Free Tools
Paid Assessments
Learn
Pricing
News
Compliance
Sign in
Regulatory Intelligence

EU Regulatory News

What's changed across CSRD, GDPR, EU AI Act, DMA, and EU Taxonomy, and what it means for your business.

Italian Garante Fines Character.AI €158,000 for Failing to Protect Minors Under GDPR

On 9 July 2026, the Italian data protection authority (Garante) fined Character.AI €158,000 for five GDPR violations relating to the protection of minors: inadequate age verification, no cooling-off period after banning a minor user, minor profiles not set to private by default, a late Data Protection Impact Assessment, and failure to appoint an EU representative under Article 27. The Garante ordered remedial action within 120 days.

What changed

On 9 July 2026 (decision dated 3 July 2026, document reference 10269571), the Garante per la Protezione dei Dati Personali (Italian data protection authority) issued a decision fining Character.AI €158,000 for violations of the GDPR in connection with the processing of personal data of minor users of its conversational AI platform. The Garante found five distinct violations: first, inadequate age verification mechanisms, which allowed minors to access the platform without effective controls commensurate with the risk that the platform's content and interaction model poses to minors; second, the absence of a mandatory cooling-off period following the ban of a minor user, enabling immediate re-registration and circumventing protective account restrictions; third, failure to set minor user profiles to private by default, contrary to the data protection by design and by default obligations under GDPR Article 25; fourth, failure to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35 within the required timeframe, with the assessment completed late; and fifth, failure to appoint an EU representative under GDPR Article 27, which is mandatory for non-EU controllers that process personal data of EU data subjects on a systematic basis. The Garante issued remedial orders alongside the fine, requiring Character.AI to implement effective age verification, introduce a cooling-off period for minor re-registration, set minor profiles to private by default, and bring its EU representation into compliance, all within 120 days of the decision.

The Character.AI fine follows a period of heightened Garante scrutiny of AI conversational platforms; the authority restricted ChatGPT in 2023 and has since investigated multiple generative AI services for compliance with GDPR transparency, data minimisation, and age verification obligations. The five violations reflect a comprehensive theory of GDPR liability for consumer-facing AI platforms: the Garante applied not only the data protection by design and by default requirement of Article 25, but also the Article 27 EU representative requirement, which has historically been under-enforced for smaller non-EU technology companies but is receiving increasing attention from EU supervisory authorities as consumer-facing AI applications scale across the EU. The requirement to maintain a cooling-off period for banned minor users addresses circumvention risk specific to the AI chatbot context; the decision provides useful precedent for how GDPR Article 25 obligations translate into specific technical requirements for age-gated conversational AI services. Controllers offering similar conversational AI services to users in EU member states, in particular services accessible to or used by minors, should treat this decision as a benchmark for the minimum technical and organisational measures the GDPR requires.

What it means for your business

If you operate a consumer-facing AI platform, chatbot, or similar digital service accessible to minors across EU member states: The Garante's Character.AI decision establishes a GDPR compliance benchmark for age-gated AI services. As a minimum, implement effective age verification proportionate to the risk to minors, set minor profiles to private by default (Article 25), introduce a cooling-off period preventing banned minor users from immediately re-registering, and complete a DPIA under GDPR Article 35. If you are a non-EU controller processing personal data of EU data subjects on a systematic basis: The Article 27 EU representative requirement was among the five violations in this decision. Appoint an EU representative in writing, designate them as the point of contact for supervisory authorities, and inform data subjects of the representative's identity in your privacy notice. If you process personal data of minors under GDPR: Article 8 (age of consent for information society services) and Article 25 (data protection by design and by default) are increasingly enforced jointly. Review your age verification approach, default settings for minor users, and DPIA documentation against this decision. Use Verdaio's GDPR Quick Check to map your GDPR obligations.

EDPB Adopts Guidelines on Anonymisation, AI Web Scraping, and Blockchain at July Plenary

At its 122nd plenary on 8 July 2026, the European Data Protection Board (EDPB) adopted two draft sets of guidelines and one final text under GDPR. The drafts cover the legal concept of anonymous data, updated in light of CJEU judgment C-413/23 P, and the GDPR compliance of web scraping for generative AI; both are open for public consultation until 30 October 2026. The Board also adopted the final version of its guidelines on processing personal data through blockchain technologies (EDPB, press release, 8 Jul 2026).

What changed

On 8 July 2026, the European Data Protection Board (EDPB) concluded its 122nd plenary session by adopting three sets of guidelines under the GDPR. First, the Board adopted draft Guidelines on Anonymisation, updating the EDPB's position on the legal concept of anonymous data in light of CJEU judgment C-413/23 P (EDPS v SRB, 4 September 2025) and other relevant case law. The draft guidelines clarify the threshold for data to fall outside GDPR scope as truly anonymous, address risk-based and absolute approaches to anonymisation, and cover common techniques including aggregation, generalisation, and noise addition. Second, the Board adopted draft Guidelines on Web Scraping in the Context of Generative AI, clarifying the GDPR compliance requirements for large-scale automated data extraction from publicly available online sources for AI training purposes. The guidelines set out which legal bases under GDPR Article 6 are available for web scraping operations, address the conditions for processing special categories of personal data under Article 9 where scraping inadvertently collects health, biometric, or similar data, and outline transparency and data subject rights obligations for controllers. Third, the Board adopted the final version of its Guidelines on Processing of Personal Data through Blockchain Technologies, replacing the earlier draft and providing definitive guidance on how GDPR requirements apply to both permissioned and permissionless blockchain architectures. The Board emphasises the importance of conducting Data Protection Impact Assessments before processing personal data through blockchain systems and highlights the particular challenges posed by the immutable nature of ledger entries for GDPR rights including erasure and rectification.

The anonymisation guidelines are expected to raise the practical bar for claims that processed data falls outside the GDPR, with material implications for AI model developers who rely on anonymisation of training datasets. The web scraping guidelines signal that the EDPB does not regard general legitimate interest balancing tests as automatically sufficient legal basis for large-scale scraping for AI training; controllers must document a specific, context-appropriate legal basis for each category of data collected and address data subject notification obligations. The blockchain guidelines, now finalised, are the authoritative EDPB reference for GDPR compliance in decentralised ledger environments; organisations operating blockchain-based systems that process personal data of EU residents should treat the guidelines as directly applicable. The public consultation on the anonymisation and web scraping guidelines closes 30 October 2026, providing an opportunity for industry, researchers, and civil society to comment on the practical thresholds and conditions set out by the Board. The EDPB is also cooperating with the EU AI Office on guidelines addressing the interplay between the AI Act and EU data protection law, the draft of which is expected in the second half of 2026.

What it means for your business

If you train AI models or use web scraping to collect personal data at scale: The EDPB draft guidelines require a documented legal basis under GDPR Article 6 for each web scraping operation. Legitimate interest under Article 6(1)(f) is not automatically available and requires a documented balancing test; special category data under Article 9 requires explicit consent or another qualifying ground. Review your training data sourcing practices against the draft guidelines and consider submitting a consultation response by 30 October 2026. If you rely on anonymisation to take your processing outside GDPR scope: The draft guidelines update the anonymisation threshold in light of CJEU C-413/23 P. Review your anonymisation methodology against the updated standards before the consultation closes on 30 October 2026. If you use blockchain to record or share personal data of EU data subjects: The final blockchain guidelines are now the authoritative EDPB reference. Conduct a DPIA if one is not in place, and implement technical measures, such as off-chain storage, cryptographic deletion, or zero-knowledge proofs, to address the rights to erasure and rectification. Use Verdaio's GDPR Quick Check to map your GDPR obligations.

Commission Launches EU Cybersecurity and AI Action Plan: Four Pillars Under AI Act and NIS2

On 7 July 2026, the European Commission published the EU Action Plan on Cybersecurity and Artificial Intelligence (IP/26/1544), setting out four concrete measures to address the risks and opportunities of advanced AI for cybersecurity. The plan complements the existing legal framework under the AI Act, Cyber Resilience Act, NIS2, DORA, and the Cyber Solidarity Act, and does not introduce new legislation.

What changed

On 7 July 2026, the European Commission published the EU Action Plan on Cybersecurity and Artificial Intelligence (Commission press release IP/26/1544), a non-legislative policy document establishing four pillars for coordinated EU action at the intersection of AI and cybersecurity. The plan operationalises and complements the existing legislative framework, which includes the EU AI Act (Regulation (EU) 2024/1689), the Cyber Resilience Act (Regulation (EU) 2024/2847), the NIS2 Directive (Directive (EU) 2022/2555), the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), and the Cyber Solidarity Act (Regulation (EU) 2024/1252). The four pillars of the action plan are: first, establishing an EU AI model evaluation capacity to strengthen third-party assessment of advanced AI models before EU market placement, supporting the EU AI Office in its enforcement role under the AI Act; second, developing a European blueprint for structured and secure access to advanced AI capabilities for cybersecurity purposes, to be produced jointly by the Commission and ENISA; third, creating a secure testing and simulation platform for AI in cybersecurity, operated jointly by ENISA and the Commission's Joint Research Centre (JRC), with priority access for operators in critical sectors including energy, transport, health, finance, and public administration; and fourth, launching an EU Grand Challenge on AI for Cybersecurity, a competitive initiative to foster innovation in AI-powered cybersecurity solutions by bringing together companies, researchers, and other stakeholders.

The Commission framed the action plan as an implementation measure for existing obligations rather than a source of new legal requirements. Organisations already subject to the AI Act, NIS2, DORA, or the CRA do not face new compliance deadlines from the plan itself. However, the plan has operational significance: the AI model evaluation capacity will inform how the AI Office assesses GPAI model obligations under Chapter V of the AI Act from 2 August 2026; the secure testing platform will be available to critical-sector operators required under NIS2 Article 21 to implement appropriate technical and organisational security measures, which increasingly include measures addressing AI-driven threats; and the EU Grand Challenge may produce reference architectures and practices that national competent authorities incorporate into supervisory expectations under NIS2 and DORA. The plan also signals Commission priority attention on AI-specific cybersecurity risks, including adversarial attacks on AI models, AI-enabled social engineering and phishing at scale, and the use of AI to automate vulnerability discovery and exploitation against critical infrastructure. The European Parliament had included AI and cybersecurity intersection work as a priority in its June 2026 agenda in the days immediately preceding the plan's publication.

What it means for your business

If you develop, provide or deploy AI systems or use AI tools in your operations and are subject to NIS2 or DORA: The Commission action plan confirms that national supervisory authorities and the AI Office will increasingly assess AI-specific cybersecurity risks as part of both AI Act and NIS2/DORA compliance reviews. Under NIS2 Article 21, your risk management measures must address all relevant threats, including AI-enabled attacks. The plan's secure testing platform (ENISA plus JRC) will be available to critical-sector operators; monitor ENISA for access details as the platform is developed. If you are a provider of GPAI models subject to Chapter V of the AI Act: The EU AI model evaluation capacity pillar signals that third-party evaluation practices will evolve rapidly from 2 August 2026 when AI Office enforcement activates. Align your technical documentation and safety evaluations with the GPAI Code of Practice before that date. If you manufacture connected products subject to the CRA: The plan signals increased Commission and ENISA attention to AI-driven vulnerability discovery and exploitation; ensure your vulnerability management and Article 14 incident reporting processes are operational before the 11 September 2026 CRA reporting deadline. Map your AI Act and NIS2 obligations with Verdaio's EU AI Act Assessment and NIS2 Readiness Assessment.

Commission Adopts Revised ESRS, Cutting Total Datapoints by Over 70% Under CSRD Omnibus

On 3 July 2026, the European Commission formally adopted revised European Sustainability Reporting Standards (ESRS) under the CSRD Omnibus package, reducing the total number of mandatory datapoints by more than 70% compared to the 2023 delegated act. The revised ESRS introduce a voluntary-first approach for most sustainability topics, with mandatory disclosure limited to a core set of material matters, and introduce a simplified ESRS set for SMEs subject to CSRD.

What changed

The Commission adopted the revised ESRS on 3 July 2026 as a delegated regulation under Article 29b of Directive 2013/34/EU (the Accounting Directive, as amended by CSRD). The revision follows the CSRD Omnibus proposal published in February 2026 and subsequent technical work by EFRAG. The 2023 ESRS delegated act (Commission Delegated Regulation (EU) 2023/2772) contained 1,144 mandatory and semi-mandatory datapoints across twelve thematic standards (ESRS E1 to E5, ESRS S1 to S4, ESRS G1) and two cross-cutting standards (ESRS 1 and ESRS 2). The revised ESRS reduce the total disclosure burden by more than 70%, restructuring the standards so that the vast majority of datapoints become voluntary or conditional on a materiality assessment finding them to be material. Under the revised framework, ESRS 2 (General Disclosures) retains a mandatory core of entity-level information required regardless of materiality assessment outcome; all thematic standards (environment, social, governance) shift to a mandatory-if-material basis, meaning disclosure is only required where the topic is determined material through the double materiality assessment. The Commission simultaneously adopted a simplified ESRS set for small and medium-sized enterprises in scope of CSRD (listed SMEs and large non-listed entities below the CSRD thresholds that are nonetheless captured by the directive's phased scope). The simplified ESRS set applies from the 2026 financial year for third-wave in-scope companies.

The revised ESRS take effect immediately as a delegated regulation and will govern sustainability reporting for all entities in scope of CSRD from the applicable reporting year. Companies in wave one (large public-interest entities with more than 500 employees) that began reporting under the 2023 ESRS from the 2024 financial year will need to transition to the revised ESRS for their 2025 financial year report, published in 2026. EFRAG is expected to provide transition guidance and mapping documentation between the 2023 and revised ESRS. The CSRD Omnibus also made legislative amendments to Directive 2022/2464/EU (CSRD) itself, including revisions to the in-scope thresholds: from 2028, mandatory CSRD reporting will apply only to companies with more than 1,000 employees and either more than €50 million net turnover or more than €25 million balance sheet total. Companies between 250 and 1,000 employees are no longer automatically in-scope under the revised CSRD thresholds, though listed SMEs remain subject to CSRD with the simplified ESRS set.

What it means for your business

If you are currently in scope of CSRD (a large public-interest entity, large undertaking, or listed SME under Directive 2013/34/EU as amended by CSRD): The revised ESRS reduce your mandatory disclosure burden by more than 70%. Review whether topics you previously assessed as material remain material under the revised framework, and update your double materiality assessment and reporting templates accordingly. For your first report under the revised ESRS, transition guidance from EFRAG is expected in late 2026. If you are a listed SME or a company that will be in scope under the revised CSRD thresholds: The simplified ESRS set adopted simultaneously provides a proportionate reporting framework; begin your gap analysis against the simplified ESRS requirements now. If you are a large company between 250 and 1,000 employees that expected to enter CSRD scope: Review the revised in-scope thresholds (1,000 employees + turnover/balance sheet criteria) to confirm whether you remain subject to CSRD mandatory reporting from 2028. Map your CSRD obligations and run your double materiality assessment with Verdaio's CSRD Readiness Assessment.

Italian Garante 2025 Report: Sanctions Surge 54% to EUR 37.7 Million, AI Takes Centre Stage

The Italian data protection authority (Garante) presented its 2025 Annual Report to the Italian Parliament on 2 July 2026, recording 807 collegial measures, EUR 37.7 million in sanctions (a 54.5% increase year-on-year), and 2,415 data breach notifications. Enforcement actions targeting generative AI were dominant in 2025: the Garante issued a decision limiting DeepSeek's processing of Italian user data, warnings against deepfake platforms including Grok, ChatGPT, and Clothoff, and suspended facial recognition at Milan Linate airport. The authority also sent 65 criminal referrals to judicial bodies in 2025, four times the 16 made in 2024.

What changed

The Garante per la Protezione dei Dati Personali (Italian data protection authority) presented its 2025 annual activity report to the Camera dei Deputati (Italian Chamber of Deputies) on 2 July 2026. The report records 807 collegial measures adopted in 2025, of which 506 were enforcement actions comprising 229 sanctions or corrective measure decisions and 91 formal warnings. Sanctions collected reached EUR 37.7 million, a 54.5% year-on-year increase on the EUR 24.4 million collected in 2024. Data breach notifications received by the Garante totalled 2,415, a 10% annual increase, with 78.7% originating from private-sector entities and 21.3% from public-sector entities. The Garante sent 65 criminal referrals to judicial authorities in 2025, compared to 16 in 2024, covering unauthorised access to computer systems, extortion, and in 54 cases the non-consensual distribution of sexually explicit images (NCII). Presenting the report, Garante President Pasquale Stanzione described artificial intelligence as "the new infrastructure of power," noting the volume and pace of AI-driven data processing as the authority's defining enforcement challenge for 2025 and 2026.

Generative AI and deepfakes were the dominant enforcement themes of 2025. In January 2025, the Garante issued a decision limiting the processing of personal data of Italian users by the Chinese companies operating the DeepSeek conversational AI system, citing non-compliance with GDPR transparency and data subject information obligations and unresolved concerns about transfers to third countries. Investigation activities against the illicit generation of synthetic intimate images resulted in warnings addressed to operators of platforms including Grok, ChatGPT, and Clothoff, calling on service providers to adopt technical and organisational measures consistent with the prohibition on non-consensual intimate image generation. The Garante also suspended the FaceBoarding biometric identification system at Milan Linate airport after finding that biometric data of more than 24,500 passengers had been stored in a centralised database without adequate control mechanisms. For 2026, the Garante's inspection plan targets data processing in public administration databases and the use of new technologies and AI-based systems in both public and private sectors, signalling continued scrutiny of AI deployments, large-scale data collection, and biometric processing across Italy.

What it means for your business

If you process personal data of Italian data subjects, operate an establishment in Italy, or offer goods or services to individuals in Italy: The 2025 Annual Report confirms the Garante is in a phase of significantly expanded enforcement, with sanctions up 54.5% year-on-year and criminal referrals quadrupled. The Garante's 2026 inspection plan targets public-sector databases and new-technology deployments including AI systems; private-sector entities processing personal data with generative AI tools, biometric identification systems, or large-scale data warehouses face elevated inspection risk. If you develop, provide or deploy AI systems that process personal data of Italian users, generate synthetic content, or use biometric data: Review compliance with GDPR Articles 9 (special category data), 5(1)(a)(c)(e) (lawfulness, data minimisation, storage limitation), 13-14 (transparency), and 25 (data protection by design). The Garante's parallel application of GDPR and the EU AI Act prohibition on workplace emotion-inference AI in prior decisions signals that cross-regulatory enforcement is accelerating. Map your GDPR obligations with Verdaio's GDPR Quick Check.

EDPB and AMLA Partner to Develop Joint Guidelines on AML Information Sharing

On 1 July 2026, the European Data Protection Board (EDPB) and the Anti-Money Laundering Authority (AMLA) announced they will develop joint guidelines on how financial entities can share personal data for anti-money laundering purposes while complying with GDPR. The initiative targets Article 75 of the EU AML Regulation, which creates a new information-sharing permission for obligated entities entering into force on 10 July 2027. A public consultation on the draft guidelines is planned for the first half of 2027.

What changed

On 1 July 2026, the EDPB and AMLA published a joint announcement confirming their cooperation to develop guidelines clarifying how the information-sharing provisions of the EU AML Regulation interact with GDPR obligations. Article 75 of the AML Regulation creates a new legal basis for obligated entities (banks, payment institutions, e-money institutions, asset managers, and other AML-obligated financial actors) to share personal data and transaction information with each other and with competent authorities, including financial intelligence units (FIUs), for the purpose of preventing, detecting, and investigating money laundering and terrorist financing. This information-sharing capability enters into application on 10 July 2027. The joint EDPB-AMLA guidelines will address the practical conditions under which such sharing can take place in a manner consistent with GDPR, covering the legal basis for processing, transparency obligations toward data subjects, data subject rights, and technical and organisational safeguards. The EDPB and AMLA announced they will hold a stakeholder event later in 2026 to gather early views on what the guidelines should address, with a public consultation on the draft guidelines planned for the first half of 2027.

The EDPB's involvement in developing these joint guidelines signals that Article 75 AML information sharing will be assessed against all applicable GDPR principles, including purpose limitation, data minimisation, and storage limitation under Article 5 GDPR. Data protection impact assessments (DPIAs) under GDPR Article 35 are likely to be required for large-scale Article 75 information-sharing arrangements, as they involve systematic processing of personal data with heightened risk (financial transaction data and identity data). For entities subject to both GDPR and DORA, cross-entity information sharing for AML purposes also creates ICT third-party risk obligations under DORA Articles 28-44, including classification of information-sharing counterparties in the Register of Information submitted to competent authorities. The AMLA, established as the central EU AML supervisor, will take over direct supervision of certain high-risk obligated entities from national supervisors from July 2027, meaning the joint guidelines will also define the standard expected in AMLA supervisory reviews.

What it means for your business

If you are a financial entity subject to EU AML obligations (banks, credit institutions, payment institutions, e-money institutions, asset managers, virtual asset service providers, or other obligated entities under the AML Regulation): Article 75 information sharing becomes available from 10 July 2027. Monitor the EDPB-AMLA guidelines development: a draft is expected for public consultation in the first half of 2027. Begin reviewing your data governance architecture for AML information-sharing use cases now, and identify whether existing DPIAs need updating when the draft guidelines are published. If you are subject to both GDPR and DORA: Cross-entity AML information sharing creates additional ICT third-party risk obligations under DORA Articles 28-44; identify information-sharing counterparties in your DORA Register of Information. Map your GDPR obligations with Verdaio's GDPR Quick Check.

Council of the EU Formally Adopts Digital Omnibus on AI, Completing the Co-Legislative Process

On 29 June 2026, the Council of the European Union formally adopted the Digital Omnibus on AI legislative package, completing the co-legislative process and clearing the last step before publication in the Official Journal of the EU. The Council's adoption follows the European Parliament's approval on 16 June 2026. Once published, the amendments to the EU AI Act extend the compliance deadline for providers and deployers of high-risk AI systems under Annex III from August 2026 to December 2027, giving affected organisations an additional 16 months.

What changed

The Digital Omnibus on AI amends the EU AI Act (Regulation (EU) 2024/1689) and follows the standard EU co-legislative process: a provisional agreement was reached between the European Parliament and the Council on 7 May 2026, the European Parliament approved the package at plenary on 16 June 2026, and on 29 June 2026 the Council of the EU voted to formally adopt the text. The Council's adoption is the final legislative step; the regulation will be signed by the Presidents of the European Parliament and the Council, published in the Official Journal of the European Union, and enter into force twenty days after publication. The core amendment extends the deadline for Annex III and Annex IV obligations under the EU AI Act from 2 August 2026 to 2 December 2027, giving providers and deployers of high-risk AI systems in the Annex III categories (critical infrastructure, education, employment, essential services, law enforcement, migration management, and the administration of justice) an additional 16 months. The package also permanently bans AI-based nudifier applications that generate synthetic intimate images of identifiable real persons without consent under Article 5 of the AI Act prohibited practices, and introduces a three-month technical implementation grace period for the Article 50 transparency and watermarking obligations.

For organisations that have been planning their EU AI Act compliance on the original August 2026 timeline, the formal Council adoption confirms that the December 2027 extension is now legally certain, pending only signature and Official Journal publication (which typically takes weeks, not months). Providers of general-purpose AI (GPAI) models are not affected by the Annex III extension: the GPAI obligations under Chapter V of the AI Act, including copyright disclosure, technical documentation, and the GPAI Code of Practice process, applied from 2 August 2025 and are unchanged. The Article 50 transparency obligations (disclosure requirements for AI systems interacting with persons) still apply from 2 August 2026; only the technical implementation of compliant watermarking and metadata solutions receives the three-month grace period until 2 December 2026. The prohibited practices ban under Article 5 has been in effect since 2 February 2025 and is unaffected by the Digital Omnibus, except for the new permanent prohibition on nudifier applications. The publication of the Digital Omnibus on AI in the Official Journal will trigger the 20-day countdown to its entry into force and confirm the extended Annex III deadline at 2 December 2027.

What it means for your business

If you develop, provide or deploy AI systems classified as high-risk under Annex III of the EU AI Act (AI systems in critical infrastructure management, education and vocational training, employment and workforce management, access to essential private and public services, law enforcement, migration and border management, or administration of justice): The Annex III compliance deadline is legally confirmed as 2 December 2027 following the Council's formal adoption on 29 June 2026. Use the extension to complete conformity assessments, prepare technical documentation, align with harmonised standards as they are published, and register in the EU database. Do not wait for Official Journal publication to begin: the date is confirmed. If you build or deploy generative AI systems subject to Article 50 transparency obligations: Those obligations apply from 2 August 2026; the technical grace period for compliant watermarking extends to 2 December 2026. If you provide general-purpose AI models: Your Chapter V obligations from August 2025 are unchanged by the Digital Omnibus on AI. Map your EU AI Act obligations with Verdaio's EU AI Act Assessment.

EDPB Launches Contact Form to Report GDPR Interpretation Inconsistencies Across the EU

On 24 June 2026, the European Data Protection Board launched a dedicated contact form allowing any stakeholder to report alleged divergences in how the GDPR is interpreted by national supervisory authorities, either between national positions or between a national position and the EDPB's own published guidance. The form is a Helsinki Statement deliverable designed to help the Board identify where GDPR application is most fragmented across the EU. Submissions are compiled for Board discussion; the EDPB will not respond to individual reports.

What changed

The EDPB contact form was published on 24 June 2026 as part of the Board's implementation of the Helsinki Statement on enhanced clarity, support, and engagement, adopted to address feedback that fragmented national GDPR interpretations create uneven compliance conditions across the EU and EEA. The form allows any stakeholder, including businesses, legal practitioners, civil society organisations, researchers, and individuals, to report specific cases of perceived inconsistency: either a divergence between the positions of two or more national supervisory authorities on a GDPR question, or a divergence between a national supervisory authority's position and published EDPB opinions, guidelines, or decisions. The mechanism covers all areas of GDPR interpretation where national approaches differ, including legal bases for processing (such as legitimate interest under Article 6(1)(f)), consent requirements, data retention limits, breach notification practices, and data transfer mechanisms. The form is not a complaint tool and does not trigger any individual investigation or remedy by the EDPB; the Board has confirmed it will not respond to individual submissions received through the mechanism.

Submissions received via the form will be compiled by the EDPB Secretariat and presented periodically to the Board for review. The Board will then consider whether any of the identified inconsistency areas warrant additional consistency measures, which may include new EDPB guidelines under Article 70(1)(e) of the GDPR, a formal opinion under Article 64 (which the Board can issue at the request of a supervisory authority or on its own initiative), or a binding decision under Article 65 (used to resolve disputes in cross-border cases). The form complements the EDPB's existing consistency toolkit and its broader Helsinki Statement commitments, which also include the common data breach notification template adopted at the Board's June 2026 plenary (open for public consultation until 5 August 2026), the DPIA template published earlier in 2026, and ongoing work on anonymisation guidelines. The EDPB's focus on consistency comes at a time of accelerating GDPR enforcement: cumulative documented fines have passed €7.4 billion, with more than €600 million issued in the first half of 2026. Organisations operating across multiple EU or EEA member states currently face different national approaches to core GDPR concepts, which the EDPB consistency mechanism seeks to reduce over time.

What it means for your business

If you operate across multiple EU or EEA member states and face conflicting GDPR guidance from different national supervisory authorities (for example, divergent positions on legitimate interest assessments, cookie consent requirements, or data retention periods): The EDPB consistency form gives you a direct channel to bring those divergences to the Board's attention. Submissions that document systemic inconsistencies may lead the EDPB to issue clarifying guidelines that benefit your compliance programme across all affected jurisdictions. The form does not produce individual rulings, but flagging a well-documented divergence is a practical step when cross-border inconsistency creates real compliance cost. If you submit a report: include specific regulatory references, the national authority positions involved, and the practical impact, to give the EDPB the structured information it needs to assess whether a consistency action is warranted. Map your GDPR obligations with Verdaio's GDPR Quick Check.

European Parliament Approves Digital Omnibus on AI: High-Risk Deadline Moved to December 2027

On 16 June 2026, the European Parliament voted to approve the Digital Omnibus on AI legislative package, formally adopting amendments to the EU AI Act (Regulation (EU) 2024/1689) that extend the deadline for high-risk AI system obligations under Annexes III and IV. The vote extends the compliance deadline for providers and deployers of high-risk AI systems from August 2026 to December 2027, giving affected organisations an additional 16 months. The package also introduces a permanent ban on AI-based nudifier applications under Article 5 prohibited practices.

What changed

The Digital Omnibus on AI is a legislative amendment package that modifies key transition provisions of the EU AI Act (Regulation (EU) 2024/1689). The AI Act entered into force on 1 August 2024, with prohibited practices applying from 2 February 2025 and obligations for providers of general-purpose AI models applying from 2 August 2025. The original AI Act established 2 August 2026 as the compliance deadline for obligations applying to providers and deployers of high-risk AI systems listed in Annex III (covering AI systems in critical infrastructure, education, employment, essential private and public services, law enforcement, migration management, and the administration of justice) and Annex IV (documentation requirements for high-risk AI systems). The provisional agreement on the Digital Omnibus on AI was reached between the European Parliament and the Council of the EU on 7 May 2026. On 16 June 2026, the European Parliament voted to formally approve the package at plenary. The Council is expected to adopt the text formally in the coming weeks. Once published in the Official Journal of the European Union, the amendments enter into force. The core change in the Digital Omnibus on AI is the extension of the Annex III and Annex IV obligations deadline to 2 December 2027, giving providers and deployers of high-risk AI systems in those categories an additional 16 months beyond the original August 2026 date. The package also permanently bans AI systems that generate synthetic intimate images of identifiable real persons without their consent (nudifier applications) under Article 5 of the AI Act's prohibited practices list.

The Digital Omnibus on AI also includes a three-month grace period for providers and deployers to adopt compliant technical measures for the Article 50 transparency and watermarking obligations, resulting in a transitional deadline of 2 December 2026 for those implementation steps (the underlying Article 50 obligations themselves still apply from 2 August 2026). For providers of general-purpose AI (GPAI) models, the Digital Omnibus on AI does not change the 2 August 2025 application date or the obligations under Chapter V of the AI Act, including the requirements for systematic copyright disclosure, the preparation of technical documentation, and compliance with the GPAI Code of Practice process. The extension of the Annex III high-risk deadline does not alter the prohibited practices ban (Article 5, applied since 2 February 2025), the transparency obligations for AI systems interacting with persons (Article 50, applied from 2 August 2026), or the GPAI obligations (Article 51 onward, applied from 2 August 2025). National market surveillance authorities and the EU AI Office continue to coordinate on the transition, including the publication of standardised conformity assessment templates and technical standards by the European standards bodies (CEN, CENELEC, ETSI) under the AI Act mandate.

What it means for your business

If you develop, provide or deploy AI systems classified as high-risk under Annex III of the EU AI Act (AI systems in critical infrastructure management, education and vocational training, employment and workforce management, access to essential private and public services, law enforcement, migration and border management, or administration of justice): Your compliance deadline for the core Annex III obligations (conformity assessment, technical documentation, registration in the EU AI Act database, transparency requirements for deployers, and post-market monitoring) has been extended to 2 December 2027. Use the additional time to complete a structured readiness assessment, align with the published harmonised standards once available, and prepare your technical documentation and conformity assessment process. If you build or deploy generative AI systems or systems covered by Article 50 transparency obligations: The Article 50 obligations still apply from 2 August 2026; the three-month technical grace period extends implementation of compliant watermarking and metadata solutions to 2 December 2026. If you develop or deploy nudifier applications that generate synthetic intimate images of real persons: These are now permanently prohibited under Article 5 of the AI Act. Map your EU AI Act obligations with Verdaio's EU AI Act Assessment.

EU Cyber Resilience Act Chapter IV Enters Into Force, Reporting Obligations Due 11 September 2026

On 11 June 2026, Chapter IV of the EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into application, requiring EU Member States to have designated notifying authorities for the assessment and notification of conformity assessment bodies for products with digital elements. This milestone marks the start of the CRA's phased rollout: the next deadline is 11 September 2026, when Article 14 mandatory vulnerability and incident reporting obligations apply, requiring manufacturers to submit a 24-hour early warning to ENISA and the relevant national CSIRT for any actively exploited vulnerability. With fewer than 90 days to the Article 14 deadline, manufacturers of connected products sold in the EU must complete preparation for the ENISA Single Reporting Platform.

What changed

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force on 10 December 2024 and sets mandatory cybersecurity requirements for products with digital elements placed on the EU market, covering hardware and software with network connectivity or data-processing functions. The CRA follows a phased application schedule tied to 18, 21 and 36 months after entry into force. Chapter IV, which governs the notification of conformity assessment bodies, applies from 11 June 2026 (the 18-month milestone). Under Chapter IV, EU Member States are required to have designated notifying authorities responsible for establishing and carrying out procedures for the assessment, designation, monitoring and notification of conformity assessment bodies. Conformity assessment bodies are the accredited third-party organisations that certify CRA compliance for manufacturers of Class II products (Annex III items including firewalls, VPNs, operating systems, microprocessors and industrial control systems) and for Class I products where manufacturers cannot demonstrate conformity through internal checks alone.

The most operationally urgent CRA deadline is 11 September 2026, when Article 14 enters into application. Article 14 requires manufacturers of products with digital elements to report actively exploited vulnerabilities and incidents affecting product security to both ENISA and the national CSIRT of the Member State where the manufacturer has its main establishment, via ENISA's Single Reporting Platform (SRP). The reporting process has three stages: an early warning within 24 hours of becoming aware of an actively exploited vulnerability or severe incident; a detailed notification within 72 hours covering the nature and severity of the vulnerability, affected product versions and initial mitigation measures; and a final report within 14 days of a patch or corrective action being available. As of June 2026, ENISA is providing registration instructions, training materials and dry-run support for the SRP, which is expected to be fully operational by 11 September 2026. Non-compliance with Article 14 carries fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. Manufacturers are also required under Article 13 to identify and document vulnerabilities in their products and to apply security updates without undue delay throughout the product's expected service lifetime.

What it means for your business

If you manufacture, develop or place on the EU market hardware or software products with digital elements (IoT devices, routers, firewalls, network equipment, operating systems, security software, industrial control systems, or connected consumer products): The 11 September 2026 Article 14 deadline is now fewer than 90 days away. Complete your ENISA Single Reporting Platform registration during June 2026 while training and dry-run support is available, map your internal vulnerability management and incident response procedures to the 24-hour, 72-hour and 14-day reporting windows, and confirm your main establishment in the EU for CSIRT notification routing. If your product falls within Class II under Annex III of the CRA (firewalls, VPNs, hardware security modules, operating systems, microprocessors, industrial automation systems): Third-party conformity assessment is mandatory. Engage a designated conformity assessment body notified by a Member State under Chapter IV. Check your CRA product classification and prepare your technical documentation with Verdaio's CRA Product Compliance Checker.

ENISA Runs Cyber Europe 2026 Exercise Testing EU Collective Response to Attacks on Rail and Maritime Infrastructure

On 10 June 2026, ENISA launched Cyber Europe 2026, the eighth pan-European cybersecurity exercise, bringing together more than 5,000 experts from EU and EEA Member States to simulate coordinated cyberattacks targeting rail and maritime critical infrastructure. The exercise tested the revised EU Cybersecurity Blueprint for large-scale incident coordination and marked the first activation of the EU Cybersecurity Reserve in a full-scale scenario.

What changed

Cyber Europe 2026 took place on 10 and 11 June 2026 under the organisation of ENISA and brought together more than 5,000 cybersecurity professionals from EU Member States, EEA countries, EU institutions, and private sector operators. The exercise simulated a large-scale coordinated cyberattack scenario targeting two critical infrastructure sectors listed as essential sectors under the NIS2 Directive (Directive (EU) 2022/2555): rail transport (railway networks and operational technology systems) and maritime transport (port logistics, navigation systems, and vessel traffic services). Cyber Europe is the EU's flagship cyber crisis simulation, designed to test the technical and operational crisis management procedures developed under the EU Cybersecurity Blueprint, the overarching framework for the EU's coordinated response to large-scale cybersecurity incidents and crises, revised in June 2025 to align with the evolving threat landscape and NIS2 obligations. The 2026 edition marked the first activation of the EU Cybersecurity Reserve in a full-scale exercise scenario. The EU Cybersecurity Reserve, established under the EU Cyber Solidarity Act (Regulation (EU) 2024/1252), consists of pre-committed incident response services provided by trusted managed security service providers, available to Member States facing significant or large-scale cybersecurity incidents that exceed their national capacities.

The exercise findings, including identified capability gaps, coordination bottlenecks, and response metrics, will be published in an after-action report by ENISA in the second half of 2026. Cyber Europe 2026 focused on the cross-border and cross-sector coordination dimension of the NIS2 Directive, which requires Member States to designate national cybersecurity crisis management authorities and participate in the EU CyCLONe network (Cyber Crisis Liaison Organisation Network) for large-scale incident coordination. For transport-sector operators, the exercise confirmed that port authorities, railway infrastructure managers, vessel traffic service providers, and freight logistics platforms are priority threat targets in national and EU-level incident response planning. The exercise also validated the interaction between the NIS2 single point of contact structure (Articles 8 and 40 of NIS2) and the EU Cybersecurity Blueprint notification chains, confirming that mandatory incident reporting under NIS2 Article 23, the 24-hour early warning obligation, and ongoing threat information sharing via the CSIRTs Network are integral parts of the collective response framework.

What it means for your business

If you operate critical infrastructure in the rail or maritime transport sector (port operators, railway infrastructure managers, vessel traffic services, freight logistics platforms, or passenger rail networks) as an essential entity under NIS2: Cyber Europe 2026 confirms that your sector is a priority target in EU-level threat scenario planning. Review your NIS2 Article 21 security measures, confirm your incident reporting readiness under Article 23 (24-hour early warning to your national CSIRT), and verify that your contacts in the national cybersecurity crisis management authority are current. If you provide services to transport-sector critical infrastructure operators as an important entity under NIS2, or supply operational technology (OT), industrial control systems (ICS) or vessel traffic management software to the transport sector: Supply chain security and OT/IT convergence are central to the NIS2 Article 21 risk management requirements. Check your NIS2 obligations and security controls with Verdaio's NIS2 Compliance Assessment.

EU AI Office Publishes Final Code of Practice on Marking and Labelling of AI-Generated Content

On 10 June 2026, the European Commission's AI Office published the final Code of Practice on the transparency of AI-generated content, developed under Article 50 of the EU AI Act through a multi-stakeholder process with more than 187 participants. The voluntary code sets out practical commitments for providers of generative AI systems to mark synthetic audio, image, video and text outputs in machine-readable formats, and for deployers to label deepfakes and AI-generated text published to inform the public on matters of public interest. The underlying Article 50 transparency obligations apply from 2 August 2026, with a three-month grace period for technical implementation measures until 2 December 2026.

What changed

On 10 June 2026, the European AI Office published the final Code of Practice on the Transparency of AI-Generated Content, completing a multi-stakeholder drafting process launched in September 2025. Six independent experts appointed by the AI Office led three rounds of stakeholder consultations with more than 187 participants from industry, academia, civil society, rightsholders, and EU Member States. The code is structured in two sections addressing distinct obligations under Article 50 of the EU AI Act (Regulation (EU) 2024/1689). Section 1 covers the obligations of providers of generative AI systems under Article 50(2): providers must ensure that audio, image, video and text outputs generated or substantially manipulated by their systems are marked in a machine-readable format allowing detection as artificially generated. The code recommends two primary technical mechanisms: digitally-signed metadata and imperceptible watermarking, implemented in a way that is effective, interoperable, robust, and reliable as far as technically feasible. Section 2 covers the obligations of deployers under Article 50(4): deployers must clearly label deepfakes (AI-generated or manipulated audio, video or images depicting real persons or real places in a way that a person would mistakenly believe to be authentic) and AI-generated or manipulated text published for the purpose of informing the public on matters of public interest, with practical guidance on label design, placement, and presentation including icons and disclaimers.

The Code of Practice is voluntary: it does not create obligations beyond those already contained in Article 50 of the AI Act and does not introduce new requirements or additional administrative burdens. Providers and deployers that sign the code commit to the practical measures it describes as a way to demonstrate compliance with the underlying AI Act obligations. Signatories will be publicly listed in July 2026, ahead of the 2 August 2026 date on which Article 50 transparency obligations apply. The Digital Omnibus on AI provisional agreement of 7 May 2026 included a three-month grace period for providers and deployers to adopt compliant technical solutions (such as watermarking infrastructure), with a transitional deadline of 2 December 2026 for those implementation steps. Separately, the Commission opened a targeted public consultation on draft Article 50 transparency guidelines in May 2026, closed on 3 June 2026; the final guidelines are expected later in 2026 and will clarify the legal scope of Article 50 duties. From 2 August 2026, providers of AI systems designed to interact directly with persons must also ensure users are informed they are communicating with an AI system unless that is obvious from context (Article 50(1)).

What it means for your business

If you build or deploy generative AI systems (text-to-image, voice synthesis, video generation, chatbots, or deepfake tools) that produce or manipulate audio, image, video or text for EU users: Your Article 50(2) marking obligation applies from 2 August 2026. Implement machine-readable metadata or watermarking in your output pipeline before that date; the Code of Practice sets the technical benchmark against which the EU AI Office and national market surveillance authorities will assess compliance. If you have not yet adopted a compliant technical mechanism, the 2 December 2026 transitional deadline applies to those implementation steps. If you operate a platform that publishes AI-generated or AI-manipulated content on matters of public interest (news, political advertising, public information campaigns): The Article 50(4) deepfake and public-interest text labelling obligation applies from 2 August 2026. Review your editorial workflows and label placement against the Code's Section 2 guidance. If you deploy chatbots or virtual assistants that interact directly with users: The Article 50(1) AI disclosure obligation also applies from 2 August 2026. Map your AI Act transparency obligations with Verdaio's EU AI Act Assessment.

EDPB Adopts Common EU Data Breach Notification Template, Opens Consultation Until 5 August 2026

On 10 June 2026, during its June plenary, the European Data Protection Board adopted a common template for data breach notifications to supervisory authorities, designed to harmonise compliance with the 72-hour notification duty under Article 33 of the GDPR. The template provides predefined fields and structured guidance that reduce the administrative burden of breach reporting, particularly for smaller organisations without dedicated data protection officers. The template is open for public consultation until 5 August 2026; following the consultation, the EDPB will determine the timeline for all EU and EEA supervisory authorities to adopt it as their standard notification form.

What changed

On 10 June 2026, the European Data Protection Board (EDPB) held its June plenary, at which it adopted a draft common template for personal data breach notifications to supervisory authorities under Article 33 of the GDPR. Article 33 requires data controllers to notify their competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons. Until now, each national data protection authority in the EU and EEA has operated its own notification form with different fields, formats, and submission channels, requiring organisations with cross-border operations to manage separate national procedures. The EDPB common template introduces a single, harmonised format with predefined fields and guidance covering the information required under Article 33(3) GDPR: the nature of the breach, the categories and approximate number of data subjects and records involved, the likely consequences, and the measures taken or proposed to address the breach.

The adoption follows the EDPB Helsinki Commitments to simplify GDPR compliance and reduce administrative burden, in particular for small and medium-sized enterprises and controllers without dedicated data protection officers. After the public consultation closes on 5 August 2026, the EDPB will decide on the timeline for all EU and EEA supervisory authorities to adopt the template as their standard or reference form, with the aim that organisations eventually face a single notification format regardless of which national authority receives the report. The June 10 plenary also saw the EDPB meet with Commissioner Michael McGrath (Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection), where discussions included the Digital Omnibus proposals and their implications for the GDPR. The template is separate from the existing EDPB Guidelines 09/2022 on personal data breach notification, which remain in force and continue to provide substantive guidance on when notification is required and what constitutes a risk to rights and freedoms.

What it means for your business

If you act as a data controller operating in one or more EU or EEA Member States: The EDPB common breach notification template will, once finalised and adopted by national supervisory authorities, replace each DPA's current notification form with a single harmonised format. Review your incident response playbook now: your internal notification procedures, SIEM runbooks, and outsourced incident response arrangements should be structured around the Article 33(3) mandatory information elements so they can map cleanly onto the new fields when the template enters into force. If you operate across borders and currently maintain separate notification procedures for different national DPA forms: the common template will simplify cross-border breach response materially once it enters into force. Participate in the public consultation (open until 5 August 2026) if your organisation has practical experience with current breach notification forms. Map your GDPR controls and breach response readiness with Verdaio's GDPR Quick Check.

EU Commission Opens Infringement Against Spain Over Excessive Traveller Data Collection

On 4 June 2026, the European Commission sent a letter of formal notice to Spain, opening an infringement procedure (case INFR(2026)4005) over Real Decreto 933/2021, which requires hotels, travel agencies, and car rental companies to collect payment details, GPS coordinates, and other personal data from travellers and transmit them to the national police. The Commission considers the data collection disproportionate and inconsistent with the Law Enforcement Directive (Directive 2016/680, LED), which limits police access to personal data to what is strictly necessary for law-enforcement purposes. Spain has two months to reply before the Commission may escalate to a reasoned opinion and, ultimately, a referral to the Court of Justice of the EU.

What changed

On 4 June 2026, the European Commission announced infringement proceedings against Spain as part of its June 2026 infringement package. The case targets Real Decreto 933/2021, a Spanish royal decree that entered into force in January 2023 and imposes extensive data-collection obligations on accommodation providers (hotels, hostels, holiday rentals), travel agencies, and vehicle rental companies. Under the decree, those businesses must collect a wide range of personal data from travellers — including full payment-card details, national identity or passport number, address, and GPS location data — and transmit it in real time to a national police database. The data is retained for three years and accessible to the Guardia Civil and National Police for public security and crime-prevention purposes.

The Commission's letter of formal notice argues that the data categories mandated by Real Decreto 933/2021 — particularly payment details, GPS coordinates, and the blanket three-year retention period — exceed what is strictly necessary for the law-enforcement objectives the decree purports to serve, in breach of the proportionality and data-minimisation requirements of the Law Enforcement Directive (Directive (EU) 2016/680). The LED governs processing of personal data by competent authorities for criminal law-enforcement and public-security purposes and applies a stricter necessity test than the general GDPR framework. The Commission's action follows years of complaints from the hospitality and travel sector and concerns raised by privacy advocates that the decree's requirements had been designed largely to build a comprehensive state surveillance database of domestic and foreign travellers. Spain has two months from the formal notice to submit observations before the Commission may issue a reasoned opinion, which would be a prerequisite for referral to the Court of Justice of the EU.

What it means for your business

If you operate accommodation, travel, or vehicle rental services that collect guest or traveller data on behalf of police or regulatory mandates in any EU Member State: This infringement case signals that the Commission treats blanket traveller-data mandates as disproportionate under the LED, regardless of national security justifications. Audit the categories and retention periods of traveller data you are required by national law to collect and transmit, and document the LED legal basis and necessity analysis in your ROPA. If you operate in Spain under Real Decreto 933/2021: Monitor developments closely; if the Commission escalates to a reasoned opinion or Court referral, Spain may be required to amend or repeal the decree, which would alter your compliance obligations. Review your data mapping and subject-rights procedures with Verdaio's GDPR Quick Check.

EU Commission Proposes Tech Sovereignty Package: Chips Act 2.0 and Cloud and AI Development Act

On 3 June 2026, the European Commission unveiled the European Technological Sovereignty Package, a set of four linked measures to strengthen EU independence in semiconductors, cloud, and artificial intelligence. The package includes two legislative proposals: the Chips Act 2.0, which aims to accelerate EU semiconductor capacity, and the Cloud and AI Development Act (CADA), which introduces a four-level EU sovereignty framework for cloud and AI services used in sensitive public-sector workloads. The Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy complete the package; all legislative elements must still clear the European Parliament and Council before taking effect.

What changed

On 3 June 2026, the European Commission presented the European Technological Sovereignty Package in a formal communication, accompanied by two legislative proposals. The Chips Act 2.0 proposes measures to accelerate EU semiconductor production capacity, streamline permitting, deepen partnerships with allied nations, and introduce an EU excellence label for semiconductor regions. The Cloud and AI Development Act (CADA) is designed to reduce EU dependence on non-EU hyperscalers, which currently represent approximately 70% of Europe's cloud market. CADA aims to triple EU data centre capacity over five to seven years through streamlined permitting, public investment incentives, and coordination across Member States. The package also includes a non-legislative EU Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy grids.

The CADA introduces a four-level EU sovereignty framework for cloud and AI services used by public bodies. Level 2 requires providers to demonstrate independence from third-country jurisdictions and transparency over their software supply chain; Level 3 requires EU ownership and control, including additional criteria such as personnel citizenship, with the Commission able to recognise qualifying third-country providers by exception; Level 4 requires full software supply-chain transparency and no interference from any third country. Public bodies procuring cloud and AI services for sensitive workloads in healthcare, banking, energy, and justice must conduct sovereignty risk assessments and apply the appropriate CADA level. The Computer and Communications Industry Association raised concerns that the territorial approach risks market fragmentation and disadvantages non-EU providers with established European operations. Both Chips Act 2.0 and CADA are legislative proposals requiring co-decision by the European Parliament and Council before they enter into force.

What it means for your business

If you sell cloud services, SaaS, or AI tools to EU public-sector bodies (central government, health, banking, energy, or justice): CADA introduces formal sovereignty risk assessments into public procurement. Prepare to answer questions about parent-company jurisdiction, third-country data access rights, software supply-chain transparency, and data escrow arrangements. Non-EU-owned providers face structural barriers to Levels 3 and 4 procurement tiers. If you build or deploy AI systems hosted on cloud infrastructure: The CADA sovereignty framework may affect your cloud provider options for regulated public-sector workloads once the act enters into force. Map your infrastructure against the four CADA levels and assess whether current provider arrangements would require renegotiation. Both proposals are early-stage and must pass the full EU legislative process. Map your AI Act obligations with Verdaio's EU AI Act Assessment and your CRA exposure with the CRA Product Compliance Checker.

EU Commission Appoints AI Act Scientific Panel and Advisory Forum to Drive Enforcement

On 2 June 2026, the European Commission appointed two independent bodies to support enforcement of the EU AI Act: a Scientific Panel of 60 independent experts focused on general-purpose AI (GPAI) model risks, and an Advisory Forum of 174 members drawn from academia, civil society, and industry. The Scientific Panel, established under Article 68 of the AI Act, will alert the EU AI Office to systemic risks in GPAI models, advise on model classification and evaluation methodologies, and support cross-border market surveillance. Both bodies serve 2-year renewable mandates, ahead of the Commission's full enforcement powers for GPAI obligations entering into application on 2 August 2026.

What changed

On 2 June 2026, the European Commission published an announcement confirming the appointment of the Scientific Panel and Advisory Forum established under the EU AI Act (Regulation (EU) 2024/1689). The Scientific Panel, governed by Article 68 of the AI Act, brings together 60 world-class independent experts with experience in frontier AI research, engineering, technical auditing, industry, and societal impact. Experts are appointed in a personal capacity for 24-month renewable terms. The panel's mandate covers three areas: alerting the EU AI Office to systemic risks linked to general-purpose AI (GPAI) models and systems, advising on GPAI model classification and evaluation methodologies, and supporting cross-border market surveillance activities for GPAI model providers.

The Advisory Forum, established under Article 67 of the AI Act, brings together 174 members selected from more than 700 applications, drawn from civil society, academia, and industry including small and medium-sized enterprises and startups. The EU Agency for Fundamental Rights (FRA) and the EU Agency for Cybersecurity (ENISA) hold permanent seats on the Advisory Forum, alongside standardisation bodies. The Forum provides technical expertise and stakeholder input to the Commission and the AI Board on AI Act implementation, standardisation, and compliance challenges. Both bodies are operational ahead of the August 2, 2026 milestone, when the Commission's enforcement powers for GPAI model obligations under Chapter V of the AI Act enter into full application. From that date, the AI Office may impose fines of up to 3% of total worldwide annual turnover or €15 million (whichever is higher) on non-compliant GPAI model providers.

What it means for your business

If you provide, deploy, or integrate general-purpose AI models (including large language models, multimodal foundation models, or AI models made available via API) in your products or services: The Scientific Panel now gives the EU AI Office dedicated independent expertise to identify systemic risks in GPAI models, advise on classification, and coordinate cross-border enforcement from 2 August 2026. Review your GPAI model obligations under Articles 53-55 of the AI Act: technical documentation, transparency measures including copyright summaries, cooperation with the AI Office, and systemic risk assessments for high-impact capability models. If your GPAI model was on the market before 2 August 2025, you have until 2 August 2027 to achieve full compliance. If you build or deploy AI systems that use GPAI models as components: your obligations as a deployer depend on whether the downstream use creates a high-risk AI system. Classify your AI system and map your obligations with Verdaio's EU AI Act Assessment.

Italian Garante Warns AI Startup Over Workplace Stress-Detection Plug-in, Citing GDPR and EU AI Act

On 28 May 2026, the Italian data protection authority (the Garante) published a formal warning to Myndoor S.r.l., a Milan-area startup that markets an AI plug-in for Slack and Microsoft Teams that infers employees' psychological stress levels from workplace chat messages. The Garante's decision (Provvedimento n. 342 of 14 May 2026) found that aggregate stress reports of this kind would likely breach the GDPR ban on processing special category data, the Italian employment law limits on employer data collection, and the EU AI Act prohibition on workplace emotion-inference AI systems under Article 5(1)(f). The warning was issued under Article 58(2)(a) of the GDPR and did not impose a financial penalty.

What changed

On 28 May 2026, Italy's Garante per la Protezione dei Dati Personali published a press release detailing a formal warning against Myndoor S.r.l., a Milan-area artificial intelligence startup. The underlying decision (Provvedimento n. 342 of 14 May 2026, document reference 10255494) targets a Myndoor plug-in for Slack and Microsoft Teams that analyses the language and emotional content of workplace chat messages to infer employees' psychological stress levels, and which Myndoor markets to employers in the form of aggregate stress reports. The Garante opened the file after the startup's own product communications drew regulatory attention and assessed the plug-in under both the GDPR and the EU AI Act.

The Garante concluded that even when presented in aggregate form, inferred stress data falls within categories of personal data that employers are forbidden to collect under Italian employment law and within the special category of health-related data under Article 9 of the GDPR. The authority issued a formal warning under Article 58(2)(a) GDPR that placing the plug-in on the market in the way described would likely breach the principles of lawfulness, data minimisation and privacy by design under Articles 5, 6 and 25 of the GDPR. It also identified the practice as falling within the EU AI Act prohibition on workplace emotion-inference AI systems under Article 5(1)(f) of Regulation (EU) 2024/1689. The decision is one of the first European enforcement actions to invoke both the GDPR and the EU AI Act in parallel against a single workplace AI product, and did not impose a financial penalty.

What it means for your business

If you build, deploy or procure AI tools that score employee sentiment, mood, stress or wellbeing from communications data: Review the legal basis for any such product against both Article 9 GDPR (special category data) and the EU AI Act Article 5(1)(f) prohibition on workplace emotion-inference AI. Aggregation, anonymisation labels and "wellbeing" framings will not save a product that infers psychological states from chat or voice data. If you run collaboration suites such as Slack or Microsoft Teams across your workforce: Audit any third-party plug-ins or integrations that perform sentiment, emotion or stress analytics, document the lawful basis and DPIA, and tighten supplier terms before procurement. Map your AI Act exposure with Verdaio's EU AI Act Assessment and your GDPR controls with the GDPR Quick Check.

French CNIL Fines IQVIA €5 Million Over Health Data Warehouse Transparency and Anonymisation Failures

On 26 May 2026, France's data protection authority (the CNIL) imposed a €5 million fine on IQVIA OPERATIONS FRANCE for failures in the operation of two health data warehouses: the LRX warehouse, supplied by data from around 14,000 pharmacies, and the EMR warehouse, supplied by data from several thousand doctors. The CNIL rejected IQVIA's argument that the data was anonymous, finding that the data was only pseudonymous because re-identification was possible by reasonable means, and held that patients had not been properly informed under Articles 14 and 25 of the GDPR. The CNIL also ordered IQVIA to remedy the remaining breaches within six months, subject to a penalty of €10,000 per day of delay.

What changed

On 26 May 2026, the CNIL's restricted committee published a decision against IQVIA OPERATIONS FRANCE, a health data company that operates two large data warehouses: the LRX warehouse (authorised by the CNIL in 2018, supplied with data extracted from around 14,000 pharmacies) and the EMR warehouse (authorised in 2021, supplied with data from several thousand doctors). The CNIL opened the investigation after receiving complaints from individuals and associations following a Cash Investigation report on the use of patient data by IQVIA. Inspections at four Paris pharmacies on the LRX panel in autumn 2021 found that none of them was handing out the patient notice or displaying the general information poster required by the original CNIL authorisation.

The CNIL's restricted committee rejected IQVIA's argument that the data processed in the warehouses was anonymous, concluding that the data was only pseudonymous because re-identification of the data subjects was possible by reasonable means, and that the data therefore remained personal data subject to the GDPR. The committee found that pharmacy management software transmitted customer data to IQVIA even when patients refused, contrary to data-protection-by-design requirements under Article 25, and that patients had not received the information required by Article 14 GDPR because the patient information sheet contained inaccuracies and there was no effective procedure for individuals to exercise their right to object. The committee also found security failings, including the absence of regular analysis of connection logs in both warehouses and the lack of multi-factor authentication for the EMR warehouse, although it noted that IQVIA had remediated several of those issues since the inspections. In addition to the €5 million fine, the CNIL ordered IQVIA to bring the warehouses into compliance within six months, subject to a penalty of €10,000 per day of delay.

What it means for your business

If you operate a data warehouse, research platform or other large-scale processing that you have characterised as anonymous: The CNIL's decision confirms that the GDPR anonymisation threshold is high and the test is whether re-identification remains reasonably possible. Re-assess your anonymisation methodology against the singling-out, linkability and inference criteria of the Article 29 Working Party opinion (WP216), and avoid relying on labels alone. If you collect personal data through pharmacies, doctors, brokers or other intermediaries: Article 14 GDPR transparency duties stay with the controller. You cannot rely on a third party to hand out a notice; you must verify the information actually reaches data subjects and that an effective right to object is available. Tighten your information notices, logging and access controls with Verdaio's GDPR Quick Check.

ENISA Publishes Third NIS360 Report: Six EU Critical Sectors Stay in Cybersecurity Risk Zone

On 28 May 2026, the EU Agency for Cybersecurity (ENISA) published the third edition of its NIS360 report, an annual assessment of cybersecurity maturity and criticality across the high-criticality sectors listed in Annex I of the NIS2 Directive. ENISA finds that electricity, telecoms and banking remain the most mature sectors, supported by strong regulatory oversight, consistent investment and well-established public-private partnerships. Six sectors fall within the risk zone, where cybersecurity maturity lags behind criticality, with progress across the NIS2 perimeter described as improving but uneven.

What changed

On 28 May 2026, ENISA released the third edition of its annual NIS360 report, which assesses the cybersecurity maturity and criticality of all sectors of high criticality identified under Annex I of the NIS2 Directive. NIS360 is designed as a tool for national authorities, policymakers and other stakeholders to compare sectors and prioritise NIS2 investment, supervisory attention and capacity building. ENISA scores sectoral maturity on four pillars: legislation and its effectiveness, companies and their preparedness, authorities and their institutional capacity, and sectoral ecosystem structures and their effectiveness.

ENISA identifies electricity, telecoms and banking as the most mature sectors, citing strong regulatory oversight, consistent investment and well-established public-private partnerships. Six sectors fall within the NIS360 risk zone, meaning their cybersecurity maturity is comparatively lower while their criticality score is higher than their maturity score. Across the broader NIS2 perimeter, ENISA notes that maturity is steadily improving but that progress remains uneven both across and within sectors, reflecting skill shortages, sector-specific characteristics and organisational size.

What it means for your business

If your organisation is registered as an essential or important entity under NIS2: The 2026 NIS360 is the most authoritative public benchmark of where each high-criticality sector stands on cyber maturity, and a signal of where supervisory attention is likely to land first. Compare your governance, risk management, incident response and supply-chain controls against ENISA's four pillars (legislation, company preparedness, authority capacity and ecosystem) and prioritise the gaps that pull your sector's profile down. If you operate in a sector flagged as falling within the risk zone: expect closer scrutiny from your national competent authority during the next supervision cycle and budget for accelerated remediation. Map your NIS2 obligations and identify gaps with Verdaio's NIS2 Readiness Assessment.

NIS2 Cooperation Group Adopts Common EU Templates for Cyber Incident Reporting

On 26 May 2026, during the 39th Plenary meeting in Cyprus, the NIS Cooperation Group (composed of EU Member States, the European Commission and the EU Agency for Cybersecurity, ENISA) adopted common templates for incident reporting under the NIS2 Directive. The templates provide a single, uniform format for reporting cyber incidents across Member States and are positioned as a simplification measure aimed at reducing the administrative burden on essential and important entities. The Commission has signalled that it will adopt the templates through an implementing act so they become mandatory across the Union.

What changed

On 26 May 2026, the NIS Cooperation Group, made up of EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA), agreed on common templates for incident reporting at its 39th Plenary meeting held in Cyprus. NIS2 (Directive 2022/2555) requires essential and important entities to notify their competent authorities or CSIRTs of significant incidents through an early warning within 24 hours, an incident notification within 72 hours and a final report within one month under Article 23. Until now, Member States have been free to design their own reporting forms and fields, and multinational entities had to navigate a patchwork of national templates.

The newly adopted templates set out a clear, harmonised format and common reporting fields for the early warning, the incident notification and the final report stages. The European Commission has indicated that it will adopt the templates through an implementing act, making them mandatory for all Member States, and has framed the work as part of a broader simplification agenda that also feeds into the proposed single entry point for cyber incident reporting under the upcoming Digital Omnibus. The change is intended to lighten the administrative load on companies, while giving authorities a more consistent EU-wide picture of cyber incidents.

What it means for your business

If you are an essential or important entity under NIS2 with operations in more than one Member State: Common templates will materially reduce the cost of complying with the Article 23 reporting clock by replacing parallel national forms with a single EU-wide format. Track the implementing act expected from the Commission, then update your internal incident playbooks, SIEM runbooks and outsourcing contracts so your 24-hour, 72-hour and one-month reports map cleanly onto the new fields. If you are a managed service provider or supplier to NIS2 entities: Expect customers to push the harmonised template requirements down through contractual clauses on incident notification and cooperation. Map your NIS2 obligations and tighten your incident response process with Verdaio's NIS2 Readiness Assessment.

Irish High Court Rejects Meta's Challenge, Clearing Path for DPC €360-€430M GDPR Access Right Fine

On 21 May 2026, the Irish High Court rejected Meta's judicial review challenge to a Data Protection Commission (DPC) draft decision that proposes a fine of €360 to €430 million for failures to give a Facebook user access to all personal data Meta held about him. Justice Siobhan Phelan dismissed Meta's argument that the DPC had unlawfully expanded a 2018 individual complaint into a systemic, EEA-wide inquiry, ruling there had been no impermissible extension and no breach of fair procedures. The DPC's draft signalled infringements of Articles 12, 15 and 20 of the GDPR over Meta's handling of access requests to data held in its internal data warehouse known as Hive.

What changed

On 21 May 2026, Ms Justice Siobhan Phelan of the Irish High Court delivered a 98-page judgment rejecting all grounds of Meta Platforms Ireland's challenge to the Irish Data Protection Commission. The case followed an October 2025 DPC draft decision finding Meta in breach of Articles 12, 15 and 20 of the GDPR over how it handled a 2018 access request from a Facebook user. The user had asked for the personal data Meta held about him beyond what was returned via Meta's standard self-service download tools, and complained that he had not been given access to information stored in an internal data warehouse referred to as Hive. The DPC's draft signalled a reprimand, a compliance order affecting Meta's general data-access practices, and proposed fines of €360 million to €430 million.

Meta argued that the DPC had unlawfully turned a single user complaint into an own-volition inquiry covering systemic, EEA-wide practices, exceeding its powers under the GDPR and the Data Protection Act 2018. Justice Phelan found that contention was not legally sound, ruling that there had been "no impermissible extension of the process from an individual-complaint process to an own-volition process and no breach of rights of fair procedures". With the judicial review dismissed, the DPC can now move to finalise its decision and proposed fine, subject to the cross-border cooperation and consistency procedures with other EEA supervisory authorities under Articles 60 to 65 of the GDPR. Meta has previously indicated it intends to challenge any final decision.

What it means for your business

If you operate any consumer service that handles personal data and receives data subject access requests under GDPR Article 15: The High Court ruling reinforces that regulators can pursue systemic access-right failures and propose substantial fines, even when an inquiry starts from a single complaint. Audit your end-to-end access-request workflow, ensure all categories of personal data (including data held in internal analytics warehouses, logs, and backend tools) are returned in a complete and intelligible form within the one-month deadline of Article 12, and document any restrictions you rely on under Article 15(4). If you are considering challenging a DPC or other EEA preliminary finding: Procedural arguments about the scope of an inquiry are unlikely to defeat findings on the merits where the regulator has identified systemic issues affecting many users. Map your data subject rights process with Verdaio's GDPR Quick Check.

French CNIL 2025 Annual Report: Record €486.8 Million in Fines, AI Act Powers to Expand in 2026

On 19 May 2026, France's data protection authority (the CNIL) published its 2025 annual report. The CNIL recorded 20,150 complaints (a 10% rise on 2024), 6,167 data breach notifications (up 9.5%), 323 investigations and 259 corrective decisions including 83 sanctions totalling €486,839,500. For 2026, the CNIL will dedicate half of its controls and enforcement actions to data security, and confirmed it is already the designated authority for prohibited AI practices under the EU AI Act and is set to be named market surveillance authority for several categories of high-risk AI systems.

What changed

On 19 May 2026, France's Commission nationale de l'informatique et des libertés (CNIL) presented its 2025 annual report, marking another record year for enforcement and complaints. The CNIL received 20,150 complaints in 2025, a 10% increase on 2024, and 6,167 notifications of personal data breaches, up 9.5%. It carried out 323 investigations, issued 259 corrective decisions, and adopted 83 sanctions for a total of €486,839,500, the highest annual fine total in the authority's history. Two sanctions issued on 1 September 2025, both relating to cookies and other trackers, accounted for €475 million of that total.

The CNIL also set out its 2026 priorities. Half of all controls and enforcement actions this year will focus on data security, in response to the continued rise in breach notifications. On artificial intelligence, the CNIL confirmed that it is already the designated national authority to monitor prohibited AI practices under Article 5 of the EU AI Act, and is expected shortly to be designated as the market surveillance authority for several categories of high-risk AI systems, including biometrics, migration, law enforcement, employment and education. The report also covers the CNIL's continued work on its AI regulatory sandbox, where six projects relating to the silver economy were supported during the year.

What it means for your business

If you handle personal data of users in France or sell into the French market: The CNIL's 2025 figures show enforcement intensity is rising on cookies, employee monitoring and data security, the three areas it identifies as driving the bulk of last year's fines. Review your cookie banners, monitor your data-breach response times against the Article 33 72-hour deadline, and audit your security controls against the storage-limitation and security principles of GDPR Articles 5 and 32. If you build, deploy or distribute AI systems used in France: The CNIL is positioning itself as one of the most active EU AI Act regulators and is on track to supervise several Annex III high-risk categories (biometrics, migration, law enforcement, employment, education) once formally designated. Map your AI systems against the prohibited practices in Article 5 and the high-risk categories in Annex III. Run a privacy review with Verdaio's GDPR Quick Check and an AI Act classification check with Verdaio's EU AI Act Assessment.

Italian Garante Fines Ambrosetti €85,000 for Plain-Text Passwords and Late Breach Notification

On 21 May 2026, Italy's data protection authority (the Garante) announced an €85,000 fine against the consultancy The European House - Ambrosetti for security and notification failures exposed by a data breach affecting 61,670 people. The Garante found roughly 36,000 account passwords stored in plain text and around 98,000 hashed with the outdated MD5 algorithm, alongside excessive retention of credentials for systems no longer in use. Although Ambrosetti notified the regulator within the 72-hour deadline, it informed the affected individuals only about two months later, and only after the authority intervened.

What changed

On 21 May 2026, the Italian Garante per la protezione dei dati personali published an enforcement decision fining The European House - Ambrosetti €85,000 following a data breach that exposed the names, email addresses, usernames and passwords of 61,670 people, including staff of client companies and internal users of Ambrosetti's online services. The Garante found that the company had stored about 36,000 passwords in plain text and roughly 98,000 using the MD5 hashing algorithm, not always with a salt, a configuration the authority considered inadequate against the security and integrity requirements of GDPR Articles 5(1)(f) and 32. The authority also found that the company retained credentials for systems that were no longer in use, in breach of the storage-limitation principle of Article 5(1)(e).

The Garante separately examined how Ambrosetti handled communication of the breach. The company notified the authority within the 72-hour window required by Article 33, but it informed the affected individuals only around two months after discovering the incident, and only after the Garante intervened. Ambrosetti argued that disclosure had been complicated by reputational concerns and by the organisation of the Cernobbio Forum, but the authority held that those reasons could not justify the delay or override the rights of the people whose data had been exposed. The Garante concluded that the breach posed a high risk to the rights and freedoms of data subjects, which under Article 34 of the GDPR triggers an obligation to communicate the breach to those individuals without undue delay.

What it means for your business

If you store user credentials or run any service that holds account passwords: Plain-text password storage and weak hashing remain among the clearest security failures a regulator can find. Hash passwords with a modern, salted algorithm, never keep them in readable form, and delete credentials for systems and accounts you no longer use, in line with the storage-limitation principle. If you handle personal data breaches: Notifying the supervisory authority within 72 hours under Article 33 is only half of the obligation. Where a breach poses a high risk to individuals, Article 34 requires you to inform those individuals without undue delay, and commercial or reputational concerns do not pause that clock. Map your breach-response plan and security controls with Verdaio's GDPR Quick Check.

EU Commission Opens Consultation on Draft Guidelines for Classifying High-Risk AI Systems

On 19 May 2026, the European Commission published draft guidelines on the classification of high-risk AI systems under Article 6 of the EU AI Act and opened a targeted public consultation that closes on 23 June 2026. The guidelines explain both routes to high-risk status, the Annex I product-safety route and the Annex III route across eight areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and border control, and justice), and include practical examples of AI systems that should or should not be classified as high-risk.

What changed

On 19 May 2026, the European Commission published its draft guidelines on the classification of high-risk AI systems and opened a targeted consultation on the AI Act Single Information Platform. The guidelines set out the Commission's interpretation of the concepts relevant to Article 6 of the EU AI Act, which defines two routes to high-risk classification. Under Article 6(1), an AI system is high-risk where it is itself a product, or a safety component of a product, covered by the Union harmonisation legislation listed in Annex I (for example medical devices, machinery, toys and lifts). Under Article 6(2), an AI system is high-risk where it falls within one of the eight areas listed in Annex III: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and the administration of justice and democratic processes.

In line with Article 6(5) of the EU AI Act, the guidelines are accompanied by a set of practical examples of AI systems that should or should not be classified as high-risk, giving providers and deployers concrete reference points for borderline cases. The targeted consultation runs until 23 June 2026 (22:00 CET) and is open to AI providers and developers, organisations using AI systems, public authorities, supervisory bodies, researchers, civil society and members of the public. The guidelines are designed to support uniform application and effective enforcement of Article 6 by providers, deployers and market surveillance authorities. They arrive ahead of the high-risk obligations themselves, whose application date for stand-alone Annex III systems was provisionally postponed to 2 December 2027 under the Digital Omnibus on AI agreement.

What it means for your business

If you build, deploy or distribute AI systems and are unsure whether they count as high-risk: These draft guidelines are the most detailed official steer yet on where the high-risk line sits. Map your AI systems against the Annex I product-safety route and the eight Annex III areas, and use the practical examples to test borderline cases such as HR, credit-scoring and biometric tools. If a specific use case is unclear, submit feedback to the consultation before 23 June 2026. Classification is the first step in every AI Act compliance programme: a system classified as high-risk triggers risk management, data governance, logging, transparency and human-oversight obligations. Run a classification check with Verdaio's EU AI Act Assessment.

EU Member States Confirm Digital Omnibus on AI Compromise, Lock 2 December 2027 Annex III Deadline

On 13 May 2026, the Council's Permanent Representatives Committee (Coreper) formally confirmed the 7 May 2026 provisional agreement on the Digital Omnibus on AI. The text fixes the high-risk Annex III application date at 2 December 2027 and the Annex I date at 2 August 2028, shortens the grace period for AI-content transparency solutions to three months (new deadline 2 December 2026), and postpones the deadline for national AI regulatory sandboxes to 2 August 2027.

What changed

On 13 May 2026, Member State ambassadors meeting in the Permanent Representatives Committee (Coreper) confirmed the compromise text on the Digital Omnibus on AI agreed with the European Parliament on 7 May 2026. The Council Presidency was authorised to send a letter to the European Parliament stating that, if Parliament adopts the text at first reading, the Council will approve Parliament's position. The compromise locks the new application dates for high-risk AI systems: 2 December 2027 for stand-alone Annex III systems (employment, education, credit scoring, biometrics, critical infrastructure, law enforcement, migration, justice) and 2 August 2028 for high-risk AI embedded in regulated Annex I products (medical devices, machinery, toys, lifts, watercraft).

The Coreper text also clarifies several technical points beyond the headline deadlines. The grace period for providers to implement watermarking and other transparency solutions for AI-generated content under Article 50(2) is cut from six months to three months, with the new deadline set on 2 December 2026. The deadline for competent national authorities to establish AI regulatory sandboxes under Article 57 is postponed to 2 August 2027. The text also adds a new Article 5 prohibition on AI systems generating non-consensual sexual content ("nudification" tools) and AI-generated child sexual abuse material, extends SME regulatory exemptions to small mid-cap enterprises (up to 500 employees) and broadens the lawful basis for processing sensitive personal data for bias detection and mitigation. Formal adoption by Parliament at first reading is expected before 2 August 2026.

What it means for your business

If you build, deploy or distribute high-risk AI systems or general-purpose AI: The new deadlines (2 December 2027 for Annex III, 2 August 2028 for Annex I) are now locked in by Coreper but are not yet law until Parliament adopts at first reading. Until that adoption, the original 2 August 2026 deadline applies. If you build generative AI consumer products: The reduced three-month grace period means watermarking and content-provenance solutions must be in place by 2 December 2026, three months earlier than the originally proposed six-month grace. Audit your tooling against the new "nudification" and CSAM prohibitions before adoption. Run a classification check with Verdaio's EU AI Act Assessment.

EU Council Adopts Conclusions on Human-Centred AI in Education, Reinforces Teacher AI Literacy

On 11 May 2026, the EU Education, Youth, Culture and Sport Council adopted conclusions calling for an ethical, safe and human-centred approach to artificial intelligence in education. The conclusions ask Member States to strengthen teachers' AI literacy, embrace AI's potential while mitigating bias, misinformation and data-protection risks, and ensure teachers participate in the design and evaluation of AI tools used in classrooms.

What changed

On 11 May 2026, EU education ministers meeting as the Council adopted conclusions on the role of teachers in the era of AI, calling for an ethical, safe and human-centred approach to AI in education. The conclusions ask Member States to boost teachers' AI literacy, promote education-specific AI tools, address digital divides, and safeguard teachers' working conditions and well-being. The Council also argues that teachers should have an opportunity to contribute to the design and evaluation of AI tools, in line with an approach based on "digital humanism" that ensures technology supports human agency and democratic values.

The conclusions explicitly raise concerns about reduced autonomy, over-reliance on technology, and risks relating to bias, misinformation and data protection. The Council notes that AI in education could exacerbate inequalities and digital divides, affect learners' concentration and skill acquisition, and have broader societal and environmental implications. The conclusions reinforce Article 4 of the EU AI Act (the AI literacy obligation), which requires providers and deployers of AI systems to ensure their staff and persons dealing with the operation and use of those systems have a sufficient level of AI literacy. They also align with the classification of AI used in education and vocational training as a "high-risk" use case under Annex III of the EU AI Act.

What it means for your business

If you provide AI systems to schools, universities or vocational training providers, or if you deploy AI in an education or training context: Education ministers are now formally aligned on a human-centred deployment model. Expect Member States to push procurement requirements that include teacher AI-literacy training, transparent evaluation criteria, and bias and misinformation safeguards. The conclusions also reinforce that the Article 4 AI literacy obligation applies to all AI deployers, not just those in high-risk sectors. If you sell AI tools for HR, recruitment, assessment or scoring in an education or training context: Classification as high-risk under Annex III is now coupled with these political conclusions, raising the bar for transparency, human oversight and evaluation. Run a classification check with Verdaio's EU AI Act Assessment and review your training programme with Verdaio's AI Literacy guide.

EU Commission Opens Public Consultation on AI Act Article 50 Transparency Guidelines

On 8 May 2026, the European Commission published draft guidelines on the implementation of the transparency obligations under Article 50 of the EU AI Act and opened a targeted consultation that closes on 3 June 2026. From 2 August 2026, providers must inform users when they interact with an AI system and add machine-readable marks to AI-generated or manipulated audio, image, video and text, while deployers must disclose deepfakes and AI-generated text published to inform the public on matters of public interest.

What changed

The draft guidelines clarify the scope of Article 50 transparency duties for both providers and deployers of AI systems. Providers of AI systems intended to interact directly with people must design them so users are informed they are interacting with an AI system, unless that fact is obvious. Providers of generative AI systems must mark synthetic audio, image, video and text outputs in a machine-readable format that allows detection as artificially generated. Deployers must disclose AI-generated deepfakes and AI-generated text published to inform the public on matters of public interest, and must inform people exposed to emotion recognition or biometric categorisation systems.

The Commission has run the guidelines work in parallel with the Code of Practice on marking and labelling of AI-generated content: the guidelines clarify legal scope and the Code addresses technical implementation. The targeted consultation runs until 3 June 2026 and is open to providers, deployers, businesses, public authorities, academics and citizens. Article 50 obligations apply from 2 August 2026 and were not affected by the 7 May 2026 Digital Omnibus on AI deal, which postponed the high-risk Annex III deadline to 2 December 2027 but left the transparency timeline intact.

What it means for your business

If you build or deploy generative AI, chatbots, deepfake tools, emotion recognition or biometric categorisation systems: The 2 August 2026 transparency deadline still stands. Plan now for chatbot disclosure, machine-readable watermarking of synthetic outputs, and clear deepfake labelling, and submit feedback before 3 June 2026 if your use case needs clarification. Run a classification check with Verdaio's EU AI Act Assessment.

Irish DPC Fines PTSB €277,500 for Voice-Phishing Account Takeover Failures

On 8 May 2026, Ireland's Data Protection Commission concluded its inquiry into Permanent TSB (PTSB) and imposed total fines of €277,500: €250,000 for security and integrity failings under GDPR Articles 5 and 32, plus €27,500 for failing to notify the DPC of personal data breaches within 72 hours under Article 33. The breaches stemmed from voice-phishing attacks against PTSB's "Open24" contact centre in 2022, where attackers posed as customers and changed account details on three occasions, exposing the holders to fraud and financial loss.

What changed

The DPC found that PTSB's call-centre identification controls were not consistently followed in three separate incidents in 2022. Attackers, already in possession of certain customer information, contacted PTSB's "Open24" contact centre and impersonated the legitimate account holders to amend account details and obtain further account information. PTSB had reimbursed the affected customers for the funds taken by external fraudsters, but the DPC concluded that the bank infringed the security and integrity requirements of GDPR Articles 5(1)(f) and 32(1).

The DPC also found a separate breach of Article 33: PTSB failed to notify the regulator without undue delay and within 72 hours of becoming aware of the incidents. The total enforcement is €277,500 (€250,000 for the Article 5 and 32 infringements and €27,500 for the Article 33 infringement) and is accompanied by a formal reprimand. PTSB has acknowledged the outcome and stated that it has improved its processes to reduce the risk of similar incidents.

What it means for your business

If you operate a contact centre or any voice-channel customer service handling personal or financial data: Voice-channel social engineering remains a top regulatory concern. Map your caller-authentication procedures against Articles 5(1)(f) and 32(1), train staff on knowledge-based authentication weaknesses and impersonation indicators, and ensure your incident-response process can detect and notify the supervisory authority within the 72-hour window of Article 33. Run a structured posture check with Verdaio's GDPR Quick Check.

EU AI Act Omnibus Deal Reached: High-Risk Annex III Deadline Postponed to 2 December 2027

On 7 May 2026, the European Parliament and Council reached a provisional political agreement on the Digital Omnibus on AI, postponing the high-risk AI Act obligations originally due on 2 August 2026. Stand-alone Annex III systems now apply from 2 December 2027 and AI embedded in regulated Annex I products from 2 August 2028. The deal also adds a new prohibited practice covering AI "nudification" tools and AI-generated child sexual abuse material.

What changed

After the 28 April 2026 trilogue collapsed without agreement, negotiators returned on 7 May 2026 and closed a provisional deal under the Cypriot Council Presidency. Annex III stand-alone high-risk obligations (employment, education, credit scoring, biometrics, critical infrastructure, law enforcement, migration, justice) are postponed by 16 months, from 2 August 2026 to 2 December 2027. Annex I obligations covering AI embedded in regulated products (medical devices, machinery, toys, lifts, watercraft) are postponed by 24 months, to 2 August 2028. Both deadlines are now fixed dates rather than conditional on harmonised standards being in place.

The deal introduces a new prohibited AI practice under Article 5: AI systems used to generate non-consensual sexually explicit content (so-called "nudification" tools) and child sexual abuse material. Targeted simplifications extend SME regulatory exemptions to small mid-cap companies (SMCs, up to 500 employees), narrow certain technical documentation requirements, and broaden the lawful basis for processing sensitive personal data for bias detection and mitigation. The provisional agreement still requires formal adoption by both co-legislators before 2 August 2026 to take effect; until that adoption, the original 2 August 2026 deadline remains the legal baseline.

What it means for your business

If you build, deploy or distribute high-risk AI systems (HR, education, credit scoring, biometrics, AI in regulated products) or general-purpose AI: Plan for a 2 December 2027 (Annex III) or 2 August 2028 (Annex I) deadline, but do not stop compliance work. Formal adoption is still pending and the original 2 August 2026 deadline applies until both co-legislators sign off. The extra time is best used to mature risk management, data governance and human-oversight controls, not to delay them. If you build generative AI consumer products: Audit your tooling against the new "nudification" and CSAM prohibitions before the deal is adopted. Run a classification check with Verdaio's EU AI Act Assessment.

EU Commission Opens Public Consultation on Revised ESRS, Closes 3 June 2026

On 6 May 2026, the European Commission opened a one-month "Have Your Say" public consultation on the draft revised European Sustainability Reporting Standards (ESRS) and on a separate voluntary standard for smaller companies. The consultations close on 3 June 2026, with adoption planned for Q2 2026.

What changed

The draft revised ESRS reduce mandatory datapoints by over 60% and total datapoints by over 70%, are shorter and clearer, introduce new flexibilities, and simplify the materiality assessment used to determine what must be reported. The Commission estimates these changes will reduce reporting costs per company by more than 30%. The revised standards build largely on technical advice provided by EFRAG in December 2025.

Undertakings within the scope of the Corporate Sustainability Reporting Directive (CSRD) must use the revised ESRS for financial years beginning on or after 1 January 2027. However, undertakings subject to the CSRD for financial year 2026 may choose to apply the revised ESRS for that financial year instead of the existing ESRS. The voluntary standard introduces a "value chain cap": CSRD in-scope companies cannot require value-chain partners with 1,000 employees or fewer to provide information beyond the voluntary standard, unless those partners choose to provide it.

What it means for your business

If you are an undertaking in scope of the CSRD (1,000+ employees, €450M+ turnover): Review the draft revised ESRS now, especially the materiality assessment changes and reduced datapoint set, and decide whether to apply the revised standards early for FY 2026 or wait for FY 2027. Submit feedback before 3 June 2026 if you have specific concerns. If you are a smaller company in a CSRD value chain: The voluntary standard plus the value chain cap limits what your large clients can require from you on sustainability data. Run a gap-check with Verdaio's ESRS Gap Analysis.

European Parliament Calls for Stronger DMA Enforcement, Criticises 'Modest' Fines on Apple and Meta

On 30 April 2026, the European Parliament adopted a resolution (P10_TA(2026)0160) urging the Commission to use all enforcement tools under the Digital Markets Act and to conclude pending non-compliance proceedings without undue delay. MEPs called the €500M Apple and €200M Meta fines 'modest' and warned that pressure from third countries should not weaken EU enforcement.

What changed

In its resolution adopted by show of hands on 30 April 2026, the European Parliament called on the Commission to make full use of all DMA enforcement instruments: regulatory dialogue, market investigations, non-compliance proceedings, inspections, interim measures, fines and periodic penalty payments. MEPs regretted the 'modest' fines imposed on Apple (€500M) and Meta (€200M) in April 2025 and stressed that effective and proportionate fines are essential to ensure deterrence. The resolution focuses on the practical effect of DMA rules on competition, market access and user choice, rather than on formal compliance alone.

Parliament urged the Commission to prioritise enforcement of interoperability, data access, anti-steering and anti-self-preferencing obligations, and called for closer scrutiny of AI-driven search and assistant tools, including Google AI Overviews, Gemini, Apple Siri, Meta WhatsApp AI, Amazon Rufus and Microsoft Copilot. Although the resolution does not name third countries directly, MEPs warned that external pressure must not compromise the EU's sovereignty to enforce its own digital rules. The vote follows the Commission's first DMA review report (28 April 2026), which concluded that the DMA remains fit for purpose.

What it means for your business

If you operate or distribute services on a designated gatekeeper platform (App Store, Google Play, Amazon Marketplace, Facebook, Instagram, TikTok, Search, Booking.com): Expect the Commission to accelerate ongoing non-compliance proceedings and to focus on practical effects (real choice, real interoperability) rather than formal box-ticking. Plan for higher fines on repeat or continued non-compliance, and for closer scrutiny of AI-driven search and assistant tools when integrated with gatekeeper services. Track DMA developments and align your distribution, advertising and consent flows accordingly.

Irish Supreme Court Upholds Stay on €530M TikTok GDPR Fine and Data Transfer Orders

On 30 April 2026, Ireland's Supreme Court unanimously dismissed the Data Protection Commission's appeal in the TikTok case, leaving the High Court stay on the DPC's €530M fine and EEA-to-China data transfer orders in place during the substantive appeal. Justice Hogan held that the legal test for staying a regulator's decision is a matter of national procedural law and does not undermine the full effectiveness of EU data protection law.

What changed

In May 2025 the Irish DPC fined TikTok Technology Limited €530M and ordered it to bring its EEA-to-China transfers into compliance within six months, finding that TikTok had failed to verify the effectiveness of supplementary measures and Standard Contractual Clauses under Article 46(1) GDPR. TikTok appealed to the High Court, which granted a stay on the corrective orders pending the substantive ruling, citing the limited and temporary risk to consumers against the difficulty of quantifying the harm to TikTok from immediate enforcement. The DPC then appealed the stay itself to the Supreme Court.

On 30 April 2026, a five-judge Supreme Court led by Justice Hogan unanimously dismissed the DPC's appeal. The Court held that the test for staying a regulatory decision belongs to national procedural law, not EU law, and that applying the Irish stay test does not undermine the full effectiveness of GDPR enforcement. The €530M fine remains formally imposed but unenforced; the corrective orders to suspend the EEA-to-China transfers are paused. The substantive High Court appeal continues at pace.

What it means for your business

If you operate cross-border data transfers (especially to non-adequacy jurisdictions) or rely on Standard Contractual Clauses with supplementary measures: the DPC decision still stands as the EU benchmark on what 'essentially equivalent protection' under Article 46(1) GDPR requires. The stay only freezes enforcement while the Irish courts review the underlying decision; it does not weaken the substantive compliance obligation. Audit your transfer impact assessments, supplementary measures, and onward-access controls. Run a structured check with Verdaio's GDPR Quick Check.

Italian Garante: Hotels and B&Bs Cannot Retain Copies of Guest ID Documents After Police Reporting

On 29 April 2026, the Italian Garante issued a clarifying note to industry trade associations confirming that hotels, B&Bs, and short-term rentals cannot retain photocopies or digital images of guests' identity documents beyond the time strictly necessary to transmit the data to public security authorities. Once the Alloggiati Web reporting is complete, any document copies must be deleted or destroyed; only the automated transmission receipt may be kept (for up to five years as proof of compliance).

What changed

Italian public security law requires accommodation operators to identify guests and transmit their data to police authorities through the "Alloggiati Web" portal. The Garante's note clarifies that this legal obligation does not authorise hotels, B&Bs, or short-term rental operators to retain photocopies, scans, or smartphone images of identity documents. The Authority issued the note in response to a rise in data breaches and complaints, including the practice of receiving documents via WhatsApp or other messaging apps, which exposes guests to identity theft and unauthorised access risks.

Once data transmission to public security authorities is complete, any copy of an identity document acquired for that purpose must be immediately deleted or destroyed. The only record accommodation providers may retain is the automated receipt produced by the Alloggiati Web portal, kept for up to five years to evidence the reporting obligation. The Garante also reminds operators that, as GDPR data controllers, they must adopt adequate security measures, properly train staff handling guest data, and notify the Authority within 72 hours of any personal data breach (and, where appropriate, inform affected individuals).

What it means for your business

If you operate a hotel, B&B, or short-term rental in Italy (or process Italian guest data from abroad): Audit your check-in workflow now. Stop photographing or storing identity documents after the Alloggiati Web reporting; keep only the transmission receipt. Review your retention policy, train front-desk staff on the new guidance, and ensure your booking and PMS systems do not preserve ID images by default. Run a gap-check with Verdaio's GDPR Quick Check.

AI Omnibus Trilogue Collapses: 2 August 2026 High-Risk AI Act Deadline Stays in Force

The 28 April 2026 political trilogue on the Digital Omnibus on AI ended without agreement after roughly 12 hours of negotiations, with the conformity assessment architecture for AI in regulated products (Annex I) the unresolved sticking point. A follow-up trilogue is scheduled for around 13 May 2026; until and unless agreement is reached, the EU AI Act's 2 August 2026 high-risk obligations remain legally in force.

What changed

The European Parliament, Council, and Commission entered the second political trilogue on the Digital Omnibus on AI on 28 April 2026, aiming to postpone the high-risk compliance deadline (originally 2 August 2026) and integrate AI Act obligations more closely with sectoral product safety law. After approximately 12 hours of negotiations the talks broke down on Annex I, where the European Parliament pushed to move sectoral legislation (machinery, medical devices, in-vitro diagnostics) from Section A (combined AI Act and sectoral assessment) to Section B for primarily sectoral handling. The Council declined to move and the single disagreement was sufficient to block the entire package.

A follow-up political trilogue is scheduled for around 13 May 2026. The Cypriot Council Presidency is expected to attempt closure before its term ends on 30 June 2026, after which the Lithuanian Presidency would take over. With no agreed Omnibus, the original AI Act timetable stands: providers and deployers of high-risk AI systems remain on the hook for the 2 August 2026 obligations under Articles 9-15: risk management, data governance, technical documentation, logging, transparency, human oversight, and accuracy and robustness.

What it means for your business

If you build, deploy or distribute high-risk AI systems (particularly in HR, education, credit scoring, biometrics, or AI embedded in regulated products): Plan as if the 2 August 2026 deadline will hold. Trilogue uncertainty is not a basis for delaying compliance work. Even if a postponement is later agreed, an early start protects you from a compressed timeline. Run a classification check with Verdaio's EU AI Act Assessment.

Commission and EDPB Launch Joint Guidance on the Interplay Between EU Competition Law and the GDPR

On 28 April 2026, the European Commission's competition services and the European Data Protection Board announced joint work on guidance clarifying how EU competition law and the GDPR interact. The initiative builds on the prior DMA-GDPR joint guidelines and will inform a remote stakeholder event on 29 June 2026.

What changed

Commission services and the EDPB will jointly develop guidance on situations where data protection law is relevant for competition law assessment, and conversely where competition considerations matter for data protection. According to the announcement, the guidance is expected to address dominant digital platforms, access to user data, data portability, online advertising, contractual conditions linked to data use, and digital ecosystems. The work formalises a coordination model already piloted through the joint DMA-GDPR guidelines.

The EDPB has invited stakeholders to a remote event on 29 June 2026 to inform the upcoming guidelines, with a call for expressions of interest to follow in the coming weeks. The announcement signals continued integration of GDPR analysis into EU competition enforcement, particularly for gatekeepers and platforms whose business models rely on personal data. Companies operating across both regimes (large platforms, ad-tech, marketplaces and data brokers) should expect more cross-regulatory scrutiny.

What it means for your business

If you operate a digital platform, ad-tech product, or any service whose terms condition access on data use: Expect EU competition authorities to assess your data-handling practices through a GDPR lens, and the EDPB to factor competition outcomes into its guidance. Review the alignment of your privacy notices, consent flows and data-portability mechanisms with both frameworks. Run a gap-check with Verdaio's GDPR Quick Check.

Italian Garante Adopts Guidelines on Tracking Pixels in Email: Consent Mandatory, 6 Months to Comply

The Italian Garante adopted Guidelines on the use of tracking pixels in email communications on 17 April 2026, confirming that pixel tracking falls under Article 122 of the Italian Privacy Code and, in ordinary cases, requires prior, free, specific and informed consent. Senders and email platform providers have six months from publication in the Official Gazette to comply.

What changed

Tracking pixels are minimal-size images, typically invisible to the recipient, inserted into email messages to detect opens, clicks and device or behavioural signals. The Garante's Guidelines classify them as "instruments of access and storage of information" under Article 122 of the Italian Privacy Code (the national transposition of the ePrivacy Directive) and require prior, free, specific, informed and unambiguous consent before any tracking pixel is activated. Controllers must provide clear, transparent information, easy and granular consent-revocation mechanisms, and privacy-by-design and privacy-by-default measures such as non-intelligible identifiers separated from the email address.

The Guidelines apply broadly to information-society service providers, email service providers, managers of bulk-email sending platforms and any entity using tracking pixels in electronic communications. Limited consent exemptions cover cybersecurity (anti-phishing, fraud prevention), aggregated anonymous statistics that cannot identify recipients, and strictly necessary institutional or service communications. The Garante grants operators six months from publication in the Official Gazette to bring their systems into compliance.

What it means for your business

If you run email marketing, transactional emails or newsletters targeting Italian recipients: Review every pixel, open-tracker and click-tracker in your ESP or CRM stack, map each to a specific legal basis, and align your consent flows and privacy notices with the Guidelines. Revisit data-minimisation controls (pseudonymous IDs, short retention) and document the exemption you rely on where no consent is collected. Run a gap-check with Verdaio's GDPR Quick Check.

Italian Garante Fines Poste Italiane and Postepay €12.5M for Unlawful App Data Monitoring

Italy's data protection authority (Garante) imposed fines totalling over €12.5 million on Poste Italiane (€6.624M) and Postepay (€5.877M) for the BancoPosta and Postepay mobile apps' unlawful monitoring of users' device data. Users were required to authorise access to installed applications as a mandatory condition of service.

What changed

The Garante ruled that the BancoPosta and Postepay mobile apps' mandatory authorisation to monitor installed applications and running processes on users' devices was excessively invasive and not strictly necessary for fraud prevention. The investigation followed complaints received by the Authority from April 2024. Additional violations found include inadequate user information, absence of a proper Data Protection Impact Assessment, failure to adopt adequate security and retention measures, and irregularities in the designation of data controllers and processors.

Poste Italiane has announced it will appeal to the Rome Court, arguing that access to device data complied with PSD2 and had been recognised by Banca d'Italia as a legitimate fraud-prevention measure. The total €12.5M enforcement action is one of the largest Italian GDPR fines issued in 2026 and continues the Garante's focus on mobile-app privacy following prior decisions against banking and payment apps.

What it means for your business

If you run a mobile app that reads device state (installed apps, running processes, device fingerprinting): The Garante's decision sets a clear precedent that mandatory, all-or-nothing authorisations to access device data are disproportionate, even for fraud prevention. Review data minimisation, user-information flows, DPIA coverage, and security/retention controls for your mobile apps. Run a gap-check with Verdaio's GDPR Quick Check.

EDPB Plenary: Scientific Research Guidelines Adopted, Europrivacy Seal Approved for Transfers

At its 16 April 2026 plenary, the European Data Protection Board adopted Guidelines 1/2026 on processing personal data for scientific research and, for the first time, approved a European Data Protection Seal (Europrivacy) as a valid Article 46 tool for international data transfers.

What changed

Guidelines 1/2026 clarify the boundaries of the GDPR "scientific research" concept. The EDPB sets six indicative factors for identifying research processing (methodical approach, ethical standards, verifiability, autonomy, research objective, and contribution to knowledge) and explains how data subject rights, including the right to erasure and the right to object, can be limited under Article 89 GDPR. The Board also covers appropriate technical and organisational safeguards, including pseudonymisation, anonymisation, secure processing environments, and ethical oversight. The Guidelines are open for public consultation until 25 June 2026. A separate EDPB "sprint team" was created to finalise the long-pending Guidelines on anonymisation by summer.

The Board also adopted Opinion 15/2026 recognising the Europrivacy certification criteria as a European Data Protection Seal under Articles 42 and 46(2)(f) GDPR. This is the first time a certification mechanism has been approved at EU level as a valid tool for transfers. Data importers outside the EU/EEA who are not subject to the GDPR can now apply for Europrivacy certification and rely on it, together with binding and enforceable commitments, to receive personal data from EU controllers.

What it means for your business

If you process personal data for research: Start mapping your activities against the six indicative factors and review how you document consent, safeguards and the limits on data subject rights. If you transfer personal data outside the EU/EEA: Certification is now a practical alternative to Standard Contractual Clauses and BCRs, useful where providers are reluctant to sign SCCs, or where the destination jurisdiction creates uncertainty. Review your GDPR posture and see whether certification-based transfers fit your vendor stack.

Italian Garante: "FaceBoarding" Facial Recognition at Milan Linate Violates GDPR

The Italian Garante declared the "FaceBoarding" facial-recognition boarding system at Milan Linate airport, operated by SEA, unlawful, ordering a definitive stop to biometric processing. The decision aligns with the EDPB's 2025 opinion on airport facial recognition and targets missing encryption, excessive retention, and non-consensual data capture.

What changed

The Authority found that SEA, the Milan Linate airport operator, processed passengers' biometric data (facial templates) without a valid legal basis, failed to encrypt stored biometric models, retained templates for up to 12 months (an excessive period), and provided inaccurate information to data subjects. The system also captured facial images of passengers who had not opted into FaceBoarding but used hybrid boarding gates, processing their biometric data without consent.

The decision confirms a provisional limitation measure adopted in September 2025 and is explicitly aligned with the EDPB's 2025 opinion on facial recognition in airports, which concluded that passenger convenience does not justify default biometric processing. FaceBoarding is the first high-profile Italian application of the EDPB opinion and reinforces EU-wide expectations for airport biometrics: encryption of templates, minimised retention, explicit opt-in, and genuine non-biometric alternatives.

What it means for your business

If you deploy biometric systems (facial recognition, fingerprint) for access, authentication, or customer experience: Biometric processing in public or semi-public spaces must satisfy strict necessity, encryption, and retention standards, even with consent. Review the Article 9 GDPR legal basis, technical safeguards, and whether you offer a real non-biometric alternative. Biometric systems may also trigger EU AI Act obligations. Check your posture with Verdaio's GDPR Quick Check and EU AI Act Assessment.

EDPB Adopts Harmonised DPIA Template: Public Consultation Open Until 9 June 2026

The European Data Protection Board adopted a harmonised Data Protection Impact Assessment template to help controllers structure, harmonise and evidence their DPIA reporting across the EU. It is the first EU-level DPIA template and is open for public consultation until 9 June 2026.

What changed

Delivering on the EDPB's Helsinki Statement commitment to simplify GDPR compliance, the Board adopted a common DPIA template covering all core Article 35 elements: description of processing and its purposes, necessity and proportionality assessment, risks to data subjects, and mitigating measures. The template is accompanied by an explainer document breaking down key concepts in plain language and addressing common questions from controllers.

Use of the template is not mandatory, but organisations that use it will benefit from predefined fields that prompt complete, structured responses and evidence of accountability. After the public consultation closes on 9 June 2026, national supervisory authorities will take steps to adopt the template either as their sole standard or as a meta-template to which existing national-specific templates will align.

What it means for your business

If you conduct DPIAs: This is the first time the EU has offered a single, consistent DPIA format that will be recognised across Member States. Multinational controllers benefit most, one template, one structure, accepted by every DPA. Action: Review your current DPIA methodology against the draft template, submit feedback before 9 June if relevant, and plan to migrate existing DPIAs once national DPAs formally adopt it. Run a gap-check with Verdaio's GDPR Quick Check.

NIS2 Compliance Deadline: October 2026: First Audits Due by June

Companies in scope of the NIS2 Directive have until October 2026 to achieve full compliance. The first audit deadline has been set for 30 June 2026, and Member States must identify critical entities by 17 July 2026.

What changed

The NIS2 Directive (2022/2555) significantly expanded the scope of EU cybersecurity obligations from the original NIS Directive. It covers medium and large organisations in 18 sectors including energy, transport, banking, health, digital infrastructure, and ICT service management. Companies must implement risk management measures, incident reporting procedures, supply chain security assessments, and business continuity plans.

The first compliance audit deadline was originally set for 31 December 2025 but has been moved to 30 June 2026. By 17 July 2026, each Member State must formally identify the critical entities in their jurisdiction. Penalties for non-compliance include fines of up to €10M or 2% of global turnover for essential entities, and €7M or 1.4% for important entities. Senior management can be held personally liable.

What it means for your business

If you operate in any of the 18 NIS2 sectors: The compliance deadline is now less than 6 months away. Start with a gap assessment to understand your current posture, particularly around incident reporting (72-hour notification requirement), supply chain risk management, and board-level accountability. Not sure if NIS2 applies to you? Run the free NIS2 Readiness Assessment.

CSRD Omnibus Now Law: Scope Cut by 80%, Only 1,000+ Employee Companies In

The EU's Omnibus I simplification package raises the CSRD reporting threshold to companies with 1,000+ employees and €450M+ in turnover, removing roughly 80% of previously in-scope businesses. Listed SMEs are fully exempt.

What changed

The Omnibus I Directive has raised the CSRD applicability threshold from the original 250-employee threshold to 1,000 employees and €450 million in net turnover. The law also removes listed SMEs from mandatory scope entirely, they will only report on a voluntary basis using a simplified VSME standard.

The wave 2 deadline (financial year 2025, reporting in 2026) and wave 3 deadline (FY 2026) are both postponed by two years. Wave 1 companies (those already reporting for FY 2024) are not affected. The Omnibus I Directive was published in the EU Official Journal on 26 February 2026 and entered into force on 19 March 2026. These changes are now binding law.

What it means for your business

If you have under 1,000 employees: You are likely out of mandatory scope under the new threshold. However, large customers and financial institutions may still require CSRD-aligned disclosures through their own value chain reporting. If you have 1,000+ employees: Mandatory reporting continues, the core ESRS standards remain unchanged. Use the delay to strengthen your data collection processes.

AI Act High-Risk Deadline: Extension to December 2027 in Final Negotiations

The EU Digital Omnibus proposes extending the compliance deadline for high-risk AI systems from August 2026 to December 2027. Trilogue negotiations are underway with political agreement expected by late April 2026. Until formally adopted, August 2, 2026 remains the legal deadline.

What changed

The EU Digital Omnibus package proposes extending the deadline for high-risk AI system compliance under the EU AI Act. The original Article 6 Annex III deadline is August 2, 2026. The proposal would push this to December 2027 for stand-alone high-risk systems, and to August 2028 for high-risk AI embedded in regulated products (medical devices, machinery). Trilogue negotiations between the European Parliament and Council started on 26 March 2026, with political agreement expected by 28 April 2026.

The proposed extension covers obligations under Articles 9-15 of the AI Act: risk management systems, data governance, technical documentation, logging, transparency, human oversight, and accuracy/robustness requirements. The prohibited practices ban (effective February 2025) and GPAI model obligations (effective August 2025) are not affected. The Omnibus also proposes adding a new prohibited practice: AI systems generating non-consensual intimate imagery.

What it means for your business

If you deploy high-risk AI: The extension is very likely to pass, but it is not yet law. The responsible approach is to prepare for the August 2026 deadline while expecting the relief. If adopted as expected, you will have until December 2027 for Annex III systems. Use the time to build compliant processes rather than waiting. We will update this story when the final text is published.

ECB, EBA and ESMA Warn: ESRS Simplifications Risk Undermining Data Quality

Four EU financial regulators published joint opinions warning that the Omnibus reliefs and permanent exemptions in the revised ESRS could significantly reduce the availability of decision-useful sustainability data.

What changed

In February 2026, the European Central Bank (ECB), European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) published their opinions on the revised European Sustainability Reporting Standards. All four regulators share a core concern: the cumulative effect of permanent reliefs, phase-ins, and exemptions risks undermining the availability of key quantitative data that financial institutions need for risk assessment and lending decisions.

The regulators also highlighted that several reliefs go beyond, or deviate from, the IFRS/ISSB framework, creating interoperability gaps between EU and international sustainability reporting standards. This matters for companies with global investors or operations, who may need to report under both frameworks.

What it means for your business

If you report under ESRS: Even though the Omnibus reduces mandatory scope, the financial sector, your banks, investors, and insurers, still expects comprehensive sustainability data. Companies that only meet the minimum simplified requirements may face challenges accessing green finance or satisfying due diligence requests from larger clients.

EU Taxonomy Reporting Simplified: 10% Materiality Threshold Introduced

A new EU delegated act introduces a 10% materiality threshold for Taxonomy reporting, significantly reducing the number of activities companies must assess and disclose.

What changed

The European Commission adopted a new delegated act amending the EU Taxonomy Disclosures Delegated Regulation. The key change is a 10% materiality threshold: companies no longer need to assess and report on Taxonomy alignment for activities that represent less than 10% of their total revenue, capital expenditure (CapEx), or operating expenditure (OpEx).

The delegated act also introduces simplifications to the "Do No Significant Harm" (DNSH) assessment, reduces the number of mandatory data points, and provides clearer guidance on how to handle activities that span multiple NACE codes.

What it means for your business

If you're already reporting: Review which activities fall below the 10% threshold, you may be able to exclude a significant portion of your current assessment scope. If you haven't started: This simplification makes first-time Taxonomy reporting considerably more manageable. The threshold applies for reporting periods from 2025 onwards.

EU AI Act: Prohibited AI Practices Are Now Enforceable

From 2 February 2025, the EU AI Act's ban on unacceptable-risk AI systems became legally enforceable across all Member States. Systems that manipulate users, exploit vulnerabilities, or enable social scoring are now prohibited by law.

What changed

Article 5 of the EU AI Act, listing AI systems with unacceptable risk, became enforceable on 2 February 2025, six months after the regulation entered into force. This includes absolute prohibitions on: AI systems that use subliminal techniques to influence behaviour, systems that exploit vulnerabilities of specific groups, real-time biometric identification in public spaces (with narrow exceptions), social scoring by public authorities, and AI used to infer emotions in workplaces and schools.

Member States were required to designate national market surveillance authorities and notify the European AI Office by this date. The AI Office, established within the European Commission, oversees enforcement for general-purpose AI models. National authorities handle enforcement for other AI systems.

What it means for your business

Immediate action required: If your organisation uses or deploys AI systems, review them against the Article 5 prohibited practices list now. Violations can result in fines of up to €35M or 7% of global annual turnover. Most business AI tools (productivity, analytics, customer service) are not prohibited, but AI used in recruitment, credit scoring, or affecting individuals in sensitive contexts requires careful review.

First DMA Penalties: Apple Fined €500M, Meta €200M

The European Commission issued its first-ever Digital Markets Act enforcement decisions, fining Apple €500M and Meta €200M for failing to comply with their DMA obligations as designated gatekeepers.

What changed

On 23 April 2025, the European Commission issued its first enforcement decisions under the Digital Markets Act (DMA). Apple was fined €500M for its App Store practices, specifically for not allowing app developers to freely direct users to alternative purchasing options outside the App Store. Meta was fined €200M for its "pay or consent" advertising model on Facebook and Instagram, which the Commission found did not give users a genuine free alternative to data-based advertising.

Both companies were also ordered to remedy their non-compliant practices within 60 days. The DMA targets large digital platforms designated as "gatekeepers", currently Apple, Alphabet, Meta, Amazon, Microsoft, ByteDance, and Booking.com. The fines can reach up to 10% of global annual turnover (20% for repeat infringements) and up to 5% of average daily worldwide turnover per day for non-compliance with interim measures.

What it means for your business

If you use gatekeeper platforms: These decisions signal that app stores, search rankings, and advertising systems on major platforms may change to comply with DMA requirements, potentially affecting your distribution and marketing strategies. If you are a gatekeeper platform: The DMA is now actively enforced. Non-compliance carries substantial financial risk.

GDPR Enforcement Record: TikTok Fined €530M for Sending EU Data to China

Ireland's Data Protection Commission fined TikTok €530M, the third largest GDPR fine on record, for transferring EU users' personal data to China without adequate legal safeguards under Chapter V of the GDPR.

What changed

The Irish Data Protection Commission (DPC) concluded a multi-year investigation into TikTok's international data transfers, finding that TikTok had transferred EU/EEA user data to its parent company ByteDance in China without meeting the strict adequacy requirements of GDPR Chapter V. The €530M fine consists of €485M for the transfer violations and €45M for a transparency infringement regarding TikTok's privacy policy.

This is the third largest GDPR fine ever issued, behind Meta's €1.2B fine (2023) and Amazon's €746M fine (2021). TikTok was also ordered to bring its data processing into compliance within six months. More than 360 GDPR fines were issued across Europe in 2025, with total enforcement reaching a record high.

What it means for your business

For any company that transfers personal data outside the EU/EEA: This fine reinforces that transfer mechanisms must be watertight. Standard Contractual Clauses (SCCs) are not sufficient if the destination country's laws prevent the data importer from complying with them in practice. Review your data transfer impact assessments (DTIAs), particularly for transfers to the US, India, and China. Consider data localisation where technically feasible.