Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take here on regulatory and technical news: new CNPD guidelines, notable sanctions, lessons learned from incidents, and developments in the AI Act, NIS 2 and DORA. The aim is to go beyond the press release.

CJEU (19 March 2026): access may be refused if abusive

The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. A strong signal on reasoned refusals, the burden of proof, and meeting deadlines.

AI Act: 52 days to go before transparency duty (Article 50)

From 2 August 2026, the AI Act transparency duty (Art. 50) applies: clear “you are interacting with AI” notices, machine‑readable labels for generated or manipulated content, and disclosure of deepfakes.

Stryker: mass device wipe — why immutable, isolated backups are vital

After the remote wipe of tens of thousands of Stryker devices, immutable and isolated backup architecture is essential to recover quickly and demonstrate DORA compliance.

Right of access vs premature deletion: Belgian DPA warns recruiter (37/2026)

On 24 February 2026, the Belgian DPA warned a company for deleting an interview video after an access request. In practice, purging must be suspended until the access request has been handled (Arts. 12 and 15 GDPR).

Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h

A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by June 11, 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.

Unimed (DE): 72,000+ patient files stolen — DLP, Article 32 and GDPR transfers

In mid‑April 2026, outsourcer Unimed had 72,000+ patient records stolen. Here is a concrete DLP stack to prevent exfiltration and demonstrate compliance with GDPR Article 32 and cross‑border transfers (Arts. 44‑49).

Amazon v. CNPD (12 March 2026): Legitimate interest rejected in AdTech

Luxembourg’s Administrative Court confirms Amazon’s behavioral advertising could not rely on legitimate interest and annuls the fine in light of the CJEU’s fault requirement.

ENISA updates crypto mechanisms: public review open until July

ENISA opens the public consultation on ACM v3 until the end of July 2026. Companies can comment on the suites and key sizes that will guide EUCC and the European security “state of the art.”

VG Düsseldorf clarifies email: TLS may suffice, no default E2E

On 02/04/2026, the VG Düsseldorf ruled that under GDPR Art. 32, email does not require default E2E: transport encryption (TLS) may suffice based on risk.

Transfers to the United States: CNPD implements the DPF, EDPB remains cautious

The CNPD confirms “free” transfers to US entities certified under the DPF (Art. 45 GDPR), while the EDPB maintains reservations and calls for ongoing vigilance.

SMEs under NIS 2: defensive AI more effective and cheaper than a classic SOC

Classic antivirus, EDR and SIEM miss zero-days and attacks that abuse legitimate tools. An on-premise defensive AI that reasons about behaviour rather than signatures detects those unknown attacks, reacts in under 30 seconds and costs a fraction of a traditional SOC. Demonstrated on a concrete case, minute by minute.

ANSSI risk analysis on encryption: actions for GDPR Art. 32 and CSSF 22/806

On 27/05/2026, ANSSI released an encryption risk analysis. This article turns the guidance into an at‑rest and in‑transit architecture aligned with GDPR Art. 32 and CSSF 22/806, including a post‑quantum roadmap.
