Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. The aim is to go beyond the press release.
AI Act – Article 50: transparency for chatbots and deepfakes by 2026
From 2 August 2026, any AI interaction, synthetic content, and any emotion recognition/biometric categorization system must be disclosed. Fines up to €15M or 3% of global turnover.
GDPR Art. 33: Notify CNPD of a breach within 72h—without panic
Practical method, based on official texts and CNPD guidance, to decide, notify, and document a personal data breach within 72 hours.
EU‑US data transfers after Schrems II and the DPF: CNPD expectations 2026
Secure transatlantic flows without over‑compliance: the DPF eases transfers to certified US entities, but Article 46 and supplementary measures remain key outside the DPF. Prioritize vendor governance and DPIA documentation.
NIS 2 in Luxembourg: how to notify ILR within 24h/72h/1 month
NIS 2 requires an early warning within 24h, a formal notification at 72h, and a final report within 1 month. In Luxembourg, ILR and the national CSIRT (CIRCL) are your key contacts.
DORA Article 28: the 'ICT dependencies register' expected by the CSSF
Since 17 January 2025, all financial entities subject to DORA must keep a structured register of their ICT contracts. The CSSF has specified the timeline and submission modalities in Luxembourg.
CNPD: recording business meetings and conversations in GDPR compliance
In 2026, Luxembourg’s CNPD frames audio/video recording of private meetings. Legal basis, transparency and retention are critical; recordings often must be deleted once the minutes are approved.
CNIL approves a GDPR code of conduct for retail
On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for retailers, with auditable requirements and third-party oversight.
Qilin claims cyberattack on Exclusive Networks
The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.
Ransomware at ChipSoft: alert for cross‑border care
Dutch EHR vendor ChipSoft said on April 29 that data stolen in an early‑April cyberattack had been “destroyed.” Cross‑border hospitals and insurers should take action this week.
Luxembourg referred to the CJEU for delay in transposing CER
The European Commission is referring Luxembourg to the Court of Justice for failing to transpose the Critical Entities Resilience (CER) Directive. Immediate implications for essential operators, linked to NIS2.
NIS2 Directive in Luxembourg: a new era of cyber accountability
Luxembourg has transposed the NIS2 Directive, fundamentally reshaping corporate cybersecurity obligations. Broader scope, strengthened governance, tougher sanctions: an overview of the key challenges and the first steps to take.