Europe’s digital regulatory landscape continues to evolve rapidly. From AI transparency obligations and cybersecurity reforms to stricter enforcement activity by data-protection authorities, organisations are facing an increasingly interconnected compliance environment. This bulletin highlights the latest legislative and regulatory developments from Greece and across the EU, together with the practical implications for businesses.
GREECE
New accessibility rules for e-communications
Joint Ministerial Decision 2573/2026 introduces measures designed to ensure equal access to electronic communications for persons with disabilities. The Decision covers assistive services — including real-time text, instant messaging, speech-to-text, and relay services — as well as accessible terminal equipment. Notably, e-communications providers are subject to strict data protection obligations: processing of personal data, including special categories, is permitted only to the extent necessary to deliver these accessibility measures and must be preceded by a mandatory Data Protection Impact Assessment (DPIA). Organisations in scope should review their data processing activities and DPIA frameworks accordingly.
DPA fines telecoms provider over mishandled data requests
The Hellenic Data Protection Authority (“DPA”) examined a complaint against a telecommunications provider concerning delays in handling access and restriction requests relating to recorded calls. The DPA found that the provider failed to supply all requested recordings, did not inform the complainant within the prescribed timeframe of the reasons for not acting, and did not properly implement the restriction request — resulting in the loss of recordings that should have been preserved. The DPA ordered the provider to enhance its technical and organisational measures, including staff training, and imposed a €30,000 fine for GDPR violations. The decision serves as a reminder that robust internal procedures for handling data subject requests are essential to avoid regulatory scrutiny. More information can be found here.
EU
European Commission publishes draft guidelines on AI transparency obligations
The European Commission has published draft guidelines on the AI transparency obligations mandated by the AI Act, which take effect on 2 August 2026. The guidelines are intended to assist providers and deployers of AI systems in meeting the requirement to inform individuals that they are interacting with AI systems or are exposed to AI-generated or manipulated content. Organisations developing or deploying AI should closely monitor these guidelines as they will shape compliance expectations ahead of the August deadline.
Agreement reached on AI Omnibus
The European Parliament and the Council of the EU have reached agreement on the implementation timeline for rules governing high-risk AI systems in the context of the Digital Omnibus on AI, which will amend the AI Act. Subject to formal adoption, rules for AI systems used in high-risk areas — including biometrics, education, and critical infrastructure — will apply from 2 December 2027. For systems integrated into regulated products such as lifts or toys, the rules will apply from 2 August 2028. Businesses developing and deploying AI in these sectors should begin preparing their compliance strategies well in advance of these deadlines.
EDPB expands Europrivacy certification globally
The European Data Protection Board (“EDPB”) has approved an updated version of the Europrivacy certification scheme, officially establishing it as a valid mechanism for transferring personal data outside the EEA. The certification must be paired with binding and enforceable commitments from the data importer to uphold EU privacy standards before any transfer can take place. This development is significant for controllers and processors seeking to demonstrate that they provide appropriate safeguards for personal data transfers to third countries or international organisations, and may offer a practical alternative to other transfer mechanisms.
European Commission prepares practical CRA guidance
The European Commission is preparing guidance on implementing the Cyber Resilience Act (“CRA”), which entered into force in December 2024 and will apply in stages between June 2026 and December 2027. The guidance will help manufacturers, developers, and other stakeholders interpret and apply the CRA consistently across the EU. To gather input, the Commission has opened a consultation inviting stakeholders to submit comments via a dedicated template.
European Commission and EDPB publish feedback on draft DMA – GDPR joint guidelines
The European Commission and the European Data Protection Board (“EDPB”) have published the responses received during their public consultation on draft guidelines addressing the interplay between the Digital Markets Act (“DMA”) and the GDPR. Both bodies are now reviewing the feedback with a view to refining the guidelines, and the final version is expected to enhance legal clarity for businesses while ensuring effective enforcement of both regulations. Final adoption is planned for Q4 2026. This is an area to watch, as the guidelines will have practical implications for how gatekeepers and other market participants manage their data protection obligations. More information can be found here.
AI Office kicks off Code of Practice for AI content labelling
The AI Office has launched a voluntary Code of Practice to support compliance with the AI Act’s transparency rules. These rules require providers and deployers of generative AI systems to mark, detect, and label AI- generated or manipulated content, including deepfakes. The drafting process involves a broad range of stakeholders and will run for seven months, with finalisation expected by mid-2026. Organisations active in generative AI should consider engaging with this process to ensure the Code reflects practical industry needs.
European Commission publishes Data Act interoperability study
The European Commission has published a study supporting the EU repository for harmonised standards and open specifications under the Data Act. The study identifies specifications that meet interoperability requirements, including portability and seamless switching across data processing services. For businesses offering or relying on data processing services, the study provides early insight into the technical standards that will underpin compliance with the Data Act's interoperability obligations.
NIS Cooperation Group adopts EU ICT Supply Chain Security Toolbox
The NIS Cooperation Group — comprising Member State authorities, the European Commission, and ENISA — has adopted a new EU ICT Supply Chain Security Toolbox. It sets out a common approach for identifying, assessing, and mitigating cybersecurity risks in ICT supply chains, including addressing dependencies on high-risk suppliers. The toolbox supports the revised Cybersecurity Act published in January 2026 and will be an important reference point for organisations seeking to strengthen their supply chain risk management frameworks.
CJEU: Even first-time access requests can be abusive
In Brillen Rottler (Case C-526/24), the Court of Justice of the European Union (“CJEU”) addressed whether a single data subject access request can be deemed excessive and therefore abusive. The case involved an individual who submitted an access request just two weeks after subscribing to a company’s newsletter and subsequently sought non-material damages when the company refused to comply. The CJEU concluded that even a first access request can be excessive where it does not genuinely serve the purpose of the right of access and the data subject is artificially creating conditions to gain an advantage. This ruling provides welcome clarity for organisations facing potentially vexatious access requests.
EDPB – EDPS issue opinion on Cybersecurity Act 2 and NIS2 amendments
The EDPB and the European Data Protection Supervisor (“EDPS”) have published their joint views on the EU’s proposal for Cybersecurity Act 2 and amendments to the NIS2 Directive. They broadly welcome the effort to strengthen Europe’s cybersecurity framework — in particular, clearer roles for ENISA, simplified breach reporting, and enhanced supply-chain security. At the same time, they emphasise the need to balance security objectives with data protection requirements and call for clearer alignment between cybersecurity certifications and GDPR obligations. Organisations should monitor these developments closely, as the final framework will shape the intersection of cybersecurity and privacy compliance across the EU.
EDPB – EDPS weigh in on the European Biotech Act
The EDPB and EDPS have issued their joint opinion on the EU’s proposed European Biotech Act, which aims to strengthen Europe’s biotechnology and biomanufacturing sectors. They support clearer, more harmonised rules for the processing of personal data in clinical trials and biotechnology projects, and welcome new safeguards for individuals' health data. They also encourage greater transparency when AI is used in clinical trials and call for more clarity on data retention periods. Stakeholders in the life sciences and biotech sectors should take note, as the final legislation will directly affect how personal and health data is handled in research and development.
EDPB – EDPS issue opinion on Digital Omnibus reforms
The EDPB and EDPS have issued their joint opinion on the EU’s Digital Omnibus proposal, which aims to streamline and modernise significant parts of the EU’s digital rulebook, including the GDPR, ePrivacy rules, and the Data Act. They welcome efforts to simplify compliance and reduce unnecessary burdens — particularly around data breach notifications, scientific research, and biometric authentication. However, they raise strong concerns about proposals to narrow the definition of personal data and introduce broad new exceptions for AI, warning that such changes could weaken protections for individuals. This opinion underscores the critical tension the EU must navigate as it seeks to simplify its digital regulatory framework without compromising data protection standards — a balance that will have far-reaching implications for businesses across all sectors.
Key Takeaways
The convergence of AI regulation, cybersecurity reform, and data protection enforcement signals a clear trajectory: compliance is no longer a siloed exercise but a cross-disciplinary imperative. With the AI Act's transparency obligations approaching, the Digital Omnibus reshaping key data protection concepts, and new supply-chain security standards emerging, organisations should adopt an integrated approach to regulatory readiness.
At the same time, recent enforcement activity — from the Greek DPA's fine to the CJEU's ruling on abusive access requests — shows that regulators and courts are increasingly willing to scrutinise operational compliance in practice, not just on paper. Businesses that invest now in robust governance frameworks, cross-functional compliance programmes, and proactive engagement with evolving standards will be best positioned to navigate this rapidly shifting environment.
Our team continues to monitor these developments closely and stands ready to assist clients in assessing their exposure and preparing for what lies ahead.