剣 KENSAI
← All posts · security

EU संसद ने AI अधिनियम को सरल बनाने और न्यूडिफायर सिस्टम पर प्रतिबंध के लिए मतदान किया — CRA प्रवर्तन तेज, DORA TLPT समय सीमा नजदीक

क्या आप अगस्त 2026 की AI अधिनियम समय सीमा के लिए तैयार हैं? मुफ्त अनुपालन अंतर विश्लेषण — NIS2, DORA, CRA, EU AI अधिनियम
मुफ्त मूल्यांकन →

🤖 EU Parliament Proposes AI Act Simplification with Nudifier Ban

Breaking — AI Nudifier Systems Explicitly Banned

On March 18, 2026, the European Parliament's IMCO (Internal Market) and LIBE (Civil Liberties) committees agreed on proposals to simplify the EU AI Act while adding an explicit prohibition on AI "nudifier" systems — tools that generate non-consensual intimate imagery using artificial intelligence.

This marks the first significant legislative revision since the AI Act entered into force, and it sends a clear signal: the EU is willing to adjust the regulation's complexity while hardening its stance on harmful applications.

Key Changes Proposed

  • AI nudifier ban: Explicit prohibition of AI systems that generate non-consensual intimate imagery. This closes a gap in the original "prohibited practices" list and responds to the explosion of deepfake pornography targeting individuals without consent
  • Clearer high-risk application dates: MEPs propose unambiguous timelines for when high-risk AI system requirements take effect, reducing legal uncertainty for developers and deployers
  • Simplification measures: Streamlining compliance requirements to reduce the regulatory burden, particularly for SMEs and startups building AI systems
  • Proportionality focus: Adjustments to ensure obligations are proportionate to actual risk rather than creating blanket requirements

What This Means for Organizations

If these proposals advance through the full Parliament and trilogue process, organizations will benefit from:

  • Reduced compliance ambiguity: Clearer deadlines mean less legal interpretation and more certainty in compliance planning
  • Lower compliance costs for low-risk AI: Simplified requirements could reduce the documentation and assessment burden for AI systems that don't fall into high-risk categories
  • Stronger prohibited practices list: Any AI provider offering image manipulation tools must audit their systems against the expanded prohibitions

August 2, 2026 — High-Risk AI Deadline Unchanged

The simplification proposals do not delay the August 2, 2026 deadline for high-risk AI system compliance. Organizations deploying AI in critical infrastructure, employment, law enforcement, education, or essential services must have risk assessments, human oversight mechanisms, and technical documentation in place. Less than five months remain.


🏛️ CRA: Enforcement Infrastructure Now Operational

Following the first meeting of the Administrative Cooperation Group on March 20, the Cyber Resilience Act's enforcement machinery is now fully activated. National market surveillance authorities across all 27 member states are now coordinating on:

  • Harmonized enforcement procedures for consistent CRA application across the single market
  • Product testing protocols and common methodologies for verifying cybersecurity compliance
  • Cross-border cooperation for removing non-compliant products from multiple markets simultaneously
  • Penalty alignment — sanctions can reach up to €15 million or 2.5% of global annual turnover

ENISA SME Readiness Survey Still Open

ENISA's targeted survey for SMEs on CRA awareness, readiness, and support needs (launched March 18) remains open. For organizations manufacturing products with digital elements, this is both a compliance wake-up call and an opportunity to shape EU support resources.

CRA September 2026 deadline: Vulnerability and incident reporting obligations begin in six months. If you haven't started your product inventory and SBOM documentation, the runway is disappearing fast.


💶 Cyprus Presidency Sets Digital Priorities for Council

On March 19, Ministers from the Cyprus Presidency of the Council of the EU presented their priorities to European Parliament committees. While the full program spans multiple policy areas, the digital and cybersecurity priorities are notable:

  • Digital single market completion: Advancing legislation that reduces fragmentation in digital services across member states
  • Cybersecurity capacity building: Strengthening national capabilities to implement NIS2 obligations and respond to cross-border incidents
  • AI governance implementation: Supporting member states in establishing national AI authorities and enforcement bodies required under the AI Act
  • EU-US Turnberry trade deal: The INTA committee adopted positions on tariff aspects, which may include data flow and digital trade provisions with cybersecurity implications

The Presidency's focus on implementation over new legislation is significant. The EU's regulatory framework (NIS2, DORA, CRA, AI Act, GDPR) is largely complete — the challenge now is consistent enforcement across 27 member states with vastly different levels of cybersecurity maturity.


🔐 DORA: Q1 2026 Compliance Checkpoint

The Digital Operational Resilience Act has been enforceable since January 17, 2025. Financial entities should now be demonstrating active compliance. Key Q1 2026 activities:

Threat-Led Penetration Testing (TLPT)

Significant financial institutions must conduct their first cycle of TLPT under the TIBER-EU framework. This is not a standard vulnerability scan — TLPT involves intelligence-led red team exercises that simulate real-world threat actor techniques against critical production systems.

  • Scoping: TLPT scope must include live production systems and critical functions — no sandboxes, no test environments
  • Threat intelligence: Tests must be informed by current threat landscape intelligence specific to the financial sector
  • External providers: TLPT must be conducted by external, certified testing providers with appropriate accreditation
  • Supervisory involvement: National competent authorities oversee the TLPT process and validate results

ICT Third-Party Risk Management

Financial entities must maintain comprehensive registers of all ICT third-party service providers, including:

  • Criticality assessments for each provider
  • Contractual provisions ensuring audit rights and security requirements
  • Concentration risk analysis — avoiding over-dependence on single cloud or infrastructure providers
  • Exit strategies and substitution plans for critical providers

DORA Enforcement Is Live

Unlike NIS2 (where some member states are still transposing), DORA is directly applicable across all EU member states. European Supervisory Authorities (EBA, ESMA, EIOPA) can and do enforce. Financial entities not demonstrating active compliance risk supervisory action now — not at some future deadline.


🌐 Digital Europe Programme Restructured for Security

The European Commission announced on March 19 that the Digital Europe Programme is being restructured to better address evolving digital security needs. Combined with the ECCC's €56.2 million Horizon Europe call (opened March 17), this represents substantial new funding for cybersecurity capabilities:

  • National SOC networks: Cross-border Security Operations Centers for threat detection and intelligence sharing
  • Cybersecurity skills development: Training programmes addressing the estimated 500,000+ unfilled cybersecurity positions across the EU
  • SME compliance tools: Practical resources and certification assistance for smaller organizations navigating NIS2 and CRA requirements
  • AI-powered security: Research funding for AI-driven threat detection, automated vulnerability management, and intelligent incident response

€56.2M Horizon Europe Call — Apply Now

The ECCC's Horizon Europe call is one of the largest single funding rounds for EU cybersecurity R&D. Eligibility typically includes research institutions, startups, and established companies. Application deadlines are usually 90 days from announcement. If you're building cybersecurity technology in the EU, this is the funding round to target.


📊 GDPR Enforcement Trends — Q1 2026

While no landmark GDPR fines dropped this week, the broader Q1 2026 enforcement trend continues to intensify:

  • Cross-border enforcement: The one-stop-shop mechanism continues to face criticism for delays, but several major cross-border cases are expected to conclude in Q2 2026
  • AI and GDPR intersection: Data protection authorities are increasingly scrutinizing AI training data practices, particularly web scraping for large language model training
  • Cookie consent enforcement: Several member state DPAs have intensified enforcement of cookie consent requirements, with particular focus on dark patterns in consent banners
  • Children's data: The proposed AI nudifier ban intersects with GDPR's strengthened protections for minors, creating a multi-regulation enforcement surface

🗓️ Upcoming Regulatory Deadlines

DateRegulationMilestone
Jun 2026NIS2Netherlands: Entity self-assessment deadline
Aug 2, 2026EU AI ActHigh-risk AI system obligations take effect
Sep 2026CRAVulnerability & incident reporting obligations begin
Q4 2026DORAFirst TLPT cycle completion for significant entities
2027EU AI ActGeneral-purpose AI model obligations apply
Dec 2027CRAFull product compliance required

✅ Compliance Action Items This Week

  1. EU AI Act: Track the Parliament's simplification proposals. Audit any AI image generation or manipulation tools against the proposed nudifier ban. Confirm your August 2, 2026 high-risk compliance roadmap is on track.
  2. CRA: The Administrative Cooperation Group is active — enforcement is real. Begin SBOM documentation and product security assessments now. Six months to September 2026 reporting deadline.
  3. DORA: Financial institutions must verify TLPT scoping is underway. Complete ICT third-party risk registers. Ensure incident reporting uses ESA standardized templates.
  4. NIS2: Leverage ENISA's Cybersecurity Exercise Methodology to build internal testing capabilities. Update risk assessments to include state-sponsored encrypted messaging attacks (FBI warning from last week).
  5. Funding: Review the ECCC's €56.2M Horizon Europe call for cybersecurity R&D. Application window is limited.
  6. GDPR: Review AI training data practices. Audit cookie consent implementations for dark pattern compliance. Assess children's data processing in context of proposed AI Act amendments.

Automate Your Compliance with KENSAI

Continuous compliance monitoring for NIS2, DORA, CRA, GDPR, and EU AI Act. Real-time regulatory tracking with automated gap analysis.

Start मुफ्त मूल्यांकन →

Stay compliant. Stay ahead.

🗡️ KENSAI Compliance Intelligence

23 मार्च 2026

All posts · Permalink