The internet was built to connect people across borders. Yet increasingly, users experience different versions of the same internet depending on where they are located. Through geo-location technologies, websites and online services can determine a user’s approximate location and tailor — or restrict — access accordingly.

While often presented as a technical necessity, this trend raises important questions about the future of an open and accessible internet. What information, services, or opportunities are available to one user may be unavailable to another solely because of their location.

Europe itself is a collection of jurisdictions governed by different national laws, yet united by a common commitment to fundamental rights and the free flow of information. As policymakers consider new regulatory frameworks, they must remain mindful of how digital borders can undermine these principles.

The proposed European age verification framework is one example. Like most EU legislation, it would apply within the European Union. However, the internet does not stop at Europe’s borders. Technical workarounds (VPN’s) already exist that allow users to route their connections through other jurisdictions, raising questions about both the effectiveness and the broader consequences of such measures.

But this debate extends far beyond age verification. It touches on a wider question of how governments seek to regulate digital spaces and how those efforts shape the structure of the internet itself.

The original design of the internet prioritised resilience. Data could travel through multiple routes, allowing communication to continue even when parts of the network failed. This decentralised architecture made the network robust, innovative, and resistant to central control.

Over time, however, regulation has increasingly focused on large online platforms and service providers. While this approach may appear practical, it also creates incentives for further concentration of power. When compliance becomes easier for large actors than for smaller competitors, regulation can unintentionally reinforce the dominance of the very platforms it seeks to oversee.

As policymakers pursue new security and enforcement objectives, this tension becomes increasingly important. VPN providers are facing the following measures being discussed at the EU level:
[1]

• Data retention. The EU Commission is expected to carry out an impact assessment with the aim of extending the EU’s data retention obligations and reinforcing cooperation between service providers and authorities.
• Lawful interception. Lawmakers seek to explore measures aimed at improving cross-border cooperation for lawful interception of data by 2027.
• Digital forensics. The goal here is to develop technical solutions that allow authorities to analyze and preserve digital evidence stored on electronic devices.
• Decryption. Next year, the EU Commission is set to present a Technology Roadmap on encryption to identify and evaluate decrypting solutions. These technologies are expected to equip Europol officers from 2030.
• Standardisation. The Commission is said to be committed to working alongside Europol, industry stakeholders, experts, and law enforcement practitioners to standardize the new approach to internal security.
• AI solutions for law enforcement. Lawmakers also seek to promote the development and deployment of AI tools by 2028. These solutions will enable authorities to lawfully and effectively process large volumes of seized data.

How these initiatives will interact with existing legislation, including the Cyber Resilience Act [2], remains unclear.

What is clear, however, is that expanding the collection, retention, and processing of personal data carries risks. Experience has repeatedly shown that larger stores of sensitive information become attractive targets for criminals and hostile actors. Data breaches and security failures are not hypothetical concerns; they are an inevitable consequence of accumulating ever-greater quantities of personal information.

Europe must therefore ensure that efforts to improve security do not come at the expense of privacy, digital freedom, and the resilience of the internet itself.

1. discuss.privacyguides.net/t/th… (23-12-2025)
2. digital-strategy.ec.europa.eu/… (2024)

europeanpirates.eu/vpn-digital…