Welcome to the March edition of Schoenherr's to the point: technology & digitalisation newsletter!
We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.
Much has happened since our last edition, and the European digital regulatory framework looks set to change significantly in the months ahead. This issue of to the point: technology & digitalisation covers the most important proposals, enforcement trends and implementation milestones from the first quarter of 2026.
Our spotlight falls on the ambitious proposal for a Digital Networks Act, a sweeping consolidation of EU telecommunications law into a single, directly applicable Regulation comprising no fewer than 210 articles – with a remarkably short six-month implementation window. We also examine the EDPB and EDPS Joint Opinion on the Digital Omnibus, which takes a firm stance against proposed changes to the very definition of personal data under the GDPR. In addition, we provide a practical guide to the e-Evidence Regulation taking effect this August, which will transform cross-border access to electronic evidence. Complementing these EU-level updates, we take a closer look at Poland's implementation of the NIS2 Directive, which will impact an estimated 30,000 organisations. On the enforcement side, recent GDPR fines in Poland – totalling well over PLN 16m – serve as a powerful reminder that compliance obligations around data processing still demand careful attention. We also preview this year's coordinated enforcement audits, with their focus on transparency obligations and, in Austria, the security of processing.
Much like an Easter egg hunt, navigating the evolving digital regulatory framework requires knowing where to look and moving quickly once you find what matters. To assist you in navigating this landscape, we have created the Digital Law Monitor. To receive it, you can subscribe to Schoenherr's Legal Insights or to the Schönherr Digitalrechtsmonitor.
We hope this edition provides you with some insightful updates. From all of us, we wish you a restful and happy Easter.
On 21 January 2026, the proposal for a Digital Networks Act (DNA), COM(2026) 16 final, was published. The DNA further harmonises the legal framework for European telecommunications law, amending the Net Neutrality Regulation (Regulation (EU) 2015/2120), the ePrivacy Directive (Directive 2002/58/EC) and the Radio Spectrum Decision (Decision No 676/2002/EC). It will also repeal the BEREC Regulation (Regulation (EU) 2018/1971), the European Electronic Communications Code (EECC, Directive (EU) 2018/1972) and the Radio Spectrum Policy Programme (RSPP, Decision No 243/2012/EU).
The EECC has already consolidated several EU legal acts in the field of telecommunications law, and the DNA continues on this path. Notably, the DNA will be adopted as a Regulation and will therefore be directly applicable in the Member States. The Commission proposal comprises 416 recitals and 210 articles. The period provided for the application of the DNA after its entry into force is only six months.
The Commission presents the DNA in its Q&A as a new legal framework aimed at boosting innovation and investment in resilient and advanced fibre, 5G and 6G networks. Its stated goal is to improve the competitiveness of the connectivity sector and to support the development of AI, quantum computing and digital services through the transition from copper to fibre cable networks, the expansion of 5G and the rollout of 6G radio spectrum networks. The DNA will also be embedded in the EU's cybersecurity framework and will contain a link to the Cybersecurity Act (Regulation (EU) 2019/881), which is to be replaced by the second Cybersecurity Act (CSA2; COM(2026) 11 final). The CSA2 Proposal was published one day before the DNA proposal.
The main actors under the DNA will be the Commission, the Body of European Regulators for Electronic Communications (BEREC), the Radio Spectrum Policy Body (RSPB), the Office for Digital Networks (ODN) and the national regulatory authorities.
Once established under the DNA, BEREC will retain its current name but will constitute a new entity, replacing the existing BEREC established under the BEREC Regulation. The ODN will replace the current Agency for Support for BEREC ("BEREC Office") and, like its predecessor, will be a body of the Union with legal personality. The RSPB will replace the Radio Spectrum Policy Group and will be established without legal personality.
The 210 articles of the DNA are divided into eight Parts, further subdivided into Titles, Chapters and Sections:
- Part I: Scope, objectives and definitions (Art 1 to 3 DNA). This Part sets out the scope of application, legal definitions and general objectives. The definitions are largely based on those in the EECC; however, new definitions have been introduced, e.g. regarding satellite communications services.
- Part II: Resilience (Art 4 to 8 DNA). This Part links the DNA to the EU's cybersecurity legislation. BEREC will be tasked with adopting a "Union Preparedness Plan for Digital Infrastructures".
- Part III: Single market authorisation and passporting (Art 9 to Art 12 DNA). This Part establishes a single passport procedure, requiring telecom providers to notify the competent authority in only one Member State of their intention to provide networks or services. The competent authorities of other affected Member States will be informed via the ODN, which will also maintain a publicly available Union database.
- Part IV: Resources (radio spectrum and numbering; Art 13 to Art 52 DNA). This Part regulates the authorisation and allocation of radio spectrum usage (Title I), the Union-level authorisation of radio spectrum usage by satellite (Title II) and the EU-wide management of numbering resources (Title III). Currently, radio spectrum and numbering resources are allocated by the competent national authorities.
- Part V: Transition to fibre, markets functioning and competition (Art 53 to Art 86 DNA). Title I of this Part addresses the transition to fibre networks and the switching off of copper networks. Titles II and III grant telecom providers the right to install facilities on public and private property for the provision of electronic communications networks or services and regulate the shared usage of physical resources. Title IV sets out competition rules. The right to install facilities, shared usage and competition are currently governed by the EECC, leaving room for variations in transposing national laws.
- Part VI: Services (Art 87 to Art 114 DNA). This Part addresses universal service obligations (Title I), safeguards open internet access (Title II) and protects end-user rights (Title III). The Net Neutrality Regulation will be renamed, as its provisions on open internet – another term for net neutrality – will be transferred into Part VI, Title II of the DNA. The universal service obligations and end-user rights rules are currently governed by the EECC and the ePrivacy Directive and require transposition into national law.
- Part VII: Governance (Art 115 to Art 180 DNA). This Part allocates competencies to national regulatory authorities (Title I), regulates the tasks and organisation of BEREC (Title II), establishes the RSPB, governs its cooperation with BEREC (Titles III and IV) and establishes the ODN (Title V).
- Part VIII: General and final provisions (Art 181 to Art 210 DNA). This Part establishes mechanisms for the provision of information, surveys and consultations (Title I), rules on harmonisation and standardisation (Title II) and out-of-court dispute resolution (Title III). It also addresses cooperation within the telecom sector (Title IV), compliance with the exercise of rights of use for radio spectrum, numbering resources and facilities installation, a right of appeal against decisions by competent authorities (Title V) and the final provisions, including entry into force and application (Title VI).
The DNA will consolidate several legal acts applicable to telecom providers. Nevertheless, the ePrivacy Directive and the Net Neutrality Regulation (under a new name) will remain partially in force, unless repealed by other legal acts such as the Digital Omnibus package (find more on the Digital Omnibus here). Moreover, the Roaming Regulation (Regulation (EU) 2022/612) and the Gigabit Infrastructure Act (GIA; Regulation (EU) 2024/1309) will not be affected (find more on the GIA here). Accordingly, EU-level telecom law remains to some extent fragmented.
On 10 February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published their Joint Opinion on the European Commission's Digital Omnibus proposal. This comprehensive legislative package proposes targeted amendments to the GDPR, the ePrivacy Directive, the Data Act and the Data Governance Act, aiming to simplify compliance and boost EU competitiveness.
The most contentious point concerns the proposed amendment to Art 4(1) GDPR. Under the proposal, information relating to a natural person would not be considered personal data for an entity that cannot identify the data subject, i.e. taking into account the "means reasonably likely to be used" by that entity. The EDPB and EDPS firmly reject this change: they argue it goes far beyond a targeted modification, contradicts CJEU case law, and would significantly narrow the scope of the fundamental right to data protection. The proposed empowerment of the Commission to determine, by way of implementing acts, when pseudonymised data no longer qualifies as personal data is also clearly rejected. The Joint Opinion therefore recommends the complete deletion of the proposed Art 41a GDPR.
The EDPB and EDPS also raise concerns regarding the proposed specific legal basis for AI model training based on legitimate interests, which they consider unnecessary. The proposed limitations to the right of access (Art 15 GDPR) and changes to automated individual decision-making (Art 22 GDPR) are likewise critically assessed.
The EDPB and EDPS positively assess, among other things, the streamlined data breach notification rules (including a single-entry point across the EEA), the harmonisation of Data Protection Impact Assessment (DPIA) requirements through EU-wide templates, the introduction of a harmonised definition of "scientific research", as well as measures to address so-called "cookie fatigue" under the ePrivacy Directive.
The Digital Omnibus is now subject to the ordinary legislative procedure. We are closely monitoring the legislative process and are ready to support you in assessing the impact on your data protection compliance and data governance. Please do not hesitate to reach out for a tailored assessment.
On 18 August 2026, the EU's new e-Evidence Regulation (Regulation (EU) 2023/1543) will be applicable across all EU Member States (except Denmark). The framework enables law enforcement authorities in one Member State to directly request electronic evidence from digital service providers in another, replacing traditional mutual legal assistance channels that previously took an average of ten months.
The Regulation introduces two key tools: the European Production Order Certificate (EPOC) to compel production of electronic evidence (subscriber data, IP addresses, traffic data and content data), and the European Preservation Order (EPOC-PR) to preserve data for 60 days pending a subsequent production request. All communication will take place through a new decentralised IT system based on ETSI standards.
The scope is broad: the Regulation applies to providers of electronic communications services, cloud services, social media platforms, online marketplaces, messaging providers and domain/IP registration services, also including providers based outside the EU, if they offer services to users within the Union.
Providers must designate an EU establishment or legal representative to receive and execute orders. Standard production requests must be complied with within ten days, emergency requests within just eight hours. Non-compliance can result in penalties of up to 2 % of the global annual turnover.
While practical challenges remain (e.g. the distinction between "offering services" in an EU Member State and merely making them accessible online), organisations should act promptly and assess whether the Regulation applies to them, designate their EU addressee, update internal workflows for the tight response deadlines, prepare for the new IT interface and train their employees.
The EU data protection authorities are gearing up for their 2026 Coordinated Enforcement Framework audits. This year, the spotlight is on transparency and information obligations under Art 12, 13 and 14 GDPR. These coordinated enforcement actions have led to administrative penalty proceedings and fines against both SMEs and large companies in recent years, having covered topics such as cloud services, the right of access and the right to erasure.
For the 2026 audit cycle, the Austrian Data Protection Authority has announced an additional focus on the security of processing under Art 32 GDPR, the documentation obligations under Art 30 and, where applicable, the data protection impact assessment under Art 35 GDPR. In practice, this means controllers must ensure that their privacy policies are current and complete, their records of processing activities accurately reflect all ongoing processing operations, their technical and organisational measures (TOM) are regularly reviewed and updated, and any required data protection impact assessment documentation is in place.
Importantly, data protection documentation must also reflect recent CJEU and Austrian case law, including the obligation to communicate specific recipients (Österreichische Post, C-154/21), the requirements for international data transfers (Schrems II, C-311/18) and documentation of legal bases (Meta Platforms, C-252/21), and must take into account rigorous standards regarding the role of the Data Protection Officer (Austrian DPA, DSB-D550.769).
A critical, comprehensive review of the entire data protection documentation (privacy policies, records of processing activities, TOMs and impact assessments) is required to ensure full accuracy and legal compliance ahead of a potential unannounced audit. Any inconsistencies identified by the authorities during an examination may trigger closer scrutiny. More details under https://www.schoenherr.eu/content/data-protection-compliance-a-call-to-action.
On 19 February 2026, the President of Poland signed an amendment to the Act on the National Cybersecurity System, implementing the EU NIS2 Directive. The new regulations will enter into force on 3 April 2026 and will apply to a wide range of entities, estimated at over 30,000 organisations.
The scope of the Act is extensive and covers numerous sectors, including industry, chemicals, pharmaceuticals, healthcare, energy, food production, waste management and ICT-related entities. By 3 May 2026, the Minister of Digital Affairs will establish a list of essential and important entities. Subsequently, those entities will be required to carry out so-called self-identification and self-registration, in accordance with a schedule that has not yet been published. Self-identification, i.e. determining whether a given entity falls within the scope of NIS2 and the Act, is the first obligation and one we recommend undertaking as soon as possible.
The Act implementing NIS2 also introduces a number of obligations for entities within its scope, including the implementation of an information security management system. This covers, in particular, the development of business continuity procedures, incident handling processes and the conduct of audits, as well as the implementation of appropriate documentation and technical measures, and the provision of staff training. Entities that, as of 3 April 2026, meet the criteria to be classified as essential or important will be required to comply with these obligations by 3 April 2027.
Penalties for non-compliance are significant: up to EUR 10m or 2 % of annual turnover for essential entities, and up to EUR 7m or 1.4 % of annual turnover for important entities. Notably, financial liability may also extend to members of the entity's management.
On 5 February 2026, the President of the Personal Data Protection Office (PUODO) issued a decision imposing a fine exceeding PLN 11m on a courier company. During the inspection, the supervisory authority identified two infringements of the GDPR.
The courier company outsourced the transport of parcels between its branches to external carriers. However, it failed to conclude data processing agreements with those carriers. As noted by the PUODO, carriers gain access to personal data contained on shipment labels, for example during loading and unloading. By transporting parcels, they act on behalf of the courier company and for its purposes, therefore qualifying as data processors. In such cases, a data processing agreement is required, and failure to conclude one constitutes a breach of the GDPR. For this infringement, the PUODO imposed a fine of PLN 6,251,000.
The second infringement concerned the lack of proper authorisation. After completing data protection training, employees received an automatically generated document from the IT system suggesting it constituted authorisation to process personal data. However, the document did not indicate the name of the authorised employee, nor did it contain the signature of a person authorised to grant such permissions. Moreover, the company failed to designate a person authorised to issue such authorisations, despite such a requirement being set out in its internal policies. For this infringement, the PUODO imposed a fine of PLN 5,209,000.
On 19 February 2026, the PUODO imposed a fine on a company operating a food delivery platform. The company required users to provide scans or photos of identity documents in cases of suspected fraud – for example, when a courier reported an attempted order theft, the use of counterfeit money, suspected transport of illegal substances, or a mismatch between payment card details and user data.
The company argued that such processing was based on its legitimate interest, namely verifying user identity in cases of suspected fraud. However, the supervisory authority found this justification insufficient. In its view, processing detailed and sensitive data such as that contained in identity documents is permissible only where explicitly authorised by law (e.g. under anti-money laundering regulations). As the platform is not an obliged entity under AML regulations, it is not entitled to collect such data. Consequently, the PUODO imposed a fine of nearly PLN 6m.
Daniela Birnbauer
Attorney at Law, Vienna, Austria