Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
80 articles found · #luxembourg
France Travail fined €5M: GDPR Article 32 moves from theory to audit
The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.
CJEU: age checks for foreign porn sites, under conditions
On 16 June 2026, the CJEU conditionally upheld requiring porn sites based in another EU state to implement age checks. A strong signal for regulators like ARCOM with immediate GDPR implications.
GDPR: complaint closure and no Article 78 appeal if not concerned
The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.
AI Act: Code of Practice published — D-46 for your AI notices
On 10 June 2026, the Commission published a Code of Practice for marking/labelling AI-generated content. From 2 August 2026, transparency obligations (Art. 50) apply. Sign and implement this week.
Munich: Google held liable for false “AI Overviews”
On May 28, 2026, the Munich I Regional Court barred Google from publishing false claims via “AI Overviews,” deeming them Google’s “own statements,” with penalties of up to €250,000 per breach.
AI Act — Prohibited practices (Art. 5): the Commission’s 2025 clarifications
On 4 February 2025, the Commission issued guidelines on prohibited AI practices (Art. 5 AI Act). Eight uses are banned as of 02/02/2025, with fines up to €35m or 7% of global turnover.
ILR — NIS 2 Incident Notification: 24h to alert
On 5 May 2026, Luxembourg transposed NIS 2. ILR released guidance with a 24h early warning, 72h notification and a 1‑month final report. Here is how a managed SOC/SIEM helps meet these milestones calmly.
Berlin: €14.5m cut to €900k — deletion obligation confirmed
On 9 June 2026, the Berlin Regional Court confirmed a GDPR breach by Deutsche Wohnen for archiving without deletion and cut the fine from €14.5m to €900k. A strong signal on effective deletion obligations.
RUAG pays a ransom to Akira: red alert for executive boards
On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.
CJEU (19 March 2026): access may be refused if abusive
The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.
AI Act: 52 days to go before transparency duty (Article 50)
On 2 August 2026, the AI Act transparency duty (Art. 50) applies: clear “you are interacting with AI” notices, machine‑readable labels for generated/manipulated content, and disclosure of deepfakes.
Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h
A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by June 11, 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.