EPRS reveals critical Cybersecurity Act impact assessment gaps

The European Parliamentary Research Service has published an initial appraisal of the European Commission’s impact assessment for the proposed revision of the Cybersecurity Act, finding that the Commission makes a strong case for reform while leaving several analytical gaps.

The Commission proposed the revision on 20 January 2026, alongside a directive on simplification measures under the NIS2 Directive. The proposals were referred to the European Parliament’s Committee on Industry, Research and Energy.

The package covers ENISA’s mandate, the European Cybersecurity Certification Framework, NIS2 compliance simplification and a proposed EU-level framework for ICT supply chain security. EPRS said the impact assessment responds to a more complex cybersecurity landscape, stalled implementation of certification rules, fragmented compliance requirements and growing supply chain risks.

The briefing found that the Commission’s assessment effectively substantiates the need to revise the Cybersecurity Act. It praised the problem definition, intervention logic, use of qualitative and quantitative analysis, SME test, competitiveness check and transparency around evidence and methodology.

However, EPRS also identified weaknesses. It said the assessment lacks operational objectives, does not include a subsidiarity grid despite the initiative’s political significance, and has no distinct proportionality section. The briefing also questioned whether some policy options are sufficiently distinct, noting that they appear partly cumulative.

EPRS said stakeholder consultation feedback could have been reflected more clearly, especially in the analysis of policy options, impacts and the preferred approach. It also noted that the Regulatory Scrutiny Board first issued a negative opinion on the draft impact assessment, then later issued a positive opinion with reservations.

The briefing concluded that the Commission’s legislative proposals are mostly aligned with the preferred options in the impact assessment, although some issues remain.

Why does it matter?

The Cybersecurity Act revision could reshape several pillars of EU cyber policy at once, including ENISA’s role, cybersecurity certification, NIS2 compliance and ICT supply chain security. EPRS’s appraisal matters because it provides lawmakers with an early quality check of the evidence underpinning the Commission’s proposal. The briefing suggests the policy case for reform is strong, but also highlights gaps that may become important during parliamentary scrutiny, especially around proportionality, subsidiarity and the design of policy options.


UK plans major social media ban for under-16s

The UK government plans to introduce a social media ban for children under 16 as part of a wider package of online safety measures aimed at reducing children’s exposure to harmful content and risky online interactions.

Prime Minister Keir Starmer said the planned restrictions are intended to protect children from harmful material, excessive screen time and contact with unknown adults online. The measure is expected to apply to major social media platforms, while gaming and livestreaming services could face restrictions on features that allow children to interact with strangers.

The move follows a national consultation on children’s online safety, which examined possible age restrictions on social media and other online services, as well as limits on addictive design features and risky functionalities.

Further details are expected on implementation and enforcement, including how platforms would be required to verify users’ ages. The government has previously said that restrictions on children’s access to social media should be considered alongside broader protections for gaming platforms, AI chatbots and other online services used by young people.

The proposal would place the UK among a growing number of countries moving towards age-based restrictions on children’s access to social media. Australia has already adopted an under-16 social media ban, while other governments are considering similar approaches.

Supporters argue that age restrictions could reduce online harms and give parents clearer backing in setting boundaries for children’s technology use. Critics warn that enforcement may raise privacy concerns, increase reliance on age-verification systems and push children towards less regulated online spaces.

Why does it matter?

The proposal would move the UK closer to an age-based model of online safety regulation, where platforms may be expected to prevent under-16s from accessing certain services rather than only reduce harmful content after children join. That raises major governance questions around age assurance, privacy, platform design, parental responsibility and enforcement. The measure could also increase pressure on social media, gaming, livestreaming and AI chatbot services to redesign features that expose children to unknown adults, addictive interaction patterns or harmful content.


IMF chief calls for stronger cooperation on AI-related cybersecurity risks

International Monetary Fund (IMF) Managing Director Kristalina Georgieva has called for greater international cooperation to address cybersecurity risks associated with advanced AI systems, warning that rapidly evolving AI capabilities could pose challenges for the global financial system if misused.

Speaking to journalists in Brussels, Georgieva said new AI models are increasing the ability to identify cybersecurity vulnerabilities at a scale previously unavailable. She noted that these capabilities can support efforts to strengthen cyber defences by helping organisations detect and address weaknesses more quickly.

At the same time, Georgieva said the same capabilities could be misused by malicious actors. Referring to recent developments in advanced AI systems, she said that frontier models can be used positively to identify cybersecurity vulnerabilities but that, ‘in the wrong hands,’ those capabilities could be directed against financial infrastructure.

Her comments come amid growing discussion among policymakers, regulators, and financial institutions about the implications of increasingly capable AI systems for cybersecurity and financial stability. Earlier this year, Georgieva warned that the international monetary system was not adequately prepared to address rapidly evolving AI-related cyber risks and called for greater attention to safeguards needed to protect financial stability.

According to Georgieva, stronger cooperation will be necessary across countries and sectors to address these risks. She highlighted the importance of collaboration between advanced and developing economies, as well as between public institutions and private-sector actors responsible for critical digital infrastructure.

She also pointed to the interconnected nature of the global financial system, arguing that vulnerabilities in one jurisdiction can have wider implications. Because financial systems are closely linked across borders, weaknesses in cybersecurity protections may create risks beyond the countries where they originate.

In addition to cooperation, Georgieva stressed the importance of investing in cyber resilience. She said governments should consider cybersecurity requirements when planning public spending and ensure that sufficient resources are available to strengthen defences against evolving threats.

Her remarks align with broader concerns raised by financial authorities regarding the growing role of AI in cybersecurity. While advanced models may help identify vulnerabilities and improve defensive capabilities, they may also lower barriers for conducting sophisticated cyber operations. Financial institutions and regulators have increasingly examined how to strengthen preparedness and resilience in response to these developments.

Georgieva also referred to broader risks associated with rapid AI adoption, including the potential for market volatility driven by changing expectations for AI technologies. She described such risks as low-probability but potentially high-impact events.

The IMF has previously highlighted the economic implications of AI, including its potential effects on labour markets and productivity. Georgieva has argued that governments should prepare for significant technological change while ensuring that the benefits of AI are broadly shared.

Why does it matter?

The comments in Brussels place cybersecurity and financial resilience at the centre of ongoing discussions about AI governance. As governments, regulators, and financial institutions continue to assess the implications of increasingly capable AI systems, questions around international cooperation, preparedness, and cyber resilience are expected to remain a key focus of policy discussions.


Cyber Europe 2026 tests EU response to large-scale cyber crises

The EU Agency for Cybersecurity has led Cyber Europe 2026, a two-day exercise testing Europe’s response to large-scale cyberattacks on rail and maritime transport networks.

The exercise, held on 10 and 11 June, brought together more than 5,000 participants from national cybersecurity agencies, EU and EFTA public and private sector organisations, EU entities and industry. It was designed to strengthen cyber preparedness and test the continuity of essential services during a major crisis affecting interconnected transport systems.

The scenario simulated coordinated attacks on critical maritime and railway infrastructure across Europe. Port logistics and navigation systems were compromised, cargo movements were halted, and safety risks emerged. Railway networks were also disrupted, with cross-border trains frozen and passengers and supplies delayed.

Participants also had to respond to ransomware attacks affecting transport authorities and ticketing services, as well as exposure of sensitive passenger and emergency information. ENISA said the scenario required information-sharing and coordination at technical, operational and political levels.

Cyber Europe 2026 also tested the EU Cybersecurity Blueprint, revised in 2025 to strengthen crisis management for large-scale incidents. For the first time, the EU Cybersecurity Reserve was tested under Cyber Europe, using a scenario that required participants to follow ENISA procedures for activating incident response support under the mechanism.

ENISA said findings from the exercise will be analysed in after-action reports to identify weaknesses and improve Europe’s preparedness and response processes.

Why does it matter?

The exercise shows how cyber incidents affecting transport infrastructure can quickly move beyond technical disruption into broader economic, safety and crisis-management risks. Ports, railways, logistics systems, ticketing platforms and navigation tools are increasingly interconnected, often combining legacy operational technology with modern digital systems. Testing EU-level coordination matters because attacks on transport networks can affect trade, military mobility, emergency response and public trust across borders.


Singapore warns of Microsoft impersonation scams causing major losses

The Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have warned the public about technical support scams that impersonate Microsoft. Authorities said at least 10 cases had been reported since February 2026, with total losses exceeding S$1.7 million.

In this scam variant, victims typically encounter a pop-up alert in their web browser. The alert falsely appears to originate from Microsoft and claims that the user’s device has been hacked or compromised.

Victims are then instructed to contact a so-called technical support officer through an internet-based phone number. After making contact, victims may be transferred to another scammer posing as a police officer, who claims that their device has been used for criminal activities such as money laundering.

Authorities in Singapore said victims may be instructed to make bank transfers, provide banking credentials, or grant remote access to their devices. In some cases, scammers asked victims to download remote access applications or click links that allowed them to take control of bank accounts.

SPF and CSA advised members of the public to verify alerts through official software provider channels. They noted that Microsoft does not include phone numbers in error or warning messages, and that users should not call numbers displayed in suspicious pop-ups or click links or buttons within such alerts.

People who believe they have fallen victim to the scam are advised to disconnect their computer from the internet, contact their bank, remove applications installed under the scammer’s instructions, and run an anti-virus scan. They should also change passwords and banking credentials using a trusted device, remove unauthorised payees, and report the incident to the police and CSA’s SingCERT.

Why does it matter?

Technical support scams remain one of the most effective forms of cyber-enabled fraud because they combine social engineering, impersonation and remote access techniques. By exploiting trust in well-known brands such as Microsoft and creating a sense of urgency, scammers can persuade victims to hand over sensitive information or direct access to their devices.

The cases also highlight how cybersecurity and financial security are increasingly interconnected. Basic cyber hygiene practices, such as verifying security alerts through official channels, avoiding unsolicited remote access requests and reporting incidents quickly, can help prevent account compromise and reduce financial losses.


Japan strengthens generative AI procurement guidelines

Japan has approved updated guidelines for the procurement and use of generative AI across government information systems, strengthening governance and risk-management requirements for public administration.

The revised document, titled ‘The Guideline for Japanese Government’s Procurements and Utilizations of Generative AI for the sake of Evolution and Innovation of Public Administration’, was approved on 12 June 2026 by the Council for the Promotion of a Digital Society Executive Board Meeting.

The guidelines update a first version adopted in May 2025 and reflect advances in generative AI technologies, expanded government use cases and domestic and international AI policy developments. They are intended to promote the use of generative AI in government while setting rules for governance, procurement, development, operation and use.

The document covers generative AI systems and models, large language models, AI governance frameworks, high-risk generative AI projects, Chief AI Officers and risk management throughout the lifecycle of government AI systems.

Each ministry and agency is expected to promote the use of generative AI while assessing risks for specific use cases. Chief AI Officers will be responsible for centrally managing generative AI systems, including planning, administrative data handling, procurement, operation and risk cases.

The guidelines also set out a framework for high-risk uses of generative AI. Chief AI Officers must assess risk classifications with planners, use a high-risk project assessment tool and report likely high-risk projects to the Advanced AI Utilization Advisory Board, including project details, objectives, mitigation measures and quality assurance plans.

Why does it matter?

Japan’s update shows how governments are moving from experimentation with generative AI towards formal operating rules for public-sector deployment. The guidelines link AI adoption to procurement controls, lifecycle governance, high-risk assessment and institutional accountability through Chief AI Officers. That matters because public administrations are under pressure to use GenAI to improve services and efficiency, while also managing risks related to security, administrative decision-making, personal data, intellectual property, and public trust.


EU tests cyber crisis response for rail and maritime networks

The European Commission has carried out Cyber Europe 2026, a large-scale cybersecurity exercise testing how Europe would respond to attacks on rail and maritime transport networks.

Organised by the EU Agency for Cybersecurity, the exercise took place on 10 and 11 June and involved around 5,000 experts from across the EU, industry and partner countries. Participants included cybersecurity specialists from the public and private sectors, policymakers, the EU institutions and representatives from the UK, Norway, Switzerland and Ukraine.

The scenario simulated cyberattacks on Europe’s rail and maritime networks, causing severe operational disruption and escalating into a wider cybersecurity crisis. The exercise was designed to test coordination between authorities, industry and institutions during a major cross-border incident affecting critical transport infrastructure.

Cyber Europe 2026 was also the first EU-wide test of the 2025 EU Cyber Blueprint, which clarifies roles and responsibilities during a cyber crisis. The exercise also tested the Cybersecurity Reserve, created under the Cyber Solidarity Act to provide support during significant cybersecurity incidents.

The Commission said lessons from the exercise will help consolidate the Cyber Blueprint and embed cyber crisis management more firmly into the EU’s wider emergency preparedness and response frameworks.

Why does it matter?

Transport networks are critical infrastructure, and cyber incidents affecting ports, railways or logistics systems can disrupt trade, supply chains, military mobility and emergency response across borders. Cyber Europe 2026 is important because it tests not only technical response, but also EU-level coordination, crisis decision-making and support mechanisms under newer cyber resilience tools such as the Cyber Blueprint and Cybersecurity Reserve.


Europol-backed operation dismantles crypto laundering service used by ransomware gangs

An international law enforcement operation has dismantled a cryptocurrency laundering service allegedly used by ransomware gangs and cybercriminal networks to process more than €336 million in illicit funds.

The platform, known as ‘AudiA6’, is suspected of laundering proceeds from ransomware attacks, large-scale cryptocurrency thefts and other cybercrime activity between 2022 and 2025. Europol said the service was linked through its analysis to more than 15 international cybercrime investigations.

The coordinated action, supported by Europol and Eurojust, led to the arrest of two alleged administrators in Georgia. Authorities also took down 25 domains, seized more than 30 servers, blocked Telegram accounts used by the network and froze or seized cryptocurrency assets worth more than €778,000.

Investigators allege that the service used thousands of fraudulent exchange accounts created with stolen or purchased identities. Criminal clients allegedly transferred cryptocurrency to wallets controlled by the group and received laundered funds through complex transaction chains designed to obscure the money trail.

Authorities also confiscated more than 80 vehicles and several properties in Georgia. Europol said the case highlights how specialised money laundering services help sustain ransomware and other forms of cybercrime by making it easier for criminal groups to cash out stolen digital assets.

Why does it matter?

Crypto laundering services are a key part of the cybercrime economy because they allow ransomware groups and other attackers to turn stolen digital assets into usable funds. Disrupting such infrastructure can weaken criminal business models. Still, the case also shows why cybercrime investigations increasingly require cooperation between cyber units, financial investigators, prosecutors, crypto exchanges and cross-border law enforcement agencies.


Canada introduces Safe Social Media Act targeting online harms and AI chatbots

Canada has introduced the Safe Social Media Act, legislation that would establish new online safety requirements for social media platforms and certain AI chatbot services. Bill C-34 aims to make regulated services more accountable for addressing online harms before they occur.

The Safe Social Media Act would create a new legislative and regulatory framework through the proposed Digital Safety Act. Regulated services would be required to identify, assess and mitigate risks on their platforms, implement safety-by-design features, make user guidelines easily accessible, provide tools such as blocking and reporting mechanisms, and publish Digital Safety Plans.

The bill would prohibit children under the age of 16 from holding social media accounts. Social media services could seek an exemption if they demonstrate that sufficient safeguards for children are in place.

The Safe Social Media Act is organised around three core duties: a Duty to Protect Children, a Duty to Act Responsibly and a Duty to Make Certain Content Inaccessible. Social media services would be required to assess and mitigate risks associated with seven categories of harmful content, including child sexual victimisation, content inducing a child to self-harm, cyberbullying, hatred, violence, terrorism or violent extremism, and intimate content shared without consent.

Regulated social media services would also be required to make certain content inaccessible to users in Canada, including content that sexually victimises a child or revictimises a survivor, and intimate content communicated without consent, including sexualised deepfakes. The government said these categories can cause substantial and lasting harm even when a single item is shared.

Under the proposed legislation, AI chatbot services would be subject to a tailored Duty to Act Responsibly. The proposed requirements include mitigating the risk that chatbots communicate harmful content, being transparent about reporting thresholds in crisis situations, and reducing the risk of harmful chatbot behaviour.

The legislation would establish an independent Digital Safety Commission of Canada responsible for enforcing the framework, assessing compliance, conducting audits and inspections, issuing compliance orders and imposing administrative monetary penalties. The Commission would also handle certain complaints, develop guidance and support research on online safety best practices.

Why does it matter?

The Safe Social Media Act reflects a growing international shift towards preventative online safety regulation. Rather than focusing solely on the removal of illegal content after it appears, the proposed framework would require platforms and AI services to assess risks proactively and implement measures designed to reduce harm before it occurs.

The inclusion of AI chatbot services is particularly notable, as governments worldwide are increasingly examining the safety implications of generative AI systems. If adopted, the legislation could position Canada among the first countries to apply a comprehensive online safety framework that combines platform accountability, child protection measures and AI-specific obligations under a single regulatory regime.


ILO highlights child protection risks amid digital transformation

The International Labour Organization (ILO), together with UNICEF and the Food and Agriculture Organization (FAO), used a high-level roundtable in Türkiye to highlight the growing connection between digital transformation and child protection.

While the event focused primarily on eliminating child labour, discussions also examined the opportunities and risks associated with rapid technological change.

ILO Türkiye Director Yasser Hassan noted that digital transformation can support economic development, productivity growth and poverty reduction. However, he warned that rapidly evolving technologies may also expose children to new forms of exploitation, including technology-enabled commercial sexual exploitation and other online harms.

Participants stressed that child protection considerations should be incorporated into the design, deployment and governance of digital technologies from the outset. The discussion reflected growing international concern that digitalisation can create new vulnerabilities alongside economic opportunities, particularly for children and young people.

The ILO roundtable also highlighted Türkiye’s broader policy agenda, including digital transformation initiatives within the National Employment Strategy 2025–2028. Stakeholders emphasised the importance of ensuring that digital innovation is accompanied by education, social protection, labour rights protections and child safeguarding measures.

Why does it matter?

The discussion reflects an increasingly important policy debate: how digital transformation can be harnessed while protecting vulnerable groups from emerging risks.

As governments, businesses and international organisations accelerate the adoption of AI, digital platforms and connected technologies, concerns about online child exploitation, digital rights and technology governance are becoming more prominent.
