The European Commission has initiated a far-reaching overhaul of the European Union’s regulatory framework for telecommunications and digital infrastructure by proposing two landmark pieces of legislation, the Digital Networks Act (DNA) and a revised Cybersecurity Act (CSA 2.0). Published in January 2026, these proposals are designed to dismantle a fragmented system of existing directives and regulations, replacing it with a unified, directly applicable Regulation. This sweeping reform aims to forge a more harmonized, secure, and future-proof digital single market, creating profound implications for a vast ecosystem of stakeholders, including telecom providers, satellite operators, digital infrastructure providers, and the corporate end-users who depend on these critical services. The modernization effort is a direct response to the escalating demand for advanced connectivity driven by technologies like AI and cloud computing, coupled with the ever-present shadow of sophisticated cybersecurity threats.
A New Regulatory Paradigm
Overhauling the Old Framework
The central goal of this legislative reform is to thoroughly modernize the EU’s telecommunications rules, bringing them in line with the complex realities of the contemporary digital economy. The existing framework, anchored by the 2018 European Electronic Communications Code (EECC), has long been criticized for fostering national fragmentation. Because the EECC is a directive, it requires transposition into the national laws of each member state, a process that has inevitably led to regulatory inconsistencies and operational hurdles for companies operating across borders. The new legislative package directly confronts this issue by consolidating several key legal instruments—including the EECC, the BEREC Regulation, and core components of the Open Internet Regulation and the ePrivacy Directive—into the singular Digital Networks Act. This consolidation is not merely an administrative tidying-up; it represents a strategic move to eliminate contradictions and streamline governance across the Union. A critical aspect of this new structure is the deep and direct interplay between the DNA and the revised Cybersecurity Act, which establishes a new paradigm where robust cybersecurity is no longer an ancillary consideration but a fundamental, non-negotiable prerequisite for market access.
Cybersecurity as a Condition for Market Access
Perhaps the most transformative change introduced by the new framework is the elevation of supply chain cybersecurity to a mandatory condition for providing electronic communications networks and services. The Digital Networks Act explicitly links the right to operate, granted through general authorizations and spectrum rights, to strict and verifiable compliance with the supply chain security measures mandated by CSA 2.0. This integration forges a powerful and direct enforcement mechanism for cybersecurity standards throughout the entire sector, moving security from a best-practice recommendation to a core element of regulatory compliance. Under the proposed CSA 2.0, the European Commission will be endowed with significant powers to identify and mitigate systemic risks. It will be empowered to designate specific vendors as “high-risk,” identify countries that pose a notable cybersecurity risk, and define “key ICT assets” that are deemed critical to network functionality and security. Consequently, providers of electronic communications services will be explicitly prohibited from using components from these designated high-risk vendors within their key ICT assets. Furthermore, the regulation will mandate the phasing out of any such existing components from their networks, forcing a potentially costly and operationally complex transition for many operators who have built their infrastructure around a diverse global supply chain. This proactive stance on security represents a fundamental shift in regulatory philosophy.
To enforce these stringent requirements, the Commission can impose a wide range of mandatory mitigation measures on targeted entities, many of which are likely to align with those already identified under the NIS2 Directive. These measures are extensive and can include compelling operators to diversify their ICT component sourcing to avoid over-reliance on a single, potentially high-risk vendor. Regulators can also impose contractual and operational restrictions, limiting or scrutinizing relationships with certain third-country entities, and even prohibit access to networks and data by entities from specified non-EU countries. Enhanced transparency and auditing requirements, including mandatory reporting and third-party audits, will be used to verify compliance. The penalties for non-compliance are severe, underscoring the seriousness of these new obligations. CSA 2.0 introduces the possibility of fines up to 7% of a company’s total worldwide annual turnover. In cases of persistent or egregious non-compliance, regulators will have the ultimate sanction of withdrawing an operator’s general authorization or spectrum rights, effectively terminating their ability to provide services within the EU. This creates an environment where ignoring supply chain security is no longer a viable business risk.
Core Pillars of the New Legislation
Fostering a True Single Market
In an effort to cultivate a genuine single market for telecommunications, the Digital Networks Act introduces a series of measures designed to streamline and simplify cross-border operations. A harmonized set of conditions for general authorizations will be established, ensuring that baseline requirements—including critical standards for cybersecurity and infrastructure resilience—are uniform across all member states. The centerpiece of this harmonization effort is a “single passport” procedure. This innovative mechanism will allow providers to offer electronic communications networks and services across multiple EU member states through a single notification and confirmation process. By drastically reducing administrative burdens and eliminating the need to navigate 27 different regulatory frameworks, this single passport creates a much more efficient and predictable path for market entry and expansion, encouraging competition and investment across the Union. This approach directly addresses the fragmentation that has long been a barrier to the creation of pan-European telecom operators capable of competing on a global scale. The goal is to make the EU a more attractive and coherent market for both established players and new entrants.
In the crucial realm of spectrum management, the DNA introduces two fundamental changes designed to promote more efficient use of this finite resource and provide the long-term certainty needed to spur investment in next-generation networks. First, a “use-it-or-share-it” principle will be strictly enforced, compelling holders of spectrum rights to either actively deploy their allocated frequencies or make them available for sharing with other operators. This policy is aimed squarely at preventing the inefficient practice of hoarding valuable spectrum resources, ensuring they are deployed for public benefit and economic growth. Second, the DNA proposes an unlimited duration for spectrum rights, moving away from the fixed-term licenses that have traditionally created investment uncertainty for operators planning multi-billion-euro network upgrades. While member states will retain the power to revoke or limit these rights under specific, justified conditions, individual rights that are limited in duration would be automatically renewed upon the holder’s request. This provides a much greater degree of long-term predictability, which is essential for operators planning significant capital investments in technologies like 5G Advanced and future 6G networks.
Modernizing Infrastructure and Competition Rules
The Digital Networks Act signals a definitive and strategic policy shift toward fiber-optic networks by mandating a structured, Union-wide transition away from legacy copper infrastructure. National regulatory authorities (NRAs) will be required to identify specific geographic “copper switch-off” (CSO) areas. The switch-off is mandated in a two-phase approach to ensure a smooth transition. The first phase, to be completed before December 31, 2035, requires copper switch-off in CSO areas that meet two cumulative conditions: at least 95% fiber coverage and the availability of affordable retail connectivity services for end-users. By December 31, 2035, the second phase will make the copper switch-off mandatory in all other designated CSO areas, setting a hard deadline for the full transition to next-generation infrastructure. While prioritizing fiber, the Commission reaffirms its commitment to infrastructure-based competition as the primary driver of market efficiency and consumer choice. The DNA stipulates that member states must ensure the roll-out of new networks can proceed in a fair and efficient manner, independent of any access obligations imposed on incumbent operators with significant market power (SMP).
This legislative package also refines the EU’s approach to market regulation and consumer protection. The significant market power (SMP) concept is retained as the cornerstone of ex-ante regulation but is refined to be more closely aligned with the “dominant position” standard under general EU competition law, aiming for greater speed and predictability. To simplify the regulatory process, certain complex and little-used mechanisms from the EECC, such as the co-investment deregulation option, are being removed. The framework for remedies is maintained but with a clear preference for less intrusive interventions, such as mandating access to passive infrastructure like ducts and masts, over heavy-handed price controls. Consumer protection rules are streamlined and harmonized, with a particular focus on requiring enhanced measures against fraud and malicious online activities. Finally, the DNA repeals sector-specific rules for universal service obligations, stipulating that any public compensation for these services will now be governed by the normal EU state aid framework, giving member states greater flexibility in how they ensure connectivity for all citizens.
Navigating the Path Forward
The introduction of the Digital Networks Act and the revised Cybersecurity Act marked a pivotal moment for the European Union’s digital and telecommunications sectors. The proposals, which elicited a mixed but engaged response from the industry, underwent the EU’s ordinary legislative procedure, involving detailed negotiations between the European Parliament and the Council. While major telecom operators had welcomed the moves toward harmonization, particularly the single passport and longer-term spectrum licensing, they also voiced concerns that the proposals did not go far enough in simplifying regulations and incentivizing investment. The legislative journey required balancing the need for robust security and consumer protection with the desire to foster a dynamic and competitive market. Businesses operating in this space had to prepare for a fundamentally altered regulatory environment. This involved immediate assessments of their supply chains to identify potential high-risk vendors and the development of strategies for mandated phase-outs and diversification. The streamlined authorization and spectrum procedures offered new avenues for growth, which companies factored into their cross-border expansion plans, while operators also developed clear roadmaps for the mandated copper switch-off. Ultimately, this legislative package represented a comprehensive and forward-looking effort to build a more resilient and competitive digital single market.
