Newsletter #22 - 26 May 2026

---

NicFab Newsletter

Issue 22 | May 26, 2026

Privacy, Data Protection, AI, and Cybersecurity

---

Welcome to issue 22 of the weekly newsletter dedicated to privacy, data protection, artificial intelligence, cybersecurity, and ethics. Every Tuesday, you will find a curated selection of the most relevant news of the previous week, with a focus on European regulatory developments, case law, enforcement, and technological innovation.

---

GARANTE PRIVACY ITALY

The European House Ambrosetti: 85,000 euros for plaintext passwords and late notification

With newsletter no. 547 of May 21, 2026, the Garante fined The European House – Ambrosetti spa 85,000 euros following a data breach that exposed the data of 61,670 people, including company employees and personnel of client companies.

The attack exploited a technical vulnerability to gain access to systems and exfiltrate first names, last names, email addresses, usernames, and passwords. The investigation found that some passwords were stored in plaintext, while others were protected using cryptographic techniques that do not align with current standards. The company also retained credentials from decommissioned systems, in breach of the principles of storage limitation and security.
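The two storage practices the decision criticises (plaintext, and a hash scheme that no longer meets current standards) next to a hardened form, as an added example that is not part of the newsletter or of the Garante's decision. It uses only the Python standard library and assumes PBKDF2-HMAC-SHA256 at 600,000 iterations, in line with OWASP guidance; a real deployment would prefer argon2id or scrypt where the library is available. The `login` helper shows the migration step a controller needs so that legacy records disappear at the user's next successful login instead of lingering, which is the retention problem the decision also flags.

```python
# Added example, not code from the Garante decision or the newsletter.
# Assumptions: PBKDF2-HMAC-SHA256 with 600,000 iterations (OWASP guidance);
# argon2id or scrypt are preferable when a vetted library is available.
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_record_plaintext(password: str) -> str:
    # What was found for part of the database: nothing to crack at all.
    return "plain$" + password


def weak_record_md5(password: str) -> str:
    # Unsalted fast hash: precomputed tables and GPUs recover these offline.
    # This is the "not aligned with current standards" case.
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    # Per-user random salt, deliberately slow derivation, and the parameters
    # stored inside the record so the work factor can be raised later without
    # forcing a mass password reset.
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    # Accepts legacy records too, so that migration can happen at login time.
    # Every comparison is constant-time.
    scheme, _, rest = record.partition("$")
    if scheme == "plain":
        return hmac.compare_digest(password.encode("utf-8"), rest.encode("utf-8"))
    if scheme == "md5":
        digest = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(digest, rest)
    if scheme == "pbkdf2_sha256":
        try:
            iterations, salt_hex, dk_hex = rest.split("$")
        except ValueError:
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    return False


def needs_rehash(record: str) -> bool:
    # True for plaintext, legacy MD5, or PBKDF2 below the current work factor.
    parts = record.split("$")
    if parts[0] != "pbkdf2_sha256" or len(parts) != 4:
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS


def login(password: str, record: str):
    """Verify against whatever is stored; return (ok, replacement_record).

    replacement_record is None when nothing needs to change. Otherwise the
    caller persists it, and the legacy value is gone after this login.
    """
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record):
        return True, hash_password(password)
    return True, None
```

Two properties are worth checking in a review: identical passwords must produce different records (the salt), and a stored record must carry enough information for `needs_rehash` to flag it when the policy changes, otherwise the next audit finds exactly the mix of schemes the Garante found here.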

The most relevant point concerns the two notification duties. Notification to the Authority under Article 33 GDPR was made within the 72-hour window, but communication to the data subjects under Article 34 reached them roughly two months after the breach was discovered, and only after a corrective measure by the Garante. A gap of that size is hard to justify when the exfiltrated data include credentials and the risk to rights and freedoms is therefore high.

The newsletter also covers the updated FAQs on the Electronic Health Record, the prohibition on disseminating photos of a sick person without consent, and the Spring Conference of European Data Protection Authorities held in Turkey.

Source

---

EDPS - EUROPEAN DATA PROTECTION SUPERVISOR

CPDP 2026 - Closing remarks

On May 22, 2026, Wojciech Wiewiórowski closed the Computers, Privacy and Data Protection Conference with a speech that fits into the thread traced by the EDPS in recent weeks: from the blog post of May 8 on “Safe and Ethical AI: a big European idea for the world” published on Europe Day, to the Annual Report 2025 presented on May 7, up to the upcoming high-level debate of June 8 with BfDI and BayLfD on the Commission’s Omnibus proposals and their implications for the GDPR.

The common thread is the operationalization of the EDPS’s extended mandate, built around the principles of Foresight, Action, and Solidarity, and the Authority’s positioning as the technology supervisor of the EU administration for AI Act, cybersecurity, and health data. On the AI Act front, the launch of the EDPS Compass, announced in the April 20 newsletter, is worth recalling — a tool that supports the European institutions in applying the regulation.

The full text of the closing speech is available on the EDPS website for those who wish to read the Authority’s position ahead of the June discussion on the Omnibus, where a concrete battle on the scope of the GDPR is being played out.

Source

---

CNIL - FRENCH AUTHORITY

Annual Report 2025: complaints, sanctions, and notifications all on the rise

On May 18, 2026, the CNIL published its 2025 activity report, a year marked by a record number of complaints, an unprecedented total of sanctions, and a never-before-seen volume of breach notifications. The Authority reports that resources are under pressure due to the workload and that an internal reorganization is required to accompany the progressive application of the AI Regulation.

On the guidance side, seven public consultations were launched in 2025 on connected vehicles, medical records, credit granting, tracking technologies, and social housing. The CNIL handled 539 authorization requests in the health sector, including 406 health research files, 1,351 advisory requests from professionals, and 90 opinions on draft legislation and regulatory texts, mostly at the government’s request. Six innovative silver economy projects were supported in the sandbox. Among the tools aimed at the public is FantomApp for teenagers, funded by the European Commission.

The report contains aggregate data on complaints, sanctions, and data breaches: reading it in full is the quickest way to calibrate one’s own compliance benchmark against French enforcement priorities for the next cycle.

Source

Plenary session of May 21, 2026: ANJ and Withings

The agenda for the CNIL plenary of May 21, 2026, included two points. First: communication on the finalization of the draft guide of the Autorité nationale des jeux on personal data in the gambling sector. Second: examination of a draft deliberation authorizing Withings to carry out processing aimed at a study on the development and validation of algorithms for the early detection of chronic diseases based on data, including those from connected objects.

The Withings dossier is the point to follow: it intertwines health research, IoT, and predictive algorithms on chronic pathologies, an area where the CNIL has historically set markers on legal basis, minimization, and qualification of research processing.

Source

---

COUNCIL OF THE EUROPEAN UNION

European Business Wallets: towards the Council’s general approach

On May 22, 2026, the Council published document ST 7659 2026 INIT, containing the Presidency’s compromise text in view of the general approach on the proposal for a Regulation of the European Parliament and of the Council establishing European Business Wallets. The text is intended for examination by Coreper, and formal adoption as the general approach is expected at the TTE Council on June 9, 2026.

Once adopted, the general approach will set the Council’s negotiating position ahead of the trilogue with the Parliament. The initiative extends the wallet logic already introduced by the eIDAS 2 Regulation for natural persons to the business world, building a digital identity and document exchange infrastructure dedicated to enterprises. The text is available in all EU official languages in PDF format, while the HTML version is not yet published.

The consolidated version of the general approach is worth following to verify the personal scope (whether SMEs and microenterprises are included), the interoperability requirements with the EUDI Wallet, and the liability regime for business wallet service providers.

Source

Extension of data protection periods in the Biocides Regulation

The Council has published document PE 20 2026 REV 1, concerning the regulation of the European Parliament and of the Council amending Regulation (EU) No 528/2012 on the extension of certain data protection periods.

The intervention concerns the Biocidal Products Regulation, where “data protection” has nothing to do with the GDPR but refers to the protection of declarants’ investments: the data on active substances and biocidal products submitted to the competent authorities remain covered for periods during which third parties cannot rely on them without the holder’s consent. The extension of these periods extends the exclusivity window for the dossiers, with direct effects on competition between original declarants and subsequent entrants who intend to rely on the same studies.

It is worth flagging because the phrase “data protection” in Council document titles generates recurring classification mismatches in regulatory monitoring flows. Here, the concern is ownership of regulatory data, not personal data protection.

Source

---

DIGITAL MARKETS & PLATFORM REGULATION

Commission’s annual report on the implementation of the DMA

On May 21, 2026, the European Commission published the annual report to the Council and the European Parliament on the implementation of Regulation (EU) 2022/1925 (Digital Markets Act), document COM(2026) 247 final. It is the reporting exercise foreseen by the regulation on contestable and fair markets in the digital sector, which also amends Directives (EU) 2019/1937 and (EU) 2020/1828. The text is available both in CELEX and COM/FIN versions on EUR-Lex. The publication arrives at a time when gatekeeper designations and non-compliance proceedings are consolidating as the testing ground for the regulation’s robustness, and reading the full document is the best way to gauge the state of enforcement.

CELEX source

COM/FIN source

MAGA report on the DSA: the Commission considers a GDPR complaint

The European Commission has declared it is “exploring a complaint with the competent data protection authority” to protect EU staff whose data were disclosed in the report of the U.S. House Judiciary Committee, signed by Jim Jordan, which describes the DSA as a “foreign censorship tool”. The document, published in February, included the names of nearly 30 EU officials and representatives of civil society organizations engaged in DSA enforcement, along with unredacted email exchanges with Meta, Google, and other platforms. The Commission described the publication as “deeply concerning” and recalled that the disclosure of unredacted personal data could expose the tech companies to liability under the GDPR. The lead authority for most U.S. giants is the Irish Data Protection Commission. The Commission also invokes the DSA’s confidentiality obligations, which should apply to all parties involved. The legally relevant point is the complainant’s qualification: a complaint filed by the Commission “on behalf of” its employees raises non-trivial standing questions under Article 77 GDPR, where the right to lodge a complaint belongs to the data subject.

Source

iOS 27, AirPlay, and the DMA interoperability obligation

According to Mark Gurman’s report, with iOS 27 Apple will allow European users to set a third-party service, Google Cast first and foremost, as the default destination for streaming to TVs, speakers, and HDMI dongles, in place of AirPlay. The intervention falls within Apple’s obligations as a gatekeeper under the DMA. The scope of the change remains to be verified: the DMA distinguishes between the choice of default service, access to system APIs, and full interoperability across platforms, and so far Apple’s strategy has been to grant only the minimum compatible with the rule. On the technical side, opening up to competing protocols affects latency, audio-video synchronization, and DRM management, areas where Apple will presumably raise security and system integrity arguments, the same already used in the sideloading and browser engine dossiers. The case confirms that the real battleground is not the single obligation but the perimeter of the effective interoperability required under Article 6 of the DMA.

Source

---

INTERNATIONAL DEVELOPMENTS

South Korea: local elections as a testbed for anti-deepfake regulation

South Korea’s local elections next month will serve as a test of whether regulation can curb the spread of deepfakes in the electoral context. Seoul has chosen to address the issue at the legislative level, anticipating a round of voting that will serve as an observatory of the relationship between AI-generated synthetic content and the integrity of the democratic process.

The point of interest is not so much the regulatory provision itself, but its operational robustness: timely detection, chain of responsibility between platforms and creators, removal times compatible with the electoral cycle. These are the same variables that will weigh on the effectiveness of the AI Act on synthetic content and on the transparency obligations for deployers of generative systems.

Source

---

ARTIFICIAL INTELLIGENCE

AI-generated CSAM: the AI Act crackdown from December 2, 2026

The EPRS has published an At a Glance briefing on the use of image generation systems to produce child sexual abuse material, noting the increase in CSAM deepfakes recorded in recent reports. The legal point is the new AI Act provision prohibiting the generation of CSAM, applicable from December 2, 2026, a date that fits into the application calendar of Regulation (EU) 2024/1689. It adds to the criminal perimeter already covered by Directive 2011/93/EU and raises a coordination issue between the obligations of generative model providers (upstream filters, red teaming, reporting) and the liability regime of intermediaries under the DSA. Author of the document: Maria Del Mar Negreiro Achiaga, Freedom, Security and Justice area.

Source

The Commission publishes the report under Article 112(1) AI Act

On May 20, 2026, the Commission adopted COM(2026) 234 final, the report to the Parliament and the Council pursuant to Article 112(1) of Regulation (EU) 2024/1689 on the need to review the list of prohibited AI practices (Article 5) and of high-risk systems in Annex III. It is the first review exercise foreseen by the AI Act. It formally opens the window to modify, via delegated acts, the scope of prohibitions and the high-risk list: the Annex III areas (biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, justice, and democratic processes) are those on which the institutional debate will focus in the coming months. The document is available in two EUR-Lex versions (CELEX and COM-FIN) with identical content.

COM/FIN source

CELEX source

Colorado: from CAIA to CADMA, a paradigm shift

On May 15, 2026, Governor Polis signed SB 189, which rewrites the 2024 Colorado AI Act. The new text, renamed the Colorado ADM Act (CADMA), abandons the algorithmic-discrimination framework and adopts a transparency-centered approach. The scope narrows to automated decision-making technologies (ADMT) used for consequential decisions in sectors such as education, employment, credit, and financial services. Developers must provide deployers with a general statement on the system; deployers must inform consumers of the use of ADMT before the decision and, in case of an adverse outcome, communicate whether and to what extent the system contributed to it. Consumers are granted rights of explanation, correction, and appeal.

The governance obligations of the original text are eliminated, and liability is routed back to existing anti-discrimination laws, with developer liability limited to intended use. Enforcement is exclusive to the Attorney General, there is no private right of action, and the Act enters into force on January 1, 2027. It is a signal that the “EU-style” model, based on risk management and the duty of care, exported to Colorado in 2024, is holding up poorly amid U.S. political friction.

Source

AI, disinformation and electoral processes: McSweeney’s warning at GLOBSEC

Morgan McSweeney, former chief of staff to Keir Starmer, will speak at the GLOBSEC forum in Prague to highlight the use of AI as a vector of disinformation in electoral processes, with a specific focus on the risk of Russian interference in possible Ukrainian elections post-ceasefire. The topic, beyond political chronicle, directly intersects with the AI Act’s perimeter for systems affecting democratic processes (Annex III, point 8), the labeling obligations for synthetic content under Article 50, and the measures on VLOPs foreseen by the DSA to address systemic electoral risks. McSweeney already addressed the point at the Kyiv Security Forum in April.

Source

---

CYBERSECURITY

Verizon DBIR 2026: vulnerability exploitation overtakes credential theft

Verizon’s 2026 Data Breach Investigations Report reverses the ranking of attack vectors: exploitation of unpatched vulnerabilities is behind 31% of confirmed breaches, while credential abuse — last year’s top vector — drops to 13%. The dataset analyzed has doubled: 31,000 incidents, over 22,000 confirmed breaches, compared with 12,195 in the previous edition.

The patching numbers tell the rest. The median time for full remediation rises from 32 to 43 days. Organizations patched only 26% of the vulnerabilities in CISA’s KEV catalog, down from 38% in 2024, while the median volume of critical flaws to manage has increased by 50%. Ransomware appears in 48% of confirmed breaches (up from 44%), but only 31% of victims pay, and the median ransom drops below $140,000. Breaches involving third parties increase by 60%, reaching 48% of the total; in third-party cloud environments, only 23% of organizations have remediated missing or improper MFA configurations.

Verizon attributes to AI the compression of the defensive window “from months to hours”: the median attacker used AI assistance in 15 documented techniques, with outliers at 40-50.

Source

ChromaDB: pre-authentication RCE without a patch

HiddenLayer has published the details of CVE-2026-45829, dubbed ChromaToast: a pre-authentication RCE that allows a remote attacker to obtain a shell on the ChromaDB server process, the open source vector database used in AI pipelines (about 13 million monthly downloads via pip, adopted among others by Mintlify, Factory AI, and Weights & Biases).

The cause is a combination of two flaws: the server accepts model identifiers from the client without restrictions, and it resolves and executes them before the authentication check. A collection creation request without credentials that points to a malicious HuggingFace model is enough to trigger the download and execution of arbitrary code; only afterward does the server verify credentials and reject the request, by which time the payload has already run. The attacker gains access to API keys, environment variables, mounted secrets, and files on disk.

All versions from 1.0.0 onwards are vulnerable, and HiddenLayer estimates that 73% of internet-exposed deployments are affected. There is no patch: HiddenLayer says it has been trying to report the issue to the maintainers since February 17 without receiving a response, and the researcher Azraelxuemo reports having submitted the bug in November 2025, also without a reply. The available mitigation is to restrict network access to ChromaDB to trusted clients only. A code fix would require moving authentication ahead of configuration loading and removing the kwargs keys from requests in the create_collection V1 and V2 handlers, an intervention absent in ChromaDB 1.5.8.
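The ordering flaw described above, reduced to its essentials as an added illustration: this is hypothetical code written for this issue, not ChromaDB's handlers, and the request shape, header name and allowlist are assumptions. The vulnerable handler consumes client-supplied configuration (and so triggers the model load) before it checks credentials; the hardened one authenticates first, rejects any keys it does not expect rather than passing them through, and maps the client's choice through a server-side allowlist so the client never names a model location at all. `load_embedding_function` stands in for the download-and-execute step and only records what it was asked to load.

```python
# Added illustration, hypothetical code and not ChromaDB's: the ordering flaw
# (client configuration resolved before the credential check) next to a handler
# that authenticates first, rejects passthrough keys and uses an allowlist.
# Request shape, header name and the allowlist are assumptions for the demo.
import hmac

API_TOKEN = "constructed-demo-token"   # constructed secret, not a real credential


class Unauthorized(Exception):
    pass


class BadRequest(Exception):
    pass


# Stands in for "download and execute a model": every call is a side effect that
# must never happen for an unauthenticated caller.
LOADED_MODELS: list = []


def load_embedding_function(model_id: str) -> str:
    LOADED_MODELS.append(model_id)
    return f"embedding_fn:{model_id}"


def authenticate(headers: dict) -> None:
    presented = headers.get("Authorization", "")
    if not hmac.compare_digest(presented, f"Bearer {API_TOKEN}"):
        raise Unauthorized("missing or invalid token")


def create_collection_vulnerable(headers: dict, body: dict) -> dict:
    # BUG: configuration is consumed before authentication, so the loader runs
    # for anyone who can reach the port. Rejecting the request afterwards does
    # not undo the side effect.
    cfg = body.get("configuration", {})
    model_id = cfg.get("embedding_function", {}).get("model")
    if model_id:
        load_embedding_function(model_id)
    authenticate(headers)
    return {"name": body["name"]}


# Server-side mapping: the client names a key, never a model location.
ALLOWED_EMBEDDING_FUNCTIONS = {"default": "local:minilm-l6-v2"}  # assumption


def create_collection_hardened(headers: dict, body: dict) -> dict:
    authenticate(headers)                        # 1. auth before any config work
    if set(body) - {"name", "configuration"}:    # 2. no kwargs passthrough
        raise BadRequest("unexpected request keys")
    cfg = body.get("configuration", {})
    choice = cfg.get("embedding_function", "default")
    if not isinstance(choice, str) or choice not in ALLOWED_EMBEDDING_FUNCTIONS:
        raise BadRequest("embedding function not in allowlist")   # 3. allowlist
    load_embedding_function(ALLOWED_EMBEDDING_FUNCTIONS[choice])
    return {"name": body["name"]}


def run_unauthenticated_request(handler):
    """Send a constructed request with no credentials; report whether it was
    rejected and which model loads happened anyway."""
    LOADED_MODELS.clear()
    # Constructed attacker request: points at a model the server must never fetch.
    body = {
        "name": "probe",
        "configuration": {"embedding_function": {"model": "hf://attacker/payload"}},
    }
    try:
        handler({}, body)
        rejected = False
    except Unauthorized:
        rejected = True
    return rejected, list(LOADED_MODELS)


if __name__ == "__main__":
    print("vulnerable:", run_unauthenticated_request(create_collection_vulnerable))
    print("hardened:  ", run_unauthenticated_request(create_collection_hardened))
```

The point to take from the two results is that both handlers "reject" the unauthenticated request, so a test that only checks the HTTP status would pass for both; only the record of side effects distinguishes them. That is also why network restriction is the realistic mitigation while no fix exists: it removes the reachability, not the ordering bug.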

Source

United Kingdom, the hypothesis of VPN restrictions: Mozilla opposed

The UK Department for Science, Innovation and Technology has opened a consultation on the protection of minors online that includes possible restrictions on VPN services, after the introduction of the mandatory age verification provided for by the 2025 Online Safety Act caused a surge in the use of VPNs to bypass controls that require documents and selfies on adult sites.

Mozilla, through Svea Windwehr (head of public policy), contested the approach: VPNs are not a tool for minors to evade filters but a standard security component — protection on public Wi-Fi, remote work, anti-tracking, and censorship circumvention. The position is that London is targeting the symptom rather than the cause. Children’s Commissioner Rachel de Souza had already proposed limiting minors’ use of VPNs. No ban has been approved, but the regulatory trajectory warrants monitoring, especially for its implications for cross-border services and the encryption of user traffic.

Source

Multi-layer cloud IDS with LLM and adaptive Q-learning

A paper on arXiv (Ali et al., May 2026) proposes a confidence-aware IDS at three levels — network, host, hypervisor — designed for cloud environments. ML models at each layer intercept known patterns; low-confidence events go through a chain of gates: a learned confidence threshold (Gate-1), matching against Chroma memory (Gate-2), escalation to an LLM for semantic analysis and explanation generation, and final promotion (Gate-3) based on the calibrated LLM confidence or weighted fusion. Unresolved events are placed in a review bucket rather than being forcibly classified.

Reported figures: 58.78% reduction in LLM escalations compared to static thresholds, overall accuracy 88.68%, with the network and hypervisor layers at 98.02% and 97.08% respectively. Explanations and confirmed knowledge are persisted in ChromaDB for subsequent retraining — an architectural choice that, in light of the ChromaToast vulnerability discussed above, demands a careful assessment of the memory component’s threat model.

Source

---

SCIENTIFIC RESEARCH

Selection of the most relevant arXiv papers of the week on AI, Machine Learning, and Privacy

Differential Privacy: auditing, fine-tuning, and new variants

Optimal Guarantees for Auditing Rényi Differentially Private Machine Learning

The authors propose a black-box auditing framework for algorithms that claim RDP guarantees, based on hypothesis testing and direct estimation of the Rényi divergence via the Donsker-Varadhan formula. Relevant because it shifts the DP audit problem from declarative to empirically verifiable on neighboring executions.

arXiv

An exponential mechanism based on quadratic approximations for fine-tuning machine learning models with privacy guarantees

A randomized algorithm for DP fine-tuning based on the exponential mechanism and quadratic approximations, designed for scenarios where a pretrained model is adapted to small and sensitive datasets. Fine-tuning on sensitive data is one of the areas most exposed to memorization attacks and model inversion, and technical mitigation is a precondition for any DPIA of models adapted to personal data.

arXiv

Lumberjack: Better Differentially Private Random Forests through Heavy Hitter Detection in Trees

DP random forest that builds large trees and then applies aggressive privacy-preserving pruning, recovering utility where classical approaches destroy it. Of interest for the tabular healthcare and financial sector, where forests remain the standard, and DP has so far been largely impractical.

arXiv

SMA-DP: Spectral Memory-Aware Differential Privacy for Deep Learning

A DP-SGD variant that addresses the known issue of high variance introduced by per-example clipping and calibrated Gaussian noise, leveraging spectral information to improve utility on difficult datasets.

arXiv

Contextual privacy in LLMs

It Takes Two: Complementary Self-Distillation for Contextual Integrity in LLMs

The authors address LLM adherence to Nissenbaum’s Contextual Integrity — privacy as the governance of information flows according to context norms, not as secrecy — and propose a complementary self-distillation technique. The topic is operationally central for personal agents handling sensitive workflows, where the GDPR’s purpose principle translates technically into precisely these contextual flow constraints.

arXiv

Federated learning and the right to erasure

Causal Unlearning in Collaborative Optimization: Exact and Approximate Influence Reversal under Adversarial Contributions

HF-KCU removes the contribution of a federated client by approximating the influence function via conjugate gradients in Krylov subspaces, reducing the complexity from O(d³) to O(kd). The practical point is clear: without efficient unlearning, Article 17 GDPR requests in federated contexts are unmanageable, and retraining from scratch is an increasingly weak technical justification before a supervisory authority.

arXiv

Cybersecurity AI: explainability and intrusion detection

Stabilizing Explainability Fragility in Cybersecurity AI: The Impact and Mitigation of Multicollinearity in Public Benchmark Datasets

The authors formalize a theorem stating that multicollinearity among features inflates the variance of attributions produced by SHAP and LIME, destabilizing explanations in IDS systems. A finding with direct impact on Article 86 AI Act and on transparency obligations for high-risk systems: an explanation that is unstable with respect to correlated features does not satisfy the requirement of substantive interpretability.

arXiv

HIDBench: Benchmarking Large Language Models for Host-Based Intrusion Detection

A new benchmark to evaluate the capabilities of LLMs in supporting HIDS based on system logs, an area so far neglected compared to penetration testing and vulnerability identification. Useful as a reference for evaluating the integration of LLMs into SOCs.

arXiv

---

AI ACT IN A NUTSHELL - Part 22

Article 26 - Obligations of deployers of high-risk AI systems

In the last installment, we explored Article 25 and the distribution of responsibilities across the AI value chain, examining how providers, importers, and distributors shift roles and duties as circumstances change. Today, we shift our focus to a crucial yet often underestimated actor: the deployer, namely the entity that actually uses a high-risk AI system in the course of its professional activity.

Who is the deployer, and why is it central

The deployer is any natural or legal person, public authority, agency, or other body that uses an AI system under its authority, except where the system is used in the course of a personal non-professional activity. Think of a bank using a credit scoring system, a company adopting AI-based personnel selection software, or a hospital using algorithmic diagnostic tools. In all these cases, the organization that puts the system into operation assumes specific compliance obligations.

Article 26 delineates a perimeter of duties that balances innovation with the protection of fundamental rights, recognizing that the mere “putting into operation” of a high-risk system entails substantial, not merely formal, responsibilities.

The main obligations

The first duty concerns use in accordance with instructions: deployers must adopt appropriate technical and organizational measures to ensure that the system is used in accordance with the instructions provided by the provider. Purchasing and installing is not enough: the system must be integrated into one’s processes in compliance with the user manual, the technical documentation, and the declared limits.

Central is the obligation of human oversight: the deployer must entrust the supervision of the system to natural persons with the necessary competence, training, and authority, as well as adequate support. This means investing in staff training, defining clear roles, and establishing intervention procedures for anomalies. An insurance company using an AI system for claims assessment, for example, cannot simply accept the system’s outputs automatically; it must ensure effective, qualified human oversight.

The deployer must also monitor the operation of the system in accordance with the instructions for use and, if there is reason to believe that compliant use may entail a risk to health, safety, or fundamental rights, inform the provider or distributor without delay and suspend use. In case of a serious incident, the obligation to promptly report to the provider and to the market surveillance authority kicks in.

There is also an obligation to retain automatically generated system logs for a period appropriate to the purpose and, in any case, for at least 6 months, unless otherwise provided by EU or national law.

Specific obligations for particular categories of deployers

The article introduces reinforced provisions for certain categories. Employers intending to use a high-risk system in the workplace must inform workers’ representatives and the workers concerned before putting it into service. Public authorities and entities providing public services must verify compliance with the obligations and, in many cases, register in the EU database.

Particularly relevant is the obligation for deployers using systems that make or assist in decisions concerning natural persons to inform the data subject that they are subject to the use of a high-risk AI system.

Practical implications and sanctions

For DPOs, compliance officers, and lawyers, Article 26 imposes a structural review of AI adoption processes: due diligence on suppliers, integration of instructions for use into internal procedures, training programs, human oversight policies, and incident management workflows. Coordination with the GDPR is also fundamental, especially regarding notices, legal bases, and DPIAs.

Violations expose the deployer to administrative fines of up to 15 million euros or 3% of worldwide annual turnover, as set out in the articulated grid of Article 99.

Next installment

In Part 23, we will address Article 27 - Fundamental Rights Impact Assessment (FRIA): we will analyze when it is mandatory, how it is conducted, and the synergies with the DPIA required by the GDPR.

---

After examining, in the last installment, the obligations that the AI Act imposes on legal professionals, it is time to take stock of the path traveled and to look at the future directions of Legal Prompting.

In previous installments, we addressed the formulation of structured instructions, the hierarchy of sources for prompting, citation, and verification techniques, the management of hallucination risk, the integration of legal reasoning into workflows, and the regulatory obligations that professionals must safeguard. From this journey, some constants emerge that deserve to be fixed.

The first concerns the very nature of language models: they do not reason like jurists, but produce statistically plausible outputs. A prompt asking “indicate the relevant case law on the processing of biometric data in the workplace” may return non-existent judgments formulated in a perfectly credible way. Human oversight, therefore, is not a methodological option but a deontological obligation that runs through every phase of the work.

The second constant is the regulatory perimeter. The AI Act, GDPR, Italian Law 132/2025, and codes of conduct provide a framework for the professional use of AI. Mature Legal Prompting is not the one that obtains the fastest answer, but the one that integrates from the outset the constraints of lawfulness, transparency, and accountability. A well-constructed prompt is itself an act of compliance.

The third constant concerns infrastructure. The choice between cloud and local models — think of using self-hosted solutions to handle documents covered by professional secrecy — is not a technical preference but a matter of responsibility. Sending a defense brief or a clinical file to an extra-EU service without adequate safeguards means exposing the client and oneself.

Looking ahead, three directions appear particularly relevant. The first is the development of verified, versioned prompt libraries within firms as organizational assets to be maintained over time. The second is the integration of Legal Prompting into document management systems, with traceability of human-machine interactions to support accountability reporting required by the AI Act. The third is continuous training: the speed with which models and rules evolve imposes systematic, not episodic, updating.

The path traveled in these installments has shown that Legal Prompting is not a shortcut, but a new professional competence. It requires method, awareness of technological limits, and rooting in deontological principles. Those who master it do not replace their own judgment with the machine’s, but extend their capacities while keeping intact the responsibility that the profession requires.

For an overall picture:

Legal Prompting: la nuova frontiera dell’AI in ambito giuridico

---

PODCAST

Ninth episode of Legal Prompting. After addressing professional secrecy as the criterion for selecting AI infrastructure, we turn to the regulatory framework: the European AI Act and the obligations that fall on legal professionals as deployers of artificial intelligence systems.

The central principle is that those who use AI in legal practice are not just users but subjects regulated by the AI Act, with precise obligations.

---

FROM THE NICFAB BLOG

Annex I of the AI Act: the least supervised frontier of high-risk classification

May 20, 2026

The Draft Commission Guidelines of May 19, 2026, and the Omnibus agreement of May 7 bring attention back to a poorly supervised area of the AI Act: AI systems as safety components of regulated products. An analysis of Article 6(1), of the structure of Annex I, of its grafting onto sectoral conformity assessment regimes, and of the operational implications for providers and notified bodies.

Read the full article

---

Events of the week and upcoming events

Events of the week May 18-24, 2026

HiPEAC Vision 2026 | CONNECT University (May 19, 2026) | European Commission

Upcoming events

120th Plenary meeting (May 28, 2026) | EDPB

High-Level Debate: “From Omnibus to Opportunity: Driving Data Protection and Innovation” (June 8, 2026) | EDPS

Meeting Committee on Civil Liberties, Justice and Home Affairs (LIBE), European Parliament (June 8, 2026) | EDPB

Info session - Call for proposals “Digital solutions for regulatory compliance through data” (June 8, 2026) | European Commission

Meeting Data Protection Working Group, Council (June 12, 2026) | EDPB

---

Conclusion

Eighty-five thousand euros to The European House – Ambrosetti is not a figure that shakes corporate budgets, but the Garante’s reasoning deserves to be read twice. The sanction does not so much address the technical vulnerability — unprotected passwords, a classic — as the delay in communicating with the data subjects. It confirms a line that is now beyond discussion: Article 34 of the GDPR is not an accessory obligation to the notification to the Authority; it is the heart of the protection. Those who delay pay, regardless of the intrinsic gravity of the breach.

The interesting point is that this Italian rigidity around timeliness comes in the same week that Verizon, in the 2026 DBIR, reports that exploitation of vulnerabilities has overtaken credential theft as the top breach vector. Translated: companies will be hit more and more often by attack chains exploiting known and unpatched flaws, and that is exactly the scenario in which the 72-hour window becomes the real playing field of compliance. Those who do not already have a stopwatch-driven breach response process today will discover it the hard way in the coming months.

On the European front, the report under Article 112(1) of the AI Act is the most relevant document of the week, and probably of the quarter. The review of the list of prohibited practices and of high-risk systems in Annex III is the first serious stress test of the risk taxonomy built in 2024. That taxonomy was written in haste, under political pressure, and contains categories that already show their practical limits today. If the Commission uses this window to clarify and rationalize, the AI Act will gain credibility; if it uses it to expand by dragnet, it will confirm the fears of those who denounce excessive prescriptiveness.

Meanwhile, Colorado does the opposite. The new CADMA abandons the anti-discrimination framework of the old AI Act in favor of a transparency-based model, decidedly lighter on governance obligations. It is a vivid snapshot of the transatlantic divergence: Europe doubles down on risk classification, while the United States, even the states that had tried risk classification, fall back on disclosure. Multinational companies will continue to build their compliance on the highest level, namely the European one. Still, the competitive cost of this asymmetry will start to weigh in the next twelve months.

A prediction: the MAGA-DSA case, with the publication of names and emails of EU officials, will end up before a privacy authority. And it will be the first serious precedent for using the GDPR as a shield against extra-EU political retaliation. Worth following.

---

📧 Edited by Nicola Fabiano

Lawyer - Fabiano Law Firm

🌐 Studio Legale Fabiano: https://www.fabiano.law

🌐 Blog: https://www.nicfab.eu

🌐 DAPPREMO: www.dappremo.eu

---

Supporter

https://lawandtechnology.eu/

https://caffe20.it/

https://privacykit.it/

---

To receive the newsletter directly in your inbox, subscribe at nicfab.eu

Follow our news on these channels:

Telegram → @nicfabnews

Matrix → #nicfabnews:matrix.org

Mastodon → @nicfab@fosstodon.org

Bluesky → @nicfab.eu

---

Original URL: gemini://nicfab.eu/en/newsletteren/2026/2026-05-26-issue-22_en.gmi