A first view on the proposed Digital Networks Act (DNA) Core impact on EU organizations

The Proposed Digital Networks Act (DNA) is a draft EU regulation published on Januari 21st 2026, that replaces the EECC and related telecom instruments with a single, fully harmonized framework for electronic communications and digital networks across the EEA. We have made a quick analysis of its content and what it potentially would mean for European Organizations.

Main breakdown

Single market & "Single Passport": Providers of public electronic communications networks and services will operate under a uniform general authorization regime, with a single notification ("Single Passport") to one national authority granting rights to operate in multiple Member States. This cuts multi‑country licensing friction but centralizes supervision and makes cross‑border non‑compliance more visible.

Security, resilience and supply chain scrutiny: Authorization conditions explicitly include compliance with resilience and preparedness obligations, cybersecurity rules (via an updated Cybersecurity Act), ICT supply‑chain security, and enabling lawful access to data (lawful interception and data retention) in accordance with EU and national law. Operators, cloud‑converged telcos, and satellite providers must be ready for more intrusive technical and vendor‑risk assessments, tighter dependency management (e.g. for 5G, subsea cables, critical segments), and alignment with Union‑level preparedness and crisis plans.

Governance and oversight: BEREC's role is strengthened, supported by the new Office for Digital Networks (ODN) and a Radio Spectrum Policy Body (RSPB), giving the Commission and EU bodies a stronger hand in spectrum, resilience coordination and harmonized enforcement. For organizations, this means more consistent but less negotiable regulatory expectations and increased data‑reporting on resilience, spectrum use and market behaviour.

Transition to fiber & gigabit obligations: The DNA accelerates mandatory copper switch‑off where fiber coverage and affordability thresholds are met, pushing operators further into gigabit networks (FTTH, 5G/6G, satellite). This implies capex pressure but also clearer EU‑level safeguards for end‑users and a more predictable long‑term decommissioning framework.

End‑user and net‑neutrality rules: End‑user rights (contracts, switching, affordability, universal service) and open‑internet provisions are fully harmonized, with limited, strictly defined exceptions for traffic management. This reduces legal fragmentation but narrows flexibility for differentiated retail terms and quality‑of‑service models.

Encryption and lawful access

The DNA does not introduce a bespoke "encryption chapter" and this aligns with, what we think is an omision in NIS2 as well, but the proposed DNA embeds cryptography within broader security and lawful‑access obligations:

Providers under general authorization must comply with national rules on "access to data by law enforcement and judicial authorities, including on lawful interception and data retention," alongside cybersecurity and supply‑chain requirements. This confirms that end‑to‑end encrypted services can remain in scope of interception/data‑access obligations where applicable, without prescribing specific weakening of encryption.

Security conditions reference compliance with future cybersecurity certification and ICT supply‑chain rules under a revised Cybersecurity Act, which can indirectly shape acceptable cryptographic implementations, hardware security modules, and vendor choices.

For security teams, this translates to: demonstrable lawful‑access interfaces where required by national law, strong logging and retention controls, and audited key‑management and crypto‑policy governance consistent with NIS2.

Post‑quantum cryptography (PQC)

The DNA explicitly recognizes quantum threats and ties networks to EU‑level PQC policy:

The proposal states that resilience of 4G/5G, fixed networks, submarine cables and cloud services must be strengthened, and that "the security of sensitive data and critical infrastructure should be reinforced by ensuring timely transition to post‑quantum cryptography," progressively integrating quantum‑based systems such as EuroQCI and IRIS2 into communications infrastructure.

This aligns with the EU‑wide PQC roadmap adopted by Member States, which requires all Member States to start transitioning to PQC by end‑2026 and to migrate critical infrastructures no later than end‑2030. NIS2 further requires policies and procedures for cryptography and, where appropriate, encryption, with an emphasis on crypto‑agility and robust key‑management.

Implications for European organizations:

High‑value operators (telcos, OES under NIS2, operators of critical infrastructures, satellite operators, and cloud‑telco hybrids) will be expected to map crypto assets, design crypto‑agile architectures, and define PQC migration plans aligned with EU timelines.

Integration with EuroQCI and IRIS2 for governmental and critical communications means operators participating in these ecosystems must implement PQC‑ready stacks and quantum‑safe key‑distribution interfaces, subject to EU security and certification requirements.

European ownership, sovereignty and strategic autonomy

The DNA strongly emphasizes strategic autonomy and "digital sovereignty," but not by imposing strict "European‑only" ownership rules; instead it uses conditions, risk management and governance levers:

The Act identifies satellite connectivity as a "core enabler of EU strategic autonomy" and ties it to harmonized EU‑level satellite spectrum authorization, with conditions such as establishment in the EU, high levels of security, permanent control over transmissions and compliance with data‑retention and lawful‑interception rules. This effectively favours EU‑anchored operators and governance structures for critical satellite services, without an outright foreign‑vendor ban.

Strategic planning of radio spectrum is framed as a tool for "security and digital sovereignty," with the Commission and Member States managing spectrum as a "common European resource" and explicitly required to take measures to minimize security risks and manage dependencies, especially in critical segments.

The DNA is designed to complement other sovereignty instruments: the EU Space Act and IRIS2 for secure EU satellite connectivity and space entrepreneurship, the future Cloud and AI Development Act (CADA) for EU‑based cloud and edge capabilities, and the EU's Economic Security Strategy and Preparedness Union Strategy. Together, these push operators towards diversified, trustworthy supply chains and EU‑governed infrastructures for critical services, rather than pure cost‑optimized global sourcing.

For European organisations, "European ownership" in practice means:

Expect more scrutiny of ownership/control structures and data‑sovereignty posture when participating in critical infrastructure, satellite, public‑sector and defense‑related communications.

Procurement and architecture decisions will need to factor EU strategic‑autonomy criteria (location of facilities and key management, jurisdiction of parent entities, compliance with EU certification schemes), not just technical performance or price.

Cross‑border operators benefit from simplified, harmonized rules, but in exchange must accept tighter EU‑level coordination on resilience, PQC migration, and supply‑chain risk, with BEREC/ODN oversight and potential Commission intervention where national decisions endanger single‑market or security objectives.