Agefi Luxembourg - December 2025

AGEFI Luxembourg 22 December 2025 Consultancy

Since its entry into application in 2018, the General Data Protection Regulation (GDPR) has shaped data governance across Europe. Seven years later, the digital world looks nothing like it used to: cloud ecosystems have become the backbone of modern business, cybersecurity threats are intensifying, generative AI is everywhere, and regulatory frameworks (from the AI Act (1) to the NIS 2 Directive (2) and DORA (3)) are emerging at speed. As artificial intelligence (AI) reshapes the digital landscape and the EU Commission has released its proposal for the Digital Omnibus, Data Protection Officers (DPOs) find themselves at a defining crossroads.

Increased use of AI

As a first preliminary observation, all organisations are facing the use of AI as a reality, since public open-source AI tools are powerful and available to anyone (e.g. DeepL, ChatGPT, Claude, Copilot or Perplexity, among others) and are therefore likely to be useful to most employees in their daily work. Secondly, many organisations are using or are considering implementing sophisticated or customised enterprise AI solutions to support a selection of use cases they have determined, or they are working on defining.

Companies can no longer afford to simply ban AI tools across their workforce. In today’s competitive landscape, refusing to engage with AI means ceding ground to competitors who are already leveraging these technologies for efficiency gains and innovation. The question is no longer whether to adopt AI, but how to do so responsibly.
For organisations, a structured governance approach is essential and requires:
- ongoing compliance monitoring: DPOs should continuously assess adherence to the data protection legal framework, rather than treating compliance as a one-off exercise;
- risk threshold management: establishing clear boundaries for acceptable AI use and ensuring solutions remain within these parameters;
- technical due diligence: examining the operational details of AI systems (including data flows and decision-making processes) to accurately classify risk levels; and
- practical safeguards: moving beyond theoretical policies to implement concrete measures that protect both the organisation and its stakeholders.

The challenge becomes particularly acute with public AI tools. It is nearly impossible to effectively monitor employee use of these platforms without implementing strict surveillance protocols, which then may conflict with data protection obligations. Unlike enterprise solutions with built-in audit trails and access controls, public AI tools operate outside corporate infrastructure, making it difficult to track what information employees input, what outputs they rely upon, or whether confidential data has been inadvertently disclosed. This monitoring dilemma raises a fundamental question: should organisations ban public AI tools entirely?

While an outright prohibition may seem like the safest approach, it risks driving use underground, with employees continuing to use AI tools covertly without any guidance or safeguards. A more pragmatic approach involves establishing clear usage policies, providing approved alternatives where feasible, and fostering a culture of transparency where employees understand both the risks and the acceptable boundaries for using external AI platforms.

Given their crucial role in safeguarding organisational data integrity and confidentiality, DPOs find themselves at the centre of this transformation.
Their involvement in decision-making bodies addressing AI implementation is no longer just optional but now essential.

This reality creates an urgent imperative for DPOs to develop substantial expertise in AI technologies. They must be equipped to ask the right questions when evaluating AI solutions: what data is being processed and where? How are algorithms making decisions? What are the retention policies? Where are the vulnerabilities? Beyond identifying risks, DPOs need sufficient technical literacy to propose viable alternatives, challenge vendor claims, and distinguish between genuine safeguards and superficial compliance measures.

Upcoming changes in existing rules - Digital Omnibus

The ambition of the recent EU Commission proposal for the Digital Omnibus published on 19 November (Proposal) is clear: to simplify, modernise, and harmonise the EU’s complex digital regulatory ecosystem, aligning it with emerging opportunities, technologies and risks. As 2026 approaches, a new chapter of data protection history may soon open, which will likely start with a period of discussion, alignment, interpretation within industries and data privacy professional communities. The Proposal encompasses a comprehensive reform of the legislative framework through amendments to various texts, including GDPR and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive).

The Proposal introduces several changes that will reshape the way organisations handle compliance. A first update relates to the fact that data would no longer be considered personal data for a controller if the controller does not have “reasonable” means to identify the individual to which it relates. The text also opens the possibility of considering pseudonymised data as non-personal under certain “means and criteria”, through the inclusion in the GDPR of a new article which should enable the EU Commission to adopt corresponding implementing acts.
In addition, new possibilities for processing special categories of data, typically benefiting from higher protection according to the GDPR, should be granted because developing and operating AI systems or models would explicitly qualify as a “legitimate interest” of the controller, on the condition that: (i) processing personal data is necessary for this purpose, (ii) the controller’s interest does not override the rights and freedoms of data subjects and (iii) special categories of personal data should be removed or kept from AI datasets as much as possible. Also, controllers may refuse requests or at least charge a reasonable fee if data subjects abuse their rights for purposes unrelated to data protection.

As soon as the Digital Omnibus is finalised, DPOs will move to the forefront, tasked with decoding its practical implications for their organisations. This means systematically evaluating impacts on current operations, stress-testing existing GDPR compliance measures against new requirements, identifying emerging risks, and orchestrating the necessary organisational changes to ensure continued compliance.

The evolving role of DPOs

The traditional DPO mission of ensuring GDPR compliance is being reshaped by the rapidly expanding digital landscape and evolving regulatory environment. Today’s DPOs cannot afford to be GDPR specialists alone. They need to develop and maintain up-to-date expertise across multiple domains, including cross-regulatory understanding (DORA, NIS 2 Directive and beyond), technical knowledge on available AI solutions and practical understanding of how AI is actually being deployed within their organisations. This broad scope is essential to anticipate risks before they materialise, determine appropriate safeguards, and recognise red-flag situations requiring immediate escalation.

The challenge lies in the relentless pace of change.
Technological developments have accelerated dramatically, accompanied by a constant stream of product announcements and a proliferating marketplace of AI tools and platforms. DPOs must find methods to reconcile competing demands in their daily work: tracking technological developments, fulfilling core data protection responsibilities, providing strategic advisory services on data processing activities, and continuously updating corporate frameworks to reflect emerging technology uses. This balancing act becomes even more critical as the accountability principle is repeatedly reinforced in the latest regulatory texts.

In short, the role of the DPO is transitioning (or must transition) towards “DPO 2.0” profiles with broader regulatory expertise and thorough technical knowledge, enabling DPOs to guide their organisations through digital transformation, maintain their strategic advisory role and navigate upcoming opportunities and challenges.

The future calls for DPO 2.0 as a service. Some organisations may recognise that their DPO lacks the evolved skill set these developments demand. Some will bridge the competency gap through intensive training, participation in working groups or engagement with professional communities. Others, however, may be unwilling or unable to broaden their investigative scope or fundamentally shift their processes. For these organisations, DPO-as-a-service presents an increasingly attractive alternative, with external DPOs either supplementing existing teams or assuming the full scope of the function.

DPO-as-a-service packages have gained considerable traction in recent years, delivering clear advantages: organisations can access dedicated expert teams with deep specialisation and significant market insight without the commitment of a permanent hire. The model offers flexibility, guaranteed availability, service continuity, and rapid response times, all of which are especially valuable during data breaches, regulatory enquiries, or client complaints.
Moreover, experienced external providers, such as Arendt, bring additional strategic value through established relationships with supervisory authorities, including the Commission de Surveillance du Secteur Financier (CSSF) and the Commission Nationale de Protection des Données (CNPD). These connections prove invaluable in navigating regulatory interactions together with the market insight we can share. Arendt’s multi-disciplinary structure (encompassing tech lawyers, CISO and Regulatory ICT, Litigation, Forensic Investigations) means that the right specialist can be deployed at the right moment, covering the full spectrum of issues a data protection matter may involve.

Conclusion

Organisations’ data protection frameworks must evolve in tandem with emerging AI applications and upcoming regulatory developments. Organisations must ensure that whoever assumes the DPO role — whether internal or external — has the right mix of regulatory, technical, and strategic skills to guide them through this evolving landscape.

Faustine CACHERA, Counsel, Arendt & Medernach
Bénédicte d’ALLARD, Director, Arendt Regulatory & Consulting
Delphine GARNIER, Senior Manager, Arendt Regulatory & Consulting

1) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence.
2) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union.
3) Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector.

2026 will challenge DPOs: how DPO-as-a-service can help

Claire Munck, CEO of BeAngels, set out a clear observation from the outset when she recently addressed the members of Ecofin Club Luxembourg: “Europe’s economic future and technological sovereignty will now depend on how its citizens manage their investment portfolios and (re)direct their savings.”

While Europe has a very high level of savings, “it suffers from a weak orientation towards productive investment and innovation,” she believes. The European Union is trying to respond, notably by encouraging the mobilisation of savings towards start-ups and scale-ups through the 28th Regime and other initiatives aimed at creating a genuine European market for so-called “patient” capital. For BeAngels, a major player in the business angel investing ecosystem since 2003, with more than EUR 85 million committed, some 600 investors and nearly 450 companies financed, the stakes are critical.

Tax incentives

Innovation financing relies mainly on business angels and venture capital funds. On that basis, Claire Munck continues, “tax incentives are crucial for redirecting part of savings towards this intrinsically risky asset class.”

In Belgium, the absence of capital gains tax on shares (until now!) and the existence of the Tax Shelter for start-ups have made the country one of the most dynamic in Europe in terms of business angel networks. The capital gains tax plan under consideration for 2026, if not accompanied by targeted exemptions for risk investment, “risks wiping out this entire ecosystem”. The expected tax tightening will reduce the supply of financing available to young companies and slow seed-stage innovation. The United Kingdom is another case. Nearly 88% of British investors questioned in a recent survey say they would stop investing in start-ups without these tax incentives.

Luxembourg, a future start-up nation?

BeAngels’ activity is not confined to Belgium. The group is also active in Hauts-de-France and in the Grand Duchy of Luxembourg. According to Claire Munck, the latter plays a strategic role as a “European hub for cross-border investment”. The Grand Duchy indeed offers a particularly attractive legal framework for alternative investment funds (SIF, SICAR, RAIF), ensuring regulatory proximity with European venture capital players. Above all, Luxembourg maintains competitive taxation on capital gains from substantial shareholdings.

Luxembourg’s ambition to become a true start-up nation is, however, hampered by structural challenges. While discussions are under way to create more advantageous tax arrangements for investments in start-ups, various problems persist, the speaker points out, such as the difficulty of setting up or closing a company or opening a bank account, and a limited deal flow that requires cross-border collaboration.

Growing in Europe

The fundamental challenge, Claire Munck continues, is to “preserve Europe’s capacity for innovation in order to build a competitive and sovereign Europe.” This means aligning tax policies with innovation and growth objectives, strengthening risk investment schemes and encouraging collaboration between business angel networks and institutional funds at European level. Work on these objectives has begun, with the emergence of new European funds for scale-ups and the calling upon of pension funds.

Claire Munck concluded by stressing the essential strengthening of the ecosystems that will allow entrepreneurs to start up and grow in Europe. “It is in the management of our portfolios and the redirection of our savings that tomorrow’s collective prosperity will be decided.”

Hugo Leblud

Claire Munck, CEO of BeAngels, at the Ecofin Club Luxembourg

What strategy for “patient” investment in Europe?
