Information Technology 2026

Last Updated July 08, 2026

EU

Trends and Developments


Authors



Digital & Analogue Partners is a law firm and strategic consultancy, specialising in the regulation of digital markets. Its core offering is Regulatory Trendwatching, a proprietary service recognised as Best Institutional RegTech in 2026, which analyses regulatory, market and technological signals across jurisdictions to show clients where digital regulation is heading before it arrives, and what that means for their products and strategy. The practice is built on deep domain expertise across the EU and UK digital markets regimes, including the Digital Markets Act and Digital Services Act, as well as AI, data protection, consumer protection and crypto regulation, with a dedicated US focus on blockchain and fintech. Bringing together lawyers, economists and data analysts, Digital & Analogue Partners helps technology companies, from start-ups to global platforms, anticipate regulatory change early enough to act on it.

Emerging Trends in European Digital Regulation: From Technological Sovereignty to User Autonomy

Trendwatching perspective

Digital regulation is often analysed through individual legal developments: a new investigation, a court judgment, a legislative proposal or an enforcement action. Viewed in isolation, these events may appear unrelated. However, regulatory change rarely occurs as a series of disconnected decisions. More often, it reflects broader shifts in technology, economics, politics and consumer behaviour that gradually reshape regulatory priorities.

This article adopts a trendwatching perspective. By “trend”, the authors do not mean a popular topic or a short-lived regulatory initiative. Rather, a trend is a structural change that manifests itself through multiple signals across different industries, jurisdictions and policy areas. A single signal may be insignificant. A consistent pattern of signals pointing in the same direction may indicate a deeper transformation already underway.

The legal and commercial environment for digital markets in the EU is currently being shaped by a number of such developments. This article focuses on three trends that appear particularly significant over the next 3–5 years. Each trend is illustrated through examples drawn from legislation, enforcement, policy initiatives and market developments. While these examples may seem unrelated at first glance, they are analysed together because they reflect a common underlying shift that is beginning to transform the regulatory and commercial landscape.

Being global in nature, these trends are taking a distinct form in the EU through regulation, enforcement and industrial policy.

Why businesses should track trends

Tracking trends matters because regulatory risks rarely emerge overnight. By the time a legislative proposal is adopted, an investigation is opened or a major enforcement decision is issued, the underlying shift has often been visible for years through a series of weaker signals across different jurisdictions, industries and policy areas.

For businesses, the value of trendwatching lies not in predicting the future but in recognising emerging developments early enough to respond strategically. Early awareness provides additional time to assess dependencies, adapt products and business models, allocate resources, strengthen compliance programmes and anticipate changes in customer and regulatory expectations. In increasingly regulated digital markets, the ability to identify structural change before it becomes mainstream may itself become a source of competitive advantage.

Trend 1: AI localises

A growing global trend is the localisation of artificial intelligence (AI). AI is becoming less universal as governments encourage the development of national language models, introduce data localisation requirements, and establish local standards for algorithm training and deployment. Localisation is no longer merely a technological trend. It reflects a broader shift towards digital sovereignty and cultural autonomy.

This trend matters for businesses because it affects not only compliance obligations, but also market access, technology choices and long-term investment decisions. Requirements that differ across jurisdictions may influence where data can be stored, which AI models can be deployed, and how digital products must be adapted for local markets.

From a regulatory perspective, this development is likely to result in stricter data localisation obligations, restrictions on the use of foreign AI models, enhanced transparency requirements, and increased scrutiny of algorithmic bias and cultural sensitivity.

AI, cloud and strategic autonomy

Europe’s response to this trend is shaped by a particular structural challenge: its dependence on foreign digital infrastructure. According to data cited by the Centre on Regulation in Europe, the EU relies on foreign providers for more than 80% of its digital products, services, infrastructure and intellectual property. Cloud computing provides a striking example: three non-EU hyperscalers reportedly account for over 70% of the European cloud market, whereas the largest European providers, including SAP and Deutsche Telekom, each hold only around 2%.

As AI becomes increasingly reliant on computing power and cloud services, questions of technological sovereignty are becoming closely intertwined with questions of economic competitiveness and security.

Lessons learned

The EU’s response is becoming increasingly systematic. A notable example is the Commission’s use of the Digital Markets Act (DMA) to address dependency in cloud infrastructure. In November 2025, the Commission opened three market investigations on cloud computing services, assessing whether:

  • Amazon Web Services should be designated as a gatekeeper (DMA.100033);
  • Microsoft Azure should be designated as a gatekeeper (DMA.100032); and
  • the DMA can effectively address practices limiting fairness and contestability in cloud computing markets (DMA.100236).

The underlying logic is that greater interoperability and lower switching costs could reduce dependence on a small number of dominant providers.

The Commission is also beginning to apply the DMA to AI-related markets. In January 2026, it opened a specification proceeding (DMA.100220) under Article 6(7), DMA on Android interoperability for AI services. Though early-stage, it reflects a lesson from the platform era: intervene before dependencies entrench, not after.

A new framework for tech sovereignty

Another indication that the EU is moving towards AI localisation is the European Technological Sovereignty Package, presented by the Commission on 3 June 2026.

The package consists of four initiatives: two legislative proposals – the Cloud and AI Development Act (CADA) and the Chips Act 2.0; and two policy initiatives – the EU Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy.

At the centre of the package is CADA (COM (2026) 502), which introduces a sovereignty framework for cloud and AI services used by public-sector bodies. The proposal establishes four assurance levels based on factors such as control over infrastructure and supply chains, data processing arrangements, cybersecurity, and exposure to third-country interference. While non-EU providers are not excluded from the framework, the highest assurance level imposes requirements that may be difficult for providers subject to foreign legal regimes to satisfy. The proposal also aims to increase the market share of European cloud and AI computing providers to 30% by 2035 and to significantly expand European data-centre capacity.

The Chips Act 2.0, built on the 2023 Chips Act, strengthens support for Europe’s semiconductor industry through a new Chips Fund, centres of excellence, joint technology projects, and measures to accelerate the development of advanced and AI-related chips.

The remaining pillars are the EU Open Source Strategy, aimed at promoting open-source technologies and interoperable digital ecosystems, and the Strategic Roadmap for Digitalisation and AI in Energy, which supports the deployment of European digital and AI solutions in the energy sector.

Taken together, these developments show that AI localisation is no longer limited to discussions of data governance or model development but is increasingly shaping industrial, infrastructure and innovation policy across the EU.

Data localisation

Data localisation has a specific framework in EU law, particularly through the GDPR rules on international transfers, and AI companies are not treated differently in that respect. However, the processing of European personal data by foreign AI providers is drawing closer regulatory scrutiny. And DeepSeek has become the clearest test case.

On 28 January 2025, Italy’s data protection authority (Garante) sent DeepSeek a formal request for information, asking the company to clarify what personal data they collected, its sources and purposes, the applicable legal bases, whether data was stored in China and what data had been used to train the model. DeepSeek responded within the deadline but argued that it did not operate in Italy and was therefore outside the scope of the GDPR.

The Garante rejected that position: it found that DeepSeek unquestionably offered its services to Italian users, triggering GDPR applicability, including the obligation under Article 27 to appoint an EU representative. It also found that DeepSeek’s own privacy policy confirmed data was stored in China, in breach of the security-of-processing safeguards under Article 32. On 30 January 2025, the Garante imposed a definitive limitation on the processing of Italian users’ data, citing both DeepSeek’s lack of co-operation and the unresolved risk to users’ personal data.

The Italian intervention was not an isolated case. Ireland and Belgium opened their own information requests around the same time. In June 2025, Berlin Commissioner for Data Protection and Freedom of Information later asked Apple and Google to remove the app from German app stores over concerns about data transfers to China, while the Netherlands banned its use on government devices.

Taken together, these actions suggest that cross-border data transfers by AI providers are increasingly assessed not only as a matter of privacy compliance but also through the broader lens of security and technological sovereignty.

For businesses, the practical takeaway of this trend is that infrastructure choices are becoming legal and commercial decisions, not just technical ones. Which cloud provider, which AI model, and where data is processed may increasingly determine market access, procurement eligibility, and regulatory exposure across the EU.

Trend 2: the end of privacy in the digital environment

A growing global trend is the gradual disappearance of privacy in the digital environment. Data collection has reached a scale where preserving privacy in practice is increasingly difficult: individuals are monitored not only by governments and corporations but also by algorithms, connected devices and online communities. Personal data is no longer used solely to personalise services; it increasingly drives pricing strategies, behavioural targeting, recommender systems, political messaging and AI training.

This matters for businesses because regulators are paying closer attention to how data is collected, combined, analysed and used, creating new legal and commercial risk for data-driven business models. The EU’s emerging response does not prohibit personalisation outright. It aims to strengthen transparency and user control so that individuals understand when their data is used, and businesses cannot rely on opacity or information asymmetries.

Reshaping the rules of personalised pricing

Personalised pricing is not a new regulatory concern. The EU already has several legal instruments capable of addressing data-driven pricing practices. Under the GDPR, the use of personal data for pricing purposes must rely on a lawful basis and comply with restrictions on profiling, automated decision-making, and the processing of special category data. Consumer protection law adds a further layer of transparency: Directive (EU) 2019/2161, which amended the Consumer Rights Directive, requires traders to inform consumers when a price has been personalised on the basis of automated decision-making, while the Unfair Commercial Practices Directive separately requires that price information be presented clearly and intelligibly.

Recent enforcement activity illustrates how these rules operate in practice. Following a 2022 study by the Swedish Consumers’ Association, which found that Tinder charged different users different prices with no transparent rationale, the Consumer Protection Cooperation Network opened an investigation co-ordinated by the European Commission and led by the Swedish Consumer Agency and the Netherlands Authority for Consumers and Markets. The investigation examined Tinder’s use of automated personalisation, including pricing variations linked to age and behavioural signals such as prior disinterest in premium features. The investigation concluded in March 2024 with commitments from Tinder: to refrain from age-based pricing without clear advance notice, to disclose when discounts are personalised by automated means, and to explain the factors behind any personalised offer.

The case illustrates the limits of the existing framework as much as its reach. Current rules address disclosure and certain categories of data processing, but they do not resolve the broader concerns associated with personalised pricing: data-driven models may exploit behavioural vulnerabilities, render discriminatory outcomes difficult to detect, and leave consumers unable to understand why they were offered a particular price, even where formal disclosure requirements are met.

These gaps help explain why personalised pricing remains a live issue in the Commission’s preparatory work on the Digital Fairness Act. Options under discussion include giving consumers an explicit right to receive non-personalised pricing and advertising. Given the EU’s role as a global standard-setter on data protection, the approach ultimately adopted is likely to influence how other jurisdictions regulate personalised pricing in digital markets.

Reshaping the rules of personalised advertising

Personalised advertising is another area where EU regulation is moving from formal consent towards more substantive limits on data use.

The DSA restricts certain forms of targeted advertising, including advertising based on the profiling of minors and special categories of personal data.

The DMA goes further for gatekeepers. The Commission’s Meta decision (DMA.100055) in April 2025 is the central example. Meta’s “consent or pay” model required Facebook and Instagram users to either accept personalised advertising or pay a subscription fee: initially EUR9.99/month on desktop and EUR12.99/month on mobile. The Commission found this breached Article 5(2) of the DMA: access to the free service was conditioned on consent to cross-service data combination, with no less-personalised but equivalent alternative on offer. The Commission fined Meta EUR200 million for the non-compliance period of March–November 2024.

Meta has since introduced a free “less personalised ads” option in the EU. Under this model, Meta does not use a user’s broader profile or infer interests based on factors such as work or education. Instead, advertising relies primarily on the content that the user is viewing during the current browsing session.

The decision confirms that the Commission requires that users be offered a real choice regarding personalised advertising, including an alternative that relies on less extensive processing of personal data rather than a simple pay-or-consent model.

Reshaping the rules of personalised services and recommender systems

Regulatory scrutiny is also expanding beyond advertising and pricing into the design of digital services themselves. Recommending systems increasingly influence what users see, how long they remain on a platform and how they interact with digital content.

Under the DSA, online platforms must assess and mitigate systemic risks associated with their services: Article 28, DSA requires platforms accessible to minors to build in safety by design; Articles 34–35 impose systemic risk-assessment duties on VLOPs/VLOSEs (very large online platforms/very large online search engines), including over recommender systems.

In February 2026, the Commission preliminarily found TikTok in breach of the DSA in relation to addictive design, including concerns linked to its highly personalised recommender system. The case shows that personalised recommender systems may raise regulatory concerns where their design increases risks for minors, rather than merely improving user engagement.

There is no blanket prohibition on hyper-personalisation, as its lawfulness depends on its effects on consumers. However, where platform design and personalisation exploit users’ vulnerabilities, and the platform knowingly uses them to gain an advantage, the practice may fall outside lawful and fair commercial conduct.

For businesses, these developments suggest that the boundaries of acceptable data use are narrowing. Personalisation remains lawful, but it is increasingly expected to be transparent, explainable and compatible with user autonomy. As a result, data governance is becoming not only a compliance issue but also a strategic consideration for product design and business models.

Trend 3: growth of digital awareness

Another growing global trend is the increasing awareness of digital influence. Users are becoming more conscious of manipulative design and algorithmic steering and increasingly view their attention as a finite and valuable resource.

This trend matters for businesses because digital influence is becoming both a regulatory and reputational issue. As users become more aware of how platforms shape their behaviour, businesses may face growing pressure to demonstrate that engagement strategies support informed choice rather than exploit behavioural vulnerabilities.

From a regulatory perspective, this trend is driving greater scrutiny of dark patterns, addictive design features and algorithmic recommendation systems. Regulators are increasingly seeking to ensure that digital services support informed user choice rather than exploit behavioural vulnerabilities.

Platform safety and transparency as a new compliance standard

The DSA has become one of the EU’s primary tools for translating concerns about digital influence into binding platform-safety obligations. It moves regulation beyond the removal of illegal content and reliance on formal disclosures, requiring digital services to incorporate safety into their systems by design. Its core obligations include the following.

  • Effective notice-and-action mechanisms for illegal content by hosting services (Article 16, DSA).
  • Internal complaint-handling systems for certain content-moderation decisions by online platforms (Article 20, DSA).
  • Restrictions on interface designs that deceive, manipulate or materially distort users’ ability to make free and informed decisions (Article 25, DSA).
  • Transparency around the main parameters of recommender systems and the options available to users to modify or influence them (Article 27, DSA).
  • A high level of privacy, safety and security for minors on platforms accessible to children (Article 28, DSA).

Recent enforcement activity shows how the Commission is interpreting these obligations in practice.

  • In the TikTok proceedings, the Commission’s preliminary findings (February 2026) focus on engagement features such as infinite scroll, autoplay, push notifications, and a highly personalised recommender system, and conclude that TikTok did not adequately assess their effects on users’ physical and mental wellbeing, including minors and vulnerable adults.
  • In the Meta content-moderation proceedings (opened in April 2024), the Commission has focused on Facebook’s and Instagram’s mechanisms for notifying about illegal content and challenging content-moderation decisions, alongside related concerns about deceptive advertising and disinformation.
  • In relation to X, the Commission imposed a EUR120 million fine (December 2025) for transparency breaches: the deceptive design of the paid blue checkmark, an opaque advertising repository, and barriers to researcher data access. Separate, ongoing proceedings (opened in December 2023) concern X’s handling of illegal content and recommender-system risks linked to elections and radicalisation.
  • In the Shein proceedings (opened in February 2026), the Commission is examining systems for preventing the sale of illegal products, engagement features that may contribute to addictive design, and transparency around recommender systems.
  • In the Snapchat proceedings (opened March 2026), the Commission is assessing whether the platform’s age-assurance and risk-mitigation systems adequately address risks to minors, including grooming, criminal recruitment, and exposure to illegal or age-restricted products.
  • In the separate Meta child-safety proceedings (opened May 2024), the Commission preliminarily found, in April 2026, that Facebook and Instagram failed to identify, assess and mitigate the risk of children under 13 accessing services formally restricted to users aged 13 and above.

Beyond the current regulatory framework, the forthcoming Digital Fairness Act, already mentioned in relation to personalised pricing, may set new standards for tackling manipulative online practices more broadly. The Commission Work Programme for 2026 lists the Digital Fairness Act under the priority of “protecting our democracy, upholding our values”, with a legislative proposal expected in the fourth quarter of 2026. It is framed as a measure to address a broad range of dark patterns that exploit cognitive biases and steer users toward choices they might not otherwise make, resulting in unintended purchases, unwanted subscriptions, or the sharing of personal data without fully informed consent. Examples drawn from the Commission’s own consultation materials include the following.

  • Sneak into the basket – an extended warranty or add-on is pre-selected and added to the basket unless the user actively opts out.
  • Confirm-shaming – a user declining a newsletter is shown a guilt-inducing alternative, such as “No, I hate learning new things”.
  • Forced continuity – a free trial automatically converts into a paid subscription without a clear reminder or an easy cancellation route.
  • Decision fatigue – privacy settings require users to manually disable dozens of tracking options rather than offering a single “Reject all” button.

For businesses, the significance of these developments extends beyond gatekeepers and very large online platforms. The underlying trend is a broader shift in user expectations. Users are becoming more conscious of how digital services influence their behaviour and increasingly expect transparency, autonomy and meaningful choice. These changing expectations are likely to affect digital businesses well beyond those formally in scope of the DSA or DMA. In the long run, user trust and autonomy may become as important to competitive advantage as engagement and retention.

Practical implications for businesses

For technology companies operating in the EU, these trends are not abstract regulatory developments. They are becoming practical questions of product design, customer journey, data use, market strategy, and the selection of clients and other counterparties.

The following questions can help assess the extent to which a company may be exposed to the risks emerging from these trends:

  • How dependent is your business on third-party infrastructure, AI models, datasets or digital platforms that may become subject to localisation, sovereignty or security requirements?
  • Which parts of your products, services or revenue streams rely on extensive collection and use of personal data, and how resilient would they be to further restrictions?
  • Can users clearly understand how your algorithms, AI systems and interfaces influence their choices and experience? If transparency standards change, will you be able to explain these practices without undermining user trust?
  • Which regulatory developments that appear peripheral today could become commercially significant for your business over the next 3–5 years?

The ability to identify such developments early is becoming a competitive advantage in its own right. As digital regulation expands beyond traditional compliance and increasingly reflects broader societal and technological shifts, businesses will need not only to monitor legal change but also to anticipate the trends that shape it.

Digital & Analogue Partners

1 Water Lane
Hawley Wharf
London NW1 8NZ
United Kingdom

+44 74 2403 9183

info@dna.partners dna.partners
Author Business Card

Trends and Developments

Authors



Digital & Analogue Partners is a law firm and strategic consultancy, specialising in the regulation of digital markets. Its core offering is Regulatory Trendwatching, a proprietary service recognised as Best Institutional RegTech in 2026, which analyses regulatory, market and technological signals across jurisdictions to show clients where digital regulation is heading before it arrives, and what that means for their products and strategy. The practice is built on deep domain expertise across the EU and UK digital markets regimes, including the Digital Markets Act and Digital Services Act, as well as AI, data protection, consumer protection and crypto regulation, with a dedicated US focus on blockchain and fintech. Bringing together lawyers, economists and data analysts, Digital & Analogue Partners helps technology companies, from start-ups to global platforms, anticipate regulatory change early enough to act on it.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.