European Commission Confirms Cyber Intrusion Affecting EU Cloud Infrastructure
On 29 April 2026, EU lawmakers and Member States failed to reach an agreement on proposed amendments to the EU Artificial Intelligence Act (“AI Act”) following approximately twelve hours of negotiations conducted under the European Commission’s Digital Omnibus initiative. The discussions focused on postponing certain AI Act obligations, including rules applicable to high-risk AI systems, until December 2027.
The negotiations reportedly collapsed over disagreements on whether AI systems integrated into products already subject to sector-specific regulation, such as medical devices and industrial machinery, should remain within the direct scope of the AI Act. As no compromise was reached, the AI Act’s original compliance timeline, including the August 2026 obligations for high-risk AI systems, remains applicable for the time being. While another trilogue session is expected within the coming weeks, no official date has yet been confirmed.
Belgian DPA Publishes Guidance on AI Systems and Privacy Risks
On 13 April 2026, the Belgian Data Protection Authority published a new guidance brochure titled “The Impact of Artificial Intelligence on Privacy” as part of its broader “AI & Data Protection” initiative. The publication aims to raise awareness among citizens regarding how AI systems process personal data, the privacy risks associated with AI technologies, and the data subject rights available under the GDPR.
The brochure also explains the lifecycle of AI systems, including data collection, storage, training, deployment, monitoring, and deletion processes, while highlighting risks such as profiling, automated decision-making, excessive data collection, and the inference of sensitive personal data. It further provides practical recommendations aimed at helping individuals maintain greater control over their personal data when interacting with AI systems.
U.S. Court Rules That AI Chats May Not Be Privileged
On 15 April 2026, reports emerged that U.S. law firms had begun warning clients against treating AI chatbots such as OpenAI’s ChatGPT and Anthropic’s Claude as confidential legal advisers following a recent federal court ruling concerning attorney-client privilege. The warnings followed a February 2026 decision by Jed S. Rakoff requiring a criminal defendant to disclose documents generated through interactions with Anthropic’s Claude chatbot during the preparation of his legal defence.
In its decision, the court held that communications with AI chatbots are not protected by attorney-client privilege or work product doctrine, emphasising that no attorney-client relationship can exist between a user and an AI platform. The court also noted that Anthropic’s privacy terms expressly permit the collection and disclosure of user inputs and outputs, undermining any reasonable expectation of confidentiality. Following the ruling, several U.S. law firms reportedly began issuing internal guidance and contractual warnings regarding the disclosure of privileged legal information through AI systems.
Europol Highlights Growing Use of AI and Encryption in Cybercrime
On 28 April 2026, Europol published the 2026 edition of its Internet Organised Crime Threat Assessment (“IOCTA”), warning that cybercrime threats across the EU are becoming increasingly sophisticated due to the growing use of artificial intelligence, encryption technologies, proxies, and cryptocurrencies. The report highlighted the continued resilience of dark web marketplaces and the increasing use of privacy-focused cryptocurrencies and offshore exchange services to facilitate ransomware payments and money laundering activities.
The report further noted that generative AI tools are increasingly being used to automate and personalise online fraud schemes and social engineering attacks, while ransomware actors are increasingly combining data theft and data release threats with cyberattacks. Europol also warned of rising online child sexual exploitation risks, including the growing production of synthetic child abuse material and the increased use of end-to-end encrypted messaging applications by offenders.
Uffizi Galleries Confirm Cyberattack on Museum IT Systems
On 3 April 2026, the Uffizi Galleries confirmed that its IT systems had been targeted in a cyberattack reportedly involving unauthorised access to internal operational data and a subsequent ransom demand. Italian media reports alleged that attackers had extracted information relating to internal maps, CCTV camera locations, and security infrastructure across the Uffizi Galleries, Palazzo Pitti, and Boboli Gardens.
The museum denied that its core security systems had been compromised, stating that the relevant infrastructure operated through closed internal networks and that no passwords or sensitive security credentials had been stolen. The Uffizi further stated that no artworks or archival materials had been lost and that restoration measures and broader security upgrades had already been accelerated following the incident.
Cyber Attack Disrupts Northern Ireland School IT Network
On 5 April 2026, the Education Authority (“EA”) of Northern Ireland confirmed that it was continuing efforts to restore school IT systems following a cyberattack affecting the C2K network used by schools across the region. The incident reportedly prevented pupils and staff from accessing online learning systems, educational resources, and school accounts during the Easter revision period ahead of GCSE, AS and A-Level examinations.
In response to the incident, the EA implemented a full password reset across the network as a “critical security measure” and stated that restoration efforts were being prioritised for post-primary schools. The authority also confirmed that it had engaged with the Information Commissioner’s Office and relevant authorities as part of its response, while investigations into the incident and any potential impact on personal data remain ongoing.
UK Warns of AI-Driven Cyber “Perfect Storm” at CYBERUK 2026
At the annual CYBERUK conference of the National Cyber Security Centre (“NCSC”) on 22 April 2026, the NCSC’s Chief Executive warned that the UK is facing a cyber “perfect storm” driven by rapid AI developments and increasing geopolitical tensions. The NCSC stated that cyber threats linked to nation-state actors, including China, Russia and Iran, continue to represent some of the most significant risks facing UK organisations, while frontier AI systems are accelerating the discovery and exploitation of software vulnerabilities at scale.
During the conference, the UK Security Minister announced a £90 million cybersecurity funding package aimed at strengthening national cyber resilience, particularly for small and medium-sized businesses. The initiative includes support for wider adoption of the Cyber Essentials certification scheme and a new Cyber Resilience Pledge encouraging organisations to elevate cybersecurity governance and strengthen supply chain security practices.