← Back to Security Blog
Compliance & Regulations March 23, 2026 9 min read

EU Parliament Votes to Simplify AI Act and Ban Nudifier Systems — CRA Enforcement Accelerates, DORA TLPT Deadlines Loom

The European Parliament's IMCO and LIBE committees propose sweeping simplification of the EU AI Act — including an explicit ban on AI "nudifier" systems and clearer application dates for high-risk requirements. Meanwhile, the Cyber Resilience Act's enforcement machinery is now operational with the first Administrative Cooperation Group meeting, and DORA's threat-led penetration testing deadlines are closing in on financial institutions. Here's everything that moved this week.

Are you ready for the AI Act's August 2026 deadline? Free compliance gap analysis — NIS2, DORA, CRA, EU AI Act
Free Assessment →

🤖 EU Parliament Proposes AI Act Simplification with Nudifier Ban

Breaking — AI Nudifier Systems Explicitly Banned

On March 18, 2026, the European Parliament's IMCO (Internal Market) and LIBE (Civil Liberties) committees agreed on proposals to simplify the EU AI Act while adding an explicit prohibition on AI "nudifier" systems — tools that generate non-consensual intimate imagery using artificial intelligence.

This marks the first significant legislative revision since the AI Act entered into force, and it sends a clear signal: the EU is willing to adjust the regulation's complexity while hardening its stance on harmful applications.

Key Changes Proposed

What This Means for Organizations

If these proposals advance through the full Parliament and trilogue process, organizations will benefit from:

August 2, 2026 — High-Risk AI Deadline Unchanged

The simplification proposals do not delay the August 2, 2026 deadline for high-risk AI system compliance. Organizations deploying AI in critical infrastructure, employment, law enforcement, education, or essential services must have risk assessments, human oversight mechanisms, and technical documentation in place. Less than five months remain.


🏛️ CRA: Enforcement Infrastructure Now Operational

Following the first meeting of the Administrative Cooperation Group on March 20, the Cyber Resilience Act's enforcement machinery is now fully activated. National market surveillance authorities across all 27 member states are now coordinating on:

ENISA SME Readiness Survey Still Open

ENISA's targeted survey for SMEs on CRA awareness, readiness, and support needs (launched March 18) remains open. For organizations manufacturing products with digital elements, this is both a compliance wake-up call and an opportunity to shape EU support resources.

CRA September 2026 deadline: Vulnerability and incident reporting obligations begin in six months. If you haven't started your product inventory and SBOM documentation, the runway is disappearing fast.


💶 Cyprus Presidency Sets Digital Priorities for Council

On March 19, Ministers from the Cyprus Presidency of the Council of the EU presented their priorities to European Parliament committees. While the full program spans multiple policy areas, the digital and cybersecurity priorities are notable:

The Presidency's focus on implementation over new legislation is significant. The EU's regulatory framework (NIS2, DORA, CRA, AI Act, GDPR) is largely complete — the challenge now is consistent enforcement across 27 member states with vastly different levels of cybersecurity maturity.


🔐 DORA: Q1 2026 Compliance Checkpoint

The Digital Operational Resilience Act has been enforceable since January 17, 2025. Financial entities should now be demonstrating active compliance. Key Q1 2026 activities:

Threat-Led Penetration Testing (TLPT)

Significant financial institutions must conduct their first cycle of TLPT under the TIBER-EU framework. This is not a standard vulnerability scan — TLPT involves intelligence-led red team exercises that simulate real-world threat actor techniques against critical production systems.

ICT Third-Party Risk Management

Financial entities must maintain comprehensive registers of all ICT third-party service providers, including:

DORA Enforcement Is Live

Unlike NIS2 (where some member states are still transposing), DORA is directly applicable across all EU member states. European Supervisory Authorities (EBA, ESMA, EIOPA) can and do enforce. Financial entities not demonstrating active compliance risk supervisory action now — not at some future deadline.


🌐 Digital Europe Programme Restructured for Security

The European Commission announced on March 19 that the Digital Europe Programme is being restructured to better address evolving digital security needs. Combined with the ECCC's €56.2 million Horizon Europe call (opened March 17), this represents substantial new funding for cybersecurity capabilities:

€56.2M Horizon Europe Call — Apply Now

The ECCC's Horizon Europe call is one of the largest single funding rounds for EU cybersecurity R&D. Eligibility typically includes research institutions, startups, and established companies. Application deadlines are usually 90 days from announcement. If you're building cybersecurity technology in the EU, this is the funding round to target.


📊 GDPR Enforcement Trends — Q1 2026

While no landmark GDPR fines dropped this week, the broader Q1 2026 enforcement trend continues to intensify:


🗓️ Upcoming Regulatory Deadlines

DateRegulationMilestone
Jun 2026NIS2Netherlands: Entity self-assessment deadline
Aug 2, 2026EU AI ActHigh-risk AI system obligations take effect
Sep 2026CRAVulnerability & incident reporting obligations begin
Q4 2026DORAFirst TLPT cycle completion for significant entities
2027EU AI ActGeneral-purpose AI model obligations apply
Dec 2027CRAFull product compliance required

✅ Compliance Action Items This Week

  1. EU AI Act: Track the Parliament's simplification proposals. Audit any AI image generation or manipulation tools against the proposed nudifier ban. Confirm your August 2, 2026 high-risk compliance roadmap is on track.
  2. CRA: The Administrative Cooperation Group is active — enforcement is real. Begin SBOM documentation and product security assessments now. Six months to September 2026 reporting deadline.
  3. DORA: Financial institutions must verify TLPT scoping is underway. Complete ICT third-party risk registers. Ensure incident reporting uses ESA standardized templates.
  4. NIS2: Leverage ENISA's Cybersecurity Exercise Methodology to build internal testing capabilities. Update risk assessments to include state-sponsored encrypted messaging attacks (FBI warning from last week).
  5. Funding: Review the ECCC's €56.2M Horizon Europe call for cybersecurity R&D. Application window is limited.
  6. GDPR: Review AI training data practices. Audit cookie consent implementations for dark pattern compliance. Assess children's data processing in context of proposed AI Act amendments.

Automate Your Compliance with KENSAI

Continuous compliance monitoring for NIS2, DORA, CRA, GDPR, and EU AI Act. Real-time regulatory tracking with automated gap analysis.

Start Free Assessment →

Stay compliant. Stay ahead.

🗡️ KENSAI Compliance Intelligence

March 23, 2026

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles