EU Regulatory News

If you handle personal data of users in France or sell into the French market: The CNIL's 2025 figures show enforcement intensity is rising on cookies, employee monitoring and data security, the three areas it identifies as driving the bulk of last year's fines. Review your cookie banners, monitor your data-breach response times against the Article 33 72-hour deadline, and audit your security controls against the storage-limitation and security principles of GDPR Articles 5 and 32. If you build, deploy or distribute AI systems used in France: The CNIL is positioning itself as one of the most active EU AI Act regulators and is on track to supervise several Annex III high-risk categories (biometrics, migration, law enforcement, employment, education) once formally designated. Map your AI systems against the prohibited practices in Article 5 and the high-risk categories in Annex III. Run a privacy review with Verdaio's GDPR Quick Check and an AI Act classification check with Verdaio's EU AI Act Assessment.

If you store user credentials or run any service that holds account passwords: Plain-text password storage and weak hashing remain among the clearest security failures a regulator can find. Hash passwords with a modern, salted algorithm, never keep them in readable form, and delete credentials for systems and accounts you no longer use, in line with the storage-limitation principle. If you handle personal data breaches: Notifying the supervisory authority within 72 hours under Article 33 is only half of the obligation. Where a breach poses a high risk to individuals, Article 34 requires you to inform those individuals without undue delay, and commercial or reputational concerns do not pause that clock. Map your breach-response plan and security controls with Verdaio's GDPR Quick Check.

If you build, deploy or distribute AI systems and are unsure whether they count as high-risk: These draft guidelines are the most detailed official steer yet on where the high-risk line sits. Map your AI systems against the Annex I product-safety route and the eight Annex III areas, and use the practical examples to test borderline cases such as HR, credit-scoring and biometric tools. If a specific use case is unclear, submit feedback to the consultation before 23 June 2026. Classification is the first step in every AI Act compliance programme: a system classified as high-risk triggers risk management, data governance, logging, transparency and human-oversight obligations. Run a classification check with Verdaio's EU AI Act Assessment.

If you build, deploy or distribute high-risk AI systems or general-purpose AI: The new deadlines (2 December 2027 for Annex III, 2 August 2028 for Annex I) are now locked in by Coreper but are not yet law until Parliament adopts at first reading. Until that adoption, the original 2 August 2026 deadline applies. If you build generative AI consumer products: The reduced three-month grace period means watermarking and content-provenance solutions must be in place by 2 December 2026, three months earlier than the originally proposed six-month grace. Audit your tooling against the new "nudification" and CSAM prohibitions before adoption. Run a classification check with Verdaio's EU AI Act Assessment.

If you provide AI systems to schools, universities or vocational training providers, or if you deploy AI in an education or training context: Education ministers are now formally aligned on a human-centred deployment model. Expect Member States to push procurement requirements that include teacher AI-literacy training, transparent evaluation criteria, and bias and misinformation safeguards. The conclusions also reinforce that the Article 4 AI literacy obligation applies to all AI deployers, not just those in high-risk sectors. If you sell AI tools for HR, recruitment, assessment or scoring in an education or training context: Classification as high-risk under Annex III is now coupled with these political conclusions, raising the bar for transparency, human oversight and evaluation. Run a classification check with Verdaio's EU AI Act Assessment and review your training programme with Verdaio's AI Literacy guide.

If you build or deploy generative AI, chatbots, deepfake tools, emotion recognition or biometric categorisation systems: The 2 August 2026 transparency deadline still stands. Plan now for chatbot disclosure, machine-readable watermarking of synthetic outputs, and clear deepfake labelling, and submit feedback before 3 June 2026 if your use case needs clarification. Run a classification check with Verdaio's EU AI Act Assessment.

If you operate a contact centre or any voice-channel customer service handling personal or financial data: Voice-channel social engineering remains a top regulatory concern. Map your caller-authentication procedures against Articles 5(1)(f) and 32(1), train staff on knowledge-based authentication weaknesses and impersonation indicators, and ensure your incident-response process can detect and notify the supervisory authority within the 72-hour window of Article 33. Run a structured posture check with Verdaio's GDPR Quick Check.

If you build, deploy or distribute high-risk AI systems (HR, education, credit scoring, biometrics, AI in regulated products) or general-purpose AI: Plan for a 2 December 2027 (Annex III) or 2 August 2028 (Annex I) deadline, but do not stop compliance work. Formal adoption is still pending and the original 2 August 2026 deadline applies until both co-legislators sign off. The extra time is best used to mature risk management, data governance and human-oversight controls, not to delay them. If you build generative AI consumer products: Audit your tooling against the new "nudification" and CSAM prohibitions before the deal is adopted. Run a classification check with Verdaio's EU AI Act Assessment.

If you are an undertaking in scope of the CSRD (1,000+ employees, €450M+ turnover): Review the draft revised ESRS now, especially the materiality assessment changes and reduced datapoint set, and decide whether to apply the revised standards early for FY 2026 or wait for FY 2027. Submit feedback before 3 June 2026 if you have specific concerns. If you are a smaller company in a CSRD value chain: The voluntary standard plus the value chain cap limits what your large clients can require from you on sustainability data. Run a gap-check with Verdaio's ESRS Gap Analysis.

If you operate or distribute services on a designated gatekeeper platform (App Store, Google Play, Amazon Marketplace, Facebook, Instagram, TikTok, Search, Booking.com): Expect the Commission to accelerate ongoing non-compliance proceedings and to focus on practical effects (real choice, real interoperability) rather than formal box-ticking. Plan for higher fines on repeat or continued non-compliance, and for closer scrutiny of AI-driven search and assistant tools when integrated with gatekeeper services. Track DMA developments and align your distribution, advertising and consent flows accordingly.

If you operate cross-border data transfers (especially to non-adequacy jurisdictions) or rely on Standard Contractual Clauses with supplementary measures: the DPC decision still stands as the EU benchmark on what 'essentially equivalent protection' under Article 46(1) GDPR requires. The stay only freezes enforcement while the Irish courts review the underlying decision; it does not weaken the substantive compliance obligation. Audit your transfer impact assessments, supplementary measures, and onward-access controls. Run a structured check with Verdaio's GDPR Quick Check.

If you operate a hotel, B&B, or short-term rental in Italy (or process Italian guest data from abroad): Audit your check-in workflow now. Stop photographing or storing identity documents after the Alloggiati Web reporting; keep only the transmission receipt. Review your retention policy, train front-desk staff on the new guidance, and ensure your booking and PMS systems do not preserve ID images by default. Run a gap-check with Verdaio's GDPR Quick Check.

If you build, deploy or distribute high-risk AI systems (particularly in HR, education, credit scoring, biometrics, or AI embedded in regulated products): Plan as if the 2 August 2026 deadline will hold. Trilogue uncertainty is not a basis for delaying compliance work. Even if a postponement is later agreed, an early start protects you from a compressed timeline. Run a classification check with Verdaio's EU AI Act Assessment.

If you operate a digital platform, ad-tech product, or any service whose terms condition access on data use: Expect EU competition authorities to assess your data-handling practices through a GDPR lens, and the EDPB to factor competition outcomes into its guidance. Review the alignment of your privacy notices, consent flows and data-portability mechanisms with both frameworks. Run a gap-check with Verdaio's GDPR Quick Check.

If you run email marketing, transactional emails or newsletters targeting Italian recipients: Review every pixel, open-tracker and click-tracker in your ESP or CRM stack, map each to a specific legal basis, and align your consent flows and privacy notices with the Guidelines. Revisit data-minimisation controls (pseudonymous IDs, short retention) and document the exemption you rely on where no consent is collected. Run a gap-check with Verdaio's GDPR Quick Check.

If you run a mobile app that reads device state (installed apps, running processes, device fingerprinting): The Garante's decision sets a clear precedent that mandatory, all-or-nothing authorisations to access device data are disproportionate, even for fraud prevention. Review data minimisation, user-information flows, DPIA coverage, and security/retention controls for your mobile apps. Run a gap-check with Verdaio's GDPR Quick Check.

If you process personal data for research: Start mapping your activities against the six indicative factors and review how you document consent, safeguards and the limits on data subject rights. If you transfer personal data outside the EU/EEA: Certification is now a practical alternative to Standard Contractual Clauses and BCRs, useful where providers are reluctant to sign SCCs, or where the destination jurisdiction creates uncertainty. Review your GDPR posture and see whether certification-based transfers fit your vendor stack.

If you deploy biometric systems (facial recognition, fingerprint) for access, authentication, or customer experience: Biometric processing in public or semi-public spaces must satisfy strict necessity, encryption, and retention standards, even with consent. Review the Article 9 GDPR legal basis, technical safeguards, and whether you offer a real non-biometric alternative. Biometric systems may also trigger EU AI Act obligations. Check your posture with Verdaio's GDPR Quick Check and EU AI Act Assessment.

If you conduct DPIAs: This is the first time the EU has offered a single, consistent DPIA format that will be recognised across Member States. Multinational controllers benefit most, one template, one structure, accepted by every DPA. Action: Review your current DPIA methodology against the draft template, submit feedback before 9 June if relevant, and plan to migrate existing DPIAs once national DPAs formally adopt it. Run a gap-check with Verdaio's GDPR Quick Check.

If you operate in any of the 18 NIS2 sectors: The compliance deadline is now less than 6 months away. Start with a gap assessment to understand your current posture, particularly around incident reporting (72-hour notification requirement), supply chain risk management, and board-level accountability. Not sure if NIS2 applies to you? Run the free NIS2 Readiness Assessment.

If you have under 1,000 employees: You are likely out of mandatory scope under the new threshold. However, large customers and financial institutions may still require CSRD-aligned disclosures through their own value chain reporting. If you have 1,000+ employees: Mandatory reporting continues, the core ESRS standards remain unchanged. Use the delay to strengthen your data collection processes.

If you deploy high-risk AI: The extension is very likely to pass, but it is not yet law. The responsible approach is to prepare for the August 2026 deadline while expecting the relief. If adopted as expected, you will have until December 2027 for Annex III systems. Use the time to build compliant processes rather than waiting. We will update this story when the final text is published.

If you report under ESRS: Even though the Omnibus reduces mandatory scope, the financial sector, your banks, investors, and insurers, still expects comprehensive sustainability data. Companies that only meet the minimum simplified requirements may face challenges accessing green finance or satisfying due diligence requests from larger clients.

If you're already reporting: Review which activities fall below the 10% threshold, you may be able to exclude a significant portion of your current assessment scope. If you haven't started: This simplification makes first-time Taxonomy reporting considerably more manageable. The threshold applies for reporting periods from 2025 onwards.

Immediate action required: If your organisation uses or deploys AI systems, review them against the Article 5 prohibited practices list now. Violations can result in fines of up to €35M or 7% of global annual turnover. Most business AI tools (productivity, analytics, customer service) are not prohibited, but AI used in recruitment, credit scoring, or affecting individuals in sensitive contexts requires careful review.

If you use gatekeeper platforms: These decisions signal that app stores, search rankings, and advertising systems on major platforms may change to comply with DMA requirements, potentially affecting your distribution and marketing strategies. If you are a gatekeeper platform: The DMA is now actively enforced. Non-compliance carries substantial financial risk.

For any company that transfers personal data outside the EU/EEA: This fine reinforces that transfer mechanisms must be watertight. Standard Contractual Clauses (SCCs) are not sufficient if the destination country's laws prevent the data importer from complying with them in practice. Review your data transfer impact assessments (DTIAs), particularly for transfers to the US, India, and China. Consider data localisation where technically feasible.