EU Geopolitical Risk Update - Key Policy & Regulatory Developments No. 121

On 12 March 2025, the Commission published "The EU in 2024 – General Report on the Activities of the European Union."

The Report highlights the EU's key activities in 2024, particularly in the face of unprecedented challenges in an increasingly fragmented geopolitical environment.

The Report emphasizes EU competitiveness as one of the Commission's priorities in its new 2024–2029 mandate, as set out in its Competitiveness Compass, a major initiative released in January 2025 that presents the Commission's five-year plan to boost Europe's competitiveness (see also Jones Day EU Geopolitical Risk Update No. 120 of 4 February 2025).

In this respect, the Report recalls the key role of competition policy in enhancing the EU's competitiveness, including State aid initiatives such as IPCEIs (Important Projects of Common European Interest)* to support the green and digital transition. Since 2018, the Commission has approved State aid for ten IPCEI projects to support EU industry innovation in strategic sectors such as batteries, hydrogen, microelectronics and healthcare (see also Jones Day EU Geopolitical Risk Update No. 115 of 24 June 2024).

These ten IPCEIs have involved 22 Member States, with the Commission assessing over 330 projects from nearly 250 companies and approving a total of aid of over €37 billion. According to the Commission, these public investments have attracted €66 billion in additional private investment.

The Report also provided the following snapshot of the Commission's antitrust and State aid results in 2024:

• 400 merger decisions;
• 8 antitrust decisions;
• 2 cartel decisions;
• 613 State aid decisions; and
• €3.5 billion in fines on companies deemed to having breached EU competition laws.

For further information about the EU, the Report refers to the official portal for European data (data.europa.eu), which provides access to open datasets from the EU institutions and bodies, as well as from European countries.

* The EU's IPCEI rules (Communication on Important Projects of Common European Interest) seek to enable Member States and industry to jointly invest in ambitious pan-European projects in a transparent and inclusive manner, where the market alone appears unable to deliver and particularly where the risks are deemed as too large for a single Member State or company to assume (see also Jones Day EU Emergency Update No. 107 of 29 September 2023).

On 11 March 2025, the Commission released its draft Communication on the Clean Industrial Deal State Aid Framework (CISAF), a key component of the Commission's Communication on the Clean Industrial Deal: A joint roadmap for competitiveness and decarbonization of 26 February 2025 (see here).

The Clean Industrial Deal aims to support the EU manufacturing industry's competitiveness and resilience, while accelerating decarbonization. The Deal notes that EU industries urgently need support in the face of high energy costs and intense global competition, which is portrayed as unfair by certain stakeholders.

CISAF. The planned CISAF will accompany the Clean Industrial Deal by laying out how Member States can develop State aid measures. The CISAF complements existing State aid guidelines and builds, in particular, on experience with the Temporary Crisis and Transition Framework (TCTF).*

The draft CISAF contains provisions for the simplified and swifter approval of the following types of State aid measures that aim to:

• Accelerate the rollout of renewable energy (e.g., promoting non-fossil electricity flexibility, i.e., the ability of electricity system to adjust to changes in supply and demand without relying on fossil fuels, by using a variety of non-fossil sources to balance the grid, such as renewable energy and energy storage);
• Facilitate industrial decarbonization (e.g., supporting certain investments reducing greenhouse gas emissions or improving the energy efficiency of industrial activities can be eligible, irrespective of the technological solution used);
• Ensure sufficient manufacturing capacity in clean technologies (e.g., incentivizing investment projects that create additional manufacturing capacity for the production, including with secondary raw materials, of relevant equipment for the transition towards a net-zero economy (batteries, solar panels, wind turbines, heat-pumps, electrolysers, and equipment for carbon capture usage and storage (CCUS)); and
• Ease the risk of private investments (e.g., incentivizing private investors to invest in portfolios of eligible projects through aid in the form of equity, loans, and/or guarantees provided to a dedicated fund or special purpose vehicle (SPV) that will hold the portfolio of eligible projects).

Looking ahead. The Commission aims to adopt the CISAF in Q2 2025, including taking into account stakeholder views provided during the Commission's recent consultation (see here).

Once adopted, the CISAF would replace the TCTF. It is intended that the CISAF would remain in force until 31 December 2030.

* The TCTF was established to support the EU economy in the context of Russia's invasion of Ukraine and in sectors key to accelerating the green transition and reducing fuel dependencies (as most lately amended on 2 May 2024). Notably, the Commission published a brief on the use of State aid measures under the TCTF on 20 February 2025 (see here). From March 2022 to June 2024, nearly €796 billion of aid was approved either under the TCTF or directly under the Treaty and based on TCTF principles. Some €219 billion was actually granted to companies, representing 27% of the aid approved and corresponding to 0.5% of EU27 GDP in 2022, 2023 and the first half of 2024.

The EU employs restrictive measures, commonly known as sanctions, as a key instrument to advance its Common Foreign and Security Policy (CFSP) objectives. These objectives include safeguarding the EU's values, fundamental interests, and security; preserving peace; and supporting democracy and the rule of law.

Sanctions encompass a range of measures, including travel bans that prohibit entry or transit through EU territories, asset freezes, and restrictions on EU citizens and companies from providing funds and economic resources to listed individuals and entities. Additionally, sanctions may include bans on imports and exports, such as prohibiting the export to Iran of equipment that could be used for internal repression or telecommunications monitoring, as well as sectoral restrictions.

Russia: On 14 March 2025, the Council prolonged by six months (until 15 September 2025) individual sanctions targeting those responsible for undermining or threatening the territorial integrity, sovereignty and independence of Ukraine. Such restrictions are subject to renewal every six months. In the context of the sanctions' review, the Council also decided not to renew the listings of four individuals and removed three deceased persons from the list.

Earlier, on 24 February 2025, the Council adopted the 16th package of sanctions (see here) followed on 20 May 2025 by the 17th package of sanctions against Russia (see here), which will be reported in a forthcoming issue of the EU Geopolitical Risk Update.*

Altogether, the sanctions apply to over 2400 individuals and entities, many of which are targeted in response to Russia's war against Ukraine. Such restrictive measures concern asset freezes, travel restrictions for natural persons, the freezing of assets, and a ban on making funds or other economic resources available to the listed individuals and entities.

The Council provides an overview of EU sanctions against Russia concerning Ukraine (since 2014), available here. To recall, the EU's restrictive measures against Russia, initially introduced in 2014 in response to Russia's destabilizing actions in Ukraine, have significantly expanded following Russia's military aggression against Ukraine, beginning on 23 February 2022, with the adoption of the first package of sanctions. The Council adopted the 15th package of sanctions on 16 December 2024 (see also Jones Day EU Geopolitical Risk Update No. 119 of 31 December 2024).

* In-depth analyses of the 16th and 17th packages are available from the authors of the EU Geopolitical Risk Update (see contact details below for Nadiya Nychay (Brussels) and Rick van 't Hullenaar (Amsterdam)).

On 26 February 2025, the European Commission released the Omnibus I and Omnibus II packages of proposals to simplify EU rules, boost competitiveness and investment, and support the transition to a more sustainable economy.*

The proposals aim to simplify EU requirements for all businesses (notably, SMEs and small mid-caps), while focusing the regulatory framework on the largest companies that are likely to more significantly impact the environment.

This initiative follows the Communication on the Competitive Compass for the EU of January 2025, which notably included the Commission's objective of unprecedented simplification effort to achieve agreed policy objectives in the simplest, most targeted and effective, and least burdensome way (see also Jones Day EU Geopolitical Risk Update No. 120 of 4 February 2025).

The Omnibus I package includes amendments to the Corporate Sustainability Reporting Directive (CSRD) and Corporate Sustainability Due Diligence Directive (CSDDD) (see also Jones Day Trending Now in ESG of 19 May 2025), as well as the Carbon Adjustment Mechanism Regulation (CBAM). The Omnibus II package includes amendments to the InvestEU Regulation. A draft Taxonomy Delegated Act also accompanied the Omnibus simplification package on sustainability reporting and due diligence.

CBAM. On CBAM, more specifically, the Commission's proposed Regulation to amend the CBAM Regulation (EU) 2023/956 seeks to simplify and reinforce the carbon border adjustment mechanism.

Background. To recall, CBAM addresses greenhouse gas emissions embedded in imports into the EU of certain products in carbon-intensive industries, in view of ensuring equivalent carbon pricing for imports and domestic products. In this respect, the CBAM seeks to prevent the risk of socalled carbon leakage, which jeopardizes the EU's greenhouse gas emissions reduction efforts when businesses (i) increase emissions outside EU borders by relocating production to non-EU countries with less stringent policies to tackle climate change, or (ii) increase imports of carbon-intensive products.

The CBAM's scope initially applies to imports of certain goods and selected precursors whose production is carbon-intensive and at greatest risk of carbon leakage: iron and steel, cement, fertilizers, aluminium, electricity and hydrogen.

The CBAM is designed to operate in parallel with the EU Emissions Trading System (EU ETS),** to mirror and complement its functioning on imported goods. CBAM will gradually replace the existing EU mechanisms to address the risk of carbon leakage, and in particular the free allocation of EU ETS allowances for sectors covered by CBAM.***

Proposed amendments to CBAM Regulation. The main proposed changes to CBAM would:

• Exempt small importers from CBAM requirements by introducing a new CBAM cumulative annual threshold of 50 tonnes per importer. This would exempt some 90% of importers, while maintaining some 99% of emissions within the CBAM scope.
• Facilitate compliance for those importers remaining in CBAM's scope (e.g., simplifying data collection processes and calculation of emissions).
• Enhance CBAM's effectiveness by reinforcing anti-abuse provisions and establishing a joint anti-circumvention strategy alongside national authorities.

Next steps. The legislative proposals were submitted to the European Parliament and the Council for their consideration and adoption.

As concerns the Commission's proposed Regulation to amend CBAM, on 27 May 2025, the Council adopted its negotiating position (general approach) on the proposed Regulation (see here). The Council's negotiating mandate contains several amendments to the proposed Regulation, which aim at further simplifying and clarifying the CBAM rules.

Earlier, on 23 May 2025, the Parliament endorsed the proposed Regulation to amend CBAM, with only certain technical amendments adopted for clarification purposes (see here).

The Council and the Parliament are now ready to commence negotiations on the final contours of the proposed legislation.

* Omnibus III (released 14 May 2025) aims to simplify the Common Agricultural Policy (CAP) and boost farmers' competitiveness in a large package of proposed measures targeting the sector's administrative burden, crisis response and investment needs. Omnibus IV (released 21 May 2025) seeks to ease compliance obligations and free up resources for growth and investment for small-mid caps companies (i.e., companies below 750 employees and with either up to €150 million in turnover or up to €129 million in total assets). These developments will be reported in a forthcoming issue of the EU Geopolitical Risk Update.

** The EU ETS is one of the EU's key climate change mitigation policies and is the world's first carbon market, aimed at providing an efficient mechanism to reduce emissions. Under the EU ETS, companies must obtain emission allowances covering their carbon emissions. The default option is to purchase allowances at an auction, but these can also be allocated for free, which is a transitional method of allocating allowances.

*** CBAM will equalize the price of carbon paid for EU products operating under the EU ETS and the one for imported goods. This will be done by requiring companies importing into the EU to purchase so-called CBAM certificates to pay the difference between the carbon price paid in the country of production and the price of carbon allowances in the EU ETS.

On 11 March 2025, the European Commission proposed a Regulation to strengthen the availability and security of supply of critical medicinal products and other essential medicines ("Critical Medicines Act").

The proposed Act aims to address supply chain vulnerabilities and manufacturing issues, triggered by recent medicine shortages – exacerbated by COVID-19 and geopolitical tensions.

Key measures include, in particular:

• Strategic Projects* to boost or modernize EU manufacturing for critical medicines or ingredients, supported by facilitating access to funding and accelerated regulatory processes;
• State aid guidance to help Member States support these projects, with the Commission's Directorate-General for Competition also publishing Guidance on the application of State aid rules in the context of the proposed Critical Medicines Act (see here);
• Procurement rules requiring diversified sourcing and supply chain monitoring for critical medicines, with a preference for EU-based production where dependencies exist;
• Joint procurement support from the Commission to improve access across Member States; and
• International partnerships to diversify global supply sources.

While the proposed Act focuses primarily on critical medicines listed in the Union List**, it also covers other medicines of common interest that encounter market failures, such as medicines for rare diseases.

The Commission has also issued factsheets (see here and here) and a Q&A (see here) on the proposed Act.

Looking ahead. The Commission intends to publish a staff working document in Q2 2025, which will notably reflect the results of its general consultation on the proposed Act launched in its earlier Call for Evidence.

The Commission expects to adopt the Critical Medicines Act in Q4 2025, with implementation starting in 2026.

* The proposed Act defines criteria for certain industrial ventures that could be recognized as Strategic Projects, if they create, increase or modernize EU manufacturing capacity of critical medicines and their key ingredients. This can also include processes that ensure greater sustainability or increased efficiency, as well as the deployment of key technologies that enable manufacturing.

** The Union list of Critical Medicines contains human medicines that the EU has identified as critical to ensure the health of its citizens, and which is updated periodically by the European Medicines Agency ("EMA") (see here).

On 12 March 2025, the EMA and the Heads of Medicines Agencies ("HMA") announced warnings to the public about the hazards of unregulated advanced therapy medicinal products ("ATMPs") made available to patients in the European Union.

ATMPs are medicinal products based on genes, tissues or cells. When regulated (i.e. authorized via EMA or approved by a national authority), these medicines can significantly benefit patients.

However, unregulated ATMPs are also marketed directly to patients by various individuals, companies, and clinics, despite often providing scant or no evidence of the products' effectiveness or safety.

Authorities are warning the public that unregulated ATMPs could put patients at risk by:

• causing serious side effects, without benefitting patients; and
• raising significant quality-related risks given the absence of strict oversight and regulatory compliance in the manufacturing process, which can result in contamination, inconsistent product composition, and improper storage.

The authorities have listed some behaviors indicating that ATMPs may be supplied illegally. In particular:

• the provider markets the product as experimental, but its use is outside of an authorized clinical trial;
• the provider lacks confirmation that the EMA or relevant national authority has approved the product's use; and
• the claimed benefits surpass those of currently authorized treatments (if available) and are undocumented in the medical literature.

Authorities across the EU are collaborating to halt those supplying unregulated ATMPs. The public is requested to report suspect cases to their national competent authorities (listed here).

On 5 March 2025, the European Union Agency for Cybersecurity (ENISA) published the NIS360 2024 report on assessment of the maturity and criticality of sectors identified as highly critical under the NIS2 Directive* ("Report").

Backdrop. To enable more effective prioritization and greater understanding of the cybersecurity needs and challenges of sectors covered under the NIS2 Directive, ENISA developed the NIS360 methodology to annually appraise the cybersecurity maturity and criticality of these sectors.

The NIS360 methodology (initially designed and piloted in 2023 across a limited number of sectors) has undergone further development and was fully applied for the first time in 2024 to assess all high-criticality sectors under the NIS2 Directive in view of providing an in-depth understanding of their cybersecurity maturity and criticality.

Notably, 2024 also marked the first time that ENISA integrated the industry perspective into the assessment, transitioning to an indicator-based evaluation. Additionally, ENISA introduced dual validation of outcomes by both authorities and the industry, boosting the credibility and robustness of its findings.

Objective. The Report aims to support national authorities and cybersecurity agencies across the EU in implementing the NIS2 Directive by offering a structured overview of the current landscape, in view of setting strategic priorities, identifying areas for improvement, and monitoring progress across critical sectors. The Report also serves as a valuable resource for policymakers at both national and EU levels, providing evidence-based input to guide the development of effective strategies and strengthen overall cyber resilience.

Main findings. The Report notably highlighted the following:

• Electricity, telecoms, and banking are the three sectors demonstrating the highest levels of cybersecurity maturity and criticality. This strong performance reflects long-standing regulatory oversight, sustained investment, political prioritization, and robust public-private cooperation;
• Digital infrastructures (including core internet services, trust services, data centers, and cloud services) also exhibit high maturity levels. However, they face persistent challenges arising from sector heterogeneity, cross-border operations, and the integration of previously unregulated entities.
• Four sectors and two subsectors are in the "risk zone", requiring targeted efforts to strengthen cybersecurity resilience. In particular:
  • ICT service management struggles with cross-border complexities and diverse entities, requiring better cooperation, streamlined compliance under NIS2 and DORA (Digital Operation Resilience Act)**, and harmonized supervision;
  • The space sector remains vulnerable due to low cybersecurity awareness and heavy reliance on commercial off-the-shelf components;
  • Public administrations show uneven maturity and, as frequent cyber targets, should strengthen resilience through the EU Cyber Solidarity Act** and shared digital service models;
  • The health sector faces challenges such as reliance on complex supply chains, legacy systems, and poorly secured medical devices;
  • The maritime sector (energy sub-sector) continues to face operational technology risks, needing sector-specific risk management and EU-wide cybersecurity exercises; and
  • The gas sector (energy sub-sector) shows inconsistent maturity, with gaps in incident response, highlighting the need for tested response plans and stronger cooperation with related sectors.

Looking ahead. The NIS360 assessment calls for enhanced collaboration across sectors, the development of tailored guidance, and targeted capacity-building to ensure more consistent and resilient implementation of NIS2 requirements.

In 2025, ENISA plan to build on the work of the NIS360 assessment by continuing the appraisal of all highly critical sectors under NIS2, adopting a broad-based approach that weighs improvements at each level (EU, national authorities, and individual entities), thereby contributing to allaround enhanced security.

* Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union. The implementation deadline for this Directive by the EU Member States was 17 October 2024.

** For further details on DORA and the Cyber Solidarity Act, see also Jones Day EU Geopolitical Risk Update No. 120.

On 11 February 2025, the European Commission released its 2025 Work Program, which outlines key strategies, action plans and legislative initiatives to boost competitiveness, enhance security, and bolster economic resilience in the EU. It notes that while the start of this Commission's mandate is a time of tremendous global upheaval, it is also a time of great opportunity to shape the future of Europe.

The Work Program, in particular, announced the Commission's intention to (i) withdraw several pending legislative proposals within the next six months, including the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) and the AI Liability Directive* and (ii) simplify the digital regulatory framework by end-2025.

On the other hand, as announced in the Work Program, the Commission launched the AI Continent Action Plan, an initiative aimed at accelerating the development and deployment of AI across Europe by focusing on five priority areas of action:

• Enhancing computing infrastructure through the expansion of the network of AI Factories and the creation of energy-efficient Gigafactories to integrate massive computing power into data centers to facilitate scientific collaboration.
• Ensuring access to high-quality data by advancing a new Data Union strategy (building on the 2020 European strategy for data) and establishing data labs, within AI Factories, to enable the provision, pooling, and secure sharing of high-quality data.
• Driving AI adoption across sectors by launching the intended Apply AI Strategy. This initiative aims to (i) scale up AI use in industry, (ii) integrate AI into key sectors such as public administration and healthcare, and (iii) deploy the capabilities of AI Factories and European Digital Innovation Hubs to support implementation.
• Developing and attracting AI talent by expanding education and training opportunities, fostering diversity, increasing public awareness, and positioning the EU as a global hub for top AI professionals.
• Facilitating regulatory compliance through the creation of an AI Act Service Desk to assist businesses in navigating new requirements and fostering an innovation-friendly environment.

Conclusions. The 2025 Work Program marks, in particular, a strategic shift in the pursuit of global AI leadership. Notably, by launching the AI Continent Action Plan, the Commission aims at advancing a coherent, future-oriented agenda that combines regulatory modernization with strong support for innovation.

* See also Jones Day Alert, "European Commission Proposes New Liability Rules on Products and AI," 5 October 2022.