Alston & Bird Privacy, Cyber & Data Strategy Blog

European Privacy & Cybersecurity

Dutch DPA Fines Taxi App €100M Over Unlawful Transfers of Personal Data to Russia, Despite Use of EU Standard Contractual Clauses

By and

On April 1, 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a €100 million fine on MLU B.V., the Dutch operator of the Yango taxi app. The AP found that personal data of EU users was unlawfully transferred to affiliated entities in Russia, despite the formal use of the EU Standard Contractual Clauses […]

Secure Connectivity for Operational Technology—UK NCSC Publishes New Guidance

By , and

The UK National Cyber Security Centre (NCSC) published guidance to help organisations design, secure, and manage Operational Technology (OT) environments. It sets out eight core principles to improve resilience, reduce exposure, and support secure architectural decision‑making. The NCSC positions these as goals rather than minimum requirements, and operators of essential services (including those within scope […]

Britain’s Financial Regulators Raise the Bar on Cyber Reporting and Resilience

By and

Cyber risk has shifted from a technical issue to a systemic one and Britain’s financial regulators are making that reality unmistakably clear. On March 18, 2026, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England announced a new, unified cyber and operational resilience framework that strengthens the requirements on how firms […]

EU Moves Toward a Single Entry Point for Security Incident Reporting

By and

On March 17, 2026, the European Parliament published a briefing signalling continued momentum toward the creation of an EU‑wide Single Entry Point (SEP) for security incident reporting. The initiative is part of the European Commission’s proposed Digital Omnibus legislative package and is intended to simplify how organizations report incidents – including personal data breaches – […]

Spanish DPA Releases Agentic AI Guidance

By and

On 18 February 2026, the Spanish Data Protection Authority (Agencia Española de Protección de Datos or ‘AEPD’) published an 81‑page guidance document on the privacy aspects of AI systems operating as agents – commonly referred to as ‘agentic AI’. The guidance is aimed at companies that process personal data under the EU General Data Protection […]