Finland implements national framework for EU Cyber Resilience Act

Finland’s national cyber resilience law entered into force on 1 June, establishing national procedures for implementing the European Union’s Cyber Resilience Act. The Cyber Resilience Act establishes cybersecurity requirements for software and hardware products placed on the EU market.

The law assigns responsibility for implementing key provisions of the Cyber Resilience Act to the National Cyber Security Centre Finland, which operates within the Finnish Transport and Communications Agency (Traficom). The act covers market surveillance, vulnerability reporting, notification of conformity assessment bodies, administrative sanctions, and provisions linked to EU cybersecurity certification.

From 11 September 2026, manufacturers will be required to notify the National Cyber Security Centre Finland of actively exploited vulnerabilities and serious security incidents affecting their products. Notifications must be submitted within 24 hours of the manufacturer becoming aware of the vulnerability or incident.

Products covered by the Cyber Resilience Act must comply with its requirements from 11 December 2027. The requirements apply to manufacturers, importers, distributors, and open-source software stewards, while high-risk AI systems in Finland will be supervised by the authorities responsible for the Artificial Intelligence Act in their respective sectors.

Finland has also amended its Act on Electronic Communications Services to support the implementation of domain name registration requirements under the NIS2 Directive. The new obligations will apply after a three-month transition period and will extend to domain name resellers and certain domain names other than .fi and .ax, where the entity’s main establishment or designated representative is located in Finland.

Why does it matter?

The Cyber Resilience Act represents one of the EU’s most significant efforts to improve cybersecurity across connected products and software. By introducing security-by-design requirements, vulnerability reporting obligations and market surveillance mechanisms, the regulation aims to reduce cybersecurity risks throughout the digital supply chain.

Finland’s implementation measures provide the national framework needed to enforce these requirements, while the related NIS2 amendments further strengthen oversight of critical digital infrastructure and domain name services.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

IWF, PIR and NetBeacon expand cooperation against online child abuse content

The Internet Watch Foundation (IWF) has announced a new partnership with Public Interest Registry (PIR) and the NetBeacon Institute aimed at strengthening efforts to identify and disrupt online child sexual abuse material (CSAM).

The initiative introduces a reporting mechanism that enables suspected child sexual abuse content to be reported through NetBeacon Reporter alongside existing DNS abuse categories, including phishing, malware and spam. Reports are forwarded to IWF analysts, who assess the material under UK law and initiate appropriate action when illegal content is confirmed.

The partnership also expands registrars’ access to IWF domain protection services. Through PIR sponsorship, registrars will be able to access IWF Domain Alerts and the Top-Level Domain Hopping List free of charge.

According to the organisations, the programme already covers approximately 55 million domains and is intended to make it more difficult for criminals to use domain infrastructure to host or distribute child sexual abuse material.

Why does it matter?

Child sexual abuse material remains a significant online safety challenge, requiring coordination across platforms, hosting providers, registries and registrars. Integrating CSAM reporting into existing DNS abuse workflows could help speed up the identification of illegal content and improve coordination between reporting mechanisms and domain operators.

The initiative also reflects growing efforts to use domain-level tools and threat intelligence services to disrupt the infrastructure that supports the distribution of harmful and illegal content online.


EU launches consultation on trusted flagger guidelines under the DSA

The European Commission has launched a public consultation on draft guidelines for trusted flaggers under the Digital Services Act, aiming to establish a clearer and more consistent framework for organisations that identify and report illegal online content.

Trusted flaggers are specialised entities whose notices about illegal content must be prioritised by online platforms under the DSA. Platforms remain responsible for assessing whether the reported content is illegal.

More than 70 trusted flaggers have already been designated across the EU, covering areas such as child sexual abuse material, intellectual property infringements, online fraud, financial scams, and online harassment.

The proposed guidelines clarify the criteria and procedures used by national Digital Services Coordinators to grant trusted flagger status. They also set out technical requirements for trusted flaggers and platforms when processing notices of illegal content.

The draft guidelines include safeguards intended to ensure that trusted flaggers remain independent, objective, and accountable while operating in full respect of freedom of expression. They also include measures to prevent misuse of the mechanism, including public annual transparency reports and procedures to suspend or revoke trusted flagger status.

The Commission is inviting feedback from platforms, trusted flaggers, applicants, researchers, civil society organisations, and other stakeholders until 26 June 2026. Following the consultation, the Commission plans to adopt the final guidelines in the second half of 2026.

Why does it matter?

Trusted flaggers are becoming an important procedural tool in the EU’s online safety framework. Clearer rules could improve the reporting and handling of illegal content while reducing fragmentation across member states. The safeguards are also important because prioritised notices must be balanced with accountability, transparency, and protection of freedom of expression.


NATO formalises cyber partnerships with Microsoft, Palo Alto Networks and ESET

NATO has announced strategic partnerships with Microsoft, Palo Alto Networks and ESET during the International Conference on Cyber Conflict (CyCon) in Tallinn, Estonia. The non-commercial agreements are intended to facilitate information sharing, the exchange of best practices and coordination on cyber incidents of mutual concern.

The partnerships follow a commitment made at the 2023 NATO Summit in Vilnius, where member states agreed to expand structured cooperation with private-sector cyber companies. Speaking at CyCon, NATO Assistant Secretary General for Cyber and Digital Transformation Jean Charles Ellermann-Kingombe said effective cyber defence depends on both technical capabilities and shared norms, particularly as attacks on critical infrastructure become more frequent and cyber threats evolve.

The three companies bring distinct capabilities: Microsoft operates one of the largest threat intelligence networks globally; Palo Alto Networks specialises in enterprise network and cloud security; and ESET is one of the major providers of endpoint protection with significant presence in Central and Eastern Europe.

The 2026 CyCon edition, themed ‘Securing Tomorrow,’ runs 26–29 May and convenes approximately 800 participants — including policymakers, technical experts, academics, and industry representatives — from 48 countries. The conference is organised annually by NATO’s Cooperative Cyber Defence Centre of Excellence, based in Tallinn.

Why does it matter?

Governments increasingly rely on cooperation with private-sector cybersecurity companies to identify threats, protect critical infrastructure and respond to cyber incidents. The partnership reflects NATO’s recognition that much of the expertise, threat intelligence and digital infrastructure relevant to cyber defence is operated by industry.

The agreements also signal a broader effort by the alliance to strengthen cyber resilience and improve coordination as cyber threats become more sophisticated and increasingly target both civilian and military systems.


ENISA identifies risk zone sectors in EU cybersecurity assessment

The European Union Agency for Cybersecurity has released its 2026 NIS360 report, assessing the cybersecurity maturity and criticality of high-criticality sectors under the NIS2 Directive.

The report says cybersecurity maturity across the EU’s critical sectors has steadily improved as organisations respond to evolving policy requirements and cyber threats. Banking, electricity, and telecommunications remain among the most mature and critical sectors, while trust services, aviation, and financial market infrastructures have moved into the high maturity band.

Gas, road, maritime, and health strengthened their maturity within the moderate band, although ENISA says progress remains uneven across and within sectors. Factors behind the differences include skills shortages, sector-specific characteristics, and organisational size.

The report identifies a ‘risk zone’ covering sectors with lower-than-average maturity and criticality that exceeds their maturity. ENISA lists health, railway, maritime, ICT management services, space, public administrations, and drinking and wastewater as risk-zone sectors, while gas has started moving out of the category.

ENISA says improvements have been driven by cybersecurity legislation, increased political attention, information sharing, collaboration, and operational preparedness. Regulation, including the NIS2 Directive and the Digital Operational Resilience Act, has helped increase investment and encouraged organisations to address vulnerability management, business continuity, disaster recovery, and supply-chain risk.

The report also points to AI, supply-chain and third-party exposure, and geopolitical volatility as major dynamics shaping the cybersecurity environment. ENISA says AI can improve threat detection and response, but can also support more convincing social engineering, shorter exploitation timelines, and broader access to offensive capabilities.

Why does it matter?

The NIS360 report gives EU policymakers a comparative view of where cybersecurity maturity is improving and where critical sectors remain underprepared. The risk-zone concept is especially useful because it identifies sectors whose importance to society and the economy exceeds their current level of cyber readiness. That makes the report relevant for NIS2 implementation, national supervision, investment priorities, and resilience planning across sectors such as health, public administration, transport, space, and water.


Singapore warns of cybersecurity risks from autonomous AI agents

Singapore’s Cyber Security Agency (CSA) has issued an advisory warning that autonomous AI agents, including OpenClaw, can pose serious cybersecurity risks if deployed without appropriate safeguards.

The advisory references an Infocomm Media Development Authority (IMDA) case study on the responsible deployment of OpenClaw and highlights risks associated with AI agents that can understand context, plan tasks, use external tools, and act on behalf of users.

CSA said such agents can offer productivity benefits but may expose users and organisations to risks, including unpatched vulnerabilities, weak access controls, sensitive data exposure, malicious third-party skills, and memory poisoning.

The agency warned that unresolved risks could lead to agent hijacking, unauthorised actions through tool or API abuse, and unauthorised access to systems or data. It cited the IMDA case study’s warning that ‘accepting the risks associated with granting OpenClaw broader capabilities should be an intentional decision, and not the result of default configurations that were overlooked’.

For individuals, CSA recommends not running the open-source form of OpenClaw on devices containing sensitive data, running it under least-privileged accounts, installing skills only from trusted sources, keeping sensitive data out of its reach, requiring human approval for high-risk actions, and promptly applying updates.

For organisations, the advisory calls for stronger safeguards, including Zero Trust principles, narrowly scoped agents, dedicated and regularly rotated credentials, policy-enforcing proxies, persistent logging, human approval for irreversible actions, negative testing before deployment, and recovery from a known-good baseline after compromise.
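Several of the organisational safeguards listed above (narrowly scoped agents, a data scope the agent may not leave, human approval before irreversible actions, and persistent logging of every decision) can be enforced in one place by a policy gateway that sits between the agent and the tools it calls. The following is an added example written for this digest; it is not code from the CSA advisory, the IMDA case study or the OpenClaw project. The tool names, the workspace path, the in-memory "filesystem" and the stand-in approver function are all constructed for the demonstration.

```python
"""Policy-enforcing gateway between an AI agent and its tools (illustrative).

Every tool call passes through evaluate()/handle(): tools outside the
allow-list are denied by default, file paths are confined to one workspace,
irreversible actions wait for a human decision, and each outcome is appended
to an audit log before anything executes.
"""
from dataclasses import dataclass
import posixpath
import time
from typing import Callable


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset       # narrowly scoped: everything else is denied
    approval_required: frozenset   # irreversible actions: a human must confirm
    workspace: str                 # the only path prefix the agent may touch

    def scope_ok(self, path: str) -> bool:
        # Normalise first so "ws/../secrets/x" cannot step out of the workspace.
        normalised = posixpath.normpath(path)
        return normalised.startswith(self.workspace.rstrip("/") + "/")


class PolicyGateway:
    def __init__(self, policy: AgentPolicy, tools: dict,
                 approver: Callable[[ToolCall], bool], audit_log: list):
        self.policy = policy
        self.tools = tools
        self.approver = approver      # stand-in for a human reviewer
        self.audit_log = audit_log    # persistent record of every decision

    def evaluate(self, call: ToolCall) -> str:
        if call.tool not in self.policy.allowed_tools:
            return "deny:not_allowlisted"
        path = call.args.get("path")
        if path is not None and not self.policy.scope_ok(path):
            return "deny:out_of_scope"
        if call.tool in self.policy.approval_required:
            return "needs_approval"
        return "allow"

    def handle(self, call: ToolCall):
        decision = self.evaluate(call)
        if decision == "needs_approval":
            decision = ("allow:approved" if self.approver(call)
                        else "deny:rejected_by_human")
        # Log before acting, so denied and approved calls are both on record.
        self.audit_log.append({"ts": time.time(), "agent": self.policy.agent_id,
                               "tool": call.tool, "args": call.args,
                               "decision": decision})
        if decision.startswith("deny"):
            raise PermissionError(f"{call.tool}: {decision}")
        return self.tools[call.tool](**call.args)


def run_demo():
    """Drive the gateway through five constructed calls; returns (decisions, remaining files)."""
    # Constructed in-memory "filesystem"; nothing touches the real disk.
    fs = {
        "/srv/agent-ws/notes.txt": "meeting notes",
        "/srv/agent-ws/build.tmp": "scratch output",
        "/srv/secrets/api_key": "hypothetical-secret-value",
    }
    tools = {
        "read_file": lambda path: fs[path],
        "delete_file": lambda path: fs.pop(path),
    }
    policy = AgentPolicy(
        agent_id="summariser-01",                          # hypothetical agent
        allowed_tools=frozenset({"read_file", "delete_file"}),
        approval_required=frozenset({"delete_file"}),
        workspace="/srv/agent-ws/",
    )
    # Stand-in for the human approver: only scratch files may be deleted.
    approver = lambda call: call.args["path"].endswith(".tmp")
    audit_log: list = []
    gateway = PolicyGateway(policy, tools, approver, audit_log)

    calls = [
        ToolCall("read_file", {"path": "/srv/agent-ws/notes.txt"}),        # in scope
        ToolCall("read_file", {"path": "/srv/agent-ws/../secrets/api_key"}),  # traversal
        ToolCall("shell_exec", {"cmd": "whoami"}),                          # not allow-listed
        ToolCall("delete_file", {"path": "/srv/agent-ws/build.tmp"}),       # human approves
        ToolCall("delete_file", {"path": "/srv/agent-ws/notes.txt"}),       # human rejects
    ]
    for call in calls:
        try:
            gateway.handle(call)
        except PermissionError:
            pass   # the denial is already in the audit log
    return [entry["decision"] for entry in audit_log], sorted(fs)


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The gateway denies by default: a tool the agent was never granted is refused before any argument is inspected, and a path is checked only after normalisation, so a traversal attempt is recorded as `deny:out_of_scope` rather than resolved against the real target. A production deployment would replace the lambda approver with a ticketing or chat-based confirmation step and write the audit entries to append-only storage, but the control flow is the same.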

CSA also noted that variants, including NanoClaw and Nvidia’s NemoClaw, have emerged since OpenClaw’s launch. It said organisations requiring agentic AI capabilities should evaluate whether such variants meet their performance and security requirements, as safeguards for agentic AI are still maturing.

Why does it matter?

Agentic AI systems are increasingly being deployed to automate tasks that involve access to data, software tools, and online services. Singapore’s advisory highlights growing concerns that autonomous agents can create new attack surfaces if security controls, oversight mechanisms, and access restrictions are not built into deployments from the start.

The guidance also reflects broader efforts by governments and regulators to develop security practices for rapidly evolving AI systems.


European Commission’s proposal strengthens mobile satellite services rules

The European Commission has proposed a new EU-level authorisation system for mobile satellite services using the harmonised 2 GHz frequency band, following the expiry of current licences in 2027.

The proposal would establish a selection procedure for mobile satellite service providers authorised to use the 2 GHz band across all EU member states. According to the Commission, EU-level authorisation would support regulatory consistency and allow operators to develop and provide services across borders.

The 2 GHz mobile satellite services band is suited to direct-to-device services, including satellite and terrestrial connectivity directly to mobile devices. It can support high-speed internet and critical communications in areas without terrestrial coverage.

Under the proposal, one-third of the band would be reserved for governmental use, including critical communications, security, and military purposes. The services would be provided by an EU operator, which would be required to integrate with IRIS², the EU’s Secure Connectivity programme, and its current and future capabilities.

The remaining two-thirds would be allocated to commercial uses, including direct-to-device services, mobile coverage where terrestrial networks are unavailable, and internet of things applications such as fitness trackers, energy monitoring, and emergency response devices.

The commercial portion would be split equally between EU operators entering the market and established EU and non-EU operators. The structure is intended to diversify suppliers and support the entry of EU providers.

The proposed regulation would replace the 2008 decision that selected the current operators. The Commission said the proposal is consistent with the Digital Networks Act approach, under which satellite spectrum would be authorised at the EU level on a single set of conditions.

Why does it matter?

The proposal links satellite spectrum policy to Europe’s wider goals around connectivity, resilience, security, defence, and technological sovereignty. By moving towards EU-level authorisation for the 2 GHz band, the Commission is trying to reduce regulatory fragmentation while supporting direct-to-device services, critical communications, and future integration with IRIS².


YouTube expands AI transparency rules with automatic content detection

YouTube is updating its approach to AI-generated content by introducing more visible disclosure labels and new automatic detection systems designed to improve transparency for viewers and creators.

The update follows growing concerns around realistic synthetic media, manipulated videos, and generative AI tools across major digital platforms.

Under the revised system, labels for photorealistic or meaningfully AI-altered or generated content will appear directly below long-form videos and as overlays on Shorts. Less realistic, animated, or slightly altered content will continue to be disclosed in expanded video descriptions.

The company is also rolling out internal AI detection signals to identify AI-generated content when creators fail to disclose it themselves. If YouTube’s systems detect significant use of photorealistic AI, the platform may automatically apply a label.

Creators will still be able to update the disclosure status in YouTube Studio if they believe their content has been incorrectly identified as AI-generated. However, disclosures will remain permanent in some cases, including content created with YouTube’s own AI tools, such as Veo or Dream Screen, and content that contains C2PA metadata indicating that AI fully generated it.

YouTube said the updated labels are intended to balance transparency with creator control. The company also said that a disclosure label alone does not change how a video is recommended or whether it is eligible to earn money.

Why does it matter?

YouTube’s update reflects a broader shift towards platform-level governance of synthetic media and generative AI content. As realistic AI-generated video becomes easier to produce, platforms face growing pressure to make synthetic content more visible to users while preserving creator workflows and avoiding over-penalisation. The move also shows how provenance tools such as C2PA and automated detection systems are becoming part of mainstream content governance.


UK’s Ofcom fines adult website over missing age checks

UK regulator Ofcom has fined adult content provider Youngtek Solutions £600,000 after finding that the company failed to implement legally required age assurance measures designed to prevent children from accessing pornographic content online.

According to Ofcom, Youngtek Solutions operated four adult websites without ‘highly effective age assurance’ from 25 July to 22 September 2025, breaching obligations introduced under the UK’s Online Safety Act. The regulator imposed a £500,000 financial penalty for the age-check failures, alongside a further £100,000 fine for failing to respond on time to a legally binding request for information.

Ofcom said sites that allow pornographic material must use highly effective age assurance to prevent children from readily accessing such content. The regulator warned that companies that fail to comply with or miss deadlines for formal information requests can face enforcement action.

If a provider fails to pay a fine, Ofcom can seek recovery of the penalty. Where appropriate, it can also seek court orders for business-disruption measures, including requiring payment providers or advertisers to withdraw services from a platform or requiring internet service providers to block a site in the UK.

Youngtek Solutions has since implemented age assurance on all sites covered by the investigation. Ofcom said it will continue monitoring the sites to ensure their age-checking methods remain effective in preventing children from accessing pornographic content.

Why does it matter?

The fine shows Ofcom beginning to use its enforcement powers under the Online Safety Act against adult services that fail to implement child protection measures. The case also signals that age assurance obligations are not merely a compliance formality: non-compliant services may face financial penalties, information-gathering enforcement, and potentially business-disruptive measures if they fail to meet their legal duties.


CrowdStrike disrupts Glassworm botnet targeting software developers worldwide

CrowdStrike has announced the coordinated disruption of the Glassworm botnet, a cyber operation targeting software developers through open-source software supply chains.

Working with Google and the Shadowserver Foundation, the cybersecurity company said it simultaneously disabled four command-and-control channels used by the malware infrastructure.

According to CrowdStrike, Glassworm targeted developers through trojanised VSCode extensions, malicious npm and Python packages, and compromised GitHub repositories containing poisoned code. The campaign affected Windows, macOS, and Linux systems and targeted the theft of developer credentials and the maintenance of persistent access to development environments.

CrowdStrike said the botnet had compromised hundreds of GitHub repositories using stolen developer credentials, posing risks to downstream software supply chains. The company warned that attackers are increasingly targeting developers because compromising a single workstation, repository, or package can spread malicious code across many organisations, services, and users.

The company also highlighted the growing resilience of cybercriminal infrastructure. It said Glassworm combined blockchain technology, peer-to-peer systems, legitimate online services, and traditional servers to make takedown attempts more difficult.

The disruption cuts off the botnet’s known command-and-control channels, but CrowdStrike said organisations should continue checking for compromised developer environments, malicious packages, and exposed credentials.

Why does it matter?

The Glassworm campaign shows how developer tools and open-source ecosystems have become critical attack surfaces. Rather than attacking only large enterprises directly, threat actors can compromise repositories, extensions, libraries, or credentials used by developers and then move through the software supply chain. Such attacks can create cascading risks for cloud services, enterprise software, financial systems, public services, and other organisations that rely on shared code and development infrastructure.
