Newsletter #15 - 7 April 2026
---
NicFab Newsletter
Issue 15 | 7 April 2026
Privacy, Data Protection, AI, and Cybersecurity
---
Welcome to issue 15 of our weekly newsletter covering privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, this newsletter brings you a curated selection of the most relevant developments from the previous week, with a focus on European regulatory trends, case law, enforcement, and technological innovation.
---
In this issue
- ITALIAN SUPERVISORY AUTHORITY
- EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
- EUROPEAN COMMISSION
- CNIL - FRENCH SUPERVISORY AUTHORITY
- DIGITAL MARKETS & PLATFORM REGULATION
- ARTIFICIAL INTELLIGENCE
- CYBERSECURITY
- SCIENTIFIC RESEARCH
- AI Act in a Nutshell
- Legal Prompting
- Podcast
- From the NicFab Blog
- Events
- Conclusion
---
ITALIAN SUPERVISORY AUTHORITY
Record fine for Intesa Sanpaolo: €31.8 million for data breach
The Italian Supervisory Authority (Garante Privacy) has imposed one of the largest fines in its history on Intesa Sanpaolo — €31.8 million — for serious data security failings. An employee gained unauthorized access to the banking records of 3,573 customers on more than 6,600 occasions over a period of two years, without being detected by internal controls.
The breach also affected “high-risk” customers in prominent public roles, exposing the inadequacy of an operational model that allowed staff to search across the entire customer database without sufficient safeguards. The Garante also criticized the handling of the breach itself, citing incomplete and delayed notifications.
In practice, the case underscores the importance of continuous access monitoring and a strict “need to know” approach, limiting access to only the data required for each employee’s specific role.
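The "continuous access monitoring" takeaway above, turned into a small detection routine (an added example, not from the newsletter or the Garante's decision). It assumes a constructed access log in `timestamp,employee,customer,action` form, a constructed need-to-know map of which customers each employee is assigned, and a constructed list of high-risk customers; it flags lookups outside an employee's portfolio, lookups of high-risk records, and bursts of distinct out-of-scope records in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumption, not from the case): need-to-know map
# of which customer records each employee legitimately works on.
ASSIGNED = {
    "emp01": {"c100", "c101", "c102"},
    "emp02": {"c200", "c201"},
}
# Constructed: customers flagged as high-risk (e.g. prominent public roles).
HIGH_RISK = {"c300"}

# Constructed access-log lines: timestamp,employee,customer,action
SAMPLE_LOG = """\
2025-03-01T09:00:00,emp01,c100,view_account
2025-03-01T09:05:00,emp01,c101,view_account
2025-03-01T09:07:00,emp02,c300,view_account
2025-03-01T09:08:00,emp02,c301,view_account
2025-03-01T09:09:00,emp02,c302,view_account
2025-03-01T09:10:00,emp02,c303,view_account
2025-03-01T09:11:00,emp02,c304,view_account
2025-03-02T10:00:00,emp02,c200,view_account
"""


def parse_log(text):
    """Parse log lines into (timestamp, employee, customer, action) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, emp, cust, action = line.split(",")
        events.append((datetime.fromisoformat(ts), emp, cust, action))
    return sorted(events)


def detect(events, assigned, high_risk, window=timedelta(hours=1), burst=3):
    """Return {employee: sorted findings} for accesses that violate need-to-know.

    Finding kinds: ("out_of_scope", customer), ("high_risk", customer),
    ("burst", count) when >= `burst` distinct out-of-scope records are
    touched within `window`.
    """
    findings = defaultdict(set)
    out_of_scope = defaultdict(list)  # employee -> [(ts, customer)]
    for ts, emp, cust, _action in events:
        if cust in assigned.get(emp, set()):
            continue  # legitimate: inside the employee's portfolio
        out_of_scope[emp].append((ts, cust))
        findings[emp].add(("out_of_scope", cust))
        if cust in high_risk:
            findings[emp].add(("high_risk", cust))
    # Burst check: a sliding window over each employee's out-of-scope hits.
    for emp, hits in out_of_scope.items():
        for i, (t0, _) in enumerate(hits):
            distinct = {c for t, c in hits[i:] if t - t0 <= window}
            if len(distinct) >= burst:
                findings[emp].add(("burst", str(len(distinct))))
                break
    return {emp: sorted(f) for emp, f in findings.items()}


def summarize(events):
    """Per employee: (number of lookups, number of distinct customers touched)."""
    stats = defaultdict(lambda: [0, set()])
    for _ts, emp, cust, _action in events:
        stats[emp][0] += 1
        stats[emp][1].add(cust)
    return {emp: (n, len(custs)) for emp, (n, custs) in stats.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(summarize(evts))
    for emp, hits in detect(evts, ASSIGNED, HIGH_RISK).items():
        print(emp, hits)
```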
Source
Child protection bill: the Garante clarifies its position
The Italian Supervisory Authority has clarified that no technical obstacles to the adoption of the bill on the protection of minors in the digital space exist, contrary to claims by the Minister of Education.
The Authority actively worked with the Government between August and September to address the shortcomings in the original text. The revised version presented on 24 September 2025 incorporates all the recommendations the Garante had formulated on the privacy aspects referred to it.
Parliamentary scrutiny of the bill has stalled in Committee since 21 October 2025, for reasons the Authority says it is not aware of. The statement highlights the Garante’s commitment to balancing data protection with the safety of minors online, pushing back against narratives that portray privacy as an obstacle to children’s digital safety.
Source
---
EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
Prior consultations: towards transparency in privacy oversight
The European Data Protection Supervisor, Wojciech Wiewiórowski, has published a new blog post on prior consultations between EU institutions and bodies in the field of justice and the Supervisor’s office. These procedures are a key oversight mechanism triggered when planned processing operations are likely to pose a high risk to individuals’ rights and freedoms.
The “zero surprises” approach stressed by the Supervisor highlights the value of proactive engagement between institutions. For those working in the European public sector, it is a clear reminder to identify high-risk processing early and initiate the appropriate consultations before implementation begins.
The EDPS strategy aims to strengthen preventive compliance, reduce the risk of enforcement action, and ensure stronger protection of fundamental rights through constructive dialogue with competent authorities.
Source: Supervisor's blog post on prior consultations
---
EUROPEAN COMMISSION
Trivy supply chain attack: over 340GB of data stolen from EU cloud infrastructure
The European Commission has officially confirmed a major data breach linked to the supply chain compromise of Aqua Security’s Trivy vulnerability scanner. According to CERT-EU’s detailed reconstruction, two distinct criminal groups were involved: TeamPCP, which gained initial access on 19 March through a compromised version of Trivy that the Commission had downloaded via its normal software update channels, and ShinyHunters, which subsequently published the stolen data on the dark web.
The attackers leveraged the compromised AWS API key to access Commission-affiliated accounts and used TruffleHog to uncover additional credentials. The leaked dataset — 91.7GB compressed, roughly 340GB uncompressed — includes personal data from 71 clients of the Europa.eu hosting service: 42 internal to the Commission and at least 29 other Union entities. Approximately 52,000 files containing email messages were identified, most of them automated but some with potentially sensitive content.
The cross-organizational scope of the incident raises complex governance issues. Determining notification responsibilities, assessing the impact on each affected organization, and coordinating the institutional response will require thorough forensic analysis to satisfy GDPR obligations. Notably, this is the second confirmed data breach affecting the Commission in 2026, following a February incident — a pattern that points to systemic weaknesses in the institution’s cybersecurity practices. AWS has clarified that its own infrastructure was not compromised, indicating that the root cause lies in credential and configuration management, not in the cloud platform itself.
From a regulatory perspective, the case offers three practical takeaways: the need for rigorous software supply chain controls, the importance of avoiding premature public statements before forensic assessments are complete, and the urgency of continuous monitoring of cloud environments — particularly for API keys with elevated privileges.
Source | CERT-EU Source | TechCrunch | BleepingComputer | POLITICO | SecurityWeek
---
CNIL - FRENCH SUPERVISORY AUTHORITY
DPO designation: updated requirements and procedures
The CNIL has refreshed its procedures for designating Data Protection Officers, reaffirming three core requirements. The DPO must have specific legal and technical expertise, including deep knowledge of the organization’s sector and information systems. Adequate resources to carry out the role must be guaranteed — sufficient time, material support, and access to the information needed.
The ability to act with full independence is the third pillar, requiring the avoidance of conflicts of interest and a direct reporting line to senior management. Designations are handled exclusively through the CNIL’s online portal, which requires the organization’s SIREN number and, for amendments, the previous designation reference.
Source
2026 enforcement priorities: focus on recruitment and the sports sector
The CNIL has set out its enforcement priorities for 2026, targeting three strategic areas: recruitment, the single electoral register, and sports federations. In the HR space, the Authority will audit compliance with its 2023 recruitment guide, with a particular focus on automated decision-making and candidate data retention periods.
Inspections will focus on large employers and consultancy firms that handle high volumes of applications. The initiative also foreshadows the CNIL’s future supervisory role in the employment sector under the AI Act. Twenty per cent of annual inspections will follow these thematic priorities, reflecting the breadth of GDPR obligations.
Source
New reference framework for HR data retention
The CNIL has published a dedicated reference framework for data retention periods in human resources management, developed jointly with professional associations from multiple sectors. The document covers ten areas: recruitment, administrative management, remuneration, health and safety, company vehicles, call recording, trade union relations, workplace accidents, litigation, and whistleblowing.
Aimed at all employers subject to French law, the framework supports DPOs, GDPR leads, and HR professionals in determining appropriate retention periods. While not legally binding, it serves as a practical “soft law” tool that complements the range of guidance already available on the CNIL website.
Source
AI webinar: legitimate interest and web scraping
The CNIL has released the recording of a webinar on the use of legitimate interest as a legal basis for developing AI systems, with a particular focus on web scraping. Held on 13 January 2026, the session offered practical criteria for assessing when this legal basis applies and the safeguards needed to mitigate the impact on data subjects.
The webinar addressed the specific challenges of web scraping for building training datasets, using concrete examples to illustrate how to balance an organization’s legitimate interests with individuals’ rights. It provides hands-on guidance for professionals developing AI systems within a GDPR-compliant framework.
Source
Post-mortem data: the ethics of digital traces
As part of its ethics mandate, the CNIL has published the cahier air2025 on the implications of digital traces after death — the outcome of a symposium held on 15 October 2025 in partnership with the National Library of France. The report examines what happens to personal data when someone dies, noting that a third of French people have already encountered online content belonging to a deceased person.
The cahier explores both the individual dimension — including the right to leave instructions about one’s data and emerging practices of digital mourning — and the collective challenge of preserving digital historical memory. The prospect of AI-enabled numerical immortality raises thorny ethical questions about “digital remains” and their impact on families and society, calling for fresh regulatory thinking.
Source
---
Privacy and regulatory simplification: the clash over von der Leyen’s Digital Omnibus
Von der Leyen’s drive to simplify data rules is running into resistance from Parliament and Member States, who fear it would weaken GDPR protections. The Commission’s proposed “digital omnibus” seeks to redefine the scope of personal data to unlock information useful for AI development, but faces stiff opposition.
From a governance standpoint, the debate marks a critical juncture: the need to compete with the US and China in AI on one side, the preservation of the GDPR’s core principles on the other. The proposed approach to “pseudonymization” raises real questions about the level of protection that would remain, and warrants scrutiny of its operational implications.
The legislative process is expected to stretch into 2027, giving organisations time to analyse the proposed changes and adjust their compliance strategies accordingly.
Source
EU officials shut down Signal group chat over security concerns
The European Commission has instructed senior officials to disband a Signal group used for internal communications amid fears of targeted hacking. The episode comes amid escalating cyber threats, including phishing campaigns targeting EU officials and the interception of private conversations.
The case illustrates the vulnerability of digital communications even when using tools widely regarded as secure. The Commission officially recommends Signal over WhatsApp, but these incidents show that no platform is immune if the underlying device is compromised.
The takeaway is clear: robust security protocols for sensitive communications and ongoing staff training on social engineering and phishing remain essential.
Source
---
ARTIFICIAL INTELLIGENCE
EU AI Act: the prohibition of biometric categorization for sensitive characteristics
The Future of Privacy Forum analyses Article 5(1)(g) of the EU AI Act, which prohibits biometric categorization systems that infer race, political opinions, trade union membership, religious beliefs, or sexual orientation from biometric data. The ban applies when the system’s specific purpose is to infer these protected characteristics.
A key point for practitioners: the provision does not prohibit all forms of biometric categorization — only those specifically aimed at inferring protected attributes. The interplay with the GDPR remains complex and will require further clarification, as certain processing activities may still be lawful under Article 9(2) of the Regulation.
Source
Swiss minister files criminal charges over Grok-generated content
Swiss Finance Minister Karin Keller-Sutter has filed criminal charges for defamation over vulgar remarks generated by Elon Musk’s AI assistant Grok. The case stems from a post on X dated 10 March that contained offensive comments generated by the xAI chatbot; the complaint was filed against “unknown persons” because the user behind the post could not be identified.
The case raises fundamental questions about liability for AI-generated content and sets a significant precedent. The line between freedom of expression and harmful AI-generated speech is becoming increasingly difficult to draw. At the same time, Grok continues to face scrutiny from the European Commission over the generation of inappropriate material.
Source
EU bans AI-generated content in official communications
Major EU institutions have barred staff from using artificially generated videos and images in official communications. The Commission, Parliament, and European Council have adopted policies preventing press teams from using AI-generated images and videos. This stance contrasts with governments elsewhere experimenting with deepfakes and synthetic media.
The move aims to safeguard institutional credibility, though it raises questions about the EU’s ability to stay relevant in the age of AI-driven political communication. For organizations and practitioners, it offers a cautious model that prioritizes transparency and authenticity, balancing innovation against reputational risk at a time when synthetic content is increasingly outnumbering human-created material online.
Source
US pressures EU to join the AI chips club
The United States is pushing the European Union to join “Pax Silica”, a global alliance launched in December to counter Chinese dominance in AI supply chains — covering critical minerals, semiconductors, and energy. EU representatives have so far refused to authorize the Commission to open formal negotiations with the US State Department.
US Undersecretary Jacob Helberg has ratcheted up the pressure, lambasting European digital regulations as “innovation killers” and accusing the EU of “regulating itself into irrelevance”. The standoff underscores the growing tension between data protection and technological competitiveness, with the AI Act and other EU rules increasingly seen as barriers to transatlantic AI collaboration.
Source
---
CYBERSECURITY
Critical FortiClient EMS vulnerability actively exploited
Fortinet has issued emergency patches for CVE-2026-35616, a critical vulnerability (CVSS 9.1) in FortiClient EMS that was exploited as a zero-day before disclosure. The flaw allows unauthenticated attackers to execute arbitrary code by bypassing API authentication entirely, and affects versions 7.4.5–7.4.6.
According to Shadowserver, over 2,000 FortiClient EMS instances are exposed online, primarily in the US and Germany, making the potential impact substantial. The attacks were detected over the Easter weekend, reinforcing the pattern of exploitation during holiday periods when security teams operate at reduced capacity. The fact that two critical vulnerabilities in the same product have surfaced in quick succession raises serious questions about Fortinet’s security assurance processes.
Organizations running FortiClient EMS should prioritize immediate patching and assess whether any personal data may have been compromised, while bearing in mind GDPR breach notification obligations.
Source | BleepingComputer
React2Shell campaign for automated credential theft
Cisco Talos researchers have uncovered a large-scale automated campaign exploiting React2Shell (CVE-2025-55182) to compromise Next.js applications. In just 24 hours, the NEXUS Listener framework compromised 766 hosts, harvesting database credentials, SSH keys, cloud tokens, and environment secrets.
The operation, attributed to the threat cluster UAT-10608, uses automated scripts to extract sensitive data from vulnerable applications systematically. The stolen data includes personally identifiable information, exposing victims to potential violations of privacy laws.
Breaches on this scale are likely to trigger notification obligations to supervisory authorities and affected individuals. Immediate server-side exposure audits and credential rotation are critical, along with a careful assessment of the breadth of data that may have been exfiltrated.
Source
Malicious npm packages exploit databases for persistent implants
SafeDep has identified 36 malicious npm packages masquerading as Strapi CMS plugins. The packages abuse Redis and PostgreSQL to deploy reverse shells, harvest credentials, and establish persistent implants via automatic post-installation scripts.
Uploaded from four fictitious accounts, the packages use deceptive names that closely mimic official Strapi plugins. The sophisticated payload includes Docker container escapes, disk-scanning for secrets (crypto wallets, Elasticsearch APIs), and data exfiltration.
For development teams, the message is clear: supply chain attack risks demand rigorous controls over third-party dependencies, including automated scanning and formal approval policies before any new package is added to a corporate codebase.
Source
$285 million hack: a six-month DPRK operation
Drift has revealed that the 1 April attack, which stole $285 million, was the culmination of a six-month North Korean social engineering campaign. The UNC4736/Golden Chollima group executed a methodical approach that began in autumn 2025 through networking at crypto conferences.
The operation illustrates the growing sophistication of state-sponsored attacks on the cryptocurrency sector, applying traditional intelligence tradecraft to digital assets. On-chain links to previous attacks confirm the group’s persistence and operational maturity.
For fintech organizations, the case demands stronger anti-social engineering training and more rigorous due diligence procedures for partnerships and integrations — including scenarios involving the prolonged, multi-vector campaigns typical of state-sponsored threats.
Source
---
SCIENTIFIC RESEARCH
A selection of the week’s most relevant papers from arXiv on AI, Machine Learning, and Privacy
Differential Privacy and Machine Learning
Beyond Laplace and Gaussian: Exploring the Generalized Gaussian Mechanism for Private Machine Learning
New research on additive noise mechanisms for differential privacy that moves beyond the traditional Laplace and Gaussian approaches. The work explores generalized mechanisms to better navigate the trade-off between utility and privacy in machine learning algorithms.
arXiv
Federated Learning and Healthcare Data
BVFLMSP: Bayesian Vertical Federated Learning for Multimodal Survival with Privacy
A framework for multimodal predictive analysis on sensitive data distributed across multiple parties, while respecting privacy constraints. The model integrates Bayesian approaches to provide confidence estimates in predictions — crucial for healthcare applications and critical decision-making.
arXiv
DISCO-TAB: A Hierarchical Reinforcement Learning Framework for Privacy-Preserving Synthesis of Complex Clinical Data
A solution for synthesizing complex clinical data using hierarchical reinforcement learning. It tackles the challenge of scarce high-fidelity biomedical data while preserving privacy — particularly relevant for developing GDPR-compliant clinical decision support systems.
arXiv
Privacy in AI Agents
Do Phone-Use Agents Respect Your Privacy?
The first systematic study of privacy compliance by mobile AI agents. It introduces MyPhoneBench, a framework for evaluating privacy-respecting behaviors in agents that interact with smartphones, and highlights critical gaps in data protection during the execution of seemingly innocuous tasks.
arXiv
Do LLMs Know What Is Private Internally? Probing and Steering Contextual Privacy Norms in Large Language Model Representations
Foundational research into how Large Language Models internally encode contextual privacy norms. It investigates why privacy violations persist even though models can, in theory, recognize private information, with direct implications for corporate AI governance.
arXiv
CARE: Privacy-Compliant Agentic Reasoning with Evidence Discordance
A reasoning system for LLMs that maintains privacy compliance even in the face of contradictory evidence. Especially relevant in healthcare, where patient-reported symptoms may conflict with objective clinical findings, requiring careful handling of confidentiality.
arXiv
Security and Detection
AEGIS: Adversarial Entropy-Guided Immune System – Thermodynamic State Space Models for Zero-Day Network Evasion Detection
A zero-day attack detection system that uses thermodynamic models to analyze TLS 1.3-encrypted traffic. It addresses weaknesses in current Transformer-based classifiers against adversarial attacks — a critical protection for systems processing personal data.
arXiv
RuleForge: Automated Generation and Validation for Web Vulnerability Detection at Scale
An automation platform for generating web vulnerability detection rules. With over 48,000 new CVEs published in 2025, automating the creation of security rules is essential to maintaining adequate data protection standards.
arXiv
---
AI ACT IN A NUTSHELL - Part 15
Article 19 - Automatically generated logging
In the previous installment, we examined the documentation obligations set out in Article 18. We now turn to Article 19, which introduces a fundamental technical requirement for the governance of AI systems: the automatic logging of operational activities.
Article 19 requires high-risk AI systems to be designed and developed with the capability to record events during operation automatically. This obligation falls on providers of high-risk AI systems and is an essential component of the compliance architecture set out in the Regulation.
What the logs must capture
Logging must cover several critical aspects of the system’s operation. First, logs must document the periods during which the system is in use, providing a precise timeline of activity. That is essential for correlating anomalies or incidents with specific operational windows.
Input data is another key element. The system must keep a record of the information it processes, enabling reconstruction of the conditions that led to specific decisions or outputs. Where applicable, particular care must be taken to record individuals monitored by the system, while ensuring compliance with data protection law.
Purpose and use of logs
Automatic logging serves specific accountability and transparency goals. Logs are indispensable for post-market monitoring, enabling providers to spot anomalous patterns or performance degradation over time. They are also a vital resource for supervisory authorities during inspections.
A practical example: an AI system used for bank credit scoring. The logs should record every assessment performed, the data considered, the outcome, and the identity of the individual assessed — all in compliance with privacy rules. This traceability would allow the consistency of decisions to be verified over time and any discriminatory bias to be identified.
Technical and operational considerations
Implementing automatic logging calls for deliberate architectural choices from the design phase onward. Providers must strike a balance between comprehensive logging and practical constraints around performance, storage, and cybersecurity. Because logs frequently contain sensitive information, they must be secured with appropriate measures and managed in line with data minimization principles.
The link between this article and Article 18 on document retention is clear: Article 18 governs the static documentation of the system (technical specifications, instructions for use, conformity assessments), while Article 19 governs the dynamic documentation generated during operation.
Implications for deployers
Although the primary obligation rests with providers, deployers of high-risk AI systems need to be aware of the existence and purpose of this logging. They must also cooperate in managing the logs, especially where these contain personal data for which they act as data controllers, ensuring GDPR compliance.
Failure to comply with logging obligations falls within the AI Act’s general sanctioning framework. Article 99 provides for administrative fines of up to €15 million or, if higher, up to 3% of total worldwide annual turnover for breaches of provider obligations relating to high-risk systems.
In the next installment, we will turn to Article 20 on corrective actions and the duty to inform — examining how providers must handle non-compliance and their obligations to notify competent authorities.
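The credit-scoring example above, as an added illustration of what an Article 19-style record could look like in code (this is not code from the newsletter or any regulator). It assumes a constructed pseudonymization key and constructed assessments; each entry keeps only the inputs the model considered, a keyed pseudonym of the individual rather than the raw identifier (data minimization), and a hash chain so later tampering is detectable, with a helper that surfaces identical inputs that received different outcomes, the consistency check the text mentions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


class AssessmentLog:
    """Append-only, hash-chained log of credit-scoring assessments."""

    def __init__(self, pseudonym_key: bytes):
        # Assumption: the key lives in a secret store, not beside the log.
        self._key = pseudonym_key
        self.entries = []
        self._prev = GENESIS

    def pseudonymize(self, subject_id: str) -> str:
        """Keyed pseudonym: stable per person (needed to audit consistency),
        but not reversible without the key."""
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, subject_id: str, inputs: dict, outcome: str, ts=None) -> str:
        """Append one assessment and return its hash."""
        entry = {
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "subject": self.pseudonymize(subject_id),
            "inputs": inputs,  # only the features the model actually used
            "outcome": outcome,
            "prev": self._prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> int:
        """Index of the first entry whose hash or chain link is broken, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1

    def period_of_use(self):
        """(first, last) timestamps: the period during which the system was in use."""
        if not self.entries:
            return None
        return self.entries[0]["ts"], self.entries[-1]["ts"]

    def inconsistent_decisions(self) -> dict:
        """Identical inputs that received different outcomes: a starting point
        for the consistency and bias review the logs are meant to enable."""
        by_inputs = {}
        for e in self.entries:
            key = json.dumps(e["inputs"], sort_keys=True)
            by_inputs.setdefault(key, set()).add(e["outcome"])
        return {k: sorted(v) for k, v in by_inputs.items() if len(v) > 1}


if __name__ == "__main__":
    log = AssessmentLog(b"constructed-demo-key")
    log.record("IT-TAX-001", {"income": 30000, "age_band": "30-39"}, "approve")
    log.record("IT-TAX-002", {"income": 30000, "age_band": "30-39"}, "deny")
    print("chain intact:", log.verify() == -1)
    print("inconsistent:", log.inconsistent_decisions())
```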
---
LEGAL PROMPTING
Privacy notices and artificial intelligence: opportunities and limits
Having explored prompting techniques for regulatory analysis, we turn today to a topic that concerns every organization subject to the GDPR: drafting privacy notices.
The privacy notice is the first point of contact between the data controller and the data subject. Articles 13 and 14 of the Regulation define its mandatory content; Article 12 governs its form, requiring concise, transparent, and easily understandable language. In practice, however, many privacy notices remain opaque documents — overloaded with boilerplate and short on meaningful substance.
AI can support practitioners in this area, but only under specific conditions. The added value lies not in generating the document from scratch — a language model does not know the organisation’s processing activities, the processors involved or the actual retention periods — but rather in assisting with specific tasks: a systematic review of an existing text against regulatory requirements, the reformulation of complex passages to improve readability, and the adaptation of a well-established notice to different operational contexts.
Each of these tasks requires the practitioner to retain control over the substantive content, using the model as a tool for formal verification and linguistic refinement rather than as a source of legal or factual information. Article 12, in particular, poses an interesting challenge: simplifying without sacrificing legal precision is a balancing act that the model can facilitate, but only the lawyer can validate.
The infrastructure question remains central. Sharing an organization’s processing structure with a cloud-based model means routing organizational information to a third-party provider, with direct implications for professional secrecy and contractual obligations to clients. The AI Act and the GDPR converge in demanding that this choice be deliberate and documented.
Readers following this column may have expected this week’s topic to be RAG, as previewed in the previous issue. An editorial update led us to prioritize privacy notices, a theme that ties directly into this week’s podcast episode. RAG — Retrieval-Augmented Generation — will be the focus of the next issue, where we will address the question of sources and the specific risks this technique introduces in the legal domain.
For further reading:
Legal Prompting: the new frontier of AI in law
---
PODCAST
NicFab Podcast — Legal Prompting - Drafting privacy notices with AI
Third episode of the Legal Prompting series.
How to use AI to work with privacy notices: checking an existing notice for completeness against Articles 13 and 14 of the GDPR, simplifying language without sacrificing legal precision, and adapting a baseline notice to specific contexts (employees, apps, services). Why generating a privacy notice from scratch is a mistake — and how to structure effective prompts for these three concrete tasks.
Read the column in the newsletter.
---
FROM THE NICFAB BLOG
Born Private: your child’s first email is a data protection choice
4 April 2026
Born Private by Proton: reserving an encrypted email address for a minor. What it means for children’s digital identity in light of the GDPR, the principle of data minimization, and the European debate on the protection of minors online.
Read the full article
2 April 2026
A practical classification matrix under the AI Act for 10 categories of AI tools used in European schools. For each category: what it does, which point of Annex III applies, whether it is potentially high-risk, and who qualifies as the deployer.
Read the full article
Human oversight, Legal Prompting and the European regulatory framework on artificial intelligence
1 April 2026
An analysis of the European AI regulatory framework drawing on the rulings of the Courts of Ferrara and Siracusa of February 2026: human oversight as a cross-cutting principle, legal prompting as a professional competence, and an international perspective.
Read the full article
---
Events
IAPP Global Summit 2026: Privacy, AI governance, Cybersecurity law (30 March - 2 April 2026) | EDPB | Info
Committee on Civil Liberties, Justice and Home Affairs (LIBE) meeting (8 April 2026) | European Parliament | Info
Privacy Symposium (20 April 2026) | EDPB | Info
Computers, Privacy and Data Protection - CPDP Brussels (19 May 2026) | EDPB | Info
Nordic meeting (21 May 2026) | EDPB | Info
Commission holds first meeting of Special Panel on child safety online | European Commission | Info
10th Cybersecurity Standardization Conference (held on 12 March 2026) | CEN, CENELEC, ETSI, and ENISA | Proceedings of the cybersecurity standardization conference in the context of the Cybersecurity Act and NIS2. | Info
---
Conclusion
The European data protection landscape is entering a phase of deep reconfiguration, shaped by developments that expose both the growing maturity of the enforcement system and the persistent vulnerability of critical digital infrastructure.
The record €31.8 million fine imposed on Intesa Sanpaolo marks a turning point in GDPR enforcement. Over 6,600 instances of unauthorized access to the records of 3,573 “high-risk” customers — for more than two years without detection — make it clear that having technical and organizational measures on paper is not enough. The Garante has sent an unambiguous signal: what counts is the actual capacity to prevent and detect, not mere documentary compliance.
The attack on the European Commission adds a different but closely related dimension. The initial compromise via the Trivy tool, followed by ShinyHunters’ publication of data from more than 70 European entities, marks a new chapter in the convergence of specialized cybercrime and data extortion. This is the second confirmed data breach affecting the Commission in 2026, underscoring the pattern. Meanwhile, concerns over the security of internal Signal communications and the ban on AI-generated content in official messaging point to a broader climate of heightened institutional vigilance.
On the AI front, the AI Act’s “red lines” on biometric categorization and the Swiss minister’s criminal complaint over Grok-generated content illustrate how hard it is to translate regulatory principles into effective, workable safeguards. The CNIL’s output — from its référentiel on HR data retention to its 2026 enforcement priorities targeting recruitment and sports federations — signals an increasingly sector-specific approach, foreshadowing a future of data protection built on vertical standards rather than general principles alone.
The convergence of privacy, cybersecurity, and AI regulation is no longer a prospect on the horizon — it is today’s operating reality. It demands interdisciplinary expertise and integrated governance. The question that remains open is how to build systems that are simultaneously resilient, effective, and sustainable, without tipping into the paralysis of over-compliance.
---
📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm
🌐 Studio Legale Fabiano:
https://www.fabiano.law
🌐 Blog:
https://www.nicfab.eu
🌐 DAPPREMO:
www.dappremo.eu
---
Supporter
https://lawandtechnology.eu/
https://caffe20.it/
https://privacykit.it/
---
To receive the newsletter directly in your inbox,
subscribe at nicfab.eu
Follow our news on these channels:
Telegram → @nicfabnews
Matrix → #nicfabnews:matrix.org
Mastodon → @nicfab@fosstodon.org
Bluesky → @nicfab.eu
---