Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

53 articles found · #nis-2

European Commission cloud attack — CSPM as a key control under CSSF 22/806

On March 27, 2026, the European Commission confirmed an intrusion and data exfiltration affecting Europa.eu’s cloud infrastructure. How CSPM meets CSSF 22/806 requirements and prevents such scenarios.

AEPD fines Yoti €950,000 — Automated DPIA becomes essential

On March 10, 2026, the AEPD fined Yoti €950,000 for unlawful biometrics, invalid consent and excessive retention. A tooled, automated DPIA is now key to reduce risk and evidence GDPR compliance.

Outsider Enterprise dismantled: urgent need for phishing‑resistant FIDO2 MFA

FBI, Google, and Black Lotus Labs dismantled “Outsider Enterprise,” a PhaaS linked to >1M URLs and ≈$1.9B in losses. Why FIDO2/WebAuthn MFA is now the “appropriate measure” under GDPR Article 32.

Novo Nordisk rejects $25M after 1.3 TB data theft

On June 16, 2026, FulcrumSec claimed to have stolen over 1 TB from Novo Nordisk and demanded $25M. The company confirmed a June 11 incident, is investigating, and did not pay.

FortiBleed: 73,932 Fortinet firewalls exposed — FIDO2 is now mandatory

FortiBleed exposed ~74,000 Fortinet firewalls/VPNs via stolen and reused credentials. Phishing-resistant MFA (FIDO2/WebAuthn) meets GDPR Article 32 and blocks initial access.

France Travail fined €5M: GDPR Article 32 moves from theory to audit

The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.

Foxconn hit by Nitrogen: 8 TB stolen — PAM becomes non-negotiable

On 13/05/2026, Foxconn confirmed an attack claimed by Nitrogen: 8 TB and 11M+ files stolen, with slowdowns at North American plants. A zero-trust PAM meets NIS 2 art. 21 and severs admin access that enables such attacks.

Shai-Hulud: supply-chain token theft — why FIDO2 MFA is non-negotiable

Zscaler documents “Shai-Hulud”: GitHub/npm/PyPI compromises, OIDC abuse, and public IOCs. Phishing-resistant FIDO2/WebAuthn MFA addresses GDPR Article 32 and blocks initial access.

AUR compromised: 400+ Arch Linux packages push an eBPF rootkit

On June 12, 2026, over 400 AUR packages were used to distribute an infostealer with an eBPF rootkit. Here’s how an EDR/XDR stack helps detect it quickly and meet NIS 2 and DORA requirements.

ILR — NIS 2 Incident Notification: 24h to alert

On 5 May 2026, Luxembourg transposed NIS 2. ILR released guidance with a 24h early warning, 72h notification and a 1‑month final report. Here is how a managed SOC/SIEM helps meet these milestones calmly.

CSSF 25/880 — the 2026 PSP ICT Assessment requires continuous VM

The CSSF opened the 2026 “PSD2 – PSP ICT Assessment” campaign: every PSP must submit an up‑to‑date ICT risk assessment via eDesk. Continuous vulnerability management aligns with NIS 2 Art. 21 and DORA Arts. 25–27.

RUAG pays a ransom to Akira: red alert for executive boards

On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.

← Newer Page 2 / 5 Older →