Newsletter #13 - March 24, 2026
---
NicFab Newsletter
Issue 13 | March 24, 2026
Privacy, Data Protection, AI, and Cybersecurity
---
Welcome to Issue 13 of our weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you’ll find a curated selection of the most relevant news from the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.
---
In this issue
- ITALIAN DATA PROTECTION AUTHORITY
- EDPB - EUROPEAN DATA PROTECTION BOARD
- EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
- CNIL - FRENCH AUTHORITY
- EUROPEAN PARLIAMENT
- COUNCIL OF THE EUROPEAN UNION
- COURT OF JUSTICE OF THE EUROPEAN UNION
- DIGITAL MARKETS & PLATFORM REGULATION
- INTERNATIONAL DEVELOPMENTS
- ARTIFICIAL INTELLIGENCE
- CYBERSECURITY
- TECH & INNOVATION
- SCIENTIFIC RESEARCH
- AI Act in a Nutshell
- Legal Prompting
- Podcast
- From the NicFab Blog
- Featured Events and Meetings
- Conclusion
---
ITALIAN DATA PROTECTION AUTHORITY
Court of Rome: OpenAI Fine Overturned
On December 20, 2024, the Italian Data Protection Authority announced Decision No. 755 of November 2, 2024, against OpenAI, imposing a fine of 15 million euros for alleged GDPR violations related to ChatGPT. OpenAI had challenged the decision and obtained a preliminary injunction in March 2025.
A note has now been added to the page of the Authority’s press release regarding that decision, stating that Decision No. 755 of November 2, 2024, has been temporarily removed from the website following the judgment of the Court of Rome No. 4153/2026, published on March 18, 2026, which upheld the appeal filed against the Data Protection Authority’s decision. The full text of the ruling is not publicly available; the grounds for the decision are currently unknown.
For DPOs, this ruling signals that courts are playing an increasingly central role in defining the boundaries between the GDPR and artificial intelligence, alongside supervisory authorities, in a regulatory landscape still under development. The reasoning has not yet been published, but the effect is immediate: for the first time, an Italian court has overturned a sanction imposed by the Data Protection Authority on an issue, the legal basis for training AI models, that lies at the heart of the European regulatory debate. That does not mean the Authority’s approach was necessarily incorrect, nor does it mean that OpenAI is exempt from GDPR obligations. It means that the line between lawful and unlawful data processing for AI training is still being drawn by case law.
Official Source — Italian Data Protection Authority
Press Source — Reuters
In-depth analysis — HWUpgrade
New episode of the “A proposito di privacy” podcast on health records
The Italian Data Protection Authority has published the sixth episode of the “A proposito di privacy” podcast, dedicated to health records. This initiative reaffirms the Authority’s commitment to disseminating information and raising awareness about data protection issues through more accessible digital channels.
The focus on health records is particularly relevant given the growing digitization of the healthcare sector and the numerous privacy challenges it raises. For DPOs working in the healthcare sector, this content can provide useful clarification on best practices and key regulatory requirements, given the highly sensitive nature of the data processed.
Source
---
EDPB - EUROPEAN DATA PROTECTION BOARD
The EDPB has launched the Coordinated Enforcement Framework (CEF) action for 2026, focusing on compliance with the transparency and information obligations outlined in Articles 12, 13, and 14 of the GDPR. Following the 2025 initiative on the right to erasure, twenty-five European supervisory authorities—including the Italian Data Protection Authority—will assess controllers’ compliance through enforcement actions and fact-finding exercises. The French CNIL will coordinate the initiative at the European level.
The assessments will be conducted via questionnaires sent to data controllers operating across the following sectors: public, insurance-financial, healthcare, utilities, and marketing, with potential targeted follow-ups. The initiative aims to verify how data controllers inform data subjects about the processing of their data in a concise, transparent, and easily accessible manner, as required by Articles 5, 12, 13, and 14 of the GDPR. The results from individual authorities will be compiled into an EDPB report in the second half of the year, which may identify further in-depth initiatives at the national and European levels.
DPOs must prepare for potential audits by reviewing privacy notices and communication processes with data subjects to ensure full compliance with information obligations.
Source: EDPB | Source: Garante | Source: CNIL
EDPB-EDPS Joint Opinion 4/2026 on Cybersecurity Act 2 and NIS2
The EDPB and the EDPS have adopted Joint Opinion 4/2026 on the Commission’s Proposal for a Cybersecurity Act 2 and on the amendments to the NIS2 Directive. The document underscores the mutual interconnection between data protection and cybersecurity, emphasizing that security measures must be implemented without compromising individuals’ fundamental rights.
The opinion welcomes the strengthening of ENISA’s role and the facilitation of the adoption of cybersecurity certifications. Particular attention is given to coordination between ENISA and the EDPB, with provisions for prior consultations to ensure a clear division of responsibilities. Data protection authorities are increasingly involved in cybersecurity regulation, bringing specific expertise and signaling an institutional convergence that goes beyond mere formal consultation.
For DPOs, this initiative represents an opportunity to strengthen the integrated approach between security and privacy, requiring greater collaboration between technical and compliance functions.
Source
---
EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
Towards trustworthy AI in the EU public administration: The EDPS Compass for its new role under the AI Act
The EDPS has published a strategic guide for the implementation of trustworthy AI systems in European public administrations, outlining its new role under the AI Act. The document provides practical guidance to ensure that the adoption of AI in the public sector complies with the principles of transparency, fairness, and the protection of fundamental rights.
The guide is particularly relevant for public-sector DPOs, who will need to coordinate compliance with the AI Act alongside compliance with the GDPR. The EDPS emphasizes the importance of integrated impact assessments and governance mechanisms that take both regulatory frameworks into account, requiring increasingly specialized cross-functional expertise.
Source
High-Level Debate: “From Omnibus to Opportunity: Driving Data Protection and Innovation”
On June 8, 2026, the EDPS, together with the German and Bavarian data protection authorities, will organize a high-level debate on the European Commission’s Omnibus proposals and their implications for the GDPR. The event, to be held at the Bavarian Representation in Brussels, will explore how regulatory changes can reconcile data protection and innovation.
The debate represents a crucial opportunity for DPOs to understand future developments in the European regulatory framework. The Omnibus proposals could, in fact, introduce significant changes to the GDPR, requiring updates to internal procedures and professional skills. Participation in these high-profile events is essential to anticipate regulatory changes.
Source
---
CNIL - FRENCH DATA PROTECTION AUTHORITY
Audio Recording and Video Surveillance Devices
The CNIL clarifies the rules governing the use of audio recording devices in combination with video surveillance. While audio recording integrated into cameras remains prohibited, separate systems may be installed in publicly accessible locations, but not on public streets.
The devices are permitted only if they are not automatically interconnected with the cameras, can be activated manually in the event of an attack, and are used exclusively by personnel directly under threat. They must also comply with the principles of necessity, proportionality, and GDPR compliance.
DPOs must carefully evaluate the implementation of such systems, document the specific need, implement appropriate technical controls, and ensure that personnel authorized to activate them receive appropriate training.
Source
Agenda for the Plenary Session on March 19, 2026
The CNIL plenary session on March 19 addressed important regulatory updates. Among the main points: the evolution of reference methodologies for medical research, with new resolutions on MR-001 and MR-003, and a recommendation on the security of electronic mail-in voting systems.
Draft decrees regarding software for drafting national police procedures (LRPPN) and the procedures for electronic elections for medical professional associations were also examined. The session also included authorizations for CNIL agents and opinions on data processing for scientific research.
For DPOs in the healthcare sector and public institutions, these developments provide new operational guidelines and reference frameworks to ensure regulatory compliance in their respective fields.
Source
---
EUROPEAN PARLIAMENT
European Parliament Approves Delay of Certain AI Rules
MEPs have approved a proposal to postpone the application of certain rules under the AI Act, acknowledging that key technical standards may not be ready by the August 2, 2026, deadline. The proposed new dates are December 2, 2027, for high-risk systems in critical sectors such as biometrics, infrastructure, and justice, and August 2028 for systems covered by EU sectoral legislation.
Of particular relevance to DPOs is the introduction of a ban on “nudifier” systems that create intimate images without consent, as well as new provisions allowing the processing of personal data to detect bias in AI systems, albeit with strict safeguards. These changes offer greater flexibility to companies while maintaining the protection of fundamental rights.
Source
Chat Control: No Agreement Between the EU Parliament and the Council
The European Parliament and the Council of the EU have not reached an agreement on extending the exemption from privacy rules that allowed platforms to voluntarily scan private communications to detect child sexual abuse material (CSAM). The exemption, extended by the Parliament until August 2027 with much stricter conditions than previous versions, failed to secure the necessary agreement with the Council, which chose not to accept the watered-down version approved by Strasbourg.
With the expiration of the exceptional measure on April 3, 2026, the legal basis that allowed digital service providers to conduct large-scale monitoring of private communications will cease to exist. The framework reverts to the standard regime based on the GDPR and the ePrivacy Directive. In the meantime, the Parliament has consolidated two key principles: the protection of end-to-end encryption from systematic surveillance, and the application of the principle of proportionality focused on content already known or subjects already identified by the authorities.
For DPOs, the failure to reach an agreement means that platforms will no longer be able to rely on an explicit exemption for detection activities and will have to bring any processing for this purpose within the scope of the GDPR and the ePrivacy Directive, with all the consequences for legal basis and proportionality.
Source
Simplifying Cybersecurity Reporting: The Single-Entry Point Mechanism
The Digital Omnibus proposes implementing a Single-Entry Point (SEP) mechanism to simplify cybersecurity reporting obligations. Currently, companies must navigate multiple reporting procedures across different authorities, with varying deadlines and requirements, creating significant administrative burdens.
The SEP would allow companies to fulfill the reporting obligations set forth by various EU regulations through a unified process. For DPOs, this initiative represents an important step toward reducing regulatory complexity, particularly given the rise in cyberattacks exploiting AI to compromise security systems and breach personal data protection.
Source
AI Regulatory Sandboxes: Implementation Challenges
The AI Act requires Member States to establish at least one AI regulatory sandbox—controlled environments for testing the compliance of AI systems. However, researchers have identified significant challenges related to design, fragmentation, and implementation timelines.
These testing environments offer DPOs a crucial opportunity to better understand the impact of AI systems on data protection before large-scale deployment. Sandboxes could facilitate the development of best practices for simultaneous compliance with the AI Act and the GDPR, allowing potential regulatory conflicts to be identified and resolved in a controlled environment.
Source
Enforcement of the AI Act: Hybrid Oversight Model
The AI Act, adopted in 2024, establishes a hybrid enforcement model that divides responsibilities between Member States and the European Commission. While rules for high-risk AI systems are enforced at the national level, oversight of general-purpose AI (GPAI) models falls exclusively to the Commission.
This predominantly decentralized approach could lead to inconsistent enforcement across the EU, creating uncertainty for DPOs operating in multinational contexts. The model differs significantly from the GDPR’s “one-stop shop” mechanism, so organizations will need more sophisticated compliance strategies to manage several competent authorities at once.
Source
AI Regulatory Framework: General-Purpose Systems and Models
The AI Act regulates both AI systems and general-purpose models (GPAI), applying a risk-based approach that distinguishes between unacceptable, high, minimal, and transparency risks. GPAI models with systemic risks, such as GPT-5 and Gemini 3, are subject to additional risk evaluation and assessment requirements.
For DPOs, this regulatory stratification requires a thorough understanding of the different risk categories and related obligations. The classification of AI systems directly affects the data protection measures to be implemented, making an accurate risk assessment essential to ensure compliance with both the AI Act and the GDPR.
Source
---
COUNCIL OF THE EUROPEAN UNION
Cybersecurity Act 2: Consultation of the European Economic and Social Committee
The Council of the EU has launched a consultation with the European Economic and Social Committee on the proposed “Cybersecurity Act 2,” which will replace Regulation 2019/881. The new legislation aims to strengthen the role of the European Union Agency for Cybersecurity (ENISA) and to introduce a more robust framework for cybersecurity certification.
Particular attention is given to the security of the ICT supply chain, an issue of growing importance for DPOs who must assess risks arising from technology suppliers. The Proposal introduces specific measures to ensure greater transparency and control throughout the supply chain, with potentially significant impacts on due diligence and supplier evaluation processes.
Source
Joint Opinion of the Legal Services on the Cybersecurity Act 2
The document presents the joint opinion of the Council’s legal services on the proposed ENISA Regulation and the related directive amending NIS2. This technical-legal opinion provides crucial interpretive clarifications to understand the interaction between the new cybersecurity rules and the current regulatory framework.
For DPOs, the legal services’ analysis is a valuable resource for anticipating how the new provisions will be implemented in practice. The opinion highlights potential overlaps or conflicts among regulations, which is essential for planning integrated, consistent compliance strategies.
Source
Consultation on Amendments to the NIS2 Directive
The Council has simultaneously launched a consultation with the Economic and Social Committee on the proposed directive amending NIS2 to align it with the new Cybersecurity Act 2. The proposed amendments aim to simplify compliance requirements and ensure regulatory consistency within the European cybersecurity landscape.
The simplification measures could alleviate certain administrative burdens for organizations subject to NIS2, an issue of particular interest to DPOs operating in critical sectors. Regulatory alignment should also reduce interpretative ambiguities and facilitate the implementation of integrated cybersecurity and data protection management systems.
Source
---
COURT OF JUSTICE OF THE EUROPEAN UNION
Case C-371/24: Limits on the Collection of Biometric Data in Criminal Investigations
The Court of Justice has established stringent criteria for the collection of biometric data by police authorities during criminal investigations. The principle of strict necessity serves as the benchmark for assessing the legitimacy of such operations, requiring a case-by-case evaluation of the proportionality between the investigative objective and the intrusiveness of the measure.
For DPOs working in public security contexts or collaborating with law enforcement agencies, this ruling reinforces the importance of implementing rigorous preliminary assessment procedures. It is essential to accurately document the reasons justifying biometric collection and ensure that less invasive alternatives exist before proceeding.
Source
Case C-526/24: Abusive Access Requests and GDPR Compensation
The Court clarified that a request for access to personal data may be considered abusive when submitted with the sole intent of creating grounds for subsequent claims for compensation for alleged GDPR violations. This decision provides data controllers with a defensive tool against opportunistic practices.
The ruling provides DPOs with objective criteria for assessing the genuineness of access requests, enabling them to identify behavioral patterns indicative of purely compensatory intentions. However, it remains essential to maintain a balanced approach that does not compromise data subjects’ legitimate right to access their own data.
Source
---
DIGITAL MARKETS & PLATFORM REGULATION
X Pays the €120 Million EU Fine
Elon Musk’s X has paid the €120 million fine imposed by the EU in December, confirming its cooperation with the European Commission despite an ongoing legal appeal. The penalty stems from violations of the Digital Services Act regarding the design of blue verification badges and failures to meet transparency obligations.
For DPOs, this case highlights the importance of proactive compliance: X had to submit corrective proposals by March regarding verification and will have until April to remedy violations related to advertising and data transparency. The strategy of paying while maintaining the appeal demonstrates how companies can balance immediate compliance with legal challenges to regulatory decisions.
Source
U.S. Congress Requests Big Tech-EU Private Communications
The U.S. House Judiciary Committee has ordered Big Tech companies to provide all communications with EU officials regarding the implementation of the Digital Services Act, including self-deleting messages. The move follows revelations that EU officials use Signal with self-deleting messages to avoid U.S. pressure.
For DPOs operating internationally, this case underscores the need for clear policies on the retention of institutional communications. Communications with regulators may be subject to disclosure in different jurisdictions, requiring document retention strategies that balance transparency, operational confidentiality, and multi-jurisdictional compliance.
Source
---
INTERNATIONAL DEVELOPMENTS
Navigating Autonomy and Privacy in Emerging AgeTech
The Future of Privacy Forum organized a panel discussion on AgeTech, highlighting the tensions between individual privacy and care support for the elderly. Emerging technologies collect highly sensitive data (health, location, behaviors) in exchange for the possibility of living longer independently at home.
Key challenges include consent management, often delegated to caregivers, which compromises the care recipient’s autonomy, and default settings that can unknowingly influence users’ decisions. AI plays a dual role: it can both facilitate fraud against older people and help detect it.
For DPOs, this sector requires particular attention to the design of collaborative controls that balance caregiver access with the autonomy of data subjects, treating older adults’ data as highly sensitive and deserving of enhanced protections.
Source
Privacy Papers for Policymakers 2026: Focus on AI and Governance
The Future of Privacy Forum concluded the 16th edition of the “Privacy Papers for Policymakers” program, presenting innovative research on privacy and AI governance. The initiative recognized seven leading papers that analyze emerging issues and propose concrete solutions for policymaking.
The virtual events brought together academics from prestigious universities (Princeton, Northwestern, Chicago) with experts from industry and civil society to discuss voluntary regulatory approaches in the U.S., red lines in the EU AI Act, and data protection reforms in Africa.
The program serves as a crucial bridge between academic research and practical application for privacy professionals. DPOs can find in these studies advanced analytical tools to address current regulatory challenges, particularly useful for understanding the evolution of the international regulatory landscape.
Source
EU Sanctions Three Entities and Two Individuals for Cyberattacks Against Member States
On March 16, 2026, the Council of the European Union adopted new restrictive measures against three entities and two individuals deemed responsible for cyberattacks threatening the Union or its member states. Among those targeted are the Chinese companies Integrity Technology Group and Anxun Information Technology (i-Soon), as well as the Iranian company Emennet Pasargad.
According to the Council, Emennet Pasargad has been involved in cyberattack activities and information manipulation campaigns, including operations linked to Charlie Hebdo and the 2024 Paris Olympic Games. The Council identifies the two Chinese entities as suppliers of hacking products and services used against devices, critical infrastructure, and critical functions in Member States and third countries.
For DPOs, these measures confirm the need to integrate geopolitical risk into supplier assessments, security analyses, and governance strategies for international data transfers.
Institutional source — Council of the European Union
Press source — Dark Reading
---
ARTIFICIAL INTELLIGENCE
Red Lines under the EU AI Act: Understanding the ban on untargeted scraping of facial images and facial recognition databases
The AI Act introduces a specific ban on AI systems that create or expand facial recognition databases through the “untargeted scraping” of facial images from the Internet or CCTV footage. This provision (Article 5(1)(e)) focuses on activities preparatory to actual facial recognition, considering them particularly intrusive practices that fuel the perception of mass surveillance.
The distinction between “targeted” and “non-targeted” scraping is crucial for DPOs, as it clearly delineates the scope of the ban. While the former remains permitted under certain conditions, the latter is categorically prohibited. This regulation complements the existing GDPR, creating a layered regulatory framework that requires particular attention in the implementation of facial recognition systems and the management of related databases.
Source
---
CYBERSECURITY
CISA Adds Apple, Craft CMS, and Laravel Vulnerabilities to the KEV Catalog
CISA has added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by April 3, 2026. Among these are three Apple flaws (WebKit and kernel) with CVSS scores up to 8.8, a Craft CMS vulnerability rated 10.0, and a Laravel Livewire bug rated 9.8.
The most concerning issue for DPOs is the iOS exploit kit “DarkSword,” which uses the Apple vulnerabilities to deliver malware such as GHOSTBLADE for data theft. The Craft CMS bug has been exploited as a zero-day since February 2025, while exploitation of the Laravel vulnerability is attributed to the Iranian group MuddyWater in attacks against critical diplomatic and energy infrastructure.
Source
Cisco Secure Firewall Management Center: CVE-2026-20131 Exploited by Interlock
CISA has ordered federal agencies to patch CVE-2026-20131 (CVSS 10.0) in the Cisco Secure Firewall Management Center (FMC) by Sunday, March 22. The bug allows arbitrary Java code to execute as root without authentication, via unsafe deserialization in the web interface.
Amazon has confirmed that the Interlock ransomware group has been actively exploiting this vulnerability since late January 2026, more than a month before the patch was released. DPOs should note that FMC centrally manages firewalls and their malware-protection policies, so a compromise of FMC hands an attacker control of the security controls themselves, making this vulnerability particularly dangerous for the integrity of corporate security infrastructure.
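The FMC flaw is a Java deserialization bug, and the mechanism is worth seeing concretely. The following added example is not Cisco code and does not come from the newsletter: it uses Python’s pickle as an analog, an assumption chosen because pickle exposes the same primitive, namely a deserializer that reconstructs arbitrary types from untrusted bytes and thereby lets those bytes pick a callable to run. The Gadget class, the record_execution marker and the allowlist in RestrictedUnpickler are all constructed for the demonstration; the hardened loader follows the pattern from the Python documentation of overriding find_class and resolving only an explicit allowlist.

```python
"""Unsafe deserialization as an unauthenticated code-execution primitive,
beside a hardened loader.

Constructed illustration (not Cisco code): pickle stands in for Java
deserialization. A deserializer that reconstructs arbitrary types from
attacker-controlled bytes lets the bytes decide what code runs.
"""
import io
import pickle

# Module-level record the payload writes to, so the demo is side-effect free.
EXECUTION_LOG: list[str] = []

# Constructed benign request body of the kind a management plane might accept.
BENIGN_CONFIG = {"policy": "deny-all", "rev": 3, "comment": None}


def record_execution(marker: str) -> str:
    """Stand-in for os.system: proves attacker-chosen code ran during load."""
    EXECUTION_LOG.append(marker)
    return marker


class Gadget:
    """Attacker-controlled object. __reduce__ tells pickle which callable to
    invoke at load time; a real payload would name os.system or Popen."""

    def __reduce__(self):
        return (record_execution, ("attacker code ran during deserialization",))


def build_malicious_payload() -> bytes:
    """Serialize the gadget: this is what an unauthenticated client would POST."""
    return pickle.dumps(Gadget())


def build_benign_payload() -> bytes:
    """Serialize an ordinary configuration object for comparison."""
    return pickle.dumps(BENIGN_CONFIG)


def unsafe_load(data: bytes):
    """Vulnerable: pickle.loads resolves and calls any importable callable the
    payload names. By the time it returns, the attacker's code has run."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: resolve only an explicit allowlist of (module, name) pairs.
    Everything else, including record_execution and os.system, is refused."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data: bytes):
    """Returns the object for benign payloads; raises UnpicklingError for gadgets."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run the malicious payload through both loaders and report what happened."""
    payload = build_malicious_payload()
    EXECUTION_LOG.clear()
    unsafe_load(payload)
    unsafe_executed = len(EXECUTION_LOG) == 1

    EXECUTION_LOG.clear()
    try:
        safe_load(payload)
        safe_blocked = False
    except pickle.UnpicklingError:
        safe_blocked = True
    safe_executed = len(EXECUTION_LOG) == 1

    benign_ok = safe_load(build_benign_payload()) == BENIGN_CONFIG
    return {"unsafe_executed": unsafe_executed, "safe_blocked": safe_blocked,
            "safe_executed": safe_executed, "benign_ok": benign_ok}


if __name__ == "__main__":
    print(demo())
```

Running it shows the same payload executing record_execution under pickle.loads and being refused by RestrictedUnpickler, while the plain configuration dict still loads. The Java equivalent is an ObjectInputFilter allowlist, or better, not exposing native deserialization to unauthenticated clients at all; the general lesson for an FMC-style management plane is that the serialization format chosen for a request body can itself be the vulnerability.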
Source
Oracle Releases Emergency Patch for Identity Manager
Oracle has released an unscheduled security update to address CVE-2026-21992, a critical vulnerability (CVSS 9.8) in Identity Manager and Web Services Manager that allows remote code execution without authentication. The bug is remotely exploitable via HTTP with low complexity and without user interaction.
The criticality for DPOs stems from Oracle Identity Manager’s central role in managing corporate identities and access. A compromise could expose the entire identity governance infrastructure, jeopardizing GDPR compliance and other regulatory frameworks. Oracle recommends immediate application of the patches, which are available only for versions under Premier or Extended support; installations on unsupported versions have no fix path other than upgrading.
Source
Langflow Vulnerability Exploited Within Hours of Disclosure
A critical vulnerability in Langflow (CVE-2026-33017, CVSS 9.3) was exploited by threat actors just 20 hours after public disclosure. The open-source AI agent framework has a bug in a POST endpoint that allows unauthenticated execution of arbitrary Python code via manipulated node definitions.
Sysdig observed three phases of the attack: automated scans from four IP addresses, active reconnaissance using pre-established infrastructure, and data exfiltration to shared command-and-control servers. DPOs must recognize that attackers are targeting the theft of keys and credentials for connected databases, potentially preparing supply chain attacks. The speed of exploitation underscores the importance of proactive patch management for AI frameworks, which increasingly run next to production credentials.
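The Langflow pattern, an endpoint that accepts node definitions and ends up running Python from them, recurs across AI orchestration tools. The added example below is not Langflow’s code, and the request shape (a JSON object with type, params and, in the attack, a code field) is an assumption chosen to show the pattern; it contrasts a handler that executes a code field from the body with one that treats the body as data, resolving the node type through a fixed registry and accepting only scalar parameters. The secret it leaks is a constructed environment variable standing in for the database credentials the attackers were after.

```python
"""A node-definition endpoint that executes client code, beside one that does not.

Constructed illustration (not Langflow's code). The request shape is an
assumption: a JSON object with "type", "params" and, in the attack, "code".
Both handlers take the raw POST body as an unauthenticated endpoint would.
"""
import json
import os
from typing import Any, Callable

# Constructed secret of the kind the attackers were after: a DB credential
# reachable by the process through its environment.
DEMO_SECRET = "constructed-example-secret"
os.environ["DEMO_DB_PASSWORD"] = DEMO_SECRET

# The only behaviours a request may select. Adding a node type means adding
# reviewed code here, never accepting code over the wire.
NODE_REGISTRY: dict[str, Callable[..., Any]] = {
    "add": lambda a, b: a + b,
    "concat": lambda a, b: f"{a}{b}",
    "upper": lambda s: str(s).upper(),
}

# What a scanner would POST: a "custom" node whose code reads the credential.
MALICIOUS_BODY = json.dumps({
    "type": "custom",
    "code": "import os\ndef run():\n    return os.environ.get('DEMO_DB_PASSWORD')\n",
    "params": {},
}).encode()

BENIGN_BODY = json.dumps({"type": "add", "params": {"a": 2, "b": 3}}).encode()


def vulnerable_run_node(body: bytes) -> Any:
    """Vulnerable: the client's 'code' field is executed in this process, so
    anything the process can read (env vars, config files, DB sessions) the
    client can read too. No authentication is involved at any point."""
    node = json.loads(body)
    namespace: dict[str, Any] = {}
    exec(node["code"], namespace)              # arbitrary Python from the request
    return namespace["run"](**node.get("params", {}))


class RejectedNode(ValueError):
    """Raised for any request that is not plain data selecting a registered node."""


ALLOWED_KEYS = {"type", "params"}
SCALARS = (str, int, float, bool, type(None))
MAX_PARAMS = 8


def hardened_run_node(body: bytes) -> Any:
    """Hardened: the request is data. It may name a registered node type and
    pass scalar parameters; any other key, including 'code', is rejected
    before anything is looked up or called."""
    node = json.loads(body)
    if not isinstance(node, dict):
        raise RejectedNode("node definition must be a JSON object")
    unexpected = set(node) - ALLOWED_KEYS
    if unexpected:
        raise RejectedNode(f"unexpected keys: {sorted(unexpected)}")
    node_type = node.get("type")
    if not isinstance(node_type, str) or node_type not in NODE_REGISTRY:
        raise RejectedNode(f"unknown node type: {node_type!r}")
    params = node.get("params", {})
    if not isinstance(params, dict) or len(params) > MAX_PARAMS:
        raise RejectedNode("params must be a small JSON object")
    for key, value in params.items():
        if not isinstance(value, SCALARS):
            raise RejectedNode(f"param {key!r} must be a scalar")
    try:
        return NODE_REGISTRY[node_type](**params)
    except TypeError as exc:                   # wrong or missing parameter names
        raise RejectedNode(f"bad parameters for {node_type!r}: {exc}") from exc


def try_hardened(body: bytes) -> tuple[str, Any]:
    """Helper for demos and tests: ('ok', result) or ('rejected', reason)."""
    try:
        return ("ok", hardened_run_node(body))
    except RejectedNode as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_run_node(MALICIOUS_BODY))   # leaks the secret
    print("hardened  :", try_hardened(MALICIOUS_BODY))
    print("hardened  :", try_hardened(BENIGN_BODY))
```

The hardened handler rejects the malicious body before touching its contents, because code is simply not an allowed key; an allowlist on keys and node types is what keeps “custom node” from meaning “remote shell”. Filtering dangerous substrings out of the code string would not be a fix, since Python offers too many routes to the same objects; the only safe design is to never execute request content.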
Source
DoJ Dismantles IoT Botnet Comprising 3 Million Devices
The U.S. Department of Justice dismantled the command-and-control infrastructure of four IoT botnets (AISURU, Kimwolf, JackSkid, Mossad) that controlled over 3 million compromised devices. The botnets launched record-breaking DDoS attacks peaking at 31.4 Tbps, drawing mainly on compromised Android devices, including smart TVs and set-top boxes.
The operation, supported by Canada, Germany, and private companies, uncovered a “cybercrime-as-a-service” model that sold access to compromised devices. DPOs must understand that hundreds of thousands of devices in the United States were involved, underscoring the importance of IoT security within the corporate ecosystem and the need for device management policies that encompass equipment traditionally considered “non-critical.”
Source
---
TECH & INNOVATION
Delve Accused of “Fake Compliance” by Customers
An anonymous complaint published on Substack accuses the startup Delve of deceiving hundreds of customers into believing they were compliant with privacy and security regulations, potentially exposing them to criminal liability under HIPAA and heavy GDPR penalties. The startup, backed by Y Combinator with a $32 million Series A round, allegedly provided “false evidence of meetings, tests, and processes that never took place.”
The accuser, identified as “DeepDelver” and reportedly a former client, claims that Delve achieves its claimed speed by producing fake documentation and bypassing fundamental requirements of regulatory frameworks. The company has rejected the allegations, calling them “misleading” and containing “inaccurate claims.”
For DPOs, this case highlights the importance of thoroughly verifying compliance providers’ credentials and avoiding blind reliance on “all-in-one” solutions without adequate due diligence.
Source
---
SCIENTIFIC RESEARCH
Selection of the week’s most relevant papers from arXiv on AI, Machine Learning, and Privacy
AI Detection and Verification
Automatic detection of Gen-AI texts: A comparative framework of neural models
The growing proliferation of Large Language Models makes it increasingly difficult to distinguish between human-written and AI-generated texts. The study presents a comparative framework of four neural architectures for the automatic detection of AI-generated content, addressing critical issues for academic, publishing, and social domains.
arXiv
NANOZK: Layerwise Zero-Knowledge Proofs for Verifiable Large Language Model Inference
Presents a system of zero-knowledge cryptographic proofs to make LLM inference verifiable. Users can cryptographically confirm that the declared model was actually used, preventing substitutions with cheaper models or cached responses. Essential for algorithmic transparency and compliance.
arXiv
Real-Time Trustworthiness Scoring for LLM Structured Outputs and Data Extraction
CONSTRUCT offers a method for evaluating the reliability of LLM structured outputs in real time, identifying where to focus human review. Essential for enterprise applications where sporadic errors hinder AI adoption and require control mechanisms for governance.
arXiv
Privacy-Preserving Machine Learning
Informationally Compressive Anonymization: Non-Degrading Sensitive Input Protection
Introduces Informationally Compressive Anonymization (ICA) as an alternative to traditional privacy-preserving ML techniques. It aims to overcome the limitations of differential privacy and homomorphic encryption, which respectively degrade performance or impose prohibitive computational overhead, while protecting sensitive inputs without a loss in performance.
arXiv
Bias and Fairness in LLMs
Vulnerability of LLMs’ Stated Beliefs? LLMs Belief Resistance Check
Systematically evaluates LLMs’ susceptibility to persuasion through the Source-Message-Channel-Receiver communication framework. Demonstrates how LLMs can adopt counterfactual beliefs, raising critical concerns about the reliability of responses in sensitive decision-making and compliance contexts.
arXiv
When Names Change Verdicts: Intervention Consistency Reveals Systematic Bias
ICE-Guard detects spurious dependencies in LLMs through consistency tests for demographic, authority, and framing biases. It analyzes 3,000 vignettes across 10 high-risk domains, highlighting how irrelevant characteristics influence critical decisions, with significant implications for fairness and non-discrimination.
arXiv
Implicit Grading Bias in Large Language Models
Investigates implicit biases in LLMs used as automated graders in education. The study demonstrates that writing style influences grades even when content accuracy remains constant, raising critical concerns about fairness and equity in automated grading.
arXiv
Safety and Harmful Content
SynBullying: A Multi-LLM Synthetic Conversational Dataset for Cyberbullying Detection
Presents a multi-LLM synthetic dataset for studying cyberbullying, offering a scalable and ethically sound alternative to human data collection. It provides multi-turn conversational structures and context-aware annotations, essential for developing moderation systems compliant with harmful content regulations.
arXiv
---
AI ACT IN A NUTSHELL - Part 13
Article 17 - The Quality Management System
After examining Article 16 and the catalog of operational obligations for providers of high-risk AI systems in Part 12—from technical documentation to logging systems, from conformity assessment to cooperation with authorities—we now delve into one of the most structural provisions of the entire regulatory framework: Article 17, which governs the quality management system that providers are required to adopt.
This provision, in some ways, positions the AI Act as a management-system regulation rather than merely a set of specific prohibitions and obligations. The logic is one already established in other regulated sectors (pharmaceuticals, aviation, medical devices), where quality is not an attribute of the finished product but a continuous organizational process.
A System, Not a Document
Article 17 requires providers to put in place a quality management system that ensures compliance with the Regulation, documented in a systematic and orderly manner in the form of written policies, procedures, and instructions. Read together with ISO 9001, on which it is clearly modelled, this means a system that is established, documented, implemented, monitored, maintained, and continuously improved: the PDCA (Plan-Do-Check-Act) logic, which imposes a dynamic approach to compliance going beyond the static view of one-off certification.
The system must be proportionate to the size of the provider’s organization, which represents an important element of flexibility for SMEs facing obligations typically designed for large organizations. However, proportionality concerns the methods of implementation, not the substance of the obligations.
Minimum Requirements for the Quality Management System
Article 17 lists the elements that the quality management system must, at a minimum, include. First, a strategy for regulatory compliance, which the text expressly ties to conformity assessment procedures and to procedures for managing modifications to the high-risk AI system; in practice this strategy must also cover other applicable rules, including the GDPR, whenever the AI system processes personal data.
The system must include techniques, procedures, and systematic actions for the design and control of the AI system, as well as techniques for the verification, validation, and testing of the system. This element is particularly relevant to DPOs, as it implies that GDPR compliance testing—from the DPIA to the verification of security measures—must be integrated into the AI system’s development cycle from the earliest stages, rather than added ex post.
The system must include procedures for data management, including those for acquisition, annotation, cleaning, and enrichment of training data. For data protection professionals, these requirements overlap directly with GDPR obligations on data quality and data minimization, creating a regulatory convergence area that requires coordination between technical and compliance teams.
Risk Management, Monitoring, and Improvement
The quality management system must incorporate the risk management system required by Article 9 and the post-market monitoring system required by Article 72, and, read more broadly, should cover not only risks to users and third parties but also operational and compliance risks. It must also include procedures for managing changes made to the system throughout its lifecycle, a critical aspect since many AI systems evolve through updates and fine-tuning.
Also fundamental are the procedures for reporting serious incidents, which must align with the reporting obligations of Article 73 of the AI Act and, for systems processing personal data, with the personal data breach notifications required by Article 33 of the GDPR. DPOs must establish coordinated procedures that satisfy both frameworks, avoiding duplication and ensuring the completeness of reports.
Documentation and Retention
The quality management system must be systematically documented, with policies, procedures, and instructions set out in writing. Under Article 18, this documentation must be kept at the disposal of the national competent authorities for ten years after the AI system has been placed on the market or put into service. That period must be reconciled with the retention periods the organization has set for related documentation under the GDPR storage-limitation principle, which calls for integrated planning of retention policies.
Practical Implications for DPOs
Article 17 transforms compliance with the AI Act from a one-time requirement into an ongoing organizational process. For DPOs, this means that their role does not end with the initial preparation of documentation, but includes ongoing participation in the quality management system: from periodic reviews of the data processing policies integrated into the system, to verifying the updating of DPIAs when the AI system is modified, to the coordinated management of incidents.
The link between the AI Act’s quality management system and the GDPR’s record of processing activities becomes a concrete operational requirement: organizations that develop or distribute high-risk AI systems must ensure consistency between the two documentation systems, preventing misalignment in information about the same data processing operations.
In the next installment, we will analyze Article 18, which governs documentation retention obligations, thereby completing the framework of fundamental documentation requirements set forth by the AI Act for providers of high-risk systems.
---
LEGAL PROMPTING
Legal Prompting: Method, Not Magic
Legal Prompting is not simply using ChatGPT or another language model to conduct legal research. It is something more precise and demanding: the ability to formulate structured instructions for language models that account for the hierarchy of sources, legal reasoning, professional ethics, and the practical implications for the client or the organization.
The difference between a generic prompt and a legally structured prompt does not lie in the technology—it lies in the method. And the method requires solid legal expertise: you cannot delegate to the model what you cannot critically evaluate.
Three premises will recur in every installment of this column. First: language models do not reason like lawyers; they generate plausible outputs, not necessarily legally correct ones. Human supervision is an ethical obligation, not an option. Second: the European regulatory framework (the AI Act, the GDPR, codes of ethics, Law 132/2025) imposes precise limits on the use of AI in professional settings that the professional must know even before opening an interface. Third: the choice of model and infrastructure (local vs. cloud) is not a technical issue but a matter of compliance, professional secrecy, and liability.
In upcoming issues: advanced prompting techniques for regulatory analysis, RAG and its risks in the legal field, how to structure prompts for decisions by the Data Protection Authority and rulings by the Court of Justice, and how to integrate Legal Prompting into corporate compliance processes without creating additional risks.
To learn more about the basics:
Legal Prompting: The New Frontier of AI in the Legal Field
---
PODCAST
NicFab Podcast — Legal Prompting: Introductory Episode
The Legal Prompting topic is now available in audio format. The first episode dedicated to this series introduces the concept, the methodological foundations, and the path we will explore in the coming weeks—designed for those who prefer to listen while on the go or want to delve deeper in a format other than reading.
Listen to the episode
---
FROM THE NICFAB BLOG
AI Act: Regulatory Sandboxes Between Regulatory Obligations and Implementation Gaps
March 20, 2026
As of August 2025, only one out of twenty-seven Member States had an operational sandbox. A critical analysis of the challenges of design, fragmentation, and timing, with all sources cited in document EPRS PE 785.673.
Read the full article
AI Act: The Hybrid Enforcement Model Between Regulations and Reality
March 19, 2026
As of March 2026, only 8 out of 27 Member States had designated their single points of contact. A critical analysis of the hybrid enforcement model between the national level and the AI Office, with a structural comparison to the GDPR.
Read the full article
EU Council Sanctions Three Entities and Two Individuals for Cyberattacks Against Member States
March 18, 2026
Analysis of the EU Council’s decision of March 16, 2026, imposing restrictive measures against three Chinese and Iranian entities for cyberattacks against Member States.
Read the full article
Copyright and Generative AI: The European Parliament’s Resolution Between Principles and Operational Gaps
March 16, 2026
On March 10, 2026, the European Parliament adopted Resolution P10_TA(2026)0066 on copyright and generative AI. A critical analysis of shared principles and operational shortcomings that the Commission is called upon to address.
Read the full article
---
FEATURED EVENTS AND MEETINGS
EDPB-EDPS Joint Opinion on the Proposal for a Cybersecurity Act 2 and the Proposal on amendments to the NIS 2 Directive (published on March 18, 2026)
EDPS | Info
EDPB and EDPS support strengthening EU cybersecurity and easing compliance while protecting individuals’ personal data (published on March 19, 2026)
EDPB | Info
CEF 2026: EDPB launches coordinated enforcement action on transparency and information obligations under the GDPR (published on March 19, 2026)
EDPB | Info
Apply AI Webinars Sectoral Deep Dive - Agrifood, Climate & Environment (published on March 19, 2026)
European Commission | Info
AI for 3D Digital Twins in Cultural Heritage: Stakeholder Forum (event on March 23, 2026)
European Commission | Info
Blog post: Advancing into Practice: Third Meeting of the AI Act Correspondents Network
EDPS | Info
Commission holds first meeting of Special Panel on child safety online
European Commission | Info
European Union endorses Leaders’ Declaration at AI Summit in India
European Commission | Info
---
Conclusion
European coordination is entering a new phase of maturity, with the EDPB launching the CEF 2026 on the fundamentals of transparency while simultaneously building bridges with cybersecurity regulation through the joint opinion on the Cybersecurity Act 2. A framework is emerging in which enforcement becomes more systematic and the barriers between regulatory disciplines gradually thin.
The EDPB’s decision to focus the 2026 coordinated action on transparency and information obligations marks a return to basics after years of focusing on the more high-profile rights. Twenty-five supervisory authorities will simultaneously verify the quality of privacy notices, an operation that will have direct impacts on corporate compliance. That is not a secondary issue: transparency is the prerequisite for every other GDPR right, and its inadequacy can compromise an organization’s entire data protection architecture.
The Court of Rome’s ruling on the OpenAI case is likely the most significant news of the week for those working in the sector. The reasoning has not yet been published, but the effect is immediate: for the first time, an Italian court has overturned a sanction imposed by the Data Protection Authority on an issue — the legal basis for training AI models — that lies at the heart of the European regulatory debate. That does not mean the Authority’s approach was necessarily incorrect, nor does it mean that OpenAI is exempt from GDPR obligations. It means that the line between lawful and unlawful data processing for AI training is still being defined by case law, and that courts are playing an increasingly decisive role alongside supervisory authorities in this definition.
The failure of Parliament and the Council to reach an agreement on Chat Control introduces another significant operational complexity: as of April 3, 2026, platforms will no longer be able to rely on an exemption for activities involving the detection of child sexual abuse material. They will have to bring all such processing under the ordinary scope of the GDPR and the ePrivacy Directive. For DPOs of electronic communications service providers, this requires an urgent review of the legal bases currently in use.
The joint EDPB-EDPS opinion on the Cybersecurity Act 2 is perhaps the most significant institutional development, signaling a convergence that goes beyond mere formal consultation. Data protection authorities are now engaging with cybersecurity regulation with specific expertise, moving beyond the traditional approach where privacy and cybersecurity operated on parallel tracks. This integration becomes crucial considering that many data breaches stem from security incidents, and that cybersecurity measures often involve significant processing of personal data.
On the international enforcement front, the case of X, which cooperated and paid the €120 million fine, sets an important precedent. Despite anti-regulatory rhetoric, compliance with European deadlines demonstrates the deterrent power of the EU regulatory framework. The new EU sanctions against three entities and two individuals linked to cyberattacks confirm an increasingly assertive approach, with direct implications for geopolitical risk assessments in supplier due diligence processes.
On the cybersecurity front, critical vulnerabilities in Cisco FMC (CVSS 10.0), Oracle Identity Manager (CVSS 9.8), and Langflow—the latter exploited just 20 hours after disclosure—confirm that proactive patch management is no longer optional. The DoJ’s dismantling of a 3-million-device IoT botnet serves as a reminder that even seemingly non-critical devices can become vectors for large-scale attacks.
For compliance professionals, this week outlines clear priorities: immediate preparation for the 2026 CEF on transparency, reviewing the legal foundations for detection activities following the failure to reach an agreement on Chat Control, monitoring the reasoning behind the OpenAI ruling that will redraw the boundaries of GDPR application to AI, and increasing integration between privacy and cybersecurity in compliance programs. The main challenge remains managing the growing complexity of an increasingly interconnected regulatory ecosystem, where decisions made in one area have immediate repercussions on others.
The fundamental question remains: will Europe succeed in maintaining regulatory leadership without stifling technological innovation? The answer will determine not only the future of Europe’s digital sector, but also the global balance between technological progress and the protection of fundamental rights.
---
📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm
🌐 Studio Legale Fabiano:
https://www.fabiano.law
🌐 Blog:
https://www.nicfab.eu
🌐 DAPPREMO:
www.dappremo.eu
---
Supporter
https://lawandtechnology.eu/
https://caffe20.it/
https://privacykit.it/
---
To receive the newsletter directly in your inbox, subscribe at nicfab.eu
Follow our news on these channels:
Telegram: @nicfabnews
Matrix: #nicfabnews:matrix.org
Mastodon: @nicfab@fosstodon.org
Bluesky: @nicfab.eu
---