Last week the European Commission published long awaited draft guidance on classifying high-risk AI systems under Article 6 of the EU AI Act (the Guidance). The draft Guidance is currently open for public consultation until 23 June 2026. 

The Guidance is aimed at providers, deployers and market surveillance authorities. It focuses exclusively on classification (i.e. whether a system is high‑risk), with further guidance on compliance obligations to follow. The guidelines were originally due to be published by 2 February 2026 and, as such, their arrival has been eagerly anticipated. 

Structure of the Guidance

The Guidance is delivered across three

Continue Reading High Risk AI System Guidance Published

The Council of the EU has announced that a provisional agreement has been reached on proposed measures to amend the EU AI Act with the aim of streamlining rules and facilitating compliance. Whilst the full text of the proposal has not yet been published, we outline below the key points which have been announced. 

High-risk AI obligations delayed

Obligations for high-risk AI (HRAI) systems outlined in Annex III (such as AI systems used in recruitment and HR) which were due to come into effect on 2 August 2026 have now been delayed until 2 December 2027. The obligations

Continue Reading Key Points from the AI Omnibus Deal

Context

In recent months there has been a lot of commentary on the timelines for the implementation of key requirements under the EU AI Act, with discussions of extending deadlines, delaying implementation and introducing ‘stop the clock’ mechanisms. It is difficult to keep track of how the implementation of the EU AI Act might change and how this may impact businesses.

The purpose of this note is to provide a brief overview of the proposed changes to the compliance timeline as known on 6 March 2026.

EU AI Act – the Current Timeline 

The obligations under the EU AI Act

Continue Reading EU AI Act – Timeline Update

The Department of Enterprise, Tourism and Employment (DETE) published the General Scheme of the Regulation of Artificial Intelligence Bill 2026 on 4 February 2026 (the Scheme). The Scheme forms the basis for the national Irish legislation which will implement certain aspects of the EU AI Act into Irish law.

We set out below some points to note resulting from the Scheme.

New AI Office  – Oifig gIS na hÉireann 

The Scheme proposes to establish a new independent statutory body called ‘Oifig Intleachta Shaorga na hÉireann’ or the ‘AI Office of Ireland’ (the Office). The Office will serve as

Continue Reading Key Points from the General Scheme of the Regulation of Artificial Intelligence Bill 2026 

On 19 November 2025, the General Court of the European Union (the General Court) delivered a significant judgment in Case T-367/23, dismissing Amazon EU Sàrl (Amazon)’s challenge to the European Commission (EC)’s decision to designate Amazon Store as a “very large online platform” (VLOP) under the Regulation (EU)  2022/2065 (the Digital Services Act or DSA). This decision follows the decision in Case T-348/23 Zalando v Commission in September 2025 (the Zalando decision) (see our analysis of that decision here), and is the second decision in a number

Continue Reading Amazon v Commission: EU’s General Court dismisses Amazon’s challenge to VLOP designation

On 12 September 2025, the European Data Protection Board (EDPB) published its draft Guidelines on the interplay between the DSA and the GDPR (the Draft Guidelines). The Draft Guidelines aim to clarify how intermediary service providers (ISPs) should interpret and apply the GDPR when processing personal data in the context of DSA requirements. The Draft Guidelines are currently open to submissions as part of a public consultation until 31 October 2025.

Continue Reading EDPB Publishes Draft Guidelines on GDPR-DSA  Interplay

On 24 June 2025, Ireland’s National Cyber Security Centre (NCSC) published a set of proposed Risk Management Measures (RMMs) and launched Cyber Fundamentals, a framework designed to assist organisations to comply with the EU’s Directive (EU) 2022/2555 (the NIS2 Directive). The NIS2 Directive sets out high level measures for cybersecurity for in-scope entities across the EU and is to be transposed in Ireland by the upcoming National Cybersecurity Bill. 

RMMs

Who do they apply to?

The RMMs are intended to apply to essential and important entities within scope of the NIS2 Directive and which are

Continue Reading Risk Management Measures and Cyber Fundamentals: the NCSC’s roadmap towards NIS2 compliance

On 11 June 2025, the Minister for Justice, Jim O’Callaghan announced:

  1. The General Scheme of the Criminal Justice (International Cooperation Office) Bill 2025 (General Scheme) to (i) implement the eEvidence Regulation (EU) 2023/1543 (the Regulation) and (ii) transpose the Legal Representative Directive (EU) 2023/1544 (the Directive); 
  1. the establishment of the new Criminal Justice International Cooperation Office (CJICO).

The Director of the CJICO will operate as the designated (i) enforcing authority under the Regulation and (ii) central authority under the Directive. 

The eEvidence Regulation and Directive 

The eEvidence Regulation creates a mechanism for EU

Continue Reading Establishment of the Criminal Justice International Cooperation Office

On February 13, the European Commission (EC) and the European Board for Digital Services (EBDS) endorsed the integration of the Code of Practice on Disinformation (the Disinformation Code) into the framework of the Digital Services Act (DSA). 

Article 45 of the DSA provides for the formation of voluntary codes of conduct at EU level to ”contribute to the proper application of” the DSA. The Disinformation Code is the second code integrated into the DSA via Article 45, following the EC’s recent integration of the Code of Conduct on Countering Illegal Hate

Continue Reading EU’s Code of Conduct on Disinformation Integrated into DSA
  • The Opinion concerns the scope of “personal data” under Regulation 2018/1725 (which is the EU institutions’ equivalent to the GDPR and which mirrors much of the same language and principles as the GDPR). It proposes a broader conceptualisation
Continue Reading One man’s pseudonymisation is another man’s anonymisation: The AG Opinion in SRB v EDPS and the scope of “personal data”