As we ring in the new year, we want to make you aware of key issues that we expect lawmakers and regulators to focus on in the months ahead.

Below are the top European digital regulatory issues to watch out for in 2026:

1. European lawmakers will debate the relaxation of existing digital regulations. In November 2025, the European Commission (EC) published proposals to simplify the EU’s legal framework for data processing and AI, kickstarting a legislative process that will extend into—and possibly beyond—2026.
   
   These proposals will be iterated on over the coming months, including in the following areas:
   1. Reforms to the General Data Protection Regulation (GDPR). The EC proposes to recognize the development and operation of AI systems as a “legitimate interest” under the GDPR, and to introduce a new legal basis for the processing of special category data for AI model training. More broadly, the proposals would reduce the compliance burden for companies by, for example, relaxing the threshold at which a data breach becomes reportable and broadening the situations in which data could be considered “anonymous.”
   2. Delaying certain aspects of the AI Act. The EC proposes to delay the application of the AI Act’s rules for high-risk AI systems, so that they will come into force in December 2027, rather than in August 2026. Given the usual timeline for adopting new legislation, implementing this delay may prove challenging. Certain obligations would also be simplified for small- and medium-sized enterprises (SMEs) and small mid-cap enterprise providers (SMCs), reducing their overall compliance burden.
   3. Data Act. The proposals would modify the switching and interoperability rules—which came into force in September 2025—providing exemptions for certain customized data processing service providers, as well as SMEs and SMCs. Trade secrets would also be excluded from the scope of data sharing obligations.
2. There will be an increasingly significant overlap between privacy and other areas of digital regulation. As newer regulatory regimes bed down and enforcement actions take place, we expect more areas of overlap to emerge. Prominent examples include the design and operation of online services, which may face regulation under the Digital Services Act (DSA), GDPR, and consumer protection laws, for example, in relation to the use of so-called “dark patterns.” Another key area is the development and deployment of AI systems, which we expect both privacy and AI-specific regulators to tackle in the years ahead. In 2025, we saw the European Data Protection Board (EDPB) issue guidelines on the interplay between the DSA and the GDPR; in the year ahead, we expect the EDPB and the EC to issue similar guidelines on the interplay between the AI Act and the GDPR.
3. Regulators and companies will react to recent case law on the concept of pseudonymization. In September 2025, the Court of Justice of the European Union (CJEU) issued a significant decision in the case of EDPS v SRB (C-413/23 P), confirming that pseudonymized data may not amount to personal data in the hands of a recipient, provided that sufficient technical and organizational measures are in place to prevent the data in question being attributed to a data subject. In 2026, we will see the implications of this judgment begin to play out, with the EDPB expected to release updated guidance on pseudonymization. The impact of this judgment and updated guidance could be significant for companies seeking to use data for research and development.
4. Proposals for a new “Digital Fairness Act” will increase complexity for providers of online services. In July 2025, the EC launched a public consultation on the proposed Digital Fairness Act (DFA), which would aim to combat “unfair commercial practices” such as dark patterns, addictive design features, and exploitative personalization, including those related to the AI agents. While some of these issues are already addressed by the DSA, the EC has noted that these practices concern “all types of traders,” and not just those with business models based on content intermediation. We expect the DFA to take shape in 2026.
5. First wave of DSA enforcement. In December 2025, the EC fined X in respect of multiple DSA infringements, including deceptive design and lack of transparency, and there were several open investigations under the legislation. In the coming year, we can expect the EC to issue final decisions in respect of more of these investigations. The CJEU has delivered some significant decisions under the DSA regime in 2025, and we expect to see further cases referred to the court in 2026 and beyond, as companies increasingly look to challenge the application of this controversial piece of legislation.
6. Continued focus on online safety, including minors’ data. The past year saw a range of significant developments relating to the safety of minors online, including the coming into force of duties to protect minors under the UK Online Safety Act, and the release of the EC’s guidelines on the protection of minors and age-verification. We expect to see continued focus by both lawmakers and regulators on minors’ safety and privacy in the coming year, including in EU negotiations over the proposed DFA.
7. Divergences between the legal frameworks of the UK and the EU will continue to emerge and become more pronounced. In 2025, the UK passed the Data (Use and Access) Act, bringing about targeted reforms to the country’s data protection regime and demonstrating the potential for meaningful differences in regulation to emerge. Notably, the UK has not introduced legislation equivalent to the AI Act, and the Online Safety Act, in some ways an equivalent to the DSA, imposes unique risk assessment and mitigation duties on regulated companies. In 2026, as the EU explores simplifying its digital rulebook, we expect further divergences to emerge between jurisdictions, with it being unclear at present whether the UK will follow the EU in relaxing its data protection laws.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of cybersecurity and data protection laws and regulations, along with advising clients on general domestic and international data security issues. For more on what to expect in U.S. privacy regulation in 2026, see this Wilson Sonsini alert.

For more information, please contact Cédric Burton, Yann Padova, Laura De Boel, Nikolaos Theodorakis, Tom Evans, Olga Kosno, or another member of the firm’s Data, Privacy, and Cybersecurity practice.