Tech Risk & Compliance | Weekly Digest
 📅 April 28 – May 2, 2025
RegLex.ai Weekly
Issue #01 | Published: May 5, 2025


Welcome to the inaugural issue of RegLex.ai Weekly — your trusted source for curated insights at the intersection of data protection, cybersecurity, and responsible AI.

Each week, we break down complex regulatory updates and enforcement actions across jurisdictions to help you stay informed, compliant, and ahead of the curve in today’s evolving digital risk landscape.


TL;DR (Quick Highlights)

AI:

  • 🇬🇧 FCA to Launch Live AI Testing Service

Data Protection:

  • 🇨🇦 Privacy Regulators Raise Concerns in 23andMe Bankruptcy
  • 🇯🇵 Japanese Insurers Face Action Over Data Breaches
  • 🇯🇵 Revised Health Data Guidelines
  • 🇫🇷 CNIL Strengthens Security
  • 🇵🇱 Poland Court Ruling on Muzzle Act
  • 🇸🇪 Warner Music Investigated Over Cookie Consent
  • 🇬🇷 National Bank of Greece Fined for Data Breach 

Cybersecurity:

  • 🇬🇧 NCSC Warns Retailers
  • 🇮🇳 ICICI Bank Fined ₹97.8 Lakh
  • 🇺🇸 CISA Flags Vulnerabilities
  • 🇺🇸 FinCEN Targets Huione Group
  • 🇺🇸 Raytheon Settles Cyber Non-Compliance 


🌍 Global Regulatory Updates

Artificial Intelligence Updates: 

FCA to Launch Live AI Testing Service (29 Apr 2025)

Summary: The Financial Conduct Authority (FCA) will introduce a live AI testing service to support firms in deploying safe and responsible AI tools, helping them meet regulatory standards and better understand AI’s impact on financial markets.

Impact: The live testing service aims to fill a gap in AI adoption and will offer regulatory support for firms using consumer or market-facing AI models.

Action required: Firms can collaborate with the FCA to ensure their AI tools are ready for deployment. Feedback on the proposal is open until June 10, 2025.


Data Protection Updates:

Canada:

Privacy Regulators Raise Concerns in 23andMe Bankruptcy Case (1 May 2025)

Summary: Canadian and UK privacy authorities have urged U.S. courts to uphold data protections amid 23andMe’s Chapter 11 proceedings.

Impact: The joint letter stresses safeguarding sensitive genetic and personal data under Canadian and UK laws during any sale or transfer.

Action required: Companies handling cross-border data should ensure compliance with all applicable privacy laws, even during restructuring or insolvency.

Japan:

Insurance Companies Face Action Over Personal Data Protection Breaches (30 Apr 2025)

Summary: Four major insurance companies (Tokyo Marine & Nichido, Sompo Japan, Mitsui Sumitomo, Aioi Nissay Dowa) received guidance from the Personal Information Protection Commission (PIPC) for mishandling policyholders' personal data between 2023 and 2024.

Impact: The breaches involved sharing personal data of policyholders from other companies by insurance agents, violating the Personal Information Protection Act (PIPA) and triggering investigations.

Action required: Insurance companies and their agents should enhance data handling protocols, conduct internal audits, and ensure compliance with PIPA to protect personal information.

Announcement of Revised Guidelines for Handling Health Checkup Information by PHR Service Providers (30 Apr 2025)

Summary: The Ministry of Internal Affairs and Communications, Ministry of Health, Labour and Welfare, and METI have revised the "Basic Guidelines for the Handling of Health Checkup Information by Private PHR Providers" after public consultation.

Impact: The revised guidelines reflect the evolving needs of private Personal Health Record (PHR) services, ensuring they comply with updated standards for handling health information.

Action required: PHR service providers should review the revised guidelines to ensure their operations align with current best practices for managing health checkup data.

European Union:

France:

CNIL Strengthens Security for Large Databases (30 Apr 2025)

Summary: The CNIL calls for enhanced security measures following a rise in data breaches affecting millions in 2024.

Impact: Breaches were linked to weak login security, undetected data theft, and inadequate subcontractor security.

Action required: Organizations must bolster security to meet GDPR standards and prevent future breaches.

Poland:

Supreme Administrative Court Upholds Human Rights Commissioner's Appeal on Muzzle Act (30 Apr 2025)

Summary: The Supreme Administrative Court reversed the Provincial Administrative Court's decision on the Muzzle Act, siding with the Commissioner for Human Rights.

Impact: The court's ruling aligns with the new position of the Personal Data Protection Office (UODO), requiring the supervisory authority to reopen the administrative proceedings.

Action required: The UODO must now revisit the case and address the concerns raised by the Commissioner for Human Rights.

Sweden:

IMY Investigates Warner Music Over Cookie Consent Violations (30 Apr 2025)

Summary: The Swedish Data Protection Authority (IMY) initiated supervision against Warner Music Sweden after a complaint regarding cookie banners and personal data processing.

Impact: IMY found that Warner Music violated GDPR Articles 6 and 7(3) by failing to provide adequate information on the right to withdraw consent for cookie use.

Action required: Warner Music has been reprimanded under Article 58(2)(b) of the GDPR and must address the consent issues raised.

EDPB:

Imposition of a Fine on National Bank of Greece for Personal Data Breach (30 Apr 2025)

Summary: The National Bank of Greece was fined for breaching GDPR provisions related to personal data security and access requests following a data breach incident.

Impact: The bank violated multiple GDPR articles, including those on data accuracy, confidentiality, breach notifications, and access rights.

Action required: The bank must strengthen its data protection measures to ensure compliance with GDPR requirements, particularly regarding breach notifications and user access rights.


Cybersecurity Updates:

United Kingdom: 

NCSC Warns Retailers After Cyberattacks (04 May 2025)

Summary: The UK NCSC has flagged rising ransomware threats targeting retailers, driven by ransomware-as-a-service models.

Impact: Attacks are opportunistic and costly, with ongoing investigations into recent incidents.

Action required: Retailers should review defences, join NCSC Trust Groups, and share mitigation insights.

India: 

ICICI Bank Fined ₹97.8 Lakh for Cyber & KYC Lapses (02 May 2025)

Summary: RBI penalized ICICI Bank for breaches in cybersecurity, KYC, and card-related regulations under the Banking Regulation Act.

Impact: The fine underscores regulatory scrutiny on compliance and risk management controls.

Action required: Banks should reassess adherence to RBI norms, especially in digital operations and customer onboarding.

USA: 

CISA Flags Two Actively Exploited Vulnerabilities (02 May 2025)

Summary: CISA has added CVE-2025-34028 (Commvault) and CVE-2024-58136 (Yii Framework) to its Known Exploited Vulnerabilities Catalog.

Impact: These flaws pose significant risk and are being actively exploited; remediation is mandatory for U.S. federal agencies.

Action required: All organizations are urged to patch affected systems immediately as part of robust vulnerability management.

FinCEN Targets Cambodia’s Huione Group for Money Laundering (01 May 2025)

Summary: FinCEN has identified Huione Group as a primary money laundering concern, linked to cyber heists by North Korea and investment scams.

Impact: The proposed rule would block U.S. financial institutions from engaging with Huione, disrupting their illicit financial activities.

Action required: Financial institutions should review client risk profiles and enhance AML/KYC practices to avoid involvement in similar schemes.

Raytheon and Nightwing Group Settle Cybersecurity Non-Compliance Allegations (01 May 2025)

Summary: Raytheon, RTX Corporation, and Nightwing Group agreed to pay $8.4 million to resolve False Claims Act violations related to non-compliance with DoD cybersecurity requirements.

Impact: The settlement addresses failures between 2015 and 2021 in safeguarding sensitive defense information, affecting 29 DoD contracts and subcontracts.

Action required: Contractors should review compliance with DFARS 252.204-7012 and FAR 52.204-21 to ensure systems meet required cybersecurity controls.


🧠 Expert Insight

Bridging Innovation and Compliance: Why Live Testing & Global Enforcement Matter Now More Than Ever

As regulatory frameworks evolve to keep pace with rapid technological advancements, one trend is becoming clear: proactive collaboration with regulators is now a competitive advantage. The UK’s FCA launching a live AI testing environment exemplifies this shift—offering firms not just regulatory clarity, but a safe space to innovate responsibly.

Simultaneously, global regulators are tightening their grip on data protection and cyber resilience. Whether it's Canada and the UK intervening in cross-border bankruptcy cases, or Japan and the EU enforcing stricter privacy standards, the message is consistent: data misuse and cyber lapses will be met with tangible consequences.

Organizations that succeed in this environment will be those that treat compliance as a strategic function—not just a legal obligation. Embedding privacy and security into product development, staying ahead of exploit disclosures, and engaging early with regulators are no longer best practices—they’re prerequisites for trust and longevity in digital markets.

Follow us

LinkedIn : linkedin.com/company/reglex-solutions  

This newsletter is brought to you by RegLex Solutions, your trusted partner in global compliance.
