26 November 2025

AI Act And Data Act: The CNPD At The Forefront


The European Union’s digital transformation comes with strengthened regulation. The AI Act and the Data Act establish a governance framework built on transparency and accountability. In Luxembourg, the CNPD is expected to play a central role in their implementation.

AI Act

Under the AI Act, EU Member States were required to designate their competent authorities by 2 August 2025 and notify the European Commission of this information. In Luxembourg, Draft Bill No. 8476 proposes to assign this key responsibility to the CNPD, which would become the country's national supervisory authority for AI.

The AI Act – the first comprehensive regulatory framework on artificial intelligence worldwide – will be phased in gradually. It prohibits certain "unacceptable risk" practices such as social scoring from February 2025, imposes specific requirements for general-purpose AI (GPAI) models from August 2025, and applies fully from August 2026 to high-risk AI systems (for example, those used in employment, education, critical infrastructure management or justice).

The first entities affected will be GPAI providers. As from August 2025, they must publish summaries of their training data, document the functioning of their models, share information with developers, implement copyright compliance policies, and, if established outside the EU, appoint a legal representative within the Union.

An additional layer of scrutiny applies to "systemic risk" models, those powerful enough to cause large-scale harm. Their providers will have to conduct regular evaluations, monitor serious incidents and strengthen cybersecurity. The aim is to contain potential misuse from the most advanced models, often developed by a small number of global players.

Obligations also extend to users of high-risk AI systems. Companies deploying such systems must demonstrate effective control over their operations, including data quality checks, adherence to the provider's instructions, human oversight by qualified staff and properly informing employees or affected persons. They must also retain system logs, monitor and report incidents, and cooperate with supervisory authorities when requested.

Finally, sanctions are severe: up to 7% of global annual turnover for the most serious infringements.

In practice, both the AI Act and the Data Act require businesses to maintain ongoing compliance.

Jeanclaude Lacatena

Digital regulation is no longer a distant prospect: it is already shaping corporate governance and day-to-day practices.

Data Act

Effective since 12 September 2025, the Data Act complements the AI Act as one of the cornerstones of Europe's new digital governance. It aims to regulate access to, use of and sharing of data generated by users and connected devices, ensuring transparency, security and fairness.

In Luxembourg, no draft national law has yet been introduced and no competent authority officially designated. However, the CNPD is expected to be involved, having already indicated that its mandate would expand to reflect the evolution of the EU legal landscape.

Among the Data Act's key obligations, manufacturers of connected products must now design their devices to enable users, whether consumers or businesses, to easily access and share the data they generate with third parties upon request. However, a "gatekeeper" within the meaning of the Digital Markets Act (i.e., a dominant platform such as Google, Amazon, Apple or Meta) is not considered an eligible third party to receive user-generated data.

Digital service providers, particularly cloud providers, are also subject to strengthened data portability obligations. They must facilitate seamless data transfers, eliminate switching fees and ensure interoperability between services.

The regulation governs data-sharing contracts, prohibiting unfair clauses that could limit access or reuse of data. It also requires greater transparency regarding the nature and frequency of data collection, and the establishment of internal procedures to handle data access or sharing requests.

Each Member State must also introduce a system of sanctions, administrative fines or civil remedies, that is effective, proportionate and dissuasive. To comply, companies will need to adapt product design, review contracts, map data flows and train teams on the new requirements.

Ultimately, the Data Act complements the GDPR by promoting responsible and equitable data governance while unlocking the economic potential of data across the EU.

Together, the AI Act and the Data Act set out a new foundation for digital governance based on transparency and traceability.

Alice Ferré

In conclusion, in Luxembourg, the CNPD will take the lead. For companies, compliance is now an ongoing process, essential to managing risk and ensuring operational security.

This article was first published by Paperjam.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
