← Terug naar beveiligingsblog
Compliance Compliance & Regulations Regelgeving 20 maart 2026 9 min leestijd

EU Parliament Votes to Simplify AI Act, ENISA Launches CRA Survey for SMEs, DMA-GDPR Interplay Guidelines Published

The European Parliament's IMCO and LIBE committees agree on sweeping proposals to simplify the EU AI Act, including bans on AI "nudifier" systems. ENISA launches a Cyber Resilience Act readiness survey targeting SMEs. The European Commission and EDPB publish DMA-GDPR interplay consultation results. The ECCC opens a €56.2 million cybersecurity research funding call under Horizon Europe. Critical regulatory developments for compliance teams — March 20, 2026.

Is your organization AI Act & CRA compliant? KENSAI maps your security posture against NIS2, DORA, AI Act, and CRA requirements automatically.
Free Compliance Check →

🤖 EU Parliament Agrees to Simplify AI Act Rules

Breaking: AI Act Simplification Vote — March 19, 2026

The European Parliament's Internal Market (IMCO) and Civil Liberties (LIBE) committees jointly adopted proposals to simplify the EU AI Act and proposed bans on AI "nudifier" systems that generate non-consensual intimate imagery. The committees also proposed clear application dates for high-risk system requirements.

What Changed

The simplification proposals address one of the most significant criticisms of the AI Act since its passage — implementation complexity. Key changes include:

Impact on Organizations

For organizations already preparing for AI Act compliance, these simplification measures provide welcome clarity. High-risk AI system operators — particularly in healthcare, critical infrastructure, and financial services — now have concrete deadlines to work toward rather than the previous ambiguous "phased application" language.

The nudifier ban adds a new category to the AI Act's prohibited practices list, with potential enforcement implications for generative AI platforms that lack adequate content moderation safeguards.


🔒 ENISA Launches Cyber Resilience Act Survey for SMEs

CRA Readiness Assessment

The European Union Agency for Cybersecurity (ENISA) launched a comprehensive survey on March 18, 2026 targeting Small and Medium Enterprises (SMEs) to assess their readiness for the Cyber Resilience Act (CRA). The survey aims to understand:

Why This Matters

The CRA establishes mandatory cybersecurity requirements for products with digital elements sold in the EU market. For hardware and software manufacturers, this means:

Timeline reminder: The CRA entered into force in December 2024, with most obligations applying from December 2027. The reporting obligations begin from September 2026 — just 6 months away. SMEs producing digital products must start preparing now.


⚖️ DMA-GDPR Interplay: Consultation Results Published

Resolving the Digital Markets Act vs. GDPR Tension

On March 12, 2026, the European Commission and the European Data Protection Board (EDPB) published the individual contributions received in response to the public consultation on draft joint guidelines addressing the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR).

This publication addresses a critical regulatory grey area: how designated "gatekeepers" (Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft) balance DMA data-sharing obligations against GDPR data protection requirements.

Key Tension Points


📊 DMA Gatekeeper Annual Compliance Reports

All six designated gatekeepers — Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft — submitted their updated compliance measures reports on March 9, 2026, as required by the Digital Markets Act. The reports outline changes implemented and measures taken during the past year since their initial September 2023 designation.

The Commission is now reviewing these reports to assess whether gatekeepers have made sufficient progress in meeting their DMA obligations, including:


💰 €56.2 Million ECCC Cybersecurity Funding Call

Horizon Europe Programme

The European Cybersecurity Competence Centre (ECCC) opened a new call for proposals on March 17, 2026 under the Horizon Europe Programme with an indicative budget of up to €56.2 million. This represents one of the largest single cybersecurity research funding calls in EU history.

Focus Areas

While specific topic details are being published through the EU Funding & Tenders Portal, previous ECCC calls have prioritized:

For KENSAI users: Organizations performing automated security assessments are well-positioned for ECCC funding calls focused on AI-driven security tooling. Contact your national Cybersecurity Competence Centre for guidance on applying.


🌐 Digital Europe Programme Adapts

On March 19, 2026, the European Commission announced that the Digital Europe Programme is adapting to deliver for Europe's evolving digital needs. While full details are being published, the programme continues to fund:

Additionally, the EU has committed €200 million through the Connecting Europe Facility (CEF) for high-capacity network projects, including submarine cables — strengthening the digital infrastructure backbone that underpins cybersecurity resilience.


📅 NIS2 & DORA Enforcement Status — March 2026

NIS2 Update

NIS2 enforcement continues to accelerate across the EU. As of March 2026:

DORA Countdown

Financial entities have until January 17, 2025 — which has now passed — to comply with the Digital Operational Resilience Act. Key enforcement developments:


📋 Compliance Action Items — March 2026

  1. AI Act:
    • Monitor the Parliament simplification proposals as they move to trilogue
    • Audit AI systems for prohibited practices including nudifier capabilities
    • Classify all AI deployments by risk level (unacceptable/high/limited/minimal)
    • SMEs: Explore regulatory sandbox access in your member state
  2. Cyber Resilience Act:
    • SMEs: Participate in the ENISA CRA readiness survey
    • Hardware/software manufacturers: Prepare for September 2026 reporting obligations
    • Implement vulnerability handling processes now
    • Review product lifecycle security update commitments
  3. NIS2 (Active Enforcement):
    • Confirm in-scope status and complete compliance measures
    • Conduct cybersecurity exercises using ENISA's updated methodology
    • Verify 24/72-hour incident reporting capabilities
    • Document supply chain security assessments
  4. DORA (Post-Deadline):
    • Maintain ICT third-party provider registers
    • Execute threat-led penetration testing programmes
    • Review and update ICT service provider contracts
    • Prepare for supervisory authority reviews
  5. GDPR/DMA:
    • Review DMA-GDPR interplay guidelines for platform-dependent operations
    • Audit data portability mechanisms for DMA compliance
    • Update consent frameworks to align with both DMA and GDPR

Automate Your Compliance Posture with KENSAI

Continuous security assessments mapped to NIS2, DORA, CRA, AI Act, and GDPR requirements. Know your compliance gaps before regulators find them.

Start Free Security Scan →

Stay compliant. Stay ahead of enforcement.

🗡️ KENSAI Compliance Intelligence

March 20, 2026

Daily Regulation Updates

Stay informed on NIS2, DORA, GDPR, AI Act, and CRA developments.