< ciso
brief />
Tag Banner

All news with #regulatory action tag

353 articles · page 9 of 18

Criticism of Kritis Umbrella Law Raises Patchwork Concerns

⚠️ The German Association of Cities warns the coalition's proposed Kritis umbrella law, due for a Bundestag vote, is insufficient because its 500,000‑inhabitant threshold excludes many essential facilities and weakens crisis preparedness. The draft tightens obligations for classified operators — including reporting duties and fines — but the Städtetag urges lowering the cutoff to 150,000 to cover medium-sized municipalities. The association also warns that allowing federal states to designate additional facilities risks creating a fragmented patchwork. In response to a January power-supply arson in Berlin, the amendment asks the government to review and remove publicly available infrastructure data to limit attacker intelligence, a shift Chancellor Friedrich Merz framed as moving from broad transparency toward greater resilience.
read more →

EU Opens DSA Probe into X Over Alleged Grok Sexual Images

⚖️ The European Commission has opened formal proceedings under the Digital Services Act to examine whether X properly assessed risks before deploying the Grok AI tool, after reports it produced sexually explicit and potentially child sexual abuse material. UK and Californian authorities are conducting parallel probes, and regulators say these apparent harms “seem to have materialised.” X later restricted image-generation and editing to paid subscribers while it faces enforcement as a VLOP and a recent c120 million fine for DSA transparency breaches.
read more →

Ireland Seeks New Police Powers for Digital Surveillance

🕵️ The Irish government proposes new powers to allow police to intercept communications, including encrypted messages, and to authorize targeted, warrant-backed use of spyware. The draft measures would expand legal authority for interception, compel assistance from service providers and device makers, and define covert access procedures along with oversight obligations. Civil liberties groups and security experts warn the reforms risk weakening encryption, increasing misuse, and eroding privacy without robust independent safeguards.
read more →

Germany to Authorize Cross-Border Cyber Counterstrikes

🛡️ Germany plans to adopt a more offensive cyber posture, saying it will "strike back, also abroad," and aim to disrupt attackers and destroy their infrastructure. The Interior Ministry proposes joint operational responsibility for the Federal Criminal Police Office (BKA) and intelligence services and is creating a new defense center against hybrid threats. Minister Alexander Dobrindt said he will introduce laws in the first half of the year to expand intelligence powers for information gathering and operational action.
read more →

Over 160,000 Companies Notify Regulators of GDPR Breaches

📈 The number of organisations reporting GDPR breaches rose 22% in 2025 to a daily average of 443, according to DLA Piper, making this the first year since 2018 that notifications topped 400. Germany, the Netherlands and Poland recorded the most reports, and analysts pointed to geopolitical unrest and emerging AI-enabled threats as contributors. Annual GDPR fines remained stable at €1.2bn, with Ireland issuing the largest share, including a €530m penalty for TikTok over international data transfers.
read more →

Internet Voting Remains Too Insecure for Elections

🔐 Bruce Schneier and a broad group of security scientists warn that internet voting is fundamentally insecure and that no known or foreseeable technology can make it safe for public elections. They criticize persistent claims from vendors and advocates—specifically naming Bradley Tusk and the Mobile Voting Foundation—for promoting misleading assurances. The letter calls on election officials and policymakers to reject online voting and stick with proven, auditable processes.
read more →

EU-led GCVE launched as decentralized CVE alternative

🌐 The open-source Global Cybersecurity Vulnerability Enumeration (GCVE) has launched as a community-driven, European-headquartered alternative to the US-led CVE program. Hosted by CIRCL at db.gcve.eu, the initiative aggregates vulnerability data from more than 25 public sources and empowers GCVE Numbering Authorities (GNAs) to allocate identifiers independently. Backers say the model reduces single points of failure, strengthens digital sovereignty by combining open-source software with European-controlled infrastructure, and—if kept compatible with existing conventions—could speed and diversify vulnerability disclosure without causing tracking misalignment.
read more →

EU Cybersecurity Overhaul to Bar High-Risk Suppliers

🔒 The European Commission has proposed a comprehensive cybersecurity package that would require the removal of high-risk suppliers from sensitive telecommunications networks and give Brussels authority to coordinate EU-wide risk assessments. The measure aims to strengthen defenses against state-backed actors and cybercrime targeting critical infrastructure while addressing uneven uptake of the 2020 5G Security Toolbox. The proposal also expands ENISA's remit to issue early threat alerts, centralize incident reporting, streamline voluntary certification, and support joint assessments across 18 critical sectors, with member states required to transpose changes within one year of approval.
read more →

Tudou Guarantee Marketplace Halts Public Transactions

🔍 Elliptic reports that Tudou Guarantee, a Telegram-based guarantee marketplace, has effectively ceased processing transactions through its public Telegram groups after rapid growth and is estimated to have handled over $12 billion, ranking it among the largest illicit marketplaces. Some operations, notably gambling services, remain active, so Elliptic says this may be a staged shutdown or a strategic pivot. The pause in public activity coincides with law enforcement moves tied to the arrest and extradition of Prince Group CEO Chen Zhi.
read more →

Hacker Pleads Guilty After Leaking Supreme Court Data

🔓 Nicholas Moore, 24, pleaded guilty to hacking the U.S. Supreme Court's restricted electronic filing system and breaching AmeriCorps and VA accounts. Prosecutors say Moore used stolen credentials to access the Court's system at least 25 times between August and October 2023, sometimes logging in multiple times per day, and posted screenshots and victims' data to an Instagram account, @ihackedthegovernment. He also accessed an AmeriCorps account seven times and a VA My HealtheVet account five times, viewing sensitive personal and health information. Moore admitted to one count of computer fraud.
read more →

Jordanian Pleads Guilty to Selling Network Access to Firms

🔒 Feras Khalil Ahmad Albashiti (known online as "r1z") pleaded guilty to selling access credentials to the networks of at least 50 companies. Extradited from Georgia in July 2024, he admitted selling access to an undercover law enforcement officer for cryptocurrency on May 19, 2023. He faces up to 10 years in prison and fines; sentencing is set for May 11, 2026.
read more →

CIRO Breach Exposed Data of 750,000 Canadian Investors

🔒 The Canadian Investment Regulatory Organization (CIRO) confirmed a data breach that affected roughly 750,000 Canadian investors. The threat was identified on August 11 and disclosed on August 18, with an extensive forensic analysis completed January 14. Compromised records vary by person and may include dates of birth, phone numbers, income details, social insurance numbers, government IDs, account numbers, and statements. CIRO said it does not store login credentials and will offer two years of free credit monitoring to impacted investors.
read more →

FTC Restricts GM from Selling Drivers' Location Data

📍 The Federal Trade Commission has finalized an order prohibiting General Motors and its OnStar unit from collecting, using, or sharing consumers' precise geolocation and driving-behavior data without express consent. The FTC said GM harvested location data every three seconds through the discontinued Smart Driver feature and sold it to third parties, including consumer reporting agencies, which could affect insurance outcomes. Under the order GM is barred from sharing such data with consumer reporting agencies for five years, must obtain express consent for collection and sharing for 20 years, and must give U.S. customers access, deletion rights, and the ability to disable precise location tracking.
read more →

International Takedown of RedVDS Cybercrime Service

🛡️ International law enforcement, together with Microsoft, dismantled the RedVDS cybercrime service after seizing servers hosted in Germany. Authorities from Germany, the United States and the United Kingdom, confirmed by the ZIT and the State Criminal Police Office of Brandenburg, say the platform enabled large-scale phishing and boss‑scam frauds. Microsoft reports $40 million in US losses over seven months and highlights prolific phishing volumes from rented virtual machines. No arrests have been reported; suspects are believed to be located in an unspecified Middle Eastern country.
read more →

Ransomware gangs extort victims with compliance threats

🛡️ Ransomware groups are increasingly threatening victims with regulatory complaints in addition to data leaks, citing alleged violations of rules such as GDPR. Security vendors including Akamai report the tactic has grown over the past two years and is used by gangs like Anubis and Ransomhub to pressure high-compliance sectors such as healthcare. Experts warn AI accelerates the process by quickly identifying 'material' issues and producing legally framed complaints, tightening deadlines and raising stakes for victims.
read more →

France Fines Free Mobile €42M Over 2024 Data Breach

🔒 The French data protection authority, CNIL, fined Free Mobile and parent company Free a combined €42 million for insufficient protection of customer data after an October 2024 breach that exposed information of nearly 23 million subscribers. CNIL cited weak VPN authentication, poor detection of abnormal activity, delayed notifications, and excessive data retention. The companies must complete security fixes and perform mandated data clean-up within required deadlines.
read more →

G7 Sets 2034 Deadline for Financial PQC Migration Plan

🔐 The G7 Cyber Expert Group has published a recommended roadmap asking financial firms and public entities to complete transition to post-quantum cryptography (PQC) by 2034 to anticipate future quantum-enabled threats. The non-prescriptive guidance outlines six phased activities from awareness and inventory to migration, testing and validation, with overlapping timelines beginning in 2025. It stresses a risk- and standards-based approach, crypto agility and cross-jurisdiction collaboration to reduce fragmentation and enhance interoperability.
read more →

State and Local Cybersecurity: Framework in Place to Act

🛡️ The White House’s March 2025 Executive Order and Congress’s State and Local Cybersecurity Grant Program (SLCGP) together create a framework for strengthening defenses at state, local and tribal levels. The proposed PILLAR Act would extend and reinforce funding, oversight and scope. Success requires restoring disbursements, aligning with NIST standards, and building local capacity through partnerships and workforce development.
read more →

Congressional Delays Weaken U.S. Cybersecurity Posture

⚠️ The White House renominated seasoned Coast Guard and Energy Department cyber official Sean Plankey to lead CISA, a step that eases an urgent leadership gap but does not resolve broader legislative gridlock. Experts cite both executive deprioritization and congressional dysfunction—blocked confirmations, holds, and delayed reports—as drivers of a hollowed-out agency. Quick Senate confirmation, reauthorization of CISA 2015, and restored grant funding are needed to begin rebuilding capacity.
read more →

Dutch Hacker Sentenced to Seven Years for Port Hacks

🔒 The Amsterdam Court of Appeal sentenced a 44‑year‑old Dutch national to seven years in prison for breaching IT systems at the ports of Rotterdam, Barendrecht and Antwerp to facilitate drug trafficking. The court found he gained access after employees introduced USB sticks containing malware, enabling installation of a remote access tool, data exfiltration and interception. An appeal arguing unlawful interception of Sky ECC communications was rejected, as the defence failed to substantiate procedural violations. He was acquitted on one large cocaine import charge but upheld on hacking, facilitating the importation of 210 kg of cocaine, and attempted extortion.
read more →