Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

80 articles found · #luxembourg

DORA Art. 28: CSSF turns up the heat on the ICT dependencies register

As of 16 March 2026, only 40% of entities had filed their DORA Art. 28 register. CSSF warns: ESAs’ quality checks, potential rejections and tight resubmission windows, with a 30 June “best effort” for some branches.

CSSF: requirements of the review on illiquid asset valuation

On 4 June 2026, the CSSF released a feedback report on illiquid asset valuation at IFMs. It requires immediate benchmarking of practices and documented corrective measures.

CNPD 1FR/2025: how the DPA calculates a GDPR fine in 5 steps

On 6 January 2025, the CNPD fined a controller for delays in data subject rights and applied the EDPB’s five-step method. Key takeaway: track and document your “time-to-rights”.

ICO recovers £118,852 from two former RAC employees

On 4 June 2026, the ICO secured confiscation orders totaling £118,852.32 against two former RAC employees for illegally selling nearly 30,000 lines of motorists’ data, underscoring increased post-conviction use of POCA powers.

WFP Gaza: warning for your enrollment portals (600,000 households)

On 2 June 2026, the WFP confirmed its self‑registration app in Palestine was compromised: data of ~600,000 Gaza households (names, IDs, mobiles, location) exfiltrated. Breach dated 14 May.

Workplace video surveillance: the Hanako case rules out consent

Italy’s Garante (12/03/2026) fined Hanako s.r.l. for in-store video surveillance without proper notice and labor authorization. EU-wide message: in employment, employee consent is not a convenient legal basis.

Dashlane: fewer than 20 vaults copied — lessons from a 2FA attack

On May 31, 2026, a brute-force campaign targeting 2FA allowed attackers to copy encrypted Dashlane vaults from “fewer than 20” users. Here’s what this means for your IAM controls and GDPR/NIS 2 obligations.

AEPD fines Amadeus €14.4M for traveler profiling without legal basis

Spain’s AEPD fined Amadeus IT Group €14.4M (reduced from €18M) for a traveler profiling pilot using booking data without a lawful basis and without informing travelers. Decision made public on May 26–27, 2026.

AI Act: 3 days to respond — EU consultation on transparency

The European Commission closes its consultation on transparency guidelines (Article 50 AI Act) on 3 June 2026. Last call to finalize your “AI” notices and labelling of synthetic content.

Luxgap SealedMail: the first email server where your CIO cannot read you

Launch of SealedMail, zero-knowledge email server hosted in Luxembourg, designed for executives. End-to-end encryption with X25519 asymmetric keys. Neither IT admin nor Luxgap can read your mailboxes. Works with your usual Outlook.

Ireland — Permanent TSB fined: GDPR arts. 32/33 tested at call centers

The Irish DPC fined Permanent TSB €277,500 for call center authentication failures and late notification. Lesson for Luxembourg: Article 32 and the 72h rule (Art. 33) also apply to human processes.

CNIL updates MR‑001/MR‑003: an operational playbook (26/05)

The CNIL updates MR‑001 and MR‑003 and releases compliance checklists. Immediate effect for health research conducted in France, impacting Luxembourg sponsors when French patients or sites are involved.

← Newer Page 4 / 7 Older →