Dear colleagues,
In this issue, we look at current developments at national and international level: the BSI commented on the new government draft on NIS-2 implementation, the OAIC (Australia) published its regulatory priorities for 2025-26, and the EBA launched a consultation on third-country branches of financial institutions and warned against the careless use of innovative compliance technologies in connection with money laundering risks. The California CPPA presents new regulations on cyber risk assessment under the California Consumer Privacy Act.
Table of Contents
- Harmonization of reporting: EBA launches consultation on third-country branches
- NIS 2 implementation: BSI publishes government draft
- Australia: OAIC sets regulatory priorities for 2025-26
- EBA: Careless use of innovative compliance technologies can increase money laundering risks
- California: CPPA issues new cyber risk assessment regulations under the CCPA
- Now receive the most important compliance notifications every week free of charge
Harmonization of reporting: EBA launches consultation on third-country branches
Applicable to:
- Compliance officers
- Regulatory and reporting officers
- Management boards
- Central units of banking groups with third-country branches in the EU
Measures required:
- Establish group-wide reporting coordination processes for uniform data collection and consolidation across all EU branches
- Analyze potential disclosure risks with regard to sensitive data on personnel, business models and strategic importance
- Prepare early for supervisory follow-up activities, e.g. structured data queries, business model checks or location comparisons
- Integrate the new obligations into control and audit processes, including audit-proof documentation and quality assurance
- Involve group management in the strategic assessment of the regulatory impact on market presence and governance
NIS 2 implementation: BSI publishes government draft
Applicable to:
- IT security officers
- Management boards
- Operators of critical infrastructures
- Companies in the energy, transport, health, digital services, waste management, postal services, food industry, research institutions and industrial production sectors (50 or more employees, or €10 million annual turnover)
Measures required:
- Check whether your own company will in future be classified as an “important” or a “particularly important” facility within the meaning of NIS-2
- Establish or adapt a comprehensive cyber security risk management system (including technical, organizational and physical measures)
- Train management on its new responsibility and possible personal liability in the event of a breach of duty
- Introduce or optimize reporting processes for IT security incidents, including the 24-hour initial notification and the 72-hour follow-up analysis to the BSI
- Prepare for possible inspections and audits by the BSI and ensure compliance with documentation obligations
- Integrate the new requirements early and strategically into internal governance, compliance and IT security structures
Australia: OAIC sets regulatory priorities for 2025-26
Applicable to:
- Data Protection Officers
- International companies with business operations in Australia
- Digital service providers
- AdTech and PropTech platforms
- AI developers
- Public authorities
Measures required:
- Ensure transparency in AI and automated decisions: assess all AI-powered systems for fair, accountable decision-making processes, especially in profiling or scoring
- Revise tracking and AdTech practices: reduce pixel tracking, third-party cookies and links to data brokers; check for data protection-compliant consent and purpose limitation
- Implement data minimization: minimize the collection and retention period of personal data, especially location data, biometric data and behavioural tracking
- Check the processing of sensitive data by authorities: implement transparent processes for handling requests for information and for the use of messaging apps by public authorities
EBA: Careless use of innovative compliance technologies can increase money laundering risks
Applicable to:
- Money laundering officers
- Financial service providers
- FinTechs
- Providers of digital compliance solutions
Measures required:
- Critically evaluate deployed RegTech/compliance technologies in terms of their effectiveness and security risks
- Ensure that new systems are integrated into existing risk assessment processes and do not create blind spots
- Conduct regular tests and audits to prevent unintentional AML/CFT breaches caused by technology tools
California: CPPA issues new cyber risk assessment regulations under the CCPA
Applicable to:
- US compliance officers
- Data protection officers of internationally operating companies
- IT and cybersecurity teams
Measures required:
- Revise internal cybersecurity assessment processes in light of the new risk assessment obligation
- Integrate the new requirements into CCPA compliance strategies, especially when processing sensitive personal data
- Document and regularly update technical and organizational protective measures in accordance with CPPA requirements
Now receive the most important compliance notifications every week free of charge
Many compliance officers already use our free service and receive the most important news from the areas of compliance, money laundering prevention, data protection and IT security. Every week we provide an overview of the most important reports and categorize them.
Subscribe now free of charge.
Would you like to be up to date every day?
Our legal rights monitoring software gives you access to all notifications and allows you to filter them by relevance, type and area. You can create and download summaries. Get in touch with us.
We wish you a successful week.
Your Riscreen team