EU targets eight member states over cybersecurity directive implementation delay

Eight EU countries (Ireland, Spain, France, Bulgaria, Luxembourg, the Netherlands, Portugal, and Sweden) have been warned by the European Commission for failing to meet the deadline for implementing the NIS2 Directive.

What is the NIS2 Directive about?

The NIS2 Directive, adopted by the EU in 2022, is an updated legal framework designed to strengthen the cybersecurity and resilience of critical infrastructure and essential services. It replaces the 2016 NIS Directive, the EU’s first legislation to improve cybersecurity across crucial sectors such as energy, transport, banking, and healthcare. The 2016 directive set baseline security and incident reporting requirements for critical infrastructure operators and digital service providers to enhance the overall resilience of network and information systems in the EU.

With the adoption of the NIS2 Directive, the EU aims to broaden the scope to include not only traditional sectors like energy, transport, banking, and healthcare, but also public administration, space, manufacturing of critical products, food production, postal services, and a wide range of digital service providers.

NIS2 introduces stricter risk management, supply-chain security requirements, and enhanced incident reporting rules, with early warnings due within 24 hours. It increases management accountability, requiring leadership to oversee compliance and undergo cybersecurity training.

It also imposes heavy penalties for violations, including up to €10 million or 2% of global annual turnover for essential entities. The Directive also aims to strengthen EU-level cooperation through bodies like ENISA and EU-CyCLONe.

Member States were expected to transpose NIS2 into national law by 17 October 2024, making timely compliance preparation critical.

What is a directive?

There are two main types of EU law: regulations and directives. Regulations apply automatically and uniformly across all member states once adopted by the EU.

In contrast, directives set specific goals that member states must achieve but leave it up to each country to decide how to implement them, allowing for different approaches based on each member state’s capacities and legal systems.

So, why is there a delay in implementing the NIS2 Directive?

According to Insecurity Magazine, the delay is due to member states’ implementation challenges, and many companies across the EU are ‘not fully ready to comply with the directive.’ Six critical infrastructure sectors are facing challenges, including:

  • IT service management, challenged by its cross-border nature and diverse entities
  • Space, with limited cybersecurity knowledge and heavy reliance on commercial off-the-shelf components
  • Public administrations, which “lack the support and experience seen in more mature sectors”
  • Maritime, facing operational technology-related challenges and needing tailored cybersecurity risk management guidance
  • Health, relying on complex supply chains, legacy systems, and poorly secured medical devices
  • Gas, which must improve incident readiness and response capabilities

The deadline for the implementation was 17 October 2024. In May 2025, the European Commission warned 19 member states about delays, giving them two months to act or risk referral to the Court of Justice of the EU. It remains unclear whether the eight remaining holdouts will face further legal consequences.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Data breach hits cervical cancer screening programme

Hackers have stolen personal and medical information from nearly 500,000 participants in the Netherlands’ cervical cancer screening programme. The attack targeted the NMDL laboratory in Rijswijk between 3 and 6 July, but authorities were only informed on 6 August.

The stolen data includes names, addresses, birth dates, citizen service numbers, possible test results and healthcare provider details. For some victims, phone numbers and email addresses were also stolen. The lab, owned by Eurofins Scientific, has suspended operations while a security review takes place.

The Dutch Population Screening Association has switched to a different laboratory to process future tests and is warning those affected of the risk of fraud. Local media reports suggest hackers may also have accessed up to 300GB of data on other patients from the past three years.

Security experts say the breach underscores the dangers of weak links in healthcare supply chains. Victims are now being contacted by the authorities, who have expressed regret for the distress caused.


Turkish authorities detain Ethereum developer amid legal probe

Ethereum developer Federico Carrone, known as Fede’s Intern, was detained in Turkey over allegations of helping misuse the Ethereum network. The incident happened at Izmir airport, where authorities informed him of a pending criminal charge likely linked to his privacy protocol work.

After intervention from the Ethereum community and legal support, Carrone was released and allowed to leave. The case seems tied to blockchain privacy tools, which face rising government scrutiny.

Carrone’s team previously came under attention for Tutela, a study on Ethereum and Tornado Cash user privacy. He emphasised that creating privacy code does not make developers criminals, comparing it to blaming software creators for misuse.

Growing legal challenges face developers building privacy and self-custody tools. Tornado Cash co-founder Alexey Roman recently received a criminal conviction and may face prison.

Crypto advocates warn lawsuits against developers risk stifling innovation and highlight ongoing legal uncertainty.


Elderly patient hospitalised after ChatGPT’s dangerous dietary advice

Hospital records show that a man in his sixties ended up hospitalised with neurological and psychiatric symptoms after replacing table salt with sodium bromide, based on AI-generated advice from ChatGPT. The condition, known as bromism, includes paranoia, hallucinations and coordination issues.

Medical staff noted unusual thirst and paranoia around drinking water. Shortly after admission, the patient experienced auditory and visual hallucinations and was placed under an involuntary psychiatric hold due to grave disability.

The incident underscores the serious risks of relying on AI tools for health guidance. In this case, ChatGPT did not issue warnings or ask for medical context when recommending sodium bromide, a toxic alternative.

Experts stress that AI should never replace professional healthcare consultation, particularly for complex or rare conditions.


Ministers urged to forge a secure path for UK government’s digital future

TechUK has issued a comprehensive framework to guide the UK government’s digital transformation, emphasising the importance of secure technological progress as a national imperative.

The proposal outlines three foundational pillars: shaping digital regulation, strengthening countries and regions through digital investment, and advancing international digital trade.

It also calls for sweeping investments in digital skills to ensure citizens are prepared for the digital era. The trade body underscores the need for a digitally confident workforce to sustain the nation’s tech-driven ambitions.

Taken together, these recommendations aim to keep the UK a competitive and resilient digital economy that works for all citizens, supports sustainable growth, and adapts confidently to evolving global digital realities.


Huawei’s dominance in AI sparks national security debate in Indonesia

Indonesia is urgently working to secure strategic autonomy in AI as Huawei rapidly expands its presence in the country’s critical infrastructure. Officials are under pressure to swiftly adopt enforceable safeguards to balance innovation and security. The aim is to prevent critical vulnerabilities from emerging.

Huawei’s telecom dominance extends into AI through 5G infrastructure, network tools, and AI cloud centres. Partnerships with local telecoms, along with government engagement, position the company at the heart of Indonesia’s digital landscape.

Experts warn that concentrating AI under one foreign supplier could compromise data sovereignty and heighten security risks. Current governance relies on two non-binding guidelines, providing no enforceable oversight or urgent baseline for protecting critical infrastructure.

The withdrawal of Malaysia from Huawei’s AI projects highlights urgent geopolitical stakes. Indonesia’s fragmented approach, with ministries acting separately, risks producing conflicting policies and leaving immediate gaps in security oversight.

Analysts suggest a robust framework should require supply chain transparency, disclosure of system origins, and adherence to data protection laws. Indonesia must act swiftly to establish these rules and coordinate policy across ministries to safeguard its infrastructure.


US charges four over global romance scam and BEC scheme

Four Ghanaian nationals have been extradited to the United States over an international cybercrime scheme that stole more than $100 million, allegedly through sophisticated romance scams and business email compromise (BEC) attacks targeting individuals and companies nationwide.

The syndicate, led by Isaac Oduro Boateng, Inusah Ahmed, Derrick van Yeboah, and Patrick Kwame Asare, used fake romantic relationships and email spoofing to deceive victims. Businesses were targeted by altering payment details to divert funds.

US prosecutors say the group maintained a global infrastructure, with command and control elements in West Africa. Stolen funds were laundered through a hierarchical network to ‘chairmen’ who coordinated operations and directed subordinate operators executing fraud schemes.

Investigators found the romance scams used detailed victim profiling, while BEC attacks monitored transactions and swapped banking details. Multiple schemes ran concurrently under strict operational security to avoid detection.

Following their extradition, three suspects arrived in the United States on 7 August 2025, arranged through cooperation between US authorities and the Economic and Organised Crime Office of Ghana.


China pushes back on Nvidia chip sales, undercutting Trump’s proposed export deal

China is quietly urging domestic companies to steer clear of Nvidia’s H20 processors, especially for government or security-related projects, throwing a wrench into US efforts to turn those sales into a revenue source for Washington.

Over recent weeks, Chinese authorities have sent private notices to firms questioning their reliance on US chips and promoting domestic alternatives.

The guidance comes just as Nvidia and AMD gained approval from the Trump administration to resume selling certain AI chips to China, under a rare arrangement that requires the companies to share 15% of related revenue with the US government.

While the directive stops short of an outright ban, Beijing has placed the H20 under the same kind of partial restrictions previously imposed on Tesla vehicles, Apple iPhones, and Micron chips, citing security concerns.

Officials have floated fears that Nvidia hardware could carry location-tracking or remote shutdown features, claims the company firmly denies. At the same time, China is accelerating efforts to boost its homegrown semiconductor industry, urging firms to shift away from Western technology in favour of local suppliers, such as Huawei, even though domestic capacity still falls short of market demand.

The campaign highlights a broader geopolitical irony: US officials defended the resumption of H20 exports by arguing that the chip was already widely available in China and technologically inferior to top US models.

Trump has called it ‘obsolete,’ framing the sales as a way to keep Chinese AI systems dependent on American-made, less advanced hardware.

Behind the scenes, officials have linked the deal to a broader trade arrangement involving Chinese rare-earth minerals, though Beijing has publicly denied any such quid pro quo.

For Nvidia, the H20 remains strategically important. Although less potent than its flagship Blackwell series, the chip’s high memory bandwidth makes it well-suited for AI inference, a crucial stage in which models interpret and respond to data.

Chinese tech giants like Alibaba and Tencent have sought the H20 to offset supply shortages from Huawei, which is struggling to produce enough advanced chips to meet domestic demand.

Analysts warn that losing access to the H20 could raise the cost of running AI models in China by up to six times.

Still, Beijing’s stance appears to be a balancing act. RAND researcher Lennart Heim notes that China uses regulatory pressure to channel demand toward Huawei without cutting off access to Nvidia products, ensuring that companies can still meet their needs while domestic capabilities mature.

However, the Chinese government’s selective pressure could deepen uncertainty for US chipmakers counting on China, the world’s largest semiconductor market, to offset lost sales elsewhere.

While Washington’s new export-for-revenue-sharing model is already unprecedented, Beijing’s countermeasures show that even approved sales may face political headwinds.

For Nvidia and AMD, the challenge is no longer just securing US permission, but also convincing China to buy.


Quantum computing breakthroughs push 2025 into a new era

Quantum computing is set to shift from theory to real-world applications in 2025, driven by breakthroughs from Google and IBM. With error-corrected qubits and faster processing, the market is projected to reach $292 billion by 2035.

New chips, such as Google’s Willow, have significantly reduced errors, while interconnect innovations link multiple processors. Hybrid quantum-classical systems are emerging, with AI refining results for logistics, energy grids, and secure financial transactions.

The technology is accelerating drug discovery, climate modelling, and materials science, cutting R&D timelines and improving simulation accuracy. Global firms like Pasqal are scaling production in Saudi Arabia and South Korea, even as geopolitical tensions rise.

Risks remain high, from the energy demands of quantum data centres to threats against current encryption. Experts urge rapid adoption of post-quantum cryptography and fault-tolerant systems before mass deployment.

As the UN marks 2025 as the International Year of Quantum Science, quantum computing is quietly being integrated into operations worldwide, solving problems beyond the reach of classical machines. The revolution has begun, largely unnoticed but poised to redefine economies and technology.


Black Hat demo reveals risks in hybrid Microsoft environments

Security researcher Dirk-jan Mollema demonstrated methods for bypassing authentication in hybrid Active Directory (AD) and Entra ID environments at the Black Hat conference in Las Vegas. The techniques could let attackers impersonate any synced hybrid user, including privileged accounts, without triggering alerts.

Mollema showed how a low-privilege cloud account can be converted into a hybrid user, granting administrative rights. He also presented ways to modify internal API policies, bypass enforcement controls, and impersonate Exchange mailboxes to access emails, documents, and attachments.

Microsoft has addressed some issues by hardening global administrator security and removing specific API permissions from synchronised accounts. However, a complete fix is expected only in October 2025, when hybrid Exchange and Entra ID services will be separated.

Until then, Microsoft recommends auditing synchronisation servers, using hardware key storage, monitoring unusual API calls, enabling hybrid application splitting, rotating SSO keys, and limiting user permissions.

Experts say hybrid environments remain vulnerable if the weakest link is exploited, making proactive monitoring and least-privilege policies critical to defending against these threats.
