Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
65 articles found · #cybersecurite
CSSF — DORA: ICT register due March 31, 2026; inventory is critical
The CSSF opened the DORA ICT register collection with stricter validations. Without an automated, reliable inventory/CMDB, submissions risk rejection and supply chain blind spots remain.
ILR — NIS 2 incident notification: 24h to alert, your SOC must deliver
In June 2026, the ILR released a “NIS 2 incident notification” guide: early warning within 24h, notification at 72h, and a final report within 1 month. Here’s the SIEM/SOC stack to achieve this without panic.
CSSF — Ivanti EPMM: RCE exploited, mandatory DORA notification
On 10 February 2026, the CSSF warned of two actively exploited Ivanti EPMM RCEs (CVE‑2026‑1281/1340) and reminded firms that this constitutes a major ICT incident to notify (Circulars 25/893 and 24/847).
BSI v2.0 “Logging and Detection”: What It Changes for Your Logs and SIEM
In April 2026, BSI released v2.0 of its minimum standard “Protokollierung und Detektion.” Here’s how to align logging, detection, and investigation with NIS 2 and DORA, and meet ILR/CSSF expectations.
ENISA publishes its Cybersecurity Exercise Methodology (16 Feb 2026)
ENISA releases a comprehensive methodology and toolkit to design and run cyber exercises. Here is how to align it with DORA (Art. 24) and NIS 2 for robust compliance evidence.
UniCredit Romania: €12k GDPR fine — preventing misdirected emails
On 29 May 2026, Romania’s ANSPDCP fined UniCredit Bank SA for security shortcomings (Art. 32) and late breach notification (Art. 33) after mailings to wrong recipients. Here is practical DLP that prevents this and evidences compliance.
NIS 2 Luxembourg: 9 days to ILR self‑registration
Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.
ANSSI — ReCyF: Microsegmentation as a key NIS 2 control
ANSSI’s ReCyF (March 17, 2026) details concrete NIS 2 measures. Network microsegmentation limits lateral movement, protects sensitive environments, and streamlines evidence of compliance.
NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)
Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.
Charter/Spectrum: vishing, Entra, Salesforce — FIDO2 MFA as the GDPR/NIS2 countermeasure
ShinyHunters allegedly vished a Charter/Spectrum employee, took over a Microsoft Entra account, and exfiltrated Salesforce data. Phishing‑resistant MFA (FIDO2/WebAuthn) meets GDPR Art. 32 and blocks the initial access.
CSSF 26/906: governance and DORA-grade immutable backups by June 30
CSSF 26/906 requires PSPs/EMIs to reassess governance and risk management by 30 June 2026. Immutable, isolated backups are the DORA-proof of ransomware resilience.
European Commission cloud attack — CSPM as a key control under CSSF 22/806
On March 27, 2026, the European Commission confirmed an intrusion and data exfiltration affecting Europa.eu’s cloud infrastructure. How CSPM meets CSSF 22/806 requirements and prevents such scenarios.