On 20 January 2026, the European Commission published a proposal to amend the Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.

The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.

With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.

Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.Continue Reading European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2

On January 8, 2026, the California Privacy Protection Agency (“CalPrivacy”) announced an enforcement action against Rickenbacher Data LLC (d/b/a “Datamasters”), an information reseller, for failing to register as a data broker under the California Delete Act.  Datamasters agreed to pay a $45,000 administrative fine, among other remedial measures.  In November, CalPrivacy launched a Data Broker Enforcement Strike Force within its enforcement division to investigate violations of the law in the data broker industry, which builds upon a 2024 investigative sweep into data broker compliance.Continue Reading CalPrivacy Announces $45,000 Fine Against Data Broker for Delete Act Violations

On November 12, 2025, UNESCO’S General Conference adopted its Recommendation on the Ethics of Neurotechnology (“the Recommendation”)–the first attempt at establishing a global legal framework for the ethical development and use of neurotechnology. The Recommendation aims to set out a comprehensive rights-based framework for the entire life cycle of neurotechnology, from the design of neurotechnology products and services to their disposal.

While not legally-binding, the Recommendation states that its provisions should be considered by, among others, UNESCO Member States, research organizations, and private companies involved in neurotechnology, and that they establish how best to honor fundamental human rights in the development, deployment and disposal of this technology. It is therefore possible that in the future, they may be a starting point for binding legislation, or could be used as persuasive authority to support enforcement actions arising under existing legislation protecting fundamental human rights, e.g., the GDPR and other privacy laws around the world. In that regard, it is notable that the EU AI Act was inspired, at least in part, on UNESCO’s November 2021 Recommendation on the Ethics of Artificial Intelligence. There is, therefore, a real possibility that private sector companies developing neurotechnologies will be subject to rules specifically regulating such technologies in the future.Continue Reading UNESCO Adopts First Global Framework on Neurotechnology Ethics

On 5 December 2025, the Act Transposing the NIS 2 Directive and Regulating Key Aspects of Information Security Management in the Federal Administration (Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung (“NIS2UmsG”) (see here, in German only) became binding in Germany. According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (“BSI”) (see here, in German only), roughly 29,500 companies will have to comply with the increased cybersecurity requirements adopted by the NIS2UmsG.Continue Reading Germany Transposes NIS 2 Directive – Increased Cybersecurity Requirements for Businesses

On December 22, the Federal Trade Commission (“FTC”) issued an order setting aside its 2024 final consent order against Rytr, LLC (“Rytr”) on the grounds that the facts alleged in the Rytr complaint did not violate Section 5.  The Commission further found that the Rytr order did not provide any

Continue Reading FTC Sets Aside Rytr Final Order Pursuant to White House AI Action Plan

On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.

The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers

The Federal Trade Commission (FTC) sent letters to 10 companies—whose identities were not publicly disclosed—on December 22, 2025, warning them about potential violations of the Consumer Reviews Rule. The Rule, which took effect in October 2024, targets deceptive online review and testimonial practices. These warning letters mark the FTC’s first

Continue Reading FTC Issues Warning Letters for Violations of Consumer Reviews Rule

The Federal Trade Commission (FTC) recently announced that it agreed to proposed consent orders with two companies that experienced recent cybersecurity incidents, Illuminate Education (“Illuminate”) and Illusory Systems, which does business as Nomad (“Illusory”), to resolve allegations that both companies’ information security practices had violated Section 5 of the FTC

Continue Reading FTC Announces 10-Year Information Security Consent Orders with Illuminate Education and Illusory Systems

On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”).  According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI

Continue Reading NIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public Comment

On November 21, 2025, California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, Inc. (“Jam City”), a mobile app gaming company, for alleged violations of the California Consumer Privacy Act (“CCPA”) and Unfair Competition Law (“UCL”). The Jam City settlement marks Attorney General Bonta’s sixth settlement obtained under the CCPA and reflects a continued focus on how businesses present opt-out rights mechanisms to California consumers, including minors.Continue Reading California AG Announces $1.4 Million Settlement with Mobile App Gaming Developer Over CCPA Violations