
All news with #regulatory action tag

310 articles · page 6 of 16

Ireland launches GDPR probe into X's Grok for sexual images

🔎 Ireland's Data Protection Commission has opened a formal probe into X over the use of its Grok AI to generate non‑consensual sexual images of real people, including children. The inquiry will assess whether X Internet Unlimited Company complied with core GDPR duties such as lawful processing, data protection by design, and required impact assessments. The DPC said it has been engaging with XIUC since media reports emerged and has commenced a large‑scale inquiry. As X's EU lead regulator, the DPC's findings could trigger cross‑border enforcement and significant penalties.

CISA Hosts Town Halls to Seek Input on CIRCIA Rulemaking

📣 CISA will host a series of virtual town hall meetings beginning March 9 to collect stakeholder input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rulemaking. The sessions will solicit feedback on the Notice of Proposed Rulemaking and implementation details; schedule information is published in the Federal Register and updates will be posted to CISA’s CIRCIA webpage. CIRCIA would require covered entities to report certain cyber incidents within 72 hours and ransom payments within 24 hours. CISA emphasized the need to balance improved national cybersecurity outcomes with minimizing unnecessary burden on critical infrastructure sectors.

US Court Hands Crypto Scammer 20-Year Sentence in $73M Case

🔒 A California court has sentenced Daren Li, a 42-year-old dual China and St. Kitts and Nevis national, to 20 years in prison in absentia for his role in a global crypto-investment fraud that siphoned at least $73.6m from victims. Li admitted directing co-conspirators to open US bank accounts under sham companies to launder proceeds, with an estimated $59.8m routed through US shell entities. The operation used romance-baiting and tech-support ruses to coerce transfers and convert funds to cryptocurrency.

CISA Orders Federal Agencies to Remove EOS Edge Devices

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-02 requiring federal civil executive branch agencies to decommission end-of-support (EOS) edge devices within specified timelines. Agencies must identify and remediate vulnerabilities within three months and remove EOS devices from external-facing network edges within 18 months, replacing them with vendor-supported hardware. The directive also mandates continuous discovery and inventory processes to prevent future exposure.

EU Says TikTok Faces Fine Over Addictive Design in EU

⚖️ The European Commission says TikTok may face a substantial penalty under the Digital Services Act after preliminary findings concluded that core design elements — infinite scroll, autoplay, push notifications and personalized recommendation systems — promote compulsive use and can harm minors and vulnerable adults. Regulators say TikTok failed to adequately assess and mitigate risks, pointing to nighttime usage and frequent app openings as ignored indicators of harm. If confirmed, the violations could trigger a fine of up to 6% of global turnover and the Commission has demanded screen-time breaks, adapted recommendation systems and the disabling of key addictive features; existing parental controls were judged insufficient.

Incognito Market Admin Sentenced to 30 Years, $105M

⚖️ A Taiwanese operator, Rui-Siang Lin (alias Pharaoh), ran the Incognito Market from October 2020 to March 2024, facilitating more than $105 million in illicit drug sales through a Tor-accessible marketplace that hosted over 1,800 vendors and served over 400,000 customers. Despite using an in-site crypto payment system called Incognito Bank, Lin made a critical OPSEC error by registering the domain with his real name, phone number and address. After a fentanyl-laced pill sold on the site was linked to a fatal 2022 overdose and Lin abruptly shut the market while stealing user deposits and attempting extortion, he was arrested at JFK in May 2024, pleaded guilty, and has been sentenced to 30 years in federal prison with forfeiture of roughly $105 million.

CISA Directs Agencies to Secure End-of-Support Edge Devices

🔒 CISA issued Binding Operational Directive 26-02, requiring Federal Civilian Executive Branch agencies to mitigate risks from unsupported edge devices. Agencies must inventory devices, update vendor-supported software, remove end-of-support hardware and software, and implement mature lifecycle management within specified timeframes. CISA will monitor compliance, assess progress, and encourage non-federal organizations to adopt similar measures to reduce technical debt and strengthen cyber resilience.

Taiwanese Sentenced 30 Years for Dark Web Drug Market

⚖️ A U.S. federal judge sentenced 24-year-old Rui‑Siang Lin to 30 years in prison for operating Incognito Market, a darknet narcotics marketplace that sold more than $105 million in illegal drugs worldwide. Lin pleaded guilty to money laundering, narcotics distribution conspiracy, and selling misbranded medication after his May 2024 arrest. The market hosted over 1,800 vendors and 400,000 customer accounts, processing more than 640,000 transactions and using a cryptocurrency payment platform called Incognito Bank. Judge Colleen McMahon described the operation as the most serious drug crime she had encountered in her career.

UK ICO Investigates X Over AI-Generated Sexual Images

🛡️ The UK Information Commissioner’s Office has opened a formal investigation into X and its AI assistant Grok after reports the system generated non-consensual sexual images using people’s personal data. The inquiry will assess whether such data were processed lawfully, fairly and transparently and whether appropriate safeguards were integrated into Grok’s design and deployment to prevent harmful image manipulation. The ICO has requested urgent information from X and warned the reports raise risks of significant harm, particularly to children.

UK ICO Probes X's Grok Over AI-Generated Sexual Images

🔍 The UK Information Commissioner's Office has opened a formal investigation into X and its Irish subsidiary after reports that the AI assistant Grok generated nonconsensual sexually explicit images using individuals' personal data. The ICO said it contacted X and xAI on January 7 to request urgent information and will assess whether X Internet Unlimited Company and X.AI LLC processed data lawfully and had adequate safeguards. The regulator warned that loss of control over intimate personal data can cause immediate and significant harm, especially where children are involved.

Paris prosecutors raid X over algorithm changes and CSAM

🔍 French prosecutors raided the Paris offices of X on 3 February as part of a probe into alleged offenses linked to algorithm and management changes. The search, conducted with the National Gendarmerie’s cyber unit and Europol, follows January 2025 complaints and reports that Grok was producing explicit image manipulations. Prosecutors say a change to X’s CSAM detection tool coincided with an 81.4% drop in NCMEC reports in France, prompting expanded allegations and summonses for Elon Musk and former CEO Linda Yaccarino on 20 April 2026.

French Prosecutors Raid X Over Grok Sexual Deepfakes

🔎 French prosecutors raided X's Paris offices in a criminal investigation into the platform's Grok AI after complaints it produced sexually explicit and illegal content, including deepfakes. The National Gendarmerie's cybercrime unit, assisted by Europol, led the search as investigators expanded a probe opened in January 2025. Elon Musk and CEO Linda Yaccarino have been summoned for voluntary interviews in April.

Operation Switch Off: Major IPTV Services Dismantled

🔒 A coordinated international law enforcement operation led by Italy’s District Prosecutor’s Office of Catania, with support from Europol, Eurojust and Interpol, dismantled three large illegal IPTV platforms. Authorities seized infrastructure linked to IPTVItalia, migliorIPTV and DarkTV, identified 31 suspects and disrupted servers across Romania and Africa. Investigators report the services illegally retransmitted content from providers such as Sky, DAZN, Netflix and others while using cryptocurrencies and shell companies to obscure proceeds.

FBI Launches Winter SHIELD to Strengthen Cyber Defenses

🔐 The FBI has launched Operation Winter SHIELD, a ten-week campaign outlining ten concrete actions organisations should adopt to improve cyber resilience across IT and OT environments. Developed with domestic and international partners and informed by recent investigations, the initiative connects observed adversary behaviour to practical defenses such as phish-resistant authentication, immutable offline backups, vulnerability management and reduced administrator privileges. Aligned with the US National Cyber Strategy and the FBI Cyber Strategy, the effort aims to harden critical infrastructure and reduce the attack surface.

France Travail Fined €5m After 2024 Breach Exposed 43M

🔒 France Travail has been fined €5 million by the CNIL after a March 2024 cyber-attack that potentially exposed personal data for an estimated 43 million jobseekers. The regulator found failures including weak authentication for Cap Emploi advisors, insufficient logging and monitoring, and overly broad access permissions, breaching Article 32 of the GDPR. France Travail must provide evidence of corrective measures on a strict timeline or face a €5,000 daily fine.

France fines employment agency €5 million over breach

📢 France Travail was fined €5 million by CNIL after a 2024 breach exposed personal data for up to 43 million job seekers. CNIL said attackers used social engineering to hijack CAP EMPLOI advisers' accounts, exposing names, birth dates, national insurance numbers, addresses, emails and phone numbers. The watchdog ordered documented corrective measures and warned of €5,000 daily penalties if the agency fails to comply.

GDPR Violation Reports Surge to Highest Daily Rate

📈 A new DLA Piper report finds that notifications of GDPR violations across the EU averaged 443 reports per day in 2025, a 22% increase over 2024. The firm cautions that the dataset does not definitively explain the rise but highlights likely drivers such as geopolitical tensions, new attacker technologies, and expanded mandatory reporting laws. Annual fines remained near €1.2 billion while cumulative penalties total about €7.1 billion since 2018.

Criticism of Kritis Umbrella Law Raises Patchwork Concerns

⚠️ The German Association of Cities warns the coalition's proposed Kritis umbrella law, due for a Bundestag vote, is insufficient because its 500,000‑inhabitant threshold excludes many essential facilities and weakens crisis preparedness. The draft tightens obligations for classified operators — including reporting duties and fines — but the Städtetag urges lowering the cutoff to 150,000 to cover medium-sized municipalities. The association also warns that allowing federal states to designate additional facilities risks creating a fragmented patchwork. In response to a January power-supply arson in Berlin, the amendment asks the government to review and remove publicly available infrastructure data to limit attacker intelligence, a shift Chancellor Friedrich Merz framed as moving from broad transparency toward greater resilience.

EU Opens DSA Probe into X Over Alleged Grok Sexual Images

⚖️ The European Commission has opened formal proceedings under the Digital Services Act to examine whether X properly assessed risks before deploying the Grok AI tool, after reports it produced sexually explicit and potentially child sexual abuse material. UK and Californian authorities are conducting parallel probes, and regulators say these apparent harms “seem to have materialised.” X later restricted image-generation and editing to paid subscribers while it faces enforcement as a VLOP and a recent €120 million fine for DSA transparency breaches.

Ireland Seeks New Police Powers for Digital Surveillance

🕵️ The Irish government proposes new powers to allow police to intercept communications, including encrypted messages, and to authorize targeted, warrant-backed use of spyware. The draft measures would expand legal authority for interception, compel assistance from service providers and device makers, and define covert access procedures along with oversight obligations. Civil liberties groups and security experts warn the reforms risk weakening encryption, increasing misuse, and eroding privacy without robust independent safeguards.