Brazil Steps Up Regulation of Violence Against Women in the Digital Environment
On 20 May 2026, Brazil adopted Presidential Decree No. 12,976, establishing a comprehensive framework to address violence against women online. Adopted alongside a parallel decree (No. 12,975) reforming intermediary liability, it reflects a more assertive approach to regulating online harms, including those driven or amplified by AI. Together, these measures will require companies to reassess internal processes to ensure rapid content removal and more proactive monitoring, including for AI‑enabled services.
Anna Sophia Oberschelp de Meneses
Anna Sophia Oberschelp de Meneses advises on EU data protection, cybersecurity, and consumer law. Her practice covers the full range of Europe's digital regulatory framework, including GDPR, ePrivacy, NIS2, the Cyber Resilience Act, the AI Act, the Digital Services Act, the Data Act, the European Health Data Space, and EU consumer protection law, including product safety, product liability, and consumer rights legislation. She focuses on the operational side of compliance — helping clients design policies and processes, draft documentation, and build the internal frameworks needed to meet regulatory requirements in practice.
She also advises on contentious matters, drawing on experience managing investigations before national regulators and proceedings before national courts and the Court of Justice of the European Union. She works closely with Covington's disputes teams on matters at the intersection of regulatory compliance and litigation.
EU AI Act Update: The European Commission Publishes Draft Guidelines on HRAIs
On 19 May 2026, the European Commission published its long-awaited draft, non-binding guidelines on the classification of high-risk AI systems (“HRAIs”) under the EU AI Act (the “Guidelines”). Across three documents—covering general principles, high-risk classification in the context of regulated products (Annex I), and high-risk use cases (Annex III)—the Commission sets out its approach to one of the AI Act’s central questions: when does an AI system fall within the high-risk regime (and, just as importantly, when does it not)?
EU Tech Sovereignty Package
On June 3, the European Commission published its Tech Sovereignty Package, a set of legislative and policy initiatives designed to address what the Commission characterizes as Europe’s technological dependencies on non-European suppliers. The Package marks a further step in the evolution of the EU’s technology policy, with initiatives spanning the full tech stack—from chips and infrastructure to software, cloud, and artificial intelligence. Through this “ecosystem” approach, the Commission seeks to reduce supply-side dependencies by strengthening domestic capabilities in Europe and stimulating demand in downstream sectors.
The Package comprises four components: two legislative proposals—(i) the Cloud and AI Development Act (CADA), and (ii) the Chips Act 2.0—as well as two non-legislative initiatives—(iii) the EU Open Source Strategy and (iv) a Strategic Roadmap for Digitalisation and AI in Energy.
EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions
On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The final package of amendments reflects a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes.
New EDPB Guidelines on the Use of Personal Data in Scientific Research
On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.
EU Regulators Issue Opinion on Revisions of GDPR and Other Data Laws
On February 11, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) (jointly, the Authorities) issued a Joint Opinion on the European Commission’s proposed Digital Omnibus Regulation (Digital Omnibus). This follows their Joint Opinion of January 20, 2026 on the Digital Omnibus on AI.
The Digital Omnibus, as with the other “omnibuses” released by the Commission, aims to streamline several EU laws, reduce administrative burdens for covered entities, and enhance competitiveness in the EU. Once adopted, it should reshape how organizations handle personal data generally, including in relation to AI development, scientific research, and incident reporting. The Authorities welcome efforts to simplify and to promote consistent interpretations of key concepts found in the GDPR, the ePrivacy Directive, the NIS2 Directive, and the remaining Data Acquis. At the same time, they caution that this initiative launched by the Commission must not weaken fundamental rights protections, including data protection.
Below is an overview of the Authorities’ positions. It covers only the key amendments discussed in our previous blog post on the Digital Omnibus.
What to Watch in 2026: Key Developments in EMEA Consumer Protection
Consumer protection law across EMEA continues to evolve rapidly in response to digitalization, emerging technologies (particularly AI) and the continued expansion of online commerce. As we move into 2026, regulators are preparing significant reforms that will reshape business obligations and strengthen consumer‑protection enforcement. Below is an overview of the most important developments to watch this year.
European Commission Proposes Cybersecurity Act 2: New EU Supply Chain Rules and Certification Reforms
On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the Commission’s parallel proposal to amend Directive (EU) 2022/2555 (NIS2). We cover that proposal in a separate blog post.
CSA2 covers two main areas that will be relevant to private companies. First, it would introduce the EU’s first horizontal framework for ICT supply chain security—this is an entirely new addition that is not contained in the Cybersecurity Act, and could have significant implications for organizations in sectors that procure components from providers located in high-risk jurisdictions (e.g., telecoms). Second, it would update and expand the existing framework for cybersecurity certifications (the European Cybersecurity Certification Framework, or ECCF). In addition, it would significantly expand the role of the EU cybersecurity agency, ENISA.
Below, we summarize the main elements of the proposal.
European Commission Proposes Targeted Amendments to NIS2 to Simplify Compliance and Align With Proposed Cybersecurity Act 2
On 20 January 2026, the European Commission published a proposal to amend the Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.
The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.
With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.
Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.