May 2026 was a quieter month for headline NIS2 deadlines but a busier one for the operational machinery underneath. The European Commission moved on incident-reporting harmonisation, the Belgian CCB published the operational counterpart to its April conformity-assessment regime, and the BSI led the G7's first attempt to define what a Software Bill of Materials for AI should actually contain. In parallel, Ireland's DPC issued both a sanction and a new Chapter V inquiry on the same week, and CNIL added concrete authentication deadlines for health-research data.
Six items, all traceable to primary regulator or institutional sources. Press-only material has been excluded.
1. Ireland — DPC opens inquiry into SHEIN Ireland over Chapter V transfers
5 May 2026 — Data Protection Commission
The DPC announced a section-110 inquiry into Infinite Styles Services Co. Ltd. — the Irish-established controller for SHEIN's EU/EEA operations — focused on personal-data transfers to China. The inquiry will assess compliance with GDPR Articles 5 and 13 and Chapter V (international transfers). Deputy Commissioner Doyle's framing — that EU residents' personal data must benefit from "essentially the same" protections when transferred outside the EU — signals a substantive review of adequacy mechanisms in use, not a paperwork audit.
Why it matters: this is the second Chapter V inquiry the DPC has opened against a fast-fashion / e-commerce controller with Chinese group infrastructure in the last 18 months. Multinationals with Asian parent entities or processing operations should treat the SHEIN inquiry as a leading indicator of supervisory direction, particularly on the use of SCCs and supplementary measures where downstream sub-processors operate under non-EU compulsory-disclosure regimes. The companion finding that matters for TPRM teams: the DPC is willing to scope a single inquiry across Article 5, Article 13, and Chapter V simultaneously, which extends the documentary burden well beyond the transfer-impact assessment.
Source: DPC — DPC opens inquiry into Infinite Styles Services Co. Ltd. (SHEIN Ireland)
2. Ireland — DPC fines Permanent TSB €277,500 over Open24 contact-centre failings
8 May 2026 — Data Protection Commission
The DPC published its final decision in the Permanent TSB inquiry, imposing two distinct administrative fines:
- €250,000 for breaches of GDPR Articles 5(1)(f) and 32(1) — failure to maintain integrity and confidentiality, and inadequate technical and organisational measures in the bank's Open24 contact-centre operations, which allowed fraudsters posing as customers to access accounts and alter customer details.
- €27,500 for breach of GDPR Article 33(1) — failure to notify the DPC within the 72-hour reporting window.
Why it matters: this is the rare GDPR decision that fines on both the security failure and the notification failure as separate articles, and it lands squarely in financial services — a sector where DORA's broader operational-resilience expectations now sit alongside the GDPR Article 32 baseline. For CISOs at EU-supervised credit institutions, the fact that Article 33 attracts its own fine in the tens of thousands of euros on top of the Article 32 quantum is the operationally useful reading: late notification compounds the bill rather than being absorbed into it.
Source: DPC — Data Protection Commission announces decision in Permanent TSB inquiry
3. G7 / BSI — First SBOM-for-AI guideline published under BSI and ACN leadership
12 May 2026 — German Federal Office for Information Security (BSI)
Under the direction of the BSI and Italy's Agenzia per la Cybersicurezza Nazionale (ACN), the G7 cybersecurity authorities — together with the European Commission — released Software Bill of Materials (SBOM) for Artificial Intelligence — Minimum Elements. The guidance defines seven categories of minimum information that an AI-system SBOM should document, including model specifications, training-data sources, component dependencies, and supply-chain provenance. It is the first multilateral guidance to treat AI-system documentation as a discrete SBOM problem rather than an extension of the traditional software SBOM.
Why it matters: this lands at the intersection of three live EU instruments. It pre-positions market-surveillance authorities for the AI Act's transparency requirements (general application 2 August 2026), gives CRA implementers a concrete reference for the SBOM obligations arriving 11 December 2027, and provides NIS2-covered entities a structured way to document AI components in their supply-chain risk assessments under Article 21(2)(d). Organisations that have deployed third-party AI components should treat this as the most authoritative current template for "what should be in our AI SBOM" until a CEN/CENELEC harmonised standard arrives.
Source: BSI — BSI veröffentlicht G7-Richtlinie zu Software Bill of Materials for AI
4. Belgium — CCB publishes operational incident-response "first aid" guidance
18 May 2026 — Centre for Cybersecurity Belgium
The CCB published First aid in the event of a cyber incident, a concise operational guide covering the measures organisations should have in place before, during, and after a cyber incident — with explicit emphasis on the first hours after detection. The document is positioned as a complement to the existing CyberFundamentals (CyFun®) and Safeonweb@work frameworks, translating their controls into discrete actionable steps. While it is written for organisations of all sizes, the timing — one month after the 18 April 2026 NIS2 conformity-assessment deadline for essential entities — signals where the CCB now expects practical readiness to sit.
Why it matters: NIS2 Article 23's 24-hour early-warning and 72-hour detailed-notification obligations only function if the organisation has a working incident-response playbook the moment a significant incident is suspected. The CCB guide is, in effect, the operational reference Belgian regulators will expect essential entities to have absorbed by the time supervisory verification begins in earnest. Multinationals with Belgian establishments should map the CCB's "first hours" checklist against their group-level IR runbooks and document any deviations. The document is also a useful reference for organisations outside Belgium that need a regulator-issued — rather than vendor-issued — IR baseline.
Source: CCB — First aid in the event of a cyber incident
5. Italy — Garante publishes €85,000 sanction against The European House Ambrosetti
21 May 2026 (decision dated 17 April 2026) — Garante per la protezione dei dati personali
The Italian Garante published its sanction against The European House Ambrosetti S.p.A. — €85,000 — following a 2024 data breach affecting 61,670 individuals. The technical findings reported by the Garante are unusually concrete: part of the affected password set was stored in plaintext, the remainder under cryptographic techniques that did not meet contemporary security standards. The Garante also criticised a delay of approximately two months between discovery and notification to data subjects, despite the breach presenting elevated risk to their rights and freedoms.
Why it matters: the decision is a clean Article 5(1)(f) / Article 32 / Article 33 fact pattern with a price tag attached. The plaintext-password finding is the kind of detail that auditors can point at directly when reviewing client password-storage policies, and the two-month notification delay is — like the Permanent TSB decision the same month — a reminder that supervisory authorities are increasingly willing to penalise notification latency as a distinct breach rather than fold it into the security fine. Consultancy and advisory firms holding client and employee data should treat this as a relevant peer-group precedent.
Source: Garante — Data breach, il Garante privacy sanziona The European House Ambrosetti
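The plaintext-password and weak-hashing findings above are the kind of thing an auditor can test for directly. The following is an added example, not code from the Garante decision or from any affected system: it classifies each stored credential record by format so plaintext and legacy unsalted digests can be counted in a password-store export, and it shows the hardened path (per-user salt, scrypt from the standard library, constant-time comparison). The sample records and the `scrypt$` record format are constructed for this example; the classifier is a heuristic, so any 32-character hex plaintext would be misread as an MD5 digest.

```python
"""Audit stored credential records for plaintext and legacy hashing (added example)."""
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Optional

# scrypt cost parameters for the hardened path (assumed values for this example)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted scrypt record in a self-describing format constructed for this example."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the record's own parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # not one of our records
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


HEX = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
# A bare hex digest of these lengths is a fast, unsalted hash: no per-user salt, no work factor.
LEGACY_BY_LENGTH = {32: "unsalted-md5", 40: "unsalted-sha1", 64: "unsalted-sha256"}
MODERN_PREFIXES = ("scrypt$", "$argon2", "$2a$", "$2b$", "$2y$", "pbkdf2")


def classify(stored: str) -> str:
    """Classify one stored password field by its format."""
    if stored.startswith(MODERN_PREFIXES):
        return "modern-kdf"
    if HEX.match(stored) and len(stored) in LEGACY_BY_LENGTH:
        return LEGACY_BY_LENGTH[len(stored)]
    # Heuristic: anything that matches no known record format is treated as plaintext.
    return "plaintext"


def audit(records) -> Counter:
    """Count record classes across an export; everything but a modern KDF needs remediation."""
    counts = Counter(classify(stored) for _, stored in records)
    counts["needs_remediation"] = sum(v for k, v in counts.items() if k != "modern-kdf")
    return counts


# Constructed sample export: (username, stored password field)
SAMPLE_RECORDS = [
    ("alice", "Summer2024!"),                                # plaintext
    ("bob", "5f4dcc3b5aa765d61d8327deb882cf99"),             # unsalted MD5 of "password"
    ("carol", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),   # unsalted SHA-1 of "password"
    ("dave", hash_password("correct horse battery staple")),  # hardened record
]

if __name__ == "__main__":
    for user, stored in SAMPLE_RECORDS:
        print(f"{user:6} {classify(stored)}")
    print(dict(audit(SAMPLE_RECORDS)))
```

Running the block reports one plaintext and two legacy records out of four, which is the number an auditor would carry into a finding; the verification routine reads cost parameters from the record so the work factor can be raised later without breaking existing logins.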
6. European Commission — NIS2 Cooperation Group adopts common incident-reporting templates
26 May 2026 — European Commission (Digital Strategy)
At the 39th Plenary of the NIS2 Cooperation Group (Member States, Commission, ENISA) held in Cyprus, the Cooperation Group adopted unified templates for cyber-incident reporting. The Commission committed to converting these templates into a binding implementing act that will make harmonised incident reporting mandatory across NIS2-covered entities. This addresses the most-cited operational pain-point in NIS2 transposition so far: that essential and important entities operating across multiple Member States have been facing materially different reporting forms, fields, and submission portals for the same incident.
Why it matters: this is the single most impactful item in the May window for cross-border CISOs and TPRM leads. Once the implementing act is adopted, a multinational responding to a significant incident affecting establishments in (for example) Belgium, the Netherlands, Germany, and France will report into the same template rather than four different ones. For organisations that have already invested in internal NIS2 reporting tooling, this is the time to make sure the architecture is schema-flexible — the implementing act's field set will define the lowest common denominator, and any local-specifics layer should be modular. Expect a draft implementing act in Q3 2026 with a consultation period.
Source: European Commission — NIS2 Cooperation Group adopts common templates for incident reporting
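One way to structure reporting tooling so that the common core and the local-specifics layer stay separate, as an added example that is not Commission, ENISA or national-CSIRT code: the core field names below are placeholders standing in for the implementing act's field set, which is not yet published, and the per-Member-State extension fields are hypothetical. The block renders one core report into one payload per affected Member State, refuses a local layer that would override a core field, and computes the NIS2 Article 23 clocks (24-hour early warning, 72-hour incident notification) from a timezone-aware detection time.

```python
"""Template-flexible incident report: common core plus modular per-Member-State layer (added example)."""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING = timedelta(hours=24)          # NIS2 Article 23 early warning
INCIDENT_NOTIFICATION = timedelta(hours=72)  # NIS2 Article 23 incident notification


@dataclass(frozen=True)
class CoreIncidentReport:
    """Assumed common-core fields; placeholders for the implementing act's field set."""
    entity_name: str
    sector: str
    detected_at: datetime           # must be timezone-aware, or the clocks are ambiguous
    summary: str
    affected_member_states: tuple   # ISO 3166 country codes
    significant: bool

    def __post_init__(self):
        if self.detected_at.tzinfo is None:
            raise ValueError("detected_at must be timezone-aware")


# Hypothetical local-specifics layer: country code -> {field name: expected type}.
# Kept outside the core class so a new Member State is a data change, not a schema change.
LOCAL_LAYERS = {
    "BE": {"ccb_entity_reference": str},
    "DE": {"bsi_registration_number": str},
    "NL": {"nctv_sector_code": str},
    "FR": {"anssi_contact_email": str},
}


def reporting_deadlines(detected_at: datetime) -> dict:
    """Return the two Article 23 deadlines measured from detection."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    return {
        "early_warning_due": detected_at + EARLY_WARNING,
        "incident_notification_due": detected_at + INCIDENT_NOTIFICATION,
    }


def build_payloads(core: CoreIncidentReport, local_values: dict) -> dict:
    """Render one core report into one payload per affected Member State."""
    base = asdict(core)
    base["detected_at"] = core.detected_at.isoformat()
    base["affected_member_states"] = list(core.affected_member_states)
    base.update({k: v.isoformat() for k, v in reporting_deadlines(core.detected_at).items()})

    payloads = {}
    for cc in core.affected_member_states:
        layer = LOCAL_LAYERS.get(cc, {})
        extra = local_values.get(cc, {})
        missing = [f for f in layer if f not in extra]
        if missing:
            raise ValueError(f"{cc}: missing local fields {missing}")
        clash = set(extra) & set(base)
        if clash:
            raise ValueError(f"{cc}: local layer may not override core fields {sorted(clash)}")
        for name, expected in layer.items():
            if not isinstance(extra[name], expected):
                raise TypeError(f"{cc}: {name} must be {expected.__name__}")
        # Core first, then the Member-State-specific fields, so the shared part is identical everywhere.
        payloads[cc] = {**base, "member_state": cc, **{f: extra[f] for f in layer}}
    return payloads


# Constructed sample: one incident with establishments in two Member States.
EXAMPLE_REPORT = CoreIncidentReport(
    entity_name="Example Group NV",
    sector="banking",
    detected_at=datetime(2026, 5, 20, 9, 30, tzinfo=timezone.utc),
    summary="Unauthorised access to customer-service platform (constructed)",
    affected_member_states=("BE", "DE"),
    significant=True,
)
EXAMPLE_LOCAL = {
    "BE": {"ccb_entity_reference": "BE-EXAMPLE-0001"},
    "DE": {"bsi_registration_number": "DE-EXAMPLE-0001"},
}


def example_payloads() -> dict:
    return build_payloads(EXAMPLE_REPORT, EXAMPLE_LOCAL)


if __name__ == "__main__":
    for cc, payload in example_payloads().items():
        print(cc, payload["early_warning_due"], payload["incident_notification_due"])
```

The design choice worth keeping regardless of the final field names: the core payload is built once and shared, so a change to the implementing act's template touches one dataclass, while each national portal's extra fields live in a table that can be edited without touching the core.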
What we did not include
A few items appeared in coverage during May but did not meet our verification or window criteria:
- EDPB scientific-research guidelines and Europrivacy seal opinions (16 April 2026). Adopted at the April plenary and covered in Regulatory Radar Edition 003; the May window contained no follow-up adoptions from EDPB.
- ENISA Technology and Innovation Radar methodology (April 2026). Published before the window opened; relevant for security-architecture teams tracking emerging-threat scoping, but not a May event.
- EDPS blog "Safe and Ethical AI: a big European idea for the world" (8 May 2026). Advocacy commentary, not new binding guidance; excluded under the briefing's enforcement-relevance threshold.
- CNIL — update to MR-001 and MR-003 health-research reference methodologies (26 May 2026). Verified at the source; introduces a phased multi-factor-authentication requirement (web-accessible systems by 1 January 2027, all others by 1 January 2028). Sector-specific (French health-research controllers) and operationally significant for that audience, but narrower than the briefing's cross-sector scope. Worth a direct read by health-research DPOs.
- No regulator response to the May 2026 npm supply-chain incidents. The "Mini Shai-Hulud" worm compromised OpenAI code-signing certificates and produced the first valid Sigstore provenance on malicious packages (see our defender analysis). As of the close of this window, no formal advisory linking these incidents to NIS2 supply-chain obligations has appeared from ENISA, the Sigstore project, OpenSSF, CERT-EU, NCSC-UK, or the major national CSIRTs. Vendor postmortems from Microsoft Security and OpenAI exist, but they are vendor incident reports, not regulatory guidance. The absence is itself notable: it is the largest provable supply-chain breach of the year without an institutional regulatory communication attached to it.
What to do this month
- Multinational CISOs and incident-response leads: start architecting your NIS2 incident-reporting tooling to be template-flexible. The Commission implementing act on common templates is now on the runway; designs that assume a single Member State's current portal will need adjustment.
- Financial-sector security and DPO teams: treat the Permanent TSB decision as the reference fact pattern for combined Article 32 + Article 33 exposure. Confirm that your IR runbooks treat the 72-hour notification clock as a hard internal SLA, not an upper bound.
- TPRM teams reviewing AI-component vendors: adopt the G7 SBOM-for-AI minimum elements as your interim baseline for AI vendor questionnaires until a harmonised CEN/CENELEC standard arrives. Particular focus on the training-data and provenance fields.
- Belgian-establishment essential entities: validate your incident-response runbook against the CCB "first aid" guide's first-hours checklist. Where you deviate, document why.
- Multinationals with EU/EEA-to-China data flows: treat the DPC SHEIN inquiry as the supervisory direction-of-travel for adequacy and supplementary-measures documentation, particularly where downstream sub-processors operate under compulsory-disclosure regimes.
- Consultancy and advisory firms: audit your password-storage controls and breach-notification SLAs against the Ambrosetti fact pattern; plaintext-password findings remain a fast path to a sanction.
- Health-research controllers (France): review the updated CNIL MR-001 and MR-003 requirements and the January 2027 / January 2028 MFA implementation deadlines.