Renan Bendel Vaughan (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – UMINHO/BIM/2026/40)

Setting the scene: eight days in April, one contradiction

In April 2026, two events gave rise to a situation that European Union law has not yet addressed in its entirety. On the 21st, the Court of Justice of the European Union (CJEU), sitting as a full court, delivered its judgment in Commission v. Hungary (C-769/22) and recognised for the first time an autonomous and self-sufficient violation of Article 2 of the Treaty on European Union (TEU): the Hungarian legislation stigmatising and marginalising LGBTI+ people was held to be contrary to “the very identity of the Union as a common legal order in a society in which pluralism prevails.”[1] Article 2 TEU thereby acquired the status of a justiciable provision with genuine normative force, capable of constituting an autonomous ground of infringement in its own right, provided that the violation is manifest and particularly serious – a threshold the Court held to be crossed in the Hungarian case on account of the cumulative and coordinated character of the breaches of Articles 1, 7, 11, and 21 of the Charter of Fundamental Rights of European Union (CFREU).[2]

Eight days later, on the 29th, the European Parliament adopted a resolution which examined the European Commission’s 2025 Rule of Law Report, and noted that 93% of the Commission’s recommendations are repeats from previous years, with only 6% having been fully implemented; furthermore, it condemned the use of spyware as a persistent and systematic threat to the rule of law, requiring binding response mechanisms.[3]

Read together, these two instruments reveal a contradiction that is constitutionally precise. Article 2 TEU acquired, in April 2026, an operative density that goes beyond declaratory commitment. The Parliament confirmed, at that same moment, that one of the most elementary structural conditions of the rule of law – judicial independence – remains exposed to a threat that Union law has yet to address: the clandestine surveillance of members of the judiciary by spyware tools operated by the Member States themselves. The legal basis for imposing a positive obligation has just been consolidated, yet the very problem that would call for such imposition remains without an articulated legal response. This text argues that construction is already possible – and that the time has come to undertake it.

Ana Filipa Ribeiro [master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder (ref. UMINHO/BIM/2026/33)]

On 1 July 2026, the transitional period provided for under the Markets in Crypto-Assets Regulation (MiCAR)[1] will expire across the European Union,[2] meaning that providers wishing to continue serving EU clients must either hold a MiCAR authorisation, benefit from another entitlement recognised under the Regulation,[3] or cease the provision of those services.[4] This date marks a decisive moment in the legal ordering of crypto-asset markets, since it is the point at which Regulation (EU) 2023/1114 becomes a concrete legal condition for access to the European market. More specifically, it is the moment at which national authorisation begins to operate as a Union-wide market-access decision with consequences for providers, competitors, users and host Member States across the internal market.

The legal significance of this transition lies in the regulatory architecture chosen by MiCAR. The Regulation seeks to overcome the previous fragmentation of national regimes by establishing uniform rules on authorisation, governance, conduct, prudential requirements, supervision and client protection.[5] Yet, it does so through a model in which authorisation is granted by national competent authorities,[6] while the effects of that authorisation may extend throughout the internal market by means of the European passport.[7] National administrative decisions, thus, acquire a Union-wide market-access function, insofar as an authorisation granted by one competent authority may determine the ability of a crypto-asset service provider to operate across several Member States.

That structure gives rise to a central tension in the legal ordering of EU crypto-asset markets. MiCAR presupposes that decentralised authorisation can coexist with integrated market access, provided that national supervisory practices remain sufficiently convergent.[8] The expiry of the transitional period places that assumption under practical scrutiny. If national authorities apply authorisation requirements with materially different levels of intensity, speed or interpretative strictness, operators subject to the same Regulation may enter the internal market under unequal supervisory conditions.[9] Hence, the concern extends beyond administrative coordination and reaches the conditions of competitive neutrality within the market framework that MiCAR is intended to create.

Helder Matos (master’s student in Human Rights at the School of Law of the University of Minho)

Introduction

In March 2024, the European Data Protection Supervisor (EDPS) revealed that the European Commission, the institution assuming the role of global vanguard in the matter of digital rights, violated the EU’s own data protection regulation due to its structural dependency on the Microsoft 365 ecosystem.[1]

Although the EDPS closed the case in July 2025 after the Commission updated its licensing agreements with Microsoft, this episode brings to the surface the underlying problem that this article proposes to address.[2]

Even as it received the green light to proceed with business-as-usual, the European Commission admitted its deep concerns regarding the crippling dependence on a non-European company for the digital platforms needed for normal day-to-day functioning.[3] The European Union (EU) does not control the technological infrastructure it runs on, as it is forced to negotiate the terms of its own data security with foreign corporations.

Vitória Menezes Sanhudo (master’s student in European Union Law at the School of Law of University of Minho)

The harmonisation of corporate sustainability disclosure criteria has become increasingly relevant as a guarantee of a level playing field among companies and for the efficiency of the Internal Market. In this context, Directive (EU) 2022/2464 (CSRD) amends previous provisions, aiming to promote a more standardised sustainability reporting obligation, using the double materiality principle (DMP). It is deemed as necessary to analyse the conceptual evolution of materiality, from its origin in accounting to double materiality (enshrined in the CSRD Directive), its enforcement in the Directive under consideration, to evaluate the benefits and challenges of this dual perspective from a theoretical approach and, subsequently, to assess it from a more practical viewpoint, taking into account conclusions that can already be drawn from its introduction in the CSRD Directive.

The research question is as follows: in what way does the evolution of materiality in sustainability reporting prove to be positive, particularly with the incorporation of the DMP in the CSRD?

The concept of materiality

For a complete understanding of the CSRD Directive and the DMP, firstly, it is crucial to establish the conceptual basis that underpins them: materiality as a legal principle. The concept of material information emerged in the field of accounting at the beginning of the 20^th century, and its importance and scope have expanded over the years. In the EU, the Accounting Directive[1] is the central instrument for corporate financial reporting. Generally, all definitions formulated imply that information is material when its omission or misrepresentation can influence the economic decisions of the users that this concept aims to inform and benefit. Naturally, the definition of materiality varies according to the objective pursued by the reporting.[2]

Renan Bendel Vaughan (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – UMINHO/BIM/2026/40)

Setting the scene: a political moment and a legal gap

The concept of hybrid threats has become one of the most frequently invoked analytical categories in contemporary European discourse in matters of security. Since its consolidation in the institutional vocabulary of the EU in sequence of the Joint Framework of 2016,[1] the expression migrated progressively from the strategic-military domain to the field of Union law, informing legislative instruments in matters of cybersecurity, critical infrastructures’ resilience and protection of the democratic institutions. However, its legal operability remains uncertain, given that the concept is invoked with increasing frequency in soft-law instruments and in policy frameworks, without this invocation being accompanied by a legal definition sufficiently precise to underpin the normative requirements placed upon it.

The Conclusions of the Council of the EU of 16 March 2026 on advancing the European Union’s capacity to counter hybrid threats constitutes the most recent institutional moment in this evolutive framework.[2] The Council of EU condemned the persistent hybrid threats of state and non-state actors aimed at compromising the security and stability of the Union and its Member States, specifically identifying the sabotage on critical infrastructures, the malicious cyber activities, the foreign information manipulation and interference (FIMI), the election interference, and instrumentalisation of migration. It called for the utmost implementation of the Directives NIS2 and CER, it highlighted the importance of the Cyber Blueprint as a mechanism of collective response and drew attention to the malicious use of emerging technologies, including AI and quantic technologies.

Ana Cardoso (PhD candidate & Master’s in European Union Law at the School of Law of University of Minho. FCT research scholarship holder – 2025.06747.BD.)

I.

On March 23, 2026 the European Commission took the final procedural step required for provisional application of the EU-Mercosur interim Trade Agreement (“iTA”), by notifying the Mercosur countries with a “note verbale”.[1] This means that as of May 1, 2026, the iTA has started being provisionally applied, despite the European Parliament’s decision to ask for the European Court of Justice’s (“CJEU”) opinion on whether the EU-Mercosur Free Trade Agreement (“EMTA”) is in conformity with the Treaties.[2]

This was possible because the EMTA is divided into two main documents: (i) the iTA covering trade liberalisation and (ii) a broader comprehensive Partnership Agreement; the first can take effect while the second faces the hurdles of full ratification.[3]

Given this somewhat unprecedented decision by the Commission – which ignores a long-standing gentleman’s agreement of institutional respect between the Commission and the Parliament – it is worth questioning if this provisional application might end up jeopardising the EU’s ambitious climate and environmental goals or if, on the other hand, the internal legal framework in this area is strong enough to prevent indirect backtracking.

Ana Filipa Ribeiro (master’s student in European Union Law at the School of Law of University of Minho and ENDE Research Grant Holder – UMINHO/BIM/2026/33)

Regulation (EU) 2023/1114 on Markets in Crypto-assets (MiCAR)[1] is the European Union’s first comprehensive framework for crypto-assets that fall outside existing financial-services legislation,[2] designed to harmonise rules across the internal market, while pursuing objectives traditionally associated with public regulation, including investor and consumer protection, market integrity and financial stability.[3] MiCAR does so in large part by placing crypto-asset service providers (CASPs) at the centre of its governance architecture. A CASP[4] is a legal person or other undertaking that is authorised and supervised as an intermediary that provides one or more crypto-asset services to clients on a professional basis, including custody and administration of crypto-assets, operation of trading platforms, exchange, execution of orders and transfers on behalf of clients.[5] In practice, CASPs set and enforce platform rules, monitor activity, restrict access, freeze, or limit the movement of assets, suspend trading and delist tokens, often in real time and on the basis of risk assessments that combine regulatory obligations and internal policies.[6] It is therefore plausible to say that these entities go beyond acting as technical conduits and participate in a form of private ordering with structurally quasi-public effects, a claim developed below.

Because CASPs control the infrastructure through which most users access crypto markets, their decisions can function as immediate constraints on market access and on effective enjoyment of asset-related interests. Crucially, these decisions often give rise to dispute’s origin, by unilaterally altering a client’s position through measures such as freezing assets, restricting transfers, suspending trading, or delisting a token.[7] The resulting conflict is then typically channelled into an internal process designed and administered by the CASP itself, with the provider acting simultaneously as rule-maker, investigator, decision-maker, and initial reviewer.[8] This concentration of functions is a familiar source of legitimacy concerns in public governance, yet it has received limited conceptual attention in the MiCAR context.