For several decades now, the European Union’s approach to telecommunications has been defined by a single word: competition. The EU’s priorities were breaking up national monopolies, lowering prices for the consumers, and ensuring that everyone can get an affordable DSL connection. One could argue that such a strategy worked. European consumers enjoy some of the lowest mobile and broadband prices in the western world. The new goal that Brussels is trying to achieve is strategic sovereignty. Inspired by the trend-setting 2024 Mario Draghi’s and Enrico Letta’s reports, the European Commission has acknowledged that even though prices are low, the underlying infrastructure is fragmented and unable to keep up with the newest technological advancements. Europe currently consists of 27 mini-markets while the United States and China treat their networks as singular engines for industrial growth.
There are two pillars of this new era that need to be examined: the Digital Networks Act and the Cybersecurity Act II, alongside the immediate enforcement of the Gigabit Infrastructure Act and security directives. For businesses in the telecom field, it is safe to claim that the 2026 will be the year of the consolidation and adaptation to new rules.
Digital Networks Act: The Single Market Reset
Unveiled in January 2026, the DNA is a declaration that the EU wants to move away from 27 national telecom regimes toward a unified digital continent. The most immediate win for cross-border operators is the Single EU Network Passport system. Currently, if an operator wants to expand from Estonia into Portugal, they face the administrative hurdle of separate notifications and local paperwork that needs to be filed. The DNA replaces this with a model managed by the newly formed Office for Digital Network, through which they would be allowed to notify once and operate everywhere in the union. This lowers the barrier to entry for medium-sized players and allows pan-European companies to centralise their compliance teams in one capital.
A significant challenge for telecom corporations has been the so-called spectrum lottery. Licenses in one country might last 20 years, while the other Member State grants them for 80 years, creating a massive unpredictability for investment. The DNA now pushes for lifelong or significantly extended licensing. Instead, the Commission is introducing a “use it or share it” rule: If an operator sits on spectrum without using it, they will be forced to share it with competitors or satellite providers. This is a clear signal that the EU will provide stability, but the industry must provide coverage in the market.
Transition from Copper to Fiber Networks
For over a hundred years communication relied on copper networks: The first versions of the Internet were rolled out on copper cables. Today, people expect faster connection, and copper can no longer keep up. Over the past fifteen years, fiber have grown fivefold, outperforming copper in speed, distance, and bandwidth, creating a foundation for future technologies such as 6G and AI.
The EU has set a hard deadline for the retirement of copper networks: December 31, 2035. The roadmap begins now, and the companies in the industry could already start preparing for the switch-off. By June 2029, Member States will have to complete milestones in their transition to fiber optic networks. For legacy operators, this will be an expensive rule that will force them to switch to fiber or risk becoming significantly less competitive. For fiber-only players, it’s nothing but good news.
Businesses should expect localised disruptions in areas where copper is retired, requiring a proactive migration of IoT and legacy systems to fiber or 5G. Lastly, DNA introduces the voluntary conciliation facility. The Commission will now facilitate negotiations between “large traffic generators” (in other words, large tech companies) and telecom firms to reach commercial agreements on traffic costs. Even though the term itself suggests that meetings would be voluntary, mandatory measures might be introduced in 2027.
The Cybersecurity Act II: Building the Fortress
If the DNA is about building the new infrastructure for service providers, the CSA II, which was proposed in January 2026 and is highly likely to pass during the first half of 2027, creates a high-risk vendor framework to ensure that the critical components powering these networks are sourced from trusted and secure suppliers. Cybersecurity is the backbone of European security and therefore is an integral part of EU’s “security by design” strategy to address growing challenges from infrastructural fragmentation and threats from hostile actors.
To address these issues, the Act aims to create a unified rulebook for all Member States and build conditions for a better due diligence of the supply chain.
High-Risk Vendors and Maximum Harmonisation
This year marks the beginning of a 3-to-5-year phase-out window for high-risk hardware, which represents an increased business risk for companies that rely on such hardware. Industry players, particularly those coming from the countries that heavily rely on Chinese equipment such as Cyprus or Austria, would have several years to prepare, giving them time to physically replace all hardware. Should the new rules have come into effect immediately, an internet crash would have been guaranteed. For instance, for established companies that built their networks early and are heavily reliant on Chinese equipment, the cost of phasing out Chinese tech and replacing it with something else will likely be measured in billions. For smaller brands that often used Nokia’s or Ericsson’s hardware from the start, the negative impact will be lower. Investors are already pricing this fact into the valuations of major European telecommunication companies, lowering their estimated value.
Additionally, the Commission aims to ensure that cybersecurity rules are aligned for all Member States. Compliance will no longer be a local discussion, but something to be determined in Brussels. Instead of engaging with regulators across all 27 states, companies will now need to reach consensus on the EU level. However, should Brussels decide against a supplier, the company will effectively be locked out of the continent for good, while with the current rules if a negative decision was made on a local level, such as in Budapest or Dublin, the company would only lose one national market and still potentially have access to other states.
Importantly, the EU Agency for Cybersecurity (ENISA) is being transformed from an advisory body into a centralised watchtower. Under the new act, ENISA will have the power to conduct a process called Strategic Supply Chain Reviews. Instead of just examining the code, they will look at the corporate headquarters. If a vendor is deemed a subject to the influence of a non-democratic third country, ENISA can recommend a block.
The Immediate Horizon
As both DNA and CSA II have been unveiled in late January, the next several months will be crucial for polishing the text of the regulations and determining their scope and influence
First, the Digital Networks Act is intended to replace the Electronic Communications Code, adopted as a directive. Unlike the directives which allow for the more flexible implementation within individual Member States, regulations impose strictly the same rules across the Union. Some Member States already push back, arguing they need a directive with more flexible rules to maintain national control. If the “single passport” makes it through the Parliament’s amendments, it will represent a big change for cross-border mergers and acquisitions in the coming years. However, legacy operators are expected to fight the copper switch-off mandates set for 2035 to protect their existing margins. They view the old copper networks as almost pure profit – these networks are already built in the ground and functioning, so the customers who stay on copper networks are cheaper for the firm. Transitioning to fiber would necessitate a huge investment, often measured in billions of euros.
Unlike the original Cybersecurity Act from 2019 which centered on whether the systems were secure, the focus of the new CSA is on who builds those systems and creates a trusted ICT supply chain framework – a network of suppliers, manufacturers, and service providers of tech products. This framework will allow the Commission to bypass national governments to ban high-risk vendors across the EU.
The Gigabit Infrastructure Act: The Field Wave
The GIA, which became applicable in late 2025, is a set of EU-wide rules that make it faster and less expensive to build digital networks. For example, if the water supplier is escavating a street to repair a pipe, it needs to coordinate with telecommunication providers so that the fiber can be laid in the same spot. Even though the Gigabit Infrastructure Act has already entered into force, its heavyweight provisions will come into effect only in May 2026. One of the most significant rules is that if a local authority doesn’t respond to a permit application for 5G towers or fiber digging within four months, the permit is deemed as granted. Additionally, as of February 2026, all new or majorly renovated buildings must be pre-equipped with fiber-ready infrastructure. This implies that the architects and real estate investors will need to incorporate fiber infrastructure in the project designs. Consequently, the buildings that do not have optical networks will likely see a drop in market value.
Full Application of the NIS II Directive
2026 will be the year when the new Network and Information Systems Directive stops being a planning exercise and starts being a strict audit reality: the deadline to turn the Directive into the national laws has passed.
NIS II is made to protect critical infrastructure such as energy grids from cyberattacks or shutdowns. Most importantly, management bodies, such as supervisory boards and boards of directors, can now be held personally liable for cybersecurity failures, and organisations will need to report significant incidents within 24 hours. This applies to both the developers of cybersecurity tech and the end-users. In 2026, the first test cases of these fines are expected. They can reach up to 10 million euros or 2% of global turnover and will be issued by designated national authorities. The company might face different levels of severity across countries, but the Directive still sets the minimum fine amount, so that the rules are relatively harmonised.
Transitioning Towards the Edge Cloud
On 3 March 2026, the Commission announced the European Cloud-Cloud Continuum (EURO-3C) project worth 75 million euros. This is the first large-scale attempt to build a federated telco-edge-cloud. Instead of relying on a single data center outside European borders, edge cloud means deploying small but powerful servers directly within telecom towers on European soil. Since the goal is to create a federated cloud, all participating companies will have to connect their local edge servers into one large network. This signals EU’s plan to move processing power away from giant American data centers and embed it directly within the telecom network. For businesses, this means lower latency for industrial automation and a more sovereign way to store data.
What Should the Business Expect
The regulatory landscape of 2026 is moving toward predictability, but at a price. To stay ahead, business in the telecom and digital sectors should be prepared for the new legislative developments.
First, audit the supply chain. Rather than wait for the “high-risk” list from ENISA, it is advisable to identify dependencies on non-EU vendors soon.
Secondly, the Gigabyte Infrastructure Act’s tacit approval for network expansion can be used to benefit the business. If the company is waiting too long for the permit to be issued, they can now use the new 4 months rule to move forward.
Lastly, it is recommended to prepare for the NIS II audits which will be performed by national authorities to make sure that the leadership of a company is personally overseeing cyber-risk management. Business should ensure that the boardroom-level reporting structures are in place and function well. The grace period for learning the rules is officially over.
The European telecom sector is being rebuilt as the backbone of the the Union’s security. Those who adapt to the sovereignty model will find opportunities for scaling up, while those who stay attached to the national utility model may find themselves left behind by the DNA’s fast-moving timelines.
Read the full Regulatory Horizon Report by B&K Agency:
