Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

65 articles found · #cybersecurite

CSSF — DORA: ICT register due March 31, 2026; inventory is critical

The CSSF opened the DORA ICT register collection with stricter validations. Without an automated, reliable inventory/CMDB, submissions risk rejection and supply chain blind spots remain.

ILR — NIS 2 incident notification: 24h to alert, your SOC must deliver

In June 2026, the ILR released a “NIS 2 incident notification” guide: early warning within 24h, notification at 72h, and a final report within 1 month. Here’s the SIEM/SOC stack to achieve this without panic.

CSSF — Ivanti EPMM: RCE exploited, mandatory DORA notification

On 10 February 2026, the CSSF warned of two actively exploited Ivanti EPMM RCEs (CVE‑2026‑1281/1340) and reminded firms that this constitutes a major ICT incident to notify (Circulars 25/893 and 24/847).

BSI v2.0 “Logging and Detection”: What It Changes for Your Logs and SIEM

In April 2026, BSI released v2.0 of its minimum standard “Protokollierung und Detektion.” Here’s how to align logging, detection, and investigation with NIS 2 and DORA, and meet ILR/CSSF expectations.

ENISA publishes its Cybersecurity Exercise Methodology (16 Feb 2026)

ENISA releases a comprehensive methodology and toolkit to design and run cyber exercises. Here is how to align it with DORA (Art. 24) and NIS 2 for robust compliance evidence.

UniCredit Romania: €12k GDPR fine — preventing misdirected emails

On 29 May 2026, Romania’s ANSPDCP fined UniCredit Bank SA for security shortcomings (Art. 32) and late breach notification (Art. 33) after mailings to wrong recipients. Here is practical DLP that prevents this and evidences compliance.

NIS 2 Luxembourg: 9 days to ILR self‑registration

Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.

ANSSI — ReCyF: Microsegmentation as a key NIS 2 control

ANSSI’s ReCyF (March 17, 2026) details concrete NIS 2 measures. Network microsegmentation limits lateral movement, protects sensitive environments, and streamlines evidence of compliance.

NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)

Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.

Charter/Spectrum: vishing, Entra, Salesforce — FIDO2 MFA as the GDPR/NIS2 countermeasure

ShinyHunters allegedly vished a Charter/Spectrum employee, took over a Microsoft Entra account, and exfiltrated Salesforce data. Phishing‑resistant MFA (FIDO2/WebAuthn) meets GDPR Art. 32 and blocks the initial access.

CSSF 26/906: governance and DORA-grade immutable backups by June 30

CSSF 26/906 requires PSPs/EMIs to reassess governance and risk management by 30 June 2026. Immutable, isolated backups are the DORA-proof of ransomware resilience.

European Commission cloud attack — CSPM as a key control under CSSF 22/806

On March 27, 2026, the European Commission confirmed an intrusion and data exfiltration affecting Europa.eu’s cloud infrastructure. How CSPM meets CSSF 22/806 requirements and prevents such scenarios.

Page 1 / 6 Older →