Overview
This report covers Parliamentary Questions (PQs) and Commission replies published between 22 and 26 September 2025. The key policy areas under scrutiny include the enforcement of the Digital Services Act (DSA), particularly concerning the protection of minors, the implementation and potential reform of the AI Act, and the cybersecurity of critical infrastructure under the NIS2 Directive and Cyber Resilience Act. Other significant topics include international data transfers under the GDPR, the EU’s digital sovereignty ambitions, and platform accountability in various sectors.
Institutionally, the Commission’s replies consistently position existing legislative frameworks—such as the DSA, GDPR, and the new cybersecurity rules—as the primary tools for addressing the concerns raised by MEPs. The tone is procedural and enforcement-oriented, emphasizing the roles and responsibilities of both EU bodies and national authorities in implementing the digital rulebook. These developments are critical for digital policy professionals as they signal a definitive shift from the legislative phase to the practical application and enforcement of the EU’s landmark digital regulations.
Digital Services Act (DSA) & Platform Regulation
❗ Commission Cites DSA as Primary Tool to Protect Youth Mental Health Online
In a reply on 25 September 2025, the Commission addressed concerns about the digital threats to youth mental health raised in question E-002673/25. Commissioner Várhelyi confirmed that protecting minors online is a priority, highlighting the Digital Services Act (DSA) as the central instrument. The response details that Very Large Online Platforms (VLOPs) are obligated to assess and mitigate systemic risks to minors’ well-being and guarantee high levels of privacy and safety. The Commission also pointed to its recent guidelines on the protection of minors, ongoing formal investigations into platforms like TikTok and Meta, and a public consultation on cyberbullying as evidence of its active enforcement and policy development in this area.
❓ MEPs Question Enforcement of DSA and P2B Rules in Holiday Rental Sector
Concerns over consumer protection and fair practices in the holiday home rental sector were raised in question E-003708/2025, submitted on 24 September 2025. Citing issues with platforms like DanCenter and OYO Vacation Homes, the question asks how the Commission will ensure compliance with the Digital Services Act (DSA), particularly regarding transparency and the appointment of legal representatives. It also seeks clarity on how the Commission will coordinate with national authorities to address cross-border consumer issues and verify compliance with the Platform-to-Business (P2B) Regulation. A response from the Commission is pending.
❓ MEPs Press for Exemptions for Local Media Under Political Advertising Rules
In question E-003717/2025 submitted on 24 September 2025, MEP Kristoffer Storm (ECR) raised concerns that new EU regulations on political advertising could harm local and regional media. The question argues that detailed labelling and reporting requirements impose significant administrative burdens on smaller news organisations, potentially forcing them to stop running political ads and lose vital revenue. The MEP asks if the Commission has data on the rules’ impact, whether it will consider exempting local media, and if it will delay implementation to allow for impact assessments. A response from the Commission is pending.
❓ MEPs Question Political Neutrality of French Digital Regulator Arcom
A question submitted on 24 September 2025 (E-003702/2025) raises concerns about the impartiality of France’s regulatory authority for audiovisual and digital communication (Arcom), a key body for enforcing EU digital law. The MEPs allege that Arcom has been “systematically infiltrated by left-wing activists” and failed in its duties, asking if the Commission is concerned about its recruitment methods and whether national authorities responsible for enforcing EU law should be required to have members nominated by the parliamentary opposition. A response from the Commission is pending.
Artificial Intelligence Act (AI Act)
❓ MEPs Ask if Commission Will Reform AI Act High-Risk Rules Before 2026
Citing concerns that the AI Act could hinder innovation and harm competitiveness, MEPs from the ECR group submitted question E-003745/2025 on 26 September 2025. The question highlights that the high-risk requirements will not apply until August 2026, presenting an opportunity for review. The MEPs ask if the Commission intends to reform the high-risk categories before they enter into force, whether it would consider suspending obligations if they are shown to harm innovation, and how it will ensure the framework does not put EU businesses at a structural disadvantage. A response from the Commission is pending.
❓ MEPs Raise Alarm Over Emotional Dependence on AI Systems
A group of Renew MEPs submitted question E-003674/2025 on 23 September 2025, highlighting the risk of psychological dependence on AI platforms that foster intimate exchanges. The question asks the Commission what concrete measures it plans to implement to prevent these risks, particularly for vulnerable users. It also inquires about any European-level initiatives to establish an alert system for AI-induced psychological distress and when the Commission intends to ratify the Council of Europe Framework Convention on AI. A response from the Commission is pending.
Cybersecurity & Resilience (NIS2, CRA)
❗ Commission Outlines Cybersecurity Frameworks to Mitigate Risks from Chinese Drones
In a 26 September 2025 response to question P-003323/25 regarding security risks from Chinese-manufactured drones, Executive Vice-President Virkkunen detailed the EU’s legislative toolkit. The reply states that Unmanned Aircraft Systems (UAS) are covered by the mandatory cybersecurity requirements of the Cyber Resilience Act (CRA), with exceptions for military use or products certified under aviation regulations. The Commission also points to the NIS2 Directive, which allows for coordinated security risk assessments of critical ICT supply chains. Furthermore, it mentions the upcoming revision of the Cybersecurity Act will look at de-risking ICT supply chains from high-risk suppliers and confirms work on a voluntary ‘European Trusted Drone’ label to certify secure design.
❓ MEPs Question Airport Cybersecurity and Resilience Following Major Attack
Following a significant cyberattack on an IT provider that disrupted major European airports, MEPs submitted two related questions on 22 September 2025. Question E-003667/2025 asks if the Commission plans stress tests and joint exercises with ENISA for airport IT providers and how it will mitigate hybrid security risks. Question E-003669/2025 inquires about immediate measures to ensure operational resilience against ransomware, the potential for mandatory security standards for aviation system providers, and measures to prevent passenger data leaks. Responses from the Commission are pending.
❓ MEP Questions Legality of ‘Chat Control’ Proposal Under Fundamental Rights
Concerns over the proposal for a regulation to prevent and combat online child sexual abuse, known as ‘chat control’, were raised in question E-003690/2025 on 23 September 2025. The question highlights that recent proposals could oblige encrypted messaging services to analyse private conversations indiscriminately. MEP Jean-Paul Garraud (PfE) asks the Commission if it considers blanket monitoring of encrypted communications to be in line with fundamental rights and what minimum safeguards must be respected to balance child protection and privacy. A response from the Commission is pending.
Data Protection & Governance (GDPR)
❗ Commission Affirms Israel’s Data Adequacy Decision Remains in Place
In a 22 September 2025 reply to question E-002617/25, Commissioner McGrath confirmed that the Commission’s adequacy decision for Israel under the GDPR remains functional. The Commission recently evaluated the decision and concluded it could be kept in place, noting that it had negotiated a “significant strengthening of privacy safeguards” in Israeli law in May 2023. The reply states that monitoring developments in third countries is a “continuous and comprehensive process” based on various sources, and that the Commission has the tools to amend, suspend, or repeal the decision if the level of protection weakens.
❗ Commission Clarifies GDPR Rules on Genetic Data but Defers to National Authorities
Responding to question E-002290/25 about a Greek program involving neonatal genetic screening by US companies, the Commission outlined the relevant EU legal framework on 22 September 2025. Commissioner McGrath’s reply references the EU Charter of Fundamental Rights and the GDPR, which require a legal basis and informed consent for processing such sensitive data. However, the Commission clarified that monitoring and enforcement of the GDPR fall within the competence of national authorities, in this case, the Greek Data Protection Authority. The Commission stated it does not assess individual compliance cases and has no specific information about the program in question.
❓ MEPs Seek Action on Protection of Genetic Data from Recreational Testing
Question E-003662/2025, submitted on 23 September 2025, raises concerns about the privacy risks associated with direct-to-consumer genetic tests. The question notes that genetic data cannot be fully anonymised and that consumers may not be aware of how their data is shared or sold, including to entities outside the EU. The MEP asks what steps the Commission is taking to ensure the effective protection of citizens’ genetic data, counter misleading commercial practices, and introduce additional information requirements for consumers. A response from the Commission is pending.
Telecommunications & Connectivity
❗ Commission Explains Legal Hurdles to Western Balkans Joining ‘Roam Like at Home’
In a 25 September 2025 response to question E-002926/25, the Commission explained the different legal bases for including Ukraine and Moldova versus the Western Balkans in the EU’s ‘roam like at home’ area. Commissioner Kos noted that the Association Agreements with Ukraine and Moldova include a Deep and Comprehensive Free Trade Area, providing the necessary legal framework, which is absent in the EU-Western Balkans Stabilisation and Association Agreements. The Commission confirmed it is working on a solution via the Growth Plan for the Western Balkans to complement the existing agreements and provide the legal framework needed for extension.
❓ MEP Asks if Signal Messenger Falls Under European Electronic Communications Code
Question E-003714/2025, submitted on 24 September 2025, asks for the Commission’s interpretation of the European Electronic Communications Code. Specifically, MEP Markéta Gregorová (Verts/ALE) questions whether the free and ad-free messenger application Signal falls under the Code’s definition of a service “normally provided for remuneration.” This clarification would determine whether internal market rules, such as the Code, apply to the service. A response from the Commission is pending.
❗ Commission Proposes Partial Suspension of Israel’s Horizon Europe Association
In a significant reply on 24 September 2025 to question E-002253/25, the Commission addressed the involvement of Israeli defence-related actors in Horizon Europe projects. Commissioner Zaharieva stated that while dual-use research is not prohibited, the Commission considers there is a case for a “partial suspension” of Israel’s association to the program. This follows a review by the High Representative which found indications that Israel may be in breach of its human rights obligations under the EU-Israel Association Agreement. The Commission has proposed to the Council a “proportionate measure” specifically concerning the participation of Israeli entities in the European Innovation Council (EIC) Accelerator.
❓ MEP Questions Lack of EU Support for AI Champion Mistral AI
Highlighting French start-up Mistral AI as a key player for European technological sovereignty, question E-003657/2025 from 22 September 2025 asks why there has been no “concrete, structured or significant support” from the Commission. MEP Jean-Paul Garraud (PfE) asks if the Commission acknowledges Mistral AI as a strategic actor for the EU’s digital autonomy and what practical steps it plans to take to help Member States develop such businesses without them falling under non-European control. A response from the Commission is pending.
❗ Commission Details EUBAM Libya’s Border Surveillance Support
On 26 September 2025, High Representative/Vice-President Kallas provided a detailed response to question E-003137/25 concerning the EU’s border management assistance mission in Libya (EUBAM Libya). The reply specifies that the mission is active at the Ras Ajdir border crossing, Al Assah operations centre, and Abu Sharaf guard tower. It lists technical equipment provided, including radio systems, computers, and photovoltaic panels. The Commission clarified that the mission’s focus is on Libyan intra- and inter-agency cooperation and that it has no engagement with Tunisian authorities. It also confirmed that EUBAM Libya is providing customs management software to the Libyan Customs Authority to launch the Automated System for Customs Data (ASYCUDA).
❗ EU-Africa Partnership Guided by 2030 Joint Vision, Says Commission
Responding to criticism of the EU’s approach to relations with African states in question E-002888/2025, High Representative/Vice-President Kallas stated on 22 September 2025 that the partnership is guided by the “Joint Vision for 2030” adopted at the 2022 EU-AU Summit. The reply emphasizes that the EU remains Africa’s top partner in trade, investment, and security. It highlights the Global Gateway Africa-Europe Investment Package, which targets at least EUR 150 billion of investments by 2027 in key infrastructure, including energy, digital, and transport, as a core element of the strategy.
❗ Commission Confirms RRF Final Recipient Data is Being Collected and Published
In a 22 September 2025 reply to question E-003046/2025, Executive Vice-President Fitto addressed the tracking of Recovery and Resilience Facility (RRF) funds reaching the real economy. The Commission confirmed that Member States are obligated to report data on the 100 final recipients receiving the highest amount of funding. This data is updated twice a year and centralized on the Recovery and Resilience Scoreboard. The Commission noted that 25 Member States had complied in the last reporting round and it is working with the remaining two to ensure they provide the data.
❓ MEPs Question Commission President’s Use of Disappearing Messages
Question E-003738/2025, submitted on 25 September 2025, raises concerns about transparency and institutional accountability following reports of Commission President Ursula von der Leyen using the ‘disappearing messages’ function. The question asks how the Commission ensures this practice does not lead to the loss of information that should be archived under EU transparency rules, what objective criteria are used to decide which communications must be archived, and what measures will be taken to ensure digital exchanges of political importance are documented. A response from the Commission is pending.
❗ Commission Outlines Digital Circularity Passport in End-of-Life Vehicles Proposal
On 25 September 2025, the Commission responded to question E-003165/25 concerning the revision of the End-of-Life Vehicles (ELV) Directive. Commissioner Roswall explained that the proposed “Circularity Vehicle Passport” will ensure the availability of digital information on the safe removal and replacement of parts, which will benefit citizens through more cost-effective repairs. The Commission clarified the passport is not intended to trace vehicles but to improve traceability and enforcement, stating that the rules will not restrict private sales of roadworthy vehicles. The reply notes that digitalisation synergies with the Roadworthiness Package will help limit costs.
An analysis of the Commission’s replies from this period reveals a clear institutional posture focused on the implementation and enforcement of existing legal frameworks. Across diverse topics—from protecting minors online (DSA) and securing critical infrastructure (NIS2, CRA) to managing international data flows (GDPR)—the Commission consistently points to its recently enacted digital and cybersecurity rulebook as the primary solution. This suggests a strategic shift from a decade of intensive law-making to a phase of operationalizing those laws. The institution is actively using its new powers, as evidenced by references to ongoing DSA investigations and the development of implementation guidelines.
A second cross-cutting theme is the Commission’s careful delineation of its jurisdictional boundaries. In responses concerning data protection enforcement in Greece or the conduct of Israeli entities in Horizon Europe, the Commission positions itself as the guardian of EU law at a systemic level, while deferring to national authorities (like Data Protection Authorities) for individual cases or to the Council for politically sensitive decisions like sanctions. This underscores a commitment to the EU’s institutional structure, framing its role as one of oversight and coordination rather than direct intervention in all matters.
Finally, the replies indicate a pragmatic, rules-based approach to strategic autonomy. Whether explaining the legal prerequisites for extending roaming to the Western Balkans or outlining the development of a ‘European Trusted Drone’ label, the Commission frames its actions within established legal and technical processes. This approach suggests that the pursuit of digital sovereignty is being translated from high-level political ambition into concrete, albeit incremental, regulatory and technical measures designed to de-risk supply chains and strengthen the single market.
