Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

58 articles found · #solution

FICOBA: 1.2M accounts exposed — IAM and least privilege

A compromised high-privilege account enabled access to ~1.2M FICOBA records. What happened and how least-privilege IAM addresses GDPR Art. 25 and NIS 2 Art. 21 requirements.

CNIL vs Free: €42M — why a 24/7 SOC is vital to meet NIS 2 Art. 23

After the €42M fine against Free/Free Mobile, slow detection proves costly. Under NIS 2 Art. 23, detecting and notifying within 24 hours is now an operational obligation in Luxembourg.

Google Groups abused: Lumma Stealer/Ninja Browser campaign

CTM360 warns of a campaign abusing Google Groups to deliver Lumma (Windows) and “Ninja Browser” (Linux). NIS 2-aligned controls, DMARC/SPF/DKIM, and an email security gateway are advised.

OVG NRW (20 Feb 2025): no general obligation for end-to-end encryption

OVG North Rhine-Westphalia confirms that “appropriate” encryption under GDPR Art. 32 may be limited to robust transport encryption (TLS), depending on risk. How to align legally and technically.

EDR/XDR: Continuous detection aligned with NIS 2 (Art. 21) and DORA (Art. 10)

Executives must demonstrate continuous and effective incident detection. A well‑deployed EDR/XDR stack meets NIS 2 Art. 21 and DORA Art. 10 requirements with auditable technical evidence.

Automated patching: the answer to NIS 2, Article 21

Executives must prove vulnerabilities are remediated in a timely manner. Well-configured automated patching is the safest, most auditable way to meet NIS 2 Art. 21.

Cloud CSPM: the answer to CSSF Circular 22/806 on outsourcing

To remain compliant with CSSF in 2026, moving to the cloud is not enough. A CSPM continuously proves correct configuration, monitoring, and auditability as required.

TLPT (threat‑led red team): meeting DORA Articles 26‑27

DORA requires selected financial entities to run threat‑led penetration tests on production systems. This is how a structured TLPT implementation fulfils Articles 26‑27, step by step.

Phishing‑resistant MFA (FIDO2/WebAuthn): answering GDPR Article 32

GDPR Article 32 requires state‑of‑the‑art security. Phishing‑resistant MFA with FIDO2/WebAuthn is the most robust and pragmatic way to comply without unnecessary complexity.

Immutable, isolated backups: meeting DORA on ransomware resilience

DORA requires restorable, isolated backups. Immutable backups and network isolation meet these obligations while reducing ransomware risk.

← Newer Page 5 / 5