EU orders Google to open Android AI features

The European Commission has issued two sets of binding measures under the Digital Markets Act requiring Google to improve competition in AI assistants and online search.

The first decision requires Google to give competing AI services access to 11 key Android features on terms equivalent to those available to its own services, including Gemini.

Users will be able to activate their preferred AI assistant via voice commands and have it to perform tasks across apps, such as sending messages, booking services, or retrieving contextual information.

Alternative providers will also gain access to features covering device context, background execution, on-device models, system integration and automated actions, subject to user consent and security safeguards.

Google must implement most of the measures in Android 18 and no later than 1 August 2027. Concurrent voice activation for multiple AI assistants must be introduced with Android 19 by August 2028.

The second decision requires Google to share anonymised search data with eligible third-party search engines, including AI chatbots that provide online search functions.

The data may include queries, rankings, clicks and views that Google uses to improve its own search service. Recipients may use it to develop search technology, improve retrieval and ground AI-generated answers in current online information.

The measures do not require Google to share its search algorithms, and recipients cannot use the data to train general-purpose AI models or for advertising and consumer profiling.

Google must also establish a transparent application process and a pricing model based primarily on the costs of providing access.

The Commission said the measures are intended to expand consumer choice and prevent Google’s advantages in Android and search from limiting competition in AI services.

Why does it matter?

The decisions apply established DMA interoperability and data-access rules directly to the emerging AI market. Rival assistants could gain deeper access to Android, while search providers and AI chatbots may use Google’s data to improve retrieval and compete more effectively. The measures could lower barriers created by control over operating systems and search data, although implementation will require careful protection of privacy, cybersecurity and commercially sensitive information.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

White House launches GOLD EAGLE cybersecurity initiative

The White House has announced the launch of GOLD EAGLE, a cybersecurity vulnerability coordination initiative established under President Donald Trump’s Executive Order 14410, Promoting Advanced Artificial Intelligence Innovation and Security.

According to the administration, the initiative brings together federal agencies, open-source software partners and operators of critical infrastructure to accelerate the identification and remediation of cybersecurity vulnerabilities using AI.

The initiative is being implemented through collaboration between the White House, the Department of the Treasury, the Department of Homeland Security, including the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of War. The administration said GOLD EAGLE is intended to reduce duplicative vulnerability scanning, improve exploit detection and provide prioritised threat and remediation information to government and private-sector defenders.

According to the announcement, GOLD EAGLE has already begun receiving and prioritising reported cybersecurity vulnerabilities from multiple sectors, coordinating verification efforts and supporting remediation activities. The White House said the initiative represents a new operational model for cyber defence that combines government resources with private-sector capabilities to strengthen the resilience of critical infrastructure and software systems.

Why does it matter?

GOLD EAGLE marks a shift towards more centralised public-private coordination of cybersecurity vulnerability management in the USA. By combining AI-assisted vulnerability prioritisation with information sharing across government agencies and critical infrastructure operators, the initiative aims to accelerate the detection and remediation of cyber threats.

It also reflects the Trump administration’s broader strategy of linking AI innovation with national cybersecurity and critical infrastructure protection.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

OpenAI calls for aligned US AI safety framework

OpenAI has called for closer alignment between US state and federal AI safety efforts, arguing that a common framework is needed to govern frontier AI systems.

In a policy blog post, the company said recent frontier AI legislation in California, New York and Illinois shows how states can help create a shared baseline before a single federal framework is in place.

OpenAI describes this process as ‘reverse federalism’, where state laws move in similar directions and gradually shape a de facto national standard.

The company says core elements should include documented safety frameworks, risk assessments for frontier models, public disclosure of results, serious incident reporting and independent audits.

At the federal level, OpenAI argues that the US government should lead testing and evaluation of the most advanced AI systems, particularly when national security and cybersecurity are at stake.

It says a consistent federal testing framework would help advanced AI tools reach trusted users, including government agencies, critical infrastructure defenders, allies and other partners.

OpenAI also supports clearer requirements for companies developing the most capable systems, including strong security standards, incident reporting, independent audits and whistle-blower protections.

The company warns that neither a fragmented patchwork of state laws nor an undefined federal process would create a coherent frontier safety regime.

Why does it matter?

OpenAI’s proposal highlights the growing tension in US AI governance between state-led action, federal oversight and international standard-setting. A shared framework could reduce regulatory fragmentation and create clearer expectations for frontier model developers. Still, the company’s position also reflects the interests of a major AI lab seeking predictable rules for deployment, testing and access. The debate will shape how the US balances safety, innovation, national security and global influence in AI governance.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

India approves €13 billion Semicon 2.0 strategy

The Government of India has approved Semicon 2.0, a long-term strategy worth Rs. 1.275 trillion (approximately €13 billion) to accelerate the development of the country’s semiconductor design and manufacturing ecosystem.

Building on Semicon 1.0, the programme aims to strengthen India’s position across the semiconductor value chain through sustained public investment, industrial incentives and workforce development.

The strategy is organised around six pillars, such as semiconductor design, manufacturing equipment and materials, fabrication facilities, advanced packaging technologies, research and development, and talent development.

India plans to expand chip design capabilities, attract additional fabrication plants, encourage investment in ATMP and OSAT facilities, strengthen domestic production of critical materials and manufacturing equipment, and support the development of advanced semiconductor technologies.

The government also highlighted progress under Semicon 1.0. Twelve semiconductor manufacturing facilities have been approved with cumulative investments exceeding Rs. 1.64 trillion, covering silicon fabrication, silicon carbide, gallium nitride display manufacturing and advanced packaging. Three facilities have already entered commercial production, while additional projects are expected to become operational during 2026.

On the design side, 24 semiconductor startups have received financial support and 105 have gained access to advanced chip design tools to develop technologies for AI, IoT, telecommunications, satellite communications and smart devices.

According to the government, Semicon 2.0 is intended to strengthen India’s technological sovereignty, improve semiconductor supply chain resilience and establish the country as a globally competitive hub for semiconductor innovation, manufacturing and intellectual property.

Why does it matter?

Semicon 2.0 reflects the growing use of industrial policy to strengthen domestic semiconductor ecosystems amid global competition for advanced chip manufacturing. By investing across design, production, research and skills, India is seeking to reduce external dependencies while building long-term technological capacity.

The strategy also demonstrates that semiconductor competitiveness increasingly depends on developing the entire value chain rather than attracting fabrication plants alone. If successfully implemented, the programme could strengthen India’s position in global semiconductor supply chains while supporting wider ambitions in AI, telecommunications and advanced manufacturing.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Digital Omnibus on AI: The EU’s AI Act simplification and new AI Office powers

On 29 June 2026, the Council of the European Union gave its final green light to the Digital Omnibus on AI, a package of amendments that eases and delays parts of the EU AI Act, completing a legislative procedure that began when the European Commission published its proposal on 19 November 2025. It amends the EU AI Act, together with the EU’s civil aviation rules and machinery regulation. According to the European Parliament’s Legislative Observatory, the final act was signed on 8 July 2026, and the Digital Omnibus is now awaiting publication in the Official Journal of the European Union, a necessary step before it can enter into force, ahead of the original 2 August 2026 deadline for several high-risk AI obligations.

Much of the public attention on the Digital Omnibus has focused on the delay to high-risk AI rules and the new ban on AI-generated intimate imagery. The full legal text of the amending regulation also reorganises, in detail, responsibility for supervising AI systems that operate within very large online platforms regulated under the Digital Services Act, and amends several other elements of the way the AI Act is enforced, points that have drawn less attention so far.

The Council describes this regulation as part of a wider legislative package known as Omnibus VII, one of several ‘omnibus’ simplification efforts the Commission has proposed across different policy areas. It was also listed in the Parliament and the Council in their Joint Declaration on EU legislative priorities for 2026, signalling the priority both institutions attached to its rapid finalisation.

Why the Commission proposed the amendments

 Architecture, Building, Office Building, City, Urban, High Rise, Flag

According to the recitals of the Digital Omnibus on AI, the amendments respond to problems identified once parts of the AI Act began to apply in August 2024. The recitals point to delays in the preparation of harmonised technical standards needed by providers of high-risk AI systems in order to demonstrate compliance, as well as delays by several member states in setting up the national authorities and conformity assessment bodies responsible for checking that compliance. Taken together, the recitals state that these delays created a heavier compliance burden than originally expected.

The Commission’s proposal also links the amendments to a broader competitiveness rationale, describing them as part of a wider effort by EU leaders to reduce administrative burdens on business, following the recommendations of the Draghi and Letta reports on European competitiveness. Industry associations also lobbied for the amendments throughout 2025.

The trade group DIGITALEUROPE told policymakers that compliance with the AI Act could cost companies in the region of EUR 3.3 billion a year across the EU, and that a company of around 50 employees developing an AI-based product could face initial compliance costs of between EUR 320,000 and EUR 600,000.

How the Digital Omnibus was negotiated

 People, Person, Audience, Crowd, Indoors, Lecture, Room, Seminar, Adult, Male, Man, Female, Woman, Head

The AI-specific amendments were separated from the wider Digital Omnibus package, which also proposes amendments to the GDPR, the ePrivacy Directive, the Data Act, and the NIS2 Directive on cybersecurity, due to the approaching deadline for high-risk AI obligations. According to the Legislative Observatory’s procedure record, Parliament’s Internal Market Committee voted on the proposed regulation on 18 March 2026, and the Parliament adopted its first-reading position on 26 March 2026.

The Parliament and the Council negotiators reached a political agreement on the Digital Omnibus early on 7 May 2026. The Council’s Permanent Representatives Committee confirmed the agreement in a letter dated 13 May 2026. The Parliament formally adopted the Digital Omnibus on 16 June 2026, the Council gave its final approval on 29 June 2026, and the final act was signed on 8 July 2026.

The regulation’s preamble records that the European Central Bank was consulted and issued a formal opinion, published in the Official Journal in April 2026, as required under EU legislation for measures affecting payments and financial infrastructure. The European Economic and Social Committee delivered its opinion on 18 March 2026, and the Committee of the Regions gave its opinion on 7 May 2026. National parliaments, including those of Czechia, Italy, the Netherlands, Portugal, Romania, Germany, Poland and France, also submitted subsidiarity contributions during the process. The Parliament’s public transparency register separately records meetings on this regulation between the two co-rapporteurs and organisations, including Google, the AI start-up Mistral AI, the digital rights group EDRi, the privacy group noyb, and the standards and conformity body TIC Council, reflecting the range of interests, from large technology firms to civil society, that engaged with the negotiations.

New deadlines for high-risk AI obligations

Under the amended Article 113 of the AI Act, the obligations for high-risk AI systems set out in Sections 1 to 3 of Chapter III will now apply from 2 December 2027 for systems classified as high-risk under Article 6(2) and Annex III, which covers areas such as biometrics, critical infrastructure, education, employment, law enforcement, migration and border management. For systems classified as high-risk under Article 6(1) and Annex I, meaning AI systems embedded in products already covered by other EU safety legislation, such as machinery or medical devices, the new deadline is 2 August 2028. Both deadlines were originally set for 2 August 2026.

A separate provision clarifies how the AI Act’s grace period for so-called legacy systems, set out in Article 111(2), applies. Once at least one unit of a given type and model of high-risk AI system has been lawfully placed on the market before the relevant cut-off date, further units of the same type and model can continue to be placed on the market or put into service without additional certification, as long as the system’s design does not change significantly. Any significant redesign after the cut-off date triggers full compliance with the AI Act, including conformity assessment.

To help providers meet the new deadlines, the Digital Omnibus requires the Commission to request that European standardisation bodies develop technical standards aligned with existing product-safety standards, reducing duplication for companies that have to comply with both the AI Act and sectoral legislation. The Commission must also publish guidance on post-market monitoring plans by 2 September 2027, as well as guidance to help providers of Annex I high-risk systems apply the AI Act alongside sectoral rules by 1 August 2027. Watermarking obligations for AI-generated content, which allow such content to be detected and traced, benefit from a separate four-month transitional period for systems already on the market before 2 August 2026.

Changes to AI literacy and the use of sensitive data for bias correction

 Person, Security, First Aid, Fungus, Plant

A further amendment loosens the AI Act’s AI literacy obligation. Instead of requiring providers and deployers to ensure a sufficient level of AI literacy among their staff, the amended Article 4 requires them to take measures supporting the development of that literacy among staff and other people involved in the operation of their AI systems. The European Artificial Intelligence Board is tasked with adopting recommendations that set common objectives to guide how the Commission and member states support this obligation.

A new Article 4a allows providers and deployers of AI systems to process special categories of personal data, such as data revealing ethnicity or health status, for the specific purpose of detecting and correcting bias, subject to a list of privacy safeguards, including data minimisation, restrictions on transferring the data to third parties, and deletion once the bias has been corrected. The final text requires this processing to be strictly necessary, a stricter standard than the version originally proposed by the Commission. This followed a joint opinion issued by the European Data Protection Board and the European Data Protection Supervisor in January 2026, which recommended reinstating the stricter standard.

AI Office gains exclusive powers over general-purpose AI and large platforms

 Logo, Nature, Night, Outdoors, Text, Symbol

Article 75 of the AI Act, which governs the market surveillance of AI systems, has been substantially rewritten. Under the new provisions, the Commission’s AI Office becomes exclusively responsible for supervising two categories of AI systems. The first category comprises AI systems built on general-purpose AI models, where the same provider, or providers belonging to the same undertaking, developed both the underlying model and the AI system built on it. This exclusive competence carries several exceptions. It does not apply to AI systems related to products already covered by EU product-safety legislation, AI systems used as critical infrastructure, systems provided by law enforcement authorities, border management authorities or financial institutions in specific circumstances, or certain systems used in the administration of justice, all of which remain under national supervision.

The second category covers AI systems that constitute, or are integrated into, a very large online platform or a very large online search engine designated under the Digital Services Act (DSA), the EU’s rulebook for online platforms. The recitals state that empowering the Commission, through the AI Office, to act as a market surveillance authority for these systems is intended to ensure that enforcement of the AI Act and the DSA is carried out consistently, given the scale and potential societal impact of very large platforms and search engines.

For AI systems that are embedded in, or form part of, a designated very large platform or search engine, the Digital Omnibus specifies that the DSA’s own risk assessment, mitigation, and audit obligations, laid down in Articles 34, 35, and 37 of that regulation, serve as the first point of entry for assessing the AI system. This is without prejudice to the AI Office’s separate power to investigate and enforce breaches of the AI Act after the fact. The Commission services that enforce the DSA and the AI Office are required to coordinate, exchange views regularly, and take account of any fines already imposed on the same company for the same conduct, so that the combined penalties remain proportionate and do not amount to double punishment for the same infringement.

Outside this narrower platform-related category, national market surveillance authorities retain a role. Where a national authority has well-founded reasons to suspect that a provider or deployer of an AI system under the AI Office’s exclusive competence has breached the AI Act, it may ask the AI Office, through a designated national contact point, to investigate. The AI Office must tell that authority within four months whether it intends to act, and keep it informed of major developments and the eventual outcome.

The recitals acknowledge that taking on this expanded role will require the AI Office to be adequately staffed and resourced. Whether the Commission allocates sufficient capacity for the AI Office to supervise both general-purpose AI models and large platforms is an operational question that will only become clear as implementation proceeds, rather than one resolved by the legislation itself.

New ban on AI-generated intimate imagery and child sexual abuse material

image

The Digital Omnibus amends Article 5 of the AI Act, which lists AI practices that are prohibited outright. It adds a prohibition against placing on the market, putting into service, or using AI systems that generate or manipulate realistic images, video or audio of an identifiable person’s intimate parts, or of that person engaged in sexually explicit activity, without that person’s free, specific, informed and unambiguous consent. It adds a parallel prohibition covering AI systems that generate or manipulate child sexual abuse material, subject to a narrow exception for activities that are lawful under national law, such as material generated by law enforcement authorities for the purposes of criminal investigation.

For providers, the prohibition applies in two situations: where generating or manipulating such material is the system’s intended purpose, or where that outcome is a reasonably foreseeable and reproducible result of the system’s design and the provider has not put in place reasonable and adequate safeguards, such as content filtering or abuse-detection mechanisms, to prevent it. For deployers, the prohibition applies only where the AI system is actually used for that purpose, meaning the ordinary use of a lawful system for unrelated purposes is not covered, nor is accidental generation of such content.

The prohibited material is defined narrowly. It covers realistic depictions, meaning a person’s face, voice or body shown in a credible, real-life manner, and specifically named intimate parts or depictions of sexually explicit activity. Cartoonish or physically impossible depictions fall outside the prohibition, as does content generated with the depicted person’s consent, non-realistic artistic nude work that does not depict an identifiable person, and legitimate medical applications such as anatomical simulations. Simple enhancements to existing images, such as adjusting brightness or adding a caption, are not treated as prohibited manipulation unless they increase the level of nudity or explicitness shown. Companies have to ensure that their systems comply with these rules by 2 December 2026.

Other simplification measures

The Digital Omnibus extends several compliance simplifications that previously applied only to small and medium-sized enterprises to a new category of small mid-cap enterprises, companies that have outgrown the SME definition but remain much smaller than large corporations. It also gives all SMEs, including start-ups, the option to comply with parts of the AI Act’s quality management system requirements in a simplified way, an option previously limited to microenterprises.

The deadline for each member state to have at least one operational national AI regulatory sandbox, a controlled environment in which providers can test AI systems under regulatory supervision, has been extended to 2 August 2027. The same provisions allow the AI Office itself to set up an EU-level sandbox for AI systems that fall under its exclusive competence, with priority access for SMEs, start-ups and small mid-cap enterprises, operating alongside, and not instead of, national sandboxes.

A further change moves the EU machinery regulation from one section of the AI Act’s product-safety annex to another, shifting AI-enabled machinery towards a more sector-specific approach. Under the new arrangement, the Commission must adopt delegated acts by 2 August 2028 incorporating the AI Act’s health and safety requirements directly into the machinery regulation, rather than requiring manufacturers to apply both frameworks in parallel.

Data protection authorities raise fundamental rights concerns

 Guitar, Musical Instrument, Accessories, Diamond, Gemstone, Jewelry

Before the political agreement was reached, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the Commission’s initial proposal. The two authorities said they supported the general aim of addressing implementation issues, but raised concerns that several measures could weaken human rights protections built into the AI Act. They warned that extending the legacy systems exception would allow more high-risk AI systems to reach the market without being subject to the Act’s safeguards and urged the co-legislators to keep any delay to transparency obligations as short as possible.

The two authorities also opposed the Commission’s original plan to remove the registration obligation for providers who conclude that their Annex III systems are not high-risk, arguing that this would weaken accountability and make it harder for market surveillance authorities to respond quickly to problem systems. That registration obligation was retained, in a streamlined form, in the Digital Omnibus as finally approved in June. As set out above, the authorities’ recommendation to apply a strict necessity standard to the processing of sensitive data for bias correction was also reflected in the final version of the Digital Omnibus.

Not all of the authorities’ recommendations were taken on board in the same way. Their broader concern, that postponing obligations for high-risk AI systems may leave fundamental rights protections unenforced for longer in a fast-moving technological area, remains a live point of disagreement between the co-legislators and civil society groups, as discussed further below.

Reactions: competitiveness framing meets rights concerns

 Astronomy, Outer Space

Council and Parliament negotiators presented the changes as a way to make the AI Act more workable without altering its underlying risk-based structure. Co-rapporteur Arba Kokalari said the agreement showed that politics can move just as quickly as technology, linking the simplification to the Commission’s broader competitiveness agenda. Co-rapporteur Michael McNamara said the deal combined simplification measures with new safeguards against nudification apps and AI-generated child sexual abuse material.

Civil society organisations took a more critical view of the overall direction of the package. The digital rights group Liberties argued that the final agreement weakens several safeguards contained in the original AI Act, and described the postponement of high-risk obligations as a delay to fundamental rights protections that were due to take effect in August 2026.

Industry associations generally welcomed the changes. DIGITALEUROPE, which had been among the most vocal critics of the AI Act’s original compliance costs and timeline, broadly supported the direction of the simplification package, while continuing to call for further alignment between the AI Act and other overlapping EU digital rules.

What happens next

The Digital Omnibus on AI will enter into force once it is published in the Official Journal of the European Union. Until then, the AI Act’s original provisions and timeline remain legally in force, including the prohibitions on unacceptable AI practices and the obligations applicable to general-purpose AI models that have applied since August 2025.

A separate Commission exercise, the Digital Fitness Check, is expected to examine the DSA and the wider digital rulebook directly, with a report on its findings due in the first quarter of 2027 according to legal commentary on the process. That exercise, rather than the AI Omnibus itself, is where the more direct question of simplifying the DSA is likely to be decided and where the institutional link now established between the AI Office and DSA-regulated platforms may be revisited.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

ENISA introduces cybersecurity assessment tool for SMEs

The European Union Agency for Cybersecurity (ENISA) has introduced a Cyber Resilience Maturity Assessment Model to help micro, small and medium-sized enterprises (SMEs) strengthen cybersecurity and prepare for the EU’s Cyber Resilience Act (CRA). The framework offers a structured way for organisations to assess their current cyber resilience, identify weaknesses and improve product security over time.

Designed primarily for manufacturers of products with digital elements, the framework provides a structured way for organisations to assess their cyber resilience, identify weaknesses and improve product security over time. It evaluates five areas, such as governance, risk management, vulnerability management, product lifecycle management and cybersecurity skills.

Businesses are classified as having basic, intermediate or advanced cybersecurity maturity. A downloadable assessment tool allows organisations to track progress through repeated self-assessments, although ENISA notes that achieving a higher maturity level does not replace compliance with the CRA.

Alongside the framework, ENISA published the results of a survey of 194 organisations across 31 countries. While 66% of respondents were aware of the CRA, many said they had only a limited understanding of its practical requirements. Medium-sized companies generally demonstrated stronger cybersecurity maturity than micro-enterprises, with incident response and product lifecycle management emerging as the weakest areas.

More than 70% of SMEs said they needed practical support, including technical guidance and secure development templates. Respondents also cited limited budgets, staff and time as major barriers to compliance, prompting ENISA to recommend targeted guidance, financial support and stronger outreach to smaller businesses.

Why does it matter?

SMEs make up a large share of Europe’s digital economy and supply chains, yet many lack the resources needed to meet increasingly demanding cybersecurity requirements. ENISA’s maturity model gives organisations a practical way to assess their readiness, strengthen product security and prepare for compliance with the Cyber Resilience Act.

The findings also highlight that regulation alone is unlikely to improve cybersecurity. Smaller businesses will need practical guidance, technical support and investment to meet new standards, making implementation as important as the legislation itself.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Greece launches €10 million call to accelerate municipal digital transformation

The Greek Ministry of Digital Governance and Artificial Intelligence has launched a €10 million funding programme to accelerate digital transformation across 35 municipalities, supporting the modernisation of local public services and digital infrastructure.

Municipalities in Greece will be able to develop and upgrade digital public services, citizen request management platforms and mobile applications. The programme also supports projects in civil protection, crisis management, telemedicine, remote care for vulnerable groups and digital tourism, including interactive maps, virtual and augmented reality applications, and the digitisation of historical and cultural archives.

The programme also places a strong emphasis on cybersecurity, the long-term sustainability of digital services and the resilience of municipal information systems.

According to the ministry, the initiative forms part of Greece’s broader strategy to build more resilient, modern and citizen-centred municipalities by investing in digital infrastructure tailored to local needs.

Why does it matter?

The programme reflects Greece’s continued effort to extend digital transformation beyond central government and strengthen the digital capabilities of local authorities. By investing in public services, cybersecurity, telemedicine and smart city applications, the initiative aims to improve service delivery while supporting more resilient and connected communities.

It also highlights the growing role of municipalities in national digital strategies. As local governments increasingly deliver services through digital platforms, investment in secure infrastructure and modern public administration is becoming an important part of broader digital transformation efforts across Europe.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Canada funds AI mining innovation projects

Canada has announced CAD 6.7 million in federal funding for two AI-enabled mining innovation projects aimed at improving critical minerals extraction and ecological restoration.

The two projects, worth a combined CAD 19.8 million, are led by Novamera Inc. of Oakville, Ontario, and Koonkie Canada Inc. of Vancouver, British Columbia. Funding is being provided through Canada’s Digital Technology Cluster (DIGITAL).

Novamera will receive CAD 3.8 million for a CAD 10.9 million project to advance its Surgical Mining technology, which combines subsurface imaging, AI, robotics and conventional drilling equipment to access mineral deposits with greater precision.

The technology is designed to enable more targeted extraction of critical minerals, including copper and rare earth elements. According to the government, the project will help move the technology from development towards commercial deployment.

Koonkie will receive CAD 2.9 million for a CAD 8.9 million project to develop an AI-powered mine restoration platform. The system will combine environmental DNA analysis, soil health data, remote sensing and Indigenous ecological knowledge to monitor biodiversity and ecological recovery.

Project partners estimate the platform could shorten ecological restoration timelines by five to ten years while reducing restoration costs by up to 40% compared with conventional approaches.

The projects are expected to create up to 35 jobs and maintain a further 37. The government said the investments support Canada’s broader strategy to strengthen critical mineral supply chains, advance clean technologies and improve industrial competitiveness.

Industry Minister Mélanie Joly said the investments would help Canadian companies develop and deploy technologies that improve the precision of critical minerals extraction, support responsible resource development and strengthen mine restoration.

Why does it matter?

Critical minerals such as copper and rare earth elements are essential for AI infrastructure, semiconductors, batteries and clean energy technologies, making mining innovation an increasingly important part of national industrial strategies. AI is also expanding beyond mineral exploration into operational efficiency and environmental management, helping companies improve resource recovery while reducing environmental impacts.

The projects illustrate how governments are using AI to strengthen both the competitiveness and sustainability of critical mineral supply chains. By combining automation, environmental monitoring and Indigenous knowledge, Canada is positioning digital technologies as a key component of responsible resource development.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

CISA shares lessons from GitHub credential exposure

CISA has published details of an internal CISA incident response triggered after an investigative reporter alerted the agency to Amazon AWS GovCloud keys and other internal information exposed in a public GitHub repository.

The agency said the information was identified by a security researcher whose company continuously scans public code repositories. The repository was not part of CISA’s official GitHub environment but belonged to a contractor’s personal GitHub account.

According to CISA, its Office of the Chief Information Officer immediately took the repository offline and preserved it for forensic analysis. The agency also suspended its development environment, reset affected credentials and revoked the contractor’s system access.

The investigation found that the contractor had uploaded copies of a CISA build and deployment repository to a personal GitHub account while attempting to build cloud infrastructure independently. The repository contained infrastructure-as-code, build scripts, administrator credentials and build credentials.

Forensic analysis found no evidence that the exposed credentials had been used outside CISA environments and no customer or mission data was compromised.

CISA subsequently rotated all credentials associated with environments where the contractor had administrator privileges, expanded repository allow and deny lists, and restricted users’ ability to upload code to public repositories before restoring the development environment.

The agency said the incident reinforced the value of taking external vulnerability reports seriously, applying Zero Trust principles to development environments and maintaining detailed logging that enabled rapid investigation.

It also identified several areas for improvement, including stricter controls over public repositories, better secrets detection, clearer GitHub and cloud incident response playbooks, simpler reporting channels for security researchers, stronger development environment guardrails and more mature cryptographic key management.

CISA also said organisations should maintain clear reporting channels for incidents affecting their own environments and publish reporting instructions in multiple locations rather than relying solely on a security.txt file.

The agency said publishing its own incident response experience is intended to help other organisations strengthen their security practices and improve preparedness for similar incidents.

Why does it matter?

The incident illustrates how easily sensitive credentials can be exposed through routine developer workflows and personal code repositories, even within organisations responsible for cybersecurity. It also highlights the importance of rapid detection, credential rotation and strong access controls when managing cloud infrastructure.

By publicly documenting both its response and the lessons learned, CISA is encouraging organisations to treat incident reporting, secrets management, Zero Trust architecture and developer governance as integral parts of software security rather than afterthoughts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft expands AI-powered Windows security

Microsoft is expanding its Windows security strategy by using AI to accelerate vulnerability discovery, analysis and remediation across its software development process. The company says AI is helping security teams identify potential issues faster across large codebases, shortening the time between discovering vulnerabilities and protecting customers.

The updated approach combines AI-powered security analysis tools with Microsoft’s multi-model agentic scanning systems to detect vulnerabilities, validate findings and prioritise high-confidence risks. Microsoft is also integrating AI into its engineering workflows to help developers investigate issues, recommend fixes and improve testing while maintaining human oversight throughout the process.

Microsoft said faster vulnerability detection will be matched by rigorous update validation to preserve reliability and compatibility across devices and applications. The company is also investing in automated patching, vulnerability management and deployment tools that help organisations apply security updates more efficiently.

As AI strengthens both cyber defence and offensive capabilities, Microsoft says it aims to reduce risk by combining faster vulnerability detection, responsible remediation and stronger security foundations across the Windows ecosystem.

Why does it matter?

AI is accelerating both cyberattacks and cyber defence, making speed an increasingly important factor in vulnerability management. As attackers use AI to identify and exploit weaknesses more quickly, software developers are under growing pressure to shorten the time between vulnerability discovery and remediation.

Microsoft’s approach reflects a broader shift towards continuous, AI-assisted security engineering rather than periodic security updates. By embedding AI throughout the software development lifecycle while retaining human oversight, the company is signalling how large technology providers may adapt software security to an increasingly AI-driven threat landscape.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot