CISA shares lessons from GitHub credential exposure

CISA has published details of an internal CISA incident response triggered after an investigative reporter alerted the agency to Amazon AWS GovCloud keys and other internal information exposed in a public GitHub repository.

The agency said the information was identified by a security researcher whose company continuously scans public code repositories. The repository was not part of CISA’s official GitHub environment but belonged to a contractor’s personal GitHub account.

According to CISA, its Office of the Chief Information Officer immediately took the repository offline and preserved it for forensic analysis. The agency also suspended its development environment, reset affected credentials and revoked the contractor’s system access.

The investigation found that the contractor had uploaded copies of a CISA build and deployment repository to a personal GitHub account while attempting to build cloud infrastructure independently. The repository contained infrastructure-as-code, build scripts, administrator credentials and build credentials.

Forensic analysis found no evidence that the exposed credentials had been used outside CISA environments and no customer or mission data was compromised.

CISA subsequently rotated all credentials associated with environments where the contractor had administrator privileges, expanded repository allow and deny lists, and restricted users’ ability to upload code to public repositories before restoring the development environment.

The agency said the incident reinforced the value of taking external vulnerability reports seriously, applying Zero Trust principles to development environments and maintaining detailed logging that enabled rapid investigation.

It also identified several areas for improvement, including stricter controls over public repositories, better secrets detection, clearer GitHub and cloud incident response playbooks, simpler reporting channels for security researchers, stronger development environment guardrails and more mature cryptographic key management.

CISA also said organisations should maintain clear reporting channels for incidents affecting their own environments and publish reporting instructions in multiple locations rather than relying solely on a security.txt file.

The agency said publishing its own incident response experience is intended to help other organisations strengthen their security practices and improve preparedness for similar incidents.

Why does it matter?

The incident illustrates how easily sensitive credentials can be exposed through routine developer workflows and personal code repositories, even within organisations responsible for cybersecurity. It also highlights the importance of rapid detection, credential rotation and strong access controls when managing cloud infrastructure.

By publicly documenting both its response and the lessons learned, CISA is encouraging organisations to treat incident reporting, secrets management, Zero Trust architecture and developer governance as integral parts of software security rather than afterthoughts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Ofcom fines adult platform over Online Safety Act age check failures

The UK communications regulator, Ofcom, has fined the operator of Fapello.com £630,000 for breaching the Online Safety Act, marking one of its most significant enforcement actions under the new regime.

The penalty includes £600,000 for failing to implement legally required age assurance measures to prevent children from accessing pornographic content, and a further £30,000 for failing to comply with a legally binding information request. Following Ofcom’s action, Fapello.com geoblocked users in the UK, although the regulator said it will continue monitoring compliance.

Ofcom also confirmed it has opened a new investigation into Bit Hive, operator of Eporner.com, to assess whether its age verification measures meet the Act’s requirement for ‘highly effective’ age assurance.

Separately, the regulator expanded its existing investigation into Kemono.cr to examine whether the platform failed to comply with statutory information requests.

Ofcom said robust age verification is a core requirement of the Online Safety Act and warned that providers failing to implement effective protections or cooperate with regulatory investigations should expect enforcement action, including substantial financial penalties.

The regulator added that it prioritises investigations according to user reach and will continue monitoring compliance across online pornography services.

Why does it matter?

The case demonstrates that the UK’s Online Safety Act has entered a new phase of active enforcement. Rather than focusing solely on guidance and compliance deadlines, Ofcom is now imposing financial penalties and investigating platforms that fail to implement effective child protection measures.

The decision also shows that enforcement extends beyond age verification itself. Companies that fail to cooperate with regulatory investigations or provide required information may face additional sanctions, reinforcing the regulator’s ability to oversee compliance across online platforms.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

European Commission launches consultation on data sovereignty

The European Commission has launched a targeted consultation on data sovereignty, seeking feedback on challenges affecting EU organisations, cross-border data flows and strategic data dependencies.

The consultation targets stakeholders across the data value chain and a range of economic sectors. It seeks input on data-related dependencies, including barriers to accessing or using data in third countries, obstacles to transferring data into the EU, and risks associated with third-country access to sensitive data.

The European Commission supports the Data Union Strategy adopted in November 2025, which aims to strengthen the EU’s data sovereignty and reinforce its position in international data flows.

The initiative is also linked to the European Tech Sovereignty Package, which covers semiconductors, AI, cloud computing and open-source technologies. According to the Commission, these measures are intended to strengthen Europe’s digital autonomy and support its ambition to become an AI continent.

The consultation will remain open until 8 September 2026 at 23:59 CEST.

Why does it matter?

The consultation reflects the EU’s growing view that data sovereignty is both an economic competitiveness issue and a matter of strategic security. By examining cross-border data flows, third-country access and data dependencies, the Commission is seeking to reduce vulnerabilities while preserving trusted international data exchanges.

The exercise also highlights how data governance is becoming a central pillar of the EU’s broader technology sovereignty agenda. The feedback received could help shape future policies on cloud services, AI, digital infrastructure and international data transfers as Europe seeks to balance openness with greater strategic autonomy.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EDPB adopts GDPR guidance for AI, blockchain and anonymisation

The European Data Protection Board (EDPB) has adopted new guidelines on anonymisation, web scraping for generative AI, and the use of blockchain technologies under the General Data Protection Regulation (GDPR). The measures aim to provide organisations with greater regulatory clarity while protecting individuals’ personal data rights.

The anonymisation guidelines set out criteria for determining when data can be considered anonymous, focusing on whether individuals can be isolated, linked to other datasets or reidentified through inference. The framework is intended to help organisations assess when data can be used without identifying individuals.

The web scraping guidance outlines the GDPR obligations associated with collecting online data to train generative AI models. The EDPB emphasises transparency, purpose limitation, data accuracy and data minimisation, while noting that processing sensitive personal data requires additional legal safeguards.

The Board also adopted its blockchain guidelines following public consultation, explaining how different blockchain architectures may affect GDPR compliance. The recommendations are intended to help organisations deploy blockchain technologies while addressing privacy challenges associated with decentralised data processing.

Why does it matter?

The EDPB’s guidance provides greater legal certainty for organisations developing AI and blockchain applications in Europe. As generative AI increasingly relies on large-scale data collection and blockchain adoption continues to expand, clearer GDPR expectations could shape how organisations collect, process and protect personal data.

The guidance also illustrates how European regulators are adapting long-standing data protection rules to emerging technologies without creating separate privacy frameworks for each new innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

UK Treasury highlights economic value of cyber resilience

HM Treasury has published a report arguing that cyber resilience in financial services should be treated as a strategic capability rather than simply a compliance requirement or technical cost.

The report, The Value of Resilience: Cyber Resilience in Financial Services, brings together evidence on the economic and operational value of resilience, focusing on the growing impact of cyber disruption across the financial sector.

The report argues that cyber risk has intensified as financial institutions become more dependent on digital infrastructure, third-party providers, cloud services and shared technologies. It cites the Bank of England’s 2026 H1 Systemic Risk Survey, in which 82% of UK banks, insurers and asset managers identified cyberattacks as one of the financial system’s a top five risks.

HM Treasury also cites National Cyber Security Centre data showing a sharp rise in nationally significant cyber incidents during 2024–25. Highly significant incidents increased by 50% year on year, while nearly half of all incidents handled by the NCSC met the threshold for national significance.

The financial impact can be considerable. KPMG Cyber Risk Insights modelling cited in the report estimates plausible worst-case annual ransomware losses of more than £230 million for mid-sized financial firms and around £466 million for large institutions, illustrating how average loss estimates can underestimate severe but plausible cyber events.

Beyond direct financial losses, the report links major cyber incidents to operational disruption, reputational damage, lost revenue and reduced investor confidence, noting that affected firms may underperform the market for a year or longer.

At the same time, HM Treasury argues that stronger cyber resilience can reduce both the likelihood and impact of disruption through earlier detection, faster containment, more effective escalation procedures, recovery planning, service prioritisation and fallback arrangements.

The report also presents resilience as a driver of growth rather than simply a defensive measure. Citing Accenture research, it argues that highly resilient organisations generate faster revenue growth, achieve stronger profit margins and are better positioned to modernise systems, adopt AI and pursue digital transformation without disruption undermining progress.

Why does it matter?

The report reframes cyber resilience as a source of competitive advantage rather than simply a risk management function. For financial institutions, stronger resilience is presented not only as a way to protect customers and market confidence, but also as an enabler of AI adoption, digital transformation and long-term business performance.

The findings also reflect a broader shift in cyber policy. As financial services become increasingly dependent on cloud infrastructure, AI and interconnected digital ecosystems, regulators are treating operational resilience as a strategic capability that underpins both financial stability and economic growth.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

European Parliament updates Digital Agenda for Europe factsheet

The European Parliament has updated its factsheet on the Digital Agenda for Europe, outlining how the EU’s digital policy has shifted from setting strategic goals to implementing rules on platforms, data, digital identity, AI and cybersecurity.

The factsheet says digital platforms and emerging technologies continue to reshape how Europeans work, communicate, shop and learn. Since 2024, the EU has focused on implementing legislation designed to strengthen digital security, promote fair competition and support digital sovereignty alongside the green transition.

The updated overview of the Digital Agenda for Europe situates current policy within a longer trajectory, from the 2010 Digital Agenda and the 2015 Digital Single Market strategy to the 2030 Digital Compass and the Digital Decade framework. Together, these initiatives set targets for digital skills, public services, business transformation and resilient digital infrastructure.

The document highlights several core policy areas. On data, it points to the EU’s framework built around the GDPR, the Data Governance Act and the Data Act. On AI, it notes that the AI Act has been in force since August 2024, with its provisions applying in stages under the oversight of the EU AI Office.

The factsheet also identified the Digital Services Act (DSA) and Digital Markets Act (DMA) as key pillars of the EU’s digital single market. It notes that the DSA has applied in full since February 2024, while DMA enforcement intensified in 2025 with the first fines imposed on designated gatekeepers.

Cybersecurity is another major focus. The document highlights the expanded scope of the NIS2 Directive, the Cyber Resilience Act, which entered into force in December 2024, and the Cyber Solidarity Act, aimed at strengthening EU-wide cyber detection and incident response.

The update also highlights digital identity, interoperability, platform work, media freedom, digital education and infrastructure resilience as continuing priorities within the EU’s broader digital policy agenda.

Why does it matter?

The update illustrates how the EU’s digital strategy has entered a new phase focused on implementation rather than legislation. With most of its major digital laws now in force, attention is shifting from adopting new rules to enforcing them consistently across member states and ensuring they deliver tangible results.

That shift is significant because the success of the EU’s digital agenda will increasingly be judged by its practical impact on competition, cybersecurity, AI governance, digital sovereignty and the functioning of the single market, rather than by the number of new regulatory initiatives.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UN explores how AI can scale human rights implementation

Digital tools and AI can help governments turn thousands of human rights recommendations into concrete action, but only if technology remains firmly guided by human expertise and institutional cooperation, speakers concluded during a WSIS Forum 2026 session on scaling digital tools for human rights monitoring.

The discussion brought together representatives from Costa Rica, the Office of the UN High Commissioner for Human Rights (OHCHR), academia, and civil society to examine how digital platforms, AI-assisted analysis, and improved data management can enhance the implementation of recommendations issued by UN human rights mechanisms.

Costa Rica shares experience with recommendation tracking

Opening the discussion, Domenico Zipoli, Head of Programmes at the Geneva Human Rights Hub, noted that governments receive thousands of recommendations every year from treaty bodies, the Universal Periodic Review (UPR), special procedures, and regional mechanisms, making implementation increasingly difficult without digital support.

Costa Rica’s Roberto Cespedes, Chargé d’Affaires at the country’s mission to the UN in Geneva, explained how the National Recommendations Tracking Database (NRTD) has transformed the country’s follow-up process.

Costa Rica established its National Mechanism for Implementation, Reporting and Follow-up (NMIRF) in 2011, bringing together ministries, parliament, the judiciary, and the national human rights institution. However, for years, the mechanism lacked an effective technological platform capable of managing recommendations from multiple international processes.

‘The database has significantly improved visibility of recommendations across institutions,’ Cespedes said.

He highlighted the tool’s ability to cluster recommendations by topic, enabling ministries to identify shared responsibilities and collaborate more effectively. Rather than working in isolation, institutions increasingly recognise the need for coordinated implementation.

Costa Rica is also working to expand access beyond government. Cespedes said civil society organisations are expected to gain direct access to the platform, allowing them to monitor implementation, provide feedback, and strengthen transparency.

OHCHR: AI can assist, but humans remain indispensable

Presenting the UN perspective, Marie Eve Boyer, Human Rights Officer at OHCHR, explained that the NRTD was developed to address the fragmentation of international human rights recommendations.

Built on the Universal Human Rights Index, the platform enables governments to consolidate recommendations, assign responsibilities across ministries, monitor progress, and prepare reports more efficiently.

Boyer noted that 20 countries are already using the NRTD, while another 40 are waiting for deployment.

She argued that AI has significant potential to support implementation by identifying relevant information, clustering recommendations, highlighting data gaps, and scaling reporting processes. However, she stressed that technology cannot replace human judgement.

‘AI can help process information, but it cannot understand the reality experienced by communities,’ she said, adding that contextual expertise remains essential when assessing whether recommendations have genuinely been implemented.

She also warned against viewing digital tools as substitutes for strong institutions, arguing that successful implementation depends on sustained human engagement alongside technological innovation.

Generative AI opens new possibilities for legal experts

Offering an academic perspective, Lukasz Szoszkiewicz, Assistant Professor at Adam Mickiewicz University in Poznań, demonstrated several prototype tools built using natural language processing and generative AI.

His projects include searchable databases of UN treaty body jurisprudence, analytical dashboards for the Universal Human Rights Index, and paragraph-level search tools for European Court of Human Rights decisions.

Szoszkiewicz argued that generative AI is fundamentally changing software development by enabling lawyers, researchers, and other domain experts to build specialised digital tools themselves rather than relying solely on IT teams.

‘Domain experts now have the possibility to develop tools that match exactly what they need,’ he explained.

He also addressed concerns about AI hallucinations, recommending that large language models be used primarily to generate deterministic software code rather than directly analysing sensitive datasets. This approach, he said, produces more reliable and verifiable results while reducing the likelihood of inaccurate outputs.

Better data still needed to measure real-world outcomes

Audience interventions highlighted persistent challenges surrounding data availability and measuring whether human rights recommendations actually improve people’s lives.

Representatives from civil society organisations working on torture prevention and disability rights pointed to the difficulty of obtaining reliable outcome data, particularly in countries where governments do not systematically publish relevant information.

Responding to these concerns, Boyer said OHCHR is exploring minimum datasets that could help governments monitor implementation more consistently while aligning human rights indicators with the Sustainable Development Goals.

Cespedes added that AI could eventually help governments identify positive actions that officials may not even realise correspond to international recommendations, making implementation more visible and easier to document.

Throughout the session, speakers agreed that AI and digital platforms should be viewed as tools to strengthen human rights implementation rather than replace human oversight. They concluded that meaningful progress will depend on better data, stronger institutional cooperation, and continued collaboration between governments, international organisations, academia, and civil society.

Track all key moments from the WSIS Forum 2026 on our dedicated WSIS page.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

ECB urges banks to prepare for AI cyber threats

The European Central Bank has called on major euro area banks to prepare action plans to address AI-enabled cybersecurity threats.

In a letter to bank CEOs, ECB Banking Supervision said emerging AI models can identify software vulnerabilities and generate functioning exploits at unprecedented speed.

The ECB warned that AI is compressing the time between vulnerability discovery and exploitation, with potentially serious implications for the confidentiality, integrity and resilience of banks’ ICT systems.

The central bank said the change is a long-term shift in the threat landscape, not a temporary risk linked to a single tool.

Banks have been asked to submit action plans to their Joint Supervisory Teams by 31 October 2026.

The plans should set out concrete measures, resources, roles, responsibilities and implementation timelines for strengthening cyber resilience.

Short-term priorities include faster vulnerability and patch management, stronger monitoring and detection, AI-enabled defensive capabilities and updated third-party risk management.

The ECB also called for structural measures such as defence-in-depth, improved cyber hygiene, infrastructure modernisation, crisis management, recovery arrangements and information-sharing.

The letter follows a European Systemic Risk Board warning about systemic cyber risks posed by frontier AI models.

ECB Banking Supervision also said it will address cybersecurity risks linked to quantum computing in a separate letter.

Why does it matter?

The ECB letter turns AI-enabled cyber risk into a concrete supervisory issue for major euro area banks. If AI accelerates vulnerability discovery and exploit generation, banks will face shorter windows for patching, detection and response. The focus on third-party providers and supply chains is also important because financial institutions depend heavily on external ICT services. The ECB’s approach links AI cyber threats with DORA-style operational resilience, showing that advanced AI is now part of mainstream financial supervision.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Viber brings ChatGPT into its messaging app

Rakuten Viber has launched ChatGPT-powered tools inside its messaging app through a new partnership with OpenAI.

The integration allows users to ask questions in a dedicated ChatGPT chat or tab, mention @ChatGPT in supported private and group chats, summarise conversations and shared links, polish draft messages, translate messages and remix images.

Viber said most tools are available after users update the app, without requiring ChatGPT registration.

Image Remix requires users to log in to ChatGPT within Viber or create a free account. OpenAI says availability may vary by region, app version, account and chat type.

The privacy model depends on the feature used. Viber says its core messaging features remain protected by end-to-end encryption, while ChatGPT-powered tools are activated only when users choose to use them.

When a ChatGPT-powered feature is used, Viber sends OpenAI the information needed to process that request. Depending on the feature, that may include selected messages, drafts, images, prompts, link content, messages that mention @ChatGPT, timestamps, approximate location and a Viber-generated hashed user ID.

OpenAI says data sent from ChatGPT-powered features in Viber personal and group chats is not used to train its models, except for conversations in the ChatGPT tab.

If a user connects a ChatGPT account, activity may be associated with that account and handled under OpenAI’s standard retention and data settings.

Why does it matter?

The launch brings generative AI into everyday messaging, moving ChatGPT from a separate assistant into conversations, links, drafts, translations and images. That makes AI tools more accessible, but also creates a more complex privacy model. Users need to understand when messages remain inside an end-to-end encrypted chat and when selected content is sent to OpenAI for processing. For messaging platforms, the key governance challenge is adding useful AI features while preserving user control, clear consent and transparent data handling.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Finland opens consultation on platform work legislation implementing EU rules

Finland’s Ministry of Economic Affairs and Employment has opened a public consultation on a draft Platform Work Act that would transpose the EU Platform Work Directive into national law.

The consultation runs from 8 July to 28 August 2026.

A tripartite working group with representatives from government ministries, employer organisations, trade unions and occupational safety authorities prepared the draft act. The group did not reach a unanimous position.

The proposed act would introduce a legal presumption of an employment relationship for people working through digital labour platforms.

Its purpose is to make it easier to determine whether platform workers are employees or self-employed by shifting the burden of proof from the worker to the platform company.

The proposal also includes measures to increase transparency in algorithmic management, including automated decision-making and monitoring systems.

It would strengthen the protection of platform workers’ personal data and require the impact of automated systems to be considered when safeguarding workers’ health and safety.

Occupational safety and health authorities would be able to impose fines on platform companies and intermediaries that breach the rules. The draft also includes a prohibition on reprisals.

Additional national rules would require platform companies to verify workers’ identities and take reasonable steps to ensure contractual terms are appropriate.

The act is intended to enter into force on 2 December 2026 and would apply to platform work carried out in Finland, regardless of where the digital labour platform is established.

Why does it matter?

Finland’s proposal shows how the EU member states are beginning to turn the Platform Work Directive into national rules. The draft addresses two central issues in the gig economy: employment status and algorithmic management. By shifting the burden of proof to platform companies and increasing transparency around automated decision-making, the proposal could give workers stronger protections while forcing platforms to document how their systems manage work, data and safety.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!