Germany approves draft law expanding cyber defense powers for federal authorities

Germany’s federal cabinet has approved draft legislation that would expand cyber defence capabilities for three federal agencies, the Federal Office for Information Security (BSI), the Federal Criminal Police Office (BKA), and the Federal Police (Bundespolizei), as part of a broader effort to strengthen the country’s response to cyber threats.

Under the proposal, authorities would be able to block or disrupt software and server infrastructure used in cyberattacks, including systems located outside Germany. The BSI would also receive expanded authority to collect, store, and analyse data to detect activities indicative of attack preparation. Telecommunications providers and major digital platforms would be required to relay BSI warnings about identified threats directly to users.

The government describes the measures as ‘active cyber defence,’ arguing that they are intended to stop or disrupt ongoing attacks rather than conduct retaliatory cyber operations. Current practice involves redirecting attacks to isolated network areas; the new framework would instead authorize direct action against attacker-controlled systems.

According to the Federal Situation Report on Cybercrime 2025, presented by Federal Interior Minister Alexander Dobrindt and the Vice President of the Federal Criminal Police Office, Martina Link, Germany is among Europe’s most frequently targeted countries for cyberattacks.

Federal authorities in Germany have documented sustained campaigns against industrial companies, small and medium-sized enterprises, research institutions, government bodies, and political parties, with a portion attributed to state-affiliated actors.

The draft will now proceed to parliamentary debate. It requires a legislative vote before entering into force.

Why does it matter?

The proposal reflects a broader shift among governments toward more proactive cybersecurity strategies as cyberattacks become increasingly frequent and sophisticated. Rather than focusing solely on defending networks, authorities are seeking legal powers to disrupt malicious infrastructure before attacks cause significant harm.

The legislation also raises important questions about the scope of state cyber powers, oversight mechanisms, and the legal implications of taking action against infrastructure located outside national borders. If adopted, it would mark one of Germany’s most significant cybersecurity policy changes in recent years.

NATO formalises cyber partnerships with Microsoft, Palo Alto Networks and ESET

NATO has announced strategic partnerships with Microsoft, Palo Alto Networks and ESET during the International Conference on Cyber Conflict (CyCon) in Tallinn, Estonia. The non-commercial agreements are intended to facilitate information sharing, the exchange of best practices and coordination on cyber incidents of mutual concern.

The partnerships follow a commitment made at the 2023 NATO Summit in Vilnius, where member states agreed to expand structured cooperation with private-sector cyber companies. Speaking at CyCon, NATO Assistant Secretary General for Cyber and Digital Transformation Jean Charles Ellermann-Kingombe said effective cyber defence depends on both technical capabilities and shared norms, particularly as attacks on critical infrastructure become more frequent and cyber threats evolve.

The three companies bring distinct capabilities: Microsoft operates one of the largest threat intelligence networks globally; Palo Alto Networks specialises in enterprise network and cloud security; and ESET is one of the major providers of endpoint protection with significant presence in Central and Eastern Europe.

The 2026 CyCon edition, themed ‘Securing Tomorrow,’ runs 26–29 May and convenes approximately 800 participants — including policymakers, technical experts, academics, and industry representatives — from 48 countries. The conference is organised annually by NATO’s Cooperative Cyber Defence Centre of Excellence, based in Tallinn.

Why does it matter?

Governments increasingly rely on cooperation with private-sector cybersecurity companies to identify threats, protect critical infrastructure and respond to cyber incidents. The partnership reflects NATO’s recognition that much of the expertise, threat intelligence and digital infrastructure relevant to cyber defence is operated by industry.

The agreements also signal a broader effort by the alliance to strengthen cyber resilience and improve coordination as cyber threats become more sophisticated and increasingly target both civilian and military systems.

ENISA identifies risk zone sectors in EU cybersecurity assessment

The European Union Agency for Cybersecurity has released its 2026 NIS360 report, assessing the cybersecurity maturity and criticality of high-criticality sectors under the NIS2 Directive.

The report says cybersecurity maturity across EU critical sectors has steadily improved as organisations respond to evolving policy requirements and cyber threats. Banking, electricity, and telecommunications remain among the most mature and critical sectors, while trust services, aviation, and financial market infrastructures have moved into the high maturity band.

Gas, road, maritime, and health strengthened their maturity within the moderate band, although ENISA says progress remains uneven across and within sectors. Factors behind the differences include skills shortages, sector-specific characteristics, and organisational size.

The report identifies a ‘risk zone’ covering sectors with lower-than-average maturity and criticality that exceeds their maturity. ENISA lists health, railway, maritime, ICT management services, space, public administrations, and drinking and wastewater as risk-zone sectors, while gas has started moving out of the category.

ENISA says improvements have been driven by cybersecurity legislation, increased political attention, information sharing, collaboration, and operational preparedness. Regulation, including the NIS2 Directive and the Digital Operational Resilience Act, has helped increase investment and encouraged organisations to address vulnerability management, business continuity, disaster recovery, and supply-chain risk.

The report also points to AI, supply-chain and third-party exposure, and geopolitical volatility as major dynamics shaping the cybersecurity environment. ENISA says AI can improve threat detection and response, but can also support more convincing social engineering, shorter exploitation timelines, and broader access to offensive capabilities.

Why does it matter?

The NIS360 report gives EU policymakers a comparative view of where cybersecurity maturity is improving and where critical sectors remain underprepared. The risk-zone concept is especially useful because it identifies sectors whose importance to society and the economy exceeds their current level of cyber readiness. That makes the report relevant for NIS2 implementation, national supervision, investment priorities, and resilience planning across sectors such as health, public administration, transport, space, and water.

Australian privacy concerns rise as trust in AI companies falls

The Office of the Australian Information Commissioner has released a major survey showing that privacy concerns are rising across Australia, while public trust in AI companies and social media remains extremely low.

The Australian Community Attitudes to Privacy Survey, conducted every three years, found that 87% of respondents are more concerned about privacy than they were five years ago. The survey examines Australians’ privacy attitudes and experiences, including how recent events have shaped public expectations.

Trust was especially low for emerging and data-intensive sectors. Only 4% of respondents said they trusted AI companies, while 3% said the same for social media. Trust also declined across the insurance, telecommunications, technology, retail, and real estate sectors, while remaining highest for health service providers and Australian Government agencies.

Launching the report at the Data Privacy & Consumer Protection Summit 2026, Australian Privacy Commissioner Carly Kind said Australians’ expectations about privacy continue to sharpen as the information ecosystem becomes more complex, data-intensive, and difficult to navigate.

The OAIC said privacy complaints have increased by 73% year to date. Kind said trust is uneven across sectors and that wariness of emerging technologies is increasing, particularly around fairness, accountability, and the practical ability to exercise rights.

The survey also found that 68% of Australians would be more likely to use digital services requiring personal information if they knew their data was handled fairly and responsibly. Another 92% said data collection could be acceptable under certain conditions, including a clear purpose, consent or opt-in, limited collection, and the ability to opt out of non-essential data collection.

Kind said Australians want greater transparency in understanding their privacy rights and how their information is used, adding that improving transparency would help safeguard a healthy, informed, and vibrant democracy.

Why does it matter?

The survey shows that trust is becoming a central barrier to digital adoption, especially for AI and social media services. While Australians are willing to share data under fair and transparent conditions, the very low levels of trust in AI companies suggest that privacy, accountability, and explainability will be critical for public acceptance of emerging technologies.

UN Human Rights Office issues guidelines on child safety online

The UN Human Rights Office has called for stronger action by governments and technology companies to improve children’s safety online, warning that social media bans alone are unlikely to address the underlying causes of digital harms.

In a statement accompanying the release of new guidelines on child safety online, UN High Commissioner for Human Rights Volker Türk said children continue to face risks to their safety, privacy and well-being in digital environments, many of which stem from platform design choices and business practices.

‘The digital world that connects children to learning, community, and creativity also exposes them to real risks to their safety, privacy, and well-being,’ Türk said.

He argued that harms are not inevitable but are often linked to features designed to maximise engagement, including infinite scrolling, autoplay functions and persistent notifications.

The Office’s new guidance, Getting Children’s Safety Online Right, outlines a human rights-based approach to regulating digital platforms and protecting minors online. The guidelines come as governments around the world increasingly consider age-based restrictions on access to social media services.

Türk cautioned against treating such measures as a comprehensive solution. According to the guidelines, restrictions on children’s access to online services should be targeted at clearly identified harms and accompanied by broader measures addressing platform design, accountability and data protection.

The guidance recommends that governments require technology companies to incorporate safety protections into products and services from the outset. It also calls for mandatory child rights impact assessments, safeguards around age-verification systems, greater transparency from companies, stronger oversight mechanisms and access to remedies when children’s rights are violated.

The High Commissioner warned that regulations focused solely on age thresholds may leave unchanged the recommendation systems, algorithms and platform features that can contribute to harmful online experiences.

The guidelines also raise concerns about the privacy implications of poorly designed age-verification systems. According to the Office, such systems could fail to achieve their intended objectives while simultaneously increasing risks to the privacy of both children and adults.

The publication comes amid a growing international debate over children’s access to social media. Australia adopted legislation in late 2025 restricting access to social media platforms for users under 16, while Indonesia and Malaysia have introduced age-based restrictions. Several other countries are considering similar measures.

Türk also noted that existing experience suggests that social media bans can be circumvented and may unintentionally encourage children to migrate to less regulated or less monitored online spaces.

The UN Human Rights Office said effective child protection requires a broader approach that combines regulation, accountability, privacy safeguards and child participation in policymaking processes.

ChatGPT down as users report login and conversation issues

OpenAI reported two resolved incidents affecting ChatGPT on 29 May, following user reports of issues with conversations, logins, and account creation.

The first incident affected users trying to log in or create an account. OpenAI classified the issue as degraded performance affecting ChatGPT and APIs. The company began investigating at 03:12 a.m., applied a mitigation at 03:28 a.m., and marked the incident resolved at 04:57 a.m.

A second incident affected ChatGPT conversations. OpenAI began investigating the issue at 03:18 a.m., applied a mitigation at 03:29 a.m., and marked the incident resolved at 04:58 a.m. The company said all impacted services had fully recovered.

OpenAI’s official status page listed both incidents as degraded performance rather than a full outage. The company did not provide further details on the cause of either disruption in the incident updates.

The brief disruption highlights the growing reliance on AI services for daily work, communication, and software development, as even short periods of degraded performance can affect users and organisations that depend on cloud-based AI tools.

Why does it matter?

The incidents show how widely used AI services are becoming part of everyday digital infrastructure. Even brief login or conversation failures can disrupt work for individuals, developers, businesses, and teams that rely on ChatGPT and related API services.

UK and Poland deepen cyber and defence cooperation under new treaty

The United Kingdom and Poland have agreed a broad package of defence, cybersecurity and security initiatives under a new Security and Defence Partnership Treaty. The agreement strengthens cooperation on defence, sanctions, border security, technology and energy resilience.

Defence cooperation is a central element of the treaty, with both countries planning joint work on missile systems, expanded ammunition production and closer defence-industrial cooperation.

Large-scale military exercises focused on counter-drone operations, electronic warfare and missile defence are also expected to strengthen interoperability between British and Polish forces on NATO’s eastern flank.

Cybersecurity and hybrid threat response feature heavily in the agreement. Britain and Poland plan to coordinate cybersecurity efforts, sanctions enforcement and responses to foreign information manipulation and interference.

A new counter-hybrid working group will support efforts to disrupt hostile state activity, while dedicated cooperation on disinformation aims to strengthen democratic resilience and expose coordinated influence campaigns.

Additional projects include cooperation on irregular migration, maritime security, science and technology, healthcare resilience and clean energy transition. The agreement also includes cooperation on quantum technologies, digital innovation, space security and hydrogen development to strengthen economic and security resilience.

Why does it matter? 

The treaty reflects a broader trend in European security policy, where cybersecurity, technology resilience, energy security and defence are increasingly treated as interconnected challenges.

As concerns grow over hybrid threats, disinformation campaigns and critical infrastructure vulnerabilities, governments are seeking closer cooperation across both military and civilian domains.

Cooperation on missile production, sanctions enforcement, disinformation response and emerging technologies signals a long-term effort to strengthen Europe’s eastern flank while reducing dependence on fragmented supply chains and external strategic vulnerabilities.

Singapore warns of cybersecurity risks from autonomous AI agents

Singapore’s Cyber Security Agency (CSA) has issued an advisory warning that autonomous AI agents, including OpenClaw, can pose serious cybersecurity risks if deployed without appropriate safeguards.

The advisory refers to an Infocomm Media Development Authority (IMDA) case study on the responsible deployment of OpenClaw and highlights risks associated with AI agents that can understand context, plan tasks, use external tools, and act on behalf of users.

CSA said such agents can offer productivity benefits but may expose users and organisations to risks, including unpatched vulnerabilities, weak access controls, sensitive data exposure, malicious third-party skills, and memory poisoning.

The agency warned that unresolved risks could lead to agent hijacking, unauthorised actions through tool or API abuse, and unauthorised access to systems or data. It cited the IMDA case study’s warning that ‘accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked’.

For individuals, CSA recommends avoiding OpenClaw’s open-source form on devices containing sensitive data, running it under least-privileged accounts, installing skills only from trusted sources, keeping sensitive data out of reach, requiring human approval for high-risk actions, and promptly applying updates.

For organisations, the advisory calls for stronger safeguards, including Zero Trust principles, narrowly scoped agents, dedicated and regularly rotated credentials, policy-enforcing proxies, persistent logging, human approval for irreversible actions, negative testing before deployment, and recovery from a known-good baseline after compromise.

CSA also noted that variants, including NanoClaw and Nvidia’s NemoClaw, have emerged since OpenClaw’s launch. It said organisations requiring agentic AI capabilities should evaluate whether such variants meet their performance and security requirements, as safeguards for agentic AI are still maturing.

Why does it matter?

Agentic AI systems are increasingly being deployed to automate tasks that involve access to data, software tools, and online services. Singapore’s advisory highlights growing concerns that autonomous agents can create new attack surfaces if security controls, oversight mechanisms, and access restrictions are not built into deployments from the start.

The guidance also reflects broader efforts by governments and regulators to develop security practices for rapidly evolving AI systems.

EuroDIG 2026 debate strengthens Council of Europe digital governance push

The Council of Europe participated in EuroDIG 2026 in Brussels, contributing to discussions on digital governance, democracy, trustworthy AI, platform accountability, and the digital public sphere.

The European Dialogue on Internet Governance took place on 26 and 27 May, bringing together governments, businesses, civil society, academia, the technical community, and other stakeholders to exchange views on internet governance.

The Council of Europe participated under its New Democratic Pact for Europe, a year-long consultation focused on democratic backsliding and digital governance. The consultation covers issues including AI, data protection, media and information society, cybercrime, online discrimination and gender-based violence, digitalisation of justice, legal education, internet governance, and youth participation.

At the opening session, Claudia Luciani, Director of the Congress of Local and Regional Authorities, said democratic safeguards are critical for the integrity and functioning of Europe’s digital public sphere. She highlighted risks linked to disinformation, information bubbles, and foreign interference and manipulation campaigns.

The Council of Europe also co-organised a debate on trustworthy AI in public services, focusing on transparency, accountability, explainability, and crisis-resilient communication when automated decision-making and AI systems are used in public administration.

Another Council of Europe co-organised session addressed platform accountability and the need to strengthen the digital public sphere. Participants discussed how engagement-driven platform design, generative AI, and synthetic media can contribute to disinformation, hate speech, and other harms, and how governance frameworks could empower users as active citizens.

The Council of Europe’s European Commission for the Efficiency of Justice and its HELP programme also organised a session on how the use of AI in justice systems is changing legal professionals’ training needs.

EuroDIG 2026 was hosted by EURid, the .eu domain name registry, and supported by the European Commission.

The event was held under the theme ‘European voices for the future of the internet – celebrating 20 years of .eu and the beginning of a new internet governance era’.

Why does it matter?

The Council of Europe’s participation in EuroDIG shows how digital governance is being folded into broader debates on democratic resilience. Its focus on trustworthy AI in public services, platform accountability, synthetic media, online discrimination, and AI in justice systems reflects a broader policy shift: digital governance is increasingly treated as part of Europe’s democracy, human rights, and rule-of-law agenda, rather than solely as a technology issue.

Child safety online debate at EuroDIG 2026 shifts focus from bans to platform design

Participants at EuroDIG 2026 debated whether social media age bans are an effective way to protect minors online, with speakers warning that blanket restrictions may oversimplify a far more complex issue involving platform design, digital literacy, privacy, and children’s rights.

The session, titled ‘Youth Online Safety – Are Social Media Age Bans a Solution?’, focused on age verification, platform accountability, recommendation systems, and the broader European regulatory response to online harms affecting children and young people.

Speakers broadly agreed on the objective of improving child safety online, but many questioned whether blanket bans or rigid age restrictions would, in practice, effectively reduce harm.

Diya Aravinthan argued that protecting children online requires approaches that are proportionate, effective, and aligned with how young people actually use digital platforms. She warned that broad social media bans risk pushing children towards workarounds such as VPNs, shared accounts, or alternative services, potentially making online risks harder to monitor rather than reducing them.

Aravinthan also stressed that social media platforms cannot be understood only as sources of harm. She said young people often rely on online spaces for communication, friendships, creativity, civic participation, learning, and access to information.

Referring to Australian research conducted after the country’s under-16 social media restrictions, she said many young people increasingly consume news and current affairs through social media rather than traditional media channels.

Several speakers, therefore, argued that policymakers should focus more on safer platform design and stronger platform accountability rather than treating online safety primarily as an access-control problem.

Aravinthan called for layered protections based on age-appropriate design rather than a binary ‘access or no access’ model. She highlighted stronger privacy defaults, limits on profiling and targeted advertising, and safer platform features for minors as examples of more proportionate safeguards.

She also argued that recommendation systems and algorithmic feeds represent a central challenge because they actively guide minors toward attention-maximising and potentially harmful content.

Lennart Wetzel of Snapchat similarly argued that platforms carry major responsibility for protecting younger users. He said services should invest continuously in safety-by-design features, moderation systems, parental tools, and age-appropriate safeguards. Wetzel also warned that restrictions targeting only selected platforms may simply push young people towards other, potentially less safe or less regulated services.

He cited Australia’s social media restrictions as an example, noting that Snapchat had disabled or locked more than 415,000 accounts in response to the law while also observing migration to alternative services.

The debate also focused heavily on age verification and age assurance technologies.

Several speakers warned that current age-verification systems remain technically imperfect and raise significant privacy, proportionality, and inclusion concerns.

Aravinthan said platforms should not need to know users’ exact identities or precise ages to provide stronger protections for minors. She supported approaches based on data minimisation and privacy-preserving verification.

Wetzel added that even small error rates in age-assurance systems can produce large-scale consequences when applied across millions of users, potentially excluding legitimate users while failing to prevent circumvention.

Carmela Troncoso provided the strongest technical critique of age-verification systems. She argued that making age restrictions difficult to bypass often requires more intrusive forms of surveillance and data collection.

Troncoso warned that some systems rely on biometrics or behavioural analysis, creating additional privacy risks for children and young people. She also said stronger anti-circumvention measures may push minors towards unsafe tools or services that themselves collect and monetise user data.

According to Troncoso, current technologies risk creating substantial privacy and exclusion harms while offering only limited practical effectiveness.

The discussion also explored the wider European regulatory context.

Andrea Tognoni of the European Commission argued that debates about social media bans should not be separated from existing EU frameworks, including the Digital Services Act (DSA), the AI Act, the Audiovisual Media Services Directive, and the Better Internet for Kids strategy.

Tognoni said several member states are already advancing national measures on child protection and age restrictions, creating growing pressure for greater European harmonisation.

Speakers repeatedly warned that fragmented national rules could create inconsistent standards across Europe and undermine the coherence of the digital single market.

Wetzel argued that a risk-based European approach under frameworks such as the DSA offers a more sustainable path than isolated national bans.

The session also highlighted concerns that youth voices remain underrepresented in debates surrounding online safety regulation.

Stefanie Quintao of TikTok said many youth-led and child-rights organisations oppose blanket bans and believe they may unintentionally push children into less protected online spaces.

Both Quintao and Aravinthan stressed that young people use digital platforms for far more than entertainment, and that policy discussions often fail to reflect the lived realities of younger users.

Several audience interventions pushed the discussion further towards the broader political economy of social media platforms.

Some participants argued that the core issue lies not primarily in children accessing technology, but in platform business models built around surveillance, engagement maximisation, and algorithmic amplification.

Others stressed that digital literacy, parental support, and education remain essential complements to regulation.

One participant compared online safety to teaching children how to cross a road: legal rules and infrastructure matter, but children also require guidance, gradual learning, and the development of judgement.

The session concluded with broad agreement that protecting minors online requires a multi-layered and rights-based approach rather than a single regulatory instrument.

Participants broadly agreed that age bans alone are unlikely to solve underlying problems linked to harmful platform design, recommendation systems, and digital business models.

The closing synthesis stressed that effective child protection requires balancing privacy, proportionality, platform accountability, harmonised regulation, digital literacy, and meaningful youth participation.

EuroDIG 2026 took place on 26 and 27 May at the Charlemagne Building of the European Commission in Brussels under the theme ‘European Voices for the Future of the Internet – Celebrating 20 Years of .eu and the Beginning of a New Internet Governance Era’.

Digital Watch Observatory followed EuroDIG 2026 through a dedicated event page, featuring session information and reporting from Brussels.
