UK law
Data (Use and Access) Act 2025 (Commencement No 4) Regulations 2025 made
The Data (Use and Access) Act 2025 (Commencement No 4) Regulations 2025 SI 2025/1213 have been made. These are the fourth commencement regulations made under the Data (Use and Access) Act 2025. Regulation 2 brings into force most of Part 2 of the Act (digital verification services), which establishes a legislative structure for the provision of digital verification services in the UK, where those services apply to be registered on a government register. It does not bring into force sections 45 to 48 (which deal with public authorities sharing information with registered digital verification service providers).
Ofcom consults on Statement of Charging Principles for Online Safety Fees
Ofcom is consulting on the Statement of Charging Principles for its online safety fees regime. These fees will fund Ofcom’s online safety regulation. They will be paid by companies in scope of the Online Safety Act 2023 whose “qualifying worldwide revenues” (QWR) meet or exceed £250 million. Before Ofcom can require such companies to pay fees, the Act requires that a Statement of Charging Principles be in force. The draft Statement of Charging Principles on which Ofcom is consulting sets out the principles it proposes to apply when determining the fees payable by such companies and reflects its policy decisions. It also addresses practical matters like payments and invoicing. The consultation ends on 9 January 2026.
Online safety fees regime due in force from 11 December 2025
Ofcom also published its final guidance on QWR and final Fees Notification guidance. The QWR guidance is intended to provide high-level practical support to help companies calculate their QWR. The Fees Notification guidance sets out the practicalities of how companies can fulfil the requirement to notify Ofcom if they are liable to pay fees, and how to provide evidence of their QWR. Ofcom expects to update both guidance documents over time based on experience of administering the fees and penalties regime. On 20 November, the Secretary of State laid regulations in Parliament that, subject to the parliamentary process, will bring the online safety fees regime into force on 11 December 2025. Ofcom has therefore published a notice that 2026-27 will be the first charging year of the online safety fees regime. Providers who are liable to pay fees in respect of the 2026-27 charging year must notify it of their QWR and provide supporting evidence by 11 April 2026, using its online portal, available from 24 November 2025. It expects that invoices will be issued to providers by September 2026.
EU law
European Commission launches targeted consultation on notifying suspected criminal offences under DSA
The European Commission has launched a targeted consultation on the notification process of suspected criminal offences under Article 18 of the Digital Services Act. The DSA requires providers of hosting services, including cloud services or online platforms, to notify law enforcement or judicial authorities when they become aware of information indicating a suspected criminal offence involving a threat to the life or safety of a person or persons. This may include offences such as incitement to terrorism, sexual abuse and exploitation of children and trafficking in human beings. The consultation ends on 19 December 2025.
European Commission publishes report assessing the EU DSA’s effectiveness
The Commission published a report assessing the Digital Services Act’s interaction with other EU laws and its designation process for very large online platforms and search engines. The report confirms that the designation criteria for very large online platforms (VLOPs) and search engines (VLOSEs), including the threshold of 45 million average monthly active recipients, remain fit-for-purpose and well-suited to the dynamic digital environment. The report also evaluates the interactions between the DSA and other 54 legal acts, in areas such as data protection and privacy, audiovisual, media and IP, consumer policy, product safety, and democracy, security, and justice. It identifies selected provisions where regulatory overlaps require closer coordination to ensure a clear application of legal frameworks. It is the first of several reports that the DSA requires by 2027, evaluating its impact on the development and economic growth of small and medium-sized enterprises, and its overall effectiveness.
European Commission launches whistleblower tool for AI Act
The European Commission launched a whistleblower tool for the AI Act. The tool aims to provide a secure and confidential channel for individuals to report suspected breaches of the AI Act to the EU AI Office. Whistleblowers can provide relevant information in any of the EU official languages, and in any relevant format. The tool offers a secure way to report potential violations of the law that could endanger fundamental rights, health, or public trust. The Commission says that the highest level of confidentiality and data protection are guaranteed through certified encryption mechanisms. It enables secure follow-up, allowing whistleblowers to receive updates on the progress of their report and the option to respond to additional questions from the AI Office, without compromising their anonymity. By reporting information about violations, whistleblowers can support the AI Office in detecting them early on, therefore contributing to the safe and transparent development of AI technologies.
European Commission seeks input for the review of the 2030 Digital Decade targets and objectives
The European Commission has launched a call for evidence on whether the Digital Decade objectives and targets for 2030 remain aligned with the rapidly evolving tech landscape since their adoption in 2022. The call for evidence will help inform the Commission’s upcoming review, planned for 2026, of the policy programme guiding Europe’s digital transformation. It closes on 23 December 2025.
European Commission requests Shein to provide information under the Digital Services Act on the sale of illegal products
The European Commission has sent a request for information to Shein under the Digital Services Act, following concerns that illegal goods, particularly child-like sex dolls and weapons, are being offered on the marketplace. Following the sale of illegal products in France and several public reports, the Commission suspects that Shein’s system may pose a systemic risk for consumers across the entire EU. The Commission is now formally asking Shein to provide detailed information and internal documents on how it makes sure that minors are not exposed to age-inappropriate content, especially how it uses age assurance measures, as well as how it prevents the circulation of illegal products on its platform. The Commission is also inquiring about the effectiveness of Shein’s mitigation measures. The DSA requires VLOPs like Shein, to assess and adequately mitigate systemic risks, such as risks to minors or the spread of illegal content, that may arise from their systems, as well as from the design or functioning of their services. The Commission is actively monitoring compliance by VLOPs, including Shein, with their obligations under the DSA across the EU and says that it is ready to take enforcement action.
