剣 KENSAI
← All posts · regulations · 2026-03-30 · 8 min

EU Parliament Simplifies AI Act Rules & Bans AI Nudifiers, Kills CSAM Scanning Extension, NIS2 Investment Gaps Widen, DORA-Aligned Bank Resolution Expanded

A landmark week for European cybersecurity regulation: Parliament streamlines AI Act deadlines, votes down CSAM content scanning, ENISA highlights growing NIS2 compliance investment imbalances, expanded bank resolution rules tighten DORA alignment, and the UK's £1.5B Jaguar Land Rover bailout ignites a debate about governments as cybersecurity insurers of last resort.


1. EU Parliament Simplifies AI Act — Clear Deadlines and AI Nudifier Ban

In one of the most consequential moves since the EU AI Act was adopted in 2024, the European Parliament's joint IMCO-LIBE committee has agreed on proposals to simplify the regulation's implementation. The amendments establish clear application dates for high-risk AI system requirements and introduce an explicit ban on AI "nudifier" systems — tools that generate non-consensual intimate imagery using artificial intelligence.

What Changes

⚠️ Compliance Deadline Impact

Organisations deploying high-risk AI systems should review the revised timeline immediately. The simplification removes ambiguity but also removes excuses — regulators will expect adherence to the new clear-cut dates.

Why It Matters

The AI Act has been criticised for its complexity since adoption. These simplifications signal that EU regulators are listening to industry feedback while simultaneously tightening enforcement on the most harmful applications. The nudifier ban, in particular, represents a rapid regulatory response to a technology that has exploded in misuse over the past year.


2. EU Parliament Kills CSAM Scanning Extension — Privacy Wins This Round

In a significant vote on Thursday, the European Parliament refused to prolong the interim derogation from e-Privacy rules that had allowed service providers to voluntarily detect child sexual abuse material (CSAM) in private communications.

The Background

Since 2021, a temporary derogation had permitted messaging platforms to scan private messages for CSAM without violating EU privacy law. This was always intended as an interim measure while the controversial "Chat Control" regulation was debated. With no permanent framework in place, Parliament faced a choice: extend the stopgap or let it expire.

What Happens Now

📌 Key Takeaway: This vote doesn't mean the EU is giving up on combating CSAM — it means Parliament is refusing to normalise mass surveillance of private communications as the default approach. Expect renewed push for targeted, rights-respecting alternatives.


3. ENISA Report: NIS2 Driving Investment, But Critical Gaps Emerge

The European Union Agency for Cybersecurity (ENISA) has released its 6th NIS Investments report, revealing that while NIS2 compliance is the primary driver of cybersecurity spending across the EU, the investment is flowing in concerning directions.

Key Findings

🔴 Critical Gap: The Talent Drain

ENISA's data shows a 15% year-over-year increase in cybersecurity technology spending, but only a 3% increase in workforce investment. Organisations buying SIEM platforms and EDR solutions without trained analysts to operate them are building expensive security theatre.

What Organisations Should Do


4. DORA Alignment: EU Expands Bank Resolution Rules

The European Parliament's ECON committee has adopted new rules to expand the coverage of EU bank resolution frameworks, a move that directly intersects with the Digital Operational Resilience Act (DORA) that went live in January 2025.

What's New

DORA Connection

DORA requires financial entities to maintain robust ICT risk management and report major incidents. The expanded bank resolution rules now ensure that when a financial institution does fail, its ICT infrastructure and third-party dependencies are properly accounted for in the wind-down process. This closes a gap where a bank could be technically DORA-compliant in operation but have no plan for its digital assets and contracts during resolution.


5. The "Cyber Insurer of Last Resort" Debate Intensifies

The UK government's £1.5 billion loan guarantee to Jaguar Land Rover (JLR) following a devastating cyberattack has ignited a fierce debate about whether governments should serve as cybersecurity insurers of last resort — a question with profound implications for NIS2 and DORA across Europe.

The Concern

Speaking at a Royal United Services Institute (RUSI) event, Ciaran Martin, chair of the UK Cyber Monitoring Centre, called the bailout "an unfortunate precedent" — a case-specific intervention without clear criteria for when such government action should occur.

📌 EU Regulatory Lens: Under NIS2, essential entities are already required to implement robust security measures — the regulation's logic is prevention over bailout. Under DORA, financial entities must demonstrate resilience. The JLR precedent raises the question: what happens when compliance isn't enough?

The Ripple Effect

Analysts warn that a single cyberattack can now "ripple across an entire economy" — impacting GDP, employment, and national exports. This isn't theoretical: JLR's production shutdown affected thousands of supply chain jobs across multiple countries. The question for EU policymakers is whether NIS2 and DORA's prevention-first approach is sufficient, or whether a formal framework for catastrophic cyber incidents is needed.


Regulation Radar: What to Watch This Week

Regulation Development Impact
EU AI Act Simplified high-risk deadlines, nudifier ban 🔴 High — Immediate compliance timeline changes
e-Privacy / GDPR CSAM scanning derogation expired 🟠 Medium — Platforms must reassess legal basis
NIS2 ENISA investment report highlights talent gap 🟠 Medium — Budget rebalancing needed
DORA Bank resolution rules expanded with ICT focus 🟡 Moderate — Financial sector resolution planning
EU Customs Code Major reform addressing e-commerce safety 🟡 Moderate — Supply chain security implications

Bottom Line

This week demonstrates that European cybersecurity regulation is entering its operational phase. The AI Act is being refined for real-world deployment. NIS2's influence on spending is undeniable but unbalanced. DORA is reaching into adjacent regulatory frameworks. And the fundamental question of who pays when catastrophic cyber incidents overwhelm even compliant organisations remains unanswered.

The message to security leaders: compliance is the floor, not the ceiling. Invest in your people as aggressively as your platforms. And start thinking about what your organisation's Plan B looks like if the worst happens — because your government may not be ready to be your insurer of last resort.