Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
80 articles found · #luxembourg
AML/CFT information sharing: EDPB and AMLA to issue joint guidelines
The EDPB and AMLA announced joint guidelines on information‑sharing partnerships under AMLR Article 75, applicable from 10 July 2027. Goal: a GDPR‑compatible data‑sharing framework for AML/CFT.
GDPR rights at work: only the individual has standing (Cass. crim., Jan 13, 2026)
France’s Supreme Court held that a company cannot invoke employees’ GDPR rights to challenge a seizure: only the data subjects themselves have standing. A key takeaway for DSAR and DPO response workflows.
ILR — NIS 2 incident notification: 24h to alert, your SOC must deliver
In June 2026, the ILR released a “NIS 2 incident notification” guide: early warning within 24h, notification at 72h, and a final report within 1 month. Here’s the SIEM/SOC stack to achieve this without panic.
Lithuania: €450,000 GDPR fine for lack of MFA at InMedica
Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).
GDPR: no automatic damage — French Court of Cassation tightens Article 82
On 24 June 2026, the French Court of Cassation held that a GDPR breach does not, by itself, entitle a claimant to compensation: the claimant must prove damage and causation. A strong signal for data litigation across Europe.
DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?
On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.
CNIL: vehicle location data — new recommendation
On 30 June 2026, the CNIL issued a recommendation on the use of vehicle location data. It clarifies ePrivacy consent, multi-user rights, security, data minimisation and the need for DPIAs.
AI Act D-31: transparency on 2 August, machine-readable marking by 2 December
The EU Council confirms AI Act transparency duties from 2 August 2026, with a grace period until 2 December 2026 for machine‑readable marking of AI-generated content.
Electric bike team building on the Moselle: Schengen → Grevenmacher
A day on e-bikes along the Moselle from Schengen to Grevenmacher, with friendly stops and a tasting. Communication, coordination and shared fun strengthen cohesion — with minimal logistics.
NIS 2 Luxembourg: 9 days to ILR self‑registration
Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.
ANSSI — ReCyF: Microsegmentation as a key NIS 2 control
ANSSI’s ReCyF (March 17, 2026) details concrete NIS 2 measures. Network microsegmentation limits lateral movement, protects sensitive environments, and streamlines evidence of compliance.
NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)
Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.