
EU Cybersecurity & Data Protection Update Q4-2025

Join us as we take a look at the most talked-about challenges in data protection and cybersecurity in the fourth quarter of 2025.

As it is tradition to note at the beginning of every digest: no quarter is boring, but every single one has its own, very distinct flavor.

Q4/2025 was the quarter in which the European Union (kind of) openly admitted that regulating the digital world is not a linear process and it may have overshot a bit. Laws had barely entered into force when they were already being “adjusted,” postponed, bundled into omnibus packages, or politically reframed as competitiveness measures. Thus, Q4/2025 felt less like a period of bold new legislative visions and more like a phase of repair, recalibration, and confrontation with reality.

The big story in our view, however, was something very mundane: a change of e-mail provider. If that does not sound exciting to you, dear reader, then you may be forgiven. Yet the fact that the International Criminal Court had to let go of Microsoft against the backdrop of something that can only be described as digital colonialism is more than remarkable. It is, in many ways, a watershed. A new world is emerging before our eyes. To speak with Goethe: “From this place, and from this day forth, commences a new era in the history of the world, and you can all say that you were present at its birth”. The significance of the moment cannot be overstated, yet it did not make many headlines – which is why we report on it in depth.

Last but not least, there were some rather interesting legal cases, enforcement actions, and the all too usual cybersecurity incidents.

Let’s take a closer look.

Public Initiatives & Regulatory Developments

The EU’s Digital Omnibus: Simplification - or Strategic Rollback?

On 19 November 2025, the European Commission presented what it called a “Digital Omnibus Package”. If you had to google the Latin expression, you may be forgiven – we had to.

According to the official announcement, the idea is to “simplify existing rules on Artificial Intelligence, cybersecurity, and data”, to save European businesses “time on administrative work and compliance”, and to give them “more time innovating and scaling-up”.

The package bundles amendments, postponements, and clarifications across several regulatory instruments, including the AI Act, the Data Act, and other parts of the EU’s digital rulebook. Politically, the move is framed as a response to pressure from industry and member states concerned about Europe’s competitiveness in AI and digital markets (we reported: “America innovates, Europe regulates”).

Many critics, however, see something else: a tacit acknowledgment that the EU has been regulating faster than it can put all the red tape into operation. This became particularly visible in the proposal to delay certain high-risk AI Act obligations until 2027, a move that triggered immediate backlash from civil society and parts of the European Parliament.

The underlying tension is obvious: the EU wants to be both a global regulatory standard-setter and an innovation hub. Q4/2025 showed just how hard it is to be both at the same time.

NIS2: Germany Finally Switches the Lights On – and Enforcement Starts

After a very – very! – long delay, one of the most consequential developments for practitioners in cybersecurity happened quietly but most decisively: Germany’s NIS2 implementation law entered into force on 6 December 2025 (we reported on the history in our last digest).

After months of political paralysis and EU infringement pressure, the law now makes NIS2 obligations operational for thousands of entities: registration, risk management measures, governance duties, and tight incident reporting timelines. For many medium-sized companies, this marks the first time cybersecurity obligations are not merely “best practice” but explicit statutory duties – with management liability attached and, in the worst case, the authorities having the power to take a company’s cybersecurity into their own hands.

At the EU level, the dust should have settled on NIS2 transposition by now. Instead, we saw a fragmented landscape. While Germany finally cleared its legislative hurdles, several Member States are still lagging, prompting the European Commission to move from the gentle-reminder stage to formal infringement procedures. Those concerned include seemingly “small” economies such as Bulgaria and Luxembourg, but also heavyweights such as France and Spain.

Guidance & Regulatory Initiatives

DMA–GDPR: EDPB Clarifies Cross-Regulatory Compliance

Even for professionals – or professional observers like our digest – it is not always easy to understand how many of the EU legislative acts work together (for more on this, read our story on Russmedia v Inform Media).

To make at least the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR) more transparent, the European Data Protection Board (EDPB) and the European Commission launched a public consultation on joint guidelines.

While the DMA and GDPR are separate legal regimes with distinct objectives - the DMA focuses on ensuring contestable and fair digital markets and the GDPR on the protection of personal data - there are significant points of intersection. For example, the DMA’s provisions on data combination and portability, or requirements to provide alternative distribution channels or app stores, involve data processing that is subject to GDPR principles (such as lawfulness, transparency, data minimization) and legal bases.

The joint guidelines are designed to help digital gatekeepers, business users, and individuals interpret and comply with both sets of rules in a coherent way. They affirm the fundamental principle that the DMA does not displace or dilute GDPR obligations: the DMA itself does not create a separate legal basis for data processing, and any processing mandated or enabled by the DMA must still comply with GDPR requirements, including valid legal basis under Article 6 GDPR and data protection principles under Article 5 GDPR.

Key themes in the draft guidance include how to apply valid consent in contexts where the DMA authorizes certain data uses; how to align data portability and interoperability obligations under the DMA with GDPR safeguards; and how gatekeepers should respect GDPR definitions and rights (like access and erasure) when implementing DMA obligations. The guidelines also touch on operational topics such as data access requests and messaging service interoperability.

DSA–GDPR Interplay: Content Governance Meets Data Protection

Only days earlier, the EDPB had also issued Guidelines on the interplay between the Digital Services Act (DSA) and the GDPR – a very similar topic to the one discussed in our previous story.

The guidance addresses a growing practical problem: many DSA obligations imposed on online intermediaries - such as notice-and-action systems, illegal-content moderation, advertising transparency, and recommender-system governance - involve the processing of personal data. The EDPB makes clear that the DSA does not create a standalone legal basis for such processing. Wherever personal data is involved, controllers must continue to identify and document a valid GDPR legal basis and comply with core principles such as purpose limitation, data minimization, transparency, and data subject rights.

The guidelines aim to prevent the DSA from becoming a de facto erosion of GDPR safeguards. They emphasize that voluntary content detection, profiling in recommender systems, and transparency mechanisms must be designed in a proportionate and privacy-preserving way, and that safeguards for minors and non-profiling options must be genuine rather than formal. The EDPB also stresses the need for close cooperation between Digital Services Coordinators, data protection authorities, and the Commission to avoid fragmented enforcement.

UK Adequacy: Still Standing, but Fragile

On 16 October 2025, the EDPB adopted Opinion 26/2025 on the extension of the UK adequacy decision.

The original UK adequacy decisions, granted in 2021, were deliberately limited by a sunset clause expiring at the end of 2025, forcing the European Commission to reassess whether UK law continued to provide a level of protection essentially equivalent to EU standards. That reassessment coincided with the UK’s adoption of the Data (Use and Access) Act 2025, which reignited concerns about legal divergence, particularly around lawful bases for processing, automated decision-making, and the institutional role of the UK Information Commissioner.

Throughout the year, the Commission and the European Data Protection Board scrutinized these developments closely. Both ultimately concluded that the UK framework still meets the adequacy threshold, but their assessments were notably cautious. To prevent disruption, the Commission first adopted a temporary extension and then, in December 2025, formally renewed the UK adequacy decisions until 2031, subject to continued monitoring and the possibility of future review.

From a practical perspective, the renewal preserved seamless EU–UK data flows and avoided a significant compliance shock for organizations on both sides of the Channel. At the same time, the episode underscored how fragile adequacy has become as a legal construct. “Quicksand” as we called it in a previous digest.

eIDAS and Digital Identity: From Regulation to Infrastructure

We have reported often on the state of eIDAS 2.0. In Q4 2025, developments here were less about new legislation and more about the EU’s digital identity framework becoming an operational reality. For providers of identity and access management (IAM) and IDaaS, the quarter highlighted a clear shift: digital identity in Europe is moving from theory to infrastructure that organisations will soon be expected to integrate, support, and rely on.

A central focus was the ongoing rollout of the European Digital Identity Wallet for natural persons. Policy discussions in Q4 increasingly revolved around concrete use cases, such as age verification (a field we at Engity are also starting to work in), access to public services, and cross-border authentication. The wallet is conceived as a privacy-by-design solution: users selectively disclose attributes, retain control over data sharing, and avoid repeated identity checks. For IAM providers such as us, this points to a future in which state-backed identities and private IAM systems must interoperate seamlessly, rather than compete. Identity orchestration, attribute handling, and assurance-level mapping are becoming differentiators, not edge cases.
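To make “selective disclosure” concrete, here is an added example (not Engity code and not an EUDI Wallet reference implementation) of the salted-hash disclosure pattern used by SD-JWT, applied to the age-verification use case above: the issuer commits to every claim by hash, the holder hands a verifier only the disclosure for `age_over_18`, and the verifier learns nothing about name or birth date. The issuer key, issuer URL and sample claims are constructed for the example; the HMAC tag stands in for the JWS signature a real issuer would use, so that the code runs with the Python standard library alone.

```python
"""Selective disclosure of wallet attributes in the style of SD-JWT.

Added example, not Engity code and not an EUDI Wallet implementation. The HMAC
tag is a stand-in for the issuer's JWS signature (assumption made so the example
runs with the standard library only)."""
import hashlib
import hmac
import json
import secrets

# Constructed sample: what an identity issuer might load into a wallet.
SAMPLE_CLAIMS = {
    "given_name": "Erika",
    "family_name": "Mustermann",
    "birth_date": "1990-04-12",
    "age_over_18": True,
}
ISSUER_KEY = b"issuer-demo-key-not-for-production"  # assumption: shared demo key


def _encode_disclosure(salt: str, name: str, value) -> str:
    # A disclosure is the triple [salt, claim name, claim value]. Only its hash
    # goes into the credential, so an undisclosed claim stays hidden and the
    # random salt stops a verifier from guessing values by hashing candidates.
    return json.dumps([salt, name, value], separators=(",", ":"))


def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes):
    """Issuer side: returns (signed credential, disclosures kept by the holder)."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)  # fresh salt per claim
        disclosure = _encode_disclosure(salt, name, value)
        disclosures[name] = disclosure
        digests.append(_digest(disclosure))
    digests.sort()  # sorted so the digest order leaks nothing about claim order
    payload = json.dumps(
        {"iss": "https://issuer.example", "_sd_alg": "sha-256", "_sd": digests},
        separators=(",", ":"), sort_keys=True,
    )
    tag = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder side: attach only the disclosures the verifier actually needs."""
    return {"credential": credential,
            "disclosures": [disclosures[name] for name in reveal]}


def verify_presentation(presentation: dict, issuer_key: bytes) -> dict:
    """Verifier side: check the issuer tag, then accept only disclosures whose
    digest the issuer committed to. Returns the revealed claims."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        raise ValueError("credential not issued by a trusted issuer")
    committed = set(json.loads(cred["payload"])["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in committed:
            raise ValueError("disclosure was not committed to by the issuer")
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed


def age_check_demo() -> dict:
    """Age verification: the holder reveals age_over_18 and nothing else."""
    credential, disclosures = issue_credential(SAMPLE_CLAIMS, ISSUER_KEY)
    presentation = present(credential, disclosures, ["age_over_18"])
    return verify_presentation(presentation, ISSUER_KEY)


def tampered_disclosure_rejected() -> bool:
    """A holder who edits a claim value (flipping age_over_18 to True) is caught:
    the edited disclosure no longer hashes to a digest the issuer committed to."""
    credential, disclosures = issue_credential(
        {**SAMPLE_CLAIMS, "age_over_18": False}, ISSUER_KEY)
    salt, name, _ = json.loads(disclosures["age_over_18"])
    forged = present(credential, {}, [])
    forged["disclosures"] = [_encode_disclosure(salt, name, True)]
    try:
        verify_presentation(forged, ISSUER_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(age_check_demo())  # {'age_over_18': True}
    print(tampered_disclosure_rejected())  # True
```

What the verifier receives is the signed digest list plus one disclosure; the other three claims never leave the wallet, which is the data-minimisation property the paragraph describes. A production deployment would replace the HMAC with the issuer’s asymmetric signature and add holder key binding so a captured presentation cannot be replayed by someone else.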

Closely connected to this was renewed attention to the so-called “once-only” principle, particularly in cross-border scenarios. Late-2025 policy debates increasingly described once-only as the backbone of a harmonised digital administrative layer – sometimes referred to as a “28th regime” (the 27 member states of the EU “+1”). In practice, “once-only” only works if identity, authentication, and authorisation are reliable, auditable, and legally trusted. For IDaaS providers, this reinforces the role of modern IAM platforms as enablers of controlled data reuse, ensuring that access decisions remain compliant with GDPR purpose limitation, data minimisation, and accountability requirements.

Another notable development was the emergence of the European Business Wallet, which complements the personal wallet by extending eIDAS concepts to legal entities. While the wallet for natural persons focuses on personal identity attributes, the business wallet is intended to carry verifiable organisational credentials such as company registration data, mandates, or regulatory attestations. Together, these wallets reflect a reality IAM providers already know well: access decisions are rarely about individuals alone, but about individuals acting on behalf of organisations. Solutions that can securely combine personal identity, organisational context, and delegated authority will be increasingly relevant.

Taken together, Q4 2025 made clear that eIDAS is evolving into a trust layer for European digital services, intersecting with GDPR, NIS2, and broader digital sovereignty goals. The convergence of identity, cybersecurity, and data protection requirements discourages point solutions and favours platforms that are interoperable, standards-based, and designed for high-assurance environments.

For IAM and IDaaS providers, the signal from this quarter is clear: customers will increasingly look for identity solutions that are eIDAS-ready, support selective disclosure, integrate with public and private trust services, and reduce regulatory friction rather than add to it.

Cybersecurity Incidents & Threat Landscape

Oracle E-Business Suite and the Return of Supply-Chain Nightmares

Attackers these days often do not go after a single target, but cleverly attack shared infrastructure: many birds with one stone.

In late Q3 and early Q4 2025, a critical zero-day vulnerability in Oracle E-Business Suite (EBS), one of the world’s most widely deployed enterprise resource planning (ERP) platforms, was actively exploited. The vulnerability affected multiple supported versions of EBS and was remarkably dangerous because it allowed remote code execution without authentication: attackers could compromise vulnerable systems directly over the network. A nightmare.

Security researchers and threat intelligence teams reported evidence that the exploitation of the flaw had been going on for several weeks before Oracle published an emergency patch in early October 2025. The attack campaign involved data theft, followed by extortion e-mails sent to corporate executives demanding ransom to prevent publication or misuse of stolen material.

Oracle EBS is often deeply embedded in supply-chain operations, financial systems, HR, procurement, logistics, and inventory management. Compromising these systems posed a serious risk - not only to sensitive corporate data but also to core business continuity.

Our next story shows how far the fallout from an attack on core business systems can reach – even to the beer supply.

Asahi Group: Ransomware Meets Industrial Reality

Of particular interest to us – given our intellectual interest but also our personal taste – was the Asahi ransomware attack: it affected logistics and resulted, among other things, in beer shortages.

Japanese beverage giant Asahi Group Holdings, maker of the tasty beer of the same name, suffered a major ransomware attack that crippled its domestic digital systems, including order processing, shipping logistics, and customer service platforms. The disruption forced the company to suspend automated operations and revert to manual processes (like phone, fax, and handwritten orders) to maintain basic supply. Retailers, convenience stores, and restaurants across Japan reported beer and beverage shortages as a result.

The cybercrime group Qilin - a notorious ransomware-as-a-service (RaaS) operation - publicly claimed responsibility and posted sample data it said had been exfiltrated. Asahi has not confirmed details of ransom demand or precise entry vectors, but Qilin’s claim aligns with its known pattern of attacks.

The Asahi breach illustrates a critical point in cybersecurity: when ransomware hits a major manufacturer, the impact stops being an IT problem and becomes a systemic risk - affecting supply chains, consumer markets, and potentially, regulated personal data. For security architects, risk managers, and identity providers, the key lesson is that identity, access, and network segmentation are no longer optional add-ons in industrial settings - they are central to resilience.

The Nikkei Slack Breach: Collaboration Tools as the New Frontier

In November, the media giant Nikkei fell victim to a breach that did not target its own servers but its communications. By exploiting a compromised session token belonging to a third-party integration, attackers gained access to internal Slack channels. Tens of thousands of employees were affected. The exposed data reportedly included names, e-mail addresses, and internal chat histories. Such communication content is of interest not only to private competitors but also to state actors and intelligence agencies: it is a treasure trove of concentrated, aggregated information.

This type of attack follows a trend we have tracked in this digest all year: the “human-centric” approach. When your internal chat contains more secrets than your database, you do not need a zero-day exploit; you just need one tired employee.

Court Decisions & Enforcement

Croatian DPA Fines Telecom Operator 4.5 Mio Euro for Lack of SCCs

We have become so used to seeing the world through the lens of the EU-US DPF (which may or may not last forever – we reported on this issue multiple times) that we lose track of the mundane issues of day-to-day data transfers involving other countries.

As a reminder that these still exist and also have to be taken care of, the Croatian DPA issued an administrative fine of 4.5 Mio Euro to a telecom operator for the transfer of personal data to neighbouring Serbia – not an EU member – without a proper transfer mechanism. Namely, the data processing agreement with the operator’s IT service provider, which covered the transfer, lacked the Standard Contractual Clauses (SCCs) or a comparable safeguard.

Taking care of such relatively basic transfers is no witchcraft but, well, “just” craft. The lack of which can become rather expensive as we learn.

ECJ: Operators of Online Marketplaces Responsible for Data Processing in Ads

The – in legal terms – most interesting case in Q4, was Russmedia v Inform Media, heard by the European Court of Justice (ECJ). Furthermore, the case has the best storyline of all the recent verdicts we read: spicy.

Russmedia, a Romanian company, owns a digital marketplace where ads can be published by individuals and businesses – a kind of Romanian Craigslist. On that site, an ad was posted with a photo and private contact data in which a woman appeared to offer sexual services. The ad, however, was not put up by her, but most probably by a prankster. The woman concerned naturally objected, the ad was taken down, but the damage was done.

She sued Russmedia for damages with the argument that they were the controller of an unlawful processing of the data, while the company defended itself with the argument that they were only a hosting provider, thus benefiting from the eCommerce Directive safe harbour, a liability exemption.

The ECJ sided with the victim.

The Court made clear that operators of online marketplaces which publish user-generated advertisements cannot automatically hide behind the role of a neutral intermediary when personal data is processed through those ads. A marketplace operator may be a “controller” in the meaning of Article 4 (7) GDPR. This can be the case even if the data is initially provided by the advertiser, insofar as the platform decides how ads are structured, categorised, displayed, indexed or made searchable, or otherwise integrates the data into its own commercial offering. In such situations, the advertiser and the platform may be joint controllers under Article 26 GDPR, each bearing responsibility corresponding to their respective influence over the processing.

A particularly important aspect of the judgment concerns special categories of personal data. Where advertisements reveal data falling under Article 9 GDPR -such as health data or other sensitive characteristics - the platform cannot rely on an ex-post notice-and-takedown approach. If the platform’s design or business model makes the publication of such data foreseeable, it must have appropriate measures in place to prevent unlawful processing in the first place, including organisational and technical safeguards. Lawful processing in such cases requires a valid Article 9 exception, typically explicit consent, and the burden of compliance cannot be shifted entirely onto individual advertisers.

Addressing Russmedia’s main line of defence, the Court drew a clear line between GDPR obligations and the hosting liability exemptions under the E-Commerce Directive. While the latter’s exemptions may protect intermediaries from certain forms of liability for third-party content, they do not apply to the obligations under the GDPR. Where a platform plays an active role in the processing of personal data, the hosting exemption cannot be used as a shield against data-protection responsibilities.

This all is a rather complicated legal argument, but if we may offer to boil it down: if you make money with it, and it’s potentially dangerous, it’s your problem. Simple as that.

Meta to pay 550 Million Euro in Spain

While discussing subtle points of liability, we must not lose focus on the interplay between data protection and “the rest” of the body of law.

A very good reminder was to be found in November 2025, when a commercial court in Madrid ordered Meta Platforms (the owner of Facebook and Instagram) to pay compensation totalling 550 million Euro to a group of Spanish digital publishers and news agencies, on the grounds that the company had abused personal data in ways that violated EU data protection law and this way created unfair competitive advantages.

The case was brought by 87 Spanish media outlets organised under the “Asociación de Medios de Información” (AMI). The plaintiffs argued that Meta had systematically processed users’ personal data to deliver hyper-targeted behavioural advertising without valid consent over several years. During that period, Meta had justified its data processing on the basis of “necessity for the performance of a contract,” a legal basis the court found inadequate for behavioural ad profiling under EU data protection rules.

The Madrid Commercial Court concluded that this conduct gave Meta a “significant competitive advantage” in the Spanish digital advertising market because it could monetise user data more effectively than media outlets that complied with GDPR consent requirements. Under Spanish law, and certainly most other European laws, this can also be seen as an issue of unfair competition.

As a result, the court ordered Meta to pay approximately 479 million Euro in compensation to the media organisations, plus interest that brings the total to roughly 550 million Euro.

The ruling links data-protection shortcomings not only to administrative fines but to civil compensation obligations. Similar lawsuits are reportedly underway in other EU Member States, particularly France, amplifying the potential continental impact.

The decision is subject to appeal, and Meta has already said it will appeal – we will surely report further.

Digital Colonialism: The ICC had to Change its E-Mail Provider

One of the most criminally (pun intended) underreported stories of 2025 aired a new season in Q4: The weaponisation of digital infrastructure by the current US-administration to dictate governmental functions in other parts of the world. Or short: digital colonialism.

The International Criminal Court (ICC) substituted its e-mail provider – and went from Microsoft to a European Solution (“Open Desk”). That sounds simple, yet the backstory is not.

In May 2024, the ICC’s Chief Prosecutor applied for arrest warrants against senior Israeli political and military leaders in connection with alleged war crimes in Gaza. The United States is not a party to the “Rome Statute” – the basis of the ICC’s existence – and has, across administrations, taken the position that the ICC has no jurisdiction over Israeli nationals. That position is not merely rhetorical: U.S. law explicitly provides for sanctions against the ICC and its officials.

While U.S. political pressure escalated rapidly, U.S. companies were suddenly facing a compliance dilemma: whether continued service provision to people and institutions to whom sanctions apply could expose the companies themselves to (secondary) sanctions risk, enforcement action, or political retaliation.

And so, Microsoft terminated the Prosecutor’s e-mail account. Once the Prosecutor personally became the focal point of sanctions threats, Microsoft appears to have treated the continued provision of services to his account as a potential sanctions exposure.

From Microsoft’s perspective, this was likely seen as a compliance and risk-management decision, not a political statement: if an individual is credibly threatened with designation under U.S. sanctions law, continuing to provide services may later be characterised as a violation. And we at Engity understand: after all, it was Microsoft that fought a U.S. warrant for e-mails stored in Ireland all the way to the Supreme Court – and was “rewarded” with the US CLOUD Act.

From the ICC’s perspective, however, the effect was traumatic. A private U.S. company had unilaterally interrupted the official communications of an international prosecutor acting within his mandate under international law – without any judicial process binding on the Court, and without recourse to remedies within the Court’s own legal order. In effect, an essential piece of digital infrastructure was weaponised through a foreign legal system that has no jurisdiction over the institution concerned. The Prosecutor was not accused of misconduct under Dutch law, EU law, or international law; yet his ability to function was curtailed through the extraterritorial reach of U.S. law as applied by a U.S.-based service provider. That may not sound as crass as kidnapping a president, but the effect may in essence be comparable.

The episode should be seen as a highly symbolic moment in the European debate on digital sovereignty versus what can only be described as digital colonialism. A non-EU, privately owned technology company, subject to U.S. law and geopolitical pressure, was effectively able to interfere with the operational communications of an international judicial institution.

The move to a European e-mail solution is less an IT decision than a governance response, or a signal if you will. Control over digital infrastructure is inseparable from institutional independence. If e-mail, cloud storage, identity management, or collaboration tools are operated under legal regimes that allow extraterritorial access, sanctions enforcement, or political leverage, then the affected institution is no longer fully sovereign. And that is not hypothetical: it can materialise abruptly, and without meaningful remedies.

We at Engity, in our field of identity provision, help our customers use a fully European, fully privacy-compliant IAM solution. That is our contribution to this discussion.