Newsletter #20 - 12 May 2026
---
NicFab Newsletter
Issue 20 | May 12, 2026
Privacy, Data Protection, AI, and Cybersecurity
---
Welcome to issue 20 of the weekly newsletter on privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you will find a curated selection of the most relevant news from the previous week, focused on European regulatory developments, case law, enforcement, and technological innovation.
---
In this issue
ITALIAN DATA PROTECTION AUTHORITY
EDPB - EUROPEAN DATA PROTECTION BOARD
EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
EUROPEAN COMMISSION
CNIL - FRENCH AUTHORITY
DPC - IRISH AUTHORITY
EUROPEAN PARLIAMENT
COUNCIL OF THE EUROPEAN UNION
DIGITAL MARKETS & PLATFORM REGULATION
INTERNATIONAL DEVELOPMENTS
ARTIFICIAL INTELLIGENCE
CYBERSECURITY
TECH & INNOVATION
SCIENTIFIC RESEARCH
AI Act in Pills
Legal Prompting
Podcast
From the NicFab Blog
Events of the week and upcoming dates
Conclusion
---
ITALIAN DATA PROTECTION AUTHORITY
Deepfakes: the Italian DPA calls for blocking powers
On May 6, 2026, the Italian DPA returned to the issue of services that generate deepfakes from real images and voices, including apps that “undress” people without consent, reiterating that these practices are potentially criminal conduct and serious violations of European data protection law.
The Authority recalls the warning notice issued in December 2025 against users of Grok, ChatGPT, Clothoff, and similar services, and references the October 2025 block of Clothoff. The political ask is explicit: obtain the power to prevent connections from Italy to these platforms, breaking the viral chain of sharing before the damage becomes irreversible.
The request is notable because it marks a paradigm shift compared with the corrective tools under Article 58 GDPR: not an action against the controller, but an infrastructural block on access, a model so far reserved to AGCOM and the judiciary. An open question remains how this power would coordinate with the DSA, with the European Commission’s competences over VLOPs, and with judicial safeguards on content filtering.
Source
Meta AI training: the right to object before the end of May
With the window for exercising the right to object closing at the end of May, the Italian DPA reminds Italian users of their right to object to the processing of their personal data for training Meta’s artificial intelligence. The notice, formalized in the statement published on the Authority’s institutional website (doc. web no. 10125702), applies to Facebook and Instagram users and — a point often overlooked — also to non-users whose data may nonetheless appear on the platforms because third parties posted them.
Operationally, the Authority identifies a sharp temporal divide: an objection exercised before the end of May excludes all of the person’s data from training, including content already published; one exercised afterward covers only future content, not what has already been ingested into the training datasets. The distinction is legally subtle because it shifts onto the data subject the burden of a time-bound choice with substantially irreversible effects. Meta declares that it relies on legitimate interest under Article 6(1)(f) GDPR as its legal basis; the corresponding right to object is the one under Article 21(1), exercisable at any time but with effects that vary depending on when the objection is filed. The Italian DPA also notes that the right may be exercised against other AI providers — such as OpenAI, DeepSeek, and Google — and that the Authority is working with its European counterparts to assess the lawfulness of the processing, the effectiveness of the right to object, and the compatibility of the purposes.
For DPOs, the operational takeaway is twofold. First, raise the issue in internal and external awareness activities, particularly toward vulnerable populations (minors, through those who exercise parental responsibility). Second, monitor the dialogue among European authorities: the outcome of that coordination will determine whether the legitimate-interest + opt-out architecture holds up as a lawful framework for training generative models at scale, or whether the EDPB will call for a stricter standard. The matter is open and must be tracked closely.
Source
Guest ID documents: no more retention of copies by hotels
In a press release dated April 29, 2026 (doc. web no. 10244195), picked up and amplified by sector press between May 1 and 7, the Italian DPA sent a notice to industry associations in the hospitality sector to restate an operational principle that widespread practice has eroded: the obligation to identify guests under Article 109 of the Italian Public Security Act (TULPS), fulfilled by transmitting data to the Alloggiati Web portal, does not legitimize the retention of photocopies, scans, or digital images of identity documents beyond the time strictly necessary to communicate them to public security authorities.
The only item that may be retained is the transmission receipt, which must be kept for 5 years as proof of compliance. Everything else — phone photos, scans archived in management systems, attachments received via WhatsApp — must be destroyed or deleted immediately. The Authority justifies the intervention with the rise in complaints and personal data breaches reported in the sector in recent months, some involving the exfiltration of substantial volumes of ID-document copies.
Substantively, the notice is a clear reminder of the principles of data minimization (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e)). Operationally, the Italian DPA also flags the need to regulate, under Article 28 GDPR, the relationships with reservation-management and digital check-in service providers that may obtain copies of documents, and to stop using instant-messaging channels to transmit such data. For the millions of controllers in the hospitality sector — hotels, B&Bs, guesthouses, holiday-home managers — this is an immediate operational shift that must be formalized in organizational models and front-office procedures.
Source
—
Full clarification note (doc. web no. 10244289)
---
EDPB - EUROPEAN DATA PROTECTION BOARD
Europe Day 2026: EDPB opens its doors
On May 9, 2026, the EDPB was at the European Parliament (Rue Wiertz 60, Brussels, 10:00 AM – 6:00 PM) for the Schuman Declaration anniversary celebration, with a joint stand alongside the EDPS on the ground floor in the cybersecurity area. The program included a quiz on EU institutions and the debut of the new mascot, “Eddy the beaver.” The event was open to the public.
Source
---
EDPS - EUROPEAN DATA PROTECTION SUPERVISOR
Safe and Ethical AI: a big European idea for the world
To mark Europe Day on May 9, the EDPS published a blog post relaunching the European vision of safe and ethical artificial intelligence, anchored in shared values and fundamental rights. The message is one of positioning: Europe claims authorship of a human-centric, transparent model to be proposed as a global reference at a moment when regulatory trajectories in the United States and China openly diverge from the European one. No regulatory announcement, no new guidelines: an institutional statement that the European Supervisor uses to reaffirm its role in the AI governance debate beyond the AI Act.
Source
---
EUROPEAN COMMISSION
Recommendation (EU) 2026/1035 on age verification
On April 29, 2026, the European Commission adopted Recommendation (EU) 2026/1035, published in the Official Journal on May 7, establishing a common European framework for age-verification technologies.
The act seeks to harmonize national approaches to a topic that has so far remained fragmented, with each Member State testing its own solutions, yielding uneven outcomes in terms of proportionality and data minimization. The choice of form — a recommendation rather than a regulation — confirms its soft-law nature: technical guidance and harmonization of practices, not binding obligations. The implicit reference is twofold: on the one hand, the DSA and platforms’ obligations to protect minors, and on the other, the EUDI Wallet ecosystem, which is emerging as the reference infrastructure for verifiable attributes such as age.
The crux remains the balance with the GDPR: every age-verification solution processes data that may reveal identity, and the risk of drift toward generalized identification systems is real. It will be worth examining closely how the Recommendation articulates the principles of privacy by design, unlinkability, and selective disclosure, and whether the technical indications will be sufficient to prevent the protection of minors from becoming a pretext for mass identification of adults.
Source
—
CELEX
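The selective-disclosure and unlinkability properties the paragraph above asks the Recommendation to articulate can be made concrete. The following Python sketch is an added illustration, not text from Recommendation (EU) 2026/1035 and not EUDI Wallet or Commission code: it follows the SD-JWT pattern (issuer signs only salted digests, the holder reveals one disclosure, the verifier learns nothing else), and then shows the linkability caveat that a single credential reused across verifiers carries the same signed digest set, whereas batch-issued copies with fresh salts do not. The issuer signature is stood in for by an HMAC with a shared demo key so the example runs offline; the attribute values are constructed.

```python
"""Selective disclosure of an age-over-18 attribute (SD-JWT-style, simplified).

Added illustration, not EUDI Wallet or Commission code. The issuer signature is
replaced by an HMAC under a demo key (assumption) so the example runs offline;
a real issuer uses an asymmetric signature and a real JWT/SD-JWT encoding.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"issuer-demo-key"  # assumption: demo key standing in for the issuer's signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _digest(disclosure: str) -> str:
    # Digest over the base64url disclosure string, as SD-JWT does.
    return _b64(hashlib.sha256(disclosure.encode()).digest())


def issue(attributes: dict) -> dict:
    """Issuer side: one salted disclosure per attribute; only the digests are signed."""
    disclosures = {}
    for name, value in attributes.items():
        salt = _b64(secrets.token_bytes(16))  # fresh salt per attribute per issuance
        disclosures[name] = _b64(json.dumps([salt, name, value]).encode())
    digests = sorted(_digest(d) for d in disclosures.values())
    payload = json.dumps({"_sd": digests, "_sd_alg": "sha-256"}, sort_keys=True)
    signature = _b64(hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest())
    return {"payload": payload, "signature": signature, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder side: send the signed payload plus only the chosen disclosures."""
    return {
        "payload": credential["payload"],
        "signature": credential["signature"],
        "disclosures": [credential["disclosures"][n] for n in reveal],
    }


def verify(presentation: dict) -> dict:
    """Verifier side: check the signature, then bind each disclosure to a signed digest.

    Returns only the attributes actually disclosed; raises on tampering or on a
    disclosure that the issuer never signed.
    """
    expected = _b64(hmac.new(ISSUER_KEY, presentation["payload"].encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, presentation["signature"]):
        raise ValueError("bad issuer signature")
    signed_digests = set(json.loads(presentation["payload"])["_sd"])
    revealed = {}
    for disc in presentation["disclosures"]:
        if _digest(disc) not in signed_digests:
            raise ValueError("disclosure not covered by issuer signature")
        padded = disc + "=" * (-len(disc) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        revealed[name] = value
    return revealed


def linkable(p1: dict, p2: dict) -> bool:
    """Two presentations are linkable by colluding verifiers if they carry the same signed digest set."""
    return json.loads(p1["payload"])["_sd"] == json.loads(p2["payload"])["_sd"]


if __name__ == "__main__":
    # Constructed sample attributes for the demo.
    attrs = {"given_name": "Alice", "family_name": "Rossi", "birthdate": "1990-01-01", "age_over_18": True}
    cred = issue(attrs)
    pres = present(cred, ["age_over_18"])
    print(verify(pres))  # only age_over_18: no name, no birthdate reach the verifier
    # One credential shown to two verifiers is linkable; two batch-issued copies are not.
    print(linkable(pres, present(cred, ["age_over_18"])))
    print(linkable(pres, present(issue(attrs), ["age_over_18"])))
```

The verifier ends up with the boolean it needs and nothing that identifies the adult, which is the data-minimization point of the paragraph; the last two calls show why "selective disclosure" alone does not deliver unlinkability, and why wallet designs rely on batch issuance or pairwise credentials rather than on a single long-lived attestation reused everywhere.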
AI Act, Article 50: the Commission opens consultation on transparency guidelines
On May 7, 2026, the AI Office published the draft Guidelines on the implementation of transparency obligations for certain AI systems under Article 50 of the AI Act, followed on May 8 by the press release opening the public consultation. The text addresses the obligations on providers and deployers of AI systems that interact directly with natural persons (chatbots and conversational assistants), generate synthetic image, audio, video, or text content (generative models), perform emotion recognition or biometric categorization, or produce deepfakes and content intended to inform the public on matters of public interest.
Substantively, the draft clarifies the scope of application, the relevant definitions, the perimeter of the exemptions, and horizontal issues, in particular the marking and machine-readable identification of AI-generated or AI-manipulated content — an obligation whose deadline, as reformulated by the Digital Omnibus, has been moved to December 2, 2026. The consultation runs in parallel with the finalization of the Code of Practice on the marking and labeling of AI-generated content, a voluntary tool to support the obligations of Article 50.
The initiative fills a concrete gap: among the AI Act provisions effectively in force from August 2, 2026, the transparency rules under Article 50 are among the few that will remain applicable on the original timeline (net of the watermarking delay), while the regime for high-risk systems has been postponed to December 2027. Once adopted, the guidelines will steer the enforcement approach of national market-surveillance authorities and the AI Office.
Source — Draft guidelines
—
Commission release, May 8
EU-Japan: 4th Digital Partnership Council relaunches cooperation on AI, data, quantum, and semiconductors
On May 5, 2026, the fourth EU-Japan Digital Partnership Council took place in Brussels, with Executive Vice-President Henna Virkkunen and Japanese ministers Hisashi Matsumoto (Digital Transformation), Yoshimasa Hayashi (Internal Affairs and Communication), and METI Parliamentary Vice-Minister Toshiyuki Ochi. The Joint Statement sets out an agenda built on four pillars: data governance, with the operational evolution of Data Free Flow with Trust (DFFT); frontier technologies, with a focus on trustworthy AI and quantum technologies; the security of digital infrastructure (submarine cables and semiconductors, with use of the Early Warning Mechanism for supply chains); and online-platform regulation.
Among the new deliverables, the most prominent is a cooperation agreement on transparency in content moderation systems and the effectiveness of reporting systems for illegal content and rights-infringing information — a natural ground for intersection with the European DSA. Both sides have also agreed to extend the scope of work to video games and audiovisual strategies, and the fifth Council is already scheduled for Tokyo in 2027.
The framing is geopolitical: at a moment when the United States and China are building diverging regulatory ecosystems on AI and data flows, the EU-Japan axis positions itself as a laboratory of interoperability among like-minded democratic jurisdictions, including on digital identity and verifiable attributes (with potential implications for both EUDI Wallet and Japan’s digital My Number).
Source — Joint Statement
—
Commission release IP/26/978
---
CNIL - FRENCH AUTHORITY
Privacy Research Day 2026: fifth edition in Paris during the G7
CNIL announced the fifth edition of the Privacy Research Day, scheduled for June 24, 2026, at the French Authority’s headquarters and via streaming. The event takes place within the G7 of data protection authorities hosted by CNIL and precedes the Round Table among the authorities by one day.
The meeting brings together researchers, lawyers, computer scientists, economists, interface designers, and regulators from the G7 countries (France, the United States, the United Kingdom, Germany, Japan, Italy, and Canada) and the European Union. The 2026 edition emphasizes interdisciplinarity: works that cross multiple fields are explicitly encouraged.
The opening keynote is delivered by Marie-Laure Denis, President of CNIL. The first panel addresses the limits of AI regulation, with an analysis of data-reconstruction attacks against machine learning models and a critical reading of the “safety” discourse promoted by major industry players. Registration is free; sessions are in English with French subtitles.
Source
Credit scoring: the CNIL recommendation after CJEU judgments C-634/21 and C-203/22
On May 7, 2026, following a public consultation, CNIL published the updated recommendation on the use of personal data for assessing creditworthiness when granting credit. The text is addressed to private credit-granting bodies and to intermediaries in banking and payment services.
The update implements the judgments of the Court of Justice of the EU in cases C-634/21 and C-203/22, which qualified scoring as automated decision-making when it plays a determining role in granting credit and established the right to an explanation of the mechanism that led to the decision. The scope also covers the use of AI systems for scoring and for providing inputs to the FICP (French national database of payment incidents), which generates a significant volume of complaints before the Authority.
The recommendation translates the obligations of transparency, accountability, and the protection of rights into operational guidance, especially with respect to fully or partly automated decisions.
Source
Consumer credit: the CNIL guide for applicants
Alongside the technical recommendation, CNIL published a public-facing factsheet for consumers applying for a loan. The text clarifies which data banks may collect (account statements, employment information, etc.), for which purposes (creditworthiness assessment, anti-money laundering, counter-terrorism financing, anti-fraud), and which uses are excluded, in particular commercial prospecting.
The Authority reiterates that there is no automatic right to a bank loan in France and that scoring may be used as a decision-support tool. Applicants have the right to understand how their situation is evaluated, to know which data are used, and, in specified cases, to know the reasons for the decision: aspects that directly reflect the CJEU case law already referenced in the companion recommendation.
Source
G7 2026: CNIL hosts the Round Table of privacy authorities in Paris
From June 23 to 26, 2026, CNIL will host the annual meeting of the G7 Round Table of data protection authorities in Paris, under the French presidency. Participating authorities include Germany, Canada, the United States, France, Italy, Japan, the United Kingdom, and the European Union.
The forum, established in 2021, pursues three objectives: information exchange on legal, technological, and operational developments; strategic dialogue among the heads of authorities; and the search for common positions on shared topics. For 2026, three working tracks continue: emerging technologies, cooperation in enforcement, and the free flow of data.
The French presidency declares its intention to prioritize an approach grounded in dialogue and the search for operational convergences, against a backdrop marked by the expansion of AI and rising expectations for data protection.
Source
Agenda of the plenary session of May 5, 2026
The CNIL plenary on May 5 examined the opinion on Article 5 of the draft Child Protection Bill, heard a presentation titled “From language models to world models,” and — under the Article 17 procedure — examined the accreditation of AFNOR Certification as a monitoring body for the Alliance du Commerce code of conduct and the amendment of the reference framework on retention periods for HR processing.
Source
---
DPC - IRISH AUTHORITY
SHEIN under investigation: data transfers to China
On May 5, 2026, the Irish Data Protection Commission announced the opening of an inquiry into Infinite Styles Services Co. Ltd. (SHEIN Ireland), the European establishment of the fast-fashion giant, following the formal notice of inquiry sent to the company on April 30, 2026. The investigative scope is organized around three axes: transfers of personal data of EU/EEA data subjects to China (GDPR Chapter V), compliance with the principles relating to processing (Article 5 GDPR), and transparency obligations under Article 13 GDPR.
The statement by Deputy Commissioner Graham Doyle frames the decision as an explicit shift in strategic priorities: recent DPC action, together with complaints lodged with other European authorities, has placed transfers to China at the center of the enforcement agenda. The implicit reference is to the TikTok decision of May 2, 2025 (€530 million fine, currently under appeal), which had already marked a turning point in Irish administrative case law on extra-EU transfers to high-risk jurisdictions.
The case is significant on two levels. Substantively, SHEIN processes the personal data of hundreds of millions of European consumers and, being established in Ireland, falls fully within the one-stop-shop mechanism under Irish lead supervision: any final decision will have effect across the single market. Systemically, the DPC declares its intention to cooperate closely with the other European supervisory authorities, anticipating a coordinated proceeding that could structurally recalibrate the evidentiary standard required to demonstrate supplementary measures under Schrems II when the destination country has a government-access framework comparable to China’s.
Source
---
EUROPEAN PARLIAMENT
AI Act: political agreement on simplification and ban on “nudifier” apps
On May 7, the European Parliament and the Council reached a provisional agreement on the revision of certain AI Act provisions within the Digital Omnibus package. The compromise redesigns the application timeline: obligations for high-risk systems will apply from December 2, 2027, for the use cases listed in Annex III (biometrics, critical infrastructure, education, employment, law enforcement, border management), and from August 2, 2028, for AI systems operating as safety components covered by sectoral product legislation. The obligation to mark and identify AI-generated or AI-manipulated content has been set at December 2, 2026 — a date earlier than the February 2, 2027, originally floated in the Commission’s proposal, but still later than the AI Act’s original timetable.
On the substantive side, the agreement introduces an explicit ban on AI systems designed to generate child sexual abuse material or images, videos, and audio depicting intimate parts or sexual acts of identifiable persons without consent. The ban covers placing on the market with such purpose, placing on the market without reasonable safety measures suitable to prevent unlawful use, and use by deployers. Compliance deadline: December 2, 2026.
The text also reduces overlaps with machinery safety legislation, narrows the notion of “safety component” (excluding AI functions that are merely assistive or optimization-related and do not affect health or safety), and authorizes the processing of personal data when strictly necessary to detect and correct bias, with appropriate safeguards, both in high-risk and non-high-risk contexts.
Source
Health and well-being in the AI era: the EPRS briefing
The European Parliamentary Research Service published on May 6 a briefing by Laurence Amand-Eeckhout on the impact of AI on health and well-being. The document maps the clinical benefits in radiology, oncology, cardiology, and rare diseases, as well as in hospital management and drug development, alongside the risks of consumer use of health chatbots: disinformation and over-reliance.
The analysis is disaggregated by age group. For older adults: remote monitoring and assistive technologies, with the risk that machines replace rather than complement the human relationship. For minors and young people: exposure to harmful content, emotional dependence, privacy violations, and erosion of critical thinking. Transversally, the briefing flags anxiety, sleep disturbances, sedentary behavior, and social withdrawal. AI companions may aggravate isolation or trigger crises in vulnerable individuals. The reference regulatory framework remains the AI Act, complemented by sectoral legislation.
Source
Parliament resolution on digitalization, AI, and algorithmic management at work
Published in the Official Journal: resolution P10_TA(2025)0337 of December 17, 2025, by which the European Parliament makes recommendations to the Commission on digitalization, artificial intelligence, and algorithmic management in the workplace (procedure 2025/2080(INL)). This is a legislative initiative under Article 225 TFEU: the Parliament formally asks the Commission to present a proposal on a file currently covered in a fragmentary way across the AI Act (high-risk systems in employment, Annex III), the GDPR (Article 22 on automated decisions), and the Platform Work Directive. Also available on EUR-Lex under identifier CELEX:52025IP0337.
Source
—
CELEX
---
COUNCIL OF THE EUROPEAN UNION
Artificial Intelligence: Council and Parliament agree on streamlining the rules
On May 7, 2026, the Council of the EU announced the agreement with the European Parliament on the simplification of the Digital Omnibus, institutionally confirming the provisional understanding reached by the co-legislators. For the substantive analysis — application timetable, prohibitions, scope changes — see the EUROPEAN PARLIAMENT section.
Source
Cybersecurity Act 2 and the NIS2 review: document ST 8980 2026 INIT
On May 5, 2026, document ST 8980 2026 INIT was circulated, containing the proposal for a Regulation on ENISA, the European cybersecurity certification framework, and ICT supply-chain security, intended to repeal Regulation (EU) 2019/881 — the so-called Cybersecurity Act 2. The package is accompanied by a proposal for a Directive amending Directive (EU) 2022/2555 (NIS2) with simplification measures and alignments with the new Cybersecurity Act 2. Two qualifying elements stand out: the entry of ICT supply-chain security as an autonomous object of EU-level regulation, and the early review of NIS2 before the national transposition cycle has even been absorbed by operators. The document also reports the opinion (with a truncated reference in the available material), which should be examined to gauge the institutional positioning on the underlying choices.
Source
---
DIGITAL MARKETS & PLATFORM REGULATION
DSA: consolidated text of Regulation (EU) 2022/2065 published
The Council of the EU has made available document ST 8665 2026 INIT containing the consolidated text of Regulation (EU) 2022/2065 on the single market for digital services, amending Directive 2000/31/EC. A useful reference to keep on hand, given the multiplying national and Commission investigations.
Source
Ireland opens a DSA investigation into Facebook and Instagram recommender systems
Coimisiún na Meán announced on Tuesday an investigation into Meta for suspected DSA violations relating to the recommendation systems of Facebook and Instagram. The focus is on dark patterns: the Irish regulator suspects that the interfaces of the two platforms discourage users from selecting non-profile-based feeds, and prevent them from modifying or accessing recommendations independent of tracking.
The obligation for designated platforms to offer at least one non-profiling recommendation option remains the exclusive competence of the Commission. It therefore lies outside the scope of the Irish inquiry. If a violation is established, the penalty can reach up to 6% of Meta’s global turnover.
John Evans, digital services commissioner, referenced the “potential harm” of algorithms that repeatedly push harmful content into feeds, specifically referring to recent episodes of anti-immigration tension amplified on social platforms in Ireland. In March, a Dutch court had already upheld a national DSA measure requiring Meta to maintain the user’s stable, non-profiled timeline without automatic resets. The Commission’s investigations into Meta have so far remained on other fronts: child safety, electoral integrity, illegal content, and transparency.
Source
---
INTERNATIONAL DEVELOPMENTS
India AI Impact Summit 2026: sandboxes, geopolitics, and new governance priorities
From February 16 to 21, 2026, New Delhi hosted the AI Impact Summit, with 600,000 participants and 92 signatories of the New Delhi Declaration. The Future of Privacy Forum took part both in the Pre-Summit on January 20, co-organized with Nasscom on “Building Safe Spaces for AI Impact: Regulatory and Private Sandboxes,” and in the February week with a delegation led by CEO Jules Polonetsky, APAC Managing Director Josh Lee Kok Thong, and India Policy Manager Bilal Mohamed.
The official framing revolved around infrastructure, compute capacity, and equitable access to AI, but the substance was different. The global conversation has shifted from principles to building the regulatory infrastructure that operationalizes them. Sandboxes — both regulatory and private — are identified as a concrete tool for testing models and rules in controlled environments before scaled deployment.
FPF identifies three threads that will weigh in over the coming months: the role of sandboxes as governance infrastructure; the resilience of multilateral dialogue on AI in the face of geopolitical divergence; and the centrality of two specific dossiers — child safety and agentic AI — on which technology is moving faster than the frameworks meant to discipline it.
Worth noting is the prominence of a Global South country in shaping the global agenda, at a time when Brussels, Washington, and Beijing are pursuing trajectories that are increasingly hard to reconcile.
Source
---
ARTIFICIAL INTELLIGENCE
Youth, conversational AI, and mental health: the VYV-CNIL survey
Nearly 9 in 10 young people in France use conversational AI, and 48% discuss personal or intimate topics with it. Thirty-three percent see it as a sort of “therapist” in some cases — a figure that rises to 46% among those suffering from anxiety. The survey conducted by Groupe VYV and CNIL across four European countries captures a shift in usage: from academic or professional utility to personal confidence, in a context where, in France, over one young person in four shows symptoms of generalized anxiety disorder.
The trust figures are striking when read alongside the awareness data: 69% believe AI can give reliable advice, 56% that it can keep conversations private, and 51% that it can protect the information shared. But only 32% say they know what happens to their data. 34% of those who used AI for personal matters felt uncomfortable with the advice they received, and 85% want more information on risks and best practices. Family and friends remain the primary interlocutors; AI is added, not substituted.
Source
OpenAI under investigation: joint action by Canadian privacy authorities
On May 6, 2026, the Privacy Commissioner of Canada Philippe Dufresne, together with the privacy authorities of Quebec (CAI), British Columbia (OIPC-BC), and Alberta (OIPC-AB), published the findings of the joint investigation opened in May 2023 into OpenAI OpCo, LLC. The report — PIPEDA Findings #2026-002, citation 2026 BCIPC 41, 128 pages — concludes that the initial training of ChatGPT (GPT-3.5 and GPT-4 models) did not comply with Canadian federal and provincial privacy laws.
Seven areas of non-compliance were established: disproportionate collection of personal information (including health conditions, political views, and data relating to minors) without adequate safeguards; lack of valid consent for data collected from the public web and user interactions; transparency shortcomings regarding model practices; inaccuracy of personal information in outputs; difficulty in exercising rights of access and rectification; absence of formal retention policies; and lack of accountability with respect to risks known at launch. Dufresne is blunt: OpenAI launched ChatGPT without fully addressing known privacy issues, exposing individuals to the risk of breaches and discrimination.
OpenAI has committed to corrective measures on defined timelines: a bilingual Canadian blog post on privacy practices concurrent with the report; pre-prompt notice in the signed-out version of ChatGPT within three months; improved data-export format within six months; formalized retention policies; and quarterly compliance reporting. The federal Privacy Commissioner deems the complaint “well-founded and conditionally resolved” under PIPEDA.
The case has systemic relevance for AI governance: it is the first multi-jurisdictional joint investigation into a GPAI provider, concluded in a jurisdiction that holds an adequacy decision under the GDPR. The criteria applied — explicit consent, appropriate purposes, accountability, retention — largely replicate the test articulated by the EDPB in Opinion 28/2024 on AI models. The fact that the GPT-3.5 and GPT-4 models are now superseded or no longer central to the commercial offering enabled the Canadian regulators to close the proceeding pragmatically, but the evidentiary framework developed will remain available for future investigations into next-generation models.
Source — OPC news release
—
Detailed report PIPEDA Findings 2026-002
Digital Omnibus on AI: Council opinion on subsidiarity and proportionality
Published on EUR-Lex: Council opinion (ST 8918/2026) on the proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 — the Digital Omnibus [COM(2025) 836 final, 15708/25] — on the application of the principles of subsidiarity and proportionality to the simplification intervention.
Source
Political pressure for deeper cuts to the AI Act
The Digital Omnibus agreement is not enough for liberals, centrists, and industrial lobbies. Liberal Dutch MEP Bart Groothuis, speaking at POLITICO’s AI & Tech Week, said he had yet to decide his plenary vote: “We need to deregulate much, much faster than we are doing now.” Swedish conservative Arba Kokalari complained about the lack of ambition among Member States, while German liberal Svenja Hahn blamed them for failing to broaden sectoral exemptions.
CCIA Europe, which represents Meta, Google, and Apple among others, speaks of a “clear opportunity” to simplify. BSA (Zoom, IBM, SAP) is on the same line. Socialists and Greens push back: industrial exemptions cannot override safety and fundamental rights. The political signal is that the Digital Omnibus does not close the file: the deregulatory push, also fueled by Washington, will continue to weigh on upcoming digital files.
Source
Anthropic: Claude’s blackmail attempts came from texts portraying AI as “evil”
Anthropic attributes a specific cause to the blackmail attempts observed in Claude Opus 4 during last year’s pre-release tests, when the model — in fictional scenarios — tried to blackmail engineers to avoid being replaced: the origin, the company says, lies in internet texts that portray AI as evil and self-preservation-oriented. Similar behaviors, defined as “agentic misalignment,” had also been documented in models from other providers.
According to the company, from Claude Haiku 4.5 onwards, the models no longer engage in blackmail in tests, unlike earlier versions, which achieved rates of up to 96%. The change is attributed to training on documents related to Claude’s “constitution” and on stories of AI behaving correctly, combining alignment principles with practical demonstrations. This is a relevant data point for those working on red teaming, model evaluation, and risk-management obligations for GPAI under the AI Act: the composition of the training corpus, including cultural narratives about AI, falls within the perimeter of systemic risk.
Source
---
CYBERSECURITY
Salt Typhoon hits an IBM company in Italy: INPS, INAIL, and PA data exposed
The news emerged between May 4 and 5, 2026: an intrusion attributed to the Chinese APT group Salt Typhoon struck Sistemi Informativi S.r.l., a company controlled by IBM that operates technological infrastructure for the Italian public administration, including systems serving INPS and INAIL. The attack had been ongoing for two weeks before becoming public, and internal technicians, alongside a team from the National Cybersecurity Agency (ACN), are working on remediation and recovery. The extent of the damage and the volume of exfiltrated data are still being assessed.
Salt Typhoon does not operate on ransomware logic: it does not encrypt or destroy data, but silently exfiltrates as much data as possible after compromising a system. It is the modus operandi of strategic cyber espionage, already observed by U.S. agencies in U.S. telco breaches in 2024-2025. IBM confirmed the incident with a formal statement: “We have identified and contained a cybersecurity incident. We continue to monitor our environment as we investigate the matter.”
The legal relevance is significant on several fronts. Under NIS2, the incident affects an entity providing essential services to public bodies in the social welfare and protection sectors: any spillover onto INPS and INAIL, as controllers, bears on the supplier’s qualification as a manager of a critical ICT supply chain. Under the GDPR, the correct handling of notifications under Article 33 and, where applicable, under Article 34 must be verified. From the chain-of-responsibility perspective, the “IBM Italy → Sistemi Informativi → public-body controllers” structure calls for a careful reading of Article 28 relationships and sub-processors, consistent with the emerging case law on the processing chain. The case fits within the framework outlined in Council document ST 8980 2026 (Cybersecurity Act 2), which puts ICT supply-chain security squarely at center stage.
Source — Federprivacy
Zara: 197,000 customers exposed
ShinyHunters claimed responsibility for exfiltrating a 140 GB archive from Inditex BigQuery instances, obtained via compromised Anodot authentication tokens. Have I Been Pwned quantified the exposure at 197,400 unique email addresses, along with product SKUs, order IDs, and the market of origin for support tickets. Inditex says that names, phone numbers, addresses, credentials, and payment data were not compromised, and attributes the incident to a former technology supplier whose name it does not disclose. The group told BleepingComputer it had hit dozens of companies with the same Anodot scheme, while attempts on Salesforce failed thanks to AI-based detection systems. The chain is the same as already seen at Google, Cisco, Vimeo, and Match Group: corporate SSO compromised via vishing, with fan-out access to connected SaaS. The legally interesting point is the silence on the supplier’s identity: from the chain-of-responsibility perspective under Article 28 GDPR, opacity about the processor is itself a choice that should attract scrutiny from authorities.
Source
NVIDIA confirms the GeForce NOW breach for Armenian users
NVIDIA confirmed to BleepingComputer that the breach concerns exclusively the infrastructure of regional partner GFN.am, operating in Armenia, with no impact on the parent company’s network. The incident, which took place between March 20 and 26, exposed full name (for those registered via Google), email, phone number (if registered through a mobile operator), date of birth, and username. Passwords are not reported as compromised, and users registered after March 9 are not affected. GFN.am also runs services in Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan, but no impact has been confirmed in those countries so far. The initial claim on hacker forums by a self-styled ShinyHunters spoke of millions of records and a price of $100,000 in Bitcoin or Monero; the account is now considered an impostor, and the post has been removed. The “Alliance partner” model, with locally managed authentication systems and customer databases, draws a responsibility map that the global controller cannot offload downstream without consequences.
Source
Braintrust asks for API key rotation after an AWS breach
The AI model evaluation and observability platform Braintrust discovered unauthorized access to one of its AWS accounts on May 4 and notified customers on May 5 with IOCs and remediation instructions. The compromised account likely contained the API keys customers use to access AI model providers. One customer is directly affected; three others reported anomalous consumption spikes at AI providers. Braintrust recommends revoking secrets at the organization level, regenerating them, and reviewing timestamps. Jaime Blasco (Nudge Security) told SecurityWeek that the blast radius is not Braintrust but the entire downstream AI stack of customers: a single SaaS compromise propagates across dozens of accounts at LLM providers. Evaluation, observability, and AI gateway platforms effectively function as credential stores and become priority targets in the supply chain. For those mapping suppliers for DPIA and Article 28 purposes, a category that did not exist yesterday must now be added to the records.
Source
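The response steps described above (revoke, regenerate, review timestamps, look for consumption spikes) can be partly automated from a provider’s usage export. The following is an added example, not Braintrust’s or any provider’s code: it assumes a JSON-lines export with the fields key_id, ts and tokens, and the incident window and sample records are constructed for illustration. It ranks which keys to revoke first; all keys held in the compromised store should still be rotated.

```python
"""Triage API-key usage around a SaaS credential-store compromise.

Added example (not Braintrust's or any LLM provider's code). It assumes the
provider exports per-request usage as JSON lines with the fields "key_id",
"ts" (ISO 8601, UTC) and "tokens"; field names, the incident window and the
sample records below are constructed for illustration.
"""
from __future__ import annotations

import json
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed incident window: unauthorized access discovered on May 4,
# customers notified May 5; we look at May 4 and May 5 (UTC).
INCIDENT_START = datetime(2026, 5, 4, tzinfo=timezone.utc)
INCIDENT_END = datetime(2026, 5, 6, tzinfo=timezone.utc)

# Constructed sample export: normal traffic in late April, then the window.
SAMPLE_USAGE = """\
{"key_id": "key-eval-01", "ts": "2026-04-30T09:12:00Z", "tokens": 1200}
{"key_id": "key-eval-01", "ts": "2026-05-01T10:03:00Z", "tokens": 1100}
{"key_id": "key-eval-01", "ts": "2026-05-02T11:40:00Z", "tokens": 1300}
{"key_id": "key-eval-01", "ts": "2026-05-04T22:15:00Z", "tokens": 48000}
{"key_id": "key-eval-01", "ts": "2026-05-05T01:02:00Z", "tokens": 51000}
{"key_id": "key-obs-02", "ts": "2026-04-30T08:00:00Z", "tokens": 900}
{"key_id": "key-obs-02", "ts": "2026-05-01T08:00:00Z", "tokens": 950}
{"key_id": "key-obs-02", "ts": "2026-05-02T08:00:00Z", "tokens": 1000}
{"key_id": "key-obs-02", "ts": "2026-05-04T08:00:00Z", "tokens": 1050}
{"key_id": "key-gw-03", "ts": "2026-05-04T23:50:00Z", "tokens": 7000}
{"key_id": "key-gw-03", "ts": "2026-05-05T03:10:00Z", "tokens": 9000}
{"key_id": "key-ci-04", "ts": "2026-04-29T12:00:00Z", "tokens": 300}
{"key_id": "key-ci-04", "ts": "2026-05-01T12:00:00Z", "tokens": 320}
"""


@dataclass(frozen=True)
class UsageRecord:
    key_id: str
    ts: datetime
    tokens: int


def parse_usage(text: str) -> list[UsageRecord]:
    """Parse JSON-lines usage records; timestamps are normalized to UTC."""
    records: list[UsageRecord] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        ts = datetime.fromisoformat(obj["ts"].replace("Z", "+00:00"))
        records.append(UsageRecord(obj["key_id"], ts.astimezone(timezone.utc), int(obj["tokens"])))
    return records


def daily_totals(records: list[UsageRecord], start: datetime | None = None,
                 end: datetime | None = None) -> dict[str, dict[date, int]]:
    """Sum tokens per key per UTC day, restricted to [start, end)."""
    totals: dict[str, dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        if start is not None and r.ts < start:
            continue
        if end is not None and r.ts >= end:
            continue
        totals[r.key_id][r.ts.date()] += r.tokens
    return totals


def triage_keys(records: list[UsageRecord], incident_start: datetime,
                incident_end: datetime, spike_factor: float = 5.0) -> dict[str, str]:
    """Return {key_id: reason} for keys whose use inside the incident window
    is anomalous: first-ever use during the window, or a daily peak above
    spike_factor times the key's pre-incident median daily consumption."""
    before = daily_totals(records, end=incident_start)
    during = daily_totals(records, start=incident_start, end=incident_end)
    findings: dict[str, str] = {}
    for key_id, days in during.items():
        peak = max(days.values())
        if key_id not in before:
            findings[key_id] = "first use inside incident window (no baseline)"
            continue
        baseline = statistics.median(before[key_id].values())
        if peak > spike_factor * baseline:
            findings[key_id] = f"peak {peak} tokens/day vs baseline {baseline:.0f}"
    return findings


if __name__ == "__main__":
    for key, reason in triage_keys(parse_usage(SAMPLE_USAGE), INCIDENT_START, INCIDENT_END).items():
        print(f"REVOKE FIRST {key}: {reason}")
```

Keys used only before the window (key-ci-04) are not flagged, yet they were in the store and still need rotation; the ranking only decides order, not scope.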
Poland: ICS breached at five water treatment plants
ABW, the Polish internal security agency, documented in its biennial report intrusions into the industrial control systems of water plants in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. In some cases, attackers gained the ability to modify the equipment’s operational parameters, posing a direct risk to service continuity and the safety of the delivered water. The vectors are familiar: weak password policies and systems directly exposed to the Internet — the same ones exploited in the Russian-attributed attack on the Polish energy sector. ABW attributes the attacks to hacktivist groups acting as fronts for foreign intelligence services, specifically citing APT28, APT29, and the Belarusian UNC1151. The report extends the perimeter also to wastewater plants, incinerators, and municipal supply chains, where attackers seek contractual data, project documentation, and credentials for pivoting.
Source
The same playbook threatens U.S. water utilities
The Polish case is not isolated. TechCrunch recalls the Oldsmar (Florida) episode of 2021, when an attacker tried to raise sodium hydroxide to dangerous levels at a water plant, and the activity of the Iranian group CyberAv3ngers, which in 2023 breached digital control panels at multiple water plants in Pennsylvania. A joint advisory by CISA, FBI, NSA, and other federal agencies warns that Iran-linked actors are actively targeting PLCs at U.S. utilities. The geopolitical reading of the ABW report is explicit: cyberattacks and cyber espionage are tools of a Russian strategy to destabilize the West, applied both in Ukraine and against NATO countries. For those handling NIS2 compliance on essential entities in the water sector, the operational lesson is banal and routinely ignored: OT/IT segmentation, elimination of direct Internet exposure, and strong authentication on PLCs.
Source
ENISA Root: four new CNAs join the CVE Program
On May 6, 2026, ENISA announced the onboarding of four new European organizations as CVE Numbering Authorities (CNAs) under ENISA Root. This is the first cohort of CNAs trained and supported directly by the European agency since it was elevated, in November 2025, to CVE Root alongside MITRE, CISA, Google, Red Hat, and JPCERT/CC. At the same time, seven already active European CNAs voluntarily migrated from MITRE Root to ENISA Root.
Hans de Vries, ENISA Chief Cybersecurity and Operations Officer, calls the move “a significant milestone for European cybersecurity”: the shift brings concrete operational vulnerability-disclosure coordination functions under the agency, alongside its role in managing the European Vulnerability Database (EUVD) under Article 12 of NIS2 and the build-out of the Single Reporting Platform under the Cyber Resilience Act (mandatory from September 2026 for manufacturers required to notify actively exploited vulnerabilities).
The structural data point is significant: Europe accounts for roughly one-fifth of the 510 CNAs globally, with more than 90 organizations potentially transferable to ENISA Root. Centralization on a European Root reduces dependence on U.S. infrastructure (MITRE/CISA) for identifying and publishing vulnerabilities that affect European products or are exploited against European entities. For NIS2 controllers — essential entities — this means the pipeline from disclosure through EUVD to CRA notification consolidates under a unified governance, with practical effects on response SLAs, record quality, and time-to-publish for vulnerability-management workflows.
Source
---
TECH & INNOVATION
Google tweaks the privacy wording of on-device AI in Chrome
Google modified, in Chrome 148, the text describing how on-device AI works, removing from the “On-device AI” entry in System settings the line “without sending your data to Google servers.” The change, not yet distributed to all users, was spotted on Reddit and amplified by Alexander Hanff, who publicly asked whether the rewording signals an architectural change, an inaccuracy in the previous wording, or a legal choice to avoid defending it as a representation.
A Google spokesperson said there is no change to how Chrome’s on-device AI works, and that data passed to the model is processed exclusively on the device. The timing explains the alarm: the change emerges as Chrome distributes the Prompt API, which exposes a programmatic interface to the local model to web pages, and as the silent download of the 4 GB Nano model to user devices has become public knowledge. Gemini Nano has been present in Chrome since 2024, initially as a preview with Chrome 126; the download and storage are not yet opt-in, but the ability to disable and remove the model has been introduced.
The legal point remains the consistency between the representations made to the data subject and the actual processing: a representation removed — even without technical changes — weakens the position of those who must demonstrate transparency under Article 13 GDPR with respect to processing that involves a locally pre-installed model without prior consent.
Source
---
SCIENTIFIC RESEARCH
Selection of the most relevant papers of the week from arXiv on AI, Machine Learning, and Privacy
Privacy of training and fine-tuning pipelines
Channel-Level Semantic Perturbations: Unlearnable Examples for Diverse Training Paradigms
The authors extend the unlearnable-examples paradigm to the pretraining-finetuning setting, so far neglected by the UE literature that focused on training from scratch. The channel-level perturbations aim to prevent feature learning even when protected data are used to fine-tune pre-trained models — the dominant scenario today. A relevant technique as a technical safeguard against unauthorized scraping for training.
arXiv
PACZero: PAC-Private Fine-Tuning of Language Models via Sign Quantization
A zeroth-order PAC-private mechanism for fine-tuning LLMs operating in the regime $I(S^*; Y_{1:T})=0$, where the posterior success rate of an MIA is bounded by the prior. The authors argue that the DP framework achieves an equivalent level of MIA resistance only at $\varepsilon=0$ with infinite noise, proposing PAC-privacy as a more usable alternative for equivalent anti-MIA guarantees.
arXiv
Quadratic Objective Perturbation: Curvature-Based Differential Privacy
An extension of objective perturbation in differentially private ERM: the authors remove the bounded-gradients assumption required by the classical Linear Objective Perturbation, replacing the deterministic quadratic term with one based on curvature. Result: applicability to a broader class of modern ML models previously excluded from DP guarantees via objective perturbation.
arXiv
Machine Unlearning and erasure
DurableUn: Quantization-Induced Recovery Attacks in Machine Unlearning
A relevant finding: INT4 quantization at deployment time systematically restores content already “forgotten,” even when the model passes compliance audits at BF16 precision. The authors call this attack the Quantization Recovery Attack (QRA). The legal consequence is direct: an unlearning audit performed on the full-precision model proves nothing about the compliance of the model actually serving in production, and the test for Article 17 of the GDPR must be rethought.
arXiv
Reconstruction and inference attacks
Efficient Techniques for Data Reconstruction, with Finite-Width Recovery Guarantees
A unified optimization formulation for reconstruction attacks against trained neural networks, with finite-width recovery guarantees (not only in the infinite limit typical of prior literature). The work consolidates SOTA proposals into a single framework and provides explicit conditions under which the training dataset can be recovered from the parameters.
arXiv
Graph Reconstruction from Differentially Private GNN Explanations
The authors show that an adversary observing only post-hoc GNN explanations, perturbed with DP, can reconstruct the hidden graph structure with high accuracy. The result matters for anyone who thinks DP applied to explanations is enough to cover residual risk: the combination of explainability obligations (GDPR, AI Act) with standard DP does not ensure the confidentiality of the underlying data when the data are relational.
arXiv
Membership Inference Attacks for Retrieval-Based In-Context Learning for Document Question Answering
Two black-box MIAs against remotely hosted RAG / in-context-learning applications, leveraging query prefixes to distinguish member from non-member documents in the retrieval corpus. The scenario is realistic: provider and user are distinct parties, and the attack works without model access. Relevant for those assessing the privacy risks of enterprise RAG solutions over confidential documents.
arXiv
Synthetic data generation
Breaking the Quality-Privacy Tradeoff in Tabular Data Generation via In-Context Learning
The authors document the typical trade-off of tabular generative models in the small-data regime: increasing the quality of synthetic data increases memorization of real samples, weakening protection. They propose an in-context learning-based approach that, they argue, breaks this trade-off. A central topic for those using synthetic data as a minimization measure under Article 5(1)(c) GDPR.
arXiv
---
AI ACT IN PILLS - Part 20
Article 24 - Obligations of distributors
In the previous installment, we analyzed the obligations of importers set out in Article 23, focusing on their role as a “filter” at the entry of AI systems into the Union market. We now continue our journey along the distribution chain by examining Article 24, which governs distributors’ obligations — a crucial and often underestimated link in the AI Act’s regulatory ecosystem.
Who is a distributor and why it matters
The AI Act defines a distributor as any natural or legal person in the supply chain, other than the provider or the importer, who makes an AI system available on the Union market. This is therefore an actor who neither produces nor imports the system, but rather channels it to end users: resellers, commercial integrators, and e-commerce platforms that host third-party AI solutions typically fall into this category.
The relevance of the distributor stems from the fact that, although it does not have direct control over system design, it represents the last checkpoint before effective market placement and therefore bears a formal verification responsibility that the European legislator chose to codify precisely.
Preventive verification obligations
Before making a high-risk AI system available on the market, the distributor must carry out a series of documentary checks. In particular, it must verify that the system bears the required CE marking, that it is accompanied by the EU declaration of conformity and instructions for use, and that the provider and — where applicable — the importer have complied with their respective obligations under the Regulation (notably those relating to provider registration and identifying data on the product or in accompanying documentation).
This check does not require a technical reassessment of the system but a diligent documentary review. In practical terms, a B2B reseller distributing AI-based résumé-screening solutions must ensure that, before offering them to clients, the documentation is complete and the CE marking is in place.
Obligations during marketing
When the high-risk AI system is under its responsibility, the distributor must ensure that storage and transport conditions do not compromise the system’s compliance with the requirements of Chapter III, Section 2. Consider, for example, the need to preserve the integrity of hardware devices embedding AI models, avoiding unauthorized updates or tampering during the logistics phase.
Obligations of intervention and cooperation
If the distributor considers, or has reason to consider based on information in its possession, that a high-risk AI system does not comply with the requirements, it may not make it available on the market until compliance has been restored. If the system poses a risk within the meaning of Article 79(1), the distributor must inform the provider, the importer, and the competent authorities.
Furthermore, upon a reasoned request from a competent authority, the distributor must provide all information and documentation necessary to demonstrate the system’s compliance, and actively cooperate with any corrective action undertaken.
Practical implications and risk profiles
For organizations that operate as distributors, even occasionally, it is essential to structure internal vendor management and documentation control procedures at product intake. Verification checklists, archiving of conformity documentation received from the provider, and training of commercial staff in recognizing high-risk systems are essential building blocks.
On the sanctions front, violations of the obligations under Article 24 fall within the regime of Article 99, with administrative fines that can reach EUR 15 million or 3% of worldwide annual turnover, whichever is higher.
Next installment
In Part 21, we will address Article 25 - Responsibilities along the value chain, examining how the chain of responsibility is articulated in the AI ecosystem and when a distributor, importer, or other actor may be considered a provider for all intents and purposes.
---
LEGAL PROMPTING
Where do your prompts live? Choosing infrastructure as an ethical question
In the previous installment, we looked at how to structure prompts for reviewing contractual clauses and DPAs. There remains, however, a preliminary question that is too often ignored: where do those texts actually end up when we paste them into an AI interface? Because asking a model to review a limitation-of-liability clause in the abstract is one thing; transmitting to an extra-EU cloud provider a real client DPA — with names, amounts, negotiation pressure points, and defense strategies — is quite another.
Professional secrecy (Article 622 of the Italian Criminal Code, Article 28 of the Italian Code of Ethics for Lawyers, Article 13 of the Code of Ethics for Accountants) is not exhausted by “do not disclose.” It includes the duty to adopt suitable measures to ensure that client information is not accessible to unauthorized third parties. And a generative-AI provider that processes our prompt is, to all intents and purposes, a third party.
This is where the third recurring premise of this column comes in: choosing the infrastructure is a compliance decision before it is a technological one. Let’s look at it operationally, distinguishing three scenarios.
Scenario 1 — Consumer public cloud (ChatGPT free, Claude free, Gemini consumer). Data may be used for training, logs are retained, and contractual guarantees are minimal. Recommended use: only for activities on fictional, instructional, or already public materials. Never with client data.
Scenario 2 — Enterprise cloud with DPA (Azure OpenAI, Anthropic Enterprise, Google Workspace AI with addendum). Contractual guarantees exist — no training, limited logs, often in EU regions. Recommended use: for ordinary professional activities, after appointment as a processor under Article 28 GDPR, assessment of extra-EU transfers (Schrems II), and notice to the client. The AI Act dimension remains: these systems are GPAI and must be assessed in high-risk use cases.
Scenario 3 — Local or on-premise models (Llama, Mistral, Qwen run on Ollama, LM Studio, or a dedicated server). The data never leaves the professional’s infrastructure. Recommended use: for materials covered by qualified secrecy, judicial data, defense strategies, sensitive case files. The trade-off lies in model quality and the technical skills required.
A practical rule: classify materials before choosing the tool, not the other way around. Building an internal matrix that cross-references data types (public, confidential, secret, special categories under Article 9 of the GDPR) with permitted infrastructure is an exercise every firm should formalize within its organizational model. Always remembering that language models produce plausible outputs, not verified truths: human supervision remains a professional duty, whatever the infrastructure.
In the next installment, we will address the AI Act obligations for legal professionals: risk classification, staff AI literacy, and internal documentation.
🔗 Legal Prompting: the new frontier of AI in the legal domain
---
PODCAST
NicFab Podcast — Legal Prompting - Legal Prompting in corporate compliance processes
In the previous episode, we looked at how to use AI to analyze contracts and clauses. Now we take a step further: those prompts do not live in isolation but inside corporate processes involving people, documents, deadlines, and responsibilities.
In this episode, we discuss Legal Prompting in corporate compliance processes, including privacy, anti-corruption, anti-money laundering, information security, 231 models, and internal controls.
The starting principle: AI is not a neutral tool…
---
FROM THE NICFAB BLOG
Digital Omnibus on AI: the provisional agreement of May 7, 2026
May 7, 2026
Legal analysis of the provisional agreement of May 7, 2026, on the Digital Omnibus on AI. Application dates, Annex I conformity assessment, narrowing of the safety-component concept, bias detection, ban on nudifiers and AI-generated CSAM, SMC modulation, GPAI enforcement.
Read the full article
ai-resources.eu and the AI-centric glossary: AI Act, GDPR, and EU regulation
May 4, 2026
A bilingual reference on the EU digital regulatory ecosystem: nine full acts (AI Act, GDPR, Data Act, DSA, NIS2…), cross-references, and a glossary of 80 entries.
Read the full article
DPIA and FRIA: why the GDPR and the AI Act keep two distinct assessments
May 4, 2026
DPIA Article 35 GDPR and FRIA Article 27 AI Act: object, parties required, paradigm, and absorption clause. Legal analysis of overlapping and divergent areas, with a comparative table and three illustrative scenarios.
Read the full article
---
Events of the week and upcoming dates
Events of the week, May 4-10, 2026
Europe Day 2026: let’s celebrate together (May 9, 2026 — Brussels)
EDPB — Joint stand with EDPS at the European Parliament, cybersecurity area | Info
4th EU-Japan Digital Partnership Council (May 5, 2026 — Brussels)
European Commission | Joint Statement
CNIL plenary session (May 5, 2026 — Paris)
CNIL | Agenda
Upcoming dates
HiPEAC Vision 2026 | CONNECT University (May 19, 2026)
European Commission | Info
Privacy Research Day 2026 — fifth edition (June 24, 2026 — Paris)
CNIL | Info
G7 2026 — Round Table of privacy authorities (June 23-26, 2026 — Paris)
CNIL | Info
High-Level Debate: “From Omnibus to Opportunity: Driving Data Protection and Innovation” (June 8, 2026)
EDPS | Info
Info session - Call for proposals “Digital solutions for regulatory compliance through data” (June 8, 2026)
European Commission | Info
---
Conclusion
There is a contradiction that runs through all of this week’s regulatory output and deserves to be named: the European Union is simultaneously accelerating on symbolic bans and slowing down on substantive obligations. The political agreement between the European Parliament and the Council on the Digital Omnibus bans nudifier apps and CSAM-generation systems — a necessary step, aligned moreover with the Italian DPA’s call for more incisive blocking powers against Clothoff and similar services — but the same package pushes the obligations on high-risk systems to December 2027 and those on watermarking to December 2026. The public narrative will focus on the bans because they are visible and morally unassailable. The deferral, which weighs far more on everyday people’s protection, will pass as “simplification.”
This is not simplification: it is a political choice. The signal to large providers is clear — there is time. And time, in the generative-model industry, is the resource that separates those who set the standard from those who have to absorb it. The Italian DPA today calls for swift intervention powers precisely because it has grasped that the European regulatory window is widening while harms unfold in real time. The request is legitimate, but it reveals an uncomfortable truth: the AI Act, as conceived and now remodeled, is not a tool for rapid intervention. It is a medium-term compliance architecture.
On the other side, CNIL’s recommendation on credit scoring does exactly what the AI Act promises but postpones: it engages with the merits of an automated decision-making system that affects concrete rights, sets boundaries on data use, and restates transparency and contestability. This is a regulation that bites, produced by a national authority with the tools it already has. The same logic emerges from two investigations opened or closed this week: the Irish DPC opening its inquiry into SHEIN over transfers to China, and the joint block of Canadian privacy authorities closing the OpenAI investigation, finding seven areas of non-compliance. The contrast is worth noting: while Brussels negotiates the timing of the AI Act, Dublin, Paris, and Ottawa exercise the enforcement they already have.
To this must be added a level that often stays in the shadows but that this week brought back to the foreground: the cyber dimension. The Salt Typhoon attack against Sistemi Informativi, which exposed data managed by INPS, INAIL, and the public administration, reveals that the real playing field is not documentary compliance but the operational resilience of the ICT supply chain. It is a front where the European regulatory framework (NIS2, the upcoming Cybersecurity Act 2) is moving but struggling to keep pace with real threats — and where ENISA’s operational positioning moves (it became CVE Root in November 2025 and is now active in onboarding the first European CNAs) mark a concrete change of pace, more technical-operational than political-regulatory in nature.
I forecast that over the next eighteen months, we will see a substantive transfer from the EU level to the national and sectoral one. The authorities that already have competencies — privacy regulators, financial regulators, health authorities, cyber agencies — will fill the gap with their own instruments, sometimes overlapping. The result will be less coherent than the AI Act promised, but probably more effective in the short term. Those engaged in advisory work should stop looking only to Brussels and start seriously mapping the moves of national and operational authorities. That is where the real rules are being decided.
---
📧 Edited by Nicola Fabiano
Lawyer - Fabiano Law Firm
🌐 Studio Legale Fabiano:
https://www.fabiano.law
🌐 Blog:
https://www.nicfab.eu
🌐 DAPPREMO:
www.dappremo.eu
---
Supporter
https://lawandtechnology.eu/
https://caffe20.it/
https://privacykit.it/
---
To receive the newsletter directly in your inbox,
subscribe at nicfab.eu
Follow our news on these channels:
Telegram → @nicfabnews
Matrix → #nicfabnews:matrix.org
Mastodon → @nicfab@fosstodon.org
Bluesky → @nicfab.eu