EU pushes for a profound reshaping of the digital economy in 2026 with proposed changes to legislation governing AI, data and platforms

2026 is set to be another year of new developments and far-reaching regulatory challenges for the digital economy.

Artificial intelligence 

As far as artificial intelligence is concerned, 2026 will either witness the final consolidation of the Artificial Intelligence Act (AI Act) or a deferral of its application. The European Commission has published a proposal for a Regulation (Digital Omnibus on AI) that, if approved, would mean several major amendments to the AI Act, including a change to the deadline for mandatory application of all provisions relating to the obligations for providers and deployers of high-risk AI systems. You can consult our recent publication (in Spanish) in this regard here.

Simplification of the European digital rulebook

2026 will also see intense debate concerning some key concepts of the legislation governing the digital economy, such as the notions of “personal data” or the concept of “pseudonymization”. This stems from another proposal for a Regulation (Digital Omnibus) by the European Commission, "on the simplification of the digital legislative framework", which proposes amendments to key pieces of legislation including the General Data Protection Regulation, the NIS 2 Directive and the Data Act, in which such concepts would be included, by repealing and merging provisions of other related regulations such as the Data Governance Act or the Open Data Directive. 

Privacy

The basic principles set out in EU data protection legislation are under review, both as a result of case law developments (for example, calling into question the traditional absolute approach to the concept of personal data, as seen in the CJEU judgment in the EDPS vs SRB case) and the proposed legislative amendments included in the two Omnibus proposals mentioned above and in other regulatory initiatives. Although the aim is to simplify and streamline the application of the legislation, there is resistance from defenders of fundamental rights, which will lead to intense academic and regulatory debates the outcome of which is hard to predict.

From an international perspective, and focusing on jurisdictions in which Garrigues has a presence, Chile is in the process of implementing new data protection legislation, meaning that Chilean companies and companies operating in Chile must take the necessary steps to comply with the law prior to its mandatory application.

Digital Services Act (DSA)

Effective implementation of the Digital Services Act (DSA), aimed at creating a uniform EU framework governing liability and due diligence obligations of providers of intermediary services (hosting, social networks, marketplaces, search engines, etc.), will continue to ramp up in 2026. The year will see an increase in supervisory measures, interpretative criteria and finalization of procedures (including corrective measures), especially as regards transparency obligations, management of illegal content, traceability of traders on marketplaces, notice and action systems, and complaint and redress mechanisms. For very large platforms and search engines, the requirements for systemic risk assessments and mitigation (e.g., protection of minors, algorithmic effects, misinformation, security and public health risks), as well as advertising transparency and oversight of deceptive design patterns, will be particularly significant.

In Spain, the body responsible for supervision under the DSA is the CNMC, as Digital Services Coordinator. However, effective deployment of the national framework (including the penalty regime and all supervisory procedures) continues to be closely linked to domestic legislative processes and the allocation of resources, meaning that 2026 is likely to be a year of institutional consolidation, accompanied by a gradual increase in supervisory measures and coordination with the European Commission.

Digital Markets Act (DMA)

In parallel, 2026 will also see further practical implementation of the Digital Markets Act (DMA), geared towards ensuring open and competitive digital markets by establishing specific obligations for gatekeepers. The focus will shift from simply designating gatekeepers to assessing their compliance measures and adopting decisions on key practices affecting market structure, such as self-preferencing, restrictions on the commercial freedom of business users, interoperability and conditions for accessing closed ecosystems (app stores and operating systems) and use of data. This process is likely to be accompanied by an increase in litigation and the need to coordinate regulatory analysis with the spheres of competition, consumer affairs and data protection.

The European Commission will present its first report on the application of the Digital Markets Act (DMA) to the other EU institutions no later than May 2026. One of the core issues to be addressed by Commission in its report will be whether, and to what extent, the regulation applies to artificial intelligence (AI).

In particular, the European Commission may consider including AI within the existing categories of “core platform services” or it may propose new or modified definitions with a view to covering AI tools and services. Similarly, the European Commission will analyze how substantive obligations under the DMA apply to AI and whether any legislative amendments are needed to that effect.

For reasons of speed and efficiency, it is likely that the European Commission will favor solutions that do not require legislative reform.

eIDAS and digital identity

Another area poised to witness major developments in 2026 is digital identity. This year is expected to see the completion of the technical specifications for the real and effective deployment of the European Digital Identity (EUDI) Wallet, a landmark official identification system that will allow EU citizens and residents to store all their official credentials (such as national ID cards, driving licenses, health cards, library or university ID cards, academic qualifications, etc.) in a single mobile app.

Cybersecurity

We hope that 2026 will also be the year in which the law transposing the NIS 2 Directive is finally approved and published in Spain, not only because we are already behind schedule with respect to the mandatory date for enactment of this critical piece of legislation (which should have been approved by October 2024), but also because of its extraordinary importance in achieving a higher level of security for the systems and networks of a huge number of companies operating across multiple sectors of the Spanish economy. The adaptation required at many companies poses significant operational challenges that will need to be addressed without delay.