7-minute read | 1,650 words
What to know this week
EU instructs Meta to make changes to Instagram and Facebook.
European Union (EU) authorities said the company’s use of additive features violated a digital safety law.
Pentagon suspends phase two of CMMC.
The Pentagon has suspended the phase two requirements for a key cybersecurity certification for third-party vendors.
This week's full stories
EU tells Meta to make major changes to its social media platforms.
THE NEWS
On Friday, EU regulators instructed Meta to make major changes to both its Instagram and Facebook platforms or face significant fines. EU regulators are concerned about how Meta's “addictive design” features, such as infinite scroll and autoplay, are impacting minors. More specifically, regulators concluded that Meta violated the Digital Services Act (DSA) by deploying design features that encouraged prolonged engagement, particularly among minors.
Authorities emphasized that features like personalized recommendations and infinite scroll constantly deliver new content, which “fuel the user’s urge to keep scrolling and shift the brain into autopilot mode.” Regulators also added that these features create “unhealthy habits and compulsive use.”
Henna Virkkunen, the executive vice president at the European Commission overseeing digital policy, stated:
“Protecting the physical and mental health of Europeans must be a priority for social media platforms. The [DSA] provides a clear framework to hold platforms accountable for the addictive design and effects of their services. We are fully committed to enforcing our legislation in Europe.”
THE KNOWLEDGE
The EU’s warning comes after a two-year investigation that was focused on assessing these design features and their impacts on “the mental wellbeing of users, including minors and vulnerable adults.” In the report’s findings, the EU stated the following:
“Meta disregarded available information about the time minors spend on Instagram or Facebook at night and how the optimization of its different formats - such as reels and stories - could lead to excessive or compulsive use of the services.”
Additionally, the report found that Meta’s current mitigation measures failed to effectively address risks associated with its platform design. For example, regulators said the platform’s time-management tools could be easily disabled and failed to meaningfully reduce users’ time spent on the applications.
From these findings, the investigation stated that the Commission could issue a non-compliance decision, which could trigger a fine capped at 6% of the company’s total worldwide annual turnover.
For context, the EU’s DSA is the regional bloc’s major flagship online services law. The law oversees services, such as online marketplaces, social media networks, app stores, and similar platforms. Through the DSA, the EU looked to establish greater platform accountability, user empowerment, ad transparency, and stricter rules for large technology companies.
THE IMPACT
The Commission’s preliminary findings represent a major development for DSA enforcement as it moves beyond content moderation to platform design regulation. Features, like infinite scroll, autoplay, and personalized recommendations, are now being evaluated as potential safety risks as they promote compulsive use.
For technology companies, the implications extend well beyond Meta. If the Commission ultimately issues a formal non-compliance decision, it could establish a precedent that requires large online platforms to redesign core user engagement features across the European market. Given the DSA’s substantial penalties of up to 6% of global annual revenue, companies may choose to implement these design changes globally rather than maintain separate versions of their platforms for different regions.
More broadly, the decision reflects the EU’s growing willingness to regulate not only the content users encounter online, but also the behavioral mechanics that shape how digital services capture and retain attention. As governments around the world continue debating children’s online safety legislation, the Commission’s approach could provide a model for future regulation that focuses less on individual pieces of content and more on the design choices underlying modern social media platforms.
Pentagon suspends CMMC program.
THE NEWS
On Monday, the Pentagon announced that it will be suspending the Cybersecurity Maturity Model Certification (CMMC), while the program undergoes a sixty-day audit. The Pentagon said it will conduct a “top-to-bottom” review of the certification program over the next sixty days. Notably, the Pentagon is only suspending Phase 2 of the program while Phase 1 remains in full effect until further notice.
In the announcement, Department of Defense (DOD) Chief Information Officer Kirsten Davies wrote:
“The current iteration of the [CMMC] program, while intended to enhance security, imposes significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation.”
Davies also noted that this audit was launched after receiving data and feedback, which suggested that the “CMMC program is structurally incompatible with our need to rapidly expand the DIB.”
Through this audit, the CMMC Reform Task Force will be charged with providing recommendations that will prioritize “speed to capability, lower barriers for small, medium, and non-traditional businesses, and replace prohibitive, third-party compliance models with scalable, realistic security measures.”
While the suspension is in effect, the DOD will continue using self-assessments and will focus on cyber hygiene efforts.
THE KNOWLEDGE
The CMMC program was originally developed during the first Trump administration. The program’s key driver was a need to check whether contractors were meeting cyber standards by requiring third-party audits rather than relying on self-attestation. Through the program, the Pentagon established a “Cyber Accreditation Body” to oversee the network of various third-party auditors who would be tasked with carrying out the CMMC assessments.
However, since its inception, the CMMC program has received significant pushback from small businesses, many of which cited that CMMC placed significant compliance burdens on operations. This pushback led to the former Biden administration to launch its own review of the program, which eventually resulted in the CMMC program requirements being substantially lessened.
After these regulatory reductions, the Pentagon then undertook a yearslong process to develop the CMMC 2.0 program, whose final contracting rules went into effect November 2025. With this updated version, the Pentagon announced that it would do a tiered roll out to allow businesses to better prepare for the new regulations.
With the program now under review, the Pentagon is once again balancing two competing priorities: raising cybersecurity standards across the defense supply chain while avoiding requirements that discourage smaller companies from participating in defense contracting. How the department resolves that tension will shape the future of cybersecurity oversight across the DIB.
THE IMPACT
The Pentagon’s review of the CMMC signals that the department is reevaluating whether third-party security audits remain the best way to strengthen cybersecurity across the DIB as the agency looks to expand the sector. Instead, the DOD is placing greater emphasis on reducing barriers for contractors, particularly smaller or non-traditional companies.
If the review results in a lighter certification model, it would likely make it easier for businesses to enter and compete in the defense market. However, those benefits come with tradeoffs. Third-party assessments were originally introduced because self-attestation often failed to provide enough assurance that the contractors were adequately protecting sensitive information and systems.
The challenge for the Pentagon will be determining whether a less burdensome certification model can expand the DIB without weakening confidence in the cybersecurity of companies entrusted with sensitive defense systems.
This Week's Caveat Podcast: The future of transatlantic data sharing.
Dave Bittner and Ben Yelin discuss two key stories. The first involves how the Supreme Court’s recent ruling could impact data-sharing practices with the EU. The second involves how the Los Angeles Police Department let its Flock contract expire after the surveillance company was found to be regularly investigating and surveilling innocent people.
OTHER NOTEWORTHY STORIES
EU planning children's social media curbs.
What: The EU announced it is planning to limit young children’s access to social media.
Why: On Monday, European Commission President Ursula von der Leyen stated that it is planning to impose new restrictions on children’s access to social media platforms.
In the announcement, President von der Leyen stated:
“It is clear we need age-appropriate restrictions to platforms. The question is no longer if children face risks online, but what can we do to give children a safer start online.”
Additionally, von der Leyen also indicated that she would likely follow expert suggestions and she is expected to announce it at her next state of the union address.
JULY 13, 2026 | Source: Reuters
EU imposes sanctions on Russia over cybercrime.
What: The EU announced new sanctions against Russia for alleged cybercrime and human rights violations.
Why: On Monday, the EU imposed new sanctions on several Russian individuals and entities. The sanctions targeted VKontakte and Communication Platform LLC for developing and managing the MaxApp for Russian smartphones. The EU alleges that this app is used to repress criticism of Russia’s invasion against Ukraine.
Sanctions were also imposed on Citadel, VAS Experts, and Norsi-Trans. These companies manufacture, develop, and sell hardware and software used in surveillance systems. Lastly, the EU has also imposed sanctions on officers from Russia’s military intelligence service.
JULY 13, 2026 | Source: Reuters
New York imposes nation’s first freeze on hyperscale data centers.
What: New York imposes a statewide freeze on “hyperscale” data centers.
Why: On Tuesday, New York Governor Kathy Hochul imposed the nation’s first statewide freeze on new “hyperscale” data centers. With the freeze, Governor Hochul stated that she wants to give the state time to put in new frameworks that better protect the environment, energy grid, and electric bills. More specifically, Governor Hochul wrote:
“As data center development threatens to hike up utility bills, deplete our natural resources, and create uncertainty for New Yorkers, it’s my responsibility to take action and lead. New York will lead the way in creating the strongest standards in the nation for data center development, ensuring that when companies succeed because of New York, New Yorkers succeed too.”
JULY 14, 2026 | Source: The Hill
