In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog
Continue Reading Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR Compliance
EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws
On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.
The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.
Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.
Continue Reading EU Regulators Issue Opinion on Revisions of GDPR and Other Data LawsWhat to Watch in 2026: Key EU Privacy & Cybersecurity Developments
As 2026 gets underway, the European Union enters a pivotal year for data protection, AI governance, and cybersecurity regulation, among other matters. EU institutions and national authorities are expected to progress a number of significant digital‑policy files, roll‑out new cyber‑resilience obligations, and make transparency in the privacy space a top priority. Below is an overview of the key developments to monitor.
Continue Reading What to Watch in 2026: Key EU Privacy & Cybersecurity DevelopmentsEuropean Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms
On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the
Continue Reading European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification ReformsEuropean Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2
On 20 January 2026, the European Commission published a proposal to amend the Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.
The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.
With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.
Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.
Continue Reading European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers
On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.
The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.
Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to ManufacturersFrench CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm
On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.
The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.
Continue Reading French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech FirmSpain Issues Guidance Under the EU AI Act
In December 2025, the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) published a set of detailed guidance documents and templates aimed at helping providers and deployers of high-risk AI systems under the EU AI Act comply with the relevant requirements of the law. The materials are also available in English.
Continue Reading Spain Issues Guidance Under the EU AI ActHelp Shape the Future of EU Product Compliance: Participate in the Public Consultations
On November 12, 2025, the European Commission launched two public consultations that could significantly reshape EU product compliance rules. To participate, stakeholders – including businesses, consumer groups, and industry associations – are invited to complete the Commission’s online questionnaires, available until February 4, 2026.
Continue Reading Help Shape the Future of EU Product Compliance: Participate in the Public ConsultationsEuropean Commission Announces 2030 Consumer Policy Strategy
On November 19, 2025, the European Commission unveiled its 2030 Consumer Agenda, setting out priorities for EU consumer policy over the next five years. Below is an overview of the six key measures most relevant to industry.
Continue Reading European Commission Announces 2030 Consumer Policy Strategy