Finland proposes rules for EU Cyber Resilience Act

The Finnish Government has proposed the approval of national provisions supplementing the EU Cyber Resilience Act, which sets cybersecurity requirements for products with digital elements.

The legislation will enter into force on 1 June 2026, with phased application aligned with the Cyber Resilience Act’s transitional periods during 2026 and 2027. The aim is to improve the cybersecurity of connected devices and software placed on the EU market.

The Cyber Resilience Act will be supplemented in Finland by a new national act on the cyber resilience of certain products and cybersecurity certification. The act covers supervision of product-related obligations, notification of conformity assessment bodies under the Cyber Resilience Act, administrative sanctions, and national provisions linked to EU cybersecurity certification.

Market surveillance under the Cyber Resilience Act, along with the designation and supervision of notified bodies, will be assigned to the Finnish Transport and Communications Agency, Traficom. Market surveillance of high-risk AI systems will be carried out by the authorities responsible for supervising compliance with the AI Act, depending on the sector.

Conformity assessment bodies will be able to apply to Traficom from 11 June 2026 to be notified for assessment tasks under the Cyber Resilience Act. Bodies notified by Finland will be able to carry out conformity assessments across the EU member states within their area of competence.

Finland will also add a new chapter to the Act on Electronic Communications Services concerning the collection and disclosure of domain name registration data under the NIS2 Directive. The obligations will extend beyond .fi and .ax domains where the registrar or top-level domain registry is located in Finland, after a three-month transitional period.

The Government said the domain name provisions will complement Finland’s national implementation of NIS2 and improve the availability of registration data, making it easier to tackle illegal activity online.

Why does it matter?

Finland’s legislation shows how EU cybersecurity rules are being translated into national enforcement structures. The Cyber Resilience Act sets product security obligations at the EU level, but member states still need national provisions for supervision, notified bodies, sanctions, and certification. The added NIS2 domain registration rules also show how cybersecurity implementation is expanding beyond products into online infrastructure and data availability for enforcement.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

GCHQ outlines AI-driven cyber defence programme for protecting critical infrastructure

The UK’s signals intelligence agency GCHQ has announced plans to develop an AI-powered national cyber defence capability that would use autonomous software agents to identify and respond to cyber threats at machine speed. Speaking publicly, GCHQ director Anne Keast-Butler described the initiative as a ‘blueprint for a new national cyber defence capability’ to be operational within five years.

The programme would apply agentic AI to monitor and protect critical sectors including energy, water, healthcare, transport, and financial services. According to Keast-Butler, advances in AI are accelerating the discovery of software vulnerabilities, increasing pressure on defenders to identify and mitigate risks more quickly.

UK Security Minister Dan Jarvis had previously outlined the national cyber shield concept in April, noting that protecting critical infrastructure in an AI-enabled environment would require approaches beyond standard commercial security products. The Cabinet Office has since approached AI companies to contribute to the development of these capabilities.

GCHQ is separately integrating AI into its intelligence analysis workflows, including language translation and large-scale data processing.

Alongside the cyber defence announcement, Keast-Butler addressed two further technical priorities. On quantum computing, she noted that post-quantum encryption is now an active planning requirement rather than a future consideration, pointing to National Cyber Security Centre guidance on transitioning to quantum-resistant algorithms. On space, she observed that the volume of orbital infrastructure has grown substantially — over 10,000 new objects launched in three years — with GCHQ working to secure space-based systems that underpin data transmission globally.

GCHQ’s Mathematics directorate is developing new cryptographic methods suited to the post-quantum environment, building on the agency’s role in pioneering public-key cryptography in the 1970s.

Taken together, the announcements suggest a broader role for GCHQ, combining intelligence, cybersecurity, cryptography and infrastructure protection as part of the UK’s wider digital resilience strategy.


Germany approves draft law expanding cyber defense powers for federal authorities

Germany’s federal cabinet has approved draft legislation that would expand cyber defence capabilities for three federal agencies: the Federal Office for Information Security (BSI), the Federal Criminal Police Office (BKA), and the Federal Police (Bundespolizei). The draft is part of a broader effort to strengthen the country’s response to cyber threats.

Under the proposal, authorities would be able to block or disrupt software and server infrastructure used in cyberattacks, including systems located outside Germany. The BSI would also receive expanded authority to collect, store, and analyse data to detect activities indicative of attack preparation. Telecommunications providers and major digital platforms would be required to relay BSI warnings about identified threats directly to users.

The government describes the measures as ‘active cyber defence,’ arguing that they are intended to stop or disrupt ongoing attacks rather than conduct retaliatory cyber operations. Current practice involves redirecting attacks to isolated network areas; the new framework would instead authorize direct action against attacker-controlled systems.

According to the Federal Situation Report on Cybercrime 2025, presented by Federal Interior Minister Alexander Dobrindt and the Vice President of the Federal Criminal Police Office, Martina Link, Germany is among Europe’s most frequently targeted countries for cyberattacks.

Federal authorities in Germany have documented sustained campaigns against industrial companies, small and medium-sized enterprises, research institutions, government bodies, and political parties, with a portion attributed to state-affiliated actors.

The draft will now proceed to parliamentary debate. It requires a legislative vote before entering into force.

Why does it matter?

The proposal reflects a broader shift among governments toward more proactive cybersecurity strategies as cyberattacks become increasingly frequent and sophisticated. Rather than focusing solely on defending networks, authorities are seeking legal powers to disrupt malicious infrastructure before attacks cause significant harm.

The legislation also raises important questions about the scope of state cyber powers, oversight mechanisms, and the legal implications of taking action against infrastructure located outside national borders. If adopted, it would mark one of Germany’s most significant cybersecurity policy changes in recent years.


NATO formalises cyber partnerships with Microsoft, Palo Alto Networks and ESET

NATO has announced strategic partnerships with Microsoft, Palo Alto Networks and ESET during the International Conference on Cyber Conflict (CyCon) in Tallinn, Estonia. The non-commercial agreements are intended to facilitate information sharing, the exchange of best practices and coordination on cyber incidents of mutual concern.

The partnerships follow a commitment made at the 2023 NATO Summit in Vilnius, where member states agreed to expand structured cooperation with private-sector cyber companies. Speaking at CyCon, NATO Assistant Secretary General for Cyber and Digital Transformation Jean Charles Ellermann-Kingombe said effective cyber defence depends on both technical capabilities and shared norms, particularly as attacks on critical infrastructure become more frequent and cyber threats evolve.

The three companies bring distinct capabilities: Microsoft operates one of the largest threat intelligence networks globally; Palo Alto Networks specialises in enterprise network and cloud security; and ESET is one of the major providers of endpoint protection with significant presence in Central and Eastern Europe.

The 2026 CyCon edition, themed ‘Securing Tomorrow,’ runs 26–29 May and convenes approximately 800 participants — including policymakers, technical experts, academics, and industry representatives — from 48 countries. The conference is organised annually by NATO’s Cooperative Cyber Defence Centre of Excellence, based in Tallinn.

Why does it matter?

Governments increasingly rely on cooperation with private-sector cybersecurity companies to identify threats, protect critical infrastructure and respond to cyber incidents. The partnership reflects NATO’s recognition that much of the expertise, threat intelligence and digital infrastructure relevant to cyber defence is operated by industry.

The agreements also signal a broader effort by the alliance to strengthen cyber resilience and improve coordination as cyber threats become more sophisticated and increasingly target both civilian and military systems.


ENISA identifies risk zone sectors in EU cybersecurity assessment

The European Union Agency for Cybersecurity has released its 2026 NIS360 report, assessing the cybersecurity maturity and criticality of high-criticality sectors under the NIS2 Directive.

The report says cybersecurity maturity across EU critical sectors has steadily improved as organisations respond to evolving policy requirements and cyber threats. Banking, electricity, and telecommunications remain among the most mature and critical sectors, while trust services, aviation, and financial market infrastructures have moved into the high maturity band.

Gas, road, maritime, and health strengthened their maturity within the moderate band, although ENISA says progress remains uneven across and within sectors. Factors behind the differences include skills shortages, sector-specific characteristics, and organisational size.

The report identifies a ‘risk zone’ covering sectors with lower-than-average maturity and criticality that exceeds their maturity. ENISA lists health, railway, maritime, ICT management services, space, public administrations, and drinking and wastewater as risk-zone sectors, while gas has started moving out of the category.

ENISA says improvements have been driven by cybersecurity legislation, increased political attention, information sharing, collaboration, and operational preparedness. Regulation, including the NIS2 Directive and the Digital Operational Resilience Act, has helped increase investment and encouraged organisations to address vulnerability management, business continuity, disaster recovery, and supply-chain risk.

The report also points to AI, supply-chain and third-party exposure, and geopolitical volatility as major dynamics shaping the cybersecurity environment. ENISA says AI can improve threat detection and response, but can also support more convincing social engineering, shorter exploitation timelines, and broader access to offensive capabilities.

Why does it matter?

The NIS360 report gives EU policymakers a comparative view of where cybersecurity maturity is improving and where critical sectors remain underprepared. The risk-zone concept is especially useful because it identifies sectors whose importance to society and the economy exceeds their current level of cyber readiness. That makes the report relevant for NIS2 implementation, national supervision, investment priorities, and resilience planning across sectors such as health, public administration, transport, space, and water.


Australian privacy concerns rise as trust in AI companies falls

The Office of the Australian Information Commissioner has released a major survey showing that privacy concerns are rising across Australia, while public trust in AI companies and social media remains extremely low.

The Australian Community Attitudes to Privacy Survey, conducted every three years, found that 87% of respondents are more concerned about privacy than they were five years ago. The survey examines Australians’ privacy attitudes and experiences, including how recent events have shaped public expectations.

Trust was especially low for emerging and data-intensive sectors. Only 4% of respondents said they trusted AI companies, while 3% said the same for social media. Trust also declined across the insurance, telecommunications, technology, retail, and real estate sectors, while remaining highest for health service providers and Australian Government agencies.

Launching the report at the Data Privacy & Consumer Protection Summit 2026, Australian Privacy Commissioner Carly Kind said Australians’ expectations about privacy continue to sharpen as the information ecosystem becomes more complex, data-intensive, and difficult to navigate.

The OAIC said privacy complaints have increased by 73% year to date. Kind said trust is uneven across sectors and that wariness of emerging technologies is increasing, particularly around fairness, accountability, and the practical ability to exercise rights.

The survey also found that 68% of Australians would be more likely to use digital services requiring personal information if they knew their data was handled fairly and responsibly. Another 92% said data collection could be acceptable under certain conditions, including a clear purpose, consent or opt-in, limited collection, and the ability to opt out of non-essential data collection.

Kind said Australians want greater transparency in understanding their privacy rights and how their information is used, adding that improving transparency would help safeguard a healthy, informed, and vibrant democracy.

Why does it matter?

The survey shows that trust is becoming a central barrier to digital adoption, especially for AI and social media services. While Australians are willing to share data under fair and transparent conditions, the very low levels of trust in AI companies suggest that privacy, accountability, and explainability will be critical for public acceptance of emerging technologies.


UN Human Rights Office issues guidelines on child safety online

The UN Human Rights Office has called for stronger action by governments and technology companies to improve children’s safety online, warning that social media bans alone are unlikely to address the underlying causes of digital harms.

In a statement accompanying the release of new guidelines on child safety online, UN High Commissioner for Human Rights Volker Türk said children continue to face risks to their safety, privacy and well-being in digital environments, many of which stem from platform design choices and business practices.

‘The digital world that connects children to learning, community, and creativity also exposes them to real risks to their safety, privacy, and well-being,’ Türk said.

He argued that harms are not inevitable but are often linked to features designed to maximise engagement, including infinite scrolling, autoplay functions and persistent notifications.

The Office’s new guidance, Getting Children’s Safety Online Right, outlines a human rights-based approach to regulating digital platforms and protecting minors online. The guidelines come as governments around the world increasingly consider age-based restrictions on access to social media services.

Türk cautioned against treating such measures as a comprehensive solution. According to the guidelines, restrictions on children’s access to online services should be targeted at clearly identified harms and accompanied by broader measures addressing platform design, accountability and data protection.

The guidance recommends that governments require technology companies to incorporate safety protections into products and services from the outset. It also calls for mandatory child rights impact assessments, safeguards around age-verification systems, greater transparency from companies, stronger oversight mechanisms and access to remedies when children’s rights are violated.

The High Commissioner warned that regulations focused solely on age thresholds may leave unchanged the recommendation systems, algorithms and platform features that can contribute to harmful online experiences.

The guidelines also raise concerns about the privacy implications of poorly designed age-verification systems. According to the Office, such systems could fail to achieve their intended objectives while simultaneously increasing risks to the privacy of both children and adults.

The publication comes amid a growing international debate over children’s access to social media. Australia adopted legislation in late 2025 restricting access to social media platforms for users under 16, while Indonesia and Malaysia have introduced age-based restrictions. Several other countries are considering similar measures.

Türk also noted that existing experience suggests that social media bans can be circumvented and may unintentionally encourage children to migrate to less regulated or less monitored online spaces.

The UN Human Rights Office said effective child protection requires a broader approach that combines regulation, accountability, privacy safeguards and child participation in policymaking processes.


ChatGPT down as users report login and conversation issues

OpenAI reported two resolved incidents affecting ChatGPT on 29 May, following user reports of issues with conversations, logins, and account creation.

The first incident affected users trying to log in or create an account. OpenAI classified the issue as degraded performance affecting ChatGPT and APIs. The company began investigating at 03:12 a.m., applied a mitigation at 03:28 a.m., and marked the incident resolved at 04:57 a.m.

A second incident affected ChatGPT conversations. OpenAI began investigating the issue at 03:18 a.m., applied a mitigation at 03:29 a.m., and marked the incident resolved at 04:58 a.m. The company said all impacted services had fully recovered.

OpenAI’s official status page listed both incidents as degraded performance rather than a full outage. The company did not provide further details on the cause of either disruption in the incident updates.

The brief disruption highlights the growing reliance on AI services for daily work, communication, and software development, as even short periods of degraded performance can affect users and organisations that depend on cloud-based AI tools.

Why does it matter?

The incidents show how widely used AI services are becoming part of everyday digital infrastructure. Even brief login or conversation failures can disrupt work for individuals, developers, businesses, and teams that rely on ChatGPT and related API services.


UK and Poland deepen cyber and defence cooperation under new treaty

The United Kingdom and Poland have agreed a broad package of defence, cybersecurity and security initiatives under a new Security and Defence Partnership Treaty. The agreement strengthens cooperation on defence, sanctions, border security, technology and energy resilience.

Defence cooperation is a central element of the treaty, with both countries planning joint work on missile systems, expanded ammunition production and closer defence-industrial cooperation.

Large-scale military exercises focused on counter-drone operations, electronic warfare and missile defence are also expected to strengthen interoperability between British and Polish forces on NATO’s eastern flank.

Cybersecurity and hybrid threat response feature heavily in the agreement. Britain and Poland plan to coordinate cybersecurity efforts, sanctions enforcement and responses to foreign information manipulation and interference.

A new counter-hybrid working group will support efforts to disrupt hostile state activity, while dedicated cooperation on disinformation aims to strengthen democratic resilience and expose coordinated influence campaigns.

Additional projects include cooperation on irregular migration, maritime security, science and technology, healthcare resilience and clean energy transition. The agreement also includes cooperation on quantum technologies, digital innovation, space security and hydrogen development to strengthen economic and security resilience.

Why does it matter? 

The treaty reflects a broader trend in European security policy, where cybersecurity, technology resilience, energy security and defence are increasingly treated as interconnected challenges.

As concerns grow over hybrid threats, disinformation campaigns and critical infrastructure vulnerabilities, governments are seeking closer cooperation across both military and civilian domains.

Cooperation on missile production, sanctions enforcement, disinformation response and emerging technologies signals a long-term effort to strengthen Europe’s eastern flank while reducing dependence on fragmented supply chains and external strategic vulnerabilities.


Singapore warns of cybersecurity risks from autonomous AI agents

Singapore’s Cyber Security Agency (CSA) has issued an advisory warning that autonomous AI agents, including OpenClaw, can pose serious cybersecurity risks if deployed without appropriate safeguards.

The advisory references an Infocomm Media Development Authority (IMDA) case study on the responsible deployment of OpenClaw and highlights risks associated with AI agents that can understand context, plan tasks, use external tools, and act on behalf of users.

CSA said such agents can offer productivity benefits but may expose users and organisations to risks, including unpatched vulnerabilities, weak access controls, sensitive data exposure, malicious third-party skills, and memory poisoning.

The agency warned that unresolved risks could lead to agent hijacking, unauthorised actions through tool or API abuse, and unauthorised access to systems or data. It cited the IMDA case study’s warning that ‘accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked’.

For individuals, CSA recommends avoiding OpenClaw’s open-source form on devices containing sensitive data, running it under least-privileged accounts, installing skills only from trusted sources, keeping sensitive data out of reach, requiring human approval for high-risk actions, and promptly applying updates.

For organisations, the advisory calls for stronger safeguards, including Zero Trust principles, narrowly scoped agents, dedicated and regularly rotated credentials, policy-enforcing proxies, persistent logging, human approval for irreversible actions, negative testing before deployment, and recovery from a known-good baseline after compromise.

CSA also noted that variants, including NanoClaw and Nvidia’s NemoClaw, have emerged since OpenClaw’s launch. It said organisations requiring agentic AI capabilities should evaluate whether such variants meet their performance and security requirements, as safeguards for agentic AI are still maturing.

Why does it matter?

Agentic AI systems are increasingly being deployed to automate tasks that involve access to data, software tools, and online services. Singapore’s advisory highlights growing concerns that autonomous agents can create new attack surfaces if security controls, oversight mechanisms, and access restrictions are not built into deployments from the start.

The guidance also reflects broader efforts by governments and regulators to develop security practices for rapidly evolving AI systems.
