Cybersecurity

EU tests cyber crisis response for rail and maritime networks

The European Commission has carried out Cyber Europe 2026, a large-scale cybersecurity exercise testing how Europe would respond to attacks on rail and maritime transport networks.

Organised by the EU Agency for Cybersecurity, the exercise took place on 10 and 11 June and involved around 5,000 experts from across the EU, industry and partner countries. Participants included cybersecurity specialists from the public and private sectors, policymakers, the EU institutions and representatives from the UK, Norway, Switzerland and Ukraine.

The scenario simulated cyberattacks on Europe’s rail and maritime networks, causing severe operational disruption and escalating into a wider cybersecurity crisis. The exercise was designed to test coordination between authorities, industry and institutions during a major cross-border incident affecting critical transport infrastructure.

Cyber Europe 2026 was also the first EU-wide test of the 2025 EU Cyber Blueprint, which clarifies roles and responsibilities during a cyber crisis. The exercise also tested the Cybersecurity Reserve, created under the Cyber Solidarity Act to provide support during significant cybersecurity incidents.

The Commission said lessons from the exercise will help consolidate the Cyber Blueprint and embed cyber crisis management more firmly into the EU’s wider emergency preparedness and response frameworks.

Why does it matter?

Transport networks are critical infrastructure, and cyber incidents affecting ports, railways or logistics systems can disrupt trade, supply chains, military mobility and emergency response across borders. Cyber Europe 2026 is important because it tests not only technical response, but also EU-level coordination, crisis decision-making and support mechanisms under newer cyber resilience tools such as the Cyber Blueprint and Cybersecurity Reserve.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Europol-backed operation dismantles crypto laundering service used by ransomware gangs

An international law enforcement operation has dismantled a cryptocurrency laundering service allegedly used by ransomware gangs and cybercriminal networks to process more than €336 million in illicit funds.

The platform, known as ‘AudiA6’, is suspected of laundering proceeds from ransomware attacks, large-scale cryptocurrency thefts and other cybercrime activity between 2022 and 2025. Europol said the service was linked through its analysis to more than 15 international cybercrime investigations.

The coordinated action, supported by Europol and Eurojust, led to the arrest of two alleged administrators in Georgia. Authorities also took down 25 domains, seized more than 30 servers, blocked Telegram accounts used by the network and froze or seized cryptocurrency assets worth more than €778,000.

Investigators allege that the service used thousands of fraudulent exchange accounts created with stolen or purchased identities. Criminal clients allegedly transferred cryptocurrency to wallets controlled by the group and received laundered funds through complex transaction chains designed to obscure the money trail.

Authorities also confiscated more than 80 vehicles and several properties in Georgia. Europol said the case highlights how specialised money laundering services help sustain ransomware and other forms of cybercrime by making it easier for criminal groups to cash out stolen digital assets.

Why does it matter?

Crypto laundering services are a key part of the cybercrime economy because they allow ransomware groups and other attackers to turn stolen digital assets into usable funds. Disrupting such infrastructure can weaken criminal business models. Still, the case also shows why cybercrime investigations increasingly require cooperation between cyber units, financial investigators, prosecutors, crypto exchanges and cross-border law enforcement agencies.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Canada introduces Safe Social Media Act targeting online harms and AI chatbots

Canada has introduced the Safe Social Media Act, legislation that would establish new online safety requirements for social media platforms and certain AI chatbot services. Bill C-34 aims to make regulated services more accountable for addressing online harms before they occur.

The Safe Social Media Act would create a new legislative and regulatory framework through the proposed Digital Safety Act. Regulated services would be required to identify, assess and mitigate risks on their platforms, implement safety-by-design features, make user guidelines easily accessible, provide tools such as blocking and reporting mechanisms, and publish Digital Safety Plans.

The bill would prohibit children under the age of 16 from holding social media accounts. Social media services could seek an exemption if they demonstrate that sufficient safeguards for children are in place.

The Safe Social Media Act is organised around three core duties: a Duty to Protect Children, a Duty to Act Responsibly and a Duty to Make Certain Content Inaccessible. Social media services would be required to assess and mitigate risks associated with seven categories of harmful content, including child sexual victimisation, content inducing a child to self-harm, cyberbullying, hatred, violence, terrorism or violent extremism, and intimate content shared without consent.

Regulated social media services would also be required to make certain content inaccessible to users in Canada, including content that sexually victimises a child or revictimises a survivor, and intimate content communicated without consent, including sexualised deepfakes. The government said these categories can cause substantial and lasting harm even when a single item is shared.

Under the proposed legislation, AI chatbot services would be subject to a tailored Duty to Act Responsibly. The proposed requirements include mitigating the risk that chatbots communicate harmful content, being transparent about reporting thresholds in crisis situations, and reducing the risk of harmful chatbot behaviour.

The legislation would establish an independent Digital Safety Commission of Canada responsible for enforcing the framework, assessing compliance, conducting audits and inspections, issuing compliance orders and imposing administrative monetary penalties. The Commission would also handle certain complaints, develop guidance and support research on online safety best practices.

Why does it matter?

The Safe Social Media Act reflects a growing international shift towards preventative online safety regulation. Rather than focusing solely on the removal of illegal content after it appears, the proposed framework would require platforms and AI services to assess risks proactively and implement measures designed to reduce harm before it occurs.

The inclusion of AI chatbot services is particularly notable, as governments worldwide are increasingly examining the safety implications of generative AI systems. If adopted, the legislation could position Canada among the first countries to apply a comprehensive online safety framework that combines platform accountability, child protection measures and AI-specific obligations under a single regulatory regime.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

ILO highlights child protection risks amid digital transformation

The International Labour Organization (ILO), together with UNICEF and the Food and Agriculture Organization (FAO), used a high-level roundtable in Türkiye to highlight the growing connection between digital transformation and child protection.

While the event focused primarily on eliminating child labour, discussions also examined the opportunities and risks associated with rapid technological change.

ILO Türkiye Director Yasser Hassan noted that digital transformation can support economic development, productivity growth and poverty reduction. However, he warned that rapidly evolving technologies may also expose children to new forms of exploitation, including technology-enabled commercial sexual exploitation and other online harms.

Participants stressed that child protection considerations should be incorporated into the design, deployment and governance of digital technologies from the outset. The discussion reflected growing international concern that digitalisation can create new vulnerabilities alongside economic opportunities, particularly for children and young people.

The ILO roundtable also highlighted Türkiye’s broader policy agenda, including digital transformation initiatives within the National Employment Strategy 2025–2028. Stakeholders emphasised the importance of ensuring that digital innovation is accompanied by education, social protection, labour rights protections and child safeguarding measures.

Why does it matter?

The discussion reflects an increasingly important policy debate: how digital transformation can be harnessed while protecting vulnerable groups from emerging risks.

As governments, businesses and international organisations accelerate the adoption of AI, digital platforms and connected technologies, concerns about online child exploitation, digital rights and technology governance are becoming more prominent.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EU publishes the final Code for labelling AI-generated content

The European Commission has published the final Code of Practice on marking and labelling AI-generated content, offering practical guidance for providers and deployers preparing to comply with transparency obligations under the EU AI Act.

The code is voluntary, but the underlying transparency obligations in Article 50 of the AI Act will apply from 2 August 2026. The Commission said the code is intended to help organisations implement those obligations in a consistent, practical and proportionate way.

The framework covers two main areas. Providers of generative AI systems are guided on marking and detecting AI-generated or manipulated audio, image, video and text content, including through machine-readable solutions where technically feasible. Deployers are guided on labelling deepfakes and AI-generated or manipulated text published to inform the public on matters of public interest.

Under the AI Act, users must also be informed when they are interacting with interactive AI systems, such as chatbots. The transparency requirements are intended to help people recognise when content has been generated or altered by AI and to reduce the risk of deception and manipulation.

The Commission has also published a set of the EU icons that deployers may use to label certain AI-generated content. The code does not replace the AI Act or future Commission guidelines on Article 50, which are expected before the transparency obligations begin to apply.

The Commission and the AI Board will now assess the code’s adequacy. If assessed positively, providers and deployers who sign the code may use its measures to help demonstrate compliance with the AI Act’s transparency rules.

Why does it matter?

The code is an important step in turning the AI Act’s transparency provisions into operational practice. Labelling and machine-readable marking rules could shape how platforms, AI providers, media organisations and other deployers handle synthetic text, images, audio and video. The measures are especially relevant for public-interest information, where undisclosed AI-generated or manipulated content can affect trust, elections, journalism and public debate.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

CISA updates vulnerability remediation rules

The US Cybersecurity and Infrastructure Security Agency has issued a binding directive requiring federal civilian agencies to prioritise vulnerability remediation based on risk.

Binding Operational Directive 26-04 directs agencies to align their vulnerability management policies around four criteria: whether an affected asset is exposed, whether a vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalogue, whether exploitation can be automated and the likely technical impact after exploitation.

CISA said the directive consolidates and updates earlier requirements for internet-accessible systems and known exploited vulnerabilities. The agency said the approach is intended to help federal civilian agencies focus remediation on the vulnerabilities most likely to cause serious harm.

The directive comes as threat actors continue to exploit unpatched vulnerabilities, with CISA warning that AI software services could help attackers identify and exploit weaknesses more quickly. The agency said AI-enabled exploitation may further reduce the time defenders have between a patch release and attempted compromise.

The directive also requires agencies to consider whether a system may already be compromised before applying a patch. CISA said applying a patch generally does not remove an attacker who already has access to a system, making compromise checks important for risk management.

CISA will monitor agency compliance and provide implementation support. Although the directive is binding only for federal civilian agencies, CISA encouraged other organisations to adopt similar risk-based vulnerability management practices.

Why does it matter?

The directive reflects a shift in federal cybersecurity from treating vulnerability remediation as a fixed checklist to prioritising flaws based on exploitation risk, exposure, and potential impact. That matters because attackers increasingly move quickly from disclosure to exploitation, and AI tools may further shorten that window. For governments and critical organisations, vulnerability management is becoming a continuous risk-management process rather than a periodic patching exercise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Canada expands AI strategy with safety measures

Canada will invest C$50 million to expand the Canadian AI Safety Institute as part of its new national AI strategy, with a focus on emerging AI risks, technical research and transparent evaluations of AI models.

The strategy, titled ‘AI for All’, says trustworthy AI infrastructure is necessary as AI capabilities grow and agentic AI systems become more widely adopted. According to the government, citizens, businesses, and public institutions need clearer ways to identify which AI systems are safe to use, how risks are assessed and what standards apply.

Canada also plans to work on AI transparency measures, including watermarking of AI-generated content, to help people understand when they are interacting with AI systems or AI-generated material. The government said such measures should support more informed choices about AI products and content.

The strategy also includes plans to create a Canada Trusted AI Certification programme to help users identify trustworthy AI products in the market. Canada will renew funding for the Standards Council of Canada’s AI Programme to support AI testing, certification, interoperability and participation in global standards work.

The AI strategy links safety measures with wider work on privacy, online harms and democratic resilience. The government says it will modernise consumer privacy legislation, introduce online safety laws and protect elections and democratic institutions from AI-enabled misinformation and foreign interference.

Canada also plans to accelerate applied AI research, testing and deployment with law enforcement, security and intelligence agencies in areas such as fraud and extortion prevention, cyber defence, threat detection and data protection.

Why does it matter?

Canada’s strategy treats AI safety not only as research, but as part of the infrastructure needed for adoption and public trust. Certification, model evaluation, watermarking and standards can shape how governments, businesses and citizens decide which AI systems to use. The strategy also shows how AI governance is expanding across privacy, online safety, cybersecurity, elections and national security, rather than remaining limited to innovation policy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New NIST study reveals inherent weaknesses in AI defences 

A new study by a researcher at the US National Institute of Standards and Technology suggests that fixed AI guardrails cannot provide complete protection against adaptive adversarial prompts.

The paper, published in IEEE Security & Privacy by NIST senior scientist Apostol Vassilev, uses logic linked to Kurt Gödel’s incompleteness theorems to argue that a finite set of AI safety rules cannot be universally robust against every possible prompt-based attack.

According to NIST, the finding does not mean AI systems cannot be hardened. Instead, it supports moving away from a ‘one and done’ security model towards continuous monitoring, testing and updating.

The recommended approach includes ongoing red-team work to identify adversarial prompts before attackers exploit them, continuous updates to strengthen guardrails and operational resilience measures that limit the impact of successful attacks and enable quick recovery.

NIST said the goal is not to eliminate all vulnerabilities, but to make exploitation more difficult and costly. As AI systems are deployed more widely, organisations should treat AI security as a permanent operational process rather than a problem that can be solved through a fixed set of controls.

Why does it matter?

The study reinforces a central challenge in AI governance: security controls for AI systems cannot be treated as static compliance measures. As AI tools are integrated into business operations, public services and security-sensitive environments, organisations may need continuous red-teaming, guardrail updates, monitoring and incident response. The policy relevance lies in shifting AI risk management from one-time assurance towards ongoing operational resilience.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

India’s human rights commission examines impact of digital arrest scams

The National Human Rights Commission of India (NHRC) held an open house discussion on safeguarding human rights against digital arrest scams, highlighting their growing impact on individual rights, dignity and personal security.

The NHRC Chairperson said cybersecurity-enabled fraud has caused significant financial losses and noted that digital arrest scams often exploit fear of law enforcement authorities to coerce victims into transferring money. Participants also highlighted the challenges victims face in recovering stolen funds and obtaining effective redress.

Speakers stressed the need for stronger protections for vulnerable groups, particularly older adults, alongside improved data protection, public awareness campaigns and faster support mechanisms for victims. Participants also reviewed existing government measures, AI-powered detection tools and industry initiatives aimed at preventing and detecting fraud.

Key recommendations included recognising digital arrest scams as a distinct criminal offence, strengthening measures against mule accounts and the fraudulent misuse of official identities, improving compensation and recovery mechanisms, and enhancing cooperation among government agencies, industry and other stakeholders in India.

Why does it matter?

Digital arrest scams have emerged as a growing form of cyber-enabled fraud, combining social engineering techniques with the impersonation of law enforcement and government authorities. By exploiting fear and urgency, such scams can cause significant financial losses and psychological harm, particularly among vulnerable groups.

The discussion highlights the increasing intersection between cybersecurity, consumer protection and human rights. As digital fraud becomes more sophisticated, policymakers are placing greater emphasis on prevention, victim support, data protection and coordinated responses involving government agencies, technology providers and financial institutions.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Anthropic launches Claude Fable 5 with advanced safety safeguards

Anthropic has launched Claude Fable 5, a new general-purpose AI model, alongside Claude Mythos 5, a more capable version reserved for selected cyber defence and infrastructure partners.

The company described Fable 5 as its most capable generally available model to date, with strong performance across software engineering, knowledge work, vision and scientific research. Anthropic said the model’s advanced capabilities pose misuse risks, particularly in cybersecurity and research biology.

To reduce those risks, Fable 5 includes additional safety classifiers designed to detect potential misuse, including attempts to bypass safeguards. When certain high-risk requests are detected, users may receive a response from Anthropic’s next-most-capable model, Claude Opus 4.8, rather than Fable 5.

Anthropic said the safeguards have been tuned conservatively and may sometimes block benign requests. According to the company, the fallback mechanism is triggered in less than 5% of sessions on average.

Claude Mythos 5 uses the same underlying model as Fable 5, but with some safeguards lifted in specific areas. Anthropic said it will initially deploy Mythos 5 through Project Glasswing, in collaboration with the US government, for a limited group of cyber defenders and critical software infrastructure providers.

The launch highlights a growing model governance approach in which access to frontier AI capabilities is tiered according to use case and risk. Anthropic said it plans to expand trusted access to Mythos 5 while continuing to refine safeguards for broader public use.

Why does it matter?

The release shows how frontier AI providers are increasingly linking capability deployment to access controls, model routing and domain-specific safeguards. As advanced systems become more useful for software engineering, cybersecurity and scientific research, companies face pressure to provide broad access while limiting misuse in dual-use areas. Anthropic’s split between Fable 5 and Mythos 5 reflects a wider governance question: who should receive access to the most capable AI systems, under what conditions, and with what oversight.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Diplo chatbot can make mistakes. Consider checking important information.