Governance, Risk & Compliance
-

ISO 19011:2026, the art of auditing updates: hybrid audits, digital evidence and auditor competence
In May 2026 the fourth edition of ISO 19011 was published, the international guidance for auditing management systems, transposed as UNI CEI EN ISO 19011 and entering the national body of standards on 27 May 2026. Remote and hybrid audits treated as ordinary modes, digital evidence alongside interviews and direct observation, vocabulary aligned with the…
-

Mapping the risks of Artificial Intelligence: NIST, MIT, CSA and ENISA compared
Before managing AI risks you have to be able to name them. Four tools, all public and free, offer as many perspectives: NIST’s management framework, MIT’s taxonomic repository with over 1,700 catalogued risks, the Cloud Security Alliance’s controls matrix and ENISA’s cybersecurity framework. A reasoned map for those building AI governance. Anyone setting out to…
-

Records of processing and SMEs: the simplification of Article 30(5) GDPR seen by the EDPB and EDPS
Extending the exemption from the obligation to keep a record of processing activities to organisations with fewer than 750 employees: this is the Commission’s proposal on which the EDPB and the EDPS pronounced in Joint Opinion 01/2025. Favour for the lightening, but with a warning: the register is not just an obligation, it is a…
-

The EDPB DPIA template: towards a harmonised impact assessment across the European Economic Area
On 14 April 2026 the EDPB adopted a template for data-protection impact assessments, put out for public consultation until 9 June 2026: predefined fields, an explanatory document and the ambition to become the single model — or the “meta-template” — of the authorities across the entire EEA. What changes, in practice, for controllers and DPOs?…
-

ISO/IEC 42005 and the impact assessment of AI systems: a compass between FRIA and DPIA
Published in May 2025, ISO/IEC 42005 offers organisations guidance for assessing the impact of AI systems on individuals, groups and society. A voluntary tool that sits in an ecosystem crowded with mandatory assessments: the FRIA of Article 27 of the AI Act and the DPIA of Article 35 of the GDPR. How do these three…
-

NIS 2, DORA and the Cyber Resilience Act: how to find your way when perimeters overlap
Three European acts, three regulatory logics, one goal: digital resilience. But for those who fall within several perimeters — from a bank to a software vendor — the question is concrete: which discipline prevails? The answer lies in the coordination clauses: Article 4 of NIS 2, the lex specialis of DORA and the complementarity of…
-

Certifying Artificial Intelligence: how an AIMS scheme works and what it does not promise
With ISO/IEC 42001 came the first certifiable standard on Artificial Intelligence management systems; with ISO/IEC 42006:2025 came the requirements for the bodies issuing the certifications. But how does an AIMS scheme actually work? And why is the certificate not — and cannot be — a “conformity licence” for the AI Act? The distinction between the…
-

The AI Act on the horizon: what will happen to Italian municipalities?
The AI Act’s prohibitions apply from 2 February 2025, most of its provisions from 2 August 2026, while the obligations for high-risk systems slip — by effect of the Digital Omnibus — to 2 December 2027 and 2 August 2028. Italian municipalities are part of this moving calendar too: not spectators, but deployers of AI…
-

The Garante’s 2026 inspection plan: the areas in the spotlight and the lessons of the Emirates case
By deliberation No. 797 of 30 December 2025 the Italian Garante planned its inspection activity for the first half of 2026: artificial intelligence in schools, data breaches of public databases, whistleblowing, health dossiers, energy-sector telemarketing, and anonymisation of Telco big data. And the recent Emirates fine shows that even a lawful legal basis does not…
-

ISO/IEC 42001 and the AI Act: why certification is not (yet) a presumption of conformity
On 18 March 2026 EN ISO/IEC 42001:2026 was published, the European adoption of the standard on Artificial Intelligence management systems, while the work of CEN-CLC/JTC 21 on harmonised standards supporting the AI Act proceeds rapidly. But beware of confusing the levels: the AIMS of ISO/IEC 42001 is not the quality-management system required by Article 17…