EU Tech Policy Brief: March 2025
Welcome back to the Centre for Democracy & Technology Europe‘s Tech Policy Brief! This edition covers the most pressing technology and internet policy issues under debate in Europe and gives CDT’s perspective on the impact to digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website. Do not hesitate to contact our team in Brussels.
👁️ Security, Surveillance & Human Rights
CDT Europe at RightsCon 2025
CDT US and CDT Europe took part in the 13th edition of RightsCon, held in Taipei from 24-27 February. CDT Europe’s Silvia Lorenzo Perez participated in several sessions addressing abuse of commercial spyware in the EU and beyond from several angles, including investor accountability, the complexities of defining spyware, financial tracking (“follow the money” reporting), litigation strategies, global regulatory efforts, and the geopolitical factors shaping policy responses.
Silvia spoke on two key panels addressing spyware regulation and global accountability. The first, hosted by the Human Rights Center at the University of Minnesota, explored the challenges and lessons of spyware regulation, using the European Parliament’s PEGA Committee Report as a starting point. It incorporated insights from UN Special Procedures, observations from UNODC and OHCHR, and civil society perspectives on ground-level realities and necessary reforms. The discussion also considered the EU’s leadership role in global spyware regulation, particularly where multilateral efforts have struggled.
The second panel, organised by the Spyware Accountability Initiative, convened global experts to assess progress in spyware accountability, covering research, litigation, state regulation, and investor engagement. Silvia reflected on developments over the past year and expectations for the year ahead.
CDT Europe also took advantage of the presence of key European partners at RightsCon to host a strategic brainstorming session, identifying challenges and opportunities to advance regulatory and litigation efforts in the region.
Focus on the Pall Mall Process for the Future of Spyware Regulation
Spyware and cyber threats were also a major topic at CyberNext Brussels 2025 on 5 March, where CDT Europe’s Silvia Lorenzo Perez appeared on a panel to discuss commercial spyware’s growing impact in Europe and its risks to cybersecurity, national security, and human rights. In response to concerns about lacking oversight of States’ spyware uses, Silvia emphasised the need for governments to limit their use of spyware and ensure that national security claims are necessary, proportionate, and clearly defined by law, and respect the essence of fundamental rights. Those claims should also be subject to strong oversight, in line with the standards set by the European Court of Human Rights and the Court of Justice of the European Union.
Silvia’s panel also discussed the Pall Mall Process, a joint initiative by France and the UK to establish guiding principles for development, sale, and use of commercial spyware. While the process offers an important multistakeholder platform for dialogue, robust safeguards are still crucial to prevent spyware misuse and protect fundamental rights. Panelists also emphasised the importance of EU-level action in addressing the proliferation of commercial spyware.
Recommended read: Council of Europe, Europe Press Freedom Report – 2024: Confronting Political Pressure, Disinformation, and the Erosion of Media Independence
💬 Online Expression & Civic Space
International Women’s Day 2025
To mark International Women’s Day 2025, our Secretary General Asha Allen participated in two important occasions to discuss the state of play for gender equality in Europe.
During a conversation with Laeticia Thissen for the FEPS Talks podcast, Asha reflected on the impact of online gender-based violence on democratic and civic space participation. The two also discussed how harmful content moderation practices result in self-censorship of feminist and LGBTQI+ voices, an effect widely criticised by advocates.
At the “Equality in Digital” event at the European Parliament, organised by Member of the European Parliament Elena Sancho Murillo, Asha joined a panel to exchange on how to implement regulations such as the DSA, Directive on Violence against Women, and AI Act, to effectively address the harms that AI systems can cause for victims.
Addressing Online Threats Against Journalists and Fact-Checkers
On 11 March, CDT Europe’s David Klotsonis took part in a thematic roundtable on journalistic protections, organised by the OSCE Representative on Freedom of the Media. The discussion focused on strengthening Big Tech accountability and engagement to enhance journalists’ safety, with key topics including safety-by-design measures and escalation channels.
David emphasised the need for safety-by-design approaches to mitigate online risks for journalists. While platforms often rely on ex-post moderation, their engagement-driven models can amplify online violence. The Digital Services Act (DSA) includes critical provisions, such as Article 22 on Trusted Flaggers, to help identify harmful content including threats against journalists. However, their effectiveness is undermined by resource constraints, low adoption rates, and public skepticism. Additionally, attacks seeking to delegitimize the media have increasingly targeted fact-checkers and Trusted Flaggers themselves. To ensure these tools fulfill their purpose, national regulators (Digital Services Coordinators) must prioritise adequate resourcing and clear communication to build public trust in mechanisms designed to protect journalists and uphold media integrity.
Recommended read: Tech Policy Press, A New Framework for Understanding Algorithmic Feeds and How to Fix Them
⚖️ Equity and Data
Global AI Action Summit: A Missed Opportunity
CDT Europe’s Laura Lazaro Cabrera attended the French AI Summit, held in Paris on 10 and 11 February, which was largely a missed opportunity for EU policymakers to defend and promote the bloc’s Artificial Intelligence Act on a global stage. Instead, representatives promised an innovation-friendly implementation of the AI Act and committed to cutting red tape for companies. Despite the limited spaces created by the French AI Summit to hold frank and meaningful discussions about the risks posed by AI, several Summit side events explored these questions in depth. Many were organised by civil society organisations critically reflecting on the global approach to AI governance and devising strategies to move forward.
One of these events, organised by Renaissance Numérique, notably explored how to meaningfully leverage civil society participation in global AI governance processes. Civil society representatives took stock of the French AI Summit and brainstormed crucial changes needed to build on lessons learned. At the event, Laura delivered a summary of panelists’ and discussants’ inputs, and set the scene for the concluding remarks.
Third Draft Code of Practice on General-Purpose AI Released
On 11 March, the European Commission unveiled the third draft of the Code of Practice on general-purpose AI (GPAI) – the last draft to be put to final consultation. This latest draft splits the Code of Practice into four parts, dealing with commitments, transparency, copyright, and safety and security respectively. The latter section addresses obligations relative to risk assessment and mitigations, and has been subject to significant changes amounting to a significant regression in terms of fundamental rights protections. The list of mandatory risks to be assessed — also known as “selected” systemic risks taxonomy — has been substantially watered down, and now excludes discrimination, which has been relegated to the list of optional risks alongside CSAM/NCII and risks to privacy. The draft moreover dissuades GPAI model providers from considering these risks, cautioning them to only assess them if they are specific to the high-impact capabilities of GPAI models. Read our initial analysis on our website.
Recommended read: Reuters, Spain to impose massive fines for not labelling AI-generated content
🗞️ In the Press
- Netzpolitik, EU-Kommission will ausfegen
- Silicon Republic, EU withdraws its AI Liability Directive – What does this mean?
- Euronews, Industry flags ‘serious concerns’ with latest draft of EU AI code of practice
- Contexte, IA : la Commission revoit à la baisse ses ambitions sur le code de bonnes pratiques pour tenter de rallier la tech (paywalled)
⏫ Upcoming Events
AI Standards Hub Global Summit
On Monday 17 March, our Equity & Data programme director Laura Lazaro Cabrera is speaking at the AI Standards Hub Global Summit 2025 on a panel with CSO representatives and experts. They’ll explore the role of civil society and human rights expertise in shaping AI standards, and challenges in effectively integrating fundamental rights considerations to current standards-setting processes. You can register to attend the event either in person or online.
