Newsletter #119: AI Act, Cybersecurity, and European Biotech Act

European Data Protection Supervisor

Summary

The EDPS published Newsletter #119 covering its strategic activities including a joint opinion with the EDPB supporting the European Commission's cybersecurity package (Cybersecurity Act 2 and NIS2 amendments) while recommending privacy safeguards; publication of the EDPS Compass outlining its new role as market surveillance authority and notified body for AI systems of EU institutions under the AI Act; and a joint opinion welcoming the European Biotech Act while calling for stronger protections for health and genetic data in clinical trials.

Why this matters

This newsletter signals the EDPS's expanding supervisory mandate under the AI Act, positioning itself as both regulator and assessor for AI systems across EU public administration. Organizations developing or deploying AI systems for EU institutions should monitor EDPS Compass guidance as it becomes available. The joint opinions on cybersecurity and biotech reflect the EDPB-EDPS pattern of coordinating regulatory positions to ensure data protection considerations are embedded early in legislative proposals, which may shape final legislation. Compliance teams should review the joint recommendations for practical implications as both files progress through the legislative process.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by EDPS on edps.europa.eu. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

What changed

This EDPS Newsletter summarizes three significant regulatory opinions: (1) a joint EDPB-EDPS opinion broadly supporting the Cybersecurity Act 2 and NIS2 amendments while recommending that ENISA consult the EDPB before adopting certification schemes relating to personal data security, and that certification schemes may help demonstrate GDPR compliance; (2) the EDPS Compass publication outlining its new role under the AI Act as market surveillance authority for AI systems used by EU institutions, bodies, offices and agencies; (3) a joint opinion welcoming the European Biotech Act while recommending clarification of data protection roles, limitation of data retention, and pseudonymisation requirements for clinical trial data.

Affected parties include EU institutions and bodies using AI systems, European Digital Identity Wallet providers designated as essential entities under NIS2, and sponsors and investigators conducting clinical trials under the proposed Biotech Act. The newsletter is primarily informational, announcing these publications and upcoming events rather than imposing new compliance obligations.

Archived snapshot

Apr 20, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Newsletter (119)

20 Apr 2026

Here we are again with the latest EDPS Newsletter!

This time around, we look at upcoming events, our strategic vision under the AI Act, two more joint opinions we issued with the European Data Protection Board (relating to cybersecurity and biotech proposals), and more.

Celebrate Europe Day with us!

Europe Day is coming up on 9 May. As usual, the European institutions will mark the occasion by opening their doors to the public.

We will be set up in the premises of the European Parliament, and we would love to meet you in person.

Test our Face Detection Tool to see how facial recognition tech functions in real life, have a go at our quiz, and spin our Data Protection Roulette!

  • When: Saturday, 9 May 2026, from 10:00 to 18:00 (CET)
  • Where: European Parliament (Rue Wiertz 60, Brussels)

See you there for a day full of discovery and interaction!

For more info

Blog post on early oversight in justice and law enforcement

In a recent blogpost, Supervisor Wojciech Wiewiórowski explains the value of prior consultation. This is the mechanism by which EU institutions, bodies, offices and agencies responsible for data processing consult the EDPS before proceeding with operations likely to present a high risk to individuals’ rights and freedoms.

Prior consultations are particularly significant in the field of law enforcement and judicial cooperation in criminal matters, where data processing can have far-reaching consequences for individuals.

In the blogpost, the Supervisor explains what makes prior consultations meaningful instruments that help shape lawful and proportionate data processing in areas of significant public interest. You’ll also find links to 10 examples of prior consultations carried out by the EDPS in 2025 within the Area of Freedom, Security and Justice.

Read the blogpost

High-level debate on the Digital Omnibus and GDPR

On 8 June 2026, there will be a high-level debate in Brussels on the European Commission’s Digital Omnibus proposals and their implications for the GDPR and the broader EU digital regulatory framework.

‘From Omnibus to Opportunity: Driving Data Protection and Innovation’ runs from 18:30 to 20:30 (accreditation from 18:00), and will be followed by a reception.

The event is co-organised by the EDPS, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), and the Bavarian Data Protection Commissioner (BayLfD), and hosted by the Representation of the Free State of Bavaria to the European Union in Brussels.

Find out more and save the date

EDPB and EDPS support stronger cybersecurity rules while calling for privacy safeguards

The European Data Protection Board (EDPB) and EDPS have adopted a joint opinion on the European Commission's cybersecurity package, which includes a revised Cybersecurity Act (CSA2) and targeted amendments to the Network and Information Security 2 (NIS2) Directive.

The package aims to further strengthen cybersecurity across Europe while easing compliance for organisations. The two bodies broadly welcome the proposal's objectives, including the strengthened role of the EU Agency for Cybersecurity (ENISA) in supporting digital resilience and facilitating uptake of cybersecurity certification.

At the same time, they recall that security controls should be implemented in a way that does not undermine individuals’ fundamental rights and freedoms. Against this background, they welcome the opportunities for synergies and cooperation with ENISA to create a robust ecosystem where security and privacy go hand in hand.

The EDPB and EDPS also offer specific recommendations in relation to cybersecurity, such as:

  • greater clarity on the relationship between the European Cybersecurity Certification Framework and GDPR certification;
  • take into account that certification schemes for products and services likely to be used in data processing may also help to demonstrate GDPR compliance;
  • ENISA to consult the EDPB before adopting any certification scheme relating to the security of personal data processing.

Consistent with the earlier EDPB-EDPS position on the Digital Omnibus, the joint opinion also reiterates support for a single-entry point for notifying personal data breaches. This measure would reduce the administrative burden on organisations without weakening protection for individuals.

On the proposed NIS2 amendments, the two bodies welcome the designation of European Digital Identity Wallet and European Business Wallet providers as ‘essential entities’, bringing with it more rigorous risk management requirements and supervisory oversight.

Read the joint opinion here

Read the press release here

The EDPS outlines its new role under the AI Act

Under the AI Act, the EDPS now serves as the market surveillance authority for the AI systems of the EU institutions, bodies, offices and agencies (EUIs), and as their notified body for certain high-risk AI systems.

With the aim of setting out how it will approach these new responsibilities and support trustworthy AI in EU public administration, the EDPS has published the ‘EDPS Compass for its new role under the AI Act’.

Building on the AI Preparedness Strategy launched in May 2024 and the establishment of the EDPS AI Unit, the Compass outlines the EDPS’s new tasks and strategic vision under the AI Act, its operational approach to supervising EUIs’ AI systems, and the four strategic pillars guiding its dual role as both regulator and assessor. The overarching aim is to ensure that AI across EU public administration is safe, compliant, and human-centric.

You can find the EDPS Compass here

EDPB and EDPS support European Biotech Act, call for safeguards on health data

In a joint opinion, the EDPB and EDPS welcomed the European Commission’s proposal for a European Biotech Act, which aims to strengthen Europe’s biotechnology and biomanufacturing sectors by streamlining the regulatory framework and updating the rules for clinical trials.

The two bodies welcome the proposal’s steps towards reducing fragmentation in the application of the Clinical Trials Regulation (CTR) and establishing a single legal basis for the processing of personal data by sponsors and investigators.

At the same time, they underlined the sensitivity of health and genetic data. Processing such data in the context of clinical trials requires a high standard of protection.

Key recommendations include:

  • clarifying the data protection roles of actors involved in funding and conducting trials;
  • limiting data retention;
  • clearly defining when further processing of trial data for scientific research is allowed;
  • requiring pseudonymisation of data whenever directly identifiable personal data isn’t necessary.

The joint opinion also addresses coherence with the AI Act.

Read the joint opinion

Read the press release

EDPS Tips & Tricks: EDPS investigations

More than a process, it’s privacy protection.

As part of our role, and when necessary, we conduct investigations to establish whether an EU institution, body, office or agency (EUI) has breached applicable rules.

To help with the process, as an EUI you must document your personal data processing operations and cooperate with the EDPS.

During an investigation, you also have the right to be heard, and you need to apply our corrective measures, if applicable.

Together, we protect people’s personal information.

Click here for the step-by-step guide to EDPS investigations

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free.

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from EDPS.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: EDPS
Published: April 20th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Government agencies, Healthcare providers
Industry sector: 5112 Software & Technology; 9211 Government & Public Administration
Activity scope: AI system oversight, Cybersecurity regulation, Clinical trial data protection
Geographic scope: European Union (EU)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Cybersecurity, Artificial Intelligence, Healthcare
