
12 August 2025 | 3 min

Changes to CSRD and CS3D: What Companies Need to Know

In 2025 the EU agreed on significant changes to the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CS3D): a "stop-the-clock" directive adopted in April 2025 postponed the application dates, and the accompanying Omnibus package amends thresholds, reporting obligations, and due diligence requirements. The aim is to reduce the burden on companies without compromising the EU's sustainability and human rights objectives, with considerable implications for Governance, Risk Management, and Compliance (GRC).

Key Takeaways

  • Higher thresholds for CSRD and CS3D applicability
  • Removal of reporting obligations for listed SMEs
  • Risk-based approach to due diligence
  • Extended implementation deadline until July 26, 2028
  • Goal: Reduce bureaucracy while maintaining sustainability and human rights standards

Why the Changes Were Introduced

The original requirements of CSRD and CS3D drew criticism, particularly from mid-sized companies and industry associations. Main concerns included excessive administrative workload, lack of resources for implementation, and insufficient consideration of sector-specific risks. The EU responded with a revision that makes the requirements more risk-oriented and less administratively demanding, while keeping the core objectives intact.

What Has Changed

1. Higher Thresholds

The turnover and employee thresholds that determine whether the directives apply have been raised. This means fewer companies are subject to reporting and due diligence obligations.

2. Removal of Reporting Obligations for Listed SMEs

Listed small and medium-sized enterprises (SMEs) are no longer required to produce detailed sustainability reports under the CSRD.

3. Risk-Based Due Diligence

Companies must now implement due diligence primarily where human rights and environmental risks are highest. This enables a more targeted and resource-efficient approach.

4. Extended Implementation Deadline

Under the "stop-the-clock" directive, the CS3D transposition deadline moved to July 26, 2027, and the first group of companies must apply the rules from July 26, 2028, giving companies more time to adapt their processes and systems.

Impact on Governance, Risk & Compliance

These changes highlight the growing importance of integrated GRC strategies. Companies that proactively align their governance and risk management processes with the new requirements will not only ensure compliance but also gain competitive advantages.
A risk-based approach also means companies must enhance their risk assessment processes – covering everything from supply chain oversight to internal operations and strategic decision-making.

Conclusion

By adjusting the CSRD and CS3D, the EU is addressing valid concerns from businesses without abandoning its ambitious sustainability goals. For companies, this is an opportunity to refine their sustainability and compliance strategies in a more focused and efficient way.


FAQ

1. What is the CSRD?
The Corporate Sustainability Reporting Directive requires certain companies to disclose their sustainability and ESG data.

2. What is the CS3D?
The Corporate Sustainability Due Diligence Directive establishes due diligence obligations for companies to prevent human rights and environmental violations throughout their value chains.

3. Which companies are affected by the changes?
Primarily mid-sized companies, listed SMEs, and businesses with international supply chains.

4. Why is the EU adopting a risk-based approach?
To direct resources to areas with the highest risks while reducing administrative burdens.

5. How should companies prepare?
By reviewing internal risk assessments, updating GRC processes, and integrating the new requirements into their overall strategy early on.

Related posts

5 August 2025 | 5 min

New EU AI Requirements 2025: What Companies Must Know Now

The European Union is launching a new era of regulated artificial intelligence with the AI Act (Regulation (EU) 2024/1689). From August 2, 2025, binding obligations apply to providers of General Purpose AI (GPAI) models; organizations that deploy such models are affected through their own duties under the Act (the AI literacy requirement has applied since February 2, 2025) and through what they must obtain from their providers. Organizations that build or integrate AI systems, particularly in generative AI, machine learning, natural language processing, or automated decision-making, must realign their governance, risk management, and compliance structures.

This does not only concern tech companies – the regulation affects all industries, including financial services, healthcare, manufacturing, retail, and public institutions.

  • Effective Date: August 2, 2025 – new legal obligations for GPAI models like ChatGPT, Claude, Gemini, Mistral, and LLaMA
  • New Obligations for Providers & Users:
    • Transparency on training data & model architecture
    • Risk analysis and conformity assessments
    • Copyright protection and documentation
  • Governance Requirements:
    • Internal responsibilities, audit trails, and supervisory structures
    • Mandatory employee training (AI Literacy)
  • Penalties for Violations: up to €35 million or 7% of global annual turnover for prohibited practices; breaches of GPAI provider obligations carry up to €15 million or 3%
  • Voluntary “Code of Practice” for GPAI providers – reduces compliance risks

1. What Is the AI Act?

The AI Act is the world’s first comprehensive law regulating artificial intelligence. It classifies AI into four risk levels (prohibited, high-risk, limited-risk, minimal-risk) and assigns different obligations accordingly.

As of August 2, 2025, mandatory requirements apply to providers of General Purpose AI (GPAI) models placed on the market from that date (models already on the market have until August 2, 2027). GPAI models are large AI models that can be used for a wide variety of applications such as text, image, code, speech, and data analysis.

Examples include:

  • ChatGPT (OpenAI)
  • Claude (Anthropic)
  • Gemini (Google DeepMind)
  • Mistral
  • LLaMA (Meta)

2. Who Is Affected?

The new rules apply to:

  • GPAI model developers and providers, regardless of whether they’re based in the EU
  • Distributors and vendors of GPAI-based software
  • Enterprise users of generative AI tools and services
  • Finetuners and companies that customize existing base models

Even companies using ChatGPT Enterprise, Microsoft Copilot, Gemini for Workspace, or other generative AI platforms have obligations as deployers: AI literacy for their staff today, and the deployer duties for high-risk use cases (human oversight, logging, following the instructions for use) that apply from August 2, 2026 where AI is involved in decisions or data processing.

3. What Will Be Mandatory from August 2, 2025?

A) Transparency & Documentation

  • Publicly available summary of the content used for training
  • Technical documentation of the model (architecture, capabilities, intended use) for the AI Office and for downstream providers
  • Documentation for bias mitigation, safety, and fairness

B) Copyright & IP Protection

  • GPAI providers must put in place a policy to comply with EU copyright law, including respecting machine-readable opt-outs from text and data mining, and must respect third-party rights

C) Risk Assessment & Governance

  • Formal AI risk assessments and impact analysis
  • Establishment of internal controls and AI governance frameworks
  • Ensure traceability and auditability of model outputs

D) Employee Training (AI Literacy)

  • Employees must understand, evaluate, and monitor AI systems

E) Supervision by the AI Office

  • GPAI model providers are supervised by the European Commission's AI Office, which can request documentation, evaluations, and access to models
  • Notified bodies are involved in conformity assessments for certain high-risk AI systems, not for GPAI models as such

4. What Are the Penalties?

Non-compliance may result in administrative fines of up to €35 million or 7% of annual global turnover for prohibited practices; most other breaches, including GPAI provider obligations, are capped at €15 million or 3%, and supplying incorrect information at €7.5 million or 1%.

5. The GPAI Code of Practice: Voluntary but Strategic

The European Commission has introduced a non-binding Code of Practice for GPAI developers. Companies who implement this code benefit from:

  • Regulatory relief and legal certainty
  • Reduced audit burdens
  • Stronger trust positioning in the EU market

6. Integrating AI into Risk Management & Compliance (GRC)

To meet the AI Act’s demands, organizations must:

  • Embed AI into their enterprise risk management (ERM) frameworks
  • Extend internal control systems (ICS) and ISMS policies to cover AI
  • Maintain governance documentation for AI roles, models, and tools
  • Track compliance obligations across jurisdictions
  • Enable cross-functional collaboration between legal, data science, and IT security teams

7. How This Relates to GRC

These AI obligations are not just regulatory formalities – they directly connect to Governance, Risk, and Compliance (GRC) principles. Here’s how:

  • Governance assigns responsibility for AI oversight and decision-making
  • Risk Management ensures companies identify, assess, and monitor AI risks (e.g. bias, model drift, data leakage)
  • Compliance ensures all legal and regulatory AI requirements are met and documented

A well-structured GRC platform enables companies to manage AI-related risks and controls alongside traditional areas such as ISO 27001, GDPR, and ESG. This leads to:

  • Centralized audit readiness
  • Consistent enterprise-wide documentation
  • Greater visibility into emerging risks
  • Stronger stakeholder trust

Conclusion

August 2, 2025 is not just another deadline – it marks the beginning of a new compliance era for artificial intelligence in Europe.

Whether you are building AI or simply integrating it into your workflows, the AI Act requires companies to demonstrate transparency, accountability, and responsible usage.

Those who act early, document thoroughly, and align with GRC frameworks will be better positioned to innovate with confidence, reduce legal exposure, and gain a long-term competitive edge.

FAQ – New EU AI Rules from August 2, 2025

What is General Purpose AI (GPAI)?
AI systems designed for broad, cross-domain use cases such as generating text, code, images, or speech. These include large foundation models like ChatGPT or Gemini.

Do the rules only affect tech companies?
No – all companies using AI tools operationally are impacted, particularly when AI influences decisions, data handling, or compliance-sensitive processes.

Is the Code of Practice mandatory?
No – it’s voluntary. But those who adopt it benefit from lower risk of sanctions and simplified compliance checks.

What are the financial penalties?
Up to €35 million or 7% of global annual revenue for prohibited practices; breaches of GPAI provider obligations are capped at €15 million or 3%, depending on the type and severity of the violation.

How should companies prepare?

  1. Inventory and classify all AI systems
  2. Map model risks and use cases
  3. Integrate AI oversight into GRC programs
  4. Assign responsible officers for AI governance
  5. Provide AI literacy training across the company


21 July 2025 | 3 min

Bank Mergers in the EU: How GRC Shapes the Agenda

The European Union is currently increasing pressure on its member states to stop politically blocking cross-border bank mergers. The goal is a more integrated European banking sector that remains internationally competitive and better absorbs systemic risks. The debate surrounding planned mergers in Spain, Italy, and potentially Germany raises fundamental questions from a GRC perspective: Who governs the European banking market? Which risks take precedence? And how well are regulatory requirements being met?

Governance: Who Calls the Shots in the European Banking Sector?

At the heart of the dispute is the question of authority. Under EU law and the Banking Union, the power to approve cross-border bank mergers lies with European institutions such as the European Central Bank (ECB) and the European Commission. However, national governments like those in Italy or Spain are using so-called “Golden Power” laws to effectively claim a veto right.

From a governance standpoint, this creates conflict: The single market relies on uniform rules, while national interests (e.g., protecting domestic banks) push against them.

A strong GRC framework requires clear decision-making processes, institutional transparency, and a clear separation from political interference.

Risk: Systemic Risks vs. National Protective Interests

The EU sees mergers as a way to reduce systemic risks: Larger, more stable institutions with stronger capital positions and cross-border diversification are considered more resilient in economic crises.

In contrast, member states such as Germany or Italy fear loss of control, job cuts, or the concentration of risk in a few mega-banks.

From a GRC perspective, this represents a clash of risk paradigms. Sustainable risk management should take both views into account—systemic stability and national resilience—and translate them into objective, transparent risk assessments.

Compliance: National Exceptions vs. European Law

The EU accuses certain countries of violating principles of free capital movement and key Banking Union directives. Blocking mergers involving EU-supervised banks on a national level risks triggering infringement proceedings.

For GRC professionals, this is a textbook case of compliance failure: Domestic legal frameworks undermine international standards, creating uncertainty in the regulatory landscape.

A functioning compliance management system at the supranational level must reconcile federal diversity with legal harmonization.

Conclusion: Bank Mergers as a Test Case for European GRC

The current debate illustrates how closely economic integration, institutional governance, and regulatory coherence are intertwined. GRC is not just a corporate tool—it is an essential part of functioning financial markets.

The EU must demonstrate that it can effectively oversee cross-border mergers and that its institutional GRC philosophy leads to a more stable, efficient, and competitive banking system in the long run.

FAQ: Bank Mergers and GRC

What is GRC in the context of the financial sector?
GRC stands for Governance, Risk, and Compliance. In banking, it refers to the integration of corporate decision-making with regulatory requirements and stability goals.

Why is the EU pushing for more bank mergers?
The EU aims to create internationally competitive banks, reduce systemic risk, and strengthen the single market. Mergers are seen as a means to consolidate and increase efficiency.

What role does compliance play in bank mergers?
Compliance ensures that mergers follow legal standards and EU-wide rules. National interventions that violate EU law undermine this principle.

Why is there resistance to bank mergers?
National governments fear job losses, loss of control over systemically important institutions, or politically sensitive ownership changes.

How does the Banking Union relate to this?
The Banking Union seeks to harmonize rules for supervision, resolution, and deposit insurance. Bank mergers are a logical next step toward deeper integration.

2 July 2025 | 4 min

Leadership Change in Risk Management at N26: What Companies Can Learn from a GRC Perspective

Intro

In the summer of 2025, German neobank N26 announced a significant leadership change: Chief Risk Officer (CRO) Carina Kozole will leave the company. She will be succeeded by Jochen Klöpper, formerly with Santander Consumer Bank.

Leadership transitions in key risk roles are always noteworthy – not only because of their impact on the organization itself, but also for what they reveal about the structural requirements of Governance, Risk, and Compliance (GRC) in fast-growing and heavily regulated businesses.

This article analyzes the developments at N26 through a systemic lens, outlines common challenges for digital financial service providers, and explains how integrated GRC systems help companies remain stable, compliant, and resilient during leadership transitions.

What Happened at N26?

Carina Kozole joined N26 in late 2023 as Chief Risk Officer and was responsible for enterprise-wide risk and compliance oversight. In 2025, the company announced her departure and named Jochen Klöpper as her successor. Klöpper brings extensive experience in risk management from his previous roles at Santander and other banks.

The timing is notable: N26, like many neobanks, is under increasing regulatory scrutiny. Topics such as AML compliance, IT security, credit risk, and internal controls are becoming critical not only from a regulatory perspective but also in terms of business continuity and market trust.

The Challenge: Growth, Complexity, and Regulatory Exposure

Digital organizations like N26 often face three structural issues:

1. Growth outpaces governance

Startups and digital scale-ups tend to prioritize innovation and customer growth. Governance, compliance, and process maturity often come later – sometimes too late.

2. Layered, evolving regulation

Digital banks operate under overlapping and evolving regulatory frameworks across jurisdictions. Without structured systems to track and manage these requirements, even competent teams can fall behind.

3. Dependency on individuals

In organizations where governance processes are not systematized, key responsibilities may rest with individuals. When those people leave, knowledge gaps, delays, or even compliance breaches can occur.

The GRC Perspective: Mitigating Risk Through Structure

Modern GRC systems help institutionalize risk and compliance processes, reduce dependency on individuals, and provide transparency across the organization.

What GRC software enables:

1. Centralized, auditable risk management

Risk categories, ownership, evaluations, and mitigation measures are documented in a structured, traceable system – not in spreadsheets.

2. Real-time regulatory oversight

Requirements (e.g., AML laws, data protection regulations, banking guidelines) are tracked centrally, with automated compliance status and escalation workflows.

3. Continuity during leadership transitions

With roles, responsibilities, deadlines, and documentation centralized, a new CRO can pick up critical tasks without process disruption or blind spots.

4. Visible governance culture

GRC systems can also track qualitative indicators – such as training effectiveness, audit response times, and cultural maturity – and contribute to an overall view of risk readiness.

Lessons Learned: From N26 to the Broader Market

  • People matter – but systems carry the organization. GRC systems ensure continuity when leadership changes.
  • Regulation is continuous, not project-based. Real-time visibility and structured compliance management are essential.
  • Good governance combines structure and culture. Systems alone are not enough; values, communication, and accountability must follow.
  • GRC tools are strategic, not just administrative. When well-integrated, they reduce risk exposure, improve investor confidence, and support long-term resilience.

Conclusion

The CRO transition at N26 illustrates the high stakes of governance and compliance in modern digital organizations. Especially in regulated sectors, leadership continuity and process integrity are inseparable.

A robust GRC system turns governance from a reactive obligation into a proactive capability – one that protects the organization, enables growth, and earns trust.


FAQ – Frequently Asked Questions on CRO Transitions and GRC

What does CRO stand for?
CRO stands for Chief Risk Officer – the executive responsible for enterprise-wide risk governance, including financial, regulatory, operational, and strategic risks.

Why is a CRO transition significant in banking?
Banks operate under strict regulatory regimes. A leadership change in the risk function may signal strategic shifts, regulatory attention, or internal restructuring. It can also affect market perception.

What happened at N26?
Carina Kozole will leave N26 in 2025. She will be succeeded by Jochen Klöpper, a seasoned risk executive from Santander. The move comes amid continued focus on strengthening risk and compliance capabilities.

What is a GRC system?
GRC (Governance, Risk, and Compliance) systems are software solutions that integrate regulatory management, risk monitoring, policy controls, and reporting into one framework.

How does a GRC platform support leadership transitions?
It ensures that responsibilities, regulatory obligations, and ongoing tasks are transparent and documented. That way, new leaders can take over without disruption or knowledge gaps.

Is GRC only relevant to large corporations or banks?
No. Any organization facing regulatory complexity, rapid growth, or cross-functional risk exposure can benefit from GRC systems – including in health care, energy, technology, and public administration.

What are the benefits of using GRC software?

  • Full visibility into risks and control measures
  • Regulatory tracking and automated compliance reporting
  • Role continuity and institutional memory
  • Improved audit readiness and accountability
  • Enhanced risk culture and decision-making

10 June 2025 | 3 min

NIS2: What companies now need to do for their GRC systems

The new EU directive NIS2 (Network and Information Security Directive 2) brings significant requirements for companies across the EU. The goal is to comprehensively improve cybersecurity in critical and important sectors. But what exactly does that mean for governance, risk, and compliance management (GRC) in your organization?

What is NIS2?

NIS2 replaces the previous NIS directive and significantly expands its scope. It no longer only affects critical infrastructure, but also many medium and large enterprises in sectors such as:

  • Energy, transportation, healthcare, drinking water
  • IT services, digital infrastructure
  • Public administration, space, research

New requirements:

  • Risk management for cyber and information security
  • Staged incident reporting: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of the notification
  • Company-wide security strategy
  • Responsibility at management level
  • Obligation to perform audits and provide evidence
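The staged reporting clock above is the requirement most likely to be missed in practice, because the third deadline does not run from the moment of awareness. The following is an added example for this article, not code from any GRC product the page mentions: it computes the three NIS2 deadlines for one incident and reports which stage is open, submitted or overdue. The stage durations are taken from the directive as summarised here; national transposition laws may add detail, so treat them as an assumption to verify locally. The timestamps are constructed.

```python
"""
NIS2 incident-reporting clock (Article 23): early warning, notification, final report.

Added example for this article, not code from any GRC product the page mentions.
Stage durations follow the directive as summarised above; national transposition
laws may add detail, so treat the numbers as an assumption to verify locally.
"""
import calendar
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0, minute=0):
    """Build a UTC timestamp; the regulator compares absolute times, so avoid naive datetimes."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t):
    """Same day next calendar month, clamped to the month's length (31 Jan -> 28/29 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at, notification_sent_at=None):
    """
    Deadlines for one significant incident.

    aware_at: when the entity became aware of the incident (timezone-aware).
    notification_sent_at: when the 72-hour incident notification was actually
      submitted. The one-month final-report clock runs from that submission, not
      from awareness, so the final deadline stays None until the notification is out.
    Incidents still ongoing after a month follow a progress-report rule that this
    example does not model.
    """
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; the regulator compares absolute times")
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(notification_sent_at) if notification_sent_at else None,
    }


def stage_status(deadlines, submitted, now):
    """Per stage: 'submitted', 'overdue', 'open', or 'pending' (deadline not yet determined)."""
    status = {}
    for stage, due in deadlines.items():
        if stage in submitted:
            status[stage] = "submitted"
        elif due is None:
            status[stage] = "pending"
        elif now > due:
            status[stage] = "overdue"
        else:
            status[stage] = "open"
    return status


if __name__ == "__main__":
    # Constructed timeline: awareness on 31 Jan, notification sent on day 3, checked on 3 Mar.
    aware = utc(2025, 1, 31, 10)
    sent = utc(2025, 2, 2, 9)
    deadlines = reporting_deadlines(aware, notification_sent_at=sent)
    now = utc(2025, 3, 3)
    for stage, state in stage_status(deadlines, {"early_warning", "incident_notification"}, now).items():
        print(f"{stage:22s} due {deadlines[stage]}  {state}")
```

In a GRC workflow the `notification_sent_at` value should come from the evidence record of the actual submission, so that the final-report deadline the system displays is the one the authority will apply.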

What does NIS2 mean for your GRC system?

A modern GRC system is key to meeting the new requirements. Only with a systematic approach can risks, controls, reporting obligations, and responsibilities be documented and managed efficiently.

Specifically, this means:

  • Risk Management: Integration of IT and cyber risks into the central risk register
  • Compliance Monitoring: Tracking of obligations and deadlines according to NIS2
  • Action Management: Assignment and tracking of protective and response measures
  • Audit Trail & Documentation: Complete traceability for audits

Immediate actions to prepare for NIS2

  1. Clarify whether you are affected: Is your company directly or indirectly subject to NIS2?
  2. Conduct a gap analysis: What gaps exist in your current security and GRC structure?
  3. Define responsibilities: Who is responsible for cybersecurity and reporting?
  4. Upgrade GRC systems: Can your system integrate NIS2 requirements?
  5. Train and raise awareness: Prepare management and key personnel

Conclusion: Action is needed now

NIS2 not only brings new regulatory obligations, but also offers a chance to embed cyber resilience strategically. Companies that already use a powerful GRC system—or upgrade now—gain a real competitive edge. Important: don’t wait for national legislation—the time to prepare is now.


FAQ on NIS2 and GRC

When does NIS2 take effect?

The EU directive has been in force since January 2023. National implementation must occur by October 2024. Companies should begin preparing now.

Which companies are affected?

All medium and large companies in certain critical and important sectors. This includes IT, energy, healthcare, transportation, and digital services.

What happens in case of non-compliance?

Fines of up to €10 million or 2% of global annual turnover for essential entities and up to €7 million or 1.4% for important entities (whichever is higher), plus reputational damage. Liability may extend to the company's management.

How does a GRC system help with NIS2?

It enables structured management of risks, actions, reporting obligations, and compliance requirements in a single integrated system.

How does NIS2 differ from ISO 27001?

NIS2 is a legal obligation; ISO 27001 is a voluntary standard. However, both complement each other: an ISMS in accordance with ISO 27001 can cover many NIS2 requirements.

22 April 2025 | 4 min

EU Cyber Resilience Act (CRA): A New Era for Governance, Risk & Compliance in Cybersecurity

Introduction: The Cyber Resilience Act Transforms GRC and Cybersecurity

In today’s digital landscape, cyberattacks are no longer exceptions — they’re part of everyday business risks. With the introduction of the EU Cyber Resilience Act (CRA), the European Union is setting a groundbreaking global standard for the security of digital products and software. Companies now face the challenge of embedding cybersecurity deeply into their Governance, Risk, and Compliance (GRC) frameworks.

This article explains what the CRA entails, the obligations businesses must meet, and how a smart, AI-powered compliance strategy can help mitigate risks while creating competitive advantages.

1. What Is the EU Cyber Resilience Act (CRA)

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the first EU-wide regulation mandating cybersecurity requirements for all "products with digital elements", including software, connected devices, and IoT applications. Its goal is to systematically reduce vulnerabilities and strengthen Europe's resilience against cyber threats.

Key Elements of the CRA:

  • Mandatory security by design & by default
  • Continuous vulnerability management throughout the product lifecycle
  • Staged reporting of actively exploited vulnerabilities and severe incidents: early warning within 24 hours, notification within 72 hours, final report within 14 days (vulnerabilities) or one month (incidents)
  • Conformity assessments for high-risk products
  • Due-diligence obligations for open-source and other third-party components integrated into commercial products, including a software bill of materials (SBOM)

The CRA complements existing regulations like the NIS2 Directive and supply chain laws, creating a direct link between product responsibility and IT security.
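Continuous vulnerability management and third-party component due diligence both start from the same artefact: the product's SBOM, joined against a vulnerability feed. The following is an added example for this article, not code from any vendor or project the page describes, and it also illustrates the supply-chain monitoring described in the AI-powered compliance section further down. It reads a constructed CycloneDX-style SBOM, matches each component's package URL against a constructed advisory feed, and ranks findings so that actively exploited issues, which start the CRA reporting clock, come first. The advisory identifiers (ADV-000x) and package names are placeholders, not real CVEs or packages, and the single "affected below" bound is a simplification of the version-range semantics real feeds (NVD, OSV, vendor VEX) use.

```python
"""
Match a CycloneDX SBOM against a vulnerability feed and rank what needs attention.

This is an added example for this article, not code from any product the page
describes. The SBOM and the advisory feed are constructed inline; the advisory
identifiers (ADV-000x) and package names are placeholders, not real CVEs or
packages. Real feeds (NVD, OSV, vendor VEX) carry richer version-range semantics
than the single "affected below" bound used here.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment; only the fields read below are present.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",   "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "netparse", "version": "0.9.1", "purl": "pkg:pypi/netparse@0.9.1"},
    {"type": "library", "name": "tlslite",  "version": "3.0.0", "purl": "pkg:pypi/tlslite@3.0.0?os=linux"}
  ]
}
"""

# Constructed advisory feed: versions strictly below "affected_below" are vulnerable.
ADVISORIES = [
    {"id": "ADV-0001", "purl_prefix": "pkg:pypi/netparse",  "affected_below": "1.0.0",
     "cvss": 9.8, "exploited": True},
    {"id": "ADV-0002", "purl_prefix": "pkg:generic/libfoo", "affected_below": "1.2.0",
     "cvss": 7.5, "exploited": False},
    {"id": "ADV-0003", "purl_prefix": "pkg:pypi/tlslite",   "affected_below": "3.1.0",
     "cvss": 5.3, "exploited": False},
]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str
    cvss: float
    exploited: bool
    fixed_in: str


def parse_version(version):
    """Dotted numeric version -> tuple of ints; non-digit suffixes ("1.2.3rc1") are dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if a < b, padding with zeros so "1.2" == "1.2.0" and "1.10" > "1.9"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def purl_base(purl):
    """Strip version and qualifiers: "pkg:pypi/x@1.0?os=linux" -> "pkg:pypi/x"."""
    return purl.split("?", 1)[0].split("@", 1)[0]


def load_components(sbom_json):
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c for c in bom.get("components", []) if c.get("purl") and c.get("version")]


def match_advisories(components, advisories):
    """Join SBOM components to advisories by purl base and version bound."""
    findings = []
    for comp in components:
        base = purl_base(comp["purl"])
        for adv in advisories:
            if base == adv["purl_prefix"] and version_lt(comp["version"], adv["affected_below"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"],
                                        adv["cvss"], adv["exploited"], adv["affected_below"]))
    # Actively exploited issues first: under the CRA those start the 24-hour
    # early-warning clock, while the rest go into routine remediation by severity.
    findings.sort(key=lambda f: (not f.exploited, -f.cvss))
    return findings


def reportable(findings):
    """Findings that trigger the manufacturer's CRA reporting duty (actively exploited)."""
    return [f for f in findings if f.exploited]


if __name__ == "__main__":
    found = match_advisories(load_components(SBOM_JSON), ADVISORIES)
    for f in found:
        flag = "REPORT (actively exploited)" if f.exploited else "remediate"
        print(f"{f.component} {f.version}: {f.advisory} CVSS {f.cvss} -> fix in {f.fixed_in} [{flag}]")
```

Two details matter for accuracy: the package URL is compared only after its version and qualifiers are stripped, so a qualifier such as `?os=linux` does not hide a match, and version comparison is numeric per segment, so `1.10` is correctly treated as newer than `1.9`. Ecosystems with non-numeric versioning need the ecosystem's own comparison rules instead.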

2. The Impact on Governance, Risk & Compliance (GRC)

The CRA redefines cybersecurity responsibilities. It’s no longer just an IT issue — cybersecurity becomes a board-level priority and a core component of GRC strategies.

Governance:

  • Establishing cybersecurity policies at the executive level
  • Defining clear responsibilities for security processes and product oversight

Risk Management:

  • Systematic identification of cyber risks across the entire value chain
  • Evaluating third-party software and supply chain dependencies

Compliance:

  • Developing compliance frameworks aligned with technical security mandates
  • Documenting all actions to meet CRA requirements
  • Preparing for audits and avoiding significant penalties

Failing to act now could result in heavy fines and severe reputational damage.

3. Leveraging AI-Powered Compliance to Meet CRA Requirements

The CRA’s complexity is undeniable — but modern technology offers effective solutions. Artificial Intelligence (AI) can streamline GRC processes, making them more efficient, accurate, and resilient.

How AI Supports CRA Compliance:

  • Automated Vulnerability Management:
    AI-driven tools detect security gaps in real time and prioritize remediation efforts.
  • Predictive Risk Analytics:
    Machine learning forecasts future cyber threats, enabling proactive risk strategies.
  • Documentation & Reporting:
    Natural Language Processing (NLP) automates compliance reports and ensures timely incident notifications.
  • Supply Chain Monitoring:
    AI continuously scans third-party software for known vulnerabilities (e.g., CVE databases).

The Advantage: Companies integrating AI into their GRC strategies not only meet regulatory demands faster but also foster an agile security culture that anticipates threats rather than merely responding to them.

4. Best Practices for Successful CRA Implementation

  1. Conduct an Early Gap Analysis:
    Identify where current processes align with CRA requirements and where improvements are needed.
  2. Build Cross-Functional Teams:
    Foster collaboration between compliance, IT, product development, and legal departments.
  3. Invest in Technology:
    Deploy AI-powered GRC tools to automate tasks and increase efficiency.
  4. Raise Employee Awareness:
    Cybersecurity is a cultural issue — ongoing training is essential.
  5. Align with Existing Regulations:
    Leverage synergies with NIS2, GDPR, and supply chain compliance to optimize resources.

Conclusion: Turning Cyber Resilience Into a Competitive Edge

The EU Cyber Resilience Act signals a new era where cybersecurity is a foundational pillar of Governance, Risk & Compliance. Companies that act strategically today — and embrace modern, AI-driven solutions — can transform regulatory obligations into opportunities for trust, security, and market leadership.


FAQ: EU Cyber Resilience Act (CRA)

What is the EU Cyber Resilience Act (CRA)?
The CRA is an EU regulation introducing mandatory cybersecurity requirements for products with digital elements (hardware and software) placed on the EU market, to enhance resilience against cyberattacks.

Who is affected by the CRA?
Manufacturers of products with digital elements placed on the EU market, wherever they are based, together with importers and distributors, from startups to large enterprises. Businesses that merely use such products have no direct CRA obligations, but they can rely on the security guarantees the CRA gives them when selecting suppliers.

What obligations does the CRA impose?
Manufacturers must implement security by design, maintain vulnerability handling throughout the product's support period, and report actively exploited vulnerabilities and severe incidents in stages: early warning within 24 hours, notification within 72 hours, and a final report thereafter.

When does the CRA come into effect?
The CRA entered into force on December 10, 2024. Its reporting obligations apply from September 11, 2026 and the remaining requirements from December 11, 2027, a transition of 36 months.

How can AI help with CRA compliance?
AI tools automate vulnerability detection, enhance risk analysis, and simplify compliance documentation and reporting processes.

What are the penalties for non-compliance?
Fines of up to €15 million or 2.5% of global annual turnover — whichever is higher.

14 January 2022 | 4 min

European Data Act Explained

Data is a non-rival good: it can be consumed many times without depleting the supply. The volume of data is growing continually. An estimated 33 zettabytes of data were generated in 2018, and the figure is expected to reach around 175 zettabytes in 2025. Yet it remains an under-exploited resource: research shows that 80% of industrial data is never used. To foster a robust and fair data-driven economy and to guide the digital transformation by 2030, the EU Commission on 23 February 2022 proposed harmonised rules on fair access to and use of data, known as the Data Act. These rules are meant to ensure that data generated by Internet of Things (IoT) devices is used and shared fairly between the relevant actors, and to clarify who can create value from data and under which conditions. By giving the different actors involved in creating and holding data an incentive to share it, the EU expects to create EUR 270 billion of additional GDP by 2028.

The proposed Data Act

  1. provisions allowing users of connected devices to access the data those devices generate, which today is mostly collected by manufacturers unilaterally, and to share it with third parties for aftermarket and other data-driven services. Manufacturers retain an incentive to invest in high-quality data generation and may be compensated for the transfer; use of the shared data in direct competition with the manufacturer's product is excluded.
  2. measures that rebalance negotiating power for SMEs by protecting them from abusive contractual imbalances in data-sharing contracts, where SMEs are often the weaker party both during negotiation and in the final terms. The Commission has committed to drafting model contractual terms for fair data sharing to reduce complexity for such companies.
  3. provisions allowing public sector bodies to access and use data held by private sector entities where it is needed in exceptional circumstances such as floods, wildfires, and pandemics and is not otherwise available.
  4. provisions allowing customers to switch effectively between cloud and other data-processing service providers, together with safeguards against unlawful data transfers.

The Data Act will give consumers and businesses access to the data of their devices so they can use it for aftermarket and value-added services such as predictive maintenance. This will be a great help to consumers such as farmers, airlines, or construction companies in making better decisions when buying higher-quality or more sustainable products and services, and in particular in contributing to the Green Deal objectives. By virtue of this legislation, business and industrial players will have more data available and will thus be able to benefit from a competitive data market.

Aftermarket service is one of the most crucial provisions of the Act. Under this Act, aftermarket service providers will be able to provide more personalised services and to compete on an equal footing with manufacturers or other service providers who offer equivalent services. This Act, without a doubt, will create many economic opportunities for consumers, businesses, public sector entities, and private sector entities.

What this means

As Thierry Breton, Commissioner for Internal Market stated:

“It is an important step in unlocking a wealth of industrial data in Europe, benefitting businesses, consumers, public services, and society as a whole. So far, only a small part of industrial data is used and the potential for growth and innovation is enormous. The Data Act will ensure that industrial data is shared, stored, and processed in full respect of European rules. It will form the cornerstone of a strong, innovative, and sovereign European digital economy.”

21 December 2021 | 5 min

Different privacy values between European Union & United States

GDPR and the EU view on privacy

The enactment of the EU General Data Protection Regulation (GDPR) has elevated the significance of personal data protection for institutions operating in the European Union (EU) and beyond. Global tech companies like Meta Platforms Inc. (Meta), Google, and Microsoft have faced heightened scrutiny in this regard. Meta and the EU have recently engaged in a diplomatic dispute over data protection issues affecting EU citizens. Meta has threatened to withdraw Facebook and Instagram from the EU unless data transfers to the US can continue, as negotiations are underway to replace the invalidated transatlantic data transfer pact.

It would be wrong to say that personal data protection issues were not stressed before the enactment of the EU General Data Protection Regulation (GDPR); however, ever since the advent of the GDPR, data protection has been of central importance for institutions whose activities involve keeping and/or sharing personal data in the European Union (EU) and elsewhere. It has been a paramount concern, particularly for major global tech companies such as Meta Platforms Inc. (Meta), Google, and Microsoft.

Meta and the EU have recently been in a diplomatic brawl over the data protection of EU citizens. Both Meta and the EU seem to be very bellicose in their approach, which is indeed not a good thing for the overall U.S.-EU relationship and, of course, for the millions of Facebook and Instagram users in the EU.

Meta and the US view on privacy

Meta has warned that it may pull Facebook and Instagram from the EU if it cannot keep transferring the data of EU users back to the U.S. while regulators negotiate a substitute for the transatlantic data transfer pact that the Court of Justice of the European Union (CJEU) struck down in July 2020 in the case known as ‘Schrems II’. That case was brought by the Austrian privacy advocate Max Schrems, who complained that Facebook's data contract clauses do not provide Europeans with adequate protection from government inspection and monitoring in the U.S. The CJEU has categorically stated that it is impossible to ensure that the data of EU citizens is adequately protected once it enters the U.S. According to some experts and renowned journalists, such a decision will have significant implications for U.S. companies and the U.S. Congress, since it calls the adequacy of privacy protection in the United States into question.

Meta said in its annual report published on 3 February 2022, “If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.”

However, in an emailed statement a Meta spokesperson said, “We have absolutely no desire and no plans to withdraw from Europe, but the simple reality is that Meta, and many other businesses, organizations, and services rely on data transfers between the EU and the U.S. in order to operate global services.”

Conflicting views

Reactions from the EU side have come with the same kind of pugnaciousness. French Finance Minister Bruno Le Maire said that “digital giants must understand that the European continent will resist and affirm its sovereignty.”

A German Minister said, “Life has been fantastic without Facebook and Twitter.”

A European lawmaker said, “Meta cannot just blackmail the EU into giving up its data protection standards.” A counterargument can, however, be made: are the U.S. data protection law standards really not compatible with those of the EU? But frankly speaking, such verbal jousts will hardly bring favourable outcomes for either of the parties.

Following these skirmishing statements from both sides, Meta has already seen its shares fall by as much as 4.5% in New York trading earlier this month.

A meek statement has been put forward by a spokesperson of the European Commission who said, “Only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic.” The question therefore arises, is the ball in the court of the CJEU?

Closing thoughts

On a different note, while both sides are making aggressive statements about shutting down Facebook and Instagram in the EU, are they taking into consideration the millions of Facebook and Instagram users in the EU, for whom these social media have essentially become an inextricable part of their lifestyle, education, work, and professional activities? While we are concentrating outright on the legal aspects of personal data protection, and rightly so, are we not advertently or inadvertently averting our eyes from the right of individuals to make personal choices? All we know today is that the last word has not yet been spoken.