Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

41 articles found · Veille Luxgap

EDPB — Scientific research: last chance to comment

On 25 June 2026, the EDPB closes its public consultation on Guidelines 1/2026 for processing personal data for scientific research. Key clarifications on legal basis, broad consent, and GDPR Article 89 safeguards.

Evidence and personal data: France’s Supreme Court draws a clear line

On 17 June 2026, the French Supreme Court allowed an analysis report based on pseudonymised data as evidence, where necessary and strictly proportionate. A green light for carefully run internal investigations.

AI Act: Code of Practice signing — D‑41 before your AI labels

On 22 June 2026, the Commission unveiled the Code of Practice for labelling AI-generated content. Transparency duties (Art. 50) apply from 2 August 2026, with penalties for non-compliance.

Novo Nordisk rejects $25M after 1.3 TB data theft

On June 16, 2026, FulcrumSec claimed to have stolen over 1 TB from Novo Nordisk and demanded $25M. The company confirmed a June 11 incident, is investigating, and did not pay.

CJEU: age checks for foreign porn sites, under conditions

On 16 June 2026, the CJEU conditionally upheld requiring porn sites based in another EU state to implement age checks. A strong signal for regulators like ARCOM with immediate GDPR implications.

AI Act: Code of Practice published — D-46 for your AI notices

On 10 June 2026, the Commission published a Code of Practice for marking/labelling AI-generated content. From 2 August 2026, transparency obligations (Art. 50) apply. Sign and implement this week.

Munich: Google held liable for false “AI Overviews”

On May 28, 2026, the Munich I Regional Court barred Google from publishing false claims via “AI Overviews,” deeming them Google’s “own statements,” with penalties of up to €250,000 per breach.

Berlin: €14.5m cut to €900k — deletion obligation confirmed

On 9 June 2026, the Berlin Regional Court confirmed a GDPR breach by Deutsche Wohnen for archiving without deletion and cut the fine from €14.5m to €900k. A strong signal on effective deletion obligations.

RUAG pays a ransom to Akira: red alert for executive boards

On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.

AI Act: 52 days to go before transparency duty (Article 50)

On 2 August 2026, the AI Act transparency duty (Art. 50) applies: clear “you are interacting with AI” notices, machine‑readable labels for generated/manipulated content, and disclosure of deepfakes.

Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h

A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by June 11, 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.

ENISA updates crypto mechanisms: public review open until July

ENISA opens the public consultation of ACM v3 until the end of July 2026. Companies can comment on suites and key sizes that will guide EUCC and the European security “state of the art.”

← Newer Page 2 / 4 Older →