Digest issue
14 June 2026 · Issue #1

AI, security & GDPR — what changed this week

Four updates worth your time: where the EU AI Act stands, the phishing pressure on SMBs, how GDPR keeps meeting AI, and the EU-residency trend in global SaaS.

  1. Advisory · EU-wide · AI

    EU AI Act: obligations keep phasing in through 2026

    The EU AI Act applies in stages. The bans on prohibited practices and the AI-literacy duty have applied since 2 February 2025, and the obligations for general-purpose AI model providers since 2 August 2025; the transparency duties (telling people they are talking to a chatbot, labelling AI-generated content) and most high-risk requirements follow from 2 August 2026.

    Why it matters & what to do

    If you use AI tools (chatbots, generators, scoring), start an AI inventory now: for each tool, record what it does, who owns it and which data it touches. Confirm staff AI literacy and add a short usage policy. These are low-cost steps that de-risk later audits.

    Especially affects: Service Providers, Legal & Law Firms, Finance & Accounting
    Regions: EU (other)
  2. Action required · Country-specific · Security

    BSI: phishing and ransomware pressure on SMBs stays high

    Germany's Federal Office for Information Security (BSI) continues to rate the threat level for small and medium businesses as high, with invoice fraud and credential phishing the most common entry points.

    Why it matters & what to do

    Turn on multi-factor authentication everywhere, preferring phishing-resistant methods (passkeys or FIDO2 security keys) where the service supports them, since one-time codes can still be relayed by a phishing proxy. Verify any change to payment details by phone, using a number you already have on file rather than one given in the email. Run a 15-minute phishing refresher with your team this week. These three controls directly address the two entry points named above.

    Especially affects: Healthcare, Hospitality, Service Providers, Stores / Retail
    Regions: Germany
  3. Advisory · EU-wide · Data protection

    EDPB keeps sharpening how GDPR applies to AI

    The European Data Protection Board continues to publish opinions on how GDPR applies to AI training and deployment, including when legitimate interest can serve as the lawful basis, when a trained model counts as anonymous, and how scraped personal data must be handled.

    Why it matters & what to do

    Before adopting an AI feature that touches client data, confirm your own lawful basis for the processing, and check the vendor's contract for whether your data is used to train its models (and whether you can opt out). For health or other Art. 9 special-category data, default to 'do not enter it' unless you have an Art. 9(2) exception for the processing and a data-processing agreement that explicitly covers it.

    Especially affects: Healthcare, Legal & Law Firms, Finance & Accounting
    Regions: EU (other)
  4. Informational · Worldwide · Data protection

    More global SaaS vendors ship EU data-residency options

    Major productivity, CRM and AI vendors increasingly offer an EU data region plus a GDPR data-processing agreement (DPA), narrowing the gap with EU-native tools.

    Why it matters & what to do

    If a tool you like was previously 'US-only', re-check it: an EU region plus a signed DPA may now make it viable. Note that an EU region covers storage, not necessarily support access, sub-processors or telemetry, so ask where those run. Where any processing still touches the US, check whether the vendor is certified under the EU-US Data Privacy Framework; if not, you need standard contractual clauses and a transfer impact assessment.

    Especially affects: Service Providers, Stores / Retail
    Regions: Global