Prior consultations are required when a planned data processing operation is likely to result in a high risk to individuals’ rights and freedoms, even after mitigation measures have been identified. In such cases, the controller (i.e. the organisation responsible for the data processing) must consult the competent supervisory authority before proceeding.
As discussions on the simplification of the AI Act continue, progress on framework documents and governance structures is advancing in parallel. In this context, representatives of EU institutions, bodies and agencies (EUIs) gathered in Brussels on 10 February 2026 for the third meeting of the AI Act Correspondents Network.
The European digital landscape reflects a strong commitment to regulation and oversight. The Digital Markets Act (DMA), the Digital Services Act (DSA), the AI Act and the Data Act all now stand as important pillars of the EU’s digital rulebook. They each rely on the foundation provided by the General Data Protection Regulation (GDPR), and the interplay between these laws presents both challenges and opportunities.
The announcement of an ‘audit’ often raises concerns within European Union institutions, bodies, offices and agencies (EUIs). An EDPS audit may be perceived as an additional burden on already busy teams or as a signal of heightened scrutiny.
The EU public administration is currently preparing its own AI systems for the implementation of the AI Act. The EDPS has an important role in this process, as the AI Act nominated it as the market surveillance authority for the AI systems of European Institutions, Agencies and Bodies (EUIs). A new EDPS Artificial Intelligence Unit was established in October 2024.
Two years ago, the EDPS had the pleasure and honour to take part in the first high-level event on Data protection in the Western Balkans and Eastern Partnership Region, organised by the OECD SIGMA Programme, the Eastern Partnership Regional Fund for Public Administration by GIZ, the Regional Cooperation Council, and the Regional School of Public Administration.
The final EDPS-DPO meeting of 2025 brought together Data Protection Officers from across the EU institutions, bodies, offices and agencies at the European Food Safety Authority (EFSA) in Parma, Italy. Held in a hybrid format, the 57th meeting took place at a moment of significant regulatory and technological change for the EU administration. It offered DPOs and the EDPS an opportunity to reflect collectively on recent developments, share experience, and prepare for the challenges ahead.
As the clock ticks down to the launch of a new EU large scale border management system, the European Travel Information and Authorisation System (ETIAS) in autumn 2026, momentum is building to prepare ETIAS for entry into operation and ensure its compliance with data protection law, and other fundamental rights under the EU Charter of Fundamental Rights.
Across sectors - from health research to financial systems - data sharing continues to drive innovation, yet it also intensifies privacy and compliance challenges, making the balance between access to data and confidentiality increasingly difficult. Secure multi-party computation (SMPC) proposes a way to reconcile these seemingly conflicting goals - enabling organisations to jointly compute insights without revealing their underlying data.
The AI Act came into force a little more than a year ago, but the momentum continues to grow across the EU institutions bodies and agencies. On 7 October 2025, more than one hundred representatives gathered, both online and in Brussels, for the second meeting of the AI Act Correspondents Network.