Network security

ENISA identifies risk zone sectors in EU cybersecurity assessment

The European Union Agency for Cybersecurity has released its 2026 NIS360 report, assessing the cybersecurity maturity and criticality of high-criticality sectors under the NIS2 Directive.

The report says cybersecurity maturity across the EU critical sectors has steadily improved as organisations respond to evolving policy requirements and cyber threats. Banking, electricity, and telecommunications remain among the most mature and critical sectors, while trust services, aviation, and financial market infrastructures have moved into the high maturity band.

Gas, road, maritime, and health strengthened their maturity within the moderate band, although ENISA says progress remains uneven across and within sectors. Factors behind the differences include skills shortages, sector-specific characteristics, and organisational size.

The report identifies a ‘risk zone’ covering sectors with lower-than-average maturity and criticality that exceeds their maturity. ENISA lists health, railway, maritime, ICT management services, space, public administrations, and drinking and wastewater as risk-zone sectors, while gas has started moving out of the category.

ENISA says improvements have been driven by cybersecurity legislation, increased political attention, information sharing, collaboration, and operational preparedness. Regulation, including the NIS2 Directive and the Digital Operational Resilience Act, has helped increase investment and encouraged organisations to address vulnerability management, business continuity, disaster recovery, and supply-chain risk.

The report also points to AI, supply-chain and third-party exposure, and geopolitical volatility as major dynamics shaping the cybersecurity environment. ENISA says AI can improve threat detection and response, but can also support more convincing social engineering, shorter exploitation timelines, and broader access to offensive capabilities.

Why does it matter?

The NIS360 report gives the EU policymakers a comparative view of where cybersecurity maturity is improving and where critical sectors remain underprepared. The risk-zone concept is especially useful because it identifies sectors whose importance to society and the economy exceeds their current level of cyber readiness. That makes the report relevant for NIS2 implementation, national supervision, investment priorities, and resilience planning across sectors such as health, public administration, transport, space, and water.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Singapore warns of cybersecurity risks from autonomous AI agents

Singapore’s Cyber Security Agency (CSA) has issued an advisory warning that autonomous AI agents, including OpenClaw, can pose serious cybersecurity risks if deployed without appropriate safeguards.

The advisory references to Infocomm Media Development Authority (IMDA) case study on the responsible deployment of OpenClaw and highlights risks associated with AI agents that can understand context, plan tasks, use external tools, and act on behalf of users.

CSA said such agents can offer productivity benefits but may expose users and organisations to risks, including unpatched vulnerabilities, weak access controls, sensitive data exposure, malicious third-party skills, and memory poisoning.

The agency warned that unresolved risks could lead to agent hijacking, unauthorised actions through tool or API abuse, and unauthorised access to systems or data. It cited the IMDA case study’s warning that ‘accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked’.

For individuals, CSA recommends avoiding OpenClaw’s open-source form on devices containing sensitive data, running it under least-privileged accounts, installing skills only from trusted sources, keeping sensitive data out of reach, requiring human approval for high-risk actions, and promptly applying updates.

For organisations, the advisory calls for stronger safeguards, including Zero Trust principles, narrowly scoped agents, dedicated and regularly rotated credentials, policy-enforcing proxies, persistent logging, human approval for irreversible actions, negative testing before deployment, and recovery from a known-good baseline after compromise.

CSA also noted that variants, including NanoClaw and Nvidia’s NemoClaw, have emerged since OpenClaw’s launch. It said organisations requiring agentic AI capabilities should evaluate whether such variants meet their performance and security requirements, as safeguards for agentic AI are still maturing.

Why does it matter?

Agentic AI systems are increasingly being deployed to automate tasks that involve access to data, software tools, and online services. Singapore’s advisory highlights growing concerns that autonomous agents can create new attack surfaces if security controls, oversight mechanisms, and access restrictions are not built into deployments from the start.

The guidance also reflects broader efforts by governments and regulators to develop security practices for rapidly evolving AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Commission’s proposal strengthens mobile satellite services rules

The European Commission has proposed a new EU-level authorisation system for mobile satellite services using the harmonised 2 GHz frequency band, following the expiry of current licences in 2027.

The proposal would establish a selection procedure for mobile satellite service providers authorised to use the 2 GHz band across all EU member states. According to the Commission, EU-level authorisation would support regulatory consistency and allow operators to develop and provide services across borders.

The 2 GHz mobile satellite services band is suited to direct-to-device services, including satellite and terrestrial connectivity directly to mobile devices. It can support high-speed internet and critical communications in areas without terrestrial coverage.

Under the proposal, one-third of the band would be reserved for governmental use, including critical communications, security, and military purposes. The services would be provided by an EU operator, which would be required to integrate with IRIS², the EU’s Secure Connectivity programme, and its current and future capabilities.

The remaining two-thirds would be allocated to commercial uses, including direct-to-device services, mobile coverage where terrestrial networks are unavailable, and internet of things applications such as fitness trackers, energy monitoring, and emergency response devices.

The commercial portion would be split equally between use by the EU operators entering the market and use by the EU and non-EU operators. The structure is intended to diversify suppliers and support the entry of the EU providers.

The proposed regulation would replace the 2008 decision that selected the current operators. The Commission said the proposal is consistent with the Digital Networks Act approach, under which satellite spectrum would be authorised at the EU level on a single set of conditions.

Why does it matter?

The proposal links satellite spectrum policy to Europe’s wider goals around connectivity, resilience, security, defence, and technological sovereignty. By moving towards EU-level authorisation for the 2 GHz band, the Commission is trying to reduce regulatory fragmentation while supporting direct-to-device services, critical communications, and future integration with IRIS².

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

YouTube expands AI transparency rules with automatic content detection

YouTube is updating its approach to AI-generated content by introducing more visible disclosure labels and new automatic detection systems designed to improve transparency for viewers and creators.

The update follows growing concerns around realistic synthetic media, manipulated videos, and generative AI tools across major digital platforms.

Under the revised system, labels for photorealistic or meaningfully AI-altered or generated content will appear directly below long-form videos and as overlays on Shorts. Less realistic, animated, or slightly altered content will continue to be disclosed in expanded video descriptions.

The company is also rolling out internal AI detection signals to identify AI-generated content when creators fail to disclose it themselves. If YouTube’s systems detect significant use of photorealistic AI, the platform may automatically apply a label.

Creators will still be able to update the disclosure status in YouTube Studio if they believe their content has been incorrectly identified as AI-generated. However, disclosures will remain permanent in some cases, including content created with YouTube’s own AI tools, such as Veo or Dream Screen, and content that contains C2PA metadata indicating that AI fully generated it.

YouTube said the updated labels are intended to balance transparency with creator control. The company also said that a disclosure label alone does not change how a video is recommended or whether it is eligible to earn money.

Why does it matter?

YouTube’s update reflects a broader shift towards platform-level governance of synthetic media and generative AI content. As realistic AI-generated video becomes easier to produce, platforms face growing pressure to make synthetic content more visible to users while preserving creator workflows and avoiding over-penalisation. The move also shows how provenance tools such as C2PA and automated detection systems are becoming part of mainstream content governance.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

UK’s Ofcom fines adult website over missing age checks

UK regulator Ofcom has fined adult content provider Youngtek Solutions £600,000 after finding that the company failed to implement legally required age assurance measures designed to prevent children from accessing pornographic content online.

According to Ofcom, Youngtek Solutions operated four adult websites without ‘highly effective age assurance’ from 25 July to 22 September 2025, breaching obligations introduced under the UK’s Online Safety Act. The regulator imposed a £500,000 financial penalty for the age-check failures, alongside a further £100,000 fine for failing to respond on time to a legally binding request for information.

Ofcom said sites that allow pornographic material must use highly effective age assurance to prevent children from readily accessing such content. The regulator warned that companies that fail to comply with or miss deadlines for formal information requests can face enforcement action.

If a provider fails to pay a fine, Ofcom can seek recovery of the penalty. Where appropriate, it can also seek court orders for business-disruption measures, including requiring payment providers or advertisers to withdraw services from a platform or requiring internet service providers to block a site in the UK.

Youngtek Solutions has since implemented age assurance on all sites covered by the investigation. Ofcom said it will continue monitoring the sites to ensure their age-checking methods remain effective in preventing children from accessing pornographic content.

Why does it matter?

The fine shows Ofcom beginning to use its enforcement powers under the Online Safety Act against adult services that fail to implement child protection measures. The case also signals that age assurance obligations are not merely a compliance formality: non-compliant services may face financial penalties, information-gathering enforcement, and potentially business-disruptive measures if they fail to meet their legal duties.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

CrowdStrike disrupts Glassworm botnet targeting software developers worldwide

CrowdStrike has announced the coordinated disruption of the Glassworm botnet, a cyber operation targeting software developers through open-source software supply chains.

Working with Google and the Shadowserver Foundation, the cybersecurity company said it simultaneously disabled four command-and-control channels used by the malware infrastructure.

According to CrowdStrike, Glassworm targeted developers through trojanised VSCode extensions, malicious npm and Python packages, and compromised GitHub repositories containing poisoned code. The campaign affected Windows, macOS, and Linux systems and targeted the theft of developer credentials and the maintenance of persistent access to development environments.

CrowdStrike said the botnet had compromised hundreds of GitHub repositories using stolen developer credentials, posing risks to downstream software supply chains. The company warned that attackers are increasingly targeting developers because compromising a single workstation, repository, or package can spread malicious code across many organisations, services, and users.

The company also highlighted the growing resilience of cybercriminal infrastructure. It said Glassworm combined blockchain technology, peer-to-peer systems, legitimate online services, and traditional servers to make takedown attempts more difficult.

The disruption cuts off the botnet’s known command-and-control channels, but CrowdStrike said organisations should continue checking for compromised developer environments, malicious packages, and exposed credentials.

Why does it matter?

The Glassworm campaign shows how developer tools and open-source ecosystems have become critical attack surfaces. Rather than attacking only large enterprises directly, threat actors can compromise repositories, extensions, libraries, or credentials used by developers and then move through the software supply chain. Such attacks can create cascading risks for cloud services, enterprise software, financial systems, public services, and other organisations that rely on shared code and development infrastructure.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Australia’s ASD outlines AI opportunities and risks in cyber defence

The Australian Signals Directorate (ASD) has published new guidance outlining how organisations can use AI to strengthen cyber defence while managing risks associated with AI adoption.

According to ASD, malicious actors are increasingly using AI to scale and accelerate cyber operations, including reconnaissance, vulnerability analysis, and the generation of tailored malicious content. The guidance warns that AI may lower technical barriers for less experienced threat actors and shorten the time between vulnerability discovery and exploitation.

ASD says AI can support cyber defence by improving threat detection, vulnerability analysis, incident response, and prioritisation of security risks. However, ASD stresses that AI should complement rather than replace existing cybersecurity practices and controls.

The guidance maps AI use in cyber defence to six Information Security Manual functions: Govern, Identify, Protect, Detect, Respond, and Recover. Suggested uses include analysing supply chain risks, improving asset discovery, prioritising hardening actions, scanning source code, detecting anomalous behaviour, supporting incident triage, and assisting restoration planning.

The guidance also addresses so-called ‘agentic AI’ systems capable of autonomous planning and decision-making, warning that such technologies require clear operational limits, sandboxing, and strong human oversight. ASD warns that such systems require careful adoption, clear limits, permissions, sandboxing, and strong human oversight.

Organisations adopting AI for cybersecurity are advised to apply a strong baseline aligned with the Information Security Manual and Essential Eight. ASD recommends protecting AI systems from prompt injection, model evasion, and model extraction, while ensuring least-privilege access, auditability, secure integration, and validation of AI-assisted outputs.

ASD also recommends that organisations assess AI and cybersecurity vendors against criteria including explainability, human oversight, resilience, supply-chain dependencies, fallback mechanisms, and data protection practices.

ASD concludes that AI can strengthen cyber defence when deployed securely and responsibly, but warns that poorly governed systems may introduce new vulnerabilities and operational risks.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU adopts unified cyber incident reporting templates under NIS2

The NIS Cooperation Group has adopted common templates for cybersecurity incident reporting across the EU, marking a step towards more harmonised compliance requirements for companies subject to the NIS2 Directive.

The templates were adopted during the group’s 39th plenary meeting in Cyprus and are intended to provide a uniform format for reporting cyber incidents across member states. The NIS Cooperation Group brings together the EU member states, the European Commission, and the EU Agency for Cybersecurity (ENISA) as part of wider EU cybersecurity coordination efforts.

According to the Commission, the standardised templates are designed to reduce administrative burdens and simplify compliance for companies required to report cybersecurity incidents under NIS2. The move also aligns with broader EU efforts to create a single-entry point for incident reporting under the proposed Digital Omnibus initiative.

The Commission now plans to adopt the templates through an implementing act, which would make them mandatory for all member states. The EU officials say harmonised reporting fields should reduce fragmentation, simplify reporting obligations, and help strengthen cybersecurity resilience across the bloc.

Why does it matter?

Cybersecurity reporting requirements across Europe have often created complexity for companies operating in multiple jurisdictions. Common templates could reduce duplication, make reporting procedures more predictable, and improve coordination between national authorities. The move also fits into the EU’s broader push to simplify digital compliance while strengthening cyber resilience under NIS2.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

BEREC to present Digital Networks Act assessment

The Body of European Regulators for Electronic Communications (BEREC) will hold a public debriefing on 10 June 2026 in Brussels to present its final assessment of the Digital Networks Act proposal and the outcomes of its latest plenary meetings.

The event will take place at the IRG Secretariat and will be held in a hybrid format, allowing both in-person and online participation. BEREC Chair Marko Mismas of AKOS Slovenia will present the assessment with Working Group Co-Chairs and take questions from stakeholders.

The debriefing will also cover key outcomes from BEREC’s 67th plenary meetings, including updates on ongoing work and upcoming initiatives. The full agenda will be published on BEREC’s website after the plenary meetings.

BEREC experts will also introduce a newly launched public consultation on further draft guidance on 5G network slicing, prepared by the Open Internet Working Group.

The event is aimed at policymakers, industry stakeholders, and other interested parties following the evolving EU regulatory framework for electronic communications. Participants can submit questions in advance via the registration form, while online participants will be able to use a Q&A chat function during the livestream.

Why does it matter?

BEREC’s assessment will feed into the debate over the EU’s future telecoms framework, including how regulators approach network investment, competition, open internet rules, and emerging technical practices such as 5G network slicing. The debriefing also offers stakeholders an opportunity to engage directly with regulators before the Digital Networks Act debate advances further.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Anthropic says AI system identified thousands of critical software flaws

Anthropic has published an update on Project Glasswing, a cybersecurity initiative focused on identifying software vulnerabilities using AI systems.

According to Anthropic, partner organisations used Claude Mythos Preview to identify thousands of high- and critical-severity vulnerabilities across software platforms and infrastructure systems.

The company said the initiative demonstrated how AI systems are increasing the speed and scale of vulnerability discovery processes. Anthropic reported that participating organisations observed substantial increases in software vulnerability detection capabilities during testing.

Evaluations cited by Anthropic suggested the system performed strongly in vulnerability identification and exploit-detection tasks compared with earlier AI cybersecurity models.

Anthropic also said the model analysed more than 1,000 open-source projects and identified vulnerabilities affecting widely used software components. The company highlighted a vulnerability identified in the open-source cryptography library wolfSSL as one example from the project.

According to Anthropic, the vulnerability was patched after disclosure.

Anthropic said AI-assisted vulnerability discovery may increasingly shift cybersecurity challenges toward verification, disclosure, and remediation processes. The company also said similar AI cybersecurity capabilities are likely to become more widely available across the industry.

Why does it matter?

The rapid growth of AI-driven cybersecurity is becoming increasingly important as AI is fundamentally changing the balance between cyber defence and cyber threats. Systems such as Anthropic’s Project Glasswing demonstrate that advanced AI models can identify software vulnerabilities at a speed far beyond traditional human-led security testing, potentially making critical infrastructure, financial systems, cloud platforms, and open-source software both safer and more exposed at the same time.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.