The NIS2 Directive has significantly reshaped the cybersecurity landscape across the EU. Since the implementation deadline in October 2024, EU Member States have been working to incorporate new standards into their national laws, fostering a dynamic and rapidly evolving regulatory environment. Recently, Ireland’s National Cyber Security Centre (NCSC) published the draft NIS2 Risk Management Measures

Continue Reading Ireland: NIS2 revamps Ireland’s cybersecurity landscape: Old regulators, new powers

The Spanish Data Protection Authority (“AEPD”) has published its 2024 annual report, which includes the AEPD’s awareness-raising activities; the collaboration and inspection activities of the Spanish authorities; relevant reports and procedures published during 2024; and an analysis of regulatory trends and key privacy challenges for the coming months. The annual report’s key elements

Continue Reading Spain: Spanish Data Protection Authority Publishes Annual Report

The potential criminalization of activities associated with ransomware cyber attacks, including ransom payments by victims, has long been an unresolved issue. This concern has now led Italy to introduce a groundbreaking legislative proposal aimed at enhancing cybersecurity and mitigating threats posed by digital extortionists.

Recognizing ransomware cyberattacks not merely as economic disturbances but as

Continue Reading Italy: Ransomware and Crime – A Proposal to Tackle Cyber Extortion in Italy

On 17th June 2025, the Spanish Data Protection Authority (“AEPD”) published guidance in relation to Royal Decree 933/2021, which regulates document registration and information obligations relating to accommodation and motor vehicle rental activities (“Royal Decree”). In particular, the AEPD has clarified that the Royal Decree does not authorise requests for copies

Continue Reading Spain: AEPD Guidance – Important Update on Royal Decree 933/2021

On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUA Act”) was passed and received Royal Assent on 19th June 2025.

The government first announced plans for the new DUA Act in the King’s speech back in July 2024. The DUA Act introduces reforms to data protection and e-privacy laws

Continue Reading UK: Data (Use and Access) Bill passes through Parliament

On 14 May 2025, the Brussels Court of Appeal (Market Court) delivered the long-awaited judgement in the case concerning the Transparency & Consent Framework (“TCF”) (case no. 2022/AR/292). The Court largely upheld the findings of the Belgian Data Protection Authority (“Belgian DPA”), concluding that the TCF’s use of the Transparency and Consent

Continue Reading EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR Compliance

The Italian Data Protection Authority (the Garante) has issued its first GDPR fine for, among other breaches, unlawful retention of metadata from employees’ emails and web browsing activities. The decision applies, for the first time, the Garante’s highly discussed guidelines of 2024 on the use of metadata in workplace email systems.

The Processing

Continue Reading Italy: The Garante Issues First GDPR Fine Over Employees Email Metadata Privacy Breach

On 20 March 2025, the Nigeria Data Protection Commission (Commission) issued the General Application and Implementation Directive (GAID). The GAID serves as a regulatory framework for implementing the Nigeria Data Protection Act (NDPA) 2023. It provides practical guidance for organisations handling personal data and aims to ensure uniform compliance

Continue Reading Nigeria: NDPC Issues GAID – Key Compliance Insights

The European Commission has published its proposal for a new regulation simplifying the EU General Data Protection Regulation (“GDPR”) requirements for small mid-cap enterprises (“the Proposal”). The Proposal forms part of the European Commission’s Omnibus IV Simplification Package and comes after the European Data Protection Board (“EDPB”) and the

Continue Reading Europe: European Commission publishes proposal for simplification of the GDPR

The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:

Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle

Continue Reading China: CAC publishes official Q&As for cross-border data transfer regulation