This week the EU sharpened its AI and data governance baseline: the EDPB finalized guidance on anonymisation and web scraping for generative AI, while the Commission’s AI Office kept building out practical implementation support for GPAI providers under the EU AI Act. In parallel, the CJEU opened an important interpretive question on whether AI-assisted expert reporting can be high-risk under the AI Act, which matters for legal-tech and forensic workflows. In the US, the FTC signaled that misleading AI accuracy claims may be treated as deceptive under Section 5, raising the bar for marketing, product labeling, and validation evidence. Financial firms should also note the ESAs’ warning that frontier AI can drive systemic cyber risk, putting AI concentration and supply-chain controls closer to the DORA and NIS2 spotlight.
GDPR / Data Protection Enforcement
EDPB finalizes AI scraping and anonymisation guidance
The EDPB adopted final guidelines on anonymisation and web scraping for generative AI on 2026-07-08. The guidance gives supervisors a current reference point for how training data, de-identification, and scraped content should be assessed under the GDPR.
Why it matters: Teams training or fine-tuning GenAI models in the EU should re-check whether their data is truly anonymous and whether web-scraped datasets have a documented lawful basis. It also strengthens the case for retention limits, provenance tracking, and rights-handling controls in model pipelines.
Read source →EU AI Act
AI Office advances GPAI compliance playbook
The European Commission’s AI Office continued publishing guidance and code-of-practice materials to operationalize AI Act obligations for GPAI providers. This creates near-term expectations for providers even before more implementing acts are finalized.
Why it matters: Providers of general-purpose AI should map their models to the AI Act scope now and align transparency, copyright, and systemic-risk controls with the emerging code structure. Voluntary codes may become the benchmark supervisors expect teams to evidence against.
Read source →CJEU referral tests AI-assisted expert reports
A CJEU preliminary reference asks whether software generating automated outcomes or using AI elements in an expert report should be treated as high-risk under the AI Act. The case creates interpretive uncertainty for litigation-support tools and other adjudicative AI use cases.
Why it matters: Legal and compliance teams using AI in judicial, expert, or evidentiary workflows should preserve human oversight, traceability, and explainability records now. Pending the Court’s answer, risk-classifying these tools conservatively reduces the chance of being caught unprepared.
Read source →US Federal & State Regulation
FTC targets deceptive AI accuracy claims
The FTC proposed a policy statement on AI accuracy on 2026-07-07 and signaled that claims or system behavior that manipulate expected accuracy may be treated as deceptive under Section 5. The proposal is not final, but it clearly indicates the agency’s enforcement posture.
Why it matters: Companies marketing AI features should substantiate claims about accuracy, reliability, and error rates with testing and validation evidence. Product teams should also review prompts, labels, and settings that could mislead users about how deterministic or precise the system really is.
Read source →DORA (Digital Operational Resilience)
ESAs warn on frontier AI cyber concentration risk
On 2026-07-07, the European Supervisory Authorities backed the ESRB’s warning that frontier AI models can create systemic cyber risks for financial markets. The message elevates AI cyber resilience as a supervisory priority for EU financial firms.
Why it matters: Institutions using frontier models in material processes should inventory those use cases, test third-party and model-supply-chain dependencies, and prepare board-level reporting on concentration and incident escalation. The warning also reinforces the need to treat AI resilience as part of operational resilience planning, not just an IT issue.
Read source →On Our Radar
AI Act implementation: The Commission’s AI Office is still issuing practical guidance for GPAI providers. Compliance teams should watch for materials that effectively set supervisory expectations before formal implementing acts land.
GenAI data provenance: With the EDPB’s final guidance on anonymisation and web scraping, EU training datasets now face closer scrutiny. Expect tougher internal review of data sourcing, lawful basis, and de-identification claims.
AI in legal workflows: The CJEU referral on AI-assisted expert reporting could shape how legal-tech and forensic tools are risk-classified under the AI Act. Teams in regulated disputes and investigations should track the outcome closely.
Frontier AI resilience: The ESAs’ warning suggests more attention on AI concentration, third-party dependencies, and systemic failure scenarios in financial services. This could feed into future DORA and supervisory expectations.