NicFab Newsletter

Issue 2 - December 23, 2025

Privacy, Data Protection, AI, Cybersecurity & Tech Law - Weekly Review


Welcome to issue 2 of the weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you will find a carefully selected list of the most relevant news items from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.


FROM THE PREVIOUS WEEK (December 16, 2025 - December 21, 2025)


🇮🇹 ITALIAN DATA PROTECTION AUTHORITY

Unsolicited marketing: Verisure Italia fined €400,000

The Italian Data Protection Authority has fined Verisure Italia S.r.l. for the unlawful processing of personal data for marketing purposes. The measure stems from a complaint by a former customer who continued to receive unwanted promotional text messages even after objecting to the processing, and from a report by a potential customer who, after requesting a quote, began receiving advertising calls, emails, and text messages despite exercising their right to object.

The violations found are numerous and serious: handling of objections with a delay exceeding the terms set out in the EU Regulation; failure to correctly collect consent via the form on the website; consent effectively combined with the request for a quote (simply providing a phone number to obtain a quote was considered by the company as consent to receive advertising calls); excessive data retention period for telesales (12 months).

In addition to the financial penalty, the Authority prohibited the further processing of unlawfully acquired data, ordered the deletion of data collected without valid consent, and required that privacy policies be adapted to the GDPR.

Source


Inadequate security measures: Aimag fined €300,000

The Italian Data Protection Authority has imposed a fine of €300,000 on Aimag S.p.A., a provider of energy, water, environmental, and district heating services, for processing its customers’ data without adequate security measures and without a suitable legal basis for telemarketing purposes.

The investigation found that anyone could register in the service holder’s name in the reserved area of the website by entering the holder’s tax code and any email address, thereby gaining unlawful access to personal information such as home address and telephone number. In addition, the three consent fields in the registration form were already pre-flagged ‘YES’, in violation of European regulations regarding privacy policy, the use of data for advertising, and processing for customer satisfaction.
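As an added illustration (not code from the newsletter or from Aimag), the registration pattern described above, modelled as a function that binds an account to whoever supplies a tax code plus any e-mail address, beside a hardened flow that only confirms registration through the contact channel already on file and leaves consent boxes unticked. Customer records, names and the token flow are constructed assumptions.

```python
"""Constructed example: weak self-service registration vs. a hardened flow."""
from dataclasses import dataclass
import hmac
import secrets


@dataclass
class Customer:
    tax_code: str
    email_on_file: str  # contact channel the company already holds
    address: str
    phone: str


# Constructed sample record, not a real customer.
CUSTOMERS = {
    "RSSMRA80A01H501U": Customer(
        "RSSMRA80A01H501U", "mario@example.com", "Via Roma 1", "+39 055 000000"
    ),
}

OUTBOX = []   # stands in for the mail server; (recipient, token) pairs
PENDING = {}  # one-time token -> tax code awaiting confirmation


def send_mail(to: str, token: str) -> None:
    OUTBOX.append((to, token))


def register_weak(tax_code: str, email: str):
    """Weak pattern: a tax code is a widely known identifier, and the e-mail is
    attacker-chosen, so anyone can claim the account and read the holder's data.
    The consent flags are also pre-ticked, which the GDPR does not allow."""
    c = CUSTOMERS.get(tax_code)
    if c is None:
        return None  # also leaks whether the tax code is a customer
    return {"email": email, "address": c.address, "phone": c.phone,
            "consent_marketing": True, "consent_satisfaction": True}


def start_registration(tax_code: str, email: str) -> str:
    """Hardened step 1: only the e-mail already on file receives a one-time
    token, and the reply is identical whether or not the details match."""
    c = CUSTOMERS.get(tax_code)
    if c is not None and hmac.compare_digest(
        email.strip().lower().encode(), c.email_on_file.lower().encode()
    ):
        token = secrets.token_urlsafe(16)
        PENDING[token] = tax_code
        send_mail(c.email_on_file, token)
    return "If the details match, a verification link has been sent."


def complete_registration(token: str):
    """Hardened step 2: data is released only to whoever proves control of the
    on-file mailbox; the token is single-use and consent defaults to opt-out."""
    tax_code = PENDING.pop(token, None)
    if tax_code is None:
        return None
    c = CUSTOMERS[tax_code]
    return {"email": c.email_on_file, "address": c.address, "phone": c.phone,
            "consent_marketing": False, "consent_satisfaction": False}


if __name__ == "__main__":
    print(register_weak("RSSMRA80A01H501U", "anyone@example.net"))
    print(start_registration("RSSMRA80A01H501U", "mario@example.com"))
    print(complete_registration(OUTBOX[-1][1]))
```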

Source


Schengen Information System: new forms for exercising rights now online

New forms for exercising the rights of access, rectification, and erasure of personal data contained in the Schengen Information System (SIS) are now available on the Garante’s website. Requests should be addressed directly to the Ministry of the Interior - Department of Public Security, as the central authority responsible for the national section of the SIS (N.SIS).

If the Ministry of the Interior does not, in whole or in part, meet the request, the data subject may complain to the Garante, which exercises control over the processing of personal data recorded in the SIS in its capacity as the supervisory authority for the national section.

Source


🇪🇺 EUROPEAN DATA PROTECTION SUPERVISOR (EDPS)

TechDispatch: Digital Identity Wallet

On December 16, the EDPS published a new TechDispatch dedicated to the European Digital Identity Wallet (EUDI Wallet). The document provides an in-depth technical analysis of the infrastructure mandated by the eIDAS 2.0 Regulation, which will allow European citizens to securely store and manage their digital identity and other personal attributes on mobile devices.

The TechDispatch examines the implications for personal data protection, highlighting challenges related to data minimization, the security of verifiable credentials, and the risks of user tracking. The EDPS emphasizes the importance of implementing the wallet in full compliance with the principles of privacy by design and privacy by default.

Source


🇫🇷 CNIL (FRANCE)

FantomApp: the application to protect 10-15-year-olds on social networks

On December 16, the CNIL launched FantomApp, an innovative application designed to help young people aged 10 to 15 protect themselves on social networks. The app offers interactive educational tools that teach minors to recognize online risks, manage their privacy settings, and adopt safe behaviors in the digital environment.

The initiative is part of the French Authority for the Protection of Minors Online’s actions, in line with the provisions of the Digital Services Act relating to the protection of minors and the European Commission’s guidelines on the protection of minors on online platforms.

Source


Data breach: €1 million fine for Mobius Solutions Ltd

On December 19, the CNIL imposed a fine of €1,000,000 on Mobius Solutions Ltd for violating the GDPR provisions on personal data security. The measure follows a data breach that exposed the personal data of a significant number of data subjects.

The French authority found deficiencies in the technical and organizational measures implemented by the company to ensure the security of processing, in violation of Article 32 of the European Regulation.

Source


🇪🇺 EUROPEAN COMMISSION

First draft of the Code of Practice on the marking and labeling of AI-generated content

On December 17, 2025, the European Commission published the first draft of the Code of Practice on the marking and labeling of content generated by artificial intelligence, implementing Article 50 of the AI Act (EU Regulation 2024/1689).

The document is divided into two distinct sections:

Section 1 - Marking and detection: aimed at providers of generative AI systems, it establishes technical rules for marking outputs (audio, images, video, text) in a machine-readable format. Technical solutions must be adequate, interoperable, robust, and reliable.

Section 2 - Deepfake labeling and AI texts: aimed at deployers of generative AI systems for professional purposes, it defines how to clearly label deepfakes and AI-generated or manipulated text publications on matters of public interest.

The consultation on the first draft is open until January 23, 2026. The second draft is expected in mid-March 2026, with the Code to be finalized by June 2026 and enter into force on August 2, 2026.

Source: EU Commission

📝 Further reading: I have published a detailed analysis of the Code of Practice on my blog, examining the structure of the draft, the obligations for suppliers and deployers, the development process with the two Working Groups (chaired by Prof. Kalina Bontcheva and Prof. Anja Bechmann), the practical implications, and future challenges. The article includes the complete calendar from the kick-off on November 5, 2025, to the entry into force on August 2, 2026.

Read the full in-depth analysis on the blog


First Annual Report on Interoperability in the Union

On December 16, the European Commission presented the first Annual Report on Interoperability in the Union (COM:2025:860:FIN) to the Parliament and the Council, which analyzes the progress of initiatives aimed at ensuring the interoperability of European public administrations’ IT systems.

The document assesses progress in implementing the European Interoperability Framework. It makes recommendations for improving cross-border data exchange between Member State administrations, with a particular focus on personal data protection and cybersecurity.

Source


European Biotech Act: proposal for a regulation on biotechnology and biomanufacturing

On December 17, the Commission presented a proposal for a regulation to establish a framework of measures to strengthen the Union’s biotechnology and biomanufacturing sectors, particularly in the health sector (European Biotech Act - COM:2025:1022:FIN).

The proposal amends several existing regulations and includes provisions relevant to personal data protection, given the processing of genetic and health data that characterizes the biotech sector.

Source


Joint statement on EU legislative priorities for 2026

On December 18, 2025, European Parliament President Roberta Metsola, Danish Prime Minister Mette Frederiksen (on behalf of the Council Presidency), and Commission President Ursula von der Leyen signed the Joint Declaration on EU legislative priorities for 2026.

The priorities identified include: a new era for European defense and security; sustainable prosperity, competitiveness, and simplification; strengthening European societies and the European social model; an integrated approach to border and migration management; protecting democracy and defending values; strengthening the EU’s global influence and partnerships.

Source


Digital Europe Program: positive mid-term evaluation

On December 18, the Commission published the mid-term evaluation of the Digital Europe Program (DIGITAL), highlighting its significant impact on Europe’s digital transformation. The program is effectively contributing to the development of digital skills and capacity building in key areas such as artificial intelligence, cybersecurity, high-performance computing, and advanced digital technologies.

Source


WSIS+20: UN commitment to an inclusive digital future

On December 18, the European Commission welcomed the WSIS+20 final document adopted at the United Nations General Assembly’s high-level meeting. The document reaffirms the international community’s commitment to an inclusive digital future and multi-stakeholder internet governance, fundamental principles for ensuring that technological development respects human rights and the protection of personal data.

Source


Intra-EU communications tariffs: first implementing act

On December 17, the Commission adopted the first implementing act on intra-EU communications based on Article 5a of the Open Internet Regulation, as amended by the Gigabit Infrastructure Act. The act allows providers to eliminate price differences for calls and SMS messages made between Member States, contributing to the realization of the digital single market.

Source


⚖️ COURT OF JUSTICE OF THE EUROPEAN UNION

Judgment of the General Court in joined cases T-620/23, T-1023/23, T-483/24

On December 17, 2025, the General Court of the European Union issued a judgment in joined cases T-620/23, T-1023/23, and T-483/24. The ruling, the full details of which are awaited, could have implications for data protection and digital regulation issues.

Source


🇪🇺 EUROPEAN PARLIAMENT

The 2025 Sakharov Prize awarded to journalists for freedom of expression

President Roberta Metsola awarded the 2025 Sakharov Prize to representatives of Andrzej Poczobut (Belarus) and Mzia Amaglobeli (Georgia), journalists fighting for democracy in their countries. Both have been imprisoned for defending freedom of expression and democracy, and Parliament has called for their immediate release.

The Sakharov Prize is the EU’s highest award for work in defense of human rights, given to those who have made an exceptional contribution to the protection of freedom of thought.

Source


Compulsory patent licenses for crisis management

Parliament adopted at second reading the provisional agreement on a compulsory patent licensing regime. The mechanism aims to facilitate rapid patent use during crises while preserving incentives for innovation through patent protection. Parliamentary negotiators secured the exclusion of crises relating to semiconductors, gas supply security, and defense-related products from the scope of application.

Source: https://epthinktank.eu/2025/12/19/plenary-round-up-december-2025/


🇪🇺 COUNCIL OF THE EUROPEAN UNION

CAP simplification (Omnibus III): final approval

On December 18, the Council gave final approval to the simplification of the Common Agricultural Policy (CAP). The “Omnibus III” package aims to reduce the administrative burden on farmers and national administrations, with estimated savings of up to €1.6 billion per year for farmers and over €200 million for Member State administrations.

Although the measure primarily concerns the agricultural sector, it intersects with data protection legislation regarding the management of farmers’ data and administrative controls.

Source


EU-Western Balkans Summit

European Council President António Costa issued a statement on December 17 following the EU-Western Balkans Summit, reaffirming the Union’s support for the European future of the countries in the region. The enlargement process also includes aligning candidate countries with the EU acquis on data protection.

Source


🔐 CYBERSECURITY

UEFI vulnerability on ASRock, ASUS, GIGABYTE, and MSI motherboards

On December 19, a new security vulnerability was disclosed that affects motherboards from several manufacturers (ASRock, ASUS, GIGABYTE, MSI), exposing them to DMA (Direct Memory Access) attacks during the initial boot phase. The flaw affects systems with a UEFI interface and could allow attackers with physical access to compromise the system before the operating system loads, bypassing traditional security measures.

The vulnerability raises significant concerns for data security, as a successful attack could allow unauthorized access to personal data stored on compromised devices.

Source


🤖 ARTIFICIAL INTELLIGENCE

AI Act in a Nutshell - Part 1: Introduction to the Regulation

With this issue, we are launching a new column dedicated to the AI Act (EU Regulation 2024/1689), the world’s first comprehensive regulatory framework on artificial intelligence. Each week, we will explore a specific aspect of the Regulation and offer practical guidance for professionals, companies, and industry operators.

What is the AI Act and why is it important?

The AI Act, which came into force on August 1, 2024, is the cornerstone of the European strategy for trustworthy and human-centered artificial intelligence. The Regulation adopts a risk-based approach, classifying AI systems into four categories:

  1. Unacceptable risk (prohibited systems): AI practices considered an unacceptable threat to fundamental rights, such as government social scoring or subliminal manipulation.

  2. High risk: systems subject to stringent requirements before being placed on the market, such as those used in critical infrastructure, education, employment, essential services, law enforcement, border management, and the administration of justice.

  3. Limited risk: systems subject to specific transparency obligations, such as chatbots and systems that generate deepfakes.

  4. Minimal risk: all other AI systems, not subject to specific obligations but encouraged to adopt voluntary codes of conduct.

Timeline for implementation

The Regulation provides for gradual implementation:

  • February 2, 2025: ban on prohibited AI practices and AI literacy requirements
  • August 2, 2025: requirements for general-purpose AI models (GPAI)
  • August 2, 2026: full application for high-risk systems

OECD AI: medium-sized economies can collaborate on frontier AI

On December 16, the OECD AI Policy Observatory published an analysis on the possibility for medium-sized economies to collaborate to develop frontier artificial intelligence. The document explores models of international cooperation that could enable countries with limited resources to participate in the development of advanced AI systems, highlighting the importance of common AI governance frameworks that include personal data protection.

Source


OECD AI: Insurance Companies and AI Risk Management

On December 17, the OECD published an analysis explaining why insurance companies should encourage robust AI risk management rather than excluding it from coverage. The document highlights how a proactive approach to managing AI-related risks can benefit both companies and insurers, promoting the responsible development of AI.

Source


Future of Privacy Forum: Five Big Questions for US Privacy/AI 2026

On December 17, the Future of Privacy Forum published an analysis of the five big questions (and zero predictions) for the privacy and AI landscape in the United States in 2026. The document examines the main regulatory uncertainties that will characterize the evolution of the US regulatory framework, with potential impacts on transatlantic relations in the area of data transfer.

Source


👶 PROTECTION OF MINORS ONLINE

Better Internet for Kids Bulletin - December 2025

The 44th edition of the Better Internet for Kids Bulletin was published on December 18, reflecting on the recent Safer Internet Forum (SIF) 2025, dedicated to the theme “Why age matters: Protecting and empowering youth in the digital age”. The bulletin presents the resources of the “DSA for YOUth” campaign, including a toolkit with explanatory guides and a glossary, as well as a family-friendly brochure co-created with the BIK Youth Ambassadors and available in all EU languages.

The document also includes updates on Insafe helpline statistics, which received over 14,300 contacts in the third quarter of 2025, with cyberbullying remaining the most common reason for contacting a helpline (15% of contacts).

Source


Safer Internet Day 2026: save the date

Safer Internet Day 2026 will be celebrated on Tuesday, February 10, 2026, with events in over 160 countries and territories. The day will highlight how everyone—children, parents, educators, policymakers, and industry—can work together to create positive digital experiences.

Source


🌍 INTERNATIONAL DEVELOPMENTS

FPF: Youth Privacy in Australia

On December 16, the Future of Privacy Forum published an analysis of children’s privacy in Australia, based on national policy dialogues. The document examines the evolution of the Australian regulatory framework for the protection of children’s data, offering valuable comparative insights for the European debate.

Source


FPF: Issue Brief on Vietnam’s data protection laws

On December 20, the Future of Privacy Forum published an Issue Brief on Vietnam’s personal data protection laws (Law on Protection of Personal Data and Law on Data). The document provides a valuable comparative analysis for companies operating or intending to operate in the Vietnamese market.

Source


🔗 BLOCKCHAIN AND DIGITAL IDENTITY

EBSI Newsflash #47: updates on Europeum and Verifiable Credentials

The European Blockchain Services Infrastructure (EBSI) published Newsflash #47 on December 17, with essential updates on the transition to Europeum. Marc Antoine Lemaire was appointed Chief Technology Officer (CTO) of Europeum on November 10, 2025. The transition to Europeum is proceeding according to an accelerated plan.

On the technical front, the team is updating the Data Models, libraries, and other artifacts of the Developers Hub to the latest versions of the Verifiable Credentials Data Models 2.0 (VCDM) as specified by the W3C. The previous models will not be deprecated but will coexist with the new ones to support both existing and new use cases.

The Copyright Innovation Challenge, after a strong response to the call for participation, saw 16 shortlisted candidates present their proposed solutions during a dedicated pitch day. Three candidates were selected to pilot their solutions.

Source


ANALYSIS COMMENT

The week of December 16-21, 2025, proved to be particularly busy with regulatory developments and enforcement in the areas of personal data protection, artificial intelligence, and cybersecurity. Some significant trends have emerged that deserve in-depth critical analysis.

National enforcement: the Italian Data Protection Authority at the forefront

The Italian Data Protection Authority’s sanctioning activity confirms the Authority’s constant focus on illegal marketing practices and shortcomings in security measures. The sanctions imposed on Verisure Italia (€400,000) and Aimag (€300,000) highlight recurring issues: invalid consent obtained, pre-selected checkboxes on forms, and inadequate handling of opposition requests. These cases serve as a warning to all organizations that process personal data for promotional purposes, reminding them that GDPR compliance requires a substantive approach and not merely a formal one.

Artificial intelligence: towards the regulation of synthetic content

The publication of the first draft of the Code of Practice on the labeling of AI-generated content is a key step in implementing the AI Act. The challenge of making synthetic content identifiable is crucial to combating disinformation and protecting the integrity of the information ecosystem. The finalization, scheduled for June 2026, will have to address complex technical issues, from watermarking to metadata, balancing the effectiveness of labeling and practicability for operators.

Protection of minors: a cross-cutting issue

The protection of minors online emerges as a common thread running through multiple initiatives: from the Better Internet for Kids Bulletin to the DSA for YOUth campaign, from the CNIL’s FantomApp to the announcement of Safer Internet Day 2026. The European approach stands out for its search for a balance between protection and empowerment, recognizing that age matters not only as an access threshold but also as a parameter for the appropriate design of digital experiences.

Cybersecurity: increasingly sophisticated threats

The UEFI vulnerability affecting motherboards from major manufacturers is a reminder that cybersecurity requires attention at all levels of the technology stack, from firmware to operating systems. DMA attacks during the early-boot phase can bypass traditional protections, underscoring the need for a security approach that accounts for the entire device lifecycle.

Digital identity and blockchain: Europe accelerates

The EDPS TechDispatch on the Digital Identity Wallet and EBSI updates on Verifiable Credentials Data Models 2.0 signal the acceleration towards a European digital identity infrastructure. The transition to Europeum and the adoption of the latest W3C standards lay the foundations for an interoperable ecosystem, but also raise significant questions about data minimization and tracking risks, which the EDPS rightly highlights.

Outlook

2026 promises to be a crucial year for the maturation of the European regulatory framework for digital issues. The legislative priorities agreed by the Parliament, Council and Commission explicitly include digital competitiveness and regulatory simplification. Still, it will be essential to ensure that the pursuit of efficiency does not compromise the level of protection of fundamental rights that characterizes the European model. The challenge for professionals in the sector will be to accompany clients in this evolving scenario, anticipating regulatory developments and translating regulatory complexity into concrete and compliant operational practices.


🎄 SEASON’S GREETINGS

This issue concludes the 2025 edition of the Newsletter.

It has been an intense year full of significant regulatory developments: from the entry into force of the AI Act to the first operational applications of the Digital Services Act, from record privacy fines to the challenges posed by generative artificial intelligence. We have tried to accompany you week after week as you interpret this ever-changing landscape.

I would like to thank all our readers for their attention and trust. Your feedback and suggestions are invaluable in helping us to improve the quality of our content constantly.

I wish you and your families a peaceful Christmas and a happy New Year.

We will be back in January 2026 with new news, insights, and the continuation of the “AI Act in a Nutshell” column.

Happy Holidays!


📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm

🌐 Fabiano Law Firm: https://www.fabiano.law
🌐 Blog: https://www.nicfab.eu

🌐 DAPPREMO: www.dappremo.eu



Feedback and suggestions are always welcome to improve future editions. See you next Tuesday!