What It Means for EU Business Compliance
By Marcus Venn | Digital Rule Book | March 2026
On 16 March 2026, as the war between the United States, Israel, and Iran entered its third week, the Council of the European Union made a regulatory move that most EU businesses have not yet noticed. It imposed sanctions — asset freezes and travel bans — on Emennet Pasargad, an Iranian company the EU has identified as directly responsible for cyberattacks against European citizens and institutions.
This is not a geopolitical headline. It is a compliance event. And it has immediate implications for every EU business, whether they know it or not.
This article explains what happened, what Emennet Pasargad actually did, what the sanctions mean in practice, and what you should do this week.
What Is Emennet Pasargad and What Did It Do?
Emennet Pasargad is an Iranian company with confirmed links to the Islamic Revolutionary Guard Corps (IRGC). It has been operating as an offensive cyber unit, conducting attacks against Western targets since at least 2020.
Its attacks against EU targets are documented and verified. The EU Council's sanctions decision cites three specific operations:
It compromised a French subscriber database, gaining access to personal data of EU citizens stored by a French telecommunications or media provider.
It targeted the digital advertising and ticketing infrastructure of the 2024 Paris Olympics — one of the largest sporting events in European history, attended by millions.
It compromised a Swedish SMS service provider, affecting the personal data and communications security of large numbers of EU residents.
These are not theoretical threats. These are documented attacks on European infrastructure that directly affected EU citizens' data rights under GDPR. The EU's decision to sanction the company is the formal legal acknowledgement of that record.
What Do EU Sanctions Actually Mean for Businesses?
When the EU imposes sanctions on an entity, the legal effect is immediate and applies to all natural and legal persons in the EU, and to all EU nationals anywhere in the world. The core obligations are:
Asset Freeze
All funds and economic resources belonging to, owned, held, or controlled by Emennet Pasargad must be frozen. No EU person or entity may make funds or economic resources available — directly or indirectly — to the company.
This means: if your company has any contract, payment, or financial relationship with Emennet Pasargad or any entity it controls, you are legally required to freeze those assets immediately and report to your national competent authority.
Travel Ban
Individuals designated under the sanctions are prohibited from entering or transiting EU territory. If your business employs, hosts, or provides services to individuals on the EU sanctions list, you have compliance obligations.
Due Diligence Obligation
The sanctions create an implicit due diligence obligation across the EU. You are expected to know your counterparties. Ignorance of a sanctioned entity's involvement in your supply chain is not a legal defence under EU sanctions law.
The NIS2 Dimension: What Critical Sector Businesses Must Do Now
The EU's NIS2 Directive, which became enforceable across member states in 2024–2025, imposes specific obligations on businesses in 18 critical sectors when relevant threat intelligence emerges. The Emennet Pasargad sanctions constitute exactly that kind of intelligence event.
Under NIS2, medium and large entities in critical sectors (which now include cloud computing, online marketplaces, digital infrastructure providers, and dozens of other categories) must:
Conduct a risk assessment when new threat actors are identified in their sector or geographic area.
Implement appropriate technical and organisational measures to address identified risks.
Maintain awareness of active threat actors through national cybersecurity authorities.
Report significant incidents to their national competent authority within 24 hours of detection, and provide a full report within 72 hours.
The sanctions against Emennet Pasargad serve as a formal threat intelligence signal. If your sector was targeted — telecommunications, digital services, event management, authentication services — you have an enhanced obligation to review your security posture in response to this week's events.
What Every EU Business Should Do This Week
These five steps are proportionate, achievable, and directly relevant to the current compliance situation:
Step 1 — Run a Sanctions Screening Check
Screen your existing vendor list, supplier contracts, and software licensing agreements against the EU consolidated sanctions list. The official list is maintained by the European External Action Service and is searchable at sanctionsmap.eu. This takes one day and costs nothing.
Step 2 — Check Your NIS2 Sector Classification
Many businesses are still unaware that they fall within NIS2's expanded scope. Use the European Commission's NIS2 scope checker or consult your national cybersecurity authority's guidance. If you are NIS2-regulated, you must have incident response and reporting procedures already in place.
Step 3 — Brief Your IT and Legal Teams
Your IT team should be made aware that Emennet Pasargad uses specific attack vectors: spearphishing for credential theft, compromise of SMS authentication services, and database exfiltration. These are the threat types to prioritise in your defensive posture this week.
Step 4 — Verify Your Data Processing Agreements
If you process personal data of EU citizens using any third-party service provider, check that your Data Processing Agreement includes provisions requiring the processor to notify you of any sanctions exposure or law enforcement contact. Many DPAs do not include this clause — they should.
Step 5 — Document Your Response
Under NIS2, 'if it is not documented, it does not exist' is the enforcement principle. Record the date you became aware of the sanctions, the steps you took to assess your exposure, and the outcome of that assessment. Keep this on file.
The Bigger Picture: Iran's Cyber Campaign Against the EU
Emennet Pasargad is not an isolated actor. It is one element of a broader Iranian state cyber apparatus that has been targeting European institutions, citizens, and businesses for years. The 2026 war has intensified that campaign. Iranian-linked hackers continue to operate even with Iran's internet severely degraded — using Starlink terminals and alternative connectivity to maintain offensive operations against Western targets.
The EU's decision to formally sanction Emennet Pasargad sends a clear signal: European regulators are treating Iranian cyberattacks as a compliance and legal matter, not just a security problem. Businesses that treat this as someone else's concern are misjudging the risk environment.
Frequently Asked Questions
Q: How do I know if my business has exposure to Emennet Pasargad?
A: Search the EU consolidated sanctions list at sanctionsmap.eu using the company name and its known aliases. Also screen your sub-contractor and vendor list for any entities registered in Iran. If you find exposure, freeze all economic resources immediately and contact your national competent authority.
Q: Do these sanctions apply to businesses outside the EU?
A: The EU sanctions apply directly to all EU nationals and all legal persons established in the EU, regardless of where they operate. Non-EU businesses are not directly bound by EU sanctions but may face consequences if they have EU operations or serve EU clients.
Q: What is the penalty for breaching EU sanctions?
A: Penalties vary by member state. In France, breaching sanctions can result in up to ten years' imprisonment and large financial penalties. In Germany, the penalties include criminal prosecution. The EU is in the process of harmonising criminal sanctions for violations across member states.
Q: Is NIS2 definitely applicable to my business?
A: NIS2 applies to medium and large entities in 18 critical sectors. The expanded scope compared to NIS1 now includes digital infrastructure, cloud computing, online marketplaces, postal services, and food manufacturers. Use your national cybersecurity authority's guidance to verify your classification.
The EU sanctions against Emennet Pasargad are the clearest signal yet that Iranian cyber operations against European targets have crossed a threshold requiring formal legal response. For EU businesses, this week's development is not a news item. It is a compliance trigger. Act on it.
Digital Rule Book will continue covering the regulatory and legal consequences of the Iran conflict as they develop. The next article in this series examines what the conflict means for the EU AI Act's August 2026 enforcement deadline.