The EU AI Act is moving from legislation to enforcement. On May 19, the Commission opened public feedback on draft guidelines for classifying high-risk AI systems; the document determines compliance scope for thousands of businesses, and it arrives ten weeks before enforcement powers over general-purpose AI models become fully active.
Two days from now, the Tech Sovereignty Package lands with the Cloud and AI Development Act, which will define what "sovereign cloud" means in EU law, and whether that definition has teeth.
Policy & Regulation
DMA first review: fit for purpose, but cloud and AI are next
The European Commission's April 28 first formal review of the Digital Markets Act found the regulation fit for purpose and declined to expand its scope: no generative AI services added to gatekeeper obligations, no social media interoperability mandate.
The DMA has been fully applicable for just over two years, and the Commission's view is that the evidence base for major changes is not there. But the review made equally clear where enforcement pressure is heading.
Three cloud market investigations are already underway: whether AWS and Microsoft Azure should be designated as gatekeepers, and whether DMA provisions can address cloud market concentration at all.
US hyperscalers hold more than 65% of the EU cloud market. Cloud contracts are typically B2B, so user-number thresholds that trigger DMA designation may not be met even where market dominance is obvious.
The Commission has signalled it will use qualitative analysis and market investigations to close that gap, without waiting for legislative amendment. (TechPolicy.Press) (European Commission)
AI Act: high-risk classification guidelines open for feedback
On May 19, the Commission opened a public consultation on draft guidelines for how to classify AI systems as high-risk under Annex III of the AI Act. The document determines the practical scope of the heaviest compliance obligations: conformity assessments, technical documentation, human oversight requirements.
Final guidelines are expected before August 2.
August 2 is when Commission enforcement powers over GPAI model providers become fully active. Providers placing models on the market before August 2025 have until August 2027 to comply; all new models face obligations now.
The AI Omnibus agreed May 7 pushed most high-risk obligations to December 2027 and August 2028. The August 2 GPAI enforcement date stands, and transparency rules for AI-generated content apply from August 2026 as originally scheduled. (EU AI Act tracker) (Commission consultation)
DSA: platforms meet researchers for the first time
Also on May 19, the Commission and a coalition of Digital Services Coordinators convened the first roundtable bringing Very Large Online Platforms together with vetted researchers under Article 40 of the Digital Services Act. The session operationalised the delegated act on researcher data access, translating a legal right that existed on paper into actual data requests.
Academic and civil society researchers can now submit requests to access platform datasets for public interest research: disinformation patterns, algorithmic amplification, content moderation effects.
For the first time, the DSA's accountability infrastructure has moved from legal text into practice. Whether platforms cooperate substantively or use technical and legal friction to slow access will determine whether the DSA produces real transparency or compliance theatre. (EOSC Association) (European Commission)
Platform Work Directive: six months to transposition, most states silent
EU member states have until December 2, 2026 to transpose the Platform Work Directive into national law. The directive introduces a rebuttable presumption of employment where indicators of managerial control exist, shifts the burden of proof onto platforms, and requires human review of any decision to suspend or terminate a worker's account.
It also mandates algorithmic transparency: platforms must disclose how automated systems allocate work, set prices, and restrict accounts.
With six months to go, formal transposition processes have barely begun in most member states. The directive covers an estimated 28 million workers across the EU.
The most complex implementation falls on countries with large gig economies: Spain, Italy, France, and Poland. The December deadline will stress-test whether member states treat EU digital labour law as a priority or repeat the DSA pattern of implementation by litigation. (EU Platform Work Directive) (Remote Work Europe News)
Capital & Investment
ICEYE secures €300M credit facility as sovereign surveillance accelerates
Helsinki-based ICEYE, the SAR satellite operator that doubled in size in 2025, closed a €300 million three-year revolving credit facility on May 21, backed by a seven-bank syndicate including Citi and Danske Bank as lead arrangers.
The facility covers customer-contract guarantees, operating growth, and liquidity. It is the financial plumbing for a rapid succession of government contracts.
The contracts are piling up: a €158 million agreement with the Finnish Defence Forces in September 2025; a Sweden-FMV contract in January 2026; the handover of MikroSAR, Poland's sovereign SAR satellite reconnaissance system, to the Polish Armed Forces in under 12 months from contract signing; and a €1.7 billion space-based reconnaissance partnership with Rheinmetall for the German Bundeswehr.
ICEYE is building the backbone of NATO-adjacent satellite surveillance infrastructure. Total equity funding now exceeds €600 million. (EU-Startups) (ArcticStartup)
EU Defence Fund deploys €1.07B across 57 projects
The European Commission confirmed in April that €1.07 billion from the European Defence Fund will flow to 57 collaborative R&D projects under the European Readiness Flagships programme. Priority areas include AI and autonomous systems, quantum-secured communications, electronic warfare, and multi-domain operations cloud infrastructure.
The EDF marks a structural shift: EU-level funding for defence R&D that was politically unthinkable a decade ago is now routine. The 2026 Work Programme earmarks €1 billion for collaborative R&D, with a quarter allocated to critical technologies. (European Commission — EDF)
European defence-tech on course to exceed 2025 record
European defence, security, and resilience startups raised $8.7 billion in 2025, up 55% year-on-year and nearly four times higher than five years ago. Venture data for 2026 suggests the trajectory is continuing; Helsing's reported $1.2B raise at an $18B valuation (covered last week) and ICEYE's €300M credit facility are among the headline moves.
The SAFE programme, providing up to €150 billion in EU loans for urgent defence procurement, began disbursing first payments in early 2026.
The political conditions are structural, not cyclical: Russia's ongoing war in Ukraine, NATO spending commitments, and accelerating US signals that European defence cannot rely on American guarantees. Capital is following the threat assessment. (Vestbee) (European Commission — SAFE)
Work & Society
Platform workers gain employment presumption, if states deliver
The Platform Work Directive's employment presumption reverses the default logic of the entire gig economy. From December 2, platforms that exercise managerial control over workers, setting prices, allocating tasks, monitoring performance algorithmically, will need to affirmatively prove those workers are contractors, not employees.
For 28 million workers across the EU, this opens access to minimum wages, paid leave, and collective bargaining rights they currently lack.
The question is whether transposition produces real reclassification or creative compliance. Spain's 2021 Riders' Law, which introduced a similar presumption nationally, resulted in significant reclassification by major platforms but also widespread restructuring designed to preserve contractor status without substantive employment control.
December's EU-wide baseline should prevent the most obvious workarounds. Enforcement, however, will be national. (Baker McKenzie)
Talent & Workforce
AI literacy becomes a legal obligation from August
Article 4 of the AI Act requires that any organisation deploying AI systems ensure the people working with those systems possess sufficient AI literacy: understanding of how the system works, its limitations, and how to interpret its outputs. The obligation becomes enforceable in August.
The Commission is launching an EU-funded AI Skills Academy in 2026 to provide structured upskilling infrastructure. AI talent in the EU has doubled since 2016, but still represents only 0.41% of the total workforce; women account for fewer than a quarter of AI engineers. (European Commission — AI talent)
One to Watch
CADA drops Wednesday: read the definitions, not the press release
The Tech Sovereignty Package lands May 27. The Cloud and AI Development Act (CADA), twice delayed from March, will define what constitutes a sovereign cloud provider, set eligibility criteria for EU public procurement, and potentially restrict sensitive government data from US hyperscaler platforms in healthcare, finance, and judicial systems.
The political alignment is unusual: tech sovereignty goals, AI competitiveness pressure, and real US trade friction are pointing in the same direction. But whether CADA produces structural change or compliance theatre depends on the definitions section.
A binding, specific definition displaces hyperscalers from significant EU public contracts. A vague or voluntary framework produces a checkbox exercise.
The package also includes Chips Act 2.0 and an open-source strategy; watch how the sovereign cloud definition interacts with the DMA cloud investigations already underway. (European Parliament Legislative Train) (CNBC)