Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
Deploying ChatGPT without consulting staff: courts order suspension — and Luxembourg is not immune
On 21 May 2026, the Paris Court of Appeal suspended ChatGPT and an internal AI assistant at a press group, under a EUR 1,000 daily penalty: the works council had not been consulted before deployment. The fourth such ruling in a year. In Luxembourg the logic already exists — staff delegation, co-decision from 150 employees, AI Act in August 2026. What to check before deploying.
CNIL: vehicle location data — new recommendation
On 30 June 2026, the CNIL issued a recommendation on the use of vehicle location data. It clarifies ePrivacy consent, multi-user rights, security, data minimisation and the need for DPIAs.
ENISA publishes its Cybersecurity Exercise Methodology (16 Feb 2026)
ENISA releases a comprehensive methodology and toolkit to design and run cyber exercises. Here is how to align it with DORA (Art. 24) and NIS 2 for robust compliance evidence.
AEPD vs AENA: €10.04M for a deficient DPIA in biometrics
On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant DPIA related to biometric boarding. Key signal: a DPIA must now be complete, evidence-based and traceable.
AI Act D-31: transparency on 2 August, machine-readable marking by 2 December
The EU Council confirms AI Act transparency duties from 2 August 2026, with a grace period until 2 December 2026 for machine‑readable marking of AI-generated content.
UniCredit Romania: €12k GDPR fine — preventing misdirected emails
On 29 May 2026, Romania’s ANSPDCP fined UniCredit Bank SA for security shortcomings (Art. 32) and late breach notification (Art. 33) after mailings to wrong recipients. Here is practical DLP that prevents this and evidences compliance.
Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser
Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.
Electric bike team building on the Moselle: Schengen → Grevenmacher
A day on e-bikes along the Moselle from Schengen to Grevenmacher, with friendly stops and a tasting. Communication, coordination and shared fun strengthen cohesion — with minimal logistics.
NIS 2 Luxembourg: 9 days to ILR self‑registration
Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.
ANSSI — ReCyF: Microsegmentation as a key NIS 2 control
ANSSI’s ReCyF (March 17, 2026) details concrete NIS 2 measures. Network microsegmentation limits lateral movement, protects sensitive environments, and streamlines evidence of compliance.
NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)
Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.
ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations
Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.