Cyber Monday Flash

We analyse the main regulatory developments, criteria of authorities and judicial pronouncements on privacy, cybersecurity and digital resilience, with a direct impact on technological governance and the responsibility of organisations.

Digital governance, AI and resilience: key regulatory issues

In an environment marked by the expansion of artificial intelligence, the intensive use of biometric data, the reinforcement of European consistency mechanisms and a growing demand for operational resilience (DORA, NIS2, Cyber Resilience Act), digital risk management is consolidating as a strategic priority at Board level.

In this edition of Cyber Monday Flash, we address in a structured and practical way the latest positions of the AEPD on AI and biometrics, the challengeability of EDPB decisions before the CJEU, the adequacy decision for Brazil, the CNMV's supervisory keys on DORA and the new European initiatives in cybersecurity.

A comprehensive analysis that connects regulation, supervision and corporate responsibility in the current digital ecosystem.




AEPD and generative AI: use of third-party images and loss of control under the GDPR

The Spanish Data Protection Agency has published the guide "The use of third-party images in artificial intelligence systems and their visible and invisible risks", in which it points out that any image in which a person is identified or identifiable, even if it has been generated or modified by AI, is personal data. Uploading it to an AI system implies processing subject to the GDPR, even if the use is recreational, internal or not disseminated.

From this premise, the Agency emphasises that the risk does not lie only in the possible dissemination of the generated content. In addition to the visible risks (synthetic sexualisation, credible attribution of false facts, reputational damage, or harm to minors), it identifies structural risks inherent to the processing itself, such as loss of control over providers, non-transparent retention and reuse, the generation of metadata, and persistent identification. The fact that an image is available online does not legitimise its reuse in AI tools; the legal basis, the reasonable expectations of the data subject and, where appropriate, a PIA must be analysed.

The Agency will focus its action on cases of effective loss of control or generation of false but credible content attributing non-existent facts. In these cases, the lack of prior analysis, internal policies and evidence of control may lead to supervisory actions and the application of Article 83 GDPR, placing the corporate use of AI with images of third parties at the direct level of governance and responsibility of the management body.


AEPD warns Worldcoin over use of biometric data

The Spanish Data Protection Agency (AEPD) has issued a formal warning to Tools for Humanity GmbH for the processing of biometric data linked to the Orb system and the so-called World ID, in the context of the resumption of its operations in Spain.

The AEPD considers that capturing iris and face images to generate a unique code that verifies the uniqueness of the user may constitute the processing of biometric data within the meaning of Article 4(14) GDPR and involves the processing of special categories of personal data covered by Article 9. Although the entity invokes techniques such as Anonymized Multi-Party Computation (AMPC) and personal custody models, these do not in themselves exclude the biometric nature of the processing.

It also questions the sufficiency of the PIAs provided and recalls that the use of biometrics and innovative technologies constitutes high-risk processing under Article 35 GDPR, which requires justification of necessity, proportionality and the absence of less intrusive alternatives. It further detects possible shortcomings in terms of transparency, legal basis and the existence of a valid exception under Article 9(2) GDPR.


WhatsApp Ireland v EDPB: CJEU recognises the contestability of EDPB decisions

The Court of Justice of the European Union has held that binding decisions of the European Data Protection Board (EDPB) adopted pursuant to Article 65 GDPR are challengeable before the EU courts, upholding an appeal brought by WhatsApp Ireland.

The Court concludes that Binding Decision 1/2021, by which the EDPB obliged the Irish authority to amend its draft decision, produces its own legal effects and directly alters the legal position of the controller, leaving no discretion to the national authorities concerned.

Contrary to the view of the General Court, which had regarded that decision as a non-actionable interim measure, the CJEU holds that the EDPB's decision definitively resolves the issues covered by the consistency mechanism and is unconditionally binding on the supervisory authorities concerned. Accordingly, WhatsApp's action is declared admissible and the case is referred back to the General Court for judgment on the substance of the dispute, including any infringement of the GDPR.


European Commission adopts adequacy decision for Brazil and facilitates transfers from the EU

The European Commission has adopted the Adequacy Decision recognising Brazil as a country with an adequate level of protection for personal data, allowing transfers from the EU without the additional safeguards otherwise required by Chapter V of the GDPR. The assessment concludes that the Brazilian framework, the constitutional recognition of the right to data protection and the independent action of its supervisory authority (the ANPD) ensure a level of protection "essentially equivalent" to the European one.

The Decision comprehensively analyses the Brazilian constitutional framework, the extraterritorial applicability of the General Data Protection Law (LGPD), the broad definition of personal and sensitive data (including biometric and genetic data), the principles of lawfulness, purpose, minimisation, security and accountability, as well as the mechanisms of judicial protection and independent supervision. It highlights the existence of limits and safeguards against access by authorities and the possibility of judicial control, in line with the standard set by the CJEU in Schrems I and Schrems II.

Adequacy consolidates Brazil as a strategic jurisdiction for cross-border digital transactions, eliminating the need for SCCs, BCRs or other transfer mechanisms and reducing contractual friction and compliance costs.


AEPD warns about the structural risks of agentic AI in corporate environments

The Spanish Data Protection Agency has published the document "Agentic Artificial Intelligence from a data protection perspective", in which it analyses the specific risks introduced by the deployment of AI agents in personal data processing.

The AEPD stresses that these systems are not mere reactive generative models, but autonomous agents capable of planning tasks, decomposing objectives, interacting with internal and external environments, invoking tools and maintaining persistent memory, which can alter the scope, context and even the effective purpose of existing processing operations.

The paper identifies structural vulnerabilities arising from interaction with the environment, integration of services, memory management (working and management) and degree of autonomy. In particular, it warns about the risks of mass access to internal data, silent exfiltration through calls to external services, cross-contamination between processing operations, inadvertent profiling and compounding errors in long chains of reasoning.


Proposed EU Cybersecurity Regulation

The European Commission has presented a Proposal for a Cybersecurity Regulation that extends and strengthens the existing EU Cybersecurity Act (Regulation (EU) 2019/881). The aim is to harmonise obligations, avoid market fragmentation and increase resilience to cyber threats across the Union by strengthening the role of ENISA (European Union Agency for Cybersecurity) in early warning, technical support and coordination. The text foresees more accessible and demanding certification schemes and stronger safeguards in ICT supply chains, with direct impact on manufacturers, suppliers and organisations integrating digital solutions in the EU.

For businesses, the proposal translates into security-by-design requirements, greater traceability and verifiability of controls, and regulatory convergence with other European standards (such as NIS2 and the Cyber Resilience Act), as well as facilitating mutual acceptance of certifications. In practice, it anticipates more robust compliance programmes, third-party audits and greater senior management accountability for risk management.



CNMV and DORA: Practical keys to digital operational resilience

The CNMV has updated its Frequently Asked Questions technical document on DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554), which clarifies critical compliance issues. It underlines that the Board of Directors is ultimately responsible for ICT risk; that ISO 27001 compliance is not equivalent to DORA compliance; and that a comprehensive ICT asset inventory, a register of ICT suppliers (with criticality rating and notifications to the supervisor) and regular testing programmes, including TLPT (Threat-Led Penetration Testing) where appropriate, are mandatory. The BIA (Business Impact Analysis) forms the basis of the continuity framework (RTO, RPO and third-party dependencies).

In legal and supervisory terms, the CNMV warns that inaction (e.g. lack of an updated inventory, failure to register critical suppliers, failure to test or to notify) can lead to formal requests and sanctions, regardless of private certifications. DORA requires traceable evidence: regularly demonstrating that controls exist, work and are tested.


ENISA: official methodology for cyber-security exercises

ENISA has published an end-to-end methodological framework for planning, executing and evaluating cybersecurity exercises. Structured in six phases (initiation, design, preparation, execution, evaluation and after-action), it integrates roles aligned with the European Cybersecurity Skills Framework, go/no-go checklists, realistic scenario building through an event-incident-inject structure, and indicators and metrics to assess results, with references to ISO 22398 and ISO 22361.

The framework facilitates compliance and due diligence against NIS2, DORA and the Cyber Resilience Act, reducing planning errors and increasing the operational value of exercises (from table-top to technical simulations). For regulated organisations and critical operators, it provides a reproducible roadmap for testing incident response, inter-area coordination and continuous improvement.


Conclusion

The current regulatory landscape confirms that privacy and cybersecurity are no longer purely technical areas but lie at the core of business strategy. Authorities are reinforcing their focus on the loss of control over data, the use of emerging technologies such as agentic AI or biometrics, and the need to demonstrate, with traceable evidence, that control systems work and are continuously monitored. The requirement is no longer limited to formal compliance, but extends directly to governance, due diligence and management body accountability.

In this context, anticipation is key: reviewing legal bases, strengthening PIAs, auditing ICT supply chains, testing resilience plans and documenting strategic digital decisions. European regulatory convergence and supervisory tightening are shaping an environment where prevention, traceability and alignment between business, technology and regulatory compliance make the competitive difference. At ECIJA, we accompany organisations in this process, integrating legal, technical and strategic vision to transform digital risk into sustainable advantage.

