Newsroom

Privacy news, enforcement updates, and AI policy insight

The latest GDPR enforcement developments, data protection regulation, and cybersecurity signals for privacy teams.

32 articles

AI & Privacy · GDPR Enforcement · Cybersecurity · GDPR Policy

Regulatory calendar

What’s on the horizon

  1. 3 months to go
    EU · 2 Aug 2026

    EU AI Act — High-risk obligations

    General application date; high-risk AI systems must meet conformity, risk management, and registration obligations.

  2. 5 months to go
    EU · 18 Oct 2026

    NIS2 — DORA interplay review

    European Commission NIS2/DORA review window opens for financial-entity carve-outs.

  3. 9 months to go
    EU · 1 Feb 2027

    AI Act — Art. 6 list review

    Commission review of the Annex III high-risk AI use-case list, with potential additions for workplace monitoring.

  4. 15 months to go
    EU · 2 Aug 2027

    AI Act — General-purpose AI

    Transparency, copyright, and systemic-risk obligations for GPAI providers take full effect.

  5. 18 months to go
    UK · 29 Nov 2027

    UK DPDI Act — Phase 2 commencement

    Second commencement order expected to activate ICO guidance regime and automated decision-making rules.

  6. 2.2 yrs to go
    EU · 2 Aug 2028

    EU AI Act — All remaining provisions

    Final tranche: existing high-risk AI systems placed on the market before 2026 must come into conformity.

AI & Privacy
Agentic AI Poses New Governance Challenge Under EU AI Act
As agentic AI systems capable of autonomous multi-step decision-making become more widespread, organisations face a growing governance gap that the EU AI Act’s framework was not originally designed to address.
EU · Background

GDPR Enforcement
CNIL Targets Session Replay Tools with Draft Recommendation
France’s CNIL has published a draft recommendation on session replay tools and opened a public consultation closing 22 April 2026, setting out strict requirements for consent, data minimisation, and masking.
EU · Action required

AI & Privacy
Only 8 of 27 EU States Ready for AI Act August Deadline
With the EU AI Act’s general application date of 2 August 2026 approaching, only 8 of the EU’s 27 member states have designated national enforcement contacts, raising questions about consistent implementation.
EU · Action required

GDPR Enforcement
EDPB Launches Coordinated Enforcement on GDPR Transparency
The European Data Protection Board has launched its 2026 Coordinated Enforcement Framework action, with 25 DPAs across Europe assessing controller compliance with transparency and information obligations under the GDPR.
EU · Action required

AI & Privacy
Council Agrees AI Omnibus: Deadlines Pushed to 2027
The Council of the EU has agreed its negotiating position on a proposal to streamline certain rules on artificial intelligence, extending high-risk AI deadlines by up to 24 months.
EU · Action required

AI & Privacy
Article 50 Transparency on Track for August 2026
The European Commission has published a second draft Code of Practice on marking and labelling AI-generated content, supporting Article 50 transparency obligations.
EU · Advisory

GDPR Enforcement
ICO Fines Reddit £14.47m Over Children’s Data
The UK ICO has fined Reddit £14.47 million after finding serious failings in how the platform handled children’s personal information.
EU, UK · Action required

GDPR Enforcement
ICO Fines Imgur £248k for Children’s Privacy
The ICO has fined MediaLab.AI, owner of Imgur, £247,590 for failures relating to children’s personal information including lack of age assurance and missing DPIA.
EU, UK · Action required

Cybersecurity
CNIL Fines Free Mobile €42m for Data Breach
France’s CNIL has issued fines of €27 million and €15 million against Free Mobile and Free respectively, citing inadequate security measures for subscriber data.
EU · Action required

International Transfers
EDPB Processor BCR Consultation Closes
The EDPB’s public consultation on Processor BCR recommendations has closed, addressing the application route for approval and expected documentation elements.
EU · Advisory

AI & Privacy
Ireland Publishes EU AI Act Guidance for 2026
Ireland’s Department of Enterprise has published updated guidance on the EU AI Act, including key commencement milestones and an overview of phased obligations.
EU, IE · Advisory

EU Digital Policy
EDPB and EDPS Warn on Digital Omnibus Proposal
The EDPB and EDPS have adopted Joint Opinion 2/2026 on the Digital Omnibus proposal, supporting simplification but stressing that changes must not weaken fundamental rights protections.
EU, US · Advisory

GDPR Fines
Europe’s GDPR Fines Hold at €1.2bn
Europe’s privacy regulators continued to levy penalties at scale in 2025, with total GDPR fines reaching approximately €1.2bn.
Global · Action required

GDPR Enforcement
Ireland as a Key GDPR Hub: Cross-Border Cases
Ireland continues to sit at the centre of European GDPR enforcement, largely because many major technology companies have their European headquarters there.
EU, IE · Action required

GDPR Policy
Helsinki Statement: GDPR Compliance for SMEs
The European Data Protection Board adopted a landmark statement aimed at improving GDPR usability for micro, small and medium organisations.
EU · Background

GDPR Guidance
EDPB Challenges Forced Accounts in Online Shopping
The EDPB has opened a public consultation on when e-commerce websites can lawfully require users to create accounts before purchasing goods or services.
EU · Advisory

International Transfers
Processor BCRs: EDPB Opens Consultation
The EDPB has launched a public consultation on Recommendations 1/2026, focused on the approval process and required elements for Processor Binding Corporate Rules.
EU · Advisory

International Transfers
EDPB Standardises the Route for Ad-Hoc Clauses and New SCCs
The EDPB published a procedure document setting out how supervisory authorities should cooperate when authorising ad-hoc contractual clauses and new SCCs.
EU · Background

GDPR Fines
TikTok’s €530m GDPR Fine: China Transfers
Ireland’s Data Protection Commission issued a decision fining TikTok €530 million and ordering corrective measures following an inquiry into transfers to China.
Global · Action required

GDPR Fines
Reading the Fines: Why the GDPR Enforcement Tracker is Becoming a Boardroom Input
The CMS GDPR Enforcement Tracker is becoming a key input for risk discussions, offering a practical lens on what regulators are prioritising.
Global · Action required

AI & Privacy
Regulators Push Back on AI Simplification: Joint Opinion Warns Against Weakening Rights
The EDPB and EDPS have adopted a Joint Opinion on the European Commission’s proposal to simplify AI rules, warning that simplification must not lower protection.
EU · Advisory

EU Digital Policy
The EU Digital Omnibus Debate: Easier Rules or a Rollback of Protections?
The European Commission’s “Digital Omnibus” proposal aims to streamline rules, but critics warn of specific delays to high-risk AI requirements.
EU, US · Advisory

Cybersecurity
EU Cybersecurity Package: Strengthening Resilience
The European Commission proposed a new cybersecurity package to strengthen EU resilience, explicitly referencing amendments affecting the NIS2 framework.
EU · Background

Cybersecurity
High-Risk Supplier Exclusions Under Cybersecurity Act
The EU is planning to phase out components from high-risk suppliers in critical infrastructure as part of a proposed revision of the Cybersecurity Act.
Global · Background

Cybersecurity
Cybersecurity Act Review: EU Certification Expands
The European Parliamentary Research Service has outlined the evolution of cybersecurity certification, aiming for schemes recognised across Member States.
EU · Background

Cybersecurity
Ireland’s NCSC Publishes Draft NIS2 Risk Management Measures
Ireland’s National Cyber Security Centre published draft Risk Management Measures guidance intended to support implementation of NIS2 requirements.
EU, IE · Advisory

Cybersecurity
Irish Legal Update: NIS2 Guidance Signals a Wider Net and More Reporting
The Law Society Gazette reported on the NCSC’s guidance, noting the anticipated scope expansion and practical need for organisations to check if they are in scope.
EU, IE · Advisory

Cybersecurity
Ransomware Hits the Irish Ombudsman: A Public-Sector Wake-Up Call
A ransomware attack against Ireland’s Office of the Ombudsman caused major disruption, locking investigators out of key systems.
IE · Background
