NicFab Newsletter

Issue 3 | January 13, 2026

Privacy, Data Protection, AI, and Cybersecurity


This issue officially kicks off 2026 for the NicFab Newsletter, a year that promises to be particularly significant for the evolution of personal data protection and the regulation of artificial intelligence.

The publication resumes regularly after the holiday break, aiming to continue offering a critical and systemic analysis of the main regulatory, institutional, and technological developments.

Enjoy reading!


In this issue

  • Privacy Guarantor: deepfake alert
  • EDPS: Opinion 1/2026 on VAT data access
  • European Commission: DMA Review consultation
  • CNIL: rules for tourist webcams
  • European Parliament: Cybersecurity Act review
  • USA: new AI laws in force since January 1
  • Cybersecurity: data breaches and critical vulnerabilities
  • AI Act in a nutshell – Part 2
  • From the NicFab Blog

ITALIAN DATA PROTECTION AUTHORITY

Deepfakes: the Authority warns of risks to fundamental rights and freedoms

January 8, 2026 - The Italian Data Protection Authority has issued a warning to users of tools such as Grok, ChatGPT, and Clothoff, which are used to generate deepfake content.

The Authority has emphasized that the creation and dissemination of images, videos, or audio manipulated using artificial intelligence without the consent of the persons depicted constitutes a serious violation of the GDPR and may infringe on the fundamental rights and freedoms of the persons concerned.

The warning highlights in particular the risks associated with:

  • Creation of non-consensual sexually explicit content
  • Digital identity theft
  • Defamation and reputational damage
  • Manipulation of public opinion

The Authority reminds that those who generate and disseminate deepfakes without consent may incur administrative penalties of up to €20 million or 4% of global annual turnover, in addition to possible criminal liability.

Privacy Authority Measure


EDPS - EUROPEAN DATA PROTECTION SUPERVISOR

Opinion 1/2026: access to VAT data for the fight against fraud

January 8, 2026 - The European Data Protection Supervisor (EDPS) has published Opinion 1/2026 on the proposed Regulation amending Regulation (EU) No. 904/2010 on access to VAT data by the EPPO (European Public Prosecutor’s Office) and OLAF (European Anti-Fraud Office).

Supervisor Wojciech Wiewiórowski expressed support for the objectives of the proposal, recognizing that targeted and limited access to certain VAT information may be necessary to ensure effective investigations into MTIC (Missing Trader Intra-Community) fraud, which costs the EU between €12.5 and €32.8 billion per year.

However, the EDPS issued a crucial warning: the boundaries between administrative and criminal processing of personal data must not be blurred. The two regimes follow distinct legal principles that must be strictly adhered to within the regulatory framework.

[Opinion EDPS 1/2026](https://www.edps.europa.eu/data-protection/our-work/publications/opinions/2026-01-07-opinion-12026-regulation-amending-regulation-eu-no-9042010-regards-access-eppo-and-olaf-vat-information_en)

Upcoming EDPS events

January 28, 2026 - Data Protection Day 2026: Reset or refine?
Conference organized jointly by the Council of Europe and the EDPS to celebrate the signing of Convention 108, the first binding treaty on privacy protection in the digital age.

February 12, 2026 - Data takes flight: Navigating privacy at the airport
Conference organized by the EDPS and EDPB Trainees on the protection of personal data in the context of air travel.


EUROPEAN COMMISSION

DMA Review: summary of consultation published

January 8, 2026 - The European Commission has published the summary and responses received in the consultation on the review of the Digital Markets Act (DMA), with over 450 contributions from stakeholders across Europe.

The results highlight:

Broad support for the objectives of the DMA, with requests to strengthen:

  • Interoperability between platforms
  • Access to data for third-party developers
  • Extension of the scope to AI and cloud sectors

Concerns from gatekeepers about the proportionality of obligations and compliance costs.

The final report is expected on May 3, 2026.

DMA Review - European Commission


CNIL - FRENCH AUTHORITY

Tourist webcams: rules clarified for municipalities

January 5, 2026 - The CNIL has published a report on checks conducted on tourist webcams installed by French municipalities, clarifying the rules governing their management in compliance with privacy regulations.

Key points of the measure:

  • Legitimate interest cannot be invoked as a legal basis for cameras filming public areas
  • Cameras must be configured to avoid capturing identifiable individuals or vehicle license plates
  • The vidéoprotection (security video surveillance) framework does not apply to tourist webcams
  • A data protection impact assessment (DPIA) is required when the processing presents high risks

CNIL - Tourist cameras


EUROPEAN PARLIAMENT

Cybersecurity Act: what to expect from the review

January 5-9, 2026 - The European Parliament’s Think Tank has published two key documents on the review of the Cybersecurity Act (CSA), which is expected to be proposed on January 14, 2026.

Context: The CSA came into force in 2019, formalizing ENISA’s permanent mandate and establishing the European Certification Framework (ECCF).

Alarming data from the Digital Package briefing:

  • +150% increase in cyberattacks in 2024
  • ENISA resources under increasing pressure
  • Significant delays in the implementation of the ECCF: to date, only the EUCC (Common Criteria) scheme has been adopted

Key themes of the review:

  • Simplification of certification procedures
  • Strengthening the resilience of critical infrastructure
  • Streamlining the regulatory landscape (coordination with NIS2, CRA, DORA)
  • Sovereignty requirements in cloud certification schemes (EUCS) - controversial issue

Cybersecurity Act Review - EP Think Tank

Digital Package Briefing


INTERNATIONAL DEVELOPMENTS

USA: new AI laws in force since January 1, 2026

The new year marked the entry into force of new state regulations on artificial intelligence in the United States:

California - Transparency in Frontier AI Act (TFAIA)
Transparency obligations for developers of frontier AI systems, including reporting requirements on capabilities and risks.

Texas - Responsible AI Governance Act (RAIGA)
Framework for the responsible use of AI by state public entities, with impact assessment requirements.

Illinois - HB 3773 (AI in Employment)
Specific rules on the use of AI in personnel selection processes, with notification requirements for candidates.

The Colorado AI Act will come into force on June 30, 2026 (postponed from the original date of February 1).


CYBERSECURITY

Data Breach and Critical Vulnerabilities

Trust Wallet - December 24, 2025
Attack on the supply chain of the Trust Wallet Chrome extension. Hackers compromised GitHub credentials, gaining access to the Chrome Web Store API. $8.5 million in cryptocurrency was stolen. The attack, dubbed “Shai-Hulud,” highlights the risks of dependencies in the software development chain.

Korean Air - December 31, 2025
The Cl0p ransomware group claimed responsibility for stealing 30,000 records of Korean Air employees, obtained by compromising a catering service provider (KC&D).

RondoDox Botnet - January 2026
A nine-month campaign exploiting the CVE-2025-55182 vulnerability (React2Shell, CVSS 10.0) has been discovered. 84,916 vulnerable instances were affected, including 66,200 in the United States. Targets: IoT devices and web servers.


AI ACT IN A NUTSHELL - Part 2

Article 6: Classification of high-risk systems

Article 6 of Regulation (EU) 2024/1689 (AI Act) sets out the criteria for classifying an artificial intelligence system as high-risk.

Two classification paths:

1. AI systems as safety components (Art. 6, para. 1)
An AI system is high-risk when:

  • It is a safety component of a product covered by EU harmonization legislation listed in Annex I, or
  • It is itself a product covered by such legislation

And in both cases:

  • The product must undergo third-party conformity assessment in accordance with applicable legislation

2. AI systems in critical sectors (Art. 6, para. 2)
AI systems listed in Annex III, which covers sensitive areas such as:

  • Biometric identification
  • Critical infrastructure management
  • Education and vocational training
  • Employment and worker management
  • Access to essential services
  • Law enforcement, migration, justice

Important exception (Art. 6, para. 3)
A system is not considered high-risk if it does not pose significant risks to health, safety, or fundamental rights, in particular when:

  • It performs a limited procedural task
  • It improves the outcome of a previous human activity
  • It detects decision-making patterns without replacing human judgment
  • It performs a preparatory task for a relevant assessment

A provider who considers that their system falls under this exception must formally document the assessment before placing it on the market and must register the system in the EU database.

In the next episode: Article 5 - Prohibited AI practices


FROM THE NICFAB BLOG

Markdown: From 2004 to the age of AI

January 6, 2026 - A journey through the history of the Markdown format, from its creation by John Gruber and Aaron Swartz in 2004 to its natural convergence with artificial intelligence. Large Language Models produce output natively in Markdown, confirming the principles of data portability that underpin the GDPR.

Read the full article


WhatsApp, metadata, and privacy: when the problem is not the content but the context

January 5, 2026 - Two recent studies (University of Vienna and Tal Be’ery) reveal significant vulnerabilities in WhatsApp metadata: 3.5 billion enumerable accounts and device fingerprinting. End-to-end encryption protects content, but not metadata. Analysis of GDPR implications and open source alternatives such as XMPP, Matrix, and SimpleX Chat.

Read the full article


Search engines and artificial intelligence: between technological transformation and emerging risks

December 29, 2025 - Analysis of the EPRS report “Search engines in times of AI” and the Gartner advisory on agentic browsers. Google AI Overviews already accounts for 60% of searches, and traffic is expected to decline by 25% by 2026. Risks of agentic browsers: data leaks, prompt injection, fictitious compliance. The regulatory framework: DSA, DMA, AI Act, GDPR, and Copyright Directive.

Read the full article


Upcoming events

| Date | Event |
| --- | --- |
| January 14, 2026 | Proposed revision of the Cybersecurity Act |
| January 27, 2026 | Digital Clearinghouse 2.0 |
| January 28, 2026 | Data Protection Day 2026 |
| February 12, 2026 | “Data takes flight” - EDPS/EDPB |

Conclusion

2026 begins with clear signs of full convergence between artificial intelligence, personal data protection, and cybersecurity, which is set to dominate the regulatory and operational agenda for the year. The Italian Data Protection Authority’s warning on deepfakes is a significant wake-up call, highlighting how generative technologies have reached a level of sophistication that poses concrete, immediate risks to citizens’ fundamental rights. These are no longer future scenarios but violations that occur daily.

At the European level, the regulatory framework continues to evolve with the revision of the Cybersecurity Act and the Digital Markets Act. The most worrying data comes from the European Parliament briefing: a 150% increase in cyberattacks in 2024 underscores how systemic the cyber threat has become and emphasizes the need for coordinated responses at the continental level. The slow adoption of ECCF certification schemes—with only the EUCC operational since the CSA came into force—raises questions about the Union’s ability to promptly translate legislation into usable technical and operational tools.

On the other side of the Atlantic, the United States is pursuing a fragmented but dynamic approach: California, Texas, and Illinois have ushered in 2026 with new AI laws, each with distinct priorities. This proliferation of state regulations, in the absence of comprehensive federal legislation, creates a complex mosaic for companies operating on a national and international scale.

The “AI Act in a Nutshell” column continues with an analysis of Article 6, the beating heart of the classification of high-risk systems. Understanding these mechanisms is essential for all operators who develop or use artificial intelligence systems in the European Union.

Finally, the security incidents of recent weeks—from Trust Wallet to Korean Air—confirm a well-established trend: attacks on the supply chain and third-party suppliers are the preferred vector for compromising even organizations with robust perimeter defenses. Security can no longer be conceived as the individual responsibility of single organizations, but requires an ecosystemic approach involving the entire value chain.

See you in the next issue to continue this journey of analysis, monitoring, and in-depth discussion together.


📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm

🌐 Studio Legale Fabiano: https://www.fabiano.law
🌐 Blog: https://www.nicfab.eu
🌐 DAPPREMO: www.dappremo.eu


Partnership

Law & Technology
Caffè 2.0 Privacy Podcast


To receive the newsletter directly in your inbox, subscribe at nicfab.eu

Follow us on Telegram 👉 @nicfabnews