Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

14 articles found · #nis-2 · Veille Luxgap

Italy: €100,000 fine against Lepida over LepidaID shortcomings

Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.

NIS 2 Luxembourg: 9 days to ILR self‑registration

Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.

ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations

Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.

Novo Nordisk rejects $25M after 1.3 TB data theft

On June 16, 2026, FulcrumSec claimed to have stolen over 1 TB from Novo Nordisk and demanded $25M. The company confirmed a June 11 incident, is investigating, and did not pay.

RUAG pays a ransom to Akira: red alert for executive boards

On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.

Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h

A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by June 11, 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.

ENISA updates crypto mechanisms: public review open until July

ENISA opens the public consultation of ACM v3 until the end of July 2026. Companies can comment on suites and key sizes that will guide EUCC and the European security “state of the art.”

WFP Gaza: warning for your enrollment portals (600,000 households)

On 2 June 2026, the WFP confirmed its self‑registration app in Palestine was compromised: data of ~600,000 Gaza households (names, IDs, mobiles, location) exfiltrated. Breach dated 14 May.

Dashlane: fewer than 20 vaults copied — lessons from a 2FA attack

On May 31, 2026, a brute-force campaign targeting 2FA allowed attackers to copy encrypted Dashlane vaults from “fewer than 20” users. Here’s what this means for your IAM controls and GDPR/NIS 2 obligations.

NIS 2 audit: method, pitfalls and quality criteria for measures

7-phase NIS 2 audit method, the 5 most common pitfalls, and the 6-criteria grid to distinguish a real SOC from a marketing product. For the 1,200+ Luxembourg entities concerned.

NIS 2 Luxembourg: 5 May 2026 law published, ILR self-registration window until 10 July 2026

Luxembourg's 5 May 2026 law transposing the NIS 2 directive entered into force on 10 May. Essential and Important Entities must self-register with the ILR by 10 July 2026.

Qilin claims cyberattack on Exclusive Networks

The Qilin ransomware group claims it compromised Exclusive Networks, a major European cybersecurity distributor. Claimed in late April 2026; supply-chain risk for customers in Luxembourg.

Page 1 / 2 Older →