AGEFI Luxembourg - September 2025
Financial IT

European Commission vs. Big Tech: what do the DMA and DSA look like in practice?

By Vincent WELLENS & Ottavio COVOLO, Avocats à la Cour, NautaDutilh Avocats Luxembourg S.à r.l.

Back in the April 2024 edition of AGEFI Luxembourg, we presented two major new EU regulations: the Digital Services Act (“DSA”), primarily focused on a broader regulation of online intermediaries offering their services in the EU (such as illegal and harmful online activities and curb the spread of misinformation); and the Digital Markets Act (“DMA”), aiming more specifically to regulate the aforementioned gatekeepers with a view to ensuring a fair and competitive digital economy for all actors. Since then, the European Commission has not waited to make use of these new tools in its regulatory arsenal.

Regulatory fees - Not just sanctions

Article 43 of the DSA provides that the European Commission shall charge in-scope entities (i.e., providers of very large platforms (“VLOPs”) and very large online search engines (“VLOSEs”)) a supervisory fee to cover the estimated costs to be incurred by the Commission in the enforcement of the DSA. Further to a report from the European Commission to the European Parliament of March 2025 (COM/2025/150), these supervisory fees amounted to € 58,2 million, including notably human resources of 81 full time employees. No recovery of such fees has been initiated as of that date.

As noted in the aforementioned report, there are currently five ongoing court proceedings initiated by major players against the amounts of such regulatory fees: “the provider of TikTok (Case T-58/24 relating to the supervisory fee charged in 2023 and Case T-88/25 relating to the supervisory fee charged in 2024), and to the provider of Google Maps, Google Play, Google Search, Google Shopping and YouTube (Case T-92/25 relating to the supervisory fee charged in 2024)”.

The Facebook and Instagram case (Case T-55/24 relating to the supervisory fee charged in 2023 and Case T-89/25 relating to the supervisory fee charged in 2024) resulted in a recent judgement of 10 September 2025 in favour of the claimants, criticising the methodology of the Commission as not taking correctly into account the number of average monthly active recipients of the claimants’ services (“AMAR”). Whilst the supervisory fee of 2024 needed to be recalculated, the supervisory fee for 2023 is however validated.

No fines yet under the DSA, but multiple pending investigations

Article 74 of the DSA empowers the Commission to sanction VLOPs and VLOSEs with “fines not exceeding 6% of its total worldwide annual turnover in the preceding financial year where it finds that the provider, intentionally or negligently” breached the DSA.

The European Commission keeps a public database of the designated services under the DSA (available at https://lc.cx/UScRzo), which reveals 6 opened formal proceedings (Twitter/X in December 2023 on i.a. dissemination of illegal content; Facebook and Instagram in April 2024 on multiple points including visibility of political content and moderation of said content, in May 2024 on protecting minors; Temu on i.a. illegal products in October 2024; Tiktok regarding improper mitigation of risks on election integrity in December 2024; Pornhub, Stripchat, XNXX, and XVideos on protecting minors in May 2025) and 2 closed with accepted commitments (Tiktok on the Tiktok Lite Rewards programme in 2024; Aliexpress on illegal products in June 2025). The vast majority remain however at the stage of requests for information.

It should be noted that the European Commission takes note of private litigation and complaints (by e.g., civil society organisations) in the scope of its investigations under the DSA. For instance, in June 2024, the European Commission took note of LinkedIn’s decision to disable targeted advertising following the complaint made by EDRi to the European Commission on that topic.

In terms of legal proceedings, Zalando has seen its challenge on its designation under the DSA rejected by judgement of 3 September 2025 of the General Court of the EU. An appeal is currently pending before the Court of Justice. Amazon’s similar challenge is still pending before the General Court, but was denied interim relief both before the General Court in September 2023 and the Court of Justice in March 2024.

EUR 700 million fines under the DMA

Article 30 of the DMA foresees that administrative fines for non-compliance with the DMA can amount to up to 10% of the company’s total annual worldwide turnover in case of a first offense and rise to 20% with additional corrective measures in case of repeat offenses. The European Commission again keeps a public database of its decisions rendered under the DMA as a sub-section of its database of competition law cases (available at: https://lc.cx/G6igYg).

No decisions accepting commitments have yet been made under the DSA. We can however note 10 decisions mainly relating to potential designation of services having been closed further to rebuttals from the investigated entities (such as Microsoft, Tiktok, Twitter/X’s respective online advertising services).

As of writing, the European Commission nevertheless issued 2 administrative fines both announced in April 2025.

Apple was fined € 500 million (DMA.100109) for failure of Apple’s App Store to comply with the DMA provisions, mainly related to app developers being able to steer customers away from the official app store and towards alternatives for downloading smartphone applications or making payments inside said applications.

It should be noted that Apple was also facing another investigation regarding their iOS operating system (DMA.100185) regarding i.a. the ability of end users to un-install any (pre-installed) applications. This investigation was however dropped in April 2025 noting that such changes have been made in iOS 18.2.

Meta was fined € 200 million (DMA.100055) in relation to their ‘Consent or Pay’ advertising model, as it offers only a binary choice of using the service with ads or not accessing it, whereas the DMA foresees the middle ground of “offering a less personalised but equivalent alternative, and without making the use of the core platform service or certain functionalities thereof conditional upon the end user’s consent” (recital 36).

In addition to the above fines, the European Commission also adopted mandatory measures to be complied with by Apple (DMA.100203 – regarding opening the features for connected physical devices to third parties, such as the graphical integration of AirPods within iOS).

3 other formal proceedings are currently ongoing (Google’s regarding their search engine and app store, and Apple’s business terms).

Key takeaways

The recent enforcement actions and hefty fines under the DMA highlight not only the EU’s determination to regulate the digital market, but also the increasing convergence between competition law and regulatory frameworks like the DSA and DMA, whilst remaining distinct. This is demonstrated by the € 2.95 billion fine imposed on Google by the Commission on abusive practices in online advertising, despite such topic being also covered by the above DSA and DMA decisions.

Amid growing political pressure notably from the Trump administration to temper such enforcement, and the Von der Leyen Commission’s recent push for ‘red-tape’ reduction, these moves underscore not only their key role in shaping the digital space, but also the growing importance of competition law for any actor present in this space – both in terms of opportunities for competitors and risks for leading players in Europe.

Cyberattacks against Luxembourg organisations rise by 59%

Luxembourg organisations suffered an average of 1862 cyberattacks per week in the second quarter of 2025, an increase of 59% compared with the same period last year. The most targeted sector is financial institutions. This emerges from the latest data from Check Point Research, the Threat Intelligence team of Check Point Software Technologies.

Europe did not record the highest volume of attacks, but it did record the largest annual increase, at +22%. “Attack patterns in Europe are becoming more sophisticated, more targeted and increasingly adapted locally,” explains Lieven Van Rentergem, Security Expert at Check Point Software. “We are seeing a clear transition from classic ransomware to techniques based on information theft or the use of AI. In the second quarter, it is not massive leaks that dominate, but silent attacks that provide access to networks, cloud services or credentials, often without companies noticing immediately.”

Financial institutions also remain prime targets because of the confidential nature of their data. In addition to the Luxembourg figures, Check Point's data indicate that Belgium saw an increase of 17% (with 1275 attacks/week) and France an increase of 45% (with 1862 attacks/week).

Most exploited vulnerabilities

The most frequent vulnerabilities in the 2nd quarter are:
- Information Disclosure: 66%
- Remote Code Execution: 66% of vulnerabilities in Luxembourg
- Authentication Bypass: 48%

Origin of cyberattacks against Luxembourg companies

1. United States - 45%
2. Luxembourg - 12%
3. Singapore - 6%

Global cybersecurity trends

In the second quarter of 2025, organisations worldwide suffered an average of 1,984 cyberattacks per week, an increase of 21% compared with the same period in 2024, and of 58% compared with two years ago.

No sector is spared, but education is the hardest hit with 4,388 attacks per organisation per week (+31% in one year). The public sector comes second with 2,632 attacks/week (+26%), while telecommunications records the largest proportional increase: +38%, with 2,612 attacks/week. This trend is explained by their growing dependence on digital infrastructure and their public exposure, which makes them ideal targets for cybercriminals.

European companies must adopt a proactive posture

“What companies need today is a prevention-focused mindset,” concludes Van Rentergem. “It starts with visibility and segmentation, but also with employee training, multi-factor authentication, and constant monitoring of cloud environments and endpoints. This quarter, it is not only the volume of attacks that is increasing, but also their sophistication. We must prepare for it.”

Most impersonated brands

In the second quarter of 2025, phishing campaigns gained in sophistication, with cybercriminals posing as well-known brands via fake sites or emails. The top 10 most impersonated brands is as follows: Microsoft (25%), Google (11%), Apple (9%), Spotify (6%), Adobe (4%), LinkedIn (3%), Amazon (2%), Booking (2%), WhatsApp (2%) and Facebook (2%).

This trend illustrates how attackers exploit users' digital habits to collect their credentials or payment data through deceptive communication.