Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
65 articles found · #cybersecurite
ILR — NIS 2 guidelines for governing bodies (17/02/2026)
ILR reiterates the 24‑hour early warning via SERIMA, then 72 hours and 1 month. See how a managed SOC/SIEM helps meet NIS 2 deadlines without stress.
Tycoon 2FA: device code campaign bypasses Microsoft MFA
On May 12, 2026, eSentire detailed a Tycoon 2FA campaign abusing the OAuth Device Code flow to steal tokens without passwords. Why phishing-resistant FIDO2/WebAuthn MFA is required to meet GDPR Article 32.
French Supreme Court (Mar 5, 2026) reshapes qualified e-signatures
Since March 5, 2026, only a Qualified Electronic Signature (QES) shifts the burden of proof. How to evidence QTSP, QSCD and LTV to secure contracts and compliance.
West Pharmaceutical (4 May 2026): why immutable, isolated backups are vital (DORA)
On 4 May 2026, West Pharmaceutical suffered a ransomware attack with data theft and encryption, halting manufacturing and shipping. Here is the backup architecture that prevents prolonged outages and meets DORA.
Instructure/Canvas: 275M users at risk — 24/7 SOC to meet NIS2 Art. 23
ShinyHunters breached Instructure/Canvas, threatening up to 275M records. How a managed SOC/SIEM enables 24h qualification and ILR notification under NIS2 Art. 23.
ENISA 2026: Exercise Methodology to Operationalize DORA Article 24
ENISA releases a cybersecurity exercise methodology with ready-to-use kits. In practice: DORA Article 24–aligned tabletop tests to speed decision-making and reduce ransomware impact.
FlowerStorm (KrakVM) evades email filters and the NIS 2 stakes
The FlowerStorm phishing kit runs obfuscated JavaScript in KrakVM to intercept MFA. Here is how an email gateway, DMARC/SPF/DKIM, and a 24/7 SOC help meet NIS 2 in Luxembourg.
CSSF — Circular 25/893: tightened ICT alerting and reporting under DORA
The CSSF tightens ICT incident classification and notification under DORA via eDesk. Here is how an EDR/XDR stack enables timely detection, qualification, and reporting with harmonized deadlines.
CSSF 25/883 amends 22/806: continuous cloud oversight
On 9 April 2025, the CSSF adjusted 22/806 via 25/883 to align ICT outsourcing with DORA. Here’s how a robust CSPM prevents cloud leaks and demonstrates compliance.
ChipSoft ransomware: why immutable, isolated backups are non-negotiable
The ChipSoft (HiX) attack disrupted hospital services and exposed data. Here’s how immutable backups and an isolated backup network meet DORA/NIS 2 and prevent prolonged outages.
Okta/SSO hit by vishing: how FIDO2 blocks MFA bypass
In January 2026, Okta/Entra accounts were breached via vishing and AiTM proxies capturing OTP/push in real time. Phishing-resistant FIDO2/WebAuthn meets GDPR Article 32 requirements.
AZ Monica crippled by ransomware: why immutable backups matter
Belgium’s AZ Monica hospital shut down its servers after a cyberattack. Here’s how immutable, isolated backups enable fast recovery aligned with DORA/NIS 2.