The AI, Cyber & Data back-to-school season: what not to miss (Newsletter September 2025)

The regulatory back-to-school season is busy... and we know how difficult it can be to keep up with everything (GDPR, cybersecurity, AI...).

Good news 👉 we have prepared the essentials to remember. Because you are concerned about data, compliance and cybersecurity issues, we are sharing with you today key news from recent weeks, explained simply, without jargon.

The objective?

✅ Stay up to date on your legal obligations “cyber & data”

✅ Move forward calmly in your compliance

✅ Strengthen your organization’s cybersecurity

Let's get to the heart of the matter. Happy reading 👇

🚨 Cyberattacks in France (August 2025)

The month of August once again showed how vulnerable French companies remain to hackers. Here are some of the attacks recorded:

  • Sneg Cleanliness: Professional cleaning services (August 26).
  • Selartex: Wholesale trade of textiles (August 23).
  • Peggy Sage: Cosmetics and beauty (August 15).
  • SMEF Azur: Climate engineering and installations (August 14).
  • Orange France: Telecommunications and digital services (August 17).
  • Pansard & Associates: Law firm (August 6).
  • Afpa: Professional training and integration (August 6).
  • FranceLink: Digital Services (August 13).

💡 These attacks remind us that all businesses, small or large, can be targeted. Cybersecurity is no longer an option, but a necessity. Protect yourself and educate your teams about cybersecurity: discover our eLearning training courses.


🌍 Data Privacy Framework: data transfers to the USA (again) validated

For a long time, European companies did not know whether they could transfer their data to American providers (e.g. cloud hosts, collaboration tools). Several agreements have already been canceled in the past (Safe Harbor in 2015, Privacy Shield in 2020).

Good news: on September 3, 2025, the EU General Court confirmed the validity of the Data Privacy Framework (DPF). In concrete terms:

  • Transfers to the USA are still possible.
  • Companies can work with DPF-certified American service providers.
  • But be careful: the decision can be contested.

💡 The role of the DPO is precisely to anticipate: keep a plan B (Standard Contractual Clauses) and follow the news to avoid unpleasant surprises.


📅 Data Act: a new right to your data

Our connected objects (watches, cars, electricity meters, industrial machines...) constantly collect valuable information. Until now, only the manufacturers had access to it.

From September 12, 2025, the Data Act changes everything:

  • Users (individuals or companies) will have a right of direct access to their data.
  • They will be able to share it with third parties (other companies, public authorities...).
  • SMEs will be protected against abusive contracts.
  • Cloud providers must guarantee portability (changing service provider will be simpler).

⚖️ GDPR + Data Act: two complementary texts.

  • The GDPR protects personal data (name, email, health, etc.).
  • The Data Act targets technical and industrial data.

Result: data becomes an economic asset that everyone can exploit.


🍪 CNIL: Google and Shein sanctioned for misuse of cookies

Advertising cookies remain a priority for CNIL inspections. In early September:

  • Google: €325 million fine for inserting advertising into Gmail and placing cookies without clear consent.
  • Shein: €150 million fine for placing advertising cookies before consent and making refusal deliberately complex.

The message is simple:

  • Cookies must be freely accepted or refused.
  • The information must be clear and understandable.
  • No business is exempt, whether GAFAM or SME.

⚖️ Anonymous or personal data? The CJEU clarifies

On September 4, 2025, the Court of Justice of the EU clarified the difference between pseudonymized data and anonymous data:

  • For whoever holds the key (e.g. a hospital), the data remains personal.
  • For those who receive pseudonymized data without being able to re-identify (e.g. a researcher), it can be considered as anonymous.

This opens up prospects for innovation: researchers and companies can reuse certain data more freely, provided they prove that no re-identification is possible.


💳 IBAN data leaks and thefts: how to react?

Data breaches are increasing. They may concern:

  • your IBAN (fraudulent withdrawals possible),
  • your identity (loans taken out in your name),
  • your online accounts (hacking via phishing or SIM-swapping).

💡 Immediate reflexes:

  • Monitor your bank accounts.
  • Change your highest-priority passwords.
  • Enable two-factor authentication (2FA).
  • File a complaint in the event of fraud.

For businesses:

  • Quickly block compromised accounts.
  • Alert your bank.
  • Notify the CNIL within 72 hours if personal data is concerned.

🤖 AI Act: what has changed since August 2, 2025

Companies that develop "general purpose" artificial intelligence, and those that modify and reuse these AIs to offer them on the market, must now lay their cards on the table: explain how they were trained, with what data, and prove that they respect copyright. If an AI is judged too risky, it will be placed under special monitoring: security testing, constant monitoring, and an obligation to report any problems.

Even companies outside of Europe must have an official representative in Europe to respond to the authorities.

Each EU country must designate authorities to check that the rules are respected. Rather than a single authority, France entrusts AI supervision to around fifteen organizations already competent depending on the sector (health, finance, education, audiovisual...). Steering will be provided by the DGCCRF (market control) and the DGE (strategic coordination and representation to the EU). The CNIL will handle uses related to personal data, Arcom will handle digital content, and other specialized regulators will each intervene in their own field. A system based on specialization, but one that could seem complex.

💡 Companies using AI must also remain vigilant:

  • Verify the compliance of their AI providers.
  • Supervise contracts with transparency and accountability clauses.
  • Train their teams in AI issues.

Need clarity? Schedule a free discussion with one of our experts


🔒 NIS2: transposition further delayed in France

The European directive NIS2, which imposes new cybersecurity obligations on several thousand organizations in France (health, energy, digital, finance...), sees its timetable postponed again.

At issue: government instability. The law was to be examined in September, but the fall of the Bayrou government delayed the process. Result: already almost a year late.


🎙 Our next webinars

  • September 18. Simplify your GDPR compliance in just a few clicks (demo)

  • October 2. NIS2 Directive: understanding and assessing its compliance

  • October 9. AI Act & GDPR: everything you need to know to stay compliant (AI Special)


📚 Our free guides to download

  • 6 reasons to choose an outsourced DPO
  • 10 reasons to choose GDPR software
  • Compliance checklists: GDPR, NIS2, DORA, AI Act

📗 Download them here ➡️ Practical guides

______________________________________________

The regulatory back-to-school season is full of news: cookies, data transfers, AI, cybersecurity... The issues are concrete and the risks very real.

At Data Comply One, with our outsourced DPO platform and experts, we already help over 1,000 businesses in 22 countries to:

  • Simplify their GDPR compliance,
  • Anticipate NIS2, DORA and AI Act,
  • Train their teams in data protection and cybersecurity.

💡 Need to see things more clearly? Make an appointment with one of our experts

Remember: cybersecurity protects, compliance reassures!

Thank you for your attention and see you soon

The Data Comply One team (formerly GDPR Mission)