Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
35 articles found · #veille
CSSF: requirements of the review on illiquid asset valuation
On 4 June 2026, the CSSF released a feedback report on illiquid asset valuation at IFMs. It requires immediate benchmarking of practices and documented corrective measures.
ICO recovers £118,852 from two former RAC employees
On 4 June 2026, the ICO secured confiscation orders totaling £118,852.32 against two former RAC employees for illegally selling nearly 30,000 lines of motorists’ data, underscoring increased post-conviction use of POCA powers.
WFP Gaza: warning for your enrollment portals (600,000 households)
On 2 June 2026, the WFP confirmed its self‑registration app in Palestine was compromised: data of ~600,000 Gaza households (names, IDs, mobiles, location) exfiltrated. Breach dated 14 May.
Dashlane: fewer than 20 vaults copied — lessons from a 2FA attack
On May 31, 2026, a brute-force campaign targeting 2FA allowed attackers to copy encrypted Dashlane vaults from “fewer than 20” users. Here’s what this means for your IAM controls and GDPR/NIS 2 obligations.
AEPD fines Amadeus €14.4M for traveler profiling without legal basis
Spain’s AEPD fined Amadeus IT Group €14.4M (reduced from €18M) for a traveler profiling pilot using booking data without a lawful basis and without informing travelers. Decision made public on May 26–27, 2026.
AI Act: 3 days to respond — EU consultation on transparency
The European Commission closes its consultation on transparency guidelines (Article 50 AI Act) on 3 June 2026. Last call to finalize your “AI” notices and labelling of synthetic content.
CNIL updates MR‑001/MR‑003: an operational playbook (26/05)
The CNIL updates MR‑001 and MR‑003 and releases compliance checklists. Immediate effect for health research conducted in France, impacting Luxembourg sponsors when French patients or sites are involved.
CNIL approves a GDPR code of conduct for retail
On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for retailers, with auditable requirements and third-party oversight.
Qilin claims cyberattack on Exclusive Networks
The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.
Ransomware at ChipSoft: alert for cross‑border care
Dutch EHR vendor ChipSoft said on April 29 that data stolen in an early‑April cyberattack had been “destroyed.” Cross‑border hospitals and insurers should take action this week.
Luxembourg referred to the CJEU for delay in transposing CER
The European Commission is referring Luxembourg to the Court of Justice for failing to transpose the Critical Entities Resilience (CER) Directive. Immediate implications for essential operators, linked to NIS2.