Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
58 articles found · #solution
Council of State (13/02/2026): Pseudonymization ≠ Anonymization — DLP and GDPR Transfers
France’s Council of State confirms: “pseudonymized” health data remain personal if re-identifiable. Here’s how strong DLP secures flows and compliance with GDPR Articles 32 and 44–49.
Stryker: mass device wipe — why immutable, isolated backups are vital
After the remote wipe of tens of thousands of Stryker devices, immutable and isolated backup architecture is essential to recover quickly and demonstrate DORA compliance.
Unimed (DE): 72,000+ patient files stolen — DLP, Article 32 and GDPR transfers
In mid‑April 2026, outsourcer Unimed had 72,000+ patient records stolen. Here is a concrete DLP stack to prevent exfiltration and demonstrate compliance with GDPR Article 32 and cross‑border transfers (Arts. 44‑49).
VG Düsseldorf clarifies email: TLS may suffice, no default E2E
On 02/04/2026, the VG Düsseldorf ruled that under GDPR Art. 32, email does not require default E2E: transport encryption (TLS) may suffice based on risk.
ANSSI risk analysis on encryption: actions for GDPR Art. 32 and CSSF 22/806
On 27/05/2026, ANSSI released an encryption risk analysis. This article turns the guidance into an at‑rest and in‑transit architecture aligned with GDPR Art. 32 and CSSF 22/806, including a post‑quantum roadmap.
Microsoft: cryptominer via SEO/AI — EDR/XDR and NIS 2 in action
Microsoft disclosed an active cryptomining campaign spread via SEO poisoning and AI recommendations. Here’s how an EDR/XDR stack detects, contains, and evidences compliance with NIS 2 and DORA.
Magecart 1×1 SVG skimmer on Magento: DLP and GDPR compliance
Sansec reveals a credit-card skimmer hidden in a 1×1 SVG targeting ~100 Magento stores, exfiltrating to 23.137.249.67. Here’s how well‑tuned DLP addresses GDPR Articles 32 and 44‑49.
Charter: 4.9M emails exposed — phishing‑resistant MFA is now essential
A vishing attack abused a Microsoft Entra account to exfiltrate customer data from Salesforce. FIDO2/WebAuthn MFA is now the state of the art expected by GDPR Article 32.
French Council of State 2026 — Health Data Hub: DLP impact and EU transfers
The French Council of State (20/03/2026) upholds CNIL’s authorization for Health Data Hub on Microsoft Ireland in France and confirms no transfers outside the EU. A well‑configured DLP proves and enforces these flow limits technically.
ILR — NIS 2 guidelines for governing bodies (17/02/2026)
ILR reiterates the 24‑hour early warning via SERIMA, then 72 hours and 1 month. See how a managed SOC/SIEM helps meet NIS 2 deadlines without stress.
Tycoon 2FA: device code campaign bypasses Microsoft MFA
On May 12, 2026, eSentire detailed a Tycoon 2FA campaign abusing the OAuth Device Code flow to steal tokens without passwords. Why phishing-resistant FIDO2/WebAuthn MFA is required to meet GDPR Article 32.
French Supreme Court (Mar 5, 2026) reshapes qualified e-signatures
Since March 5, 2026, only a Qualified Electronic Signature (QES) shifts the burden of proof. How to evidence QTSP, QSCD and LTV to secure contracts and compliance.