Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
65 articles found · #cybersecurite
ILR — NIS 2 Incident Notification: 24h to alert
On 5 May 2026, Luxembourg transposed NIS 2. ILR released guidance with a 24h early warning, 72h notification and a 1‑month final report. Here is how a managed SOC/SIEM helps meet these milestones calmly.
CSSF 25/880 — the 2026 PSP ICT Assessment requires continuous VM
The CSSF opened the 2026 “PSD2 – PSP ICT Assessment” campaign: every PSP must submit an up‑to‑date ICT risk assessment via eDesk. Continuous vulnerability management aligns with NIS 2 Art. 21 and DORA Arts. 25–27.
Council of State (13/02/2026): Pseudonymization ≠ Anonymization — DLP and GDPR Transfers
France’s Council of State confirms: “pseudonymized” health data remain personal if re-identifiable. Here’s how strong DLP secures flows and compliance with GDPR Articles 32 and 44–49.
Stryker: mass device wipe — why immutable, isolated backups are vital
After the remote wipe of tens of thousands of Stryker devices, immutable and isolated backup architecture is essential to recover quickly and demonstrate DORA compliance.
Unimed (DE): 72,000+ patient files stolen — DLP, Article 32 and GDPR transfers
In mid‑April 2026, outsourcer Unimed had 72,000+ patient records stolen. Here is a concrete DLP stack to prevent exfiltration and demonstrate compliance with GDPR Article 32 and cross‑border transfers (Arts. 44‑49).
VG Düsseldorf clarifies email: TLS may suffice, no default E2E
On 02/04/2026, the VG Düsseldorf ruled that under GDPR Art. 32, email does not require default E2E: transport encryption (TLS) may suffice based on risk.
SMEs under NIS 2: defensive AI more effective and cheaper than a classic SOC
Classic antivirus, EDR and SIEM miss the 0-day and the attack that diverts legitimate tools. An on-premise defensive AI that reasons on behaviour rather than signatures detects those unknown attacks, reacts in under 30 seconds and costs a fraction of a traditional SOC. Demonstrated on a concrete case, minute by minute.
ANSSI risk analysis on encryption: actions for GDPR Art. 32 and CSSF 22/806
On 27/05/2026, ANSSI released an encryption risk analysis. This article turns the guidance into an at‑rest and in‑transit architecture aligned with GDPR Art. 32 and CSSF 22/806, including a post‑quantum roadmap.
Microsoft: cryptominer via SEO/AI — EDR/XDR and NIS 2 in action
Microsoft disclosed an active cryptomining campaign spread via SEO poisoning and AI recommendations. Here’s how an EDR/XDR stack detects, contains, and evidences compliance with NIS 2 and DORA.
Magecart 1×1 SVG skimmer on Magento: DLP and GDPR compliance
Sansec reveals a credit-card skimmer hidden in a 1×1 SVG targeting ~100 Magento stores, exfiltrating to 23.137.249.67. Here’s how well‑tuned DLP addresses GDPR Articles 32 and 44‑49.
Charter: 4.9M emails exposed — phishing‑resistant MFA is now essential
A vishing attack abused a Microsoft Entra account to exfiltrate customer data from Salesforce. FIDO2/WebAuthn MFA is now the state of the art expected by GDPR Article 32.
French Council of State 2026 — Health Data Hub: DLP impact and EU transfers
The French Council of State (20/03/2026) upholds CNIL’s authorization for Health Data Hub on Microsoft Ireland in France and confirms no transfers outside the EU. A well‑configured DLP proves and enforces these flow limits technically.