Senior Associate

Thomas Dubuisson

Languages

French
English
Dutch
Spanish

Social media

Thomas specialises in data protection (GDPR), intellectual property (IP), artificial intelligence (AI), technology, and cybersecurity. His experience, for multinational corporations, innovative startups, and public sector entities, includes both contentious and non-contentious matters in these areas. He has also conducted various due diligence reviews for M&A transactions involving technology-driven investments. Additionally, Thomas is acting as an external Data Protection Officer (DPO) for various clients across multiple sectors.

He holds an LL.M. degree from Maastricht University in the Netherlands and The George Washington University in the United States. This dual qualification provides him with a comprehensive understanding of both civil and common law systems. He further honed his skills through traineeships at the major IP institutions, namely the EU Intellectual Property Office (EUIPO), the EU Patent Office (EPO) and the World Intellectual Property Organisation (WIPO).

Thomas is a key member of CMS Belgium’s Tech&Data team, recognised by Legal500 and International Chambers Directory as one of the leading practices (Tier 1/Band 1) for privacy and data protection in Belgium. Since 2021, Legal500 has consistently recognised Thomas as a key lawyer in EU Privacy and Data Protection, particularly for data-related litigation. The latest Legal500 edition specifically highlights Thomas for his “strong specialisms in data protection, cybersecurity, AI and broader digital regulation”.

He is also a member of the EU Incubator of the Brussels Bar and of the CMS Belgium AI Group, positioning him at the forefront of legal innovation in technology and data protection.

He is also a regular speaker at client-focused events and international conferences, including the “AI Legal Summit” in Brussels (2025 and 2026 editions), where he addressed the key known and unknown risks of deploying AI and the copyright implications of AI training. Recently, he has been appointed as a professor within the Brussels Bar School program, where he will be teaching 2 courses on AI: “Introduction to Artificial Intelligence” and “Advanced AI for legal professionals”.

Thomas is a prolific writer, contributing numerous articles to the press (e.g. Echo, Trends) and legal journals (e.g. European Data Protection Law Review, Revue Expertises des systèmes d’information – Droit, technologies et prospective).

Thomas has an extensive knowledge in the following areas:

Privacy and data protection
Artificial intelligence (AI)
IT and data-related litigation
Intellectual property
Cybersecurity (e.g. NIS2 Directive, Cyber Resilience Act (CRA))
Data-related legislation (e.g. GDPR, Data Act (DA))
Data breaches and cyberattacks
Technology law

Publications

Thomas has contributed to prestigious publications.

In January 2025, Thomas Dubuisson published an article in the journal European Data Protection Law Review (EDPL) on the interaction between the GDPR and the EU regulation on artificial intelligence, based on the guidelines of the Belgian Data Protection Authority.

In December2024, Thomas Dubuisson authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, providing crucial insights into ensuring compliance with data protection laws in the evolving landscape of AI technologies.

In October 2023, Thomas Dubuisson and Tom De Cordier authored an article in the “Revue Expertises des systèmes d’information – Droit, technologies et prospectives” Law Review, exploring the implications of the Data Act. Their article delves into the legal, technical, and financial challenges that this regulatory framework is poised to present to a wide spectrum of economic stakeholders.

In August 2021, Thomas contributed, together with other lawyers, to the Belgian chapter of the book "Law of Raw Data", published by Wolters Kluwer. This book gives an overview of the legislation on raw data around the world. For more information click here.

In October 2021, Thomas published an article in the European Data Protection Law Review (EDPL) on new policies on GDPR infringement aspects and litigation before the Belgian Data Protection Authority.

Thomas also publishes numerous articles in the press and on our CMS.law website:

DUBUISSON (T.), “Un avocat condamné pour avoir remis des conclusions fantaisistes rédigées par l’intelligence artificielle”, Interview in RTBF, 25 December 2025, available here.
DE CORDIER (T.), DUBUISSON (T.), et al., “The EU Digital Omnibus: Consolidation, Simplification and Realignment Across the EU’s Digital Rulebook”, 22 December 2025, available here.
DUBUISSON (T.), UYTTERS (M.), et al., “Cyber-fraud and banking vigilance: French case law and lessons for Belgium”, 31 October 2025, available here.
DE CORDIER (T.), DUBUISSON (T.), et al., “EU Cybersecurity Month: Protecting your business from investment fraud”, 16 October 2025, available here.
VAN DEN BRANDE (S.), DUBUISSON (T.), et al., “AIPPI 2025 – Study Question. Copyright and Artificial Intelligence”, Ing.-Cons., 2025/2, 4 September 2025, p. 274-326, available here.
DE CORDIER (T.), DUBUISSON (T.), et al., “Decoding the NIS2 Directive: Practical guidelines from the EU Agency for Cybersecurity on NIS2 risk management and skills”, 21 August 2025, available here.
DE CORDIER (T.), DUBUISSON (T.), “Launch of new portal for data breach notification by the Belgian Data Protection Authority”, 17 June 2025, available here.
DE CORDIER (T.), DUBUISSON (T.), “CMS GDPR Enforcement Tracker Report”, 23 May 2025, available here
DE CORDIER (T.), DUBUISSON (T.), “Avec moins de 50 amendes en sept ans, le raz-de-marée de sanctions en lien avec le RGPD n'a pas eu lieu”, Interview in l’Echo, 22 May 2025, available here
DE CORDIER (T.), DUBUISSON (T.), et al., “The comeback is on: how the EU plans to reclaim digital sovereignty”, 29 April 2025, available here
DUBUISSON (T.), “Rançongiciel : un hôpital sanctionné pour manquement à la sécurité de ses données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 510, March 2025, available here
DUBUISSON (T.), “Deepseek AI - What is it and what do legal teams need to know about it?”, 25 February 2025, LexisNexis, available here
DE CORDIER (T.), DUBUISSON (T.), et al., “Should privacy professionals take on AI governance roles?”, 11 February 2025, available here
DE CORDIER (T.), DUBUISSON (T.), “Is the EU-U.S. Data Privacy Framework in danger”, 28 Jan. 2025, available here
DUBUISSON (T.), “Belgium – AI under the microscope of the GDPR: the Belgian Data Protection Authority deciphers the challenges of data protection in the development and use of AI”, European Data Protection Law Review, Volume 10 (2024), Issue 4, Jan. 2025, available here
DE CORDIER (T.), DUBUISSON (T.), “Compulsory or optional? AI literacy a central component of compliance with AI Act”, 18 December 2024, available here
DUBUISSON (T.), “L’IA sous la loupe du RGPD”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 507, December 2024, available here
DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Resilience Act comes into effect on 10 December”, 03/12/2024, available here
DE CORDIER (T.), DUBUISSON (T.), “EU’s NIS 2 enters into force: compliance is now mandatory”, 22/10/2024, available here
DE CORDIER (T.), DUBUISSON (T.), “The Belgian Data Protection Authority publishes an informative brochure on artificial intelligence systems and the GDPR”, 25/09/2024, available here
DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), and Co., “News from the CJEU on GDPR compensation”, 02/02/2024, available here
DUBUISSON (T.), “Corporate Disputes - Ransomware and data privacy: class action litigation”, Financier Worldwide Magazine, Jan-Mar 2024 issue, 01/2024, available here
DE CORDIER (T.), DUBUISSON (T.), DOBBELAERE (D.) and DE PAUW (V.), « With EU Cyber Resilience Act, EU gets tough on IoT supply chain cybersecurity », 13/12/23, available here
DE CORDIER (T.), DUBUISSON (T.), “How to draft an AI policy?” 23/10/2023, available here
DUBUISSON (T.), “Phishing : Votre employé est-il responsable ?”, Trends-Tendances, 19/10/2023, available here
DUBUISSON (T.), “Un cybercriminel m’a contacté par e-mail, SMS, téléphone et j’ai malheureusement partagé mes informations personnelles. Que puis-je faire ?”, La Libre Belgique, 16/10/2023, available here
DUBUISSON (T.), “EU Cybersecurity Month: The looming threat of a single phishing click to your business”, 09/10/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Règlement sur les données (Data Act) : Un pas décisif vers une société fondée sur les données”, Revue Expertises des systèmes d'information – Droit, technologies et prospectives, n° 494, October 2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Summer Snapshot: Tech and Data Highlights You Might Have Missed”, 11/09/2023, available here
DUBUISSON (T.), "Data Protection and Privacy" (Belgium), InDepth Features, Financier Worldwide, 13/07/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Adequacy decision on EU-US Data Privacy Framework adopted”, 10/07/2023, available here;
DE CORDIER (T.), DUBUISSON (T.), “The GDPR turns 5 | Europe-wide analysis reveals data protection fines totaling EUR 2.7 billion in over 1,500 cases”, 23/05/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “The Belgian Whistleblowing Act enters into force. What do you need to know regarding data protection?”, 15/02/2023, available here
DE CORDIER (T.), DUBUISSON (T.), “Happy Data Protection Day! What’s on the horizon for 2023?”, 27/01/2023, available here
DE CORDIER (T.), DUBUISSON (T.), « Les cybercriminels vont-ils profiter du succès de ChatGPT pour tromper votre entreprise? », l’Echo, 23/01/2023, available here
DE CORDIER (T.), DUBUISSON (T.), « Quelle stratégie adopter face aux attaques par rançongiciel? », l’Echo, 11/01/2023, available here
DUBUISSON (T.), FONTEYN (B.), “Belgian DPA again clarifies the right of access to medical records”, 20/12/2022, available here
DUBUISSON (T.), HEREMANS (T.), “The Digital Services Act has entered into force: Here's a quick recap”, 25/11/2022, available here
DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: mobile devices can pose a risk to your business”, 20/10/2022, available here
DOMOKOS (M.), DUBUISSON (T.), HORVATH (K.), PETRANYI (D.), “European Commission proposes new Cyber Resilience Act”, 12/10/2022, available here
DE VISSCHER (F.), DUBUISSON (T.), MARIANO (M.), JANSSENS (M-C.), VAN DE GEHUCHTE (T.), Moral rights in « Les travaux de l’AIPPI », Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2022/2 - 1 septembre 2022, p. 297-324.
DE GRAAF (E.), DUBUISSON (T.), “How to handle your (ex)-employees’ health data? The BDPA provides new guidelines regarding manager’s communication”, 08/08/2022, available here
DUBUISSON (T.), FONTEYN (B.) “Belgian DPA clarifies the interaction between Belgian Patient's Rights Law and GDPR”, 13/07/2022, available here
DE CORDIER (T.), DUBUISSON (T.), “Another cookie enforcement case: Belgian privacy watchdog reconfirms cookie consent rules”, 31/01/2022, available here
DE CORDIER (T.), DUBUISSON (T.), “Éradiquer le fléau des ransomware en interdisant le paiement des rançons?”, l’Echo, 23/11/2021, available here
DUBUISSON (T.), “Data Protection Authority Provides New Policies on GDPR Infringements and Litigation Proceedings Aspects”, 15/10/2021, European Data Protection Law Review, 2021/3, p. 435-449
Van den Brande (S.), Lens (S.), Dubuisson (T.), Lhote (A-N.), Meyer (G.), Law of Raw Data, Belgium chapter, Kluwer Law International, 2021, available here
DE CORDIER (T.), DUBUISSON (T.), “EU Cybersecurity Month: Hybrid working makes phishing attacks harder to spot”, 13/10/2021, available here
DE CORDIER (T.), DUBUISSON (T.), “Summer legal recap of data protection law”, 3/09/2021, available here
DE CORDIER (T.), DUBUISSON (T.), “EU finally adopts new data transfer clauses”, 09/06/2021 available here
DE CORDIER (T.), DUBUISSON (T.), “EU Court of Justice clarifies concept of “informed consent” for collection of personal data”, 17/11/2020, available here
DUBUISSON (T.), « Télétravail et cybersécurité : vos employés sont-ils bien formés ? »,Trends Tendances, 12/11/2020, available on Linkedin
DUBUISSON (T.), “Que faire en cas de chantage à la pornographie ?”, 03/11/2020, available on Linkedin
DE CORDIER (T.), DUBUISSON (T.), “EU Cyber Security Month: learn how multi-factor authentication can protect your company's most valuable assets”, 29/10/2020, available in The Wire
DUBUISSON (T.), Simonart (B.), “How to handle your ex-employees’ mailboxes? The Belgian Data Protection Authority provides guidelines and a EUR 15,000 fine”, 23/10/2020, available here
DUBUISSON (T.), “Le « revenge porn » (vengeance pornographique) est désormais dans le Code pénal !” 25/08/2020, available on Linkedin
DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “Schrems strikes again: EU-US Privacy Shield invalid; Standard Contractual Clauses upheld but due diligence required”, 17/07/2020, available here
DUBUISSON (T.), Van den Brande, S., de Visscher, F., Lens, S., Vandewynckel, S., Anne Namalie Lhote and Meyer, G., Rights in Data in « Les travaux de l'AIPPI », 19/05/2020, Revue de droit intellectuel - L'ingénieur conseil / Tijdschrift intellectuele eigendom, 2020/2, p.360-395
DE CORDIER (T.), DUBUISSON (T.), “Belgian Data Protection Authority provides new guidance on cookies”, 25/05/2020, available here
DE CORDIER (T.), DUBUISSON (T.), “Deadline approaching for notifying CCTV cameras to Belgian police”, 14/05/2020, available here
DE CORDIER (T.), DUBUISSON (T.), “Belgian DPA publishes new detailed guidelines on direct marketing”, 14/02/2020, available here
DE CORDIER (T.), DUBUISSON (T.), VAN DAELE (J.), “EU Advocate-General opinion hints Europe’s top court is unlikely to disrupt international data flows in pending decision”, 20/12/2019, available in The Wire
DUBUISSON (T.), “L'employé est-il responsable lorsqu’il mord au “phishing””, 28/11/2019, Trends Tendances, available on Trends
DE CORDIER (T.), DUBUISSON (T.),” EU Cybersecurity Month: When a simple phishing click can severely harm your company”, 10/10/2019, available here
DE CORDIER (T.), DUBUISSON (T.), “Time to update your cookie consent and policy! CJEU says preticked checkboxes are not valid”, 02/10/2019, available here
DE CORDIER (T.), DUBUISSON (T.), “Using social plug-ins on your website? You and the social network will be jointly liable for the data processing”, 31/07/2019, available here
DE CORDIER (T.), DUBUISSON (T.), “First Belgian GDPR sanction: DPA fines mayor EUR 2,000”,31/05/2019, available here
DE CORDIER (T.), DUBUISSON (T.), "EU Advocate General gives Internet cookie opinion that could impact data privacy regs”, 02/04/2019, available here
DE CORDIER (T.), DUBUISSON (T.), GORIS (A-M), “Belgium's privacy watchdog publishes guidance on the notions of controller and processor”, 17/01/2019, available here

Memberships & Roles

Member of the International Association of Privacy Professionals (IAPP)
Member of the Belgian National Association for the Protection of Industrial Property (ANBPPI / BNVBIE)
Member of the International Association for the Protection of Intellectual Property (AIPPI)

Lectures list

Thomas is a frequent speaker at conferences in his fields of interest, such as:

The Royal Academy of Belgium and the French Bar Association of Brussels, “Will AI Replace Judges and Lawyers?” (April 8, 2026)
AI Legal Summit 2026, “AI training and copyright: Navigating the global copyright crisis” (18-19 February, 2026)
EU Commission LITEL project: “How to draft an AI policy?” (4 and 5 December 2025)
Brussels Bar School program: “Introduction to Artificial Intelligence” and “Advanced AI for legal professionals” (September 2025 - June 2026)
CMS webinar: “Decoding the definition of AI system under the AI Act” (10 June 2025)
European Company Lawyers Association (ECLA), “AI systems in the context of the AI Act” (30 April 2025)
AI Legal Summit 2025, “What are the biggest known and unknown risks associated with integrating AI into our law practice and operations? How can we proactively address and mitigate these potential threats?” (27-28 February, 2025)
Luxembourg House of Cybersecurity – « Retour de 12 mois de réponse à incident par le team CSIRT d’Excellium – Panorama des types d’incidents et principaux enseignements à retenir » (18th October 2022)
New York University (NYU) "Cybersecurity, An International & Commercial Perspective" (14th July 2022)
"Lutte contre le blanchiment / Les défis du Compliance Officer : Le RGPD souffle ses 6 bougies. Tant de choses à accomplir (encore) ?" (31st May 2022)

Education

2015 - Bar admission (Brussels, Belgium)
2012 - George Washington University Law School - United States of America (LL.M in Intellectual Property Law)
2011 - Maastricht University - Netherlands (LL.M in Intellectual Property Law and Knowledge Management)
2010 - University of Louvain, UCLouvain - Belgium (Law Degree)

Practice Areas

Intellectual Property Commercial Law

sectors

TMC - Technology, Media & Communications

Insights by Thomas

See all Insights

Publication International

The EU Digital Omnibus

22 Dec 2025 9 min read

Legal Update Belgium

Cyber-fraud and banking vigilance: French case law and lessons for Belgium

30 Oct 2025 8 min read

Legal Update Belgium

EU Cybersecurity Month: Protecting your business from investment fraud

16 Oct 2025 5 min read

Legal Update Belgium

Decoding the NIS2 Directive: Practical guidelines from the EU Agency for Cybersecurity on NIS2 risk management and skills

20 Aug 2025 5 min read

Select your region

Thomas Dubuisson

Languages

Social media

Publications

Memberships & Roles

Lectures list

Education

Practice Areas

sectors

Insights by Thomas

The EU Digital Omnibus

Cyber-fraud and banking vigilance: French case law and lessons for Belgium

EU Cybersecurity Month: Protecting your business from investment fraud

Decoding the NIS2 Directive: Practical guidelines from the EU Agency for Cybersecurity on NIS2 risk management and skills