← Torna al blog sicurezza
Conformità Compliance & Regulations Regolamenti
20 marzo 2026
9 min di lettura
EU Parliament Votes to Simplify AI Act, ENISA Launches CRA Survey for SMEs, DMA-GDPR Interplay Guidelines Published
The European Parliament's IMCO and LIBE committees agree on sweeping proposals to simplify the EU AI Act, including bans on AI "nudifier" systems. ENISA launches a Cyber Resilience Act readiness survey targeting SMEs. The European Commission and EDPB publish DMA-GDPR interplay consultation results. The ECCC opens a €56.2 million cybersecurity research funding call under Horizon Europe. Critical regulatory developments for compliance teams — March 20, 2026.
Is your organization AI Act & CRA compliant?
KENSAI maps your security posture against NIS2, DORA, AI Act, and CRA requirements automatically.
Free Compliance Check →
🤖 EU Parliament Agrees to Simplify AI Act Rules
Breaking: AI Act Simplification Vote — March 19, 2026
The European Parliament's Internal Market (IMCO) and Civil Liberties (LIBE) committees jointly adopted proposals to simplify the EU AI Act and proposed bans on AI "nudifier" systems that generate non-consensual intimate imagery. The committees also proposed clear application dates for high-risk system requirements.
What Changed
The simplification proposals address one of the most significant criticisms of the AI Act since its passage — implementation complexity. Key changes include:
- Streamlined compliance documentation: Reduced paperwork requirements for SMEs deploying low-risk AI systems
- Clear high-risk timelines: Specific application dates for high-risk system requirements, removing ambiguity from compliance roadmaps
- AI nudifier ban: Explicit prohibition of AI systems that generate non-consensual intimate imagery — classified alongside existing prohibited practices
- SME-friendly provisions: Regulatory sandbox access and compliance support measures for smaller companies
Impact on Organizations
For organizations already preparing for AI Act compliance, these simplification measures provide welcome clarity. High-risk AI system operators — particularly in healthcare, critical infrastructure, and financial services — now have concrete deadlines to work toward rather than the previous ambiguous "phased application" language.
The nudifier ban adds a new category to the AI Act's prohibited practices list, with potential enforcement implications for generative AI platforms that lack adequate content moderation safeguards.
🔒 ENISA Launches Cyber Resilience Act Survey for SMEs
CRA Readiness Assessment
The European Union Agency for Cybersecurity (ENISA) launched a comprehensive survey on March 18, 2026 targeting Small and Medium Enterprises (SMEs) to assess their readiness for the Cyber Resilience Act (CRA). The survey aims to understand:
- Overall CRA awareness levels among SMEs
- How ready and mature SMEs feel for CRA compliance
- What types of support SMEs would find most useful
- Current cybersecurity practices and gaps
Why This Matters
The CRA establishes mandatory cybersecurity requirements for products with digital elements sold in the EU market. For hardware and software manufacturers, this means:
- Secure by design: Products must meet baseline cybersecurity requirements before market placement
- Vulnerability handling: Manufacturers must provide security updates and handle vulnerabilities throughout the product lifecycle
- Incident reporting: Active exploitation of vulnerabilities must be reported within 24 hours
- Documentation: Technical documentation proving conformity with essential requirements
Timeline reminder: The CRA entered into force in December 2024, with most obligations applying from December 2027. The reporting obligations begin from September 2026 — just 6 months away. SMEs producing digital products must start preparing now.
⚖️ DMA-GDPR Interplay: Consultation Results Published
Resolving the Digital Markets Act vs. GDPR Tension
On March 12, 2026, the European Commission and the European Data Protection Board (EDPB) published the individual contributions received in response to the public consultation on draft joint guidelines addressing the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR).
This publication addresses a critical regulatory grey area: how designated "gatekeepers" (Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft) balance DMA data-sharing obligations against GDPR data protection requirements.
Key Tension Points
- Data portability vs. data minimization: DMA requires gatekeepers to enable data portability, but GDPR mandates data minimization — the guidelines clarify how to reconcile these obligations
- Consent frameworks: How gatekeeper consent mechanisms under DMA Article 5 interact with GDPR consent requirements
- Cross-service data combination: Restrictions on combining personal data across core platform services without explicit GDPR-compliant consent
- Third-party access rights: How third parties can exercise DMA access rights while maintaining GDPR compliance
📊 DMA Gatekeeper Annual Compliance Reports
All six designated gatekeepers — Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft — submitted their updated compliance measures reports on March 9, 2026, as required by the Digital Markets Act. The reports outline changes implemented and measures taken during the past year since their initial September 2023 designation.
The Commission is now reviewing these reports to assess whether gatekeepers have made sufficient progress in meeting their DMA obligations, including:
- Allowing third-party app stores and sideloading
- Enabling interoperability of messaging services
- Providing data portability for end users
- Ensuring fair ranking and self-preferencing restrictions
- Permitting uninstallation of pre-installed apps
💰 €56.2 Million ECCC Cybersecurity Funding Call
Horizon Europe Programme
The European Cybersecurity Competence Centre (ECCC) opened a new call for proposals on March 17, 2026 under the Horizon Europe Programme with an indicative budget of up to €56.2 million. This represents one of the largest single cybersecurity research funding calls in EU history.
Focus Areas
While specific topic details are being published through the EU Funding & Tenders Portal, previous ECCC calls have prioritized:
- AI-driven threat detection and response
- Post-quantum cryptography transition support
- Supply chain security tooling
- Cybersecurity skills development and workforce training
- Critical infrastructure protection research
- Cybersecurity for SMEs and the public sector
For KENSAI users: Organizations performing automated security assessments are well-positioned for ECCC funding calls focused on AI-driven security tooling. Contact your national Cybersecurity Competence Centre for guidance on applying.
🌐 Digital Europe Programme Adapts
On March 19, 2026, the European Commission announced that the Digital Europe Programme is adapting to deliver for Europe's evolving digital needs. While full details are being published, the programme continues to fund:
- Cybersecurity capacity building across member states
- AI deployment support for public and private sectors
- Advanced digital skills training
- European Digital Infrastructure Consortia (EDICs)
- Cloud-to-edge infrastructure development
Additionally, the EU has committed €200 million through the Connecting Europe Facility (CEF) for high-capacity network projects, including submarine cables — strengthening the digital infrastructure backbone that underpins cybersecurity resilience.
📅 NIS2 & DORA Enforcement Status — March 2026
NIS2 Update
NIS2 enforcement continues to accelerate across the EU. As of March 2026:
- First penalties issued in Q1 2026 for non-compliant essential entities
- Member states continue to finalize national transposition laws — with some still lagging behind the October 2024 deadline
- ENISA's updated Cybersecurity Exercise Methodology (published February 16, 2026) provides organizations with practical tools for NIS2-required incident response exercises
- Fines remain up to €10M or 2% of global turnover for essential entities
DORA Countdown
Financial entities have until January 17, 2025 — which has now passed — to comply with the Digital Operational Resilience Act. Key enforcement developments:
- European Supervisory Authorities (ESAs) are conducting supervisory reviews
- ICT third-party provider registers must be maintained and reportable
- Threat-led penetration testing (TLPT) requirements are being enforced for systemically important institutions
- The Critical ICT Third-Party Provider (CTPP) oversight framework is operational
📋 Compliance Action Items — March 2026
- AI Act:
- Monitor the Parliament simplification proposals as they move to trilogue
- Audit AI systems for prohibited practices including nudifier capabilities
- Classify all AI deployments by risk level (unacceptable/high/limited/minimal)
- SMEs: Explore regulatory sandbox access in your member state
- Cyber Resilience Act:
- SMEs: Participate in the ENISA CRA readiness survey
- Hardware/software manufacturers: Prepare for September 2026 reporting obligations
- Implement vulnerability handling processes now
- Review product lifecycle security update commitments
- NIS2 (Active Enforcement):
- Confirm in-scope status and complete compliance measures
- Conduct cybersecurity exercises using ENISA's updated methodology
- Verify 24/72-hour incident reporting capabilities
- Document supply chain security assessments
- DORA (Post-Deadline):
- Maintain ICT third-party provider registers
- Execute threat-led penetration testing programmes
- Review and update ICT service provider contracts
- Prepare for supervisory authority reviews
- GDPR/DMA:
- Review DMA-GDPR interplay guidelines for platform-dependent operations
- Audit data portability mechanisms for DMA compliance
- Update consent frameworks to align with both DMA and GDPR
Automate Your Compliance Posture with KENSAI
Continuous security assessments mapped to NIS2, DORA, CRA, AI Act, and GDPR requirements. Know your compliance gaps before regulators find them.
Start Free Security Scan →
Stay compliant. Stay ahead of enforcement.
🗡️ KENSAI Compliance Intelligence
March 20, 2026
Related Regulation Updates
Daily Regulation Updates
Stay informed on NIS2, DORA, GDPR, AI Act, and CRA developments.