News

Strict Safeguards Demanded for UBO Registers
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has criticised the government’s proposed decree regarding Ultimate Beneficial Owner (UBO) registers. The AP noted the proposal lacks clarity on access conditions. Following the 2022 Court of Justice of the European Union (CJEU) ruling, access to UBO data requires a strictly demonstrable “legitimate interest” to protect sensitive information such as citizen service numbers (BSNs) and residential addresses.

EDPB Guidelines on Scientific Research
The European Data Protection Board (EDPB) is consulting on Guidelines 1/2026, which address the processing of personal data for scientific research. The guidelines outline a “presumption of compatibility” for further data processing and define the technical framework for Article 89(1) safeguards. Organisations must prioritise anonymisation and pseudonymisation hierarchies when handling research data.

CJEU Clarifies Refusal of Abusive Access Requests
The CJEU provided further clarification on its Brillen Rottler ruling (C-526/24). Controllers are permitted to refuse a first-time Data Subject Access Request (DSAR) if they can definitively prove the requester’s sole intent is to artificially generate a damages claim rather than to exercise their privacy rights. The threshold for categorising a request as “excessive” remains high.

AI Governance and Compliance Timelines

AI Omnibus Agreement Delays Compliance Deadlines
A political agreement has been reached on the “AI Omnibus” proposal, formally amending the EU AI Act. The compliance deadline for high-risk AI systems has been postponed from August 2, 2026, to December 2, 2027. This extension allows member states additional time to designate competent authorities and finalise harmonised technical standards.

AP Appointed as Central AI Supervisor in the Netherlands
The Dutch Cabinet proposed the AP as the primary supervisory authority for AI systems that do not fall under a sector-specific regulator. The AP will intervene at the early stages of AI development to enforce transparency and prevent structural bias. The authority is currently establishing an internal AI directorate to manage this mandate.

Cybersecurity and Digital Connectivity

Digital Networks Act Transitions to Regulation Draft
The proposed Digital Networks Act (DNA) has advanced to a formal Regulation draft, intended to replace the European Electronic Communications Code (EECC). The legislation introduces a “Single Passport” authorisation system for telecom operators. Member states are now required to submit “National Transition Plans” detailing the infrastructure phase-out of copper networks in favor of full fibre.

ENISA Updates 2026 International Strategy
The European Union Agency for Cybersecurity (ENISA) revised its operational priorities to align with the EU Cyber Solidarity Act. The primary focus for the remainder of the year is operationalising the EU Cybersecurity Reserve. This includes assisting candidate countries and strategic partners, such as Japan, in developing defenses against quantum-level cryptographic threats.

Digital Rights and Legal Precedents

ECHR Interim Measures on Algorithmic Enforcement
The European Court of Human Rights granted an interim measure in the case of Dziurda and Others v. Poland. While this specific case involves legal professionals, the procedural emphasis on the “no punishment without law” principle establishes relevant legal parallels for ongoing EU debates regarding algorithmic enforcement and rule of law standards in digital environments.

More to come…
Drew Campbell

Sources and Further Reading

Subscotia Data Governance

The European regulatory landscape for data privacy, cybersecurity, and digital infrastructure has introduced critical compliance requirements as of May 2026. This update details the operational impacts of the AI Omnibus, the Cyber Resilience Act, and the Digital Networks Act for data governance professionals.

GDPR Enforcement and the AI Omnibus

EU legislators have finalised a political agreement on the AI Omnibus, amending the EU AI Act. The agreement expands the authorisation to process sensitive personal data, such as ethnicity or race, for bias detection and correction across all AI systems, subject to strict safeguards. Additionally, a late-stage provision introduces a comprehensive ban on AI systems designed to generate non-consensual sexualised deepfakes.
Concurrently, the European Data Protection Board (EDPB) is executing the active audit phase of its 2026 Coordinated Enforcement Framework (CEF). The Dutch Autoriteit Persoonsgegevens (AP) and 24 other national authorities are utilising standardised questionnaires to audit compliance with the transparency obligations under Articles 12, 13, and 14 of the GDPR. Regulators are assessing both the completeness of privacy notices and their comprehensibility, with a specific focus on the disclosure of Automated Decision-Making (ADM) and AI logic. Organisations must ensure that the explanation of data pipelines feeding into AI models is clear to end users.
Legislative friction remains regarding the broader Digital Omnibus proposal. This draft contains measures that would narrow the definition of personal data and explicitly recognise AI training data ingestion as a legitimate interest, raising concerns about deviations from established CJEU case law.

Cybersecurity Policy: CSA2.0 and CRA Deadlines

The proposed Cybersecurity Act 2.0 (CSA2.0) is advancing a revised supply chain framework. The European Commission is seeking the authority to designate specific third-country vendors as high-risk. For essential and important entities governed by NIS2, the use of components from these designated vendors will trigger a mandatory phase-out period of 36 months.
CSA2.0 also introduces posture certification. Organisations will have the capability to certify their overall cybersecurity maturity and readiness. Achieving this certification grants a presumption of conformity with NIS2, streamlining cross-border compliance audits.
Product security teams face an imminent deadline under the Cyber Resilience Act (CRA). Mandatory reporting of actively exploited vulnerabilities commences on September 11, 2026. Manufacturers are required to submit a preliminary early warning within 24 hours of discovery, followed by a full notification within 72 hours, utilising the ENISA Single Reporting Platform.

Infrastructure Digitalisation and the DNA

The Digital Networks Act (DNA) is standardising the telecommunications and cloud infrastructure market by merging four legacy acts into a single, directly applicable Regulation. A primary feature is the Single Passport Authorisation. This mechanism allows operators, including satellite and cloud service providers, to file a notification in one Member State, such as the Netherlands, and gain authorisation to operate across all 27 Member States.
The DNA mandates the creation of National Transition Plans to manage the decommissioning of legacy copper networks. Member States must facilitate the transition to full fibre and 5G/6G infrastructure ahead of a hard 2035 deadline.
To secure this modernising infrastructure, targeted amendments to NIS2 have expanded the directive’s scope. Submarine infrastructure operators, digital wallet providers, and dual-use infrastructure operators are now classified as essential entities, regardless of their organisational size.

Operational Actions for Data and IT Professionals

Privacy Documentation: Reconcile your Record of Processing Activities (ROPA) with public privacy notices to ensure all AI-driven logic and data retention schedules meet the 2026 CEF transparency standards.
Incident Response Testing: Verify that internal computer security incident response teams (CSIRT) are capable of meeting the CRA 24-hour early warning window prior to the September deadline.
Supply Chain Audits: Map existing hardware and software dependencies to identify potential exposure to high-risk third-country vendors subject to upcoming CSA2.0 phase-out mandates.
Network Expansion: Evaluate internal infrastructure scaling strategies to leverage the DNA Single Passport system for reduced administrative overhead in cross-border deployments.
