Newsroom

Regulatory change, translated for privacy teams

Follow updates on GDPR, AI governance, cybersecurity, PECR and enforcement activity, with practical notes on what privacy teams should review next.

62 articles | 5 topics | Updated 25 June 2026

AI & Privacy
Commission Extends Consultation on High-Risk AI Classification Guidelines
The European Commission has extended the consultation on its draft guidelines for classifying high-risk AI systems to 23 July 2026, giving organisations more time to engage with guidance that clarifies how to determine whether an AI system falls within the AI Act's high-risk category under Article 6.
EU | Advisory | 2 min read

AI & Privacy
AI Transparency Code of Practice Published Ahead of August Deadline
The European AI Office has published the final Code of Practice on Transparency of AI-Generated Content, giving providers and deployers a practical compliance pathway ahead of the Article 50 transparency obligations that apply from 2 August 2026. Initial signatories must submit their forms by 22 July.
EU | Action required | 2 min read

Cybersecurity
Council of Europe Breach Exposes Scale of PeopleSoft Zero-Day Campaign
ShinyHunters claims to have stolen more than 297GB of data — over 429,000 files including 409,000 payslips — from the Council of Europe, exploiting an Oracle PeopleSoft zero-day that has been used to compromise more than 100 organisations across Europe and the United States.
Global | Background | 3 min read

GDPR Enforcement
ICO Fines South Staffordshire Water £963,900 Over Critical Infrastructure Breach
The ICO has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a phishing-led cyberattack left an attacker undetected on the network for 20 months and exposed the personal data of 633,887 people — a decision that signals tougher scrutiny of cybersecurity failures at critical infrastructure operators.
EU, UK | Action required | 2 min read

Cybersecurity
NIS2 Cooperation Group Adopts Common Incident Reporting Templates
The NIS Cooperation Group has adopted common templates for cybersecurity incident reporting under the NIS2 Directive, establishing a uniform format across member states. The Commission intends to make the templates mandatory through an implementing act, reducing the administrative burden of cross-border reporting.
EU | Action required | 2 min read

GDPR Enforcement
AEPD Closes Amadeus Case After €14.4 Million Traveller Profiling Settlement
Spain's AEPD has closed its case against Amadeus IT Group after the travel technology company paid €14.4 million to settle a fine over a pilot that profiled travellers using booking data without a lawful basis or adequate transparency — a decision the travel sector is reading as a warning on the reuse of passenger data.
US | Action required | 3 min read

Policy & Guidance
European Commission Proposes Cloud and AI Development Act to Strengthen Digital Sovereignty
The European Commission has formally proposed the Cloud and AI Development Act (CADA), introducing a four-tier cloud sovereignty framework, plans to triple EU data centre capacity, and new requirements for how public institutions procure cloud and AI services.
EU | Advisory | 2 min read

Cybersecurity
Netherlands Seizes 800 Servers and Arrests Two for Enabling Russian-Linked Cyberattacks
Dutch authorities have seized 800 servers and arrested two men for operating bulletproof hosting infrastructure used by Russia-linked actors to conduct cyberattacks, influence operations, and disinformation campaigns across the European Union.
Global | Action required | 2 min read

Policy & Guidance
UK Complaints Procedure Deadline Arrives: What Organisations Must Have in Place by 19 June
From 19 June 2026, all UK data controllers must have a formal data protection complaints procedure in place under the Data (Use and Access) Act 2025, requiring 30-day acknowledgment, investigation without undue delay, and a mandatory pre-escalation step before individuals can complain to the ICO.
EU, UK | Action required | 2 min read

Policy & Guidance
E-Evidence Regulation Takes Effect in August, Enabling Direct Cross-Border Data Requests
From 18 August 2026, the EU's E-Evidence Regulation will allow law enforcement authorities to request electronic data - including content data - directly from service providers in other member states, with a standard ten-day production deadline and an eight-hour window in urgent cases.
EU | Action required | 2 min read

Policy & Guidance
Digital Omnibus Proposes Sweeping GDPR Changes: Longer Breach Deadlines, Simplified ROPA, and Single-Click Consent
The European Commission's Digital Omnibus proposal would raise the breach notification threshold to high risk only, extend the reporting deadline from 72 to 96 hours, simplify records of processing for SMEs, and introduce single-click consent mechanisms - the most significant set of proposed changes to the GDPR since its adoption.
EU, US | Action required | 2 min read

Cybersecurity
ENISA NIS360 Report Identifies Seven Critical Sectors in the Cybersecurity Risk Zone
The third annual ENISA NIS360 assessment reveals that while cybersecurity maturity is improving across EU critical sectors, seven sectors - including health, public administration, and water - remain in a risk zone where their importance to society exceeds their cyber readiness.
EU | Background | 2 min read

Policy & Guidance
EDPB Adopts First Harmonized DPIA Template to Standardise Assessments Across Europe
The European Data Protection Board has published the first EU-wide harmonized template for Data Protection Impact Assessments, aiming to replace the patchwork of national formats and bring consistency to one of the GDPR's most important compliance tools.
EU | Advisory | 2 min read

GDPR Enforcement
GDPR Fines Surge Nearly 400% in Q1 2026 as France and UK Drive Enforcement
European data protection authorities imposed €68.18 million in GDPR fines in the first quarter of 2026 - nearly five times the €13.8 million recorded in Q1 2025 - with France and the United Kingdom accounting for 94% of the total.
EU, UK | Action required | 2 min read

AI & Privacy
AI Act Transparency Code of Practice Due for Finalisation Ahead of August Deadline
The European Commission is finalising the Code of Practice on marking and labelling AI-generated content, with Article 50 transparency obligations - including deepfake disclosure and machine-readable content marking - taking effect on 2 August 2026.
EU | Action required | 2 min read

GDPR Enforcement
CNIL Fines IQVIA €5 Million Over Health Data Warehouse Failures
France's CNIL has fined IQVIA Operations France €5 million for failing to comply with the conditions of its authorised health data warehouses, including deficiencies in patient information, rights management, and data security - with a €10,000 daily penalty for non-compliance within six months.
EU | Action required | 2 min read

Regulatory calendar

What’s on the horizon

  1. 1 month to go
    EU | 2 Aug 2026

    EU AI Act - Article 50 transparency obligations

    Transparency obligations begin applying in August 2026. Many high-risk obligations follow later timelines depending on system category and implementation measures.

  2. 4 months to go
    EU | 18 Oct 2026

    NIS2 — DORA interplay review

    European Commission NIS2/DORA review window opens for financial-entity carve-outs.

  3. 7 months to go
    EU | 1 Feb 2027

    AI Act — Art. 6 list review

    Commission review of the Annex III high-risk AI use-case list, with potential additions for workplace monitoring.

  4. 13 months to go
    EU | 2 Aug 2027

    AI Act — General-purpose AI

    Transparency, copyright, and systemic-risk obligations for GPAI providers take full effect.

  5. 17 months to go
    UK | 29 Nov 2027

    UK DPDI Act — Phase 2 commencement

    Second commencement order expected to activate ICO guidance regime and automated decision-making rules.

  6. 2.1 yrs to go
    EU | 2 Aug 2028

    EU AI Act — All remaining provisions

    Final tranche: existing high-risk AI systems placed on the market before 2026 must come into conformity.

Turn regulatory updates into workflow action

Use Acompli to review affected assessments, records, risks and suppliers when the regulatory landscape changes.