This week’s biggest moves were in GDPR and AI governance across the EU and Switzerland, with CNIL publishing detailed AI-development guidance, the EDPB launching 2026 coordinated transparency enforcement, and the FDPIC confirming that Swiss data protection law already applies to AI-supported processing. In the EU financial sector, DORA is now firmly in force and BaFin is pushing firms to use the latest incident, register, and third-party-risk materials. In the US, FTC enforcement continued to tighten around deceptive AI claims, while HHS signaled more scrutiny of HIPAA, health data blocking, and AI-enabled interoperability. ISO/IEC 42001 also kept gaining traction as an auditable AI governance baseline.
GDPR / Data Protection Enforcement
CNIL puts AI development under GDPR control
CNIL published recommendations and a practical checklist for AI system development, making clear that GDPR obligations start at the design and training stages. The guidance covers purpose limitation, legal basis, minimisation, retention, transparency, rights handling, security, and DPIAs for high-risk or AI Act-relevant systems.
Why it matters: Teams building models with personal data now need documented compliance decisions before deployment, not after. If your AI pipeline touches personal data, the development record itself may become evidence in a supervisory inquiry.
CNIL warns on AI models that leak training data
CNIL issued a methodology for assessing whether a trained AI model itself falls within GDPR scope, which turns on whether personal data from the training set can be regurgitated or extracted from the model by means reasonably likely to be used. Providers are expected to document their anonymisation assumptions and carry out re-identification and extraction testing before concluding that the model is outside GDPR.
Why it matters: This shifts the compliance burden onto providers to prove that training data cannot be recovered in practice. If you rely on anonymisation, you will need defensible test evidence, not just a policy statement.
EDPB launches 2026 transparency enforcement sweep
The EDPB opened its 2026 coordinated enforcement action on GDPR transparency and information duties. Twenty-five European DPAs will check whether notices satisfy Articles 12, 13 and 14, exchange findings later in the year, and produce a consolidated report.
Why it matters: Privacy notices and layered disclosures are now a live enforcement target across the EU. Controllers should be ready to show how transparency works in practice, not just how it reads on paper.
Irish DPC issues major fines for LinkedIn and Meta
The Irish DPC fined LinkedIn Ireland €310 million over unlawful targeting and transparency failures, and Meta €251 million over breach-notification and privacy-by-design shortcomings. Both decisions underscore that weak lawful-basis analysis, incomplete breach handling, and poor default controls can trigger large monetary penalties.
Why it matters: These cases are a warning to review both your legal basis mapping and your breach-response evidence. Regulators are clearly willing to penalize disclosure failures and design weaknesses at scale.
FDPIC confirms Swiss FADP applies to AI
The Swiss FDPIC reiterated that the Federal Act on Data Protection applies directly when generative AI or AI-supported processing involves personal data. The guidance stresses transparency about AI use, prompt handling, purpose disclosure, and rights information.
Why it matters: Swiss deployments can no longer treat AI as outside the existing data-protection framework. If your AI workflows touch Swiss personal data, you need documented transparency and rights-handling controls now.
DORA (Digital Operational Resilience)
DORA compliance materials keep tightening
BaFin updated its DORA information page with implementation notes, revised documentation references, and updated incident-reporting and third-party-risk materials. The page confirms DORA has applied since 17 January 2025 and that firms should be operating the relevant controls now.
Why it matters: Financial firms need their ICT risk, incident reporting, and third-party oversight processes aligned to the latest templates and filing formats. This is not a future-state exercise; regulators expect usable procedures and current registers today.
BaFin flags cyber and outsourcing concentration risk
BaFin’s 2025 risk outlook highlights cyber incidents with serious consequences and IT outsourcing concentration as key supervisory concerns. It indicates continued cross-sectional analyses and special inspections focused on resilience and service-provider dependencies.
Why it matters: Boards and compliance teams should be prepared to evidence concentration-risk controls, not just generic cyber controls. Outsourcing maps, continuity testing, and management reporting will be central to supervisory scrutiny.
DORA becomes operational across EU finance
DORA is now applicable across the EU financial sector and sets enforceable requirements for ICT risk management, incident reporting, resilience testing, and third-party oversight. The framework also continues to be fleshed out by technical standards on reporting, subcontracting, testing, and registers.
Why it matters: Financial entities and covered ICT providers need live compliance processes, not implementation projects. If your incident classification, testing, or vendor oversight still relies on legacy controls, it is now a supervisory exposure.
ISO Standards
ISO/IEC 42001 becomes more certifiable
ISO/IEC 42001 is gaining momentum as the primary auditable AI governance baseline, with accredited certification now available from certification bodies accredited by UKAS. ISO also published a package pairing ISO/IEC 42001:2023 with ISO/IEC 27001:2022 to support a combined AI governance and information security management system.
Why it matters: Organizations now have a clearer path to audited AI governance, which is increasingly relevant for procurement and assurance. If you are building an AI management system, you should expect pressure to show evidence of governance, supplier control, and continual improvement.
CSA maps AI Controls Matrix to ISO/IEC 42001
The Cloud Security Alliance released an official mapping between its AI Controls Matrix and ISO/IEC 42001, along with a roadmap for STAR for AI 42001 recognition. The package is designed to help organizations identify AI-specific gaps in logging, data quality, and incident response.
Why it matters: This gives compliance teams a practical bridge between AI control frameworks and certification-style assurance. If you already use CSA or ISO 27001, you can now map AI governance more systematically to an external benchmark.
ISO/IEC 42006 raises certifier requirements
ISO/IEC 42006:2025 is now published and adds AI-specific requirements for bodies certifying ISO/IEC 42001 management systems. Certification bodies and accreditation bodies will need to operationalize the new competence and rigor requirements.
Why it matters: If you are pursuing ISO/IEC 42001 certification, you now need to vet the certifier as carefully as the standard itself. Certification quality and audit methodology are becoming part of procurement due diligence.
US Federal & State Regulation
FTC keeps pressure on deceptive AI claims
The FTC continued to reinforce that unsupported AI marketing claims can trigger enforcement, including orders against Workado, IntelliVision, and an accessibility-AI marketer. The agency also maintained its AI policy hub and separate inquiry into AI companion chatbots.
Why it matters: Marketing and product teams should treat accuracy, bias, and capability claims as compliance items requiring substantiation. If you sell AI tools, claim review and evidence retention are now essential controls.
FTC scrutinizes AI companion chatbots
The FTC opened an inquiry into AI chatbots acting as companions, focusing on products that may affect children, vulnerable users, or consumer trust. The inquiry signals attention to safety controls, disclosure, and potential harms rather than a settled rule.
Why it matters: Consumer AI products with persuasive or emotionally responsive features should be prepared for information requests on design, moderation, escalation, and monetization. Teams should review youth-facing risks and make limitations explicit to users.
HHS pushes AI and HIPAA compliance review
HHS released an AI compliance plan and related policy materials, while also proposing HIPAA and health IT updates tied to AI-enabled interoperability and security. The materials point to tighter expectations for ePHI handling, patient access, and use-case governance.
Why it matters: Healthcare compliance teams should review how AI tools interact with HIPAA, information blocking, and vendor security obligations. Expect more scrutiny of whether patient-data use is permitted, documented, and secure across the workflow.
State AI legislation remains fragmented
State trackers show continued AI bill activity in New York, California, and other jurisdictions throughout 2025 and 2026. The trend points to a patchwork of local disclosure, automated-decision, and consumer-protection rules rather than one federal standard.
Why it matters: Companies operating nationally need a jurisdiction-by-jurisdiction map for AI obligations. Modular notices, local policy variants, and state-specific review gates will be necessary if these bills keep advancing.
Other jurisdictions / frameworks
Swiss sanctions lists change again
FINMA issued updates on Switzerland’s sanctions controls, including an amended Ukraine ordinance and a separate UN-driven update for ISIL (Da'esh) / Al-Qaida. The notices require immediate screening-list updates, asset freezes where applicable, and reporting to SECO.
Why it matters: Sanctions screening teams must update watchlists and preserve audit trails quickly when Swiss lists change. The operational risk is not just missing a name, but failing to document why freezes, holds, or releases were made.
NIST Cyber AI Profile is still evolving
NIST said feedback from its second Cyber AI Profile workshop is shaping the next draft of its AI-cybersecurity guidance. The agency is still reviewing extensive comments and will publish further drafts and summaries.
Why it matters: Security teams should not wait for final text before pressure-testing AI cyber controls. This is the right moment to check inventory, human-in-the-loop design, integrity controls, and model-visibility assumptions against NIST’s direction of travel.
FDPIC guidance on AI-supported processing adopted
The Swiss FDPIC adopted guidance clarifying how the Federal Act on Data Protection applies to AI-supported data processing. The guidance expects organizations to document whether models are anonymous, retain re-identification testing evidence, and provide suitable technical and organizational safeguards.
Why it matters: Swiss AI teams now need a documented position on whether their model or system is in scope for data protection law. If you rely on anonymisation, you will need stronger technical evidence and clearer documentation for deployers and users.
On Our Radar
EU AI Act authority mapping: The EDPB wants DPAs to play a stronger role in high-risk AI oversight, but member-state authority designations still create institutional uncertainty. Watch for national implementation choices that will shape who investigates AI systems involving personal data.
AI model memorization scrutiny: CNIL and the German BfDI are both focusing on memorization, extraction risk, and re-identification in AI models. Expect more pressure to document training-data handling, anonymisation claims, and deletion or extraction controls.
Health AI and HIPAA reform: HHS materials suggest the healthcare sector should expect further policy movement on AI-enabled interoperability, security, and patient data use. The near-term risk is not just enforcement, but having to adjust controls again as proposals mature.
ISO/IEC 42001 certification uptake: Accredited certification for AI management systems is becoming more credible and more visible in procurement. Organizations that want an audit-ready AI governance story should start gap assessments now, especially if they operate across the EU, US, and Switzerland.