Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
35 articles found · #actualite · Veille Luxgap
AML/CFT information sharing: EDPB and AMLA to issue joint guidelines
The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.
Italy: €100,000 fine against Lepida over LepidaID shortcomings
Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.
Lithuania: €450,000 GDPR fine for lack of MFA at InMedica
Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).
GDPR: no automatic damage — French Court of Cassation tightens Article 82
On 24 June 2026, the French Court of Cassation held that a GDPR breach does not, by itself, entitle a claimant to compensation: the claimant must prove damage and causation. A strong signal for data litigation across Europe.
CNIL: vehicle location data — new recommendation
On 30 June 2026, the CNIL issued a recommendation on the use of vehicle location data. It clarifies ePrivacy consent, multi-user rights, security, data minimisation and the need for DPIAs.
AI Act D-31: transparency on 2 August, machine-readable marking by 2 December
The EU Council confirms AI Act transparency duties from 2 August 2026, with a grace period until 2 December 2026 for machine‑readable marking of AI-generated content.
NIS 2 Luxembourg: 9 days to ILR self‑registration
Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.
ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations
Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.
EDPB updates its Objection & Erasure digest and launches a form
On 25 June 2026, the EDPB updated its OSS digest on the rights to object (Art. 21) and to erasure (Art. 17) and, on 24 June, launched a form to report divergences in GDPR interpretation.
Cold calling: Constitutional Council ends the triple risk
On 25 June 2026, France’s Constitutional Council struck down parallel CNIL/ARCOM/DGCCRF proceedings for the same electronic marketing (Art. L.34‑5 CPCE). Repeal by 31 Oct 2027, but immediate effect: no more duplicate proceedings.
Italy — AgID fined €55,000 for INAD/INI‑PEC transparency failures
The Italian Garante fined AgID €55,000 for transparency and privacy‑by‑design failures when moving PEC addresses from INI‑PEC to INAD. A warning shot for public registers and data reuse.
DORA — Third-country branches: ICT register due by June 30
DORA’s final stretch in Luxembourg: third‑country bank branches must submit their ICT register to the CSSF by June 30, 2026 at the latest. Here is how to get it done this week.