European Commission Publishes Draft Guidelines on High-Risk AI Systems
The long-awaited guidelines on high-risk AI systems under the EU AI Act have now been published in draft form by the European Commission. The draft guidelines concern the classification of high-risk AI systems, including the interpretation of Article 6 of the AI Act and the use cases listed in Annex III. They are intended to […]
EU Institutions Reach Preliminary Political Agreement on AI Act Omnibus
The EU institutions have reached a preliminary political agreement on the AI Act Omnibus, following intensive trilogue negotiations and a failed “final” negotiating round last week. The agreement is not yet final. It must still undergo review and formal adoption by the Council and Parliament before entering into force. However, the political deal provides the […]
Sweden’s updated NIS2 draft regulation on training and security measures: broader flexibility, targeted tightening on supply chain security
The Swedish Civil Defence and Resilience Agency (MCF, formerly MSB) has recently published an updated draft regulation on training and security measures under Sweden’s NIS2 framework. Although the regulation has not yet been finalised, it gives a clearer indication of the security and training measures that in-scope entities are expected to implement. The draft regulation is currently subject […]
When AI Transcription Is “Necessary” Under GDPR: Insights from IMY’s Latest Sandbox Project
On 13 April 2026, the Swedish Data Protection Authority (IMY) published its sandbox report on the use of AI for transcription in social services (Sw. Transkribering inom socialtjänsten). This is referred to below as the Transcription report. The report examines whether AI-based transcription and summarisation can be used in compliance with the GDPR, with particular focus on […]
EDPB approves Europrivacy certification criteria for use in international data transfers
The European Data Protection Board (EDPB) has approved the Europrivacy certification criteria for use as a European Data Protection Seal in the context of international data transfers under Articles 42 and 46 GDPR. In principle, certifications issued under the scheme may be relied upon as an Article 46(2)(f) transfer mechanism for certified data importers outside […]
ICC Guidance on Responsible AI in Marketing
On 20 March 2026, the International Chamber of Commerce (ICC) published a guidance on the responsible use of AI in advertising and marketing, clarifying how the ICC Advertising and Marketing Communications Code applies to AI. The guidance does not introduce new rules but rather provides a practical guide on how the existing principles under the […]
EU launches ICT Supply Chain Security Toolbox to address cybersecurity risks
On 30 January 2026, the NIS Cooperation Group, comprising representatives of EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA), adopted the EU ICT Supply Chain Security Toolbox, establishing a common EU approach to identifying, assessing and mitigating cybersecurity risks across ICT supply chains. The toolbox provides a structured, non-binding framework […]
IMY Annual Report 2025: Complaint and Supervision Statistics
On 20 February 2026, the Swedish Authority for Privacy Protection (IMY) published its Annual Report 2025, outlining a year marked by a sharp increase in complaints and data breach notifications, and a proposal to review the GDPR. Complaints, supervision and sanctions IMY received 7,434 complaints in 2025, a 102% increase compared to 2024. In parallel, […]
EDPB–EDPS Joint Opinion on the Digital Omnibus proposal
On 19 November 2025, the European Commission issued a Digital Omnibus proposal with the aim to simplify compliance with the digital rulebook, hereby amending several EU digital legislation, such as GDPR, Data Act and ePrivacy Directive. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed […]
NIS2 Entities Registration in Sweden – Guidance
The EU’s NIS2 Directive, implemented in Sweden via the Cybersecurity Act (Sv. Cybersäkerhetslag (2025:1506), introduces a mandatory obligation for covered organisations to register with the supervisory authority. In this context, the Swedish Civil Defence and Resilience Agency (Sv. Myndigheten för civilt försvar) has issued guidance and launched a registration platform to facilitate compliance. From 2 […]