Agefi Luxembourg - janvier 2026

AGEFI Luxembourg 38 Janvier 2026 Informatique financière Cinq tendances qui déplacent le contrôle des données, des processus et de la prise de décision L ’intelligence artificielle (IA) évolue plus rapidement que de nombreuses organisa- tions ne peuvent l’absorber. Ce qui a commencé comme un simple outil devient, à l’horizon 2026, un fac- teur déterminant des pro- cessus métier, de la prise de décision et de la gouver- nance. Les organisations qui continuent à considérer l’IA comme une technolo- gie isolée risquent de se heurter à des données frag- mentées, à un manque de contrôle et à des responsabili- tés floues. Sur la base des évo- lutions mondiales, SAP identifie cinq tendances qui montrent pourquoi re- pousser des choix structurels en matière d’IA n’est plus une option. 1. Les modèles d’IA spécialisés supplantent les modèles généralistes La première vague d’IA générative reposait sur de grands modèles de langage polyvalents. Ceux-ci sont adaptés à la génération de texte, aux résumés et aux analyses simples, mais atteignent leurs limites lorsqu’il s’agit de calcul, de prévision ou de traitement de données d’entreprise struc- turées. En 2026, l’attention se déplace vers des modèles d’IA spécialisés, entraînés sur des types de données spécifiques tels que les ta- bleaux, les transactions et les données de planification. Ces modèles sont capa- bles de produire des prévisions plus ra- pides et plus précises, par exemple concernant les délais de livraison, l’évo- lution de la demande ou les risques dans la chaîne logistique. Le temps de mise en œuvre des applica- tions d’IA passe ainsi de plusieurs mois à quelques jours, rendant l’IA réellement exploitable pour les processus clés de la finance, de la logistique et de la production. 2. Les logiciels d’entreprise sont conçus autour de l’IA Aujourd’hui, de nombreuses organisations ajoutent l’IA à des systèmes existants. En 2026, cette approche change radicalement : les logiciels sont conçus dès le départ avec l’IA comme prin- cipe directeur. Au lieu de processus figés et de workflows ri- gides, émergent des systèmes capables d’appren- dre, de réfléchir et de s’adapter au contexte. Cela exige une base solide de données fiables et de rè- gles métier clairement définies. L’IA ne fonctionne plus de manière isolée, mais comme une couche d’intelligence supplémen- taire au-dessus des systèmes existants. Le résultat : des logiciels capables de détecter eux-mêmes les anomalies, de proposer des alternatives et, dans certains cas, d’exécuter automatiquement des processus dans des cadres prédéfinis. 3. La gouvernance des agents IA devient une condition essentielle Les agents IA, des systèmes capables de planifier et d’exécuter des tâches demanière autonome, se- ront largement déployés en 2026. Ils peuvent gérer des processus complexes, tels que l’analyse de dossiers, la planification de déplacements ou la préparation de décisions. Cette autonomie néces- site de nouvelles formes de supervision. Les organisations devront gérer un grand nombre d’agents IA prenant des décisions et manipulant des données sensibles. Sans accords clairs, le risque de perte de contrôle est réel. La gestion des agents IA devient donc aussi importante que la gestion du personnel, avec des règles sur les res- ponsabilités, la traçabilité des décisions, des limites clairement définies et une surveillance continue des performances. 4. Le travail basé sur l’intention remplace les inter- faces classiques La manière dont les collaborateurs interagissent avec les logiciels d’entreprise évolueprofondément. Au lieudenaviguer entredemultiples applications, il suffit de plus en plus souvent d’exprimer un ob- jectif. Le collaborateur n’aplus besoinde savoir dans quel système se trouve quelle fonction : il indique simplement ce qu’il souhaite atteindre. Les assistants IArassemblent alors les informations pertinentes, créent des vues d’ensemble et exécu- tent des actions. Cela se fait non seulement par le texte, mais aussi via des graphiques générés auto- matiquement, des résumés et des tableauxde bord. Les interfaces classiques ne disparaissent pas, mais passent à l’arrière-plan, au profit de la simplicité et de la clarté. 5. La souveraineté numérique oriente les choix en matière d’IA Les tensions géopolitiques et le durcissement de la réglementation renforcent l’attentionportée à la sou- veraineté numérique. Les organisations veulent sa- voir oùse trouvent leursdonnées, qui développe les modèles d’IA et sous quel cadre juridique ils opè- rent. En 2026, cela se traduit par une demande ac- crue de solutions d’IA régionales et sectorielles, conformes aux exigences locales. Le marché évolue ainsi des plateformes mondiales standardisées versdes solutions plusflexibles, com- binant innovation technologique et conformité aux réglementationsnationales. Pourdenombreuses or- ganisations, ce critère devient décisif dans le choix de leurs solutions d’IA et de cloud. L’IA comme composante structurelle de l’organisation Le fil conducteur de ces tendances est clair : l’IA n’est plus un simple ajout, mais une composante structurelle de l’organisation. Une utilisation réus- sie repose sur des données de qualité, des accords clairs et une organisation réfléchie des processus et des responsabilités. « La prochaine phase de l’IA ne porte pas sur da- vantage de technologie, mais sur la maturité », constate Veerle Van Puyenbroeck (portrait), Country Manager Belux chez SAP. « En 2026, on verra clairement quelles organisations utilisent l’IA comme un accélérateur de leur fonctionne- ment et lesquelles restent bloquées au stade de l’expérimentation. C’est ce qui fera la différence entre des gains d’efficacité temporaires et une création de valeur durablae. » L’IAcontraint les organisations à faire des choix en 2026 By Vincent WELLENS, Avocat à la Cour, Ottavio COVOLO, Avocat à la Cour (portraits) & Jill VAN OVERBEKE, Associate, NautaDutilh O n 12December 2025, the newre- gulationn°2025/2518was publi- shed, containing additional procedural requirements to govern cross-border cases under the General Data ProtectionRegu- lation (EURegulation 2016/679, “GDPR”) whichwill apply from2April 2027.We have previously commented on the initial proposal of this re- gulation (also referred to as the “GDPREnforcement Regula- tion”) as an improvement to the cooperationbetweenData Pro- tectionAuthorities (“DPAs”) and GDPRenforcement overall, what has chan- ged in the final version? Solving issues with the one-stop-shop As a reminder, since its entry into force on 25 May 2018, the GDPR has been enforced by the national DPAs, each DPA being competent on the territory of its ownMember State. However, in cross-border situations, i.e., where processing of personal data takes place in more than one Member State, the GDPR establishes a “ one-stop-shop ” mechanism under which a “lead”DPA conducts the investiga- tion, pursuant to its national procedural law, whilst cooperating with the other concerned DPAs. While thismechanismaims at ensuring a consistent interpretation and enforcement of the GDPR throughout the EU, it has also shed light on impor- tant differences between national administrative procedures (e.g., in terms of timelines for carrying out investigations and adopting decisions) which have hindered the efficiency of themechanismand incitedDPAs tonevertheless take actiondespite not being the lead DPA. This is where the GDPR Enforcement Regulation steps in to introduce additional requirements to curb this enforcement fragmentation. A limited scope – Cross-border cases The scope of the GDPR Enforcement Regulation is limited to procedural aspects regarding “the han- dling of complaints and the conduct on investigations” where cross border processing is at play (and there- fore implying that twoormoreDPAs are involved). Within this scope, the GDPR Enforcement Regula- tion sets out provisions targeted towards data sub- jects : chapters II and IVharmonise respectively the formof complaints and the access and confidential- ity of the administrative file relating to such com- plaint ; and provisions targeted to the cooperation between supervisory authorities : chapters III, V, and VI deal respectively with cooperation within the one-stop shopmechanism, the resolutionof dis- putes betweenDPAs, and the possibility to request urgent opinions or decisions of the European Data Protection Board (“EDPB”). The final wording of the regulation however spec- ifies that the provisions thereof do not create nor limit the rights of individuals under investigation. The final version also includes – for the avoidance of doubt – not only rejections of complaints (imply- ing that the complaintwas admissible, but theDPA disagreed on its merits) but also dismissals of the complaints (limited to setting aside the complaint on admissibility grounds). The vast amendments proposed by the European Parliament in integrating common principles ap- plicable to all national procedural rules, stemming from the fundamental right to a fair trial (e.g., right to be heard and to a fair transparent procedure) were not accepted, with such safeguards being left to the procedural autonomy of member States. Handling of complaints – Better access to rights for data subjects? For the time being, national DPAs have formal re- quirements regarding complaints, meaning that the same complaint could be accepted by some DPAs and rejected by others, with such rejection taking different forms froma formal rejection to no reaction at all. Chapter II of the regulation aims at harmonising the contents thereof, although getting rid of the standardised complaint form found in the original proposal, thus making complainants responsible to ensure the admissibility of their complaint. Pursuant to the GDPR Enforcement Regulation, once the complaint is filed by the data subject, the DPA which receives the complaint will assess its admissibility and will transmit it to the lead DPA. Unlike the current procedure, the lead DPA would not have to reexamine the admissibility of the complaint. Cooperation between DPAs – Reaching a consensus The GDPR Enforcement Regulation would not replace the “ one-stop-shop ” mechanism as laid down by the GDPR. Therefore, the pro- cedural steps as described in the GDPR are maintained and would only be supplemented by the GDPR Enforcement Regulation. The GDPR Enforcement Regulation implements extra procedural stepswithin the framework of co- operation between DPAs. The aim is to encourage the formation of early consensus and to minimise conflicts later in the process that would necessitate activating the dispute resolutionmechanism. This includes the introduction of a “Summary of key issues” which the lead DPA must share with the other DPAs concerned early-on in the procedure (i.a., the main relevant facts of the case, a prelimi- nary indication of the facts of the scope of the in- vestigation, the identification of the relevant complex legal and technological assessments …). Although this chapter of the GDPR Enforcement Regulation is focused on the cooperation between DPAs, the regulation does foresee a “right” to be heard by the complainant, and the party under in- vestigationbefore the issuance of a reviseddraft de- cision by the lead DPA, irrespective of the usefulness or relevance of the complainant’s views (unlike in the original draft). The most notable addition when compared to the initial proposal is the addition of a time limits in order to force the lead DPA to respond to requests by other DPAs as well as to provide them with a draft decision in relation to the complaint forwhich the lead DPA confirmed its competence to ensure, according to the recitals of the regulation, that the procedure progresses and concludes within a rea- sonable time. These time limits shall be “considered” in view of determining whether the proceedings were con- cluded in a reasonable timeframe, which becomes relevant where the entity under investigation wishes to claima breach of their fundamental right to an effective judicial remedy. Early resolution and simple(r) cooperation In the final version of the GDPR Enforcement Reg- ulation, the DPAs involved with a complaint re- garding data subject rights (e.g., a right of access or right to be forgotten) may formally close the case if it is satisfied that the alleged infringement has been brought to an end, thus depriving the compliant fromany purpose. The data subject may still forman objection to such early resolutionwithin4weeks, forcing theproceed- ings to formally continue. Itmay therefore beuseful for controllers in such litigious setting to tryand for- malise a settlement with the data subject in order to preclude such objection being raisedwith theDPA. Thefinal versionalso features a“simple cooperation procedure”, designed for cases where the scope of the investigation is clear and not sufficiently com- plex as tomerit additional cooperation between the leadDPA and the others. This may be proposed by the lead DPA and will apply unless an objection is raised by another DPA. Rights of parties under investigations Theparties under investigation, i.e., data controllers and data processors suspected of breaching their obligations under GDPRwill obtain under the reg- ulationadditional rights toaccess the administrative filepreparedby the leadsupervisoryauthority, con- taining any and all information on a case, both in- culpatory and exculpatory, safe communications with the complainant.Withaviewto respecting the right to fair and impartial proceedings, parties under investigationwill benefit from the right to be heard at key stages in the procedure. Inaddition, theparties under investigationmay for- mulate confidentiality claims in order to restrict the access to confidential information (including i.a. trade secrets), notably vis-à-vis the complainant whowill receive access toanon-confidential version of the preliminary findings. Contrary to the proposal, the final version stream- lined the access to the administrative file regarding the article 60 GDPR cooperation mechanism with an explicit reservation that it iswithout prejudice to more favourable rules providedunder national law of the leadDPA. In terms of confidentiality, thefinal version also excludes from this administrative file to be accessed by the entity under investigation the correspondence between the DPAs, as well as any informationconsideredconfidential innatureby the leadDPA and resulting from its national law. The role of the complainant remains arguably lim- ited in the proceedings, as it does not enjoy the right to be heard to the same level as the party under in- vestigation. Interestingly, the statement that the in- vestigationbyaDPA “doesnotconstituteanadversarial procedure between the complainant and the parties under investigation” has been deleted in the final version. New GDPR procedural rules published