Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
53 articles found · #nis-2
CSSF — DORA: ICT register due March 31, 2026; inventory is critical
The CSSF opened the DORA ICT register collection with stricter validations. Without an automated, reliable inventory/CMDB, submissions risk rejection and supply chain blind spots remain.
Italy: €100,000 fine against Lepida over LepidaID shortcomings
Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.
ILR — NIS 2 incident notification: 24h to alert, your SOC must deliver
In June 2026, the ILR released a “NIS 2 incident notification” guide: early warning within 24h, notification at 72h, and a final report within 1 month. Here’s the SIEM/SOC stack to achieve this without panic.
CSSF — Ivanti EPMM: RCE exploited, mandatory DORA notification
On 10 February 2026, the CSSF warned of two actively exploited Ivanti EPMM RCEs (CVE‑2026‑1281/1340) and reminded firms that this constitutes a major ICT incident to notify (Circulars 25/893 and 24/847).
BSI v2.0 “Logging and Detection”: What It Changes for Your Logs and SIEM
In April 2026, BSI released v2.0 of its minimum standard “Protokollierung und Detektion.” Here’s how to align logging, detection, and investigation with NIS 2 and DORA, and meet ILR/CSSF expectations.
DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?
On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.
ENISA publishes its Cybersecurity Exercise Methodology (16 Feb 2026)
ENISA releases a comprehensive methodology and toolkit to design and run cyber exercises. Here is how to align it with DORA (Art. 24) and NIS 2 for robust compliance evidence.
NIS 2 Luxembourg: 9 days to ILR self‑registration
Essential and important entities in Luxembourg must self‑register with the ILR by 10 July 2026. Legal basis, risks, and this week’s action plan.
ANSSI — ReCyF: Microsegmentation as a key NIS 2 control
ANSSI’s ReCyF (March 17, 2026) details concrete NIS 2 measures. Network microsegmentation limits lateral movement, protects sensitive environments, and streamlines evidence of compliance.
NIS 2 in Luxembourg: ILR expectations on the 10 measures (Art. 21)
Since the 5 May 2026 law, the ILR details the 10 minimum NIS 2 Article 21 measures and related supervision. Management must approve, implement and evidence these measures, including MFA and supply chain controls.
ShinyHunters exploits Oracle zero‑day: NAIC hit, 100+ organizations
Oracle confirmed a PeopleSoft zero‑day (CVE‑2026‑35273) exploited by ShinyHunters. NAIC reports unauthorized access; 3.1 TB stolen and 100+ organizations compromised.
Charter/Spectrum: vishing, Entra, Salesforce — FIDO2 MFA as the GDPR/NIS2 countermeasure
ShinyHunters allegedly vished a Charter/Spectrum employee, took over a Microsoft Entra account, and exfiltrated Salesforce data. Phishing‑resistant MFA (FIDO2/WebAuthn) meets GDPR Art. 32 and blocks the initial access.