develop more effective privacy-enhancing technologies in the EU. Consider: if pseudonymized data are always “personal data” and must be treated under the strictest GDPR rules, then what is the point of pseudonymizing? If, however, good pseudonymization paves the way for better use of “personal” data, both data subjects and the economy benefit.
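As an added illustration of the “reasonably likely” test (example code written for this digest, not from the Court, the EDPS or the SRB), the block below contrasts unkeyed hashing with keyed pseudonymization of a constructed 4-digit customer-number space and measures how much a recipient without the controller’s key can map back. The identifier format, the 5% policy threshold and the sample records are assumptions.

```python
"""Pseudonymisation and the 'reasonably likely' re-identification test.

Two ways to pseudonymise a low-entropy identifier (a constructed 4-digit
customer number) and a recipient-side check: given the pseudonyms and
knowledge of the candidate identifier space, how many records can the
recipient map back without the controller's key?
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable

# Constructed identifier space: 4-digit customer numbers (assumption for the demo).
CANDIDATE_IDS = [f"{n:04d}" for n in range(10_000)]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and computable by anyone, so a recipient
    who knows the identifier format can rebuild the whole lookup table."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that stays with the controller.
    Without the key, the recipient cannot enumerate the candidates."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def recipient_reidentify(pseudonyms: Iterable[str], candidates: Iterable[str],
                         recipient_fn: Callable[[str], str]) -> dict:
    """Simulate the recipient: apply the function it can compute to every
    candidate id and match against the pseudonyms received.
    Returns {pseudonym: identifier} for every successful match."""
    table = {recipient_fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def reidentification_rate(pseudonyms: list, candidates: Iterable[str],
                          recipient_fn: Callable[[str], str]) -> float:
    hits = recipient_reidentify(pseudonyms, candidates, recipient_fn)
    return len(hits) / len(pseudonyms) if pseudonyms else 0.0


def assess(pseudonyms: list, candidates: Iterable[str],
           recipient_fn: Callable[[str], str], threshold: float = 0.05) -> dict:
    """Risk verdict: above `threshold` (an assumed policy value) the dataset
    should be treated as personal data in the recipient's hands."""
    rate = reidentification_rate(pseudonyms, candidates, recipient_fn)
    return {"rate": rate, "personal_for_recipient": rate > threshold}


if __name__ == "__main__":
    records = ["0042", "7781", "1234"]          # constructed sample
    key = secrets.token_bytes(32)               # the controller keeps this
    shared_naive = [naive_pseudonym(r) for r in records]
    shared_keyed = [keyed_pseudonym(r, key) for r in records]
    # The recipient knows the id format but not the key, so unkeyed hashing
    # is the best it can try against either dataset.
    print(assess(shared_naive, CANDIDATE_IDS, naive_pseudonym))
    print(assess(shared_keyed, CANDIDATE_IDS, naive_pseudonym))
```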
Meta and TikTok Challenge the EU Supervisory Fee – Successfully
Both Meta and TikTok have successfully challenged parts of the EU’s social media supervision regime in court.
The General Court overturned the Commission’s calculation of the supervisory fees imposed under the Digital Services Act (DSA). The idea is that social media companies must support EU supervision efforts (“the polluter pays”). While this principle is sound, the methodology used by the EU Commission to calculate the fees was not.
Although the companies did not get their money back, the ruling forces Brussels to re-evaluate its funding of supervision.
Although this may seem like a minor procedural victory, it shows that the EU Commission does not always make the right decisions and that challenging laws, regimes, and decisions can be worthwhile. Given social media’s litigious nature, the coming years promise to be entertaining for outside observers.
As long as they are lawyers, that is.
Consent is Key: CNIL Issues Major Fines for Google and Shein
CNIL, the French data protection watchdog, issued a €325 million fine to Google for unlawful advertising. Google displayed advertisements among emails in its popular Gmail service without obtaining proper consent.
The same agency also fined Shein €150 million for setting cookies without consent. Again, without consent.
While the cases are different, they both demonstrate the importance of consent under the GDPR. They also demonstrate that DPAs are unimpressed by global brands’ claims of complexity and business considerations.
CNIL was upset because both companies had already been sanctioned on previous occasions, apparently to no avail.
The decisions only considered users in France. Other European data protection authorities may issue similar fines.
Spain’s AEPD Adds National Flavour to GDPR Enforcement
The Spanish data protection authority AEPD also issued fines in two cases.
One case was brought against the state-owned company SAREB for failing to implement adequate technical and organizational measures to ensure proper data protection, as well as for failing to inform affected employees of a data breach.
The other case concerned Informa, a private company, for processing data without a legal basis or informing the data subjects.
These cases may seem mundane, and the fines are relatively small (€180,000 and €1.8 million, respectively). However, these cases send a clear message that national DPAs are active and do not wait for the “big four” (like CNIL in our previous case) to take the lead. GDPR enforcement is decentralized, even if headlines often suggest otherwise.
Major Cybersecurity Incidents & Threat Landscape
Salesforce Supply-Chain Attacks Still Bear Dark Fruit
This quarter saw another attack on Salesforce’s supply chain. Attackers exploited OAuth integrations with third-party tools. By compromising authentication tokens, they accessed CRM data, and they did so at scale.
This is problematic because the Salesforce system is used everywhere. Victims included Air France-KLM and multiple global brands. Meanwhile, multiple extortion attempts were reported.
This incident highlights the vulnerability of Software as a Service (SaaS) ecosystems. Integrations designed to enhance efficiency can inadvertently increase the attack surface beyond the control of security teams. Those with more experience may also remember the Kaseya hack, which followed a similar pattern.
As an identity provider, we at Engity look with professional eyes at the sad state of authentication in the affected systems and at how easily tokens were abused. Please allow us one commercial break: if your organization needs assistance, we are open for business.
Jaguar Land Rover Incident Disrupts Production
British carmaker Jaguar Land Rover (JLR) faced a severe cyberattack that disrupted vehicle production for six weeks. While Jaguar, after undergoing some controversial rebranding, was not producing much anyway, Land Rover production was actually halted. The attack impacted not only IT systems, but also supply chains and logistics. It took JLR six weeks to restart production in the affected factories.
The incident affected not only JLR, but also its suppliers, some of whom struggled financially and operationally. Given that the pandemic is still fresh in our memory, we are all aware of the fragility of supply chains. However, the JLR incident shows that cyber risks quickly translate into operational and financial pain down the supply chain, particularly in sectors with just-in-time production. A chain is only as strong as its weakest link.
The “story behind the story” is that JLR may not have been insured against cyber incidents because an insurance deal did not come to fruition.
Airports Probed
Airports, and the disruptions they cause, have been in the public spotlight for some time. News reports have focused mainly on drones, speculating about their origin and purpose.
Meanwhile, airports have also been, and continue to be, routinely attacked in the cyber domain. In the last quarter, Berlin, London, and Brussels were targeted, with the main attack vector being the check-in systems. The result was flight cancellations and severe delays in baggage handling. In the case of BER (the Berlin airport), operations could not be fully restored for weeks. This gave travelers the opportunity to enjoy the gastronomic marvels of BER, which the author of this digest knows rather intimately and hates with feverish passion.
The nature of the attacks suggests that the goal was not to endanger the operation of security-relevant systems (e.g., flight control), but rather to create a situation of digital harassment.
It’s difficult not to see a connection to the larger political situation, and many fingers point toward the Kremlin.
Monthly Breach Tallies Still Rise – and We All Show Fatigue
Too much pain does not raise awareness; it just makes you numb. The same may be true for data breaches. As the numbers (and severity!) rise, we may pay less and less attention to them and accept them as “another fact of life.”
In this digest, we can only report a few headlines, such as “Supply chain attacks intensify” (as we reported last quarter), “Ransomware is still on the rise,” and “Nobody is safe.” We will spare you the detailed numbers for Q3, suffice it to say, they are up. Again.
In a sense, the problem isn’t the lack of data, but the abundance of incidents: saturation leads to numbness. Breach count metrics increasingly measure only public exhaustion.
This is problematic because many of the reported issues could easily be prevented with proper system configuration and maintenance. As an IdP provider, we cannot help but notice the abundance of incidents concerning:
Reuse of authentication tokens and overly permissive integration with third-party systems (one source of the Salesforce attack we reported on above).
Credential theft by malware (unpatched systems often provide an entry point here).
Weak or nonexistent third-party control and vendor management, which opens well-maintained systems to sloppily run third-party IT.
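To make the first and third of these items concrete, here is an added example (written for this digest, not Engity’s product code or any incident report) of a defender-side audit of third-party OAuth grants that flags broad scopes, stale tokens, tokens used from many source addresses, and unapproved vendors. The record layout, scope names, thresholds and sample grants are constructed.

```python
"""Audit of third-party OAuth integration grants: a defender-side check for
token reuse, overly permissive integrations and weak vendor control.
Record fields and scope names are constructed for the demo, not any
vendor's real API or scope catalogue."""
from datetime import datetime, timedelta, timezone

# Assumed: scope names that grant broad or long-lived access in the demo tenant.
BROAD_SCOPES = {"full", "admin", "offline_access"}


def audit_grant(grant: dict, approved_apps: set, now: datetime,
                max_age_days: int = 90, max_source_ips: int = 3) -> list:
    """Return a list of finding codes for one grant (empty list = clean)."""
    findings = []
    if grant["app"] not in approved_apps:          # vendor management gap
        findings.append("UNAPPROVED_VENDOR")
    broad = BROAD_SCOPES & set(grant["scopes"])    # overly permissive integration
    if broad:
        findings.append("BROAD_SCOPE:" + ",".join(sorted(broad)))
    age = now - grant["issued_at"]                 # token never rotated
    if age > timedelta(days=max_age_days):
        findings.append(f"STALE_TOKEN:{age.days}d")
    distinct_ips = len(set(grant["source_ips"]))   # same token used from many places
    if distinct_ips > max_source_ips:
        findings.append(f"TOKEN_REUSE:{distinct_ips}_ips")
    return findings


def audit_grants(grants, approved_apps, now, **limits) -> dict:
    """Map each grant id to its findings, keeping only grants with findings."""
    report = {}
    for g in grants:
        f = audit_grant(g, approved_apps, now, **limits)
        if f:
            report[g["id"]] = f
    return report


# Constructed sample grants (not real tenants, apps, tokens or addresses).
NOW = datetime(2025, 9, 30, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    {"id": "g1", "app": "crm-sync-vendor", "scopes": ["read_contacts"],
     "issued_at": NOW - timedelta(days=10), "source_ips": ["203.0.113.10"]},
    {"id": "g2", "app": "chatbot-plugin", "scopes": ["full", "offline_access"],
     "issued_at": NOW - timedelta(days=400),
     "source_ips": ["198.51.100.5", "198.51.100.6", "192.0.2.77", "192.0.2.78"]},
    {"id": "g3", "app": "analytics-vendor", "scopes": ["read_reports"],
     "issued_at": NOW - timedelta(days=120), "source_ips": ["203.0.113.20"]},
]
APPROVED = {"crm-sync-vendor", "analytics-vendor"}

if __name__ == "__main__":
    for gid, findings in audit_grants(SAMPLE_GRANTS, APPROVED, NOW).items():
        print(gid, findings)
```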
Outlook: What to Look Out For in Q4
We did not start this digest with our (usual) assessment that the previous quarter was exciting. But we will close this time with an outlook on things to come: good preparation may prove to be better than good hindsight.
There will certainly be early implementation struggles under the Data Act, particularly around connected product data. It will be very instructive to see
First supervisory steps under the AI Act will happen as model providers start filing their transparency documents.
Potential DMA settlements with Apple and Meta may blossom, or more infringement cases if talks collapse.
NIS2 transposition deadlines expire, with infringement proceedings waiting for those who miss them. If you have not done your homework yet, it is high time.
Cyber Resilience Act implementing act due by December, defining scope categories.
Appeals and follow-on litigation in the Data Privacy Framework and pseudonymisation cases.