ENISA finds Cyber Resilience Act driving SBOM adoption across industries

The European Union Agency for Cybersecurity (ENISA) has published a report on Software Bill of Materials (SBOM) adoption, finding that the Cyber Resilience Act (CRA) is accelerating investment in software supply chain transparency across organisations. The report, titled ‘SBOM Adoption State of Play – 2026’, analyses survey results gathered at the end of 2025.

The survey examined how organisations of different sizes and across multiple sectors are approaching SBOM adoption in response to the Cyber Resilience Act. ENISA said the regulation is transforming SBOMs from a voluntary software supply chain security practice into a mandatory requirement for products with digital elements placed on the EU market.

The report found that 78% of respondents had already begun implementing SBOMs, while 44% were in a pilot or limited deployment phase. ENISA also said 79% of organisations expect to reach the necessary SBOM maturity level by the time the Cyber Resilience Act becomes fully applicable in December 2027.

Organisations are investing in SBOM generation, automation, and integration into the software development lifecycle. Respondents cited benefits including risk reduction, cost avoidance, operational efficiency, regulatory compliance, contractual alignment and competitive advantage.

ENISA also identified barriers to the adoption of SBOMs at scale. Key challenges include achieving greater SBOM completeness, improving data quality, correlating vulnerabilities, obtaining SBOMs from suppliers and third parties, and developing the necessary internal expertise and staffing.

The report says further progress will depend on shared implementation practices, supplier transparency, workforce capabilities, and clearer integration of SBOMs into operational risk management. ENISA said organisations would also benefit from external support, including reference implementations, tool-selection guidance, conformance testing, standardised formats and clearer definitions of what constitutes a sufficiently complete SBOM.

Why does it matter?

Software supply chains have become a major cybersecurity concern as organisations increasingly rely on complex networks of open-source and third-party components. SBOMs provide visibility into the software components used within products, helping organisations identify vulnerabilities, assess risks and respond more effectively to security incidents.

The report highlights how the Cyber Resilience Act is driving a shift from voluntary software transparency practices to formal compliance requirements. The findings also illustrate that while adoption is progressing, organisations continue to face technical, organisational and supply-chain challenges that could influence the effectiveness of future software security efforts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Ofcom confirms platform crisis protocols under UK Online Safety Act

UK communications regulator Ofcom has set out new crisis response measures aimed at helping online platforms respond when illegal content and content harmful to children spreads rapidly during emergencies.

The measures will be added to Ofcom’s Illegal Content Codes of Practice and Protection of Children Codes of Practice under the UK’s Online Safety Act. However, they must still complete the parliamentary process before taking effect.

Ofcom said ordinary content moderation systems may not be sufficient during exceptional events, such as public disorder, terrorist attacks, or other crises that lead to a sudden increase in harmful or illegal online activity. The regulator pointed to the violent riots that followed the 2024 Southport murders and the risk of terrorist attacks being livestreamed as examples of crises where online content can threaten public safety.

Under the measures, service providers should prepare and apply crisis protocols to manage significant increases in relevant illegal content or content harmful to children. Ofcom expects providers to deploy temporary response teams as soon as possible during a crisis, record key decisions and conduct post-crisis reviews to assess whether their response was effective.

Large platforms should also maintain dedicated communication channels for law enforcement agencies to share crisis-related information. Ofcom said the measures are intended to support faster and more coordinated public safety efforts during exceptional events.

The regulator consulted on crisis response protocols in 2025 and said further decisions on additional online safety measures are expected in autumn 2026.

Why does it matter?

The measures show how online safety regulation is moving from general content moderation duties towards operational crisis governance. In emergencies, platforms may face sudden spikes in illegal content, livestreamed harm or coordinated activity that ordinary moderation systems cannot manage quickly enough. Ofcom’s approach also formalises closer crisis-time coordination between large platforms and law enforcement, raising important questions about public safety, platform accountability, due process and safeguards under the UK Online Safety Act.

Google highlights rising online scam threats

Google has warned that online scams remain a major global challenge, citing estimates that fraud losses could reach nearly $580 billion in 2025.

In its latest fraud and scams advisory, the company said phishing attacks are becoming more sophisticated, with criminals using adversary-in-the-middle techniques and QR code phishing, also known as quishing, to steal credentials and bypass security measures.

The advisory also highlighted risks linked to cryptocurrency investment scams, malicious finance applications and police impersonation schemes. According to Google, scammers are using AI, social engineering and trusted digital services to deceive users, obtain money and collect sensitive information.

Google said its Trust & Safety teams are using AI tools, predictive analytics and policy enforcement to detect and disrupt fraudulent activity across its services. The company also pointed to measures such as stronger protections for session cookies, enforcement against deceptive crypto ads, monitoring of post-installation app behaviour and developer identity verification for apps installed on certified Android devices.

The company urged users to be cautious of unsolicited communications, unrealistic investment promises, unexpected QR codes and requests for personal or financial information.

Why does it matter?

The advisory shows how online fraud is becoming a cross-platform governance problem rather than a narrow cybersecurity issue. Scams now rely on trusted cloud services, mobile apps, messaging platforms, crypto infrastructure and impersonation of public authorities. That creates pressure on major technology companies to strengthen detection, app accountability and policy enforcement, while raising broader questions about consumer protection, platform responsibility and digital trust.

Ofcom warns platforms over online abuse ahead of FIFA World Cup 2026

Ofcom has urged online platforms to strengthen protections against illegal hate speech, abuse, threats and harassment ahead of the FIFA World Cup 2026. The UK regulator reminded technology companies that they have legal responsibilities under the Online Safety Act to reduce the risk of users encountering criminal content on their services.

The intervention follows concerns about abuse directed at players, coaches, officials and commentators during previous international tournaments. According to Ofcom, online attacks have frequently targeted individuals based on race, ethnicity, perceived sexual orientation and disability, causing significant personal and professional harm.

Under the UK’s Online Safety Act, platforms are required to operate effective reporting systems, maintain adequately resourced moderation teams and remove illegal content without undue delay. Ofcom stated that evidence of failures to meet these obligations during the tournament could be considered as part of its ongoing compliance assessments.

The regulator also highlighted a partnership established earlier this year with the UK Football Policing Unit, the Football Association, the Premier League, the English Football League, the Women’s Super League, the Professional Footballers’ Association and anti-discrimination organisation Kick It Out.

The initiative aims to strengthen information sharing and support preventative measures against online abuse targeting individuals across the football ecosystem.

Why does it matter?

Major sporting events often lead to spikes in online abuse, particularly against athletes, officials and other high-profile figures. The scale and visibility of these events can amplify harmful behaviour and place additional pressure on platforms to enforce their content moderation policies effectively.

Ofcom’s intervention highlights how online safety regulation is increasingly being tested during major public events. The regulator’s warning also signals that compliance with the Online Safety Act will be assessed not only through policies on paper but through how platforms respond to real-world surges in harmful content.

EY Malta expands AI in audit services

EY Malta has introduced enterprise-scale agentic AI across its Assurance services, integrating the technology into EY Canvas, the firm’s global audit platform.

The rollout forms part of EY’s wider global strategy to embed AI into audit workflows and support audit quality, risk assessment, and client insights.

EY said the AI-enabled framework helps auditors analyse large volumes of data, assess risks, and access updated auditing and accounting guidance in real time. The firm said the technology is designed to support, not replace, auditors, with professional judgement and human oversight remaining central to the audit process.

The system is integrated with Microsoft Azure, Microsoft Foundry, and Microsoft Fabric, reflecting EY’s broader global partnership with Microsoft on the secure and scalable deployment of AI.

EY said the rollout follows global testing and is part of its long-term investment in audit quality, technology, and workforce development. The firm added that further AI enhancements are planned over the coming years as audit teams use the tools across more stages of the audit process.

EY Malta also highlighted related assurance and advisory services linked to AI readiness, governance, and risk management. The firm said the technology would allow teams in Malta to focus more on risk and audit quality while reducing administrative work.

Why does it matter?

The rollout shows how agentic AI is moving into regulated professional services, including audit, where accuracy, accountability, and human judgement remain central. AI could help auditors analyse larger datasets and focus on higher-risk areas. Still, it also raises questions about oversight, explainability, skills, liability, and how regulators assess AI-supported audit work.

WhatsApp seeks contempt order against NSO over spyware targeting

WhatsApp has asked a US court to hold NSO Group in contempt, alleging that the spyware company violated a permanent injunction barring it from targeting WhatsApp and its users.

The company said it disrupted spear-phishing attempts linked to NSO after investigating user reports. According to WhatsApp, the activity involved malicious links that sought to redirect users to external websites outside the messaging platform.

WhatsApp also said it identified and removed test accounts and groups created on its service as part of the suspected NSO-linked activity. The company is sharing threat indicators to help users and researchers check whether targeting attempts may have occurred across WhatsApp, text messages, email, or other channels.

The latest filing follows WhatsApp’s earlier legal victory against NSO. The company said a court found that NSO violated federal and state anti-hacking laws and issued a permanent injunction barring NSO from targeting WhatsApp and its users.

WhatsApp described commercial spyware as a national security threat, arguing that surveillance-for-hire firms target not only messaging services but also browsers, operating systems, and other applications. The company said the targets reported for such tools include journalists, government officials, military personnel, and humanitarian organisations. It also warned against easing US restrictions on NSO, which remains on the US government’s Entity List.

WhatsApp said it is contributing to the Spyware Accountability Initiative, which supports organisations working on forensic research, user support, and advocacy against spyware.

Why does it matter?

The case shows how legal orders against spyware companies may still require active technical monitoring and enforcement. WhatsApp’s contempt request also keeps pressure on the commercial spyware industry, where surveillance tools can move across platforms, devices, browsers, and operating systems. The story matters for encrypted communications because it shows that protecting users depends not only on encryption, but also on legal accountability, threat intelligence, vulnerability research, and support for civil society targets.

UK’s IWF backs on-device nudity detection to protect children online

The Internet Watch Foundation (IWF) has welcomed a UK government proposal that would require technology companies to introduce on-device nudity detection and blocking features for internet-connected devices used by children. The charity argues that preventing explicit images from being created or shared could significantly reduce the circulation of child sexual abuse material online.

The proposal follows growing concern over the increasing volume of so-called ‘self-generated’ child sexual abuse material, in which children are manipulated or coerced into creating explicit content.

According to IWF data, 311,610 reports containing child sexual abuse material were actioned during 2025, the highest number recorded by the organisation. Of those reports, 266,397 contained at least one self-generated image or video, underscoring the scale of the issue.

According to the IWF, children are frequently groomed, manipulated or coerced into producing sexual images that are subsequently distributed online. During 2025, analysts assessed more than 111,000 criminal images and almost 29,000 videos involving self-generated abuse material. More than 25,000 of those files were classified as Category A, the most severe category under UK law.

While supporting device-level protections, the organisation emphasised that no single intervention can address the problem on its own. It argues that effective child protection requires a combination of device safeguards, platform responsibility, law enforcement action and broader online safety policies.

Why does it matter?

The proposal reflects a growing shift towards preventative online safety measures that seek to stop harmful content from being created and shared, rather than relying solely on detection and removal after distribution.

The debate also highlights increasing concern about self-generated child sexual abuse material, which has become one of the fastest-growing categories of online abuse. If implemented effectively, device-level safeguards could become an important component of broader child protection strategies that also include platform responsibility, education initiatives and law enforcement action.

EDPS debate to examine EU Omnibus data protection proposals

The European Data Protection Supervisor (EDPS), Germany’s Federal Commissioner for Data Protection and Freedom of Information, and the Bavarian Data Protection Commissioner will host a high-level debate on the European Commission’s Omnibus proposals. The event, titled ‘From Omnibus to Opportunity: Driving Data Protection and Innovation’, will take place in Brussels on 8 June.

The debate will examine the Omnibus proposals and their potential implications for the GDPR and the wider EU digital regulatory framework. The event is hosted by the Representation of the Free State of Bavaria to the European Union.

According to the EDPS, the proposals introduce targeted adjustments affecting elements of the EU digital acquis, including aspects of the GDPR and the AI Act. Their stated objective is to simplify compliance requirements and reduce administrative burdens while maintaining a high level of protection for fundamental rights.

Discussions will focus on legal certainty, regulatory coherence, preserving the GDPR’s level of protection, and identifying ways to strengthen fundamental rights, innovation and competitiveness across the EU.

Participants are expected to include representatives from the European Parliament, the Council of the European Union, the European Commission, data protection authorities, academia, civil society and the private sector.

Why does it matter?

The Omnibus proposals have become a focal point in wider debates about how the European Union can strengthen competitiveness and innovation while preserving high standards of data protection and fundamental rights.

The discussion highlights growing efforts to balance regulatory simplification with legal certainty and effective safeguards, particularly as the EU seeks to implement complex frameworks such as the GDPR and AI Act while supporting digital innovation and economic growth.

India targets dark patterns with fines for PhysicsWallah and McAfee

India’s Central Consumer Protection Authority has fined PhysicsWallah and McAfee Software India for using dark patterns that the regulator said misled consumers and influenced their choices on digital platforms.

PhysicsWallah was fined ₹5 lakh, while McAfee was fined ₹1 lakh. Both companies were directed to remove the practices from their platforms and ensure that users can make informed choices without pressure or manipulation.

The action was taken under the Consumer Protection Act 2019, the Consumer Protection (E-Commerce) Rules 2020, and the Guidelines for Prevention and Regulation of Dark Patterns 2023.

In the PhysicsWallah case, the regulator found that a ₹10 donation to the PW Foundation was automatically selected during checkout and added to the total payable amount without the consumer’s explicit consent. Users were also shown emotional messages related to children’s education, healthcare, and marriages that encouraged them to keep the donation selected.

The CCPA also found that courses advertised as free could only be accessed after users shared personal information such as a mobile number and email address. The regulator said the content remained the same across user accounts, indicating that mandatory data collection was not necessary to access the courses.

The authority identified basket sneaking, confirm shaming, and forced action in the PhysicsWallah case. It also said the practices raised serious consumer protection concerns because many users on the platform are students, including minors.

In the McAfee case, the CCPA found that users deciding whether to renew subscriptions were shown options such as ‘Renew Now’ and ‘Accept Risk’. The authority said the wording portrayed non-renewal as a risky decision and created pressure on consumers to continue their subscriptions.

The regulator identified confirmation shaming, interface interference, trick questions, and forced action in McAfee’s renewal process, saying consumers should be able to make subscription decisions freely and without fear-based messaging or misleading design.

The CCPA said the orders form part of its continued action against dark patterns in digital marketplaces. It reiterated that consumer consent must be explicit, informed, and free from manipulative design practices.

Why does it matter?

The penalties show that dark pattern rules in India are moving from guidance to enforcement. By targeting pre-selected donations, emotionally loaded opt-out messages, forced data sharing, and fear-based subscription renewal design, the CCPA is signalling that manipulative interface design can be treated as a consumer protection violation, not just a poor user experience.

Australia’s regulator warns of growing AI-powered sextortion threat

Australia’s eSafety Commissioner has launched a public awareness campaign warning that criminals are increasingly using AI and other digital tools in sextortion scams.

The initiative, titled ‘If sextortionists were honest’, uses generative AI to expose deceptive tactics used by online criminals targeting victims through dating apps and social media platforms.

According to eSafety, more than 3,300 reports of sexual extortion were received through its image-based abuse scheme in 2025. Eighty-six percent of reports came from males of all ages, while 42% of all sextortion reports involved males aged 18 to 24.

eSafety Commissioner Julie Inman Grant said offenders are already weaponising face-swapping and voice-cloning technologies, while using generative AI to create fake but convincing online characters and improve scam scripts that previously contained warning signs such as poor grammar or inconsistent messaging.

Reports made to eSafety show that first contact frequently occurs on platforms such as Tinder, Instagram, and Grindr, before conversations are moved to WhatsApp, Telegram, or other messaging apps. Offenders may then search victims’ social media accounts to identify family members and friends they can threaten to contact.

The regulator said overseas offenders often try to appear local and legitimate, including by spoofing Australian phone numbers, using intimate images taken from other victims, or using bank accounts belonging to previous victims to receive and move payments.

eSafety said the safest response is to stop contact, report the account to the platform, block the offender, preserve evidence where possible, and seek support rather than paying. The regulator also called on platforms to take proactive Safety by Design steps, including better language analysis, classifier-based detection, accessible reporting and blocking tools, swift removal pathways for image-based abuse, and cross-platform signal sharing.

Why does it matter?

The campaign shows how generative AI is making online coercion and scams harder to detect. Sextortion is no longer only a problem of fake accounts and blackmail messages: offenders can now use AI-generated personas, improved scripts, voice cloning, and deepfake-style techniques to build trust and pressure victims more effectively. That raises the importance of platform-level detection, user reporting tools, digital literacy, and victim support.