Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
58 articles found · #solution
CSSF — DORA: ICT register due March 31, 2026; inventory is critical
The CSSF opened the DORA ICT register collection with stricter validations. Without an automated, reliable inventory/CMDB, submissions risk rejection and supply chain blind spots remain.
ILR — NIS 2 incident notification: 24h to alert, your SOC must deliver
In June 2026, the ILR released a “NIS 2 incident notification” guide: early warning within 24h, notification at 72h, and a final report within 1 month. Here’s the SIEM/SOC stack to achieve this without panic.
CSSF — Ivanti EPMM: RCE exploited, mandatory DORA notification
On 10 February 2026, the CSSF warned of two actively exploited Ivanti EPMM RCEs (CVE‑2026‑1281/1340) and reminded firms that this constitutes a major ICT incident to notify (Circulars 25/893 and 24/847).
BSI v2.0 “Logging and Detection”: What It Changes for Your Logs and SIEM
In April 2026, BSI released v2.0 of its minimum standard “Protokollierung und Detektion.” Here’s how to align logging, detection, and investigation with NIS 2 and DORA, and meet ILR/CSSF expectations.
ENISA publishes its Cybersecurity Exercise Methodology (16 Feb 2026)
ENISA releases a comprehensive methodology and toolkit to design and run cyber exercises. Here is how to align it with DORA (Art. 24) and NIS 2 for robust compliance evidence.
UniCredit Romania: €12k GDPR fine — preventing misdirected emails
On 29 May 2026, Romania’s ANSPDCP fined UniCredit Bank SA for security shortcomings (Art. 32) and late breach notification (Art. 33) after mailings to wrong recipients. Here is practical DLP that prevents this and evidences compliance.
ANSSI — ReCyF: Microsegmentation as a key NIS 2 control
ANSSI’s ReCyF (March 17, 2026) details concrete NIS 2 measures. Network microsegmentation limits lateral movement, protects sensitive environments, and streamlines evidence of compliance.
Charter/Spectrum: vishing, Entra, Salesforce — FIDO2 MFA as the GDPR/NIS2 countermeasure
ShinyHunters allegedly vished a Charter/Spectrum employee, took over a Microsoft Entra account, and exfiltrated Salesforce data. Phishing‑resistant MFA (FIDO2/WebAuthn) meets GDPR Art. 32 and blocks the initial access.
CSSF 26/906: governance and DORA-grade immutable backups by June 30
CSSF 26/906 requires PSPs/EMIs to reassess governance and risk management by 30 June 2026. Immutable, isolated backups are the DORA-proof of ransomware resilience.
European Commission cloud attack — CSPM as a key control under CSSF 22/806
On March 27, 2026, the European Commission confirmed an intrusion and data exfiltration affecting Europa.eu’s cloud infrastructure. How CSPM meets CSSF 22/806 requirements and prevents such scenarios.
Romania: €125,000 fine against Renault for security failures (GDPR Art. 32)
On 25 March 2026, Romania’s ANSPDCP fined Renault Commercial Romania (~€125,000) for GDPR Article 32 failures and processor governance. Modern DLP evidences “appropriate” measures and curbs uncontrolled data transfers.
Clinical Diagnostics (NL): gynecological records leak — GDPR-aligned DLP
After the massive leak at Clinical Diagnostics, a modern DLP aligned with GDPR (Art. 32 and 44–49) reduces exfiltration and provides the evidence authorities expect.