NicFab Newsletter

Issue 5 | January 27, 2026

Privacy, Data Protection, AI, and Cybersecurity


Welcome to issue 5 of the weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you will find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.


In this issue

  • EDPB - EUROPEAN DATA PROTECTION BOARD
  • EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
  • EUROPEAN COMMISSION
  • COUNCIL OF THE EU
  • DIGITAL MARKETS & PLATFORM REGULATION
  • INTERNATIONAL DEVELOPMENTS
  • ARTIFICIAL INTELLIGENCE
  • CYBERSECURITY
  • TECH & INNOVATION
  • SCIENTIFIC RESEARCH
  • AI Act in Pills
  • From the NicFab Blog
  • Events and Meetings
  • Conclusion

EDPB - EUROPEAN DATA PROTECTION BOARD

EDPB Document on Cooperation Procedure for Contractual Clauses Authorization

The EDPB has published new procedural guidance for the authorization of contractual clauses under Article 46(3)(a) GDPR and the adoption of standard contractual clauses under Article 46(2)(d) GDPR. This document establishes a streamlined cooperation framework between data protection authorities when evaluating custom contractual arrangements for international data transfers.

For DPOs, this represents a significant development in the standardization of transfer mechanisms. The procedure should provide greater clarity on the timeline expectations and requirements for seeking approval for bespoke contractual clauses that deviate from the existing Standard Contractual Clauses. Organizations relying on complex international data flows may benefit from clearer pathways to regulatory approval, though the specific requirements and evaluation criteria will need careful review.

Source

EDPB and EDPS Joint Position on AI Act Implementation Streamlining

The EDPB and EDPS have issued a joint opinion on the European Commission’s “Digital Omnibus on AI” proposal, supporting administrative simplification while warning against weakening fundamental rights protections. The data protection authorities particularly oppose removing registration obligations for AI systems that providers self-assess as non-high-risk, citing accountability concerns and potential regulatory gaming.

The joint position signals that DPAs will maintain vigilant oversight of AI implementations despite efforts to streamline. DPOs should note the emphasis on maintaining strong cooperation between data protection authorities, the AI Office, and market surveillance bodies. The opinion also addresses expanded possibilities for processing special category data for bias detection, recommending strict limitations to situations with sufficiently serious adverse effect risks.

Source

EDPB-EDPS Joint Opinion 1/2026 on Digital Omnibus AI Regulation

This formal joint opinion document provides the detailed regulatory analysis behind the EDPB and EDPS position on simplifying AI Act implementation. The opinion represents the consolidated view of European data protection authorities on balancing administrative efficiency with rights protection in AI regulation.

DPOs working with AI systems should review this opinion carefully, as it signals the enforcement priorities and interpretive approach that data protection authorities are likely to adopt. The document will be particularly relevant for organizations developing compliance strategies that span both the GDPR and the AI Act, offering insight into how supervisory authorities view the intersection of these regulatory frameworks.

Source

EU-U.S. Data Privacy Framework FAQ Updated for European Businesses

The EDPB has released version 2.0 of its FAQ guidance for European businesses using the EU-U.S. Data Privacy Framework. This updated guidance reflects evolving practical experience with the adequacy decision and addresses common implementation questions that have emerged since the framework’s adoption.

For DPOs managing transatlantic data flows, this update is likely to incorporate lessons learned from the initial framework implementation and may clarify ambiguous areas in transfer documentation and compliance monitoring. The timing suggests refinements based on supervisory authority feedback and business inquiries. Organizations should review the updated guidance against their current U.S. transfer practices to ensure alignment with the latest supervisory expectations.

Source

Updated Rules of Procedure for EU DPA Panel on Data Privacy Framework

Version 2.0 of the Rules of Procedure for the “Informal Panel of EU DPAs” under the EU-U.S. Data Privacy Framework has been published, updating the operational framework for coordinated DPA oversight of transatlantic transfers. This procedural update governs how European data protection authorities collaborate on Data Privacy Framework supervision and complaint handling.

The procedural refinements suggest that the informal panel mechanism is being operationalized based on practical experience with oversight of the framework. DPOs should understand these procedures as they define the escalation and coordination pathways for Data Privacy Framework-related issues. The updated rules may also provide insights into complaint resolution timelines and inter-authority cooperation mechanisms that could affect transfer risk assessments.

Source


EDPS - EUROPEAN DATA PROTECTION SUPERVISOR

🎙️ TechSonar Podcast: Debunking coding assistants

January 19, 2026

How are AI-powered coding assistants transforming software development? Will greater accessibility lead to new data protection challenges? Can organisations and service providers build stronger governance and privacy-by-design into coding assistants? With our guest, Laura Hernandez, we will decode the key risks, responsibilities, and opportunities behind AI coding assistants.

Listen to the podcast

EDPB-EDPS Joint Press Release

The European Data Protection Board and the European Data Protection Supervisor have issued a joint statement on the implementation of the AI Act, advocating streamlined processes while emphasizing the critical need for enhanced fundamental rights protections. This collaborative approach signals unified regulatory oversight across both the private and public sectors for AI deployments.

The joint opinion reflects growing regulatory concern about balancing innovation efficiency with privacy safeguards as AI systems become more pervasive. For DPOs, this development suggests increased scrutiny of AI processing activities and potential alignment between GDPR enforcement and AI Act compliance requirements.

Organizations should prepare for more integrated regulatory guidance that treats data protection and AI governance as interconnected rather than separate compliance domains. DPOs may need to expand their expertise beyond traditional privacy frameworks to encompass broader fundamental rights considerations in AI system assessments.

Source


EUROPEAN COMMISSION

CELEX:52026PC0011: Proposal for Cybersecurity Act 2 - Strengthening ENISA and ICT Supply Chain Security

The European Commission has unveiled its ambitious “Cybersecurity Act 2” proposal, which significantly expands ENISA’s mandate and introduces comprehensive ICT supply chain security measures. This regulation would replace the current Cybersecurity Act (EU 2019/881), reflecting the evolving threat landscape and the need for more robust cybersecurity governance across the EU.

For DPOs, this development signals a tighter integration between cybersecurity and data protection frameworks. The enhanced cybersecurity certification requirements and supply chain security provisions will likely create new compliance obligations that intersect with GDPR requirements, particularly around technical and organizational measures (TOMs) and vendor risk assessments.

The proposal’s focus on ICT supply chain security is particularly relevant for organizations processing personal data, as it may introduce mandatory due diligence requirements for technology vendors and service providers, complementing existing GDPR processor agreements.

Source

CELEX:52026SC0011: Impact Assessment Report for Cybersecurity Act 2

The Commission’s comprehensive impact assessment accompanying the Cybersecurity Act 2 proposal provides crucial insights into the expected regulatory burden and benefits of the new framework. This working document evaluates the need for enhanced cybersecurity measures and their potential effects on businesses and public-sector organizations.

The assessment likely addresses the interplay between cybersecurity requirements and existing data protection obligations, providing valuable context for DPOs preparing for compliance. Understanding the Commission’s rationale will be essential for organizations developing integrated governance frameworks that address both cybersecurity and privacy requirements simultaneously.

This document serves as a roadmap for anticipated implementation challenges and may offer guidance on proportionate measures that organizations should consider when updating their data protection and security policies.

Source

COM:2026:11:FIN: Cybersecurity Act 2 Regulation Proposal

This formal communication document presents the complete regulatory text for the proposed Cybersecurity Act 2, establishing the legal framework for enhanced EU cybersecurity governance. The regulation aims to strengthen ENISA’s role while introducing mandatory cybersecurity measures across critical sectors.

DPOs should pay particular attention to how the new cybersecurity requirements will complement existing GDPR Article 32 obligations regarding security of processing. The regulation may introduce specific technical standards and certification schemes that could become the de facto benchmark for demonstrating adequate technical measures under GDPR.

Organizations will need to assess how compliance with the new cybersecurity framework affects their data protection impact assessments and risk management procedures, ensuring seamless integration between privacy and security governance structures.

Source

CELEX:52026PC0013: NIS2 Directive Amendment Proposal

The Commission proposes targeted amendments to the NIS2 Directive to align with the new Cybersecurity Act 2, focusing on simplification measures and regulatory coherence. This amendment demonstrates the EU’s commitment to creating a unified cybersecurity ecosystem that reduces compliance complexity while maintaining high security standards.

For DPOs, the alignment between NIS2 and the Cybersecurity Act 2 promises more explicit guidance on security requirements for essential and vital entities. The simplification measures may reduce regulatory overlap and provide more streamlined compliance pathways for organizations subject to both cybersecurity and data protection requirements.

The amendment offers organizations an opportunity to consolidate their compliance efforts and develop more efficient governance structures that address both incident reporting obligations and data breach notification requirements within a harmonized framework.

Source

CELEX:52026PC0016: Digital Networks Act Proposal

The proposed Digital Networks Act represents a comprehensive overhaul of EU telecommunications regulation, consolidating multiple existing directives and regulations into a single framework. This ambitious proposal aims to modernize digital infrastructure governance while adapting to emerging technologies and market developments.

DPOs should monitor this development closely, as telecommunications networks are fundamental infrastructure for data processing activities. The Act may introduce new privacy-by-design requirements for network operators and could affect how personal data flows through digital infrastructure, potentially impacting international data transfer mechanisms.

The regulation’s scope, covering everything from network security to consumer protection, has significant implications for organizations that rely on digital communications services. DPOs may need to reassess vendor relationships and data processing agreements to ensure compliance with new network-level privacy and security requirements.

Source


COUNCIL OF THE EU

Cybersecurity Act 2.0: Major Overhaul Proposed

The European Commission has unveiled a comprehensive proposal to replace the current Cybersecurity Act with an enhanced version that significantly expands ENISA’s role and introduces new ICT supply chain security requirements. This “Cybersecurity Act 2” represents a fundamental shift toward more integrated cybersecurity governance across the EU.

For DPOs, this development signals deeper convergence between cybersecurity and data protection frameworks. The enhanced certification requirements and supply chain security measures will likely impose additional due diligence obligations when selecting technology vendors and processors. Organizations should prepare for more rigorous security assessments and documentation requirements that align with both cybersecurity and GDPR compliance.

The proposal’s focus on ICT supply chain security particularly impacts international data transfers and vendor management processes that DPOs oversee daily.

Source

EDPB Evaluates Law Enforcement Data Protection Framework

The European Data Protection Board has submitted its comprehensive evaluation of the Data Protection Law Enforcement Directive (LED) to the Commission, fulfilling the mandatory review requirement under Article 62. This assessment comes at a critical juncture, as law enforcement agencies increasingly rely on advanced data-processing technologies.

The evaluation likely addresses challenges DPOs face when their organizations interact with law enforcement, particularly regarding data-sharing protocols and limitations on individual rights. Understanding the EDPB’s findings will be crucial for organizations that regularly process data for law enforcement purposes or respond to official requests.

This review may herald significant changes to how personal data flows between private entities and law enforcement agencies, potentially affecting standard operating procedures that DPOs have established for such interactions.

Source

Regulatory Scrutiny Board Reviews Cybersecurity Act Reform

The European Commission’s Regulatory Scrutiny Board has issued its opinion on the proposed review of the Cybersecurity Act, providing an independent assessment of the regulatory impact and proportionality of the new measures. This scrutiny represents a crucial checkpoint in the legislative process that could influence the final shape of cybersecurity requirements.

DPOs should closely monitor this opinion, as it may reveal potential implementation challenges or compliance burdens that could affect their organizations. The Board’s recommendations often lead to modifications in proposed legislation, particularly regarding administrative burden and cost-effectiveness of new requirements.

The opinion’s insights into proportionality and necessity tests will help DPOs better understand the rationale behind upcoming cybersecurity obligations and prepare more targeted compliance strategies.

Source

NIS2 Directive Faces Simplification Amendments

A new proposal aims to amend the NIS2 Directive with simplification measures while ensuring alignment with the forthcoming Cybersecurity Act 2. This legislative fine-tuning reflects ongoing efforts to streamline the complex web of cybersecurity regulations that organizations must navigate.

For DPOs in essential entities under NIS2, these amendments could provide welcome relief from overlapping requirements and administrative complexity. The alignment with the Cybersecurity Act 2 suggests a more cohesive regulatory approach that may reduce friction in compliance across different cybersecurity frameworks.

However, DPOs should prepare for transition periods and potential changes to existing compliance procedures. The simplification may also redistribute responsibilities or modify reporting requirements that currently form part of established data protection and security workflows.

Source

Comprehensive Annexes Detail New Cybersecurity Framework

The detailed annexes to the Cybersecurity Act 2 proposal provide the technical specifications and implementation guidelines that will govern the new regulatory framework. These documents contain the operational details that transform high-level policy objectives into concrete compliance requirements.

DPOs must carefully examine these annexes, as they likely contain specific technical and organizational measures that intersect with GDPR requirements. The annexes may specify new categories of security certifications, audit procedures, or documentation standards that will become mandatory for certain types of data processing activities.

The technical specifications will be particularly relevant for DPOs overseeing data processing in critical sectors or those involving high-risk technologies, as these areas typically face the most stringent certification and security requirements.

Source


DIGITAL MARKETS & PLATFORM REGULATION

Commission Ready for ‘Further Action’ on Elon Musk’s Grok

The European Commission is signaling its willingness to escalate enforcement under the Digital Services Act (DSA), with EU tech chief Henna Virkkunen warning of potential action against Elon Musk’s AI chatbot Grok. The focus centers on AI-nudification tools and the associated risks under the DSA’s content moderation framework.

For DPOs, this development highlights the expanding scope of platform regulation beyond traditional social media content. The Commission’s readiness to act suggests that AI-powered services integrated into major platforms will face increased scrutiny for potential harms, including deepfake generation and image manipulation capabilities.

This case may establish important precedents for assessing AI tools embedded within regulated platforms for compliance. DPOs should monitor how the Commission defines and addresses AI-related risks under existing digital services legislation, as enforcement approaches here could influence broader AI governance frameworks.

Source

Brussels Plans to Force Governments to Block Huawei from 5G

The European Commission is preparing mandatory restrictions on Chinese vendors such as Huawei and ZTE for critical 5G infrastructure, moving beyond the voluntary 2020 5G Security Toolbox. The new Cybersecurity Act proposal would legally require member states to block high-risk vendors from sensitive network components, addressing Commissioner Virkkunen’s dissatisfaction with inconsistent national implementation.

This shift from voluntary to mandatory restrictions reflects growing EU concerns about the security of supply chains for critical infrastructure. The legislation will establish formal risk assessment frameworks that take into account vendors’ countries of origin and potential security threats, particularly from China.

For DPOs, this represents a significant expansion of security-focused regulation that could impact data processing infrastructure decisions. Organizations may need to reassess vendor relationships and data flows through networks that could be affected by these restrictions, particularly where personal data transits critical telecommunications infrastructure.

Source


INTERNATIONAL DEVELOPMENTS

FPF Releases Updated Issue Brief on Vietnam’s Data Protection Laws

Vietnam has implemented a comprehensive overhaul of its data governance framework with two landmark pieces of legislation in 2025: the Personal Data Protection Law (effective January 1, 2026) and the Data Law (effective July 2025). The PDP Law elevates Vietnam’s data protection regime from executive to legislative status while maintaining a consent-focused approach. However, it introduces refined categories for “basic” and “sensitive” personal data and enhanced cross-border transfer provisions centered on Transfer Impact Assessments.

The Data Law represents Vietnam’s first comprehensive framework governing both personal and non-personal digital data, applying to all domestic and foreign entities engaging in data activities within Vietnam. Together, these laws create enhanced sector-specific obligations for high-risk processing in employment, healthcare, banking, and social media platforms. DPOs operating in Vietnam must navigate the intersection of both laws, particularly for cross-border data transfers, and prepare for heightened compliance requirements across multiple sectors.

Source

Innovation and Data Privacy Compatibility: Lessons from South Korea

Dr. Haksoo Ko, former Chairman of South Korea’s Personal Information Protection Commission (2022-2025), challenges the conventional “innovation versus privacy” dichotomy based on Korea’s recent regulatory experience. His analysis suggests that the primary barrier to AI innovation is not privacy protection itself but rather legal uncertainty around lawful pathways for novel data uses, particularly given AI systems’ complex processing pipelines involving large-scale unstructured data and composite modeling approaches.

Since 2023, Korea has implemented cooperative regulatory mechanisms that reduce transaction costs for innovation while maintaining privacy safeguards. These include structured pre-deployment engagement, controlled experimentation environments, translatable risk assessment frameworks, and mature privacy-enhancing technology governance. For DPOs, this approach offers a blueprint for engaging proactively with regulators to establish clearer pathways for AI development while ensuring robust privacy compliance through institutional mechanisms rather than binary trade-offs.

Source


ARTIFICIAL INTELLIGENCE

Grok Deepfake Crisis Highlights Platform Accountability Gaps

X’s AI chatbot Grok generated an estimated 3 million sexualized images in just 11 days, with 23,000 potentially depicting minors, according to research by the Center for Countering Digital Hate. The study analyzed a sample of posts revealing that 65% contained sexualized content, sparking urgent regulatory concerns across Europe.

This incident exposes critical gaps in AI content moderation and platform governance. For data protection officers, it underscores the urgent need for robust safeguards in AI systems, particularly those that process personal data for image generation. The European Commission’s consideration of both Digital Services Act enforcement and potential AI nudification app bans signals an intensification of regulatory pressure.

The delay between viral adoption and effective content restrictions underscores the reactive nature of current AI governance frameworks and the need for proactive compliance strategies.

Source

Chainlit Framework Vulnerabilities Expose AI Application Risks

Critical security flaws in the popular Chainlit AI framework could enable attackers to steal sensitive data and move laterally across networks. The vulnerabilities, dubbed “ChainLeak,” include arbitrary file read access and server-side request forgery capabilities, and the framework has over 7.3 million total downloads.

These vulnerabilities demonstrate how AI development frameworks can introduce traditional security risks at scale. The ability to extract API keys, credentials, and database files through seemingly innocuous AI applications represents a significant concern for organizations deploying chatbot solutions.

The incident highlights the importance of security-by-design principles in AI development tools and the need for comprehensive security assessments when integrating third-party AI frameworks. Organizations must ensure robust validation mechanisms and access controls are implemented across their AI infrastructure.

Source

VoidLink: AI-Assisted Linux Malware Framework

Researchers have identified VoidLink, a sophisticated 88,000-line Linux malware framework, as one of the first advanced threats developed primarily using AI assistance. The malware, created by a single developer with AI support, demonstrates how large language models can accelerate malicious code development from concept to functional tool within days.

The systematic nature of the code, including consistent formatting and template-like structures, reveals hallmarks of AI-generated content. This development represents a paradigm shift in the threat landscape, where AI democratizes advanced malware creation capabilities.

For cybersecurity professionals, this signals an urgent need to evolve defense strategies beyond traditional signature-based detection. Organizations must prepare for AI-accelerated threat development cycles and consider the implications for their security architectures and incident response capabilities.

Source

EU AI Act Transparency Rules Face Industry Resistance

Major AI companies appear reluctant to comply with the EU AI Act’s transparency requirements for foundation models, raising questions about the effectiveness of enforcement. The regulation mandates disclosure of training data sources, which is significant for copyright holders seeking to verify unauthorized use of their content.

While the formal enforcement period begins this August, companies releasing models after August 2025 should already be compliant. The European Commission has provided standardized templates, yet adoption remains limited among major providers, with notable exceptions like Hugging Face demonstrating compliance feasibility.

This resistance pattern suggests potential enforcement challenges ahead and highlights the importance of proactive regulatory engagement. Organizations deploying AI systems should closely monitor compliance developments, as enforcement actions could affect vendor relationships and service availability across European markets.

Source

Google Gemini Calendar Vulnerability Exposes Prompt Injection Risks

Security researchers discovered a prompt-injection vulnerability in Google Gemini that could extract private calendar data via malicious meeting invites. Attackers could embed hidden prompts in calendar descriptions, which would activate when users made innocent scheduling queries to the AI assistant.

The attack bypassed authorization controls by having Gemini create new calendar events with summaries of private meetings, potentially making them visible to attackers in enterprise configurations. This demonstrates how AI integration can create unexpected data exfiltration pathways through seemingly benign interactions.

The incident exemplifies emerging AI-native security risks, where vulnerabilities lie in language and context rather than in traditional code. Organizations integrating AI assistants must assess how these tools interact with existing data stores and implement appropriate isolation mechanisms to prevent unauthorized cross-system data access.

Source


CYBERSECURITY

CISA Adds Actively Exploited VMware vCenter Flaw CVE-2024-37079 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency has added a critical VMware vCenter Server vulnerability to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. CVE-2024-37079, with a CVSS score of 9.8, involves a heap overflow in the DCE/RPC protocol implementation that enables remote code execution through specially crafted network packets.

Originally patched by Broadcom in June 2024, this vulnerability can be chained with other flaws to achieve unauthorized root access to ESXi environments. For DPOs, this is a significant concern, as VMware infrastructure often hosts critical business systems that contain personal data. The active exploitation underscores the importance of rapid patch deployment and comprehensive asset inventory management.

Federal agencies must remediate by February 13, 2026, setting a precedent for urgency that private organizations should heed when protecting their data processing environments.

Source

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

Cisco has patched a critical zero-day vulnerability affecting multiple Unified Communications products and Webex Calling services. CVE-2026-20045 stems from improper validation of HTTP requests to the web management interface and allows unauthenticated remote attackers to execute arbitrary commands and escalate privileges to the root level.

The vulnerability affects widely used enterprise communication platforms, including Unified CM, Session Management Edition, and IM&P services. Organizations using these systems for internal communications may face significant data exposure risks, particularly given the root-level access that can be achieved through exploitation.

DPOs should prioritize immediate patching of affected systems, as communication platforms often process sensitive employee and customer data. CISA’s addition to the KEV catalog mandates federal agency remediation by February 11, 2026, highlighting the severity and active exploitation of this vulnerability in enterprise environments.

Source

Hackers Targeting Cisco Unified CM Zero-Day

Security researchers have confirmed active exploitation of CVE-2026-20045, a critical vulnerability enabling unauthenticated remote code execution on Cisco Unified Communications Manager systems. This zero-day attack vector allows attackers to gain unauthorized access to enterprise communication infrastructure without requiring legitimate credentials.

The targeting of unified communications platforms presents particular risks for data protection, as these systems typically handle sensitive business communications, employee directory information, and call metadata. Organizations relying on Cisco UC infrastructure should treat this as a high-priority security incident requiring immediate attention.

For DPOs managing environments with Cisco UC deployments, this incident highlights the critical importance of maintaining current patch levels and implementing defense-in-depth strategies for communication infrastructure that processes personal and sensitive business data.

Source

European Commission Proposes Cybersecurity Directive Amendments

The European Commission has published a proposal to amend the Network and Information Security Directive (NIS2), focusing on simplification measures and alignment with the forthcoming Cybersecurity Act 2. This legislative update aims to streamline cybersecurity requirements while strengthening the overall regulatory framework for critical infrastructure protection.

The amendments represent a significant development in European cybersecurity governance, potentially affecting how organizations approach security incident reporting, risk management, and compliance obligations. For DPOs, these changes may introduce new intersections between cybersecurity requirements and data protection obligations under GDPR.

Organizations subject to NIS2 should monitor these developments closely, as alignment with the Cybersecurity Act 2 provisions may create additional compliance requirements that affect data processing activities and security governance frameworks across EU member states.

Source

Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls

Fortinet has acknowledged the ongoing exploitation of a FortiCloud SSO authentication bypass vulnerability affecting fully patched FortiGate firewalls. Despite previous patches for CVE-2025-59718 and CVE-2025-59719, attackers continue to exploit SAML authentication weaknesses to gain unauthorized administrative access and create persistent backdoors.

The attacks involve creating generic administrative accounts, modifying VPN configurations, and exfiltrating firewall configurations to external IP addresses. This represents a significant security control failure, as properly configured firewalls are fundamental to network security architectures protecting personal data processing systems.

DPOs should work with IT security teams to immediately disable FortiCloud SSO functionality and restrict administrative access from the internet. The persistence of exploitation despite patching efforts demonstrates the evolving threat landscape and the need for continuous monitoring of critical security infrastructure protecting organizational data assets.

Source


TECH & INNOVATION

Europe’s GDPR Fines Hit €1.2B as Data Breaches Surge

European regulators reached a significant milestone in 2025, issuing €1.2 billion in GDPR fines while processing over 400 data breach notifications daily for the first time since the regulation’s inception. This 22% increase in breach reports signals a concerning trend driven by geopolitical tensions, sophisticated cyber attacks, and readily available hacking tools.

The surge coincides with new compliance challenges as organizations juggle GDPR alongside emerging regulations like NIS2 and DORA, creating a complex web of reporting requirements. Ireland continues to dominate enforcement actions, accounting for €4.04 billion of the total €7.1 billion in fines issued since 2018. For DPOs, these figures underscore the critical need to strengthen incident response procedures and ensure robust cybersecurity frameworks can handle the evolving threat landscape.

Source

Under Armour Investigates 72 Million Email Address Breach

Under Armour is investigating a data breach affecting 72 million customer email addresses, along with names, genders, birthdates, and ZIP codes. The incident, believed to have occurred in late 2024, notably did not compromise passwords or financial information according to the company’s initial assessment.

What’s particularly striking is Under Armour’s lack of formal disclosure despite the breach’s scale and timeline. That highlights ongoing challenges DPOs face in balancing thorough investigation with timely notification requirements. The incident serves as a reminder that even “limited” breaches involving email addresses can have significant implications, as these datasets often serve as foundations for sophisticated phishing campaigns targeting affected individuals.

Source

ShinyHunters Targets Okta Customers in Voice-Phishing Campaign

The notorious ShinyHunters group has claimed responsibility for breaching multiple organizations through voice-phishing attacks targeting Okta single sign-on credentials. The campaign affected Crunchbase and Betterment, while SoundCloud confirmed a separate breach impacting 28 million users, though the attack vector remains unclear for that incident.

This sophisticated social engineering approach bypasses traditional technical security controls by manipulating human psychology, highlighting a critical vulnerability in identity management systems. The attackers’ success in compromising SSO credentials demonstrates the cascading impact of successful voice-phishing, potentially granting access to multiple connected systems. DPOs should prioritize user awareness training and consider implementing additional verification steps for sensitive authentication processes.

Source

Pwn2Own Automotive Reveals Critical Vehicle Security Gaps

Security researchers demonstrated 76 vulnerabilities across automotive systems during Pwn2Own Automotive 2026, earning $1 million in prizes for exploiting infotainment systems and EV charging infrastructure. These findings expose significant security weaknesses in increasingly connected vehicle ecosystems that process substantial amounts of personal data.

The successful exploits highlight emerging privacy risks as vehicles become sophisticated data collection platforms, tracking location, behavior patterns, and personal preferences. For organizations managing vehicle fleets or developing automotive technologies, these vulnerabilities represent both immediate security concerns and potential GDPR compliance issues. DPOs should assess how connected vehicle data flows through their organizations and ensure appropriate safeguards protect this sensitive information category.

Source

Weekly Roundup: Critical Security Developments

This week brought additional security concerns, including Cloudflare WAF bypass techniques, malware distribution through Canonical’s Snap Store, and Curl’s decision to terminate its bug bounty program. These developments highlight the ongoing challenges in maintaining secure software supply chains and web application security.

The diversity of attack vectors—from infrastructure bypasses to trusted software repositories—demonstrates the expanding threat surface organizations must defend. DPOs should work closely with IT security teams to ensure data protection measures account for these evolving attack methods and maintain robust incident response capabilities across all potential breach scenarios.

Source


SCIENTIFIC RESEARCH

Selection of the most relevant papers of the week from arXiv on AI, Machine Learning, and Privacy

AI Security & Privacy Risks

How malicious AI swarms can threaten democracy: The fusion of agentic AI and LLMs marks a new frontier in information warfare
This research examines how advanced AI systems can manipulate beliefs at the population scale through sophisticated influence campaigns. The study highlights unprecedented risks posed by the combination of autonomous agents and LLMs, which can create propaganda that appears more human-like than human-written content—with critical implications for organizations developing AI governance frameworks and content moderation policies.
arXiv

Connect the Dots: Knowledge Graph-Guided Crawler Attack on Retrieval-Augmented Generation Systems
Researchers demonstrate how adversaries can systematically extract sensitive information from RAG systems through carefully crafted queries. The attack leverages knowledge graphs to facilitate long-term data exfiltration, posing significant privacy risks for organizations deploying RAG solutions—essential reading for DPOs evaluating AI system vulnerabilities and data protection measures.
arXiv

Privacy-Preserving AI Techniques

Data-Free Privacy-Preserving for LLMs via Model Inversion and Selective Unlearning
A novel approach addresses PII memorization in LLMs without requiring access to the original training data. The method combines model inversion with selective unlearning to remove sensitive information from deployed models. Particularly relevant for compliance officers managing AI systems where access to training data is limited or proprietary.
arXiv

SoK: Challenges in Tabular Membership Inference Attacks
Comprehensive analysis of membership inference attacks targeting tabular data in both centralized and federated learning environments. The study reveals critical privacy vulnerabilities in machine learning applications processing structured data. Essential for organizations conducting privacy impact assessments and implementing technical safeguards for data processing activities.
arXiv

Healthcare AI Privacy

Balancing Security and Privacy: The Pivotal Role of AI in Modern Healthcare Systems
Explores the dual challenge of enhancing security while protecting patient privacy in AI-driven healthcare systems. The research examines real-world implementations and provides frameworks for managing privacy risks in sensitive data environments. Critical for healthcare compliance officers navigating GDPR, HIPAA, and medical device regulations.
arXiv

AI Security Testing

RECAP: A Resource-Efficient Method for Adversarial Prompting in Large Language Models
Presents efficient techniques for testing LLM robustness against jailbreaking attacks and policy violations. The method offers practical approaches for organizations to evaluate the security of AI systems with limited computational resources. Valuable for compliance teams developing AI risk assessment protocols and security testing procedures.
arXiv


AI ACT IN PILLS - Part 4

Article 9 - Risk management system

Part 4 - Article 9: The mandatory risk management system

After examining the fundamental definitions in Article 3, we now turn to the core operational obligations set out in the AI Act. Article 9 introduces one of the central pillars of compliance: the risk management system for high-risk AI systems.

The fundamental obligation

Article 9 stipulates that providers of high-risk AI systems must implement and maintain a continuous, iterative risk management system throughout the system’s entire life cycle. That is not a one-off assessment, but a dynamic process that accompanies the system from design to decommissioning.

The system must identify, analyze, estimate, and evaluate the risks posed by high-risk AI systems to the health, safety, or fundamental rights of natural persons. This broad wording reflects the Regulation’s holistic approach, which goes beyond traditional technological risks to encompass social and individual implications.

Characteristics of the management system

The risk management system must be proportionate and commensurate with the scope of the provider’s organization. A startup developing a single voice recognition system will have different requirements than a multinational technology company with dozens of AI products. However, proportionality does not mean superficiality: even smaller organizations must ensure a systematic and documented approach.

The Regulation requires that the system consider not only the known and reasonably foreseeable risks of intended use, but also those arising from reasonably foreseeable misuse of the AI system. That means that providers must anticipate unintended or incorrect usage scenarios, which is particularly relevant for systems operating in critical contexts such as personnel selection or credit assessment.

Practical implications for organizations

For DPOs and compliance officers, Article 9 represents a significant organizational challenge. The risk management system must integrate with existing business processes, creating synergies with ISO quality management systems and privacy impact assessment procedures already implemented under the GDPR.

A concrete example can clarify the practical application: a company developing an AI system for medical diagnosis will need to identify risks such as false negatives that could delay critical treatments, false positives that could cause stress and unnecessary invasive procedures, and algorithmic biases that could discriminate against specific demographic groups. For each of these risks, it will need to define mitigation measures, acceptability thresholds, and continuous monitoring procedures.

The risk management system does not operate in isolation but is closely interlinked with all other obligations for high-risk systems. The risks identified will influence the requirements for training data (Article 10), the characteristics of the technical documentation, and the methods of human supervision. This interconnection requires a coordinated approach that many organizations will have to develop from scratch.

Violations related to the risk management system can result in administrative penalties of up to €15 million or 3% of annual global turnover, highlighting the strategic importance of this compliance.

Next week, we will analyze Article 10 on data and data governance, exploring how the AI Act regulates the quality of training and validation data. This crucial aspect integrates directly with the risk management system examined here.


FROM THE NICFAB BLOG

Gemini Protocol: A Human-Centric Alternative to the AI-Driven Web

January 23, 2026

Exploring the Gemini protocol: history, NASA connection, privacy benefits, limitations, and my personal capsule at gemini://nicfab.eu

Read the full article

January 22, 2026

A critical analysis of the Danish proposal to use copyright law to protect citizens from AI-generated deepfakes, with reflections on the implications for the European regulatory framework.

Read the full article


Events and Meetings

Date | Event
January 28, 2026 | Data Protection Day 2026: Reset or refine? - EDPS/Council of Europe Conference, Brussels
February 9, 2026 | Info Day: GenAI in Public Administrations - European Commission (online)
February 12, 2026 | Data takes flight: Navigating privacy at the airport - EDPS/EDPB Trainees

Conclusion

The European Union’s digital governance architecture is witnessing a profound transformation that extends far beyond routine regulatory updates. This week’s developments signal a strategic pivot toward mandatory enforcement mechanisms and integrated oversight, fundamentally reshaping how organizations must approach compliance across privacy, AI, and cybersecurity.

The European Commission’s proposal for the Cybersecurity Act 2 represents perhaps the most significant escalation in EU digital sovereignty policy since the GDPR’s inception. By transitioning from the voluntary 5G Security Toolbox to legally binding obligations requiring member states to block high-risk vendors like Huawei, Brussels is demonstrating that strategic autonomy now trumps market flexibility. This shift carries immediate implications for telecommunications providers, cloud service providers, and any organization dependent on Chinese-manufactured network infrastructure. The proposal’s emphasis on ICT supply chain security creates new due diligence obligations that will ripple through procurement processes across both public and private sectors.

Simultaneously, the EDPB’s publication of updated cooperation procedures for contractual clauses under Article 46 GDPR reveals a more subtle but equally consequential development. These procedural refinements reflect lessons learned from nearly six years of GDPR enforcement, particularly around international data transfers post-Schrems II. The streamlined authorization process for contractual clauses suggests that supervisory authorities are seeking to reduce administrative burden while maintaining substantive protection levels. For organizations managing cross-border data flows, this represents both an opportunity for more predictable approval timelines and a warning that scrutiny of transfer mechanisms will intensify rather than diminish.

The joint EDPB-EDPS opinion on the Digital Omnibus proposal exposes a fundamental tension within European AI governance. While supporting administrative simplification, both bodies express concern that streamlining implementation could undermine fundamental rights protections. This resistance illuminates a critical challenge: how to operationalize AI regulation without creating either compliance paralysis or protection gaps. The data protection authorities’ emphasis on robust safeguards suggests that organizations hoping for a lighter-touch regulatory environment may be disappointed as AI Act implementation accelerates.

The emergence of regulatory convergence becomes particularly evident when examining the intersection of these regulatory domains. The EDPS TechSonar analysis of AI coding assistants exemplifies how technical tools create cascading implications across multiple regulatory domains. AI-generated code may embed privacy-invasive patterns, introduce cybersecurity vulnerabilities, or perpetuate algorithmic bias—requiring organizations to develop integrated compliance strategies rather than siloed approaches to different regulatory frameworks.

For data protection officers and compliance teams, these developments necessitate a fundamental recalibration of risk assessment methodologies. The traditional approach of evaluating GDPR compliance, AI Act requirements, and cybersecurity obligations as separate workstreams becomes increasingly untenable. Organizations must instead develop cross-functional compliance architectures that anticipate regulatory convergence rather than react to it. That includes reassessing vendor relationships, particularly those involving non-EU technology providers, and developing internal capabilities to evaluate the compound risks created by AI-cybersecurity-privacy intersections.

The €1.2 billion in GDPR fines issued in 2025 provides crucial context for understanding enforcement trends. This figure suggests that supervisory authorities have moved beyond the learning curve phase into systematic penalty application. Organizations can no longer treat privacy compliance as primarily procedural; substantive protection measures and demonstrable accountability are becoming enforcement priorities.

Looking ahead, the Commission’s willingness to take “further action” on Grok’s deepfake capabilities signals that AI governance enforcement will likely follow a similar trajectory to GDPR implementation—initial guidance phases followed by increasingly aggressive enforcement. The reported capacity for 3 million sexual deepfakes in eleven days represents precisely the type of fundamental rights violation that European regulators view as requiring immediate intervention rather than gradual compliance improvement.

The strategic question facing organizations is whether to interpret these developments as regulatory overreach or as necessary guardrails for sustainable digital innovation. The Korean data privacy experience highlighted by the Future of Privacy Forum demonstrates that privacy protection and innovation can coexist, but only with proactive compliance architectures that embed protection principles into technological development processes from inception.

How prepared are European organizations to navigate regulatory frameworks that increasingly demand integrated rather than compartmentalized compliance strategies? The answer may determine not only their regulatory risk exposure but also their competitive position as digital governance becomes a key differentiator in global markets.


📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm

🌐 Studio Legale Fabiano: https://www.fabiano.law
🌐 Blog: https://www.nicfab.eu
🌐 DAPPREMO: www.dappremo.eu


Partnership

Law & Technology
Caffè 2.0 Privacy Podcast


To receive the newsletter directly in your inbox, subscribe at nicfab.eu

Follow our news on these channels:
Telegram → @nicfabnews
Matrix → #nicfabnews:matrix.org
Mastodon → @nicfab@fosstodon.org
Bluesky → @nicfab.eu