Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
58 articles found · #solution
AEPD fines Yoti €950,000 — Automated DPIA becomes essential
On March 10, 2026, the AEPD fined Yoti €950,000 for unlawful biometrics, invalid consent and excessive retention. A tooled, automated DPIA is now key to reduce risk and evidence GDPR compliance.
Outsider Enterprise dismantled: urgent need for phishing‑resistant FIDO2 MFA
FBI, Google, and Black Lotus Labs dismantled “Outsider Enterprise,” a PhaaS linked to >1M URLs and ≈$1.9B in losses. Why FIDO2/WebAuthn MFA is now the “appropriate measure” under GDPR Article 32.
CSSF — Axios compromised (31/03/2026): EDR/XDR to detect and notify under DORA
The CSSF warns about the Axios supply‑chain compromise and reminds firms to notify a major ICT incident under Circular 25/893 (DORA). Here is how an EDR/XDR stack helps detect, contain, and notify on time.
ENISA 2026: Separate, tested backups aligned with DORA
ENISA updates its SME guide: backups separated from production, encrypted and end-to-end tested. How immutable, isolated vaults meet DORA Art. 12 and thwart ransomware.
FortiBleed: 73,932 Fortinet firewalls exposed — FIDO2 is now mandatory
FortiBleed exposed ~74,000 Fortinet firewalls/VPNs via stolen and reused credentials. Phishing-resistant MFA (FIDO2/WebAuthn) meets GDPR Article 32 and blocks initial access.
Kodak hacked: ShinyHunters claims 2.2M records
Kodak confirms an intrusion as ShinyHunters claims 2.2M records. Here’s how RGPD-compliant DLP (Art. 32 and 44‑49) reduces exfiltration and builds evidence.
Foxconn hit by Nitrogen: 8 TB stolen — PAM becomes non-negotiable
On 13/05/2026, Foxconn confirmed an attack claimed by Nitrogen: 8 TB and 11M+ files stolen, with slowdowns at North American plants. A zero-trust PAM meets NIS 2 art. 21 and severs admin access that enables such attacks.
Shai-Hulud: supply-chain token theft — why FIDO2 MFA is non-negotiable
Zscaler documents “Shai-Hulud”: GitHub/npm/PyPI compromises, OIDC abuse, and public IOCs. Phishing-resistant FIDO2/WebAuthn MFA addresses GDPR Article 32 and blocks initial access.
DSG Retail v ICO Broadens the Security Duty: Serious DLP Required
The English Court of Appeal confirms a broadened security duty: anticipate jigsaw identification. Here is how ISO 27001‑aligned DLP meets GDPR Article 32.
AUR compromised: 400+ Arch Linux packages push an eBPF rootkit
On June 12, 2026, over 400 AUR packages were used to distribute an infostealer with an eBPF rootkit. Here’s how an EDR/XDR stack helps detect it quickly and meet NIS 2 and DORA requirements.
ILR — NIS 2 Incident Notification: 24h to alert
On 5 May 2026, Luxembourg transposed NIS 2. ILR released guidance with a 24h early warning, 72h notification and a 1‑month final report. Here is how a managed SOC/SIEM helps meet these milestones calmly.
CSSF 25/880 — the 2026 PSP ICT Assessment requires continuous VM
The CSSF opened the 2026 “PSD2 – PSP ICT Assessment” campaign: every PSP must submit an up‑to‑date ICT risk assessment via eDesk. Continuous vulnerability management aligns with NIS 2 Art. 21 and DORA Arts. 25–27.