Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
15 articles found · #ransomware
Lithuania: €450,000 GDPR fine for lack of MFA at InMedica
Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).
CSSF 26/906: governance and DORA-grade immutable backups by June 30
CSSF 26/906 requires PSPs/EMIs to reassess governance and risk management by 30 June 2026. Immutable, isolated backups are the DORA-proof of ransomware resilience.
Clinical Diagnostics (NL): gynecological records leak — GDPR-aligned DLP
After the massive leak at Clinical Diagnostics, a modern DLP aligned with GDPR (Art. 32 and 44–49) reduces exfiltration and provides the evidence authorities expect.
ENISA 2026: Separate, tested backups aligned with DORA
ENISA updates its SME guide: backups separated from production, encrypted and end-to-end tested. How immutable, isolated vaults meet DORA Art. 12 and thwart ransomware.
Foxconn hit by Nitrogen: 8 TB stolen — PAM becomes non-negotiable
On 13/05/2026, Foxconn confirmed an attack claimed by Nitrogen: 8 TB and 11M+ files stolen, with slowdowns at North American plants. A zero-trust PAM meets NIS 2 art. 21 and severs admin access that enables such attacks.
RUAG pays a ransom to Akira: red alert for executive boards
On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that quantifies ransomware’s economic impact: paying, even a “small amount,” to retrieve data.
Qilin exploits a Check Point zero-day: VPNs breached, patch within 72h
A critical zero-day (CVE‑2026‑50751) in Check Point VPNs is being actively exploited by Qilin. CISA mandates a fix by June 11, 2026. Luxembourg NIS 2 entities must check IKEv1, patch, and notify via SERIMA if an incident occurs.
Unimed (DE): 72,000+ patient files stolen — DLP, Article 32 and GDPR transfers
In mid‑April 2026, outsourcer Unimed had 72,000+ patient records stolen. Here is a concrete DLP stack to prevent exfiltration and demonstrate compliance with GDPR Article 32 and cross‑border transfers (Arts. 44‑49).
West Pharmaceutical (4 May 2026): why immutable, isolated backups are vital (DORA)
On 4 May 2026, West Pharmaceutical suffered a ransomware attack with data theft and encryption, halting manufacturing and shipping. Here is the backup architecture that prevents prolonged outages and meets DORA.
ENISA 2026: Exercise Methodology to Operationalize DORA Article 24
ENISA releases a cybersecurity exercise methodology with ready-to-use kits. In practice: DORA Article 24–aligned tabletop tests to speed decision-making and reduce ransomware impact.
ChipSoft ransomware: why immutable, isolated backups are non-negotiable
The ChipSoft (HiX) attack disrupted hospital services and exposed data. Here’s how immutable backups and an isolated backup network meet DORA/NIS 2 and prevent prolonged outages.
AZ Monica crippled by ransomware: why immutable backups matter
Belgium’s AZ Monica hospital shut down its servers after a cyberattack. Here’s how immutable, isolated backups enable fast recovery aligned with DORA/NIS 2.