Monthly roundup of EU and global compliance developments, enforcement actions, and regulatory shifts that affect your security posture.
4 Editions Published
May 2026 closed with the European Commission adopting common NIS2 incident-reporting templates ahead of an implementing act, Ireland's DPC issuing both a sanction (€277,500 against Permanent TSB) and a Chapter V inquiry into SHEIN, the BSI publishing the G7's first SBOM-for-AI standard, the CCB Belgium issuing operational incident-response guidance, and CNIL strengthening health-research security baselines. Six items, all traceable to primary regulator or institutional sources.
April delivered the first concrete NIS2 enforcement milestones — Belgium's conformity assessment deadline, Dutch parliamentary approval of the Cyberbeveiligingswet, and Germany's KRITIS umbrella expansion to 30,000+ entities. The EDPB also adopted long-awaited research-data guidance and a joint opinion on the Cybersecurity Act 2.
CNIL's €800,000 fine against Cegedim Sante was confirmed on February 13. Two weeks later, the same company disclosed the largest healthcare data breach in EU history — 15.8 million patient records. This month's Regulatory Radar covers the collision of enforcement and incident, NIS2's first penalties, DORA's approaching deadlines, and the EU AI Act countdown.
Your monthly European compliance intelligence briefing. This edition covers NIS2 transposition progress, DORA's first month of enforcement, and the Cyber Resilience Act's reporting obligations timeline.