Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

80 articles found · #luxembourg

France Travail fined €5M: GDPR Article 32 moves from theory to audit

The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.

CJEU: age checks for foreign porn sites, under conditions

On 16 June 2026, the CJEU conditionally upheld requiring porn sites based in another EU state to implement age checks. A strong signal for regulators like ARCOM with immediate GDPR implications.

GDPR: complaint closure and no Article 78 appeal if not concerned

The French Council of State (20 May 2026) held that a CNIL complaint closure is not a “legally binding decision” triggering an Article 78 GDPR appeal if the complainant is not concretely affected.

AI Act: Code of Practice published — D-46 for your AI notices

On 10 June 2026, the Commission published a Code of Practice for marking/labelling AI-generated content. From 2 August 2026, transparency obligations (Art. 50) apply. Sign and implement this week.

Munich: Google held liable for false “AI Overviews”

On May 28, 2026, the Munich I Regional Court barred Google from publishing false claims via “AI Overviews,” deeming them Google’s “own statements,” with penalties of up to €250,000 per breach.

AI Act — Prohibited practices (Art. 5): the Commission’s 2025 clarifications

On 4 February 2025, the Commission issued guidelines on prohibited AI practices (Art. 5 AI Act). Eight uses are banned as of 02/02/2025, with fines up to €35m or 7% of global turnover.

ILR — NIS 2 Incident Notification: 24h to alert

On 5 May 2026, Luxembourg transposed NIS 2. ILR released guidance with a 24h early warning, 72h notification and a 1‑month final report. Here is how a managed SOC/SIEM helps meet these milestones calmly.

Berlin: €14.5m cut to €900k — deletion obligation confirmed

On 9 June 2026, the Berlin Regional Court confirmed a GDPR breach by Deutsche Wohnen for archiving without deletion and cut the fine from €14.5m to €900k. A strong signal on effective deletion obligations.

RUAG pays a ransom to Akira: red alert for executive boards

On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.

CJEU (19 March 2026): access may be refused if abusive

The CJEU accepts that a data access request may be rejected as “abusive” if it solely aims at obtaining GDPR compensation. Strong signal for reasoned refusals, burden of proof, and meeting deadlines.

AI Act: 52 days to go before transparency duty (Article 50)

On 2 August 2026, the AI Act transparency duty (Art. 50) applies: clear “you are interacting with AI” notices, machine‑readable labels for generated/manipulated content, and disclosure of deepfakes.

Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h

A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by June 11, 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.

← Newer Page 3 / 7 Older →