Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
28 articles found · #dora
DORA Art. 28: CSSF turns up the heat on the ICT dependencies register
As of 16 March 2026, only 40% of entities had filed their DORA Art. 28 register. CSSF warns: ESAs’ quality checks, potential rejections and tight resubmission windows, with a 30 June “best effort” for some branches.
Microsoft: cryptominer via SEO/AI — EDR/XDR and NIS 2 in action
Microsoft disclosed an active cryptomining campaign spread via SEO poisoning and AI recommendations. Here’s how an EDR/XDR stack detects, contains, and evidences compliance with NIS 2 and DORA.
Luxgap SealedMail: the first email server where your CIO cannot read you
Launch of SealedMail, zero-knowledge email server hosted in Luxembourg, designed for executives. End-to-end encryption with X25519 asymmetric keys. Neither IT admin nor Luxgap can read your mailboxes. Works with your usual Outlook.
West Pharmaceutical (4 May 2026): why immutable, isolated backups are vital (DORA)
On 4 May 2026, West Pharmaceutical suffered a ransomware attack with data theft and encryption, halting manufacturing and shipping. Here is the backup architecture that prevents prolonged outages and meets DORA.
ENISA 2026: Exercise Methodology to Operationalize DORA Article 24
ENISA releases a cybersecurity exercise methodology with ready-to-use kits. In practice: DORA Article 24–aligned tabletop tests to speed decision-making and reduce ransomware impact.
CSSF — Circular 25/893: tightened ICT alerting and reporting under DORA
The CSSF tightens ICT incident classification and notification under DORA via eDesk. Here is how an EDR/XDR stack enables timely detection, qualification, and reporting with harmonized deadlines.
CSSF 25/883 amends 22/806: continuous cloud oversight
On 9 April 2025, the CSSF adjusted 22/806 via 25/883 to align ICT outsourcing with DORA. Here’s how a robust CSPM prevents cloud leaks and demonstrates compliance.
ChipSoft ransomware: why immutable, isolated backups are non-negotiable
The ChipSoft (HiX) attack disrupted hospital services and exposed data. Here’s how immutable backups and an isolated backup network meet DORA/NIS 2 and prevent prolonged outages.
AZ Monica crippled by ransomware: why immutable backups matter
Belgium’s AZ Monica hospital shut down its servers after a cyberattack. Here’s how immutable, isolated backups enable fast recovery aligned with DORA/NIS 2.
CSSF: DORA takes precedence and clarifies ICT outsourcing (Apr 2025)
CSSF confirmed DORA’s primacy from 17 January 2025 and issued Circular 25/882 to govern third‑party ICT use, the Article 28 register of information, and incident notifications via eDesk.
DORA — TLPT framed by Delegated Regulation (EU) 2025/1190
The Commission clarified TLPT under DORA via Delegated Regulation (EU) 2025/1190. In Luxembourg, the CSSF is the TLPT authority: timeline, scope, and method are now clear.
EDR/XDR: Continuous detection aligned with NIS 2 (Art. 21) and DORA (Art. 10)
Executives must demonstrate continuous and effective incident detection. A well‑deployed EDR/XDR stack meets NIS 2 Art. 21 and DORA Art. 10 requirements with auditable technical evidence.