By Marcus Venn | Digital Rule Book | March 2026 TL;DR — Key Points The EU Digital Omnibus Package, proposed 19 November 2025, is the most significant change to EU digital regulation since the AI Act itself. It proposes to simplify GDPR, delay the AI Act's high-risk deadlines by up to 16 months, merge cybersecurity reporting into a single entry point, and modernise cookie rules. For most EU businesses, the Omnibus will reduce compliance burden — but it has not been passed into law yet, and current deadlines still apply. The Digital Omnibus is not a weakening of the AI Act. It is a restructuring of the rollout to align with the actual readiness of the compliance ecosystem. This article explains every major proposal in plain English, so you know what is changing, when, and what it means for your business. DISCLAIMER: This article is for informational purposes only. The Digital Omnibus Package is a legislative proposal subject to amendment and rejection. Information ...
What the World's Biggest Cyberattack Means for EU Cyber Law
By Marcus Venn | Digital Rule Book | March 7, 2026
At 18:45 UTC on February 28, 2026, Cloudflare Radar published a brief, clinical statement: 'Internet traffic in Iran has dropped to effectively zero, signaling a complete shutdown and disconnection from the global internet.'
Four words that had never been written about a major nation in modern history: dropped to effectively zero.
What happened to Iran's internet on February 28 is not just a news story. It is a case study in digital warfare that will be studied in cybersecurity programmes, quoted in legal proceedings, and cited in EU regulatory documents for the next decade. Understanding what happened — technically, legally, and strategically — is essential for any business or professional navigating the EU's digital regulatory environment.
What Actually Happened — The Technical Reality
The internet blackout in Iran on February 28 was not a single event. It was the culmination of a campaign that had been running since January 2026 and which escalated dramatically on the day of the joint US-Israeli strikes.
The campaign's timeline reveals its sophistication:
Phase 1 — January 2026 — Government satellite broadcasts hacked. Content calling for the regime's overthrow was aired to millions of Iranian households. This was the test run: establishing deep access to Iran's broadcast infrastructure before the main operation.
Phase 2 — February 28 — Main operation begins. As fighter jets struck IRGC command centres, a parallel digital assault combined four distinct attack vectors simultaneously: large-scale DDoS attacks to overwhelm internet infrastructure, deep intrusions into government data systems, electronic warfare disrupting navigation and communications, and targeted attacks on state media and IRGC communications networks.
Phase 3 — 18:45 UTC, February 28 — Cloudflare Radar confirms complete shutdown. Iran's National Information Network — the regime's internal internet, theoretically isolated from the global internet — was also reported fully disconnected, even internally. Iran was not just cut off from the world. It was cut off from itself.
The attack's stated objective, confirmed by Western intelligence sources, was to prevent coordination of counterattacks by destroying the IRGC's communications infrastructure. By blinding Iran's military command and control in the digital domain simultaneously with the physical strikes, the operation aimed to prevent an organised, coordinated Iranian military response.
Whether it succeeded militarily is a separate question. What is not in question is what it demonstrated technically: a nation-state's entire digital infrastructure can be effectively disabled as a military objective. That capability now exists. It has been demonstrated publicly. And it changes the legal and regulatory calculus around digital infrastructure security permanently.
The Economic Cost of an Internet Blackout — Iran as a Case Study
Iran has experience with internet shutdowns — the regime has used them as tools of political control during protest periods. The data from those previous shutdowns reveals the devastating economic impact of losing digital connectivity, and it provides a sobering lens for understanding what digital infrastructure disruption actually costs.
During the January 2026 internet blackout — implemented before the military strikes — Iran's Minister of Communications acknowledged a cost of $35.7 million per day. Online sales fell by 80% during the shutdown. The Tehran Stock Exchange lost 450,000 points over four days. Financial transactions dropped by 185 million in January 2026 alone.
These figures come from a developing economy with significant pre-existing internet restrictions. For a fully digitalised EU economy, the proportional damage from an equivalent disruption would be orders of magnitude larger. This is not a hypothetical — it is now a documented economic reality.
The EU Cyber Solidarity Act, which established the European Cyber Shield and the EU Cyber Reserve, was designed with exactly this scenario in mind: a major cyberattack against EU digital infrastructure causing economic and societal disruption at scale. The Iran events are the most powerful possible real-world demonstration of why that legislation exists.
The EU Cyber Law Implications — What Changes After February 28
The Iran cyberattack will enter EU regulatory and legal discourse immediately. Here are the specific areas of EU cyber law that are directly affected:
1. The Precedent of Infrastructure as a Military Target
International law has long recognised that attacks on civilian infrastructure violate the laws of armed conflict. The near-total shutdown of Iran's internet — affecting civilian communications, emergency services, financial transactions, and basic digital services — raises fundamental questions about the legal status of national internet infrastructure under international humanitarian law.
The EU has consistently argued that cyberattacks on civilian infrastructure are illegal under international law. The Iran events — while directed at a military adversary — demonstrate that civilian digital infrastructure is effectively inseparable from military infrastructure in modern conflict. This will accelerate EU discussions about classifying internet shutdowns and mass cyberattacks on civilian digital services as violations of international law, with direct implications for how the EU governs its own digital infrastructure.
2. The Dual-Use AI Problem and the EU AI Act
The cyberattack on Iran almost certainly involved AI-assisted systems for target selection, traffic analysis, and automated intrusion. These are AI capabilities that exist in civilian form — the same techniques used for legitimate network security, fraud detection, and traffic optimisation. This dual-use problem — AI systems with both legitimate commercial applications and potential military or offensive uses — is one of the most complex challenges in the EU AI Act.
The Act's current framework explicitly excludes AI used for national security and military purposes from its scope. But the Iran events demonstrate that the line between commercial AI capabilities and military AI weapons is thinner than legislators assumed. Expect EU AI Act discussions to increasingly address dual-use scenarios in the months ahead.
3. Data Sovereignty and Cloud Security — GDPR Article 32
Many EU businesses and individuals have personal and business data stored on cloud infrastructure with points of presence in the UAE, Qatar, and the broader Gulf region — all of which have experienced disruption this weekend. Under GDPR Article 32, data controllers must implement 'appropriate technical and organisational measures' to ensure data security. The question this week is: was your cloud provider's data architecture in the Gulf region consistent with GDPR's security requirements when missiles began falling on Dubai?
This is not a rhetorical question. EU data protection authorities will be reviewing cloud provider resilience and data centre geographic distribution in the context of this conflict. Businesses should verify that their processors have implemented adequate business continuity arrangements — and document that verification.
What the Previous Iranian Internet Blackouts Revealed About Information Control
One detail from the Wikipedia documentation of the 2026 Iran internet blackout deserves special attention for anyone interested in digital regulation and disinformation. During the previous Iranian internet shutdown in 2025, cybersecurity analysts discovered that social media accounts claiming to support Scottish independence suddenly went silent — because they were operated by Iranians using false Scottish identities.
This is not a footnote. This is one of the most significant documented examples of foreign state-sponsored disinformation operations being accidentally exposed by an internet blackout. When Iran went dark, its disinformation networks went dark too — revealing the geographic origin of accounts that had been influencing political discourse in the United Kingdom.
For EU digital regulation, this incident validates a core principle of the Digital Services Act: transparency about account origins and foreign influence operations. The DSA requires very large online platforms to identify and label state-controlled accounts and political advertising from foreign entities. The Iran disinformation exposure proves this requirement is not bureaucratic caution — it is a documented response to a real and active threat.
Frequently Asked Questions
Q: Is what happened to Iran's internet legal under international law?
A: This is genuinely contested. The laws of armed conflict prohibit attacks on civilian infrastructure. However, Iran's National Information Network, which was also targeted, is closely integrated with IRGC military communications. The legal status of attacks on dual-use civilian-military digital infrastructure is one of the most actively debated questions in international cyber law, and the Iran events will add significantly to that debate.
Q: Could something like this happen to EU countries?
A: EU countries are NATO members with significantly better cyber defences than Iran. However, the techniques demonstrated against Iran — particularly the combination of DDoS, deep intrusion, and electronic warfare — are within the capabilities of several state actors. This is precisely why NIS2, the Cyber Resilience Act, and the EU Cyber Blueprint exist. No defence is perfect, but the EU framework significantly raises the cost and complexity of large-scale attacks.
Q: What is the EU Cyber Reserve mentioned in the Cyber Solidarity Act?
A: The Cyber Reserve is a pool of trusted private sector cybersecurity providers that can be deployed rapidly to help EU member states respond to major cyber incidents. It was established under the Cyber Solidarity Act adopted in 2024. Given the current threat environment, the Cyber Reserve may be placed on standby status.
The internet shutdown that descended on Iran on February 28, 2026 has changed the way the world understands digital infrastructure security. For EU regulators, it is validation. For EU businesses, it is a warning. For the global development of cyber law, it is a landmark event that will shape legal thinking for years.
Digital Rule Book will continue covering the regulatory and legal implications of these events as they develop. The story of what happened to Iran's internet is not over — its consequences are just beginning.