Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
AML/CFT information sharing: EDPB and AMLA to issue joint guidelines
The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.
CSSF — DORA: ICT register due March 31, 2026; inventory is critical
The CSSF opened the DORA ICT register collection with stricter validations. Without an automated, reliable inventory/CMDB, submissions risk rejection and supply chain blind spots remain.
GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)
France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.
Italy: €100,000 fine against Lepida over LepidaID shortcomings
Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.
ILR — NIS 2 incident notification: 24h to alert, your SOC must deliver
In June 2026, the ILR released a “NIS 2 incident notification” guide: early warning within 24h, notification at 72h, and a final report within 1 month. Here’s the SIEM/SOC stack to achieve this without panic.
Workplace video surveillance: CNIL fine of 2 April 2026
On 02/04/2026, the CNIL imposed a €7,500 fine for CCTV non-compliance. In Luxembourg, the CNPD likewise requires proportionality, frequent DPIAs and two-layer information.
Lithuania: €450,000 GDPR fine for lack of MFA at InMedica
Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).
CSSF — Ivanti EPMM: RCE exploited, mandatory DORA notification
On 10 February 2026, the CSSF warned of two actively exploited Ivanti EPMM RCEs (CVE‑2026‑1281/1340) and reminded firms that this constitutes a major ICT incident to notify (Circulars 25/893 and 24/847).
GDPR: first access request may be refused for abuse (CJEU 19/03/2026)
The CJEU (C‑526/24) holds that a first GDPR access request may be refused for abuse under Article 12(5). Practical key: document abusive intent and a two‑pronged proportionality test.
GDPR: no automatic damage — French Court of Cassation tightens Article 82
On 24 June 2026, the French Court of Cassation held that a GDPR breach does not, by itself, entitle a claimant to compensation: the claimant must prove damage and causation. A strong signal for data litigation across Europe.
BSI v2.0 “Logging and Detection”: What It Changes for Your Logs and SIEM
In April 2026, BSI released v2.0 of its minimum standard “Protokollierung und Detektion.” Here’s how to align logging, detection, and investigation with NIS 2 and DORA, and meet ILR/CSSF expectations.
DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?
On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.