Cybersecurity

European Union unveils tech sovereignty plan to boost digital independence

The European Commission has presented a European Technological Sovereignty Package aimed at strengthening Europe’s capacity in semiconductors, AI, cloud infrastructure, and open source technologies.

The package includes two legislative proposals, the Chips Act 2.0 and the Cloud and AI Development Act, alongside an Open Source Strategy and a Strategic Roadmap for Digitalisation and AI in Energy.

The Commission said the measures are designed to support Europe’s ambition to become an AI continent, strengthen digital autonomy, build a more sustainable digital future, and widen choice in core technologies for businesses, citizens, and public administrations.

Rising global demand for computing capacity, driven by the spread of AI, has intensified concerns over Europe’s dependence on non-EU suppliers for core digital technologies. The Commission said the package is intended to reduce structural dependencies and ensure Europe can develop, deploy, and secure the technologies it relies on.

The proposed Chips Act 2.0 aims to strengthen Europe’s semiconductor capabilities, while the Cloud and AI Development Act focuses on expanding cloud and AI infrastructure. The Open Source Strategy is intended to support Europe’s software ecosystem, and the energy roadmap links digitalisation and AI to a more sustainable energy system.

Commission President Ursula von der Leyen said Europe cannot afford to depend on others for technologies that keep hospitals running, energy grids stable, and services secure. She said the package is about protecting citizens, defending European interests, and making independent technological choices.

Why does it matter?

The package brings several major EU technology priorities under one sovereignty agenda. By linking chips, cloud, AI infrastructure, open source, and energy digitalisation, the Commission is trying to reduce structural dependencies while strengthening Europe’s capacity to build, deploy, and secure critical technologies. The key test will be whether legislative proposals and strategies translate into investment, infrastructure, and industrial scale.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Anthropic offers ENISA access to advanced AI security model

Anthropic has invited the European Commission to facilitate access for ENISA, the EU agency for cybersecurity, to its cybersecurity-focused AI model Mythos, according to Bloomberg. The invitation followed a meeting between Anthropic and the Commission in San Francisco on 29 May. The EU must now establish a mechanism with appropriate security safeguards before access can be implemented; an ENISA official confirmed the agency does not currently have active access.

Anthropic unveiled Mythos in April, describing it as a model capable of identifying and exploiting cybersecurity vulnerabilities at a level that surpasses most human experts. Bloomberg reported on 2 June that ENISA was set to receive access to the model.

European Commission spokesperson Thomas Regnier welcomed the development, saying that access could help authorities build a clearer understanding of potential risks as increasingly capable AI models enter the market. The invitation follows calls from European policymakers and cybersecurity officials for greater access to advanced AI systems and for the development of comparable European capabilities.

Why does it matter?

The emergence of AI models capable of identifying software vulnerabilities at scale is reshaping cybersecurity risk assessments for governments, regulators and critical infrastructure operators. Access to such systems can help authorities better understand their capabilities, evaluate potential threats and develop appropriate safeguards.

For the EU, granting ENISA access to Mythos could support evidence-based policymaking and strengthen preparedness as increasingly powerful cybersecurity-focused AI models become available. The move also highlights a broader challenge: ensuring that public institutions can keep pace with rapidly advancing AI capabilities.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Supply chain attack compromises Red Hat software packages on npm

Security researchers at Aikido and JFrog identified malicious code in more than 30 software packages published through a verified Red Hat Cloud Services account on npm, the widely used software package repository for developers. The packages are used across cloud application development and are installed by developers and automated systems worldwide.

According to the researchers, the attackers did not initially target individual developers. Instead, evidence suggests they gained access to the automated pipeline used to publish Red Hat Cloud Services packages to npm. Evidence indicates they gained access to the automated pipeline that publishes Red Hat Cloud Services software to npm, allowing them to distribute modified packages through an officially trusted channel. Developers and organisations following standard security practice, only installing software from verified, trusted sources, would have had no reason to suspect these packages.

Systems that installed the affected packages from 1 June onward may have executed hidden malicious code capable of harvesting credentials and transmitting them to the attackers. That code collected a wide range of credentials from the affected machine: access keys for Amazon, Google, and Microsoft cloud services; tokens used in automated software pipelines; passwords stored in cloud-based vaults; and credentials for a range of developer tools. The collected data was then transmitted to the attackers.

Researchers said the malware attempted to disguise its outbound communications by mimicking requests to an Anthropic-related service address, potentially making malicious traffic less conspicuous in network logs. The specific path used does not correspond to any real Anthropic end point, but its appearance in network logs would be inconspicuous at organisations using Anthropic products. Network defenders should treat any automated process contacting that address as a potential indicator of compromise.

The malware also installs persistent background processes that survive system restarts, and embeds hooks into several widely used AI coding assistants and developer tools. Researchers also warned that the malware may delete files if compromised credentials are revoked before the malicious software is fully removed from the affected system. Organisations investigating this incident should remove all traces of the malware before revoking any compromised credentials.

Aikido and JFrog have published a list of affected package versions and recommend treating any system that installed them on or after 1 June 2026 as potentially compromised until investigated.

Why does it matter?

Software supply chain attacks are particularly difficult to defend against because they exploit trusted distribution channels rather than relying on phishing, malware downloads or other forms of user error. In this case, developers and organisations installing software from a verified source could have unknowingly introduced malicious code into their environments.

The incident also highlights growing concerns around the security of software publishing infrastructure. As organisations increasingly depend on open-source components and automated development pipelines, compromises affecting trusted repositories can have far-reaching consequences across cloud environments, development systems and critical digital services.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Hong Kong details rules on online advertisements

Hong Kong’s government has said existing laws cover deceptive online advertisements, including scam-related content, misleading trade practices, and false claims in regulated sectors.

The written reply was issued in the Legislative Council on 3 June in response to a question about pop-up advertisements, programmatic advertising, and AI deepfake scams.

The government said the Trade Descriptions Ordinance prohibits false or misleading descriptions of goods or services, including in advertisements and on online platforms. Traders engaging in bait advertising or other prohibited conduct can face up to five years in prison and a fine of HK$500,000.

The reply also said online advertisements involving deception may fall under the Theft Ordinance. Fraud carries a maximum penalty of 14 years in prison, while obtaining property by deception carries a maximum penalty of 10 years.

Advertisements for specific sectors, including real estate, education, securities, and banking, are also subject to separate laws prohibiting false or misleading claims.

Hong Kong police have been working with online platform operators and conducting regular online patrols. In 2025, police asked social media platforms to remove or review more than 116,000 scam-related pages or accounts.

The government also pointed to Scameter and Scameter+, its scam and pitfall search tools. New features introduced in October 2025 use AI to analyse suspicious website links and web page screenshots reported by the public, and to detect potential scam domain names. Within five months, the tools proactively identified more than 900 fraudulent webpages, while Scameter+ issued more than 320,000 alerts in the first quarter of 2026.

Why does it matter?

The reply shows how Hong Kong is using existing consumer protection, fraud, and sector-specific laws to address online advertising risks, rather than introducing a dedicated online advertising regime for now. The inclusion of AI deepfake scams and AI-assisted Scameter+ detection also highlights how online advertising, platform governance, fraud prevention, and automated enforcement tools are increasingly interconnected.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Hong Kong launches AI-focused cybersecurity initiatives for 2026

Hong Kong’s Digital Policy Office has announced a series of AI-related cybersecurity initiatives for the second half of 2026, following a briefing on cyber resilience and emerging technology risks. The office said it would focus on improving AI security awareness and digital literacy among both organisations and the public.

Planned initiatives include a Secure AI@Work Enablement Campaign, organised with the Hong Kong Internet Registration Corporation, to help enterprises develop secure and compliant AI ecosystems. The Digital Policy Office will also collaborate with industry on an AI x Cybersecurity Challenge focused on AI-powered threat detection, cyber resilience and cybersecurity skills development.

The office said it would continue enterprise support and practical drills, including an enhanced Cybersec One+, the Cybersecurity Service Providers Connect Programme and the third Hong Kong Cybersecurity Attack and Defence Drill. Hong Kong will also consolidate the Cyber Security Summit Hong Kong and the Cybersecurity Symposium into a single Cybersecurity Symposium and Summit in December.

The Cyber Security and Technology Crime Bureau said the volume of cyber threat intelligence related to threats targeting Hong Kong continues to increase. Its Cyber Security Centre analysed more than 330,000 threat intelligence records during the first quarter of 2026, identifying phishing as the most prevalent threat category.

The bureau said it would deepen international law enforcement cooperation, strengthen intelligence sharing with sectors including critical infrastructure, and use AI and big data to improve cyber threat detection, early warning analysis, and incident response. The Hong Kong Police Force and Cyberport have also established the Smart Policing Joint AI Lab to develop technologies for detecting deepfakes and strengthening network defence capabilities.

Why does it matter?

The initiatives reflect growing efforts by governments to address the cybersecurity implications of wider AI adoption. As organisations increasingly integrate AI into business operations, concerns around secure deployment, cyber resilience and workforce readiness are becoming key policy priorities.

The programme also highlights how AI is being used both as a potential source of cyber risk and as a tool for improving threat detection, incident response and cyber defence capabilities.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Anthropic expands AI cybersecurity programme for critical infrastructure

AI company Anthropic has announced a major expansion of Project Glasswing, an initiative aimed at strengthening the security of critical software through AI-assisted vulnerability detection.

After initially providing access to around 50 organisations, the programme will expand to approximately 150 additional partners across more than 15 countries.

Project Glasswing provides selected organisations with access to Claude Mythos Preview, Anthropic’s cybersecurity-focused AI model. According to Anthropic, participating organisations have identified more than 10,000 high- and critical-severity software vulnerabilities through the programme.

The newly added participants include operators and vendors across critical infrastructure sectors such as power, water, healthcare, communications and hardware manufacturing.

Anthropic argues that increasingly capable AI systems could significantly reshape cybersecurity, creating both new defensive opportunities and new risks. The company says future AI models may enable defenders to identify, analyse and remediate vulnerabilities at greater scale, while also potentially enhancing the capabilities available to malicious actors.

Project Glasswing is intended to help critical organisations adapt before such capabilities become widely accessible.

Alongside the expansion, Anthropic said it plans to provide additional cybersecurity tools, support vulnerability remediation efforts and work with industry, governments and open-source software maintainers to strengthen cyber resilience.

Why does it matter?

The expansion of Project Glasswing highlights the growing role of AI in cybersecurity, particularly in vulnerability discovery and software security testing. As critical infrastructure operators face increasingly sophisticated cyber threats, AI-assisted tools may help identify and address security weaknesses more quickly.

At the same time, the initiative reflects broader concerns that advances in AI could benefit both defenders and attackers, increasing the importance of responsible deployment, coordinated security research and resilience planning across critical sectors.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Finland implements national framework for EU Cyber Resilience Act

Finland’s national cyber resilience law entered into force on 1 June, establishing national procedures for implementing the European Union’s Cyber Resilience Act. The Cyber Resilience Act establishes cybersecurity requirements for software and hardware products placed on the EU market.

The law assigns responsibility for implementing key provisions of the Cyber Resilience Act to the National Cyber Security Centre Finland, which operates within the Finnish Transport and Communications Agency (Traficom). The act covers market surveillance, vulnerability reporting, notification of conformity assessment bodies, administrative sanctions, and provisions linked to EU cybersecurity certification.

From 11 September 2026, manufacturers will be required to notify the National Cyber Security Centre Finland of actively exploited vulnerabilities and serious security incidents affecting their products. Notifications must be submitted within 24 hours of the manufacturer becoming aware of the vulnerability or incident.

Products covered by the Cyber Resilience Act must comply with its requirements from 11 December 2027. The requirements apply to manufacturers, importers, distributors, and open-source software stewards, while high-risk AI systems in Finland will be supervised by the authorities responsible for the Artificial Intelligence Act in their respective sectors.

Finland has also amended its Act on Electronic Communications Services to support the implementation of domain name registration requirements under the NIS2 Directive. The new obligations will apply after a three-month transition period and will extend to domain name resellers and certain domain names other than .fi and .ax, where the entity’s main establishment or designated representative is located in Finland.

Why does it matter?

The Cyber Resilience Act represents one of the EU’s most significant efforts to improve cybersecurity across connected products and software. By introducing security-by-design requirements, vulnerability reporting obligations and market surveillance mechanisms, the regulation aims to reduce cybersecurity risks throughout the digital supply chain.

Finland’s implementation measures provide the national framework needed to enforce these requirements, while the related NIS2 amendments further strengthen oversight of critical digital infrastructure and domain name services.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

White House launches new AI security framework for frontier models

US President Donald Trump has signed an executive order aimed at advancing AI innovation while strengthening cybersecurity protections across government networks and critical infrastructure sectors.

The order directs federal agencies to strengthen cyber defences and expand the use of AI-powered security tools. Several federal departments have been given 30-day deadlines to begin implementing additional protections for national security systems, civilian government networks and critical infrastructure operators.

A central element of the initiative is the creation of an AI cybersecurity clearinghouse that will work with technology companies and infrastructure providers to identify software vulnerabilities, coordinate security research and support faster patch deployment.

Federal officials will also examine funding opportunities for projects focused on advanced AI vulnerability detection and expand cybersecurity recruitment programmes.

The executive order also introduces a voluntary framework for developers of advanced AI models. Under the framework, companies may choose to work with the government to determine whether their systems qualify as frontier AI models and provide secure early access for cybersecurity assessments prior to broader deployment.

Administration officials emphasised that the framework does not create mandatory licensing or government approval requirements for the release of new AI technologies.

Why does it matter? 

The order signals a US strategy of accelerating AI development while addressing emerging national security risks, reflecting growing competition among major economies to lead the next generation of advanced technologies.

Its emphasis on voluntary collaboration rather than strict regulation could influence how other countries approach AI governance, innovation and cybersecurity in the years ahead.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Greece advances digital transformation with AI, interoperability and cybersecurity measures

Greece’s Minister of Digital Governance and Artificial Intelligence, Dimitris Papastergiou, has outlined a broad digital transformation agenda in an interview with the newspaper Manifesto, highlighting new legislation, AI deployment, cybersecurity measures and digital public services.

A key element of the agenda is the implementation of the EU’s ‘once-only’ principle, which allows citizens and businesses in Greece to avoid repeatedly submitting the same information to public authorities across the EU. The legislation also introduces more than 800 new interoperability connections between government systems, aiming to reduce bureaucracy and improve service delivery.

Papastergiou highlighted the growing use of AI in public administration, including the mAigov digital assistant, which has handled more than 4.4 million citizen queries. Greece is also investing in AI infrastructure projects, including the Daedalus supercomputer and the Pharos AI Factory, while preparing national legislation aligned with the EU AI Act.

The minister also highlighted a memorandum of understanding with voice AI company ElevenLabs aimed at improving accessibility and public services through voice-based technologies. Additional initiatives include the creation of a Unified Property Hub, stronger anti-phishing measures, a National Malicious Websites Blocking List, the Defective Vehicle Recall Registry and enhancements to the MyStreet application.

On child online safety, Greece plans to introduce age-verification requirements for users under 15 through the Kids Wallet application from January 2027. According to the minister, the system will verify age without exposing or storing unnecessary personal information.

Why does it matter?

Greece’s plans illustrate how governments are increasingly combining AI deployment, digital public services and cybersecurity measures within broader digital transformation strategies.

The initiatives also reflect wider European efforts to improve interoperability, strengthen digital infrastructure, enhance online safety for children and prepare for the implementation of the EU AI Act.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Singapore consults on personal data rules for generative AI

Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation on proposed advisory guidelines governing the use of personal data in generative AI systems. Published on 2 June, the draft guidelines seek feedback on how Singapore’s Personal Data Protection Act (PDPA) applies when personal data is used in the development and deployment of generative AI systems.

The proposed guidelines address the collection and use of personal data for generative AI model development, the allocation of data protection responsibilities across the AI lifecycle, and the handling of individual rights requests relating to personal data. The guidance is organised around development, deployment, and post-deployment stages.

For model development, the draft guidelines clarify how organisations may rely on exemptions for publicly available information when using web-scraped datasets containing personal data. They also set out considerations for data behind digital barriers such as paywalls, registration requirements, authentication mechanisms, and tools that block automated access.

The PDPC proposes that general privacy notices should not be considered sufficient for obtaining consent to use personal data for large-scale AI training or fine-tuning. Organisations would instead be expected to provide AI-specific notices explaining the categories of personal data used, the purpose of the processing, the model’s intended functions, and how individuals can refuse or withdraw consent.

The proposed guidelines also outline responsibilities for model providers, system providers, and system deployers, including retention, protection, purpose limitation, and accountability obligations. The post-deployment guidance addresses access and correction requests while recognising technical challenges associated with large datasets, embeddings, temporary context windows and the removal of specific information from trained models. Interested parties may submit comments to the PDPC by 1 July 2026.

Why does it matter?

The consultation highlights the growing challenge of applying existing data protection laws to generative AI systems that rely on large-scale data collection and model training. Regulators worldwide are increasingly examining how privacy principles such as consent, transparency and purpose limitation should operate in AI development.

Singapore’s proposed guidance could provide an important reference point for organisations developing or deploying generative AI, particularly in areas such as web scraping, AI training datasets and the allocation of responsibilities across the AI value chain.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.