Blog

Insights, guides and news from the compliance and RegTech world

Road Safety Just Created Biometric Data. Who Governs It?

Road Safety Just Created Biometric Data. Who Governs It?

From 7 July 2026 every new car in the EU carries ADDW: a system that monitors the driver's gaze by capturing their face. A safety measure that also creates a new personal-data surface. The rule mandates a closed loop but sets no continuous privacy audit, no definition of 'necessary', no retention periods. The GDPR applies: governance has to be built.

Independence Revoked: Trump v. Slaughter and the Fate of the DPF

Independence Revoked: Trump v. Slaughter and the Fate of the DPF

On 29 June 2026, in Trump v. Slaughter, the US Supreme Court made the FTC removable at will by the President, overruling Humphrey's Executor. A domestic-law ruling that shakes the pillar of EU-US adequacy: the independent enforcement the Data Privacy Framework rests on.

ISO/IEC 27000:2026 Almost Out: What Actually Changes (Spoiler: Less Than They'll Tell You)

ISO/IEC 27000:2026 Almost Out: What Actually Changes (Spoiler: Less Than They'll Tell You)

ISO/IEC 27000:2026 is in its final publication stage ("under publication"): it's the non-certifiable overview of the 27k family, not the requirements. For anyone certified to ISO/IEC 27001:2022 nothing changes, and no auditor needs to recertify because of it. The distinction almost nobody explains.

DORA mandates TLPT: TIBER-EU as the operational map for financial SMEs

DORA mandates TLPT: TIBER-EU as the operational map for financial SMEs

DORA has been fully applicable since January 17, 2025: Art. 26 mandates Threat-Led Penetration Testing for significant financial entities every 3 years. TIBER-EU is the operational reference framework. What it means in practice for a financial SME.

Once Only, ANPR and PDND: The Principle Is 58 Years Old. The News Is the Infrastructure

Once Only, ANPR and PDND: The Principle Is 58 Years Old. The News Is the Infrastructure

From 1 July 2026 all public bodies automatically access the Italian population registry (ANPR) via the national interoperability platform (PDND). But the once-only principle has been in Italian law since 1968: the real news is the infrastructure. What stays with the entities — data quality, legal bases and privacy roles.

Forwarding Company Email to a Personal Gmail: Why It's Not Just a Bad Habit, but a GDPR Risk

Forwarding Company Email to a Personal Gmail: Why It's Not Just a Bad Habit, but a GDPR Risk

Auto-forwarding company email to a personal Gmail is shadow IT, not productivity. Even with paid Google Workspace, the employee's consumer account stays outside the company's DPA, controls and retention policies. Same provider does not mean same perimeter.

Establish, Then Escape: The Court of Rome, the One-Stop-Shop and the OpenAI Fine

Establish, Then Escape: The Court of Rome, the One-Stop-Shop and the OpenAI Fine

The Court of Rome annulled the Garante's €15 million fine against OpenAI not on the merits, but for lack of jurisdiction. An analysis of the GDPR one-stop-shop, EDPB Opinion 8/2019 and the enforcement gap the ruling opens.

What Does Cybercrime Really Cost? The (Real) Numbers for SMEs

What Does Cybercrime Really Cost? The (Real) Numbers for SMEs

Global damages in the trillions make headlines but say little to an SME. What IBM, Clusit and the WEF actually report, why small businesses are the favourite target in Italy, and how to move from numbers to action.

When the Price of AI Becomes a Risk to Your ISMS

When the Price of AI Becomes a Risk to Your ISMS

Token-based AI inference is economically subsidized today. What happens to your ISMS if the cost of an AI-based security control rises 10x? Repricing risk, DORA / ISO 27001 / NIS2 mapping, and mitigations for CISOs and SMEs.