CSA Warns Registrants About Malicious Impersonation Scam Emails

The Canadian Securities Administrators (CSA) has issued a warning to registrants about a malicious spear phishing scam. The emails impersonate the CSA and aim to obtain personal or confidential business information. Registrants are urged to be vigilant, verify sender addresses, and report suspicious emails.

OSFI Speech: Credit Risk, Accountability, and Liquidity Updates

The Office of the Superintendent of Financial Institutions (OSFI) announced a six-month consultation on credit risk management and a nine-month consultation on senior leader accountability. Additionally, the final Liquidity Adequacy Requirements Guideline for 2026 was released, effective May 1, 2026.

OSFI Quarterly Release: Guidance and Risk Management Updates

The Office of the Superintendent of Financial Institutions (OSFI) has released its first quarterly update of 2026, finalizing new liquidity guidance and launching consultations on credit risk management and board accountability. The release also confirms the continuation of loan-to-income limits for uninsured mortgages.

OSFI Finalizes Liquidity Adequacy Requirements Guideline

The Office of the Superintendent of Financial Institutions (OSFI) has published the final Liquidity Adequacy Requirements (LAR) Guideline for 2026. This guideline, effective May 1, 2026, clarifies definitions and treatments for deposits and structured notes to enhance the financial resilience of federally regulated deposit-taking institutions.

OSFI Discusses Canadian Banking Risks and Regulations

Superintendent Peter Routledge of OSFI discussed key risks facing Canadian financial institutions, including credit, liquidity, and governance. OSFI has launched consultations on credit risk management guidance and senior leader accountability, and issued final liquidity adequacy requirements.

OSFI Superintendent Discusses Climate Risk at CatIQ Conference

OSFI Superintendent Peter Routledge discussed the findings of the first Climate Risk Returns from 10 large Canadian institutions at the 2026 CatIQ conference. The returns provide detailed insights into physical and transition climate risks across various asset classes and sectors, highlighting areas of vulnerability and the need for improved data discipline.

EIOPA Consults on Revised Solvency II Group Solvency Guidelines

The European Insurance and Occupational Pensions Authority (EIOPA) has launched consultations on revised Guidelines for group solvency calculations and supervisory reporting under Solvency II. The revisions aim to align with the amended Solvency II framework and simplify existing guidelines, proposing significant reductions in the number of individual guidelines.

EIOPA Updates Solvency II Volatility Adjustment Reference Portfolios

The European Insurance and Occupational Pensions Authority (EIOPA) has published updated reference portfolios for calculating the volatility adjustment to risk-free interest rates under Solvency II. These updated portfolios will be used for the VA calculation from the end of March 2026.

EIOPA Consults on EU Insurance Recovery and Resolution Framework

EIOPA has launched seven consultations on draft guidelines and technical standards for the implementation of the EU's Insurance Recovery and Resolution Directive (IRRD). These consultations cover pre-emptive recovery plans, simplified obligations, and the independence of valuers, with the IRRD set to become operational in January 2027.

EIOPA Consultation on Private Equity Firm Supervision Statement

EIOPA has launched a public consultation on a draft supervisory statement concerning the authorisation and ongoing supervision of insurance and reinsurance undertakings owned by private equity firms. The consultation seeks feedback on proposed supervisory expectations to address risks associated with these acquisitions and ensure consistent supervision across the EU.

EIOPA Seeks Input on Solvency II NatCat Insurance Adaptation Measures

The European Insurance and Occupational Pensions Authority (EIOPA) has launched a public consultation on the prudential treatment of adaptation measures for natural catastrophe insurance under Solvency II. The consultation seeks feedback on potential adjustments to the standard formula to better reflect these measures and aims to reduce the insurance protection gap.

OPSG Paper on Typology of Multi-Pillar Pension Systems in Europe

The European Insurance and Occupational Pensions Authority (EIOPA) has published a paper detailing the typology of multi-pillar pension systems across Europe. This guidance aims to provide a framework for understanding the diverse pension landscape within the EU.

EIOPA DC Pensions Toolkit Development - OPSG Input

The Occupational Pensions Stakeholder Group (OPSG) has submitted its response to the European Insurance and Occupational Pensions Authority's (EIOPA) call for evidence regarding the development of a DC pensions toolkit. This input is intended to inform EIOPA's ongoing work in this area.

EU and UK Authorities MoU on DORA ICT Provider Oversight

The European Supervisory Authorities (ESAs) and the Bank of England, PRA, and FCA have signed a Memorandum of Understanding to enhance cooperation on overseeing critical ICT third-party service providers under DORA. This agreement facilitates joint oversight and equivalence assessments between EU and UK authorities.

EIOPA delegates DORA Q&A adoption to Chairperson

EIOPA, in cooperation with EBA and ESMA, has adopted a decision to delegate the adoption of answers to straightforward DORA questions to the EIOPA Chairperson. This aims to simplify procedures and optimize resource utilization.

European Commission notifies Meta over AI assistants exclusion from WhatsApp

The European Commission has sent a Statement of Objections to Meta, alleging a breach of EU antitrust rules by excluding third-party AI assistants from WhatsApp. The Commission intends to impose interim measures to prevent serious and irreparable harm to the market.

ESMA Notifications of Compliance with Guidelines Overview Table

The European Securities and Markets Authority (ESMA) has published an overview table detailing notifications of compliance with its guidelines. This document serves as a reference for market participants regarding adherence to ESMA's technical standards and guidelines.

MiCA Reverse Solicitation Guidelines Compliance Table

The European Securities and Markets Authority (ESMA) has published a compliance table for its Markets in Crypto-Assets (MiCA) Regulation reverse solicitation guidelines. This document aims to assist entities in understanding and adhering to the new requirements regarding unsolicited marketing of crypto-asset services.

MiCA Crypto-Asset Transfer Guidelines Compliance Table

The European Securities and Markets Authority (ESMA) has published a compliance table for its MiCA crypto-asset transfer guidelines. This document serves as a reference for entities to assess their adherence to the new regulatory framework for crypto-asset service providers.

Garante Privacy Fines Nursery, Approves IT-Wallet, CEREBRO, AI in Schools

The Italian Garante Privacy has fined a nursery school €10,000 for privacy violations related to children's photos and video surveillance. The authority also approved the experimentation of IT-Wallet, the use of CEREBRO for asset investigations, and issued guidelines for AI in schools.

GDPR Fines and Guidance on AI, Healthcare, and Public Transparency

The Italian Data Protection Authority (Garante privacy) issued a newsletter detailing several enforcement actions and guidance. Fines were issued to a bank (€100,000) and a municipality for transparency violations, and a hospital (€80,000) for improper access to patient health records. Global data protection authorities also affirmed that data protection fully applies to AI.

Hospital Fined €70k for Data Breach; FAQs on Public Tender Data Published

The Italian Data Protection Authority (Garante privacy) has fined a company managing a hospital €70,000 for the unauthorized disposal of a patient's tissue sample and failure to notify a data breach. The newsletter also announced new FAQs on data processing and transparency in public tenders.

Garante Privacy Fines Verisure Italia and Aimag for GDPR Violations

The Italian Data Protection Authority (Garante Privacy) has fined Verisure Italia €400,000 for unlawful marketing practices and Aimag for inadequate security measures. Both companies are ordered to cease unlawful data processing and comply with GDPR.

GDPR Fines for Employee Monitoring and Email Privacy

The Italian DPA has issued a €120,000 fine to an agricultural seed company for unlawfully monitoring employee driving habits via company vehicles. The newsletter also covers GDPR implications for accessing a dismissed employee's email and new tools against telemarketing.

EU Implementing Regulations and Decisions - February 2026

The EU Official Journal L series for February 9, 2026, includes several implementing regulations and decisions. These cover amendments to lists of third countries authorised for imports of fresh poultry meat, germinal products of equine animals, registration of geographical indications, and harmonised standards for construction products.

EU Official Journal L Series Daily View - February 10, 2026

The EU Official Journal L series for February 10, 2026, includes several new implementing and delegated regulations. These cover diverse areas such as mental health data, consumer product disclosure, rail transport interoperability, plant health, and anti-dumping measures on steel wires from China.

EU Official Journal C Series - February 10, 2026

The EU Official Journal C series for February 10, 2026, includes notices on State aid authorisations where no objections were raised, a non-opposition to a notified concentration, and communications from the Hungarian Ministry of Energy regarding hydrocarbon exploration and production authorisations.

EU Official Journal L Series Daily View - February 11, 2026

The EU Official Journal L series for February 11, 2026, has been published, including new regulations and implementing decisions. These cover various sectors such as securities supervision fees, greenhouse gas exemptions for semiconductor manufacturing, pesticide approvals, and animal health import requirements.

EU Legislation and Regulatory Notices - February 11, 2026

The EU Official Journal C series published several notices on February 11, 2026. These include communications on State aid, media service provider declarations under the European Media Freedom Act, renewable fuels in maritime transport, restrictive measures concerning Ukraine, and prior notifications of concentrations.

IMY Fines Trygg-Hansa SEK 35 Million for Data Exposure

The Swedish Authority for Privacy Protection (IMY) has issued an administrative fine of SEK 35 million against Trygg-Hansa. This action follows a data exposure incident where information for 650,000 customers was accessible to unauthorized persons via the internet for over two years.

Administrative Fine for Data Collection Without Security

The Swedish Privacy Protection Authority (IMY) has issued an administrative fine of SEK 100,000 against the Equality Ombudsman (DO) for insufficient security measures during personal data collection via a web form. The incident led to the inadvertent disclosure of approximately 500 tips and complaints.

GDPR Breach Fines for SL Group Companies

The Swedish Authority for Privacy Protection (IMY) has issued administrative fines of SEK 75,000 each to Aktiebolaget Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB). The fines were imposed for processing personal data related to employee sobriety tests in breach of the GDPR, specifically regarding excessive data storage and handling of potentially sensitive health data.

Apoteket and Apohem Fined for GDPR Violations

The Swedish Authority for Privacy Protection (IMY) has fined Apoteket AB SEK 37 million and Apohem AB SEK 8 million for GDPR violations. The companies improperly transferred sensitive personal data to Meta via the Meta Pixel tool, failing to implement adequate protective measures.

Sportadmin Fined SEK 6 Million for GDPR Data Leak

The Swedish Authority for Privacy Protection (IMY) has imposed an administrative fine of SEK 6 million on Sportadmin following a data leak that exposed personal data of over 2.1 million individuals. The authority found that Sportadmin did not maintain an appropriate level of security to protect the data, violating GDPR Article 32.

AEPD Resolves GDPR Breach: 492 Individuals' Data Published

The Spanish Data Protection Agency (AEPD) has initiated a sanctioning procedure against the Consejería de Hacienda y Administración Pública of the Junta de Extremadura for publishing the personal data (name, surname, and DNI) of 492 individuals on its website. The data was published without consent as part of a public employment selection process and has been accessible since September 2019.

Spanish DPA Resolution on Data Rights Claim

The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a data rights claim (EXP202517310). The claimant exercised their right of access, and after initial non-compliance, the respondent has now demonstrated that the right was attended to and a response was provided.

Data Protection Commission 2024 Annual Report

The Data Protection Commission (DPC) has published its 2024 Annual Report, detailing €652 million in administrative fines issued, including significant penalties against Meta and LinkedIn. The report also highlights the conclusion of numerous inquiries and breach notifications.

DPC Fines CDETB €125,000 for GDPR Data Breach

The Irish Data Protection Commission (DPC) has fined the City of Dublin Education and Training Board (CDETB) €125,000 for a GDPR data breach. The inquiry found CDETB infringed multiple GDPR articles related to security measures, breach notification to the DPC, and notification to data subjects.

DPC Inquiry into TikTok Data Transfers to China

The Irish Data Protection Commission (DPC) has opened an inquiry into TikTok Technology Limited regarding the transfer of EEA users' personal data to servers in China. This follows TikTok's admission that limited data was stored in China, contrary to previous evidence provided to the DPC.

Data Protection Commission Opens Inquiry into Children's Health Ireland

The Data Protection Commission (DPC) has opened a formal inquiry into Children's Health Ireland (CHI) concerning the security of children's health records at Tallaght University Hospital. The inquiry follows protected disclosures and a breach notification, and will examine CHI's GDPR compliance regarding physical data security.

CJEU Rules Pre-Ticked Checkboxes Invalid for Cookie Consent

The European Court of Justice (CJEU) ruled that pre-ticked checkboxes are invalid for obtaining cookie consent. This decision, welcomed by data protection authorities, clarifies that active user behavior is required for valid consent regarding data processing.

Bundestag Strengthens Data Protection Authority

The German Bundestag's Budget Committee has allocated an additional 67 posts to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for the upcoming year. This funding aims to enhance supervision of security authorities, support new digitalization tasks in the health sector, and improve international cooperation.

BfDI Fines 1&1 Telecom EUR 9.55M and Rapidata EUR 10k under GDPR

Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH EUR 9.55 million for insufficient technical and organizational measures to protect customer data and Rapidata GmbH EUR 10,000 for failing to appoint a data protection officer. These actions underscore the enforcement of GDPR provisions.

EDPB Agrees on GDPR Evaluation and Suggests Cooperation Improvements

The European Data Protection Board (EDPB) has agreed to contribute to the European Commission's evaluation of the GDPR. The EDPB suggests improvements in cooperation between data protection authorities and revisions to standard contractual clauses for data transfers.

ECJ Invalidates Privacy Shield, Impacts International Data Transfers

The European Court of Justice (ECJ) has declared the EU-US Privacy Shield invalid, impacting international data transfers. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated that companies and authorities can no longer rely on the Privacy Shield for data exchange with the USA, requiring special safeguards and adherence to fundamental rights.

France Travail fined €5 million for data security breach

The CNIL has fined FRANCE TRAVAIL (formerly Pôle Emploi) €5 million for failing to implement adequate security measures to protect job seeker data, following a hack in early 2024. The fine addresses inadequate technical and organizational measures, including weak authentication and logging.

CNIL Work Programme 2026-2028 on Data Economy

The CNIL has published its work programme for 2026-2028, focusing on understanding data-related business models and measuring the economic impact of its decisions. The programme aims to deepen expertise in data protection's economic implications and contribute to public debate on the data economy.

CNIL Annual Report: 2025 Fines and Sanctions

The CNIL reported imposing €486.8 million in fines and 83 sanctions in 2025, primarily for violations related to cookies, employee monitoring, and data security. The report details 143 compliance orders and 31 reminders of legal obligations issued during the year.

EDPB Guidelines on Article 48 GDPR

The European Data Protection Board (EDPB) has published final guidelines on Article 48 of the GDPR, concerning the recognition of judgments and decisions of public authorities of third countries. These guidelines clarify the conditions under which such judgments can be relied upon for international data transfers.

EDPB Consultation on DSA and GDPR Interplay Guidelines

The European Data Protection Board (EDPB) has opened a public consultation on its draft Guidelines 3/2025 concerning the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The consultation period is open until October 31, 2025.