EU regulators say Google's Play Store changes still don't meet fairness rules and are preparing a potentially hefty 2026 fine unless Google makes deeper concessions. Reuters reports: Google Play has been in the European Commission's crosshairs since March, with regulators singling out technical restrictions preventing app developers from steering users to other channels for cheaper offers. Another issue is the service fee charged by Google for facilitating an app developer's initial acquisition of a new customer via Google Play which the regulator said goes beyond what is justified. Tweaks to Google Play announced in August to make it easier for app developers to direct customers to other channels and choose a fee model are still falling short, the people said, with the EU antitrust regulator viewing Apple's recent changes to its App Store as a benchmark. [...] Google can still offer to make more changes before regulators impose a fine, likely in the first quarter of the next year, the people said, adding that the timing of any sanction can still change. "We continue to work closely with the European Commission in its ongoing investigation but have serious concerns that further changes would put Android and Play users at risk of malware, scams and data theft. Unlike iOS, Android is already open by design," a Google spokesperson said.

Read more of this story at Slashdot.

The 6th edition of the NIS Investments report highlights a realignment in how organizations across the European Union allocate their cybersecurity investments, with funding steadily shifting from staffing toward technologies and outsourced services. The findings come from ENISA’s annual survey, which examines how EU cybersecurity policy, particularly the NIS2 Directive, translates into practice and influences operational decisions, resources, and long-term planning.  ENISA Executive Director Juhan Lepassaar highlighted the study’s importance, stating: “The NIS Investments Study provides insights, central to ENISA’s role to support EU Member States in building cyber resilience in critical sectors. The findings help us to better understand the challenges, target our support, and inform our recommendations for the future.”  For last year’s cycle, the survey gathered responses from 1,080 public and private organizations across all EU Member States. The sample represented sectors deemed highly critical under the NIS2 Directive.   Large enterprises made up 83% of respondents, while 17% were SMEs, allowing comparisons between organizations with very different resource structures. A detailed data companion was published alongside the main report, offering both sector-based and Member State views for deeper analysis. 

Cybersecurity Investment Becomes a Priority

Compared to last year, overall cybersecurity investments remained stable, averaging 9% of IT budgets with a median spend of 1.5 million euros. However, the data shows a clear pivot away from expanding internal cybersecurity teams and toward enhanced technology stacks and outsourced services. This shift marks one of the report’s central trends.  The cyber talent shortage remains a defining challenge across the EU. Organisations reported persistent difficulties in attracting (76%) and retaining (71%) cybersecurity professionals. High turnover, limited talent availability, and competitive hiring conditions continue to widen the workforce gap, prompting organizations to reassess staffing models and increase reliance on external support.  Compliance, especially related to NIS2, is still the main catalyst behind cybersecurity investments, cited by 70% of organizations. Yet the report notes that these efforts produce benefits beyond regulatory adherence. Respondents pointed to improvements in risk management (41%), detection capability (35%), and incident response (26%). Future investment priorities include upgrading cybersecurity tools, strengthening recovery processes, and improving internal skills development. 

NIS2 Implementation is Essential but Difficult 

While NIS2 is prompting organizations to raise their cybersecurity baseline, the directive implementation poses challenges across multiple domains. Entities reported obstacles in patching (50%), business continuity (49%), and supply-chain risk management (37%). Larger organizations struggle with harmonizing approaches and transitioning from legacy systems, while SMEs face barriers such as limited guidance, high tooling costs, and insufficient skills.  The report reveals ongoing difficulty in timely patching and conducting security assessments. Nearly one in three organizations had not performed a cybersecurity assessment in the previous 12 months. Additionally, 28% require more than three months to patch critical vulnerabilities, a pressing issue given that vulnerability exploitation remains a leading attack vector. SMEs face the steepest hurdles, with 63% struggling with testing and 51% with patching. 

Supply-Chain Exposure Rising 

As supply-chain risk management slowly improves, dependence on outsourced ICT and security services continues to introduce vulnerabilities, especially when suppliers are SMEs with limited resources. Supply-chain and third-party compromises were identified as the second most concerning future threat (47%), aligning with trends in the ENISA Threat Landscape report, which notes a rise in attacks targeting cyber dependencies.  Organizations cited DoS attacks as the most disruptive to daily operations, yet ransomware (55%), supply-chain attacks (47%), and phishing (35%) dominate long-term concerns. SMEs consistently reported the lowest confidence in their ability to prepare for, withstand, and recover from cyber incidents across any threat category.  Findings from the NIS Investments report feed into several ENISA initiatives, including the NIS360 assessment of sectoral maturity, the EU Cybersecurity Index, and the State of Cybersecurity in the Union report. These insights help refine policy recommendations and guide future actions to strengthen the EU’s overall cyber resilience. 

An anonymous reader quotes a report from Reuters: Meta's proposal to use less personal data for targeted advertising in its pay-or-consent model that will be rolled out next month won the approval of EU antitrust regulators on Monday, signaling the company will not face daily fines after all. [...] The U.S. tech giant has been locked in discussions with the European Commission after getting hit with a $233 million fine in April for breaching the Digital Markets Act aimed at reining in the power of Big Tech. The violation covered Facebook and Instagram in the period from November 2023 to November 2024, after which Meta tweaked its pay-or-consent model to use less personal data for targeted advertising. The EU executive has been examining the changes to see if they comply with the DMA, with Meta risking daily fines of as much as 5% of its average daily worldwide turnover if found to be still in breach of the law. The tweaks are in wording, design and transparency to remind users of the two options. Meta did not plan on any substantial changes to its November proposal despite the risk of EU fines, people with direct knowledge of the matter had told Reuters. The Commission, which acts as the EU competition enforcer, acknowledged Meta's November proposal, saying that it will monitor the new ad model and seek feedback, with no more talk of periodic fines. "Meta will give users the effective choice between consenting to share all their data and seeing fully personalized advertising, and opting to share less personal data for an experience with more limited personalized advertising," the Commission said in a statement.

Read more of this story at Slashdot.

Meta has agreed to make changes to its “pay or consent” business model in the EU, seeking to agree to a deal that avoids further regulatory fines at a time when the bloc’s digital rule book is drawing anger from US authorities.

On Tuesday, the European Commission announced that the social media giant had offered users an alternative choice of Facebook and Instagram services that would show them fewer personalized advertisements.

The offer follows an EU investigation into Meta’s policy of requiring users either to consent to data tracking or pay for an ad-free service. The Financial Times reported on optimism that an agreement could be reached between the parties in October.

Read full article

Comments

© Derick Hudson

Friday six European Union countries "asked the European Commission to water down an effective ban on the sale of internal combustion engine cars slated for 2035," reports Reuters The countries have asked the EU Commission to allow the sale of hybrid cars or vehicles powered by other, existing or future, technologies "that could contribute to the goal of reducing emissions" beyond 2035, a joint letter seen by Reuters showed on Friday. The letter was signed by the prime ministers of Bulgaria, the Czech Republic, Hungary, Italy, Poland and Slovakia. They also asked for low-carbon and renewable fuels to be included in the plan to reduce the carbon emissions from transportation... Since they adopted a regulation that all new vehicles from 2035 should have zero emissions in March 2023, EU countries are now having second thoughts. Back then, the outlook for battery electric vehicles was positive, but carmakers' efforts have later collided with the reality of lower-than-expected demand and fierce competition from China. Car and Drive reports that Chancellor Friedrich Merz of Germany also "wants to allow exceptions for plug-in hybrids, extended-range EVs, and 'highly efficient' combustion vehicles beyond the current 2035 deadline." They cite a report in Automotive News. The European Commission hasn't made any official changes yet, but mounting pressure suggests that a revised plan could be coming soon.... Apostolos Tzitzikostas, the European Commissioner for Sustainable Transport and Tourism, was cited by the German paper Handelsblatt as saying that the EU "will take all technological advances into account when reassessing fleet emission limits, including combustion engines running on e-fuels and biofuels." And these renewable products will apparently be key pieces of the puzzle. BMW uses a vegetable-oil-derived fuel called HVO 100 in its diesel products throughout Europe. The plant-oil-based fuel reportedly reduces tailpipe emissions by 90 percent compared with traditional diesel. For its part, Porsche has been working on producing synthetic fuel at a plant in Chile since 2022. The European Commission is set to meet on December 10. At that time, the body is expected to assemble a package of proposals to help out the struggling European automotive industry, though the actual announcement may be pushed to a later date. Thanks to long-time Slashdot reader sinij for sharing the article.

Read more of this story at Slashdot.

The EU has opened an antitrust investigation into Meta over a new WhatsApp policy that could block rival AI assistants from accessing the platform. Complaints from smaller AI developers triggered the probe, which could lead to fines of up to 10% of Meta's global revenue if the company is found to have abused its dominance. Reuters reports: EU antitrust chief Teresa Ribera said the move was to prevent dominant firms from "abusing their power to crowd out innovative competitors." She added interim measures could be imposed to block Meta's new WhatsApp AI policy rollout. "AI markets are booming in Europe and beyond," she said. "This is why we are investigating if Meta's new policy might be illegal under competition rules, and whether we should act quickly to prevent any possible irreparable harm to competition in the AI space." A WhatsApp spokesperson called the claims "baseless," adding that the emergence of chatbots on its platforms had put a "strain on our systems that they were not designed to support," a reference to AI systems from other providers. "Still, the AI space is highly competitive and people have access to the services of their choice in any number of ways, including app stores, search engines, email services, partnership integrations, and operating systems."

Read more of this story at Slashdot.

An anonymous reader shared this report from CNBC: Italian defense company Leonardo on Thursday unveiled plans for an AI-powered shield for cities and critical infrastructure, adding to Europe's push to ramp up sovereign defense capabilities amid rising geopolitical tensions. The system, dubbed the "Michelangelo Dome" in a nod to Israel's Iron Dome and U.S. President Donald Trump's plans for a "Golden Dome," will integrate multiple defense systems to detect and neutralize threats from sea to air including missile attacks and drone swarms... Leonardo's dome will be built on what CEO Roberto Cingolani called an "open architecture" system meaning it can operate alongside any country's defense systems... Leonardo's dome will be built on what CEO Roberto Cingolani called an "open architecture" system meaning it can operate alongside any country's defense systems.

Read more of this story at Slashdot.

EU antitrust regulators will examine whether Apple's Apple Ads and Apple Maps should be subject to the onerous requirements of the bloc's digital rules after both services hit key criteria, with the U.S. tech giant saying they should be exempted. From a report: Apple's App Store, iOS operating system and Safari web browser were designated core platform services under the Digital Markets Act two years ago aimed at reining in the power of Big Tech and opening up the field to rivals so consumers can have more choice. The European Commission said that Apple has notified it that Apple Ads and Apple Maps met the Act's two thresholds to be considered "gatekeepers." The DMA designates companies with services with more than 45 million monthly active users and $79 billion in market capitalisation as gatekeepers subject to a list of dos and don'ts.

Read more of this story at Slashdot.

European leaders have spent years warning that the continent risked falling behind the U.S., China and Russia in the global contest for economic, technological and military dominance, and officials now believe they have reached that point. The mood darkened over the summer when Europe found itself on the sidelines as Washington and Beijing negotiated a reset of global trade rules, and turned bleak this month when the White House presented a Ukraine cease-fire plan without consulting European capitals. In July, the EU accepted a trade deal allowing the U.S. to impose 15% tariffs without retaliation. President Trump ignored European calls to pressure Moscow before meeting Vladimir Putin in Alaska in August, telling reporters "this is not to do with Europe, Europe's not telling me what to do." Germany has eased its debt brake to pour $580 billion into a decade-long rearmament program, and the EU has set a 2030 rearmament goal -- defense spending across the region is set to exceed $560 billion this year, double what it was a decade ago. "Battle lines for a new world order, based on power, are being drawn right now," European Commission President Ursula von der Leyen said in September. "A new Europe must emerge."

Read more of this story at Slashdot.

That lengthy standoff over privacy rights versus child protection ended Wednesday when EU member states finally agreed on a negotiating mandate for the Child Sexual Abuse Regulation, a controversial law requiring online platforms to detect, report, and remove child sexual abuse material while critics warn the measures could enable mass surveillance of private communications.

The Council agreement, reached despite opposition from the Czech Republic, Netherlands, and Poland, clears the way for trilogue negotiations with the European Parliament to begin in 2026 on legislation that would permanently extend voluntary scanning provisions and establish a new EU Centre on Child Sexual Abuse.

The Council introduces three risk categories of online services based on objective criteria including service type, with authorities able to oblige online service providers classified in the high-risk category to contribute to developing technologies to mitigate risks relating to their services. The framework shifts responsibility to digital companies to proactively address risks on their platforms.

Permanent Extension of Voluntary Scanning

One significant provision permanently extends voluntary scanning, a temporary measure first introduced in 2021 that allows companies to voluntarily scan for child sexual abuse material without violating EU privacy laws. That exemption was set to expire in April 2026 under current e-Privacy Directive provisions.

At present, providers of messaging services may voluntarily check content shared on their platforms for online child sexual abuse material, then report and remove it. According to the Council position, this exemption will continue to apply indefinitely under the new law.

Danish Justice Minister Peter Hummelgaard welcomed the Council's agreement, stating that the spread of child sexual abuse material is "completely unacceptable." "Every year, millions of files are shared that depict the sexual abuse of children. And behind every single image and video, there is a child who has been subjected to the most horrific and terrible abuse," Hummelgaard said.

New EU Centre on Child Sexual Abuse

The legislation provides for establishment of a new EU agency, the EU Centre on Child Sexual Abuse, to support implementation of the regulation. The Centre will act as a hub for child sexual abuse material detection, reporting, and database management, receiving reports from providers, assessing risk levels across platforms, and maintaining a database of indicators.

The EU Centre will assess and process information supplied by online providers about child sexual abuse material identified on services, creating, maintaining and operating a database for reports submitted by providers. The Centre will share information from companies with Europol and national law enforcement bodies, supporting national authorities in assessing the risk that online services could be used to spread abuse material.

Online companies must provide assistance for victims who would like child sexual abuse material depicting them removed or for access to such material disabled. Victims can ask for support from the EU Centre, which will check whether companies involved have removed or disabled access to items victims want taken down.

Privacy Concerns and Opposition

The breakthrough comes after months of stalled negotiations and a postponed October vote when Germany joined a blocking minority opposing what critics commonly call "chat control." Berlin argued the proposal risked "unwarranted monitoring of chats," comparing it to opening letters from other correspondents.

Critics from Big Tech companies and data privacy NGOs warn the measures could pave the way for mass surveillance, as private messages would be scanned by authorities to detect illegal images. The Computer and Communications Industry Association stated that EU member states made clear the regulation can only move forward if new rules strike a true balance protecting minors while maintaining confidentiality of communications, including end-to-end encryption.

Also read: EU Chat Control Proposal to Prevent Child Sexual Abuse Slammed by Critics

Former Pirate MEP Patrick Breyer, who has been advocating against the file, characterized the Council endorsement as "a Trojan Horse" that legitimizes warrantless, error-prone mass surveillance of millions of Europeans by US corporations through cementing voluntary mass scanning.

The European Parliament's study heavily critiqued the Commission's proposal, concluding there aren't currently technological solutions that can detect child sexual abuse material without resulting in high error rates affecting all messages, files and data in platforms. The study also concluded the proposal would undermine end-to-end encryption and security of digital communications.

Scope of the Crisis

Statistics underscore the urgency. 20.5 million reports and 63 million files of abuse were submitted to the National Center for Missing and Exploited Children CyberTipline last year, with online grooming increasing 300 percent since negotiations began. Every half second, an image of a child being sexually abused is reported online.

Sixty-two percent of abuse content flagged by the Internet Watch Foundation in 2024 was traced to EU servers, with at least one in five children in Europe a victim of sexual abuse.

The Council position allows trilogue negotiations with the European Parliament and Commission to start in 2026. Those negotiations need to conclude before the already postponed expiration of the current e-Privacy regulation that allows exceptions under which companies can conduct voluntary scanning. The European Parliament reached its negotiating position in November 2023.

The European Parliament has passed a non-binding resolution urging an EU-wide minimum age of 16 to access social media, video-sharing platforms, and AI chatbots, with parental consent allowed for ages 13-16 and a hard ban for anyone under 13. "It also proposes additional measures, including a ban on addictive design features that keep children hooked to screens and manipulative advertising and gambling-like elements," reports Reuters. Furthermore, the draft "calls for the outright blocking of websites that don't follow EU rules and to address AI tools that can create fake or inappropriate content." The resolution "carries no legal weight" but reflects the growing concern on the issue of AI companions and algorithm-driven platforms even. "Any binding legislation would require formal proposals from the European Commission, followed by negotiations between EU member states and Parliament in a process that typically takes years to complete," notes the report.

Read more of this story at Slashdot.

The European Union Agency for Cybersecurity (ENISA) has taken a major step forward in advancing vulnerability management across Europe by becoming a CVE Root within the global Common Vulnerabilities and Exposures (CVE) Program. This designation makes ENISA a central point of contact for national and EU authorities, members of the EU CSIRTs Network, and other partners under its mandate.  Previously acting as a Common Vulnerability and Exposure (CVE) Numbering Authority (CNA), ENISA has been authorized since January 2024 to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs. The move to CVE Root status expands the agency’s responsibilities and strengthens the coordination of vulnerability management efforts throughout the EU.  ENISA’s Executive Director, Juhan Lepassaar, emphasized the importance of this milestone: “By becoming a Root, ENISA moves a step further to improve the development and capacity of the Agency to support vulnerability management in the EU. With the new responsibilities, ENISA extends its support to the CSIRTs network and to all its partners to further enhance the EU's ability to manage and coordinate cybersecurity vulnerabilities and improve digital security across the Union.”  This development aligns with wider EU investments in coordinated vulnerability disclosure, the European Vulnerability Database (EUVD), and responsibilities outlined in the Cyber Resilience Act (CRA). Under the CRA, ENISA will guide manufacturers on compliance, assist in applying the new cybersecurity framework, and contribute to the development of the Single Reporting Platform for vulnerability notifications. 

Understanding the CVE Program and ENISA’s Expanded Mandate 

Founded in 1999, the CVE Program serves as a global system for identifying and cataloging publicly disclosed vulnerabilities. CVE IDs and accompanying records allow developers, organizations, and cybersecurity professionals to understand and address security flaws quickly. As a key figure in this ecosystem, ENISA now plays an expanded role in supporting the identification, onboarding, and oversight of CNAs that fall within its scope.  As a CVE Root, ENISA will help enforce CVE Program guidelines, refine procedures for assigning and managing CVE IDs, and maintain its registry services to support the vulnerability coordination work of EU CSIRTs. It will also act as a central contact point for cooperative partners under its mandate.  ENISA will join the CVE Program Council of Roots, the coordinating body responsible for overseeing operational alignment among Root organizations. Internationally, Roots include MITRE, CISA, Google, Red Hat, and Japan’s JPCERT/CC. Within the EU, INCIBE-CERT, Thales Group, and CERT@VDE are existing Roots, now accompanied by ENISA. 

Transition Plans for Existing CNAs 

ENISA’s new Root scope applies to organizations within its mandate, and eligible CNAs interested in transitioning under ENISA’s Root may do so voluntarily. The CVE Program will collaborate closely with each organization to support a smooth and phased transition. This approach ensures that CNAs can align the change with their operational requirements while maintaining continuity in their vulnerability management processes.  By becoming a CVE Root, ENISA deepens its involvement in coordinated vulnerability management across the EU. The agency’s expanded duties will help enhance the accuracy and timeliness of CVE Records, improve cross-border coordination, and support responsible vulnerability disclosure practices. These advances contribute directly to reducing fragmentation across Member States and creating a more unified European cybersecurity ecosystem.  ENISA also plays a pivotal role in several strategic EU cybersecurity initiatives. It operates the European Vulnerability Database (EUVD), developed under the NIS2 Directive and now fully operational. Additionally, the agency is developing the Single Reporting Platform (SRP) under the Cyber Resilience Act to facilitate mandatory reporting of actively exploited vulnerabilities by manufacturers starting in September 2026. 

Conclusion  

As secretariat of the EU CSIRTs Network, ENISA plays a key role in coordinating vulnerability disclosure across Member States and guiding CVD policies, reinforcing Europe’s cybersecurity resilience. Its new CVE Root status further strengthens its capacity in vulnerability management and cross-border coordination.  Complementing these efforts, Cyble offers AI-driven threat intelligence and real-time monitoring, enabling European enterprises to detect, investigate, and mitigate emerging cyber threats. Request a personalized demo from Cyble today to enhance your organization’s cyber resilience. 

A coalition of 127 civil society organizations and trade unions have banded together to oppose proposed changes that they warn could severely weaken EU data protection and privacy laws like GDPR. In an open letter released this week, the groups expressed “serious alarm at the forthcoming EU Digital Omnibus proposals, part of a wide deregulation agenda. What is being presented as a ‘technical streamlining’ of EU digital laws is, in reality, an attempt to covertly dismantle Europe's strongest protections against digital threats. “These are the protections that keep everyone’s data safe, governments accountable, protect people from having artificial intelligence (AI) systems decide their life opportunities, and ultimately keep our societies free from unchecked surveillance,” the groups added. Many of the same groups expressed concerns about the Digital Omnibus process earlier this year, but with a comprehensive proposal expected from the European Commission next week and reports that drafts of the legislation would significantly weaken GDPR and other privacy protections, the groups are stepping up their efforts.

GDPR, AI Rules Could Be Weakened in Digital Omnibus Process

Netzpolitik said that GDPR and other protections in several areas would be “significantly reduced to allow for greater data usage” under the Digital Omnibus proposals, including making it easier to train AI systems with personal data. Online tracking and cookie restrictions would also be weakened. “Storing and reading non-essential cookies on users' devices would no longer be permitted only with their consent,” Netzpolitik said. “Instead, the full range of legal bases offered by the GDPR would be opened up. This includes the legitimate interests of website operators and tracking companies. Users would then only have the option of opting out retroactively.” Article 9 of the GDPR concerning special categories of data would also be targeted. Article 9 offers special protection for data that includes "ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership." It also includes the processing of genetic data, biometric data for identification purposes, health data, and data about a person's sex life or orientation. “The Commission aims to define sensitive data more narrowly,” Netzpolitik said. “Only data that explicitly reveals the aforementioned information would then be afforded special protection. This means that if, for example, a person indicates their sexual orientation in a selection field, this would still be afforded special protection. However, if a data processor infers a person's presumed sexual orientation based on perceived interests or characteristics, current restrictions would no longer apply.” Protections for genetic and biometric data are more likely to remain unchanged “due to their unique and specific characteristics."

Groups Decry ‘Rushed and Opaque’ Process

The 127 civil society groups and trade unions charged that the Digital Omnibus process “is being done under the radar, using rushed and opaque processes designed to avoid democratic oversight.” The same approach has been used with other Omnibus proposals with damaging results, they said. “As a result, supposedly minimal changes under the guise of ‘simplification’ have already jeopardised Europe’s core social and environmental protections,” they said. The Digital Omnibus, they said, will reportedly weaken “the only clear rule that stops companies and governments from constantly tracking what people do on their devices, part of the ePrivacy framework. This will make it a lot easier for those in power to control people’s phones, cars or smart homes, while also revealing sensitive information about where people go, and with whom.” EU AI rules could also be weakened, the groups said, including guardrails to ensure “that AI is developed safely and without discrimination, as well as delaying key elements like penalties for selling dangerous AI systems.” Currently, AI tools that could affect important decisions like whether people can obtain benefits must register in a public database. Under the proposed changes, they said, “those providing AI tools could unilaterally and secretly exempt themselves from all obligations – and neither the public nor authorities would know.” “By recasting vital laws like the GDPR, ePrivacy, AI Act, DSA, DMA, Open Internet Regulation (DNA), Corporate Sustainability Due Diligence Directive and other crucial laws as ‘red tape’, the EU is giving in to powerful corporate and state actors who oppose the principles of a fair, safe and democratic digital landscape and who want to lower the bar of EU laws for their own benefit,” they charged. They urged the European Commission to stop any attempts to reopen the GDPR, ePrivacy framework, AI Act and other “core digital rights protections.”