May 14, 2026: Update on GDPR, Cyber Policy, and EU Infrastructure

Subscotia Data Governance

I. GDPR and Data Protection

AI Act “Omnibus” Breakthrough (May 7, 2026): As I previously noted, EU legislative bodies have reached a provisional agreement on a series of amendments known as the AI Act Omnibus:

High-Risk Deadline Deferral: In what has been labeled a significant relief for data governance planning, the application dates for high-risk AI obligations (Chapter III) have been pushed back. Obligations for Annex III systems (Biometrics, Law Enforcement, Education) are now set for December 2, 2027, while those for Annex I (sectoral safety-regulated AI) move to August 2, 2028.

The “Nudifier” Prohibition: Effective December 2, 2026, a new prohibition under Article 5 targets AI systems designed to generate non-consensual intimate imagery or child sexual abuse material (CSAM).

Bias Mitigation: The Omnibus confirms a broader legal basis for processing special category data (race, biometrics, health) for the “strict necessity” of detecting and correcting bias in AI models, extending this to providers of non-high-risk systems.

CEF 2026: Transparency Audit in Active Phase: The EDPB is now in the active field-work phase of its 2026 Coordinated Enforcement Framework:

Audit Focus: 25 DPAs (including the Dutch AP) are currently issuing standardised questionnaires to controllers across the EU. They are examining compliance with Articles 12, 13, and 14, specifically checking if privacy notices are “concise, transparent, and intelligible” regarding AI training logic and data retention.

UK AI Code of Practice (May 12, 2026): The UK has brought into force regulations requiring the Information Commissioner (ICO) to prepare a specific Code of Practice on AI and Automated Decision-Making. This will serve as a critical reference for cross-border operations involving UK data subjects.

II. Cybersecurity Policy and Discussion

Revised Cybersecurity Act (CSA2.0) Pillar: Posture Certification (Legal Shield): One of the most discussed features of the CSA2.0 proposal is the “Cyber Posture” Certification. Once a valid certificate is obtained, competent authorities (like the Dutch RDI) are prohibited from imposing additional audits or supervision for the requirements covered, significantly reducing “compliance fatigue” for companies operating in multiple Member States.

NIS2 “Small Mid-Cap” Relief: Targeted amendments have introduced a “small mid-cap” category. This moves roughly 22,500 entities from “essential” to “important” status, meaning they face ex-post supervision rather than ex-ante, which lowers the immediate administrative and auditing burden.

Supply Chain De-risking: The CSA2.0 confirms a harmonised 3-step process for supply chain security: identifying high-risk third countries, designating specific suppliers, and conducting sectoral analysis of key ICT assets (like core network functions).

III. Digitalisation of Infrastructure

Digital Networks Act (DNA) “Single Passport” (In Force): The DNA, adopted in January 2026, has replaced several legacy laws:

Licensing: The “Single Passport” system is now active, allowing providers to notify authorities in a single Member State (e.g., the Netherlands) to gain the right to operate infrastructure and services Union-wide.

Satellite Authorisation: For those interested in Eurostack and connectivity, the DNA establishes a unified EU-level framework for satellite spectrum and networks, removing the need for 27 individual national authorisations.

Copper Decommissioning Mandates: The DNA requires Member States to submit formal plans to switch off copper networks. Network operators must submit their specific decommissioning schedules to national authorities, accelerating the transition to fiber and 5G/6G.

IV. Executive Summary for Data Professionals

| Area | Development | Operational Impact |
| --- | --- | --- |
| AI Governance | Omnibus Delay | Use the extra time (until Dec 2027) to refine HRAIS technical documentation. |
| Privacy Audit | CEF 2026 | Audit your public-facing notices for “intelligibility” regarding AI data pipelines. |
| Cybersecurity | Posture Cert | Consider “Posture Certification” as a strategic way to bypass national NIS2 audits. |
| Infrastructure | DNA Passport | Streamline cross-border network or cloud deployments via a single Dutch notification. |

More to come…
Drew Campbell
