On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The final package of amendments reflects a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes.
Continue Reading EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions
EU Sets the Clock on Age Verification: Rollout Urged by End‑2026
The European Commission has set a clear timeline for rolling out age verification across the EU:
- by June 30, 2026, Member States are encouraged to submit implementation plans; and
- by December 31, 2026, at least one EU‑compliant age verification solution should be available in each Member State.
This timeline, set
Continue Reading EU Sets the Clock on Age Verification: Rollout Urged by End‑2026Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice Transcription
On April 20, 2026, the Spanish Data Protection Agency (AEPD) has published new guidance on how to comply with the GDPR when using AI‑powered voice transcription tools. The guidance builds on earlier AEPD guidance on this topic from January 2026. This blog post sets out the key takeaways of both guidance documents, which are only available in Spanish.
The AEPD’s guidance confirms a risk‑based approach to AI‑powered voice transcription. Organizations using these tools should not treat transcription as a purely technical feature, but as a processing activity that requires continuous governance, clear transparency, and proactive safeguards. Given the widespread and growing use of transcription tools across business functions, this guidance is likely to be relevant well beyond Spain.
Continue Reading Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice TranscriptionNew EDPB Guidelines on the Use of Personal Data in Scientific Research
On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.
Continue Reading New EDPB Guidelines on the Use of Personal Data in Scientific ResearchSpanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR Compliance
In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog
Continue Reading Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR ComplianceEU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws
On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.
The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.
Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.
Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data LawsWhat to Watch in 2026: Key EU Privacy & Cybersecurity Developments
As 2026 gets underway, the European Union enters a pivotal year for data protection, AI governance, and cybersecurity regulation, among other matters. EU institutions and national authorities are expected to progress a number of significant digital‑policy files, roll‑out new cyber‑resilience obligations, and make transparency in the privacy space a top priority. Below is an overview of the key developments to monitor.
Continue Reading What to Watch in 2026: Key EU Privacy & Cybersecurity DevelopmentsEuropean Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms
On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the
Continue Reading European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification ReformsEuropean Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2
On 20 January 2026, the European Commission published a proposal to amend the Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.
The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.
With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.
Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.
Continue Reading European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers
On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.
The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.
Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers