Newsroom
Regulatory change, translated for privacy teams
Follow updates on GDPR, AI governance, cybersecurity, PECR and enforcement activity, with practical notes on what privacy teams should review next.
For the maintained reference page, see EU AI Act Ireland: 2026 timeline and Article 50 guide.
Irish High Court Upholds TikTok's €530 Million Fine Over Transfers to China
The Irish High Court has upheld the Data Protection Commission's €530 million fine against TikTok over the transfer of EEA user data to China and related transparency failures, confirming one of the largest GDPR penalties on record while allowing a narrow appeal on the size of the fine to proceed.
Novo Nordisk Breach Exposes Clinical Trial and Healthcare Professional Data
Novo Nordisk has disclosed a security incident in which attackers copied personal data from internal systems, including pseudonymised clinical trial data covering biomarkers and lifestyle factors, and directly identifying information about healthcare professionals - a breach that illustrates the layered sensitivity of health-sector data.
Klue Supply-Chain Attack Exposes Salesforce Data Through Stolen OAuth Tokens
A compromise of market intelligence platform Klue allowed attackers to steal OAuth tokens connecting customer Salesforce environments, exposing business data across numerous organisations including Tanium, Gong, Huntress, and LastPass - a textbook SaaS supply-chain attack built on a forgotten legacy credential.
European Parliament Advances Digital Omnibus on AI, Confirming Deadline Extensions
The European Parliament has adopted its position on the Digital Omnibus on AI, moving the package that extends the AI Act's high-risk deadlines and streamlines its rules closer to final adoption - following the political agreement reached with the Council in May.
Regulatory calendar
What’s on the horizon
- 1 month to go
EU AI Act - Article 50 transparency obligations
Transparency obligations begin applying in August 2026. Many high-risk obligations follow later timelines depending on system category and implementation measures.
- 4 months to go
NIS2 — DORA interplay review
European Commission NIS2/DORA review window opens for financial-entity carve-outs.
- 7 months to go
AI Act — Art. 6 list review
Commission review of the Annex III high-risk AI use-case list, with potential additions for workplace monitoring.
- 13 months to go
AI Act — General-purpose AI
Transparency, copyright, and systemic-risk obligations for GPAI providers take full effect.
- 17 months to go
UK DPDI Act — Phase 2 commencement
Second commencement order expected to activate ICO guidance regime and automated decision-making rules.
- 2.1 yrs to go
EU AI Act — All remaining provisions
Final tranche: existing high-risk AI systems placed on the market before 2026 must come into conformity.