Autonomous AI Agents and the GDPR: First Detailed Spanish Regulatory Guidance Sets the Bar

The Spanish Data Protection Agency (AEPD) has published the first detailed regulatory guidance on autonomous AI agents under the GDPR, addressing challenges posed by AI systems that independently plan, reason, and execute tasks with limited human oversight. This guidance highlights critical compliance issues, including defining controller and processor roles, transparency obligations, data minimization, automated decision-making risks, and the need for thorough risk assessments, setting a precedent that extends beyond Spain and is relevant for all organizations deploying agentic AI in personal data processing.

https://technologyquotient.freshfields.com/post/102mmys/autonomous-ai-agents-and-the-gdpr-first-detailed-spanish-regulatory-guidance-set

Cybersecurity: New Cyber Strategy; Cybercrime Executive Order

KPMG's regulatory alert summarizes the new federal Cyber Strategy, which outlines long-term cybersecurity policy centered on national security and economic competitiveness and emphasizes coordinated public-private efforts. The accompanying Executive Order targets immediate action against cybercrime, particularly that driven by transnational criminal organizations. Key points include interagency coordination, public-private collaboration, enforcement measures, and international engagement. Organizations should expect to strengthen their cybersecurity programs against evolving threats, aligned with established frameworks.

https://kpmg.com/us/en/articles/2026/cybersecurity-new-cyber-strategy-cybercrime-executive-order-reg-alert.html

Cyber Enforcement – When an Incident Is Just the Tip of the Iceberg

Recent UK enforcement trends show that a cyber incident often exposes broader compliance failures, so the reported breach is only the starting point for regulatory scrutiny. After an attack, regulators increasingly examine security weaknesses, governance gaps, and data-handling practices across the whole organization. Fines have risen, and enforcement actions target private-sector companies with inadequate safeguards. The article concludes that organizations must treat cyber resilience, contractual risk allocation, and data protection controls as ongoing obligations, because an investigation can extend well beyond the original incident to encompass wider operational and legal failings.

https://www.slaughterandmay.com/insights/new-insights/cyber-enforcement-when-an-incident-is-just-the-tip-of-the-iceberg/

5 Innovations Desperately Needed for EUDR Compliance

EUDR compliance poses challenges, especially for small businesses, as the EU Deforestation Regulation aims to keep deforestation-linked commodities out of supply chains serving the EU market. The innovations the article calls for are public policy improvements, collaborative corporate practices, new financial services, action from civil society, and harmonized technological solutions. While major firms are preparing for the regulation, smaller players need support to meet its requirements. Ultimately, harmonized technology and collective effort will be crucial for the transition to sustainable, deforestation-free supply chains.

https://www.foodnavigator.com/Article/2026/03/03/innovations-for-eudr-compliance/

Spain’s Data Watchdog Maps the Hidden GDPR Risks of Agentic AI

Spain's AEPD published a 71-page guide addressing GDPR compliance for agentic AI, highlighting privacy risks such as prompt injection and the retention and leakage of personal data in agent memory. It distinguishes AI agents from chatbots and outlines the vulnerabilities that arise in multi-agent systems. The guide includes recommendations on memory compartmentalization, data minimization, and governance frameworks for responsible AI deployment.

https://ppc.land/spains-data-watchdog-maps-the-hidden-gdpr-risks-of-agentic-ai/

Security Obligations Under GDPR Still Apply, Even if Data Is Anonymous in the Hands of an Attacker

The UK Court of Appeal ruled in DSG Retail v. Information Commissioner that a controller's GDPR security obligations apply even where the data, once exfiltrated, would be anonymous to the attacker. The decision emphasizes the broad meaning of "personal data" and confirms that whether information is personal data is assessed from the controller's perspective, not from that of whoever ends up holding it. This rejects earlier interpretations that could have narrowed data protection responsibilities, and it means the duty to protect against unauthorized access covers all personal data a controller holds, regardless of whether a third party could identify anyone from it.

https://iapp.org/news/a/security-obligations-under-gdpr-still-apply-even-if-data-is-anonymous-in-the-hands-of-an-attacker

When AI Agents Pay: Who Owns the Compliance Liability?

AI agents in commerce raise complex compliance questions about transactional liability. As adoption accelerates, traditional regulatory frameworks (such as PCI DSS, AML rules, and DORA) may struggle to keep pace, because liability is hard to assign when an agent rather than a human initiates a payment. Financial institutions must proactively reassess their compliance strategies for AI-driven interactions to avoid future liability, particularly around transaction monitoring, script security, and operational resilience. Immediate steps include mapping integrations and recalibrating AML systems. Delayed action risks a regulatory crisis as compliance standards evolve.

https://www.finextra.com/blogposting/30917/when-ai-agents-pay-who-owns-the-compliance-liability

From Innovation to Regulation: How Internal Audit Must Respond to the EU AI Act

The EU AI Act, widely treated as a benchmark for AI regulation and applicable to many organizations outside the EU that place AI systems on the EU market, requires organizations to address AI risks through governance, controls, and accountability. Internal auditors must adapt to this shift by auditing AI governance, risk classification, data quality, human oversight, and third-party AI risk to ensure compliance.

https://www.wolterskluwer.com/en/expert-insights/innovation-regulation-how-internal-audit-must-respond-eu-ai-act

Breaking Down NIS2: the Five Main Requirements of the Updated NIS Directive

NIS2, the update of the EU's cyber security framework, aims to enhance resilience against evolving threats across a wider range of sectors, covering both essential and important entities. It introduces five key compliance requirements: risk management, incident reporting, cyber security practices, third-party risk management, and workforce security training. Compliance with NIS2 is an ongoing process, not a one-time task. The directive sets a baseline for accountability and resilience in cyber security across the EU.

https://www.financierworldwide.com/breaking-down-nis2-the-five-main-requirements-of-the-updated-nis-directive

Protecting the ICT Supply Chain: a Step-By-Step Guide to the New EU Security Framework

The European Commission has proposed a new cybersecurity package, including a revised Cybersecurity Act (CSA2) and amendments to NIS2, to strengthen the EU's cybersecurity resilience. The CSA2 introduces a five-step mechanism for addressing non-technical risks in the ICT supply chain, which could prohibit entities in scope of NIS2 from using ICT equipment from high-risk suppliers, particularly those from countries that raise cybersecurity concerns. The framework aims to protect the EU's ICT supply chain and has particular implications for connectivity and space operators.

https://accesspartnership.com/opinion/protecting-the-ict-supply-chain-a-step-by-step-guide-to-the-new-eu-security-framework/