European Digital Compliance: Key Digital Regulation & Compliance Developments

To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the final quarter of 2024.

This report follows our previous updates on European digital regulation and compliance developments for 2021 (Q1, Q2, Q3 and Q4), 2022 (Q1, Q2, Q3 and Q4), 2023 (Q1, Q2, Q3 and Q4) and 2024 (Q1, Q2 and Q3).

In this issue, we report on key developments in the EU and UK, highlighting significant digital regulatory updates and consultations. The EU has introduced the Implementing Regulation for the Digital Services Act, standardizing transparency reporting, and released drafts for the AI Act's General-Purpose AI Code of Practice. Elsewhere, the Cyber Resilience Act and Digital Operational Resilience Act are set to enhance cybersecurity and ICT risk management across sectors. The UK is advancing compliance with the Online Safety Act through Ofcom's toolkit, and government consultations have been launched on ransomware payment regulations and AI copyright reforms. In Germany, the collapse of Germany's government has delayed many key digital regulatory projects, with one exception being the Interstate Treaty on Minors in Media, which will trigger new parental control requirements as of December 2025.

EU

1. DSA update: Implementing legislation passed to specify transparency reports

2. AI Act update: Initial drafts for the GPAI Code of Practice

3. Cyber Resilience Act has now been finalized and will apply from 2027

4. NIS2: Implementing legislation passed to specify cybersecurity risk management measures and incident report for digital services

5. DORA has come into effect

UK

6. Ofcom has published new resources relating to online services’ compliance with the Online Safety Act 2023

7. UK government plans to crack down on ransomware payments

8. UK government launches consultation on AI and copyright

Germany

9. The impact of the collapse of the German government and the upcoming re-election on pending digital regulatory projects

10. Draft implementation of EU’s revised financial services and green transition

11. Revised amendment to the Interstate Treaty on the Protection of Minors in the Media: New minor safety obligations for operating systems adopted

EU

1. DSA update: Implementing legislation passed to specify transparency reports

On 4 November 2024, the European Commission (“EC” or the “Commission”) published the Implementing Regulation (“IR”) for transparency reports under the Digital Services Act (“DSA”), establishing uniform reporting templates and periods which providers will have to comply with.

What’s New?

With the IR, the Commission finally provides long-awaited guidance on what it expects transparency reporting on platforms’ content moderation practices under Articles 15, 24 and 42 of the DSA to look like. We suspect, however, that providers will soon yearn for the status quo ante: Before the IR, providers enjoyed relative freedom in putting together their transparency reports, whereas the IR now introduces granular and onerous reporting parameters – and compliance will likely require a significant lift in terms of time and resources.

The IR and its annexes standardize the format, content and reporting periods under the DSA, with Annex 1 providing table-based “quantitative” and free text “qualitative” templates providers must use, and Annex 2 setting out instructions for how to complete and publish the required information. Providers should note that the templates may require data that they have not traditionally collected or tracked systematically, but that they will have to add to their reports. Specific requirements depend on the qualification of the reporting entity as provider of an intermediary service, hosting service, online platform, very large online platform (“VLOP”) or very large online search engine (“VLOSE”).

What’s Next?

Providers will have to start collecting data under the harmonized parameters as of 1 July 2025, with the first corresponding reports due in the beginning of 2026. Providers of VLOPs and VLOSEs are obliged to publish transparency reports every six months, whereas other providers are subject to a yearly reporting period ending on 31 December. To align reporting periods, Annex 2 provides for certain transitional arrangements.

Back to Top

2. AI Act update: Initial drafts for the GPAI Code of Practice

Under Article 56 of the EU Artificial Intelligence Act (“EU AI Act”), which entered into force on 1 August 2024, the European AI Office is tasked with facilitating the development of a General-Purpose AI Code of Practice (the “GPAI CoP”), which is set to be finalized by 2 May 2025.

This GPAI CoP aims to give GPAI model providers practical guidance on how to comply with their obligations under Articles 53 and 55 of the EU AI Act that apply from 2 August 2025. Until European harmonized standards for GPAI models have been adopted (which may take years), providers of GPAI models can rely on the GPAI CoP to demonstrate compliance with the corresponding obligations under the EU AI Act.

What’s New?

The first draft of the GPAI CoP was released on 14 November 2024 by the European AI Office, following the work of independent experts, nearly 1,000 stakeholders and EU Member States’ representatives, who were organized in different working groups. A second draft of the GPAI CoP, incorporating feedback in response to the first draft, was published on 19 December 2024. Specifically, the GPAI CoP contains model commitments, metrics and key performance indicators (“KPIs”) that can be used to implement the obligations for providers of GPAI models as outlined in Article 53 of the EU AI Act, such as:

• Details on the type of information that needs to go into the technical documentation, distinguishing between information for the AI Office or national authorities and for downstream providers.
• Model metrics and KPIs that indicate the provider’s fulfillment of its obligation to draw up and implement a policy to comply with EU copyright law, including specific measures aiming to ensure that the procurement and use of content for model training does not infringe upon third-party copyrights.

For providers of GPAI models with systemic risk who are subject to further obligations in Article 55 of the EU AI Act, the respective guidance in the draft GPAI CoP includes:

• Considerations on how to identify systemic risks, including presumptive examples of such systemic risks, and a description of potential sources of systemic risks that should be considered in the risk analysis (e.g., certain model propensities).
• The outline of a potential “Safety and Security Framework”, which details the risk management policies that the providers commit to adhere to in order to assess and mitigate systemic risks from their GPAI models.
• Various other commitments that a provider should undertake in the areas of risk assessment and mitigation, whereby the GPAI CoP distinguishes between “technical risk mitigation” (such as cybersecurity best practices) and “governance risk mitigation” (such as serious incident reporting, whistleblowing protection and public transparency).

What’s Next?

Feedback on the second draft closed on 15 January 2025. After the discussion of such feedback in the working groups, a third draft of the GPAI CoP is expected for the week of 17 February 2025, again with the invitation to provide feedback. The final version of the GPAI CoP is expected to be published before 1 May 2025.

Back to Top

3. Cyber Resilience Act has now been finalized and will apply from 2027

Digital devices beware – the EU’s Cyber Resilience Act (“CRA”) is now law. As we reported previously, organizations manufacturing, distributing or selling products with digital elements (“PDEs”) across the EU must navigate new, unified security standards, signaling a significant overhaul of cybersecurity regulations.

What’s New?

Adopted by the Council on 20 October 2024 and published in the Official Journal of the EU as Regulation (EU) 2024/2847 on 20 November 2024, the CRA formally came into force on 10 December 2024. It harmonizes cybersecurity standards across PDEs, from household IoT devices to embedded industrial software. Manufacturers bear the brunt of CRA’s requirements as they must build security in from the design phase – conducting risk assessments, managing vulnerabilities with automated updates and keeping detailed documentation.

Organizations will have anticipated the CRA’s broad scope, and now is the time to review existing policies for compliance. While the CRA lays out common-sense cybersecurity rules, it also grants regulators the power to crack down on any misleading or incomplete information, a stricter approach compared to NIS2 or DORA.

To ease the transition, the European Commission has tasked ENISA and the Joint Research Centre with mapping key cybersecurity standards to each CRA requirement, turning complex mandates into clear, harmonized benchmarks.

What’s Next?

The CRA’s implementation will be gradual. By the end of 2025, the Commission will finalize product categories in Class I and II, and those in Annex IV. Requirements for conformity assessment bodies will begin by 11 June 2026, followed by reporting obligations for manufacturers and developers by 11 September 2026. Full enforcement of most other CRA provisions will begin by 11 December 2027, giving organizations ample time to get compliant.

Additionally, the Commission is setting up the CRA Expert Group to advise on key implementation issues. 

Back to Top

4. NIS2: Implementing legislation passed to specify cybersecurity risk management measures and incident report for digital services

We last reported in our Q3 update that the Commission published a draft Implementing Regulation (“IR”) on cybersecurity risk management measures and reporting obligations for digital businesses. This draft was set to further specify the respective requirements imposed on companies under the EU’s NIS2 Directive (Directive (EU) 2022/2555).

The IR was finalized by the Commission and adopted on 17 October 2024 – coinciding with the deadline for EU Member States to transpose NIS2 into national law and just one day before the NIS2 rules were set to take effect. In the nick of time, the following day, the Commission swiftly published the IR in the Official Journal of the EU as Regulation (EU) 2024/2690.

What’s New?

The IR underwent extensive changes following public consultation, incorporating detailed risk management requirements for incident handling, business continuity and crisis management. The IR also sets forth the general criteria that must be met for an incident to be deemed significant – thereby triggering the reporting requirements under NIS2. These criteria include:

• Direct financial loss exceeding EUR 500,000, or 5% of the relevant entity’s total annual turnover in the preceding financial year (whichever is lower);
• Exfiltration of the entity’s trade secrets;
• Incidents capable of causing death of a natural person;
• Considerable damage to the individual’s health;
• A successful, suspectedly malicious, unauthorized access to network and information systems causing severe operational disruption; or
• Recurring incidents (at least twice within six months) with the same root cause that collectively exceed the financial loss thresholds.

Additionally, any unscheduled service unavailability lasting no more than 30 minutes or affecting more than 5% of users – or over one million users, whichever is smaller – will be considered a significant incident under the IR for cloud computing services. Similar parameters apply to providers of social media services, content delivery networks, data centers, online marketplaces, managed services, managed security services or online search engines.

What’s Next?

The IR came into force on 7 November 2024, 20 days after the publication in the Official Journal. Organizations that may experience significant incidents are now subject to these regulations and should already have developed Incident Response Plans.

In conjunction with the IR, ENISA is developing technical guidance to support Member States and organizations with the implementation of the IR’s requirements. Consultation for the draft guidance closed in January, and we expect finalized guidance to be published in due course.

We continue to track the Commission’s crackdown on Member States over their NIS2 transposition, following its recent threat to fine 23 Member States for failure to implement NIS2 in accordance with the Directive’s implementation deadline.

Back to Top

5. DORA has come into effect

The EU’s Digital Operational Resilience Act (“DORA”) became applicable on 17 January 2025. The increased reliance by financial institutions on ICT hardware, software, cloud and digital solutions highlighted vulnerabilities to the EU, necessitating measures to ensure digital operational resilience. Enter DORA.

While financial institutions have previously had to comply with EU cybersecurity requirements, DORA raises the bar by introducing even more prescriptive management liability and additional ICT risk management and contracting elements for firms to consider (see our client alert on understanding DORA for financial institutions). This has caused a downstream effect, with ICT service providers facing contract remediation and confusion regarding their classification under DORA (see our client alert for service providers for some myth busting).

What’s New?

The European Supervisory Authorities (the European Banking Authority (“EBA”), the European Insurance and Occupational Pension Authority (“EIOPA”) and the European Securities & Markets Authority (“ESMA”); together, the “ESAs”) recently published a report following a “dry run exercise” that involved over 1,000 financial institutions. These institutions participated by submitting data for the registers of information on a “best efforts” basis. Under DORA, these registers must include details of all contractual arrangements with ICT service providers, available at the entity, sub-consolidated and consolidated levels. The results revealed that only 6.5% of the registers analyzed passed all data quality checks, while 50% of the remaining registers marginally missed the mark. The ESAs concluded that they are confident of having sufficient-quality registers by 2025. However, financial institutions should be aware that accurate registers will be the ESAs’ top enforcement priority for this year.

DORA is supported by an extensive framework of implementing and regulatory technical standards, which has been in development since January 2024. However, the EC has yet to finalize the entire framework. It was only in December 2024 that the implementing technical standards (“ITS”) to establish the standard templates for the register of information came into force. Financial institutions should already be in the process of classifying and reporting all contractual arrangements with ICT service providers.

On the other hand, ICT service providers within the scope of DORA will be contending with DORA addendums and FAQs and proactively preparing internal processes to address requests from financial institutions.

What’s Next?

DORA’s rollout has been frustrating for both financial institutions and ICT service providers. The EC recently rejected the ESAs’ drafted Delegated Regulation regarding the regulatory technical standards (“RTS”) on subcontracting ICT services “supporting critical or important functions” – just five days after DORA entered into force. The ESAs will need to revise and submit an amended draft RTS by the end of February.

The EC has also not yet responded to the ESAs’ draft RTS relating to threat-led penetration testing.

Additionally, the ESAs expect financial institutions to make their registers of information available to competent authorities early in 2025, as these authorities will need to report the registers to the ESAs by 30 April 2025. ICT service providers likely to be deemed as “critical” providers can expect the first designations by the ESAs in the second half of 2025.

Back to Top

UK

6. Ofcom has published new resources relating to online services’ compliance with the Online Safety Act 2023

The UK’s communications regulator, Ofcom, has launched a digital toolkit to help organizations comply with the Online Safety Act 2023 (“OSA”). Ofcom continues to release guidance and engage in consultations concerning the far-reaching OSA – a topic we have covered in our previous updates (see Q1, Q2 and Q3 2024).

How Does the Toolkit Help Providers?

Available for both user-to-user services and search services, the toolkit comprises an interactive tool and an illegal content duties record-keeping template.

Any provider subject to the OSA can use the toolkit to complete the mandatory illegal harm risk assessment.

The toolkit follows Ofcom’s risk assessment guidance and is structured as follows:

1. Identifying Risk Factors: By answering a questionnaire reflecting the structure of Ofcom’s recommended risk assessment format, services will be able to download an itemized list of their risk factors for the assessment.
2. Assessing the Illegal Harms: This list can then be used alongside the tool to assess the risk level of each of the 17 illegal harms. The tool has broken down the Risk Assessment Guidance and the corresponding Register of Risks to guide providers when conducting an assessment.
3. Recommending Safety Measures: In another questionnaire, providers can fill in their assigned risk level for each kind of illegal harm and provide details of other characteristics of their service. Based on the provider’s answers, the tool will present the corresponding recommended safety measures taken from the illegal content Codes of Practice.
4. Report, Review and Update: The tool provides a walk-through on how to succeed in ongoing compliance.

Also, throughout all the steps, Ofcom has set out checklists at the end of each section explaining how to maintain necessary records. Providers can also fill out the record-keeping template to ensure that steps 1-4 are appropriately recorded.

What Else Is New?

Previously, Ofcom released the complementing Illegal Harms statement and Illegal Content Risk Assessment guidance in December 2024 as part of Phase 1. This was followed in Phase 2 by the publication in January 2025 of Ofcom’s final age assurance guidance for publishers of pornographic content and separate statement on Children’s Access Assessments.

What’s Next?

Providers have to conduct their risk assessment of illegal harms by 16 March 2025. Ofcom anticipates that its Illegal Harms Codes of Practice will pass through Parliament and become enforceable around March 2025.

Ofcom has a full slate of guidance and consultations planned for 2025. While the Children’s Risk Assessment guidance and draft Codes of Practice are expected in April 2025, the deadline for compliance with the not-yet-published codes is estimated to be July 2025. Ofcom also intends to publish the register of categorized services in July 2025.

Ofcom is prioritizing rapid guidance over the coming year to help organizations manage the extensive OSA provisions and aims to produce a similar toolkit to help with Children’s Risk Assessments.

While organizations may face an overwhelming volume of guidance, Ofcom is seeking further provider feedback. It is launching consultations on guidance to protect women and girls in February 2025, followed by discussions on additional measures for Codes of Practice from April through June 2025.

Back to Top

7. UK government plans to crack down on ransomware payments

In its recent consultation, the UK government proposed potential legislative changes to regulate ransomware payments. These proposals are not only aimed at increasing the government’s understanding and intelligence around threat actors, but also at deterring any malicious actors from targeting critical UK infrastructure.

What’s New?

The consultation covers the following three legislative proposals:

1. Targeted ban on ransomware payments applying to all: (i) UK public sector bodies (e.g., the UK National Health Service); and (ii) owners and operators of UK Critical National Infrastructure (“CNI”) that are regulated or that have competent authorities. This would therefore catch critical entities within the 13 national sectors, such as communications, energy, chemicals, finance, food and health. Going one step further, in its consultation questionnaire, the government also showed signs of considering whether this ban should be extended to entities further down the CNI supply chain.

1. Reporting requirement for any intention to make a ransom payment from the UK – This covers all types of businesses, not just those within the CNI or public sector. By requiring organizations to report before making the payment, the government hopes that it can support and discuss non-payment resolution options with organizations and also assess if a block is required for the potential payment (e.g., due to sanctions or terrorism finance regulations). The government has not yet clarified which authority would be responsible for this reporting requirement and is also weighing up whether: (i) any criminal or civil penalties should be imposed for non-compliance with this requirement (especially if payment is made despite it being blocked); and (ii) any threshold for reporting should apply (e.g., based on organization size or ransom amount).
2. Notification requirements for suspected ransomware attacks, regardless of any intention to pay ransom. This means submitting an initial report within 72 hours and a full report within 28 days. However, the government has not yet specified the time from which the clock would start ticking and is still exploring if this requirement should be economy-wide or subject to a threshold. The government also acknowledged existing reporting regimes and noted that it will try to ensure that UK organizations are only required to report each ransomware incident once.

What’s Next?

Organizations have until 8 April 2025 to respond to the consultation, but the timing of any resulting legislation is still undetermined. In the meantime, organizations can prepare for potential regulatory changes by assessing their current ransomware reporting practices under existing regimes (e.g., the UK GDPR and the UK NIS Regulation) and conducting a high-level gap analysis against the government’s proposals.

Back to Top

8. UK government launches consultation on AI and copyright

The UK government has stressed that the technology and creative sector are fundamental to the UK economy. However, reform is needed to unlock growth and innovation and greater protect human creativity.

In order to address this need for reform, the government has launched a wide-ranging consultation on AI and copyright as it seeks to reform the law to address some of the complex and contentious issues found at the intersection of technology and creativity.

What’s New?

The consultation sets out four options:

1. Option “0”: Do nothing

Copyright and other related laws would remain unchanged.

2. Option “1”: Require licensing in all cases

Under this option, AI models could only be trained on copyright works in the UK where there is an express licence to do so. Firms providing such services in the UK could not get around this requirement by training AI models in other countries. The consultation points out that this option would make the UK uncompetitive and unappealing when compared to other jurisdictions.

3. Option “2”: Offer a broad data mining exception

This option would cover anyone undertaking text or data mining for a commercial purpose. There would be few or no restrictions, and rights holders’ permission would not be required.

The previous government proposed this approach in 2022. It was met with opposition and ultimately taken off the table. The current government has stated that this approach would be difficult to reconcile with international law and would not meet the needs of the rights holders.

4. Option “3”: Offer a data mining exception allowing rights holders to reserve their rights and transparency measures

This option would cover anyone conducting text or data mining for any purpose, including commercial, provided that the user has lawful access to the relevant works and the rights holder has not reserved their rights (in these circumstances, an express licence would still be required). Measures on transparency would be introduced to ensure that developers are transparent about the works that AI models are trained on.

Option 3 is the approach that the government believes would best balance the needs of the rights holders and AI developers. It is noted that further work would be required to ensure that the measures around transparency and rights reservation are effective.

What’s Next?

Interested parties have until 25 February 2025 to respond to the consultation’s questions. The responses provided will be evaluated, and the information received will help design any future policy changes in this area.

Back to Top

Germany

9. The impact of the collapse of the German government and the upcoming re-election on pending digital regulatory projects

The recent collapse of Germany’s government and the upcoming re-elections on 23 February 2025 introduce significant uncertainty regarding the future of digital regulatory initiatives that had been on the government’s agenda. For most affected initiatives, this already led to significant delays, and the ones that do not make the cut prior to re-elections are at risk of being abandoned altogether – depending on the composition and priorities of the next government.

What’s New?

On 6 November 2024, the German Federal Government collapsed, triggering re-elections that are coming up in February. In accordance with the principle of discontinuity, all legislative proposals that have not been finalized before that date expire and must be reintroduced in the next legislative period under the newly formed government – if that government wants to pursue them further. This effectively means that the legislative process must begin anew, delaying and/or altering the scope of pending initiatives. This development could have a direct impact on several key digital regulatory measures, including:

• The NIS2 Implementation Act, which is intended to transpose the EU NIS2 Directive into national law. This initiative is already severely delayed as it was originally anticipated to take effect in March 2025 – almost half a year after expiry of the implementation deadline. It is currently unlikely that there will be any movement in this matter prior to re-elections. This would move a final adoption well into the second half of the year, even if a newly formed government was to pick this back up quickly. This could trigger further escalation of the already ongoing infringement proceedings that have been initiated by the EC.
• The Digital Violence Act, a legislative proposal designed to strengthen protections against online abuse and lower legal barriers for victims of digital violence. The act seeks to provide more effective recourse against online threats, harassment and hate speech. However, as of now, only an early draft exists, which has not yet been formally submitted to the Bundestag. The collapse of the coalition raises doubts about whether this initiative will make it onto the next government’s agenda.
• A similar fate looms for the draft implementation of EU’s revised financial services and green transition, where the outgoing government also recently presented initial drafts – see below for our update on the draft implementation of EU’s revised financial services and green transition below.

What’s Next?

The enactment of those projects is now contingent upon the political composition of the next government, which may choose to modify, delay or abandon these initiatives altogether. This will depend on the composition and the priorities set by the next government.

Back to Top

10. Draft implementation of EU’s revised financial services and green transition

We reported in our Q4 2023 and Q2 2022 updates on the amendments to the Unfair Commercial Practices Directive (“UCP”) and the Consumer Rights Directive (“CRD”) as part of the EU’s Green Deal. In December 2024, the German Federal Ministry of Justice (“BMJ”) published discussion drafts to transpose those into German national law (see Drittes Gesetz zur Änderung des Gesetzes gegen den unlauteren Wettbewerb and Entwurf eines Gesetzes zur Änderung des Verbrauchervertrags- und des Versicherungsvertragsrechts). With these proposals, the BMJ additionally intends to implement the EU Directive on Distance Sales of Financial Services (see Q4 2023 and Q1 2023), which also amends the CRD.

What’s New?

UCP-related legislative proposals

The discussion draft proposes a 1:1 transposition of the EU directive. Hence, the draft introduces provisions ensuring that sellers do not mislead consumers about the environmental or social impact of their products, services or company, the durability, recyclability and reparability of products, as well as the use of sustainability labels into the German Unfair Competition Act. Amongst other things, this obliges traders to refrain from making generic and vague environmental claims (e.g., “environmentally friendly”, “eco” or “green”) when the claimed environmental performance of the product or service cannot be demonstrated or from making an environmental claim for the whole product when only one aspect is concerned.

CRD-related legislative proposals

Again, the BMJ draft stays close to the wording of the EU directive. As already reported (see Q4 2023, Q1 2023), providers will need to include an easily readable and accessible “withdrawal function” on their interface, e.g., their website or their app, during the withdrawal period. In absence of other indications in the draft and its explanation, the new withdrawal function will have to be added separately to and cannot be combined with the already existing German cancellation button.

The draft furthermore introduces pre-contractual information obligations about warranties (including software updates) for businesses. The proposed transpositions concerning consumer contracts in financial services include the right to request human intervention in automated processes under certain conditions and a 12‑month and 14-day limit to the formerly eternal withdrawal right in most cases.

What’s Next?

The BMJ drafts have to be adopted by the federal government before they can be introduced in the German federal parliament for final adoption. With elections due in February 2025, it is currently unclear when and if these next steps are going to happen. EU Member States, however, are required to incorporate the EU Directive on Distance Sales of Financial Services into their national legislation by December 2025 and the Green Deal‑related amendments by March 2026.

Back to Top

11. Revised amendment to the Interstate Treaty on the Protection of Minors in the Media: New minor safety obligations for operating systems adopted

The Sixth Amendment to the Interstate Treaty on the Protection of Minors in the Media (“JMStV”) has introduced significant changes. The proposed amendments were already outlined in our Q1 2024 update. As reported in our Q2 update, the EC issued a detailed opinion on the draft Youth Media Protection State Treaty in July 2024. The Commission found that the draft violated the country-of-origin principle of the e-Commerce Directive and conflicted with the binding youth protection rules of the DSA. As predicted in our Q3 update, the treaty was ultimately adopted with only minor modifications.

What’s New?

One of the most substantial changes introduced by the Sixth Amendment is the requirement for parental control features in operating systems. Under Sections 12 et seq. of the JMStV, providers of operating systems that are “commonly” used by children and adolescents are now required to integrate youth protection mechanisms.

These systems must include age categories of 6, 12, 16 and 18 to tailor restrictions accordingly. The parental control features should be simple for parents to activate, deactivate and adjust. Additionally, during the initial device setup, users must be sufficiently informed about the availability of these protection mechanisms.

The youth protection system will have the following effects:

• Online search engines can only be used with a secure search function enabled. Unfiltered search options may be manually unlocked.
• App installations will be restricted based on age ratings, ensuring that apps can only be installed if their rating aligns with the permissions set in the operating system.
• App usage will also be regulated, allowing access only when the app’s age rating matches the system’s permissions. However, individual app approvals will be possible.
• Blocking options will be provided, allowing users to completely restrict access to browsers and specific apps.

In addition to these measures, data protection regulations have been tightened. When parental controls are active, app and operating system providers may only use collected data to fulfill their own legal obligations and are prohibited from processing it for any other purposes.

What’s Next?

The changes are set to come into effect on 1 December 2025. It remains uncertain whether the EC will continue to consider the JMStV as violating the e-Commerce Directive or the DSA. If so, the Commission may choose to initiate an infringement procedure against Germany before the European Court of Justice.

Back to Top

We are grateful to the following member(s) of MoFo’s European Digital Regulatory Compliance team for their contributions: Safwan Akbar and Abigail Pacey, London office trainee solicitors; and Lotta Stroehlein, Berlin office research assistant.