Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, and developments in the AI Act, NIS 2 and DORA, going beyond the press release.
ILR — NIS 2 Incident Notification: 24h to alert
On 5 May 2026, Luxembourg transposed NIS 2. ILR released guidance with a 24h early warning, 72h notification and a 1‑month final report. Here is how a managed SOC/SIEM helps meet these milestones calmly.
CNPD vs CNIL: workplace CCTV, 8 days in LU, up to 30 days in FR
The CNPD sets a default retention of “up to 8 days,” while the CNIL in practice admits up to one month. Entities operating in Luxembourg must adjust their practices and records.
Berlin: €14.5m cut to €900k — deletion obligation confirmed
On 9 June 2026, the Berlin Regional Court confirmed a GDPR breach by Deutsche Wohnen for archiving without deletion and cut the fine from €14.5m to €900k. A strong signal on effective deletion obligations.
CSSF 25/880 — the 2026 PSP ICT Assessment requires continuous VM
The CSSF opened the 2026 “PSD2 – PSP ICT Assessment” campaign: every PSP must submit an up‑to‑date ICT risk assessment via eDesk. Continuous vulnerability management aligns with NIS 2 Art. 21 and DORA Arts. 25–27.
72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg
On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.
RUAG pays a ransom to Akira: red alert for executive boards
On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.
Council of State (13/02/2026): Pseudonymization ≠ Anonymization — DLP and GDPR Transfers
France’s Council of State confirms: “pseudonymized” health data remain personal if re-identifiable. Here’s how strong DLP secures flows and compliance with GDPR Articles 32 and 44–49.
CJEU (19 March 2026): access may be refused if abusive
The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.
AI Act: 52 days to go before transparency duty (Article 50)
On 2 August 2026, the AI Act transparency duty (Art. 50) applies: clear “you are interacting with AI” notices, machine‑readable labels for generated/manipulated content, and disclosure of deepfakes.
Stryker: mass device wipe — why immutable, isolated backups are vital
After the remote wipe of tens of thousands of Stryker devices, an immutable and isolated backup architecture is essential to recover quickly and to demonstrate DORA compliance.
Right of access vs premature deletion: Belgian DPA warns recruiter (37/2026)
On 24 February 2026, the Belgian DPA warned a company for deleting an interview video after an access request. In practice: purge must be suspended until the access right is handled (Arts. 12 and 15 GDPR).
Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h
A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by 11 June 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.