GDPR and AI Act compliance: summary of the major news of March 2026

The month of March 2026 marks a turning point in digital governance with the forced convergence between cybersecurity, data protection and the regulation of artificial intelligence. Between the historic conviction of Meta, the adoption of the Resilience Law transposing NIS 2 and DORA, and the official designation of the CNIL as the supervisory authority for the AI Act, compliance officers must now unify their processes. This summary analyzes systemic threats and regulatory changes to transform your obligations into performance drivers.

By Calixte Descamps

European authorities are hardening their tone on transparency, and France is clarifying its governance of artificial intelligence. The compliance officer must now steer a unified ecosystem. For businesses, this acceleration results in an accumulation of acronyms that are often perceived as disconnected constraints, but an overview reveals that meeting the requirements of one lays the foundations needed to satisfy all the others.

Sanctions and decisions: strengthening the accountability of platforms

The sanctions news was marked by a major judicial setback for Meta on March 25, 2026, with a conviction worth $375 million in the state of New Mexico. This decision sanctions the group for deceiving its users about the safety of its social networks and facilitating the sexual exploitation of minors through design failures. This verdict validates the idea that platforms' security choices are no longer just technical issues but foundations of legal responsibility.

In Europe, 19 March 2026 marked the launch of a coordinated action by the European Data Protection Board (EDPB) dedicated to transparency. Twenty-five national authorities are now scrutinizing the clarity of the information provided, to put an end to legal facades that mask opacity about algorithmic profiling.

Finally, the closure of the injunction against Kaspr on 6 March 2026 is a reminder that the fairness of the collection of prospecting data remains a point of absolute vigilance for the regulator.

Cybersecurity: dealing with the escalation of systemic threats

The month of March saw large-scale security incidents that underline the fragility of value chains. On March 24, 2026, claims concerning a massive data leak of 590 TB at a major hosting provider increased the pressure on business continuity plans.

At the same time, the WorldLeaks ransomware group hit the Los Angeles Metro network by stealing nearly 160 GB of data, while a new threat called DarkSword targets millions of mobile devices. These events demonstrate that compliance under Article 32 of the GDPR can no longer be a simple contractual clause but must result in a continuous technical audit of the subcontracting chain. The leaks reported in mid-March in the education and health sectors confirm that sensitive data and that of minors remain the priority targets of attackers.

Regulatory convergence: structuring the architecture of trust

The French legal framework was structured with the adoption by the Senate, on 12 March 2026, of the Resilience Bill, ensuring the joint transposition of NIS 2 and DORA. This advance creates a bridge between general cybersecurity and financial resilience. On March 17, 2026, the ANSSI published the Cyber France Repository (ReCyF), which becomes the compass for essential entities that need to align their measures with a demanding national standard.

On March 18, 2026, the official designation of the CNIL as the supervisory authority for the AI Act in France closed a major institutional debate, guaranteeing consistency between data protection and the regulation of algorithms. For financial institutions, the March 20, 2026 deadline for submitting the third-party information register served as the first truth test for managing risks related to technology providers.

Society and identity: the ethical challenges of generative AI

Beyond the regulations, the InCyber Forum, which opened on 31 March in Lille, highlights the concept of the dilation of the present. In a digital world that forgets nothing, every trace and every past word is frozen by the endless memory of servers, a concept theorized by Alex Türk, who observes that forgetting has become the exception and memory the rule.

This persistence is multiplied by generative artificial intelligence that uses old data to predict or manipulate our future. Data protection no longer only serves to preserve one's privacy but is becoming the indispensable tool to guarantee the authenticity of one's own identity. The fight for privacy in 2026 is the fight for the right to evolution and change, in the face of a digital system that tends to lock us into an unchangeable version of our past.

Strategic perspectives: managing compliance in a transversal mode

The success of organizations will depend on their ability to break the silos between legal and technical departments. The interoperability of evidence is the driving force behind this simplification:

  • A security policy designed for NIS 2 must instantly feed the GDPR processing register.
  • The requirements of the AI Act must be integrated natively into data governance.
  • The DPO becomes an architect of digital trust to secure innovation.

The role of the DPO is now strategic in preventing potentially devastating sanctions. Compliance is no longer a one-off constraint but a permanent state of vigilance that becomes a driver of performance and sovereignty for the company.

FAQ - the compliance challenges of March 2026

Who is the supervisory authority for the AI Act in France?

The CNIL was officially designated on March 18, 2026 as the authority responsible for market surveillance and compliance with the AI Act in France, thus ensuring consistency between personal data protection and algorithmic regulation.

What was the Resilience Law adopted in March 2026?

Adopted on March 12, 2026 by the Senate, the Resilience Law ensures the joint transposition of the European NIS 2 and DORA directives, creating a unified framework for cybersecurity and the financial resilience of companies.

What is the ANSSI Cyber France Repository (ReCyF)?

The ReCyF is the compass published by ANSSI on 17 March 2026, allowing essential entities to align their security measures with a demanding national standard in response to systemic threats.
