Paul Greaves

About Paul Greaves

Paul Greaves advises on all aspects of privacy, cyber, and data law across a diverse range of clients - from global technology firms to life sciences startups expanding into Europe. His extensive experience includes advising on EU and UK GDPR compliance projects, cross-border data transfers, and personal data breaches.

[Read Bio]

European Commission Publishes Draft Guidelines on Classification of High-Risk AI Systems Under the EU AI Act

May 21, 2026 By Alice Portnoy, Wim Nauwelaerts and Paul Greaves

On May 19, 2026, the European Commission (EC) published draft guidance on how to determine whether an AI system qualifies as a high-risk AI system (HRAIS) under the EU’s Regulation 2024/1689 on artificial intelligence (AI Act). The draft reflects input from stakeholders and EU Member States through the EU AI Board and represents the most […]

Secure Connectivity for Operational Technology—UK NCSC Publishes New Guidance

April 21, 2026 By Hanna Hewitt, Kelly Hagedorn and Paul Greaves

The UK National Cyber Security Centre (NCSC) published guidance to help organisations design, secure, and manage Operational Technology (OT) environments. It sets out eight core principles to improve resilience, reduce exposure, and support secure architectural decision‑making. The NCSC positions these as goals rather than minimum requirements, and operators of essential services (including those within scope […]

European Commission Publishes Guidance For Companies Implementing the EU Cyber Resilience Act

January 29, 2026 By Paul Greaves, Kelly Hagedorn and Wim Nauwelaerts

On December 3, 2025, the European Commission published its first set of technical FAQs on the EU Cyber Resilience Act (‘CRA’). The CRA is an EU-wide law which lays down cybersecurity requirements for ‘products with digital elements’ (‘PDEs’), including IoT devices, hardware components, and certain software. It becomes fully applicable on December 11, 2027, with […]

New EU Regulation Clarifies Cybersecurity Rules for IoT Devices and Other ‘Products with Digital Elements’

December 10, 2025 By Paul Greaves, Wim Nauwelaerts and Kelly Hagedorn

On November 28 2025, the European Commission adopted a regulation implementing the Cyber Resilience Act (‘CRA’) – an EU-wide law which lays down cybersecurity requirements for companies that design and sell ‘products with digital elements’. PDEs can take many forms including IoT devices, hardware components, and certain software. The CRA imposes cybersecurity obligations in connection […]

The EU Digital Omnibus: A European Data Law Shake-Up May Be Coming

November 21, 2025 By Alice Portnoy, Wim Nauwelaerts and Paul Greaves

On November 19, the European Commission (EC) released its EU Digital Omnibus proposal – a 153-page document accompanied by an explanatory memorandum and a Staff Working Document. This proposal introduces amendments, deletions, and replacements to several cornerstone EU digital laws, including: The GDPR. The Data Act. The AI Act. The ePrivacy Directive. Other instruments such […]