Daily Briefing
2026-04-07

10 signals · generated 08:01 UTC

Europe is simultaneously accelerating digital identity infrastructure and exposing enforcement gaps in its online safety framework. The CSAM scanning derogation expiry, the Entry-Exit System's stumbling April 10 rollout, ENISA's open certification consultation for the EUDI Wallet, Ireland's public engagement phase, and 4chan's direct defiance of Ofcom all reflect the same structural pattern: the EU and UK have set ambitious regulatory architectures that are outpacing both technical readiness and enforcement reach. For legal and compliance teams with EU or UK exposure, this week is less about new obligations than about managing uncertainty in frameworks that are partially operational.

Microsoft, Google, Meta, and Snapchat have jointly committed to continuing voluntary CSAM scanning in the EU following the expiration of the ePrivacy Directive derogation covered in yesterday's briefing. The material development is the formalization of that voluntary posture: platforms are now explicitly operating without a statutory legal basis for scanning private communications, creating direct tension with Article 5(1) of the ePrivacy Directive's confidentiality requirements. The practical question is whether a DPA or the Commission treats voluntary continuation as a compliance exposure rather than a good-faith interim measure — particularly as Chat Control negotiations remain stalled. Practitioners advising platforms on EU communications products should assess whether their client's scanning architecture can be characterised as something other than systematic content interception pending legislative resolution. Watch level: PREPARE (platforms operating communications or messaging services in the EU — legal basis for scanning is currently absent; document the rationale for any ongoing detection activity now)

ENISA has published a draft cybersecurity certification scheme for EUDI Wallets under the Cybersecurity Act, with the stakeholder comment window closing April 30, 2026. This is the operative procedural threshold: the scheme will directly shape security requirements that wallet providers and relying parties must meet ahead of the end-2026 mandatory deployment deadline. Separately, Epicenter.Works has flagged the Commission's proposed mandatory biometric photo requirement and removal of trilogue-era user protections — signals that the final scheme may face civil society challenge or member-state pushback. Organizations building on or integrating EUDI Wallet infrastructure should treat the April 30 comment deadline as an engagement decision point, not a monitoring item. Watch level: PREPARE (wallet providers, relying parties, and identity infrastructure vendors operating in the EU — April 30 comment deadline is the next material procedural gate)

Ireland has opened a public consultation and opt-in pilot for its Government Digital Wallet, aligned with its eIDAS 2 end-2026 obligation. The initiative is notable for its explicit incorporation of selective disclosure and data minimization principles into wallet design — design choices that will bind relying parties once the wallet is deployed. Organizations operating services in Ireland that may become relying parties under the eIDAS 2 framework should monitor the consultation output for credential scope and technical integration requirements. Watch level: MONITOR (relying parties and digital service providers operating in Ireland — eIDAS 2 deadline is end-2026, but design decisions made now will constrain later integration options)

4chan has formally refused to pay Ofcom fines totaling £520,000 under the Online Safety Act, asserting that UK law does not bind U.S.-incorporated entities. The refusal is not legally novel — the jurisdictional tension between residence-based regulation and incorporation-based immunity has been visible since the OSA was drafted — but the explicit, public defiance by a named platform is a materially different posture than non-compliance by inaction. It suggests that Ofcom's enforcement toolkit, which lacks direct in-country asset seizure or ISP-blocking authority in the near term, may be insufficient to compel compliance from non-cooperative foreign platforms. Legal teams advising on OSA compliance should monitor whether Ofcom escalates to IP-blocking referrals or seeks parliamentary attention; either step would signal a change in enforcement posture with implications beyond 4chan. Watch level: MONITOR (platforms incorporated outside the UK with UK user bases — current enforcement posture warrants observation, not immediate action)

The EU's Cyber Resilience Act is creating tangible redesign pressure for biometric access control manufacturers, particularly those built around centralized architectures and remote management dependencies. The regulation treats security-by-design as a market access condition, not a post-market audit concern — meaning products that cannot demonstrate reduced external attack surface at the design stage face direct regulatory exposure, not just best-practice criticism. Manufacturers and enterprise buyers procuring biometric access infrastructure for EU deployment should be reviewing vendor CRA compliance roadmaps now, as the product design cycle for hardware systems means lead time is a real constraint. Watch level: PREPARE (biometric hardware manufacturers and enterprise security procurement teams with EU operations — CRA compliance is a market access condition, and hardware design cycles are long)

Top Signals

🇪🇺 industry · Voluntary CSAM Scanning in EU Lacks Legal Basis — Exposure Risk for Platforms
🇪🇺 standards · ENISA EUDI Wallet Certification Comment Window Closes April 30 — Act Before Deadline
🇬🇧 enforcement · 4chan Defies Ofcom Fines — OSA Extraterritorial Enforcement Limits Now Explicit
🇪🇺 analysis · EU Cyber Resilience Act Forces Biometric Access System Redesign — Hardware Lead Times Are a Constraint

Policy Signal · policysignalhq.com · Major privacy + AI governance moves, distilled.