EU Parliament Simplifies AI Act Rules & Bans AI Nudifiers, Kills CSAM Scanning Extension, NIS2 Investment Gaps Widen, DORA-Aligned Bank Resolution Expanded
A landmark week for European cybersecurity regulation: Parliament streamlines AI Act deadlines, votes down CSAM content scanning, ENISA highlights growing NIS2 compliance investment imbalances, expanded bank resolution rules tighten DORA alignment, and the UK's £1.5B Jaguar Land Rover bailout ignites a debate about governments as cybersecurity insurers of last resort.
1. EU Parliament Simplifies AI Act — Clear Deadlines and AI Nudifier Ban
In one of the most consequential moves since the EU AI Act was adopted in 2024, the European Parliament's joint IMCO-LIBE committee has agreed on proposals to simplify the regulation's implementation. The amendments establish clear application dates for high-risk AI system requirements and introduce an explicit ban on AI "nudifier" systems — tools that generate non-consensual intimate imagery using artificial intelligence.
What Changes
- Simplified timeline: High-risk AI systems now have unambiguous compliance deadlines, ending months of industry confusion about overlapping transition periods.
- AI nudifier ban: Systems that strip or alter images to create non-consensual intimate content are now explicitly prohibited, closing a gap that advocacy groups had flagged since the Act's original text was finalised.
- Reduced burden on SMEs: Streamlined documentation requirements aim to make compliance more accessible for small and medium enterprises deploying AI in low-risk contexts.
⚠️ Compliance Deadline Impact
Organisations deploying high-risk AI systems should review the revised timeline immediately. The simplification removes ambiguity but also removes excuses — regulators will expect adherence to the new clear-cut dates.
Why It Matters
The AI Act has been criticised for its complexity since adoption. These simplifications signal that EU regulators are listening to industry feedback while simultaneously tightening enforcement on the most harmful applications. The nudifier ban, in particular, represents a rapid regulatory response to a technology that has exploded in misuse over the past year.
2. EU Parliament Kills CSAM Scanning Extension — Privacy Wins This Round
In a significant vote on Thursday, the European Parliament refused to prolong the interim derogation from e-Privacy rules that had allowed service providers to voluntarily detect child sexual abuse material (CSAM) in private communications.
The Background
Since 2021, a temporary derogation had permitted messaging platforms to scan private messages for CSAM without violating EU privacy law. This was always intended as an interim measure while the controversial "Chat Control" regulation was debated. With no permanent framework in place, Parliament faced a choice: extend the stopgap or let it expire.
What Happens Now
- Voluntary scanning ends: Platforms like Meta, Google, and Microsoft that had been proactively scanning messages will need to stop or find alternative legal bases under existing e-Privacy rules.
- Pressure on Chat Control: The vote increases urgency around the stalled Chat Control regulation, which remains deeply divisive between privacy advocates and child protection groups.
- GDPR implications: Without the derogation, any continued scanning could face challenges under GDPR Article 6 (lawfulness of processing) and Article 9 (special categories of data).
📌 Key Takeaway: This vote doesn't mean the EU is giving up on combating CSAM — it means Parliament is refusing to normalise mass surveillance of private communications as the default approach. Expect renewed push for targeted, rights-respecting alternatives.
3. ENISA Report: NIS2 Driving Investment, But Critical Gaps Emerge
The European Union Agency for Cybersecurity (ENISA) has released its 6th NIS Investments report, revealing that while NIS2 compliance is the primary driver of cybersecurity spending across the EU, the investment is flowing in concerning directions.
Key Findings
- Investment shifting from people to technology: Organisations are pouring money into tools and platforms while talent shortages deepen. The report warns this creates a dangerous imbalance — advanced security tools are only as effective as the teams operating them.
- Compliance is the top motivator: NIS2 has succeeded in getting boards to approve cybersecurity budgets, but many organisations are pursuing checkbox compliance rather than genuine security improvement.
- Implementation challenges: Despite the October 2024 transposition deadline having passed, many EU member states are still finalising their national implementations, creating a fragmented regulatory landscape.
🔴 Critical Gap: The Talent Drain
ENISA's data shows a 15% year-over-year increase in cybersecurity technology spending, but only a 3% increase in workforce investment. Organisations buying SIEM platforms and EDR solutions without trained analysts to operate them are building expensive security theatre.
What Organisations Should Do
- Rebalance cybersecurity budgets to include training, hiring, and retention programmes alongside technology purchases.
- Engage with national authorities to understand their specific NIS2 transposition status and any unique requirements.
- Move beyond checkbox compliance toward risk-based security programmes that NIS2 Article 21 actually requires.
4. DORA Alignment: EU Expands Bank Resolution Rules
The European Parliament's ECON committee has adopted new rules to expand the coverage of EU bank resolution frameworks, a move that directly intersects with the Digital Operational Resilience Act (DORA) that went live in January 2025.
What's New
- Broader coverage: The expanded rules now cover a wider range of financial institutions, ensuring that the orderly resolution of failed banks includes ICT risk assessment as a core component.
- Depositor protection: New provisions aim to minimise economic disruption from bank failures, with specific requirements around digital operational continuity — directly echoing DORA's resilience mandates.
- ICT third-party risk: Resolution plans must now explicitly address dependencies on critical ICT service providers, aligning with DORA's oversight framework for systemic third parties like major cloud providers.
DORA Connection
DORA requires financial entities to maintain robust ICT risk management and report major incidents. The expanded bank resolution rules now ensure that when a financial institution does fail, its ICT infrastructure and third-party dependencies are properly accounted for in the wind-down process. This closes a gap where a bank could be technically DORA-compliant in operation but have no plan for its digital assets and contracts during resolution.
5. The "Cyber Insurer of Last Resort" Debate Intensifies
The UK government's £1.5 billion loan guarantee to Jaguar Land Rover (JLR) following a devastating cyberattack has ignited a fierce debate about whether governments should serve as cybersecurity insurers of last resort — a question with profound implications for NIS2 and DORA across Europe.
The Concern
Speaking at a Royal United Services Institute (RUSI) event, Ciaran Martin, chair of the UK Cyber Monitoring Centre, called the bailout "an unfortunate precedent" — a case-specific intervention without clear criteria for when such government action should occur.
- Moral hazard: If governments bail out organisations after cyberattacks, it could reduce incentives to invest in security. Why spend millions on NIS2 compliance if the government will cover your losses anyway?
- Target painting: "Too important to fail" designations could make critical organisations primary targets for ransomware groups and nation-state actors.
- Insurance gap: The cyber insurance market currently cannot cover catastrophic losses. Pool Re's Tracey Paul noted that bridging the gap between potential economic loss and insured loss requires government-industry partnership.
📌 EU Regulatory Lens: Under NIS2, essential entities are already required to implement robust security measures — the regulation's logic is prevention over bailout. Under DORA, financial entities must demonstrate resilience. The JLR precedent raises the question: what happens when compliance isn't enough?
The Ripple Effect
Analysts warn that a single cyberattack can now "ripple across an entire economy" — impacting GDP, employment, and national exports. This isn't theoretical: JLR's production shutdown affected thousands of supply chain jobs across multiple countries. The question for EU policymakers is whether NIS2 and DORA's prevention-first approach is sufficient, or whether a formal framework for catastrophic cyber incidents is needed.
Regulation Radar: What to Watch This Week
| Regulation | Development | Impact |
|---|---|---|
| EU AI Act | Simplified high-risk deadlines, nudifier ban | 🔴 High — Immediate compliance timeline changes |
| e-Privacy / GDPR | CSAM scanning derogation expired | 🟠 Medium — Platforms must reassess legal basis |
| NIS2 | ENISA investment report highlights talent gap | 🟠 Medium — Budget rebalancing needed |
| DORA | Bank resolution rules expanded with ICT focus | 🟡 Moderate — Financial sector resolution planning |
| EU Customs Code | Major reform addressing e-commerce safety | 🟡 Moderate — Supply chain security implications |
Bottom Line
This week demonstrates that European cybersecurity regulation is entering its operational phase. The AI Act is being refined for real-world deployment. NIS2's influence on spending is undeniable but unbalanced. DORA is reaching into adjacent regulatory frameworks. And the fundamental question of who pays when catastrophic cyber incidents overwhelm even compliant organisations remains unanswered.
The message to security leaders: compliance is the floor, not the ceiling. Invest in your people as aggressively as your platforms. And start thinking about what your organisation's Plan B looks like if the worst happens — because your government may not be ready to be your insurer of last resort.