CompliPath — EU Regulatory Intelligence

Total updates

312

all time · +6 today

Sources

active feeds

Critical

need action

Last run

06:42 CET

12 min ago · all green

Regulatory updates 312 results

Sort

Critical NIS2 enisa.europa.eu 06:38 today

ENISA publishes binding technical guidance on incident notification timelines under Article 23

Essential entities must now submit an early warning within 24 hours and a full incident report within 72 hours. The guidance clarifies what counts as a "significant incident" and replaces the May 2025 draft that left timing ambiguous.

Action: Update your incident response runbook so the on-call lead can file an early warning to the national CSIRT within 24 hours.

High EU AI Act ec.europa.eu/digital 05:12 today

Commission opens consultation on transparency obligations for general-purpose AI models

Providers of GPAI models placed on the EU market will need to publish a sufficiently detailed summary of training data. Consultation closes 30 June; SMB providers fall in scope above the 10 PFLOPs threshold.

Action: If you fine-tune or distribute foundation models, draft a training-data summary template and submit a consultation response before 30 June.

Medium GDPR edpb.europa.eu yesterday · 16:04

EDPB adopts final guidelines 02/2026 on the interplay between the GDPR and the AI Act

The board confirms that automated decision-making rules under Article 22 GDPR continue to apply alongside the AI Act high-risk obligations. Joint controllership clarified for fine-tuning customer data into vendor models.

Action: Re-review your DPIAs for any AI-assisted decisions affecting customers and confirm the lawful basis still holds.

High DORA eba.europa.eu yesterday · 11:30

EBA finalises RTS on the register of ICT third-party arrangements — annual filing deadline 31 Jan

Financial entities must maintain a register at solo, sub-consolidated and consolidated level and submit it annually. The RTS sets the exact data fields, including subcontractor chains down to the third tier.

Action: Map your current ICT third-party register against the new RTS fields; the gap is usually subcontractor depth.

Low CRA ec.europa.eu 2 days ago

Cyber Resilience Act — implementing acts on conformity assessment expected Q3 2026

Workplan published. Most products with digital elements will use self-assessment; "important" categories (II) require a notified body. SMBs producing connected hardware should plan documentation and SBOM workflows now.

Info NIS2 cnil.fr 3 days ago

CNIL publishes practical FAQ for French essential entities on supply-chain attestation

Non-binding but strongly indicative of the French CSIRT's enforcement posture. Confirms that letters of comfort from suppliers are insufficient — contractual clauses with audit rights are now expected.

AI Summaries are AI-generated. Always verify against the original source before acting.