Ofcom fines adult platform over Online Safety Act age check failures

The UK communications regulator, Ofcom, has fined the operator of Fapello.com £630,000 for breaching the Online Safety Act, marking one of its most significant enforcement actions under the new regime.

The penalty includes £600,000 for failing to implement legally required age assurance measures to prevent children from accessing pornographic content, and a further £30,000 for failing to comply with a legally binding information request. Following Ofcom’s action, Fapello.com geoblocked users in the UK, although the regulator said it will continue monitoring compliance.

Ofcom also confirmed it has opened a new investigation into Bit Hive, operator of Eporner.com, to assess whether its age verification measures meet the Act’s requirement for ‘highly effective’ age assurance.

Separately, the regulator expanded its existing investigation into Kemono.cr to examine whether the platform failed to comply with statutory information requests.

Ofcom said robust age verification is a core requirement of the Online Safety Act and warned that providers failing to implement effective protections or cooperate with regulatory investigations should expect enforcement action, including substantial financial penalties.

The regulator added that it prioritises investigations according to user reach and will continue monitoring compliance across online pornography services.

Why does it matter?

The case demonstrates that the UK’s Online Safety Act has entered a new phase of active enforcement. Rather than focusing solely on guidance and compliance deadlines, Ofcom is now imposing financial penalties and investigating platforms that fail to implement effective child protection measures.

The decision also shows that enforcement extends beyond age verification itself. Companies that fail to cooperate with regulatory investigations or provide required information may face additional sanctions, reinforcing the regulator’s ability to oversee compliance across online platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EU unveils AI cybersecurity Action Plan

The European Commission has published an Action Plan to address the cybersecurity risks and opportunities created by advanced AI models. Released on 7 July 2026, the initiative sets out a coordinated approach to strengthening Europe’s cyber resilience as AI capabilities continue to advance.

The Action Plan brings together member states, industry and EU institutions to coordinate responses to AI-related cybersecurity challenges. Rather than introducing new legislation, it builds on the EU’s existing regulatory framework while adapting it to risks posed by increasingly capable AI systems.

The Commission says the plan will strengthen defences against vulnerabilities that AI systems may introduce or exploit. It also promotes closer cooperation between public and private stakeholders, reflecting the view that AI governance and cybersecurity must increasingly be treated as interconnected policy areas.

The Action Plan forms part of the EU’s broader strategy to strengthen digital resilience while maintaining technological competitiveness. Its implementation will depend on cooperation between governments, regulators, businesses and cybersecurity organisations across the Union.

Why does it matter?

The Action Plan reflects growing recognition that advanced AI models are changing the cybersecurity landscape by strengthening defensive capabilities while also creating new opportunities for attackers. As AI systems become more capable and autonomous, policymakers are increasingly treating AI safety and cybersecurity as part of the same strategic challenge.

The initiative also reinforces the EU’s broader digital sovereignty agenda. Rather than creating separate policies for AI and cybersecurity, the Commission is integrating the two into a common governance framework. That approach could influence how organisations deploy AI in critical sectors and provide a model for other jurisdictions developing AI cybersecurity strategies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

ENISA warns frontier AI is compressing cyberattack timelines

The European Union Agency for Cybersecurity has warned that frontier AI models are compressing cyberattack timelines and challenging traditional defence practices.

In a July 2026 paper, ENISA said advanced AI models are reducing the time between vulnerability discovery and exploitation, creating new pressure on vulnerability management, patching and incident response.

The agency said open-weight models may reach similar capabilities within 9 to 12 months, while existing models combined with skilled security experts can already produce comparable results.

ENISA warned that attackers may gain access to exploits before fixes are available, while legacy systems and end-of-life products could become more exposed to AI-assisted vulnerability discovery.

The agency also said more frequent patch releases may increase the risk of service disruption, while open-source maintainers could be overwhelmed by AI-generated vulnerability reports.

Security fundamentals still matter, but ENISA said defenders must apply them faster. It recommended shifting resources from vulnerability discovery towards risk-based prioritisation, rapid triage, remediation and risk reduction.

The paper also calls for defensive AI tools to be integrated into software development, incident response and threat modelling, with human-gated workflows and stronger workforce skills.

At the EU level, ENISA said existing frameworks, including NIS2, the Cyber Resilience Act, and the EU AI Act, should be used to assess and mitigate systemic risks linked to advanced AI models.

For defenders, the agency recommended near-real-time security operations, AI-assisted threat modelling, dynamic incident response pipelines and single-digit-minute detection and response targets.

Why does it matter?

ENISA’s paper frames frontier AI as a structural cybersecurity challenge, not just another tool for attackers or defenders. If vulnerability discovery, exploit development, and lateral movement happen at machine speed, organisations will need faster triage, stronger automation and clearer human oversight. The report also connects AI cybersecurity to the EU’s wider regulatory framework, showing that NIS2, the Cyber Resilience Act and the AI Act will all matter in managing systemic cyber risks from advanced models.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Spain pushes UN coalition to protect children in the AI era

Spain has proposed an international coalition to protect children from AI-related risks, using the first UN Global Dialogue on AI Governance in Geneva to seek wider support.

Minister for Digital Transformation and Civil Service Óscar López said Spain wants governments to agree on common safeguards to ensure AI respects children’s rights, safety and development.

The proposed coalition would operate under the UN framework. Spain said it already has support from France, the EU and Kenya in efforts to launch the initiative.

According to the Spanish government, AI can create opportunities for education and innovation, but can also amplify risks, including manipulation, harmful content, sexual deepfakes, AI-generated child sexual abuse material and algorithmic profiling of minors.

López said governments should avoid repeating mistakes made during the early growth of social media by introducing safeguards before AI technologies become deeply embedded in children’s lives.

He also argued that AI should be a broad social right rather than an ‘exclusive weapon’, calling for stronger governance based on scientific evidence, innovation and human rights.

Spain highlighted its previous AI governance work, including support for the EU AI Act, the creation of the Spanish Agency for the Supervision of Artificial Intelligence and its role in efforts to establish the UN Global Dialogue on AI Governance and the Independent Scientific Panel on AI.

Why does it matter?

Spain’s proposal places child protection within the emerging UN AI governance agenda. AI-related risks for children increasingly go beyond conventional online safety concerns, covering deepfakes, synthetic sexual abuse material, algorithmic profiling, manipulation and harmful content. A UN-linked coalition could help align national approaches and push child safety into global AI governance discussions. However, its practical impact will depend on whether governments agree on concrete safeguards and implementation mechanisms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Alberta uses Claude Code to review government systems

The Government of Alberta has used Anthropic’s Claude Code to review and secure provincial government systems, according to a case study published by the company. Anthropic said Alberta’s Ministry of Technology and Innovation used Claude Code with its Opus and Sonnet models to analyse code, identify vulnerabilities and support remediation.

According to Anthropic, the ministry scanned 466 million lines of code in about 20 hours, covering systems used across 27 provincial ministries. Around 50 AI agents worked in parallel to identify security vulnerabilities, infrastructure weaknesses and documentation gaps.

The ministry manages about 1,280 applications and 3,400 code repositories supporting services including social services, public safety and wildfire response. Anthropic said many had never undergone comprehensive security reviews, resulting in accumulated technical debt and incomplete documentation.

Alberta used a two-stage review process. A rules engine first identified known patterns, after which Claude Code analysed the results and cited the relevant files and lines for each finding. Anthropic said the approach uncovered issues that conventional automated scanning tools had missed.

Claude Code was also used to generate fixes, write tests where needed and assist with modernising legacy systems. Anthropic said ministry engineers reviewed and approved all proposed patches before deployment, maintaining human oversight throughout the remediation process.

Alberta also developed specialised Claude-based review agents for continuous security testing during software development. These include red-team agents that probe applications for vulnerabilities, blue-team agents that assess compliance with security standards, and additional agents that review code quality and public-facing content.

Why does it matter?

The case illustrates how governments are beginning to use AI coding agents to modernise and secure large portfolios of legacy software, an area that has traditionally required significant time and specialised expertise. If these tools prove reliable, they could help public administrations reduce technical debt, improve cybersecurity and accelerate software maintenance across critical public services.

At the same time, the deployment highlights the importance of governance in public-sector AI adoption. Alberta’s reported use of human review before implementing AI-generated changes reflects a growing emphasis on combining AI-assisted development with oversight, accountability and established security practices.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Sysdig reports first documented agentic ransomware case

Cloud security firm Sysdig says it has documented the first known case of agentic ransomware, after observing an AI-driven extortion operation it tracks as JADEPUFFER.

According to Sysdig, the operation began with exploiting CVE-2025-3248 on an internet-facing Langflow instance. Langflow is an open-source framework for building LLM-driven applications and agent workflows.

The attacker then pivoted towards a production database server running MySQL and Alibaba Nacos.

Sysdig said the operation was driven by a large language model rather than a traditional human-led toolkit. The agent carried out reconnaissance, credential harvesting, lateral discovery, persistence and destructive database activity.

The company said JADEPUFFER executed more than 600 distinct payloads and adapted to failures in real time. In one case, the agent moved from a failed login attempt to a corrected working approach in 31 seconds.

CyberScoop later reported Sysdig’s clarification that the attack was not fully human-free. A person still set up and directed the operation, provisioned command-and-control and staging infrastructure, chose the victim, and supplied credentials likely obtained through a prior compromise.

Sysdig also said API keys for OpenAI, Anthropic, DeepSeek and Gemini were among the material the agent collected from the compromised environment. That does not confirm which model powered the attack.

The case is notable less for novel techniques than for automation. Sysdig said the attack relied on known vulnerabilities and exposed infrastructure, but an AI agent chained the steps together quickly and carried out a ransomware-style database extortion workflow.

Why does it matter?

JADEPUFFER shows how agentic AI could change cybercrime by automating work that previously required skilled operators. Even if humans still choose targets and set up infrastructure, agents can speed up reconnaissance, credential theft, lateral movement and destructive activity once access is available. The defensive lesson is immediate: exposed AI tools, unpatched systems, leaked credentials, and internet-facing databases become more dangerous when attackers can automate exploitation and adaptation at machine speed.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

MEPs to debate EU AI cybersecurity strategy

Members of the European Parliament are set to question the European Commission on its latest AI and cybersecurity proposals, including a new AI cybersecurity strategy expected to be unveiled on 7 July.

According to the European Parliament’s plenary newsletter, the Commission’s action plan is expected to include measures to help EU member states and companies address AI-related cybersecurity risks.

The strategy is also expected to strengthen Europe’s AI cybersecurity capabilities as policymakers examine how AI is reshaping both cyber threats and cyber defence.

The debate follows the European Commission’s welcome of the G7 cybersecurity declaration on strengthening global cyber resilience. Parliament is also considering two legislative proposals collectively referred to as the ‘Cybersecurity Act 2‘.

The proposals are expected to address issues including the NIS2 framework, the role of the EU Agency for Cybersecurity (ENISA), the EU cybersecurity certification framework and ICT supply chain security.

The debate is scheduled for 7 July, as part of a European Commission statement followed by parliamentary scrutiny.

Why does it matter?

The debate shows that AI-related cybersecurity risks are becoming part of the EU’s broader cyber resilience agenda. By linking AI policy with NIS2, ENISA, certification and supply chain security, the EU is preparing to treat AI not only as an innovation priority but also as a cybersecurity concern.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

IWF and NCA urge parents to protect children’s photos from AI misuse

The Internet Watch Foundation (IWF) and the UK’s National Crime Agency (NCA) have launched new guidance urging parents and carers to better protect images of their children online, warning that criminals are increasingly using AI to turn publicly available photographs into child sexual abuse material.

The campaign responds to a sharp rise in AI-generated child sexual abuse material and aims to help families make more informed decisions about sharing children’s image online and obtaining their consent.

The guidance accompanies a public awareness campaign across Facebook, Instagram and YouTube, encouraging families to review privacy settings, reconsider who can access children’s photographs and discuss image consent with young people.

Parents are encouraged to regularly review whether they are comfortable sharing images online, limit access through private groups where appropriate, and talk openly with their children about AI-generated imagery, deepfake nudes and online safety.

The campaign follows growing evidence that offenders are exploiting publicly accessible family and school photographs.

The IWF recently helped prevent the circulation of more than 100 AI-generated sexual images created from photographs taken from a UK school’s website after criminals attempted to blackmail the school. According to the organisations, even ordinary family photographs can now be manipulated into realistic abuse material without the knowledge of children or their parents.

The scale of the threat has grown significantly. The IWF identified 8,029 AI-generated child sexual abuse images and videos in 2025, a 14% increase on the previous year.

AI-generated videos increased from just 13 identified in 2024 to 3,443 in 2025, with nearly two-thirds classified as the UK’s most severe Category A abuse material.

The IWF argues that technology companies must strengthen safeguards around AI image generation tools before release, while continuing to support law enforcement efforts to combat online child exploitation.

Why does it matter?

Generative AI has made it significantly easier to create realistic child sexual abuse material from ordinary photographs, fundamentally changing the online child protection landscape. Images shared on social media, school websites or other public platforms can now be manipulated without a child’s knowledge, creating new risks for families and increasing the burden on law enforcement and child protection organisations.

The campaign also highlights that preventing AI-enabled abuse requires more than criminal enforcement. Stronger safeguards in AI image-generation tools, improved privacy practices, greater parental awareness and better digital literacy around image sharing and consent are all becoming essential components of online child safety.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

ITU showcases AI tools to strengthen digital trust

The International Telecommunication Union (ITU) has highlighted a new generation of AI researchers developing practical tools to strengthen digital trust, improve content authenticity and combat misinformation.

Ahead of the AI for Good Global Summit in Geneva, the Young Researcher Associate Programme is showcasing projects designed to improve multimedia authenticity, helping people identify manipulated content while supporting creativity and innovation in the age of generative AI.

The initiative operates under the AI and Multimedia Authenticity Standards Collaboration, established in 2024 by the World Standards Cooperation, which brings together the International Electrotechnical Commission (IEC), the International Organization for Standardization (ISO) and the ITU.

The programme brings together early-career researchers from universities around the world to develop solutions addressing content authenticity, provenance and digital rights as AI-generated media becomes increasingly common online.

Three flagship projects illustrate the programme’s multidisciplinary approach. STOP&SCAN promotes critical thinking through a five-step framework that encourages people to assess the source, content and context of digital information before sharing it.

AMITO provides an AI-powered multimedia integrity toolkit through Telegram and WhatsApp, analysing suspicious images and videos while explaining its findings in plain language rather than simply labelling content as authentic or fake.

Meanwhile, the Policy-as-Code project maps AI-related regulations across jurisdictions, helping creators, businesses and policymakers understand how AI-generated content is regulated while laying the foundations for machine-readable compliance mechanisms.

The researchers will present their work at the AI for Good Global Summit on 9 July, demonstrating how technical innovation, behavioural science and regulatory frameworks can work together to build more trustworthy digital ecosystems. According to the ITU, strengthening digital trust requires collaboration across generations, disciplines and countries.

According to ITU, designing digital trust requires collaboration across generations, disciplines and countries to ensure AI strengthens rather than undermines confidence in online information.

Why does it matter?

As generative AI makes it easier to create convincing synthetic media, verifying the authenticity and provenance of digital content is becoming increasingly important for governments, businesses and the public. Technical tools alone are unlikely to solve the problem, making user education, common standards and transparent governance equally important.

The initiative also highlights the growing role of international standards organisations in shaping AI governance. By combining authenticity technologies, regulatory mapping and practical educational tools, the ITU and its partners are helping develop a shared foundation for trusted digital ecosystems that can operate across platforms and national borders.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Anthropic details Claude Fable 5 cyber safeguards

Anthropic has released new details about the cybersecurity safeguards protecting Claude Fable 5 and proposed a draft framework for assessing the severity of AI cyber jailbreaks.

The company said Fable 5 has now been redeployed globally and is available to all users. The update focuses on two areas: safety classifiers designed to detect and block dangerous cybersecurity activity, and a proposed framework for grading the severity of cyber-related AI jailbreaks.

Anthropic said Fable 5 uses safety classifiers to distinguish between four categories of cybersecurity activity: prohibited use, high-risk dual use, low-risk dual use and benign use. Prohibited activities include destructive cyberattacks, cyber-physical sabotage, defence evasion, command-and-control infrastructure, data exfiltration, malware development and attacks targeting internet backbone systems.

High-risk dual-use activities include penetration testing, red teaming, privilege escalation, exploit development, virtual machine escapes and advanced vulnerability discovery. Anthropic said these activities will remain restricted for Fable 5 until stronger access controls for trusted users are in place.

The proposed Cyber Jailbreak Severity (CJS) framework introduces a scale ranging from CJS-0 to CJS-4, assessing jailbreaks according to capability gain, breadth of capability gain, ease of weaponisation and discoverability.

Anthropic said the framework is intended to give AI developers, governments and security researchers a common vocabulary for describing cyber jailbreak risks. The company is seeking public feedback on the draft and has launched a HackerOne programme inviting researchers to submit potential cyber jailbreaks affecting Fable 5.

Why does it matter?

As AI models become more capable in cybersecurity, assessing jailbreaks consistently is becoming increasingly important. A common severity framework could help AI developers, researchers, and governments compare vulnerabilities, prioritise responses and communicate risks using shared criteria rather than ad hoc descriptions.

The proposal also reflects a broader shift toward treating frontier AI safety as a collaborative effort. By publishing its methodology and inviting external researchers to test Fable 5 through a coordinated disclosure programme, Anthropic is encouraging greater transparency and independent scrutiny of AI security safeguards.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!