Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, lessons learned from incidents, and developments in the AI Act, NIS 2 and DORA. The aim is to go beyond the press release.

11 articles found · #rgpd

CNPD — Workplace video surveillance: proportionality, DPIA and employee rights

Workplace cameras are allowed in Luxembourg, but under strict rules: legal basis, proportionality, a DPIA in most cases, L.261‑1 information duties and employee rights. Document everything, camera by camera.

GDPR – Article 28: the watertight processor contract

In 2026, every DPO/CISO must bulletproof processor contracts. Mandatory clauses, EDPB/CNPD guidance, and a practical audit playbook for a watertight Article 28.

Phishing‑resistant MFA (FIDO2/WebAuthn): answering GDPR Article 32

GDPR Article 32 requires state‑of‑the‑art security. Phishing‑resistant MFA with FIDO2/WebAuthn is the most robust and pragmatic way to comply without unnecessary complexity.

NIS 2 in Luxembourg: Law of 5 May 2026 published—what to do before 10 May

Luxembourg’s law transposing NIS 2 was published on 5 May 2026 and enters into force on 10 May. Broader scope, stronger governance, incident reporting within 24 h/72 h to ILR via SERIMA. Priority actions and official sources.

AI Act – Article 50: transparency for chatbots and deepfakes by 2026

From 2 August 2026, any AI interaction, synthetic content, and any emotion recognition/biometric categorization system must be disclosed. Fines up to €15M or 3% of global turnover.

GDPR Art. 33: Notify CNPD of a breach within 72h—without panic

Practical method, based on official texts and CNPD guidance, to decide, notify, and document a personal data breach within 72 hours.

EU‑US data transfers after Schrems II and the DPF: CNPD expectations 2026

Secure transatlantic flows without over‑compliance: the DPF eases transfers to certified US entities, but Article 46 and supplementary measures remain key outside the DPF. Prioritize vendor governance and DPIA documentation.

CNPD: recording business meetings and conversations in GDPR compliance

In 2026, Luxembourg’s CNPD sets out the rules for audio/video recording of private meetings. Legal basis, transparency and retention are critical; recordings often must be deleted once the minutes are approved.

CNIL approves a GDPR code of conduct for retail

On 28 April 2026, the CNIL approved a GDPR code of conduct for apparel/footwear retailers in France. A strong signal for retailers, with auditable requirements and third-party oversight.

Qilin claims cyberattack on Exclusive Networks

The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.

Ransomware at ChipSoft: alert for cross‑border care

Dutch EHR vendor ChipSoft said on April 29 that data stolen in an early‑April cyberattack had been “destroyed.” Cross‑border hospitals and insurers should take action this week.