European Privacy & Cybersecurity

Secure Connectivity for Operational Technology—UK NCSC Publishes New Guidance

April 21, 2026 By Hanna Hewitt, Kelly Hagedorn and Paul Greaves

The UK National Cyber Security Centre (NCSC) published guidance to help organisations design, secure, and manage Operational Technology (OT) environments. It sets out eight core principles to improve resilience, reduce exposure, and support secure architectural decision‑making. The NCSC positions these as goals rather than minimum requirements, and operators of essential services (including those within scope […]

Britain’s Financial Regulators Raise the Bar on Cyber Reporting and Resilience

April 20, 2026 By Kelly Hagedorn and Kristen Bartolotta

Cyber risk has shifted from a technical issue to a systemic one and Britain’s financial regulators are making that reality unmistakably clear. On March 18, 2026, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England announced a new, unified cyber and operational resilience framework that strengthens the requirements on how firms […]

EU Moves Toward a Single Entry Point for Security Incident Reporting

March 19, 2026 By Alice Portnoy and Wim Nauwelaerts

On March 17, 2026, the European Parliament published a briefing signalling continued momentum toward the creation of an EU‑wide Single Entry Point (SEP) for security incident reporting. The initiative is part of the European Commission’s proposed Digital Omnibus legislative package and is intended to simplify how organizations report incidents – including personal data breaches – […]

Spanish DPA Releases Agentic AI Guidance

February 23, 2026 By Alice Portnoy and Wim Nauwelaerts

On 18 February 2026, the Spanish Data Protection Authority (Agencia Española de Protección de Datos or ‘AEPD’) published an 81‑page guidance document on the privacy aspects of AI systems operating as agents – commonly referred to as ‘agentic AI’. The guidance is aimed at companies that process personal data under the EU General Data Protection […]

European Commission Publishes Guidance For Companies Implementing the EU Cyber Resilience Act

January 29, 2026 By Paul Greaves, Kelly Hagedorn and Wim Nauwelaerts

On December 3, 2025, the European Commission published its first set of technical FAQs on the EU Cyber Resilience Act (‘CRA’). The CRA is an EU-wide law which lays down cybersecurity requirements for ‘products with digital elements’ (‘PDEs’), including IoT devices, hardware components, and certain software. It becomes fully applicable on December 11, 2027, with […]