243 Vodafone Group Plc Annual Report 2026
Strategic report
Governance
Financials
Other information
Regulation Unaudited information Introduction
The national transposition process is not expected to complete before the end of 2026. The EU Cyber Resilience Act is currently going through implementation ahead of its full application in December 2027, with ongoing work on harmonised standards and alignment with related frameworks such as NIS2. It introduces mandatory cybersecurity requirements for all products with digital elements placed on the EU market, ensuring they are secure‑by‑design and throughout their lifecycle. Country specific Germany In July 2025, the Ministry for Digital Transformation published draft key points for amendments to the German Telecommunications Act aiming to accelerate Fibre-to-the-Home rollout and digitisation. After a first round of market consultation concluded at the end of August 2025, draft legislation was published in February 2026. United Kingdom Following completion of the Vodafone UK/Three UK merger on 31 May 2025, Vodafone Group entered into legally binding commitments with the UK Competition & Markets Authority (CMA), including an eight‑year network investment obligation and time‑limited retail and wholesale commitments lasting a minimum of three years. In March 2026, Ofcom concluded its Telecoms Access Review, setting out its approach to access regulation for fixed services until 2031, broadly continuing the existing regulatory approach set out in 2021. Türkiye BTK (Information Technologies and Communications Authority) has updated regulatory obligations for localisation rates, SME quotas, and the introduction of ‘National Product’ requirements for mobile operators transitioning to 5G. These changes mandate stricter adherence to domestic sourcing targets by 2029.
Associated key regulatory updates include the mandatory localisation rate being increased from 45% to 60% gradually over a three-year period and a new specific quota for National Products. Therefore, this rate is set to increase by 15% gradually over three years. The Authority reserves the right to increase these rates by up to double, depending on the market availability and supply status of goods qualifying as National Communication Products. If an operator meets these specific 5G localisation and national product ratios, they will be deemed compliant with their existing 3G and 4.5G domestic obligations. Full compliance with the new targets is expected by 2029. Africa Vodafone’s African operations continue to operate in a highly regulated environment across both telecommunications and mobile financial services such as M‑Pesa, as well as under quickly evolving regimes governing data protection, cybersecurity and digital markets. Regulatory oversight spans multiple authorities, including national communications regulators, central banks and competition bodies, and varies significantly across jurisdictions, often reflecting different policy priorities and market maturity. In many of our markets, telecommunications licensing and spectrum management remain core regulatory touchpoints, while in mobile financial services Vodafone is subject to stringent financial-sector regulation.
Telecommunications regulation Vodafone continues to meet all existing obligations while preparing for the proposed Digital Networks Act and the revised Cybersecurity Act. The former will govern areas such as long‑term spectrum licensing, network access, security, and end‑user rights across all Member States. Roaming As of 1 January 2026, the European Commission extended the ‘Roam Like at Home’ provisions to Ukraine and Moldova. This requires EU operators, like Vodafone, inter alia to offer subscribers the possibility to call, text, and use data in Ukraine and Moldova, with no additional charges. Privacy/GDPR We are subject to a wide range of local, national, regional and international laws and regulations relating to privacy, data protection and data security, which affect all aspects of our business across mobile, fixed, broadband, enterprise and digital services. Across Europe, our operations are governed by comprehensive data protection and telecommunications regulatory frameworks, including the EU General Data Protection Regulation, with active supervision and enforcement by national authorities. In parallel, regulatory focus on artificial intelligence is increasing. In Europe, a harmonised AI regulatory framework has been adopted and will introduce phased obligations for certain AI systems. Security Regulations The EU Network and Information Security Directive II (NIS2), in effect since 2024, introduced new and heightened requirements in security, risk, and incident management and reporting, with increased penalties (up to 2% of global turnover). It applies to critical sectors, including Telecommunications. Vodafone EU Operating Companies and Group companies providing services in the EU are in scope. Approximately 19 of 27 Member States have transposed the NIS Directive into national law.
Vodafone operates in a highly regulated and continually evolving competitive environment across all markets. We provide a broad range of electronic communications services that are subject to extensive oversight from national regulatory authorities and regional institutions. This includes regulation specific to telecommunications networks and services, data privacy requirements, consumer protection rules and broader digital market governance such as competition law, applicable to all commercial activities. Regulation can differ substantially between jurisdictions, resulting in variations in compliance obligations. Some of our competitors are subject to fewer regulatory constraints than Vodafone where regulation is not applied equitably across similar services. Vodafone also operates in an environment characterised by rapid technological change and increasing political and societal expectations relating to connectivity, security, resilience and digital inclusion. As governments seek to reach targets, regulatory interventions are becoming more ambitious and frequent. This section highlights regulatory changes that pose a material impact to Vodafone Group, and which have come into force during the 12 months between 22 May 2025 and 19 May 2026. EU Vodafone operates under the full suite of EU telecommunications, privacy, and security regulations, including the European Electronic Communications Code, GDPR, NIS2, and emerging AI and cybersecurity frameworks, while continuing to meet obligations across spectrum, interconnection, network regulation, consumer protection and competition. Over the past year, major EU regulatory developments such as the extension of Roam Like at Home to Ukraine and Moldova, and new cybersecurity and AI requirements have introduced important updates shaping Vodafone’s obligations across the region.
Powered by FlippingBook