Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

28 articles found · #dora

DORA Art. 28: CSSF turns up the heat on the ICT dependencies register

As of 16 March 2026, only 40% of entities had filed their DORA Art. 28 register. CSSF warns: ESAs’ quality checks, potential rejections and tight resubmission windows, with a 30 June “best effort” for some branches.

Microsoft: cryptominer via SEO/AI — EDR/XDR and NIS 2 in action

Microsoft disclosed an active cryptomining campaign spread via SEO poisoning and AI recommendations. Here’s how an EDR/XDR stack detects, contains, and evidences compliance with NIS 2 and DORA.

Luxgap SealedMail: the first email server where your CIO cannot read you

Launch of SealedMail, zero-knowledge email server hosted in Luxembourg, designed for executives. End-to-end encryption with X25519 asymmetric keys. Neither IT admin nor Luxgap can read your mailboxes. Works with your usual Outlook.

West Pharmaceutical (4 May 2026): why immutable, isolated backups are vital (DORA)

On 4 May 2026, West Pharmaceutical suffered a ransomware attack with data theft and encryption, halting manufacturing and shipping. Here is the backup architecture that prevents prolonged outages and meets DORA.

ENISA 2026: Exercise Methodology to Operationalize DORA Article 24

ENISA releases a cybersecurity exercise methodology with ready-to-use kits. In practice: DORA Article 24–aligned tabletop tests to speed decision-making and reduce ransomware impact.

CSSF — Circular 25/893: tightened ICT alerting and reporting under DORA

The CSSF tightens ICT incident classification and notification under DORA via eDesk. Here is how an EDR/XDR stack enables timely detection, qualification, and reporting with harmonized deadlines.

CSSF 25/883 amends 22/806: continuous cloud oversight

On 9 April 2025, the CSSF adjusted 22/806 via 25/883 to align ICT outsourcing with DORA. Here’s how a robust CSPM prevents cloud leaks and demonstrates compliance.

ChipSoft ransomware: why immutable, isolated backups are non-negotiable

The ChipSoft (HiX) attack disrupted hospital services and exposed data. Here’s how immutable backups and an isolated backup network meet DORA/NIS 2 and prevent prolonged outages.

AZ Monica crippled by ransomware: why immutable backups matter

Belgium’s AZ Monica hospital shut down its servers after a cyberattack. Here’s how immutable, isolated backups enable fast recovery aligned with DORA/NIS 2.

CSSF: DORA takes precedence and clarifies ICT outsourcing (Apr 2025)

CSSF confirmed DORA’s primacy from 17 January 2025 and issued Circular 25/882 to govern third‑party ICT use, the Article 28 register of information, and incident notifications via eDesk.

DORA — TLPT framed by Delegated Regulation (EU) 2025/1190

The Commission clarified TLPT under DORA via Delegated Regulation (EU) 2025/1190. In Luxembourg, the CSSF is the TLPT authority: timeline, scope, and method are now clear.

EDR/XDR: Continuous detection aligned with NIS 2 (Art. 21) and DORA (Art. 10)

Executives must demonstrate continuous and effective incident detection. A well‑deployed EDR/XDR stack meets NIS 2 Art. 21 and DORA Art. 10 requirements with auditable technical evidence.

← Newer Page 2 / 3 Older →