ECB urges banks to prepare for AI cyber threats

The European Central Bank has called on major euro area banks to prepare action plans to address AI-enabled cybersecurity threats.

In a letter to bank CEOs, ECB Banking Supervision said emerging AI models can identify software vulnerabilities and generate functioning exploits at unprecedented speed.

The ECB warned that AI is compressing the time between vulnerability discovery and exploitation, with potentially serious implications for the confidentiality, integrity and resilience of banks’ ICT systems.

The central bank said the change is a long-term shift in the threat landscape, not a temporary risk linked to a single tool.

Banks have been asked to submit action plans to their Joint Supervisory Teams by 31 October 2026.

The plans should set out concrete measures, resources, roles, responsibilities and implementation timelines for strengthening cyber resilience.

Short-term priorities include faster vulnerability and patch management, stronger monitoring and detection, AI-enabled defensive capabilities and updated third-party risk management.

The ECB also called for structural measures such as defence-in-depth, improved cyber hygiene, infrastructure modernisation, crisis management, recovery arrangements and information-sharing.

The letter follows a European Systemic Risk Board warning about systemic cyber risks posed by frontier AI models.

ECB Banking Supervision also said it will address cybersecurity risks linked to quantum computing in a separate letter.

Why does it matter?

The ECB letter turns AI-enabled cyber risk into a concrete supervisory issue for major euro area banks. If AI accelerates vulnerability discovery and exploit generation, banks will face shorter windows for patching, detection and response. The focus on third-party providers and supply chains is also important because financial institutions depend heavily on external ICT services. The ECB’s approach links AI cyber threats with DORA-style operational resilience, showing that advanced AI is now part of mainstream financial supervision.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Viber brings ChatGPT into its messaging app

Rakuten Viber has launched ChatGPT-powered tools inside its messaging app through a new partnership with OpenAI.

The integration allows users to ask questions in a dedicated ChatGPT chat or tab, mention @ChatGPT in supported private and group chats, summarise conversations and shared links, polish draft messages, translate messages and remix images.

Viber said most tools are available after users update the app, without requiring ChatGPT registration.

Image Remix requires users to log in to ChatGPT within Viber or create a free account. OpenAI says availability may vary by region, app version, account and chat type.

The privacy model depends on the feature used. Viber says its core messaging features remain protected by end-to-end encryption, while ChatGPT-powered tools are activated only when users choose to use them.

When a ChatGPT-powered feature is used, Viber sends OpenAI the information needed to process that request. Depending on the feature, that may include selected messages, drafts, images, prompts, link content, messages that mention @ChatGPT, timestamps, approximate location and a Viber-generated hashed user ID.

OpenAI says data sent from ChatGPT-powered features in Viber personal and group chats is not used to train its models, except for conversations in the ChatGPT tab.

If a user connects a ChatGPT account, activity may be associated with that account and handled under OpenAI’s standard retention and data settings.

Why does it matter?

The launch brings generative AI into everyday messaging, moving ChatGPT from a separate assistant into conversations, links, drafts, translations and images. That makes AI tools more accessible, but also creates a more complex privacy model. Users need to understand when messages remain inside an end-to-end encrypted chat and when selected content is sent to OpenAI for processing. For messaging platforms, the key governance challenge is adding useful AI features while preserving user control, clear consent and transparent data handling.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Finland opens consultation on platform work legislation implementing EU rules

Finland’s Ministry of Economic Affairs and Employment has opened a public consultation on a draft Platform Work Act that would transpose the EU Platform Work Directive into national law.

The consultation runs from 8 July to 28 August 2026.

A tripartite working group with representatives from government ministries, employer organisations, trade unions and occupational safety authorities prepared the draft act. The group did not reach a unanimous position.

The proposed act would introduce a legal presumption of an employment relationship for people working through digital labour platforms.

Its purpose is to make it easier to determine whether platform workers are employees or self-employed by shifting the burden of proof from the worker to the platform company.

The proposal also includes measures to increase transparency in algorithmic management, including automated decision-making and monitoring systems.

It would strengthen the protection of platform workers’ personal data and require the impact of automated systems to be considered when safeguarding workers’ health and safety.

Occupational safety and health authorities would be able to impose fines on platform companies and intermediaries that breach the rules. The draft also includes a prohibition on reprisals.

Additional national rules would require platform companies to verify workers’ identities and take reasonable steps to ensure contractual terms are appropriate.

The act is intended to enter into force on 2 December 2026 and would apply to platform work carried out in Finland, regardless of where the digital labour platform is established.

Why does it matter?

Finland’s proposal shows how the EU member states are beginning to turn the Platform Work Directive into national rules. The draft addresses two central issues in the gig economy: employment status and algorithmic management. By shifting the burden of proof to platform companies and increasing transparency around automated decision-making, the proposal could give workers stronger protections while forcing platforms to document how their systems manage work, data and safety.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UN AI dialogue urges human rights to become the foundation of AI governance

Human rights must move from the margins to the centre of AI governance if societies are to harness AI without undermining democracy, equality and public trust, speakers argued during the fourth thematic discussion of the UN Global Dialogue on AI Governance.

Bringing together governments, UN agencies, civil society, academia and industry, the session examined how AI systems can better respect human rights through stronger transparency, accountability and human oversight. Participants agreed that AI governance should be grounded in international human rights law throughout the entire AI lifecycle, from design and development to deployment and oversight.

AI deserves the same safeguards as medicines

UN High Commissioner for Human Rights Volker Türk opened the discussion by comparing AI regulation to the approval process for new medicines. Drugs undergo years of testing before reaching patients, he noted, yet AI systems are being deployed at unprecedented speed despite already contributing to mass surveillance, online disinformation, discrimination and growing risks to children.

Türk rejected the notion that regulation inevitably slows innovation, arguing instead that robust safeguards enable societies to trust new technologies. International human rights law, he said, already provides a binding framework for addressing issues such as privacy, equality, non-discrimination and access to justice, and should guide AI governance rather than being treated as an afterthought.

He also stressed that human oversight must be meaningful rather than symbolic, with clearly identified individuals empowered to intervene or halt AI systems when necessary. Summarising his vision for responsible innovation, Türk contrasted the technology industry’s pursuit of ‘bigger, faster, better’ with what he described as a more appropriate goal: ‘smarter, kinder, wiser.’

Women and children bear disproportionate AI risks

The first panel focused on how AI is amplifying existing inequalities, particularly for women, children and other vulnerable groups.

UN Women Executive Director Sima Bahous presented evidence showing that 44% of assessed AI systems exhibit gender bias, while up to 99% of online sexual deepfakes target women. She also noted that women remain significantly underrepresented in AI development, with only a minority of national AI strategies explicitly addressing gender equality.

Bahous argued that governments remain the primary duty bearers under international human rights law and called for mandatory human rights impact assessments before and after AI deployment, alongside the meaningful participation of women, indigenous communities, disability advocates and civil society in AI governance.

Sonia Livingstone, a member of the Independent International Scientific Panel on AI, highlighted growing evidence that AI-generated child sexual abuse material is increasing rapidly and warned that many AI companion systems currently fail basic child safety standards. Rather than excluding young people from digital technologies, she argued, policymakers should ensure that children’s rights to participation, education and expression remain protected while embedding safeguards into AI systems from the outset.

Agentic AI raises new accountability challenges

Speakers also warned that increasingly autonomous AI systems are exposing significant legal and governance gaps.

Morocco’s Minister Delegate Amal El Fallah Seghrouchni described agentic AI as one of the most important governance challenges of the coming decade. As AI systems increasingly rely on networks of autonomous agents making decisions without direct human instruction, identifying responsibility when something goes wrong becomes considerably more difficult.

She proposed several practical measures, including documenting the actions of AI agents throughout decision-making processes, ensuring that a clearly identifiable human remains responsible for AI-enabled public services, and guaranteeing timely avenues for redress when individuals are harmed.

Samuel Arias Arzeno, Judge of the Supreme Court of the Dominican Republic, similarly argued that governance only becomes meaningful when someone believes an AI system has violated their rights and seeks justice. Courts, he said, must remain central institutions for ensuring that AI-assisted decisions remain subject to human accountability.

Rights protections should not depend on geography

A recurring concern throughout the discussion was that meaningful human rights protections are often applied unevenly across different regions.

Digital Rights Foundation founder Nighat Dad argued that robust human rights due diligence is largely conducted only where legislation requires it, particularly in Europe, while identical AI systems may be deployed elsewhere without comparable safeguards. She described this as a structural choice rather than a capacity gap, creating what she called a ‘two-tier’ human rights regime.

Dad called for mandatory gender and child rights impact assessments before deployment, consistent due diligence obligations across all markets where AI systems operate, and repeated assessments whenever AI capabilities change significantly.

Alvitta Ottley, also a member of the Independent Scientific Panel on AI, highlighted what she described as an ‘evaluation mismatch’. Current AI assessments often measure technical performance such as speed and accuracy, she explained, while policymakers and societies are instead asking whether AI protects human rights, strengthens accountability and improves people’s lives. Closing this evidence gap will require interdisciplinary research and much stronger evaluation of AI’s long-term societal impacts.

UN Assistant Secretary-General for Youth Affairs Felipe Paullier added that young people remain among AI’s most active users and innovators, yet rarely participate in decisions shaping the technology’s future. He urged governments to create meaningful opportunities for youth participation within national AI governance frameworks.

Global South voices call for more inclusive governance

Audience interventions reinforced the need for AI governance that is genuinely inclusive rather than shaped primarily by a handful of countries and companies.

Brazil highlighted its Digital Statute for Children and Adolescents, which requires child protection measures to be incorporated from the design stage and restricts platform features that encourage excessive use. Poland pointed to the Council of Europe Framework Convention on AI as an important legally binding instrument placing AI within the broader framework of human rights, democracy and the rule of law, while the Republic of Korea presented its AI Basic Act, which requires human rights assessments for high-impact AI systems.

Civil society organisations called for stronger global action. Access Now urged governments to establish binding human rights safeguards and prohibit AI applications that pose unacceptable risks, while the Association for Progressive Communications argued that communities should be viewed as ‘the first mile, not the last mile’ of AI governance, emphasising that meaningful connectivity and local participation remain prerequisites for equitable AI development.

In the closing discussion, co-chair Linda Bonyo highlighted another overlooked barrier to inclusive governance: many Global South experts remain unable to participate in international discussions because of restrictive visa processes, illustrating that exclusion from AI governance can begin long before negotiations start.

Closing the session, Spain’s Minister for Digital Transformation and Public Service Óscar López Águeda acknowledged that governments are already behind the pace of technological change but insisted the direction ahead is clear. AI governance, he argued, is ultimately about defending democracy, human dignity and human agency, ensuring that AI helps societies become better rather than simply more technologically advanced.

Track all key moments from the Global Dialogue on AI Governance inaugural meeting on our dedicated page.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Europol denies bypassing EU data protection rules

Europol has rejected allegations that it operated a ‘secret’ or ‘shadow’ database outside the EU data protection rules.

In a new fact-check, the agency said recent reports misrepresented two long-established operational environments used to support digital investigations and online information analysis.

Europol said its Computer Forensic Network is used to analyse complex digital evidence securely in support of criminal investigations.

It also said the Internet-Facing Operational Environment is used to collect and triage publicly available online information before relevant material is transferred to Europol’s operational systems in accordance with applicable legal requirements.

The agency said neither environment was created to bypass oversight or data protection obligations.

Europol also published a timeline showing that both systems have existed for many years and have evolved alongside changes to its legal framework, governance and supervisory arrangements.

The agency said it has worked with the European Data Protection Supervisor on governance improvements, technical modernisation and safeguards, including after regulatory changes introduced in 2022.

Europol said public debate on law enforcement and privacy should be based on accurate descriptions of operational systems and their oversight.

Why does it matter?

The dispute highlights the tension between law enforcement’s need to process large volumes of digital evidence and the privacy safeguards required under the EU law. Europol’s response is important because operational data systems used in cybercrime, terrorism and serious organised crime investigations can affect fundamental rights if oversight, retention and access rules are unclear. The case also shows why transparency about investigative infrastructure matters for public trust, especially as law enforcement agencies modernise their data-processing capabilities.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Portugal presents AMALIA as open European Portuguese language model

Portugal has presented AMALIA, its first open language model developed in European Portuguese, as part of a wider effort to strengthen national AI capacity and modernise the public sector.

Prime Minister Luís Montenegro said the project shows Portugal’s ability to develop advanced technology and contribute to Europe’s strategic autonomy.

AMALIA, short for Automatic Artificial Intelligence Multimodal Language Assistant, was developed by a consortium of Portuguese universities and research centres.

The project received an initial €5.5 million through Portugal’s Recovery and Resilience Facility, with a further €1.5 million planned for a new development phase in 2027.

Available as open code, AMALIA is intended to allow public administration bodies, companies, universities and research centres to develop their own applications.

The government says the model can support customer service, administrative process automation, knowledge management and decision-making across public services.

The AMALIA website says the project is designed to promote European Portuguese, preserve Portuguese cultural representation and support data sovereignty by enabling AI use in public administration without sensitive data leaving national territory.

The model is also expected to support use cases in education, culture and museums, media and science.

Why does it matter?

AMALIA addresses a gap in AI language infrastructure by focusing specifically on European Portuguese, a language variety often underrepresented or conflated with Brazilian Portuguese in multilingual AI systems. Open access also matters because it allows public bodies, universities and companies to adapt the model rather than relying only on closed commercial tools. The project fits a broader European debate on AI sovereignty, where governments are seeking domestic or regional capabilities in language models, data governance and public-sector AI infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Australia records highest data breach notifications since 2018

Australia recorded its highest annual number of data breach notifications in 2025 since mandatory reporting began in 2018, according to the Office of the Australian Information Commissioner.

The regulator received 1,205 notifications under the Notifiable Data Breaches scheme in 2025, an 8% increase from 1,112 in 2024.

Organisations covered by the Privacy Act must notify the OAIC of data breaches that are likely to result in serious harm to affected individuals.

Malicious or criminal activity remained the leading cause of reported breaches, accounting for 716 notifications. Cyber hacking continued to be the main cause of reported incidents.

Health service providers were the most affected sector, reporting 225 breaches, or 19% of the annual total. Financial services, Australian government agencies, business and professional associations, education providers and legal, accounting and management services were also among the most affected sectors.

The OAIC has released a new quick reference guide to help organisations assess potential breaches, decide whether notification is required and understand how to report incidents.

Privacy Commissioner of Australia, Carly Kind, said the threat posed by data breaches to Australian businesses and organisations is substantial and rising year on year.

The regulator’s latest privacy attitudes survey also found that data breaches remain the top privacy concern for Australians, with 82% expressing concern, up from 74% in 2023.

Why does it matter?

Rising breach notifications show that data protection is becoming a persistent operational and regulatory challenge for Australian organisations. The dominance of malicious activity and cyber hacking links privacy compliance directly to cybersecurity preparedness, especially in sensitive sectors such as health. OAIC’s new guide also signals a push towards faster, clearer breach assessment and notification, which matters for affected individuals as well as regulated entities.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Stronger health data governance seen as key to trusted AI and digital health at WSIS Forum 2026

Strong legislative frameworks for health data governance are becoming essential to ensure that AI and digital health technologies remain trustworthy, equitable and rights-based, speakers said during a session at the WSIS Forum 2026.

The discussion brought together representatives from governments, international organisations, civil society and the private sector, who agreed that while AI and digital technologies are transforming healthcare, governance frameworks have not always kept pace. Speakers repeatedly argued that stronger legislation, greater international coordination and broader stakeholder participation will be necessary to build public trust and enable responsible data sharing across borders.

The session formed part of the WSIS Forum 2026, held in Geneva from 6 to 10 July. Co-organised by the International Telecommunication Union (ITU), UNESCO, UNDP and UNCTAD together with more than 50 UN organisations, the forum serves as one of the UN’s principal multistakeholder platforms for digital cooperation and sustainable development.

Trust begins with governance

Opening the discussion, Mathilde Forslund of Transform Health argued that health data has become the foundation of modern healthcare, powering everything from patient care and disease surveillance to AI innovation and health system planning.

However, she stressed that technological progress alone is insufficient.

‘Digital technologies and AI are transforming health systems rapidly, but these benefits will only be realised equitably and responsibly if governance keeps pace and public trust is maintained,’ she said.

Forslund argued that trusted governance requires legislation grounded in human rights, transparency and equity, alongside inclusive decision-making that informs citizens how their health data is collected, shared and protected. She also called for stronger national legal frameworks governing both health data and AI while encouraging greater regional and international alignment to prevent fragmented rules from undermining interoperability and cross-border cooperation.

Rather than starting from scratch, she noted that countries can already build on existing resources, including Transform Health’s Health Data Governance Principles, WHO guidance on AI, OECD recommendations and emerging regional initiatives such as the European Health Data Space (EHDS) and the Africa CDC’s work on continental health data governance.

National legislation provides legal certainty

Drawing on Zambia’s experience, Andrew Kashoka, Director of Information Technology at the Ministry of Health of Zambia, explained that governments increasingly recognise the need for legal certainty as digital health systems expand.

He argued that while policies and strategies provide direction, legislation ultimately establishes enforceable rights and obligations governing consent, privacy, accountability and access to health data.

‘Technology moves faster than policy and policy moves faster than legislation,’ Kashoka observed.

He described Zambia’s National Digital Health Strategy and the country’s participation in the WHO Global Initiative on Digital Health (GUIDE), noting that electronic health records, digital public infrastructure and AI all require strong legal foundations to maintain public confidence.

Kashoka also highlighted the Africa CDC’s continental health data governance framework, saying it provides African countries with shared principles that support legal interoperability, trusted cross-border collaboration, regional disease surveillance and responsible AI innovation.

Coordination, not policy, remains the biggest challenge

Several speakers suggested that governance challenges stem less from the absence of policies than from fragmented implementation.

Linda Bonyo, Founder of the Lawyers Hub and the Africa AI Policy Lab, argued that numerous organisations are already developing health data and AI governance initiatives, but often work independently with limited coordination.

She criticised the exclusion of parliaments and judicial institutions from governance discussions, arguing that legislators and courts play essential roles in creating and interpreting legal frameworks.

Bonyo also called for stronger institutional capacity, particularly among national data protection authorities that increasingly find themselves overseeing AI without sufficient technical expertise or financial resources.

She further highlighted practical barriers limiting African participation in international governance discussions, including visa restrictions and the high cost of attending Geneva-based meetings.

Summarising the challenge, Bonyo remarked that the problem is ‘not a policy problem… it’s implementation,’ urging countries to develop governance frameworks rooted in local realities rather than simply adopting foreign regulatory models.

Private sector and technical standards also matter

Representing the technical and private-sector perspective, Simão Ferraz de Campos Neto, Senior Counsellor at the International Telecommunication Union (ITU), argued that clearer rules and common technical standards are essential if health data is to be shared safely without discouraging innovation.

He noted that organisations frequently hesitate to share data not because they oppose collaboration, but because legal uncertainty creates concerns about liability.

Campos Neto called for interoperable technical standards, machine-readable datasets and standardised data-sharing agreements that could make trusted health data exchange significantly easier.

He also cautioned against treating AI as a single technology requiring uniform regulation.

Instead, he advocated proportionate, risk-based regulation that reflects the diversity of AI applications, while avoiding excessive regulatory burdens that could slow innovation.

Momentum builds towards global action

Closing the discussion, Jamal Alshanfari, Ambassador and Head of Oman Health office in Geneva, pointed to growing political momentum following discussions at the World Health Assembly, where member states expressed broad support for developing stronger global health data governance arrangements.

He identified four priorities for the next phase of work. The phases are expanding international consensus, strengthening national legislation and institutional capacity, providing practical implementation guidance, and ensuring that governments, civil society, academia, industry and end users all participate in shaping future frameworks.

Alshanfari also reminded participants that governance discussions should ultimately focus on those most affected by digital health technologies.

‘Everybody forgets about the end user,’ he said, stressing that trust depends on governance frameworks serving citizens as much as institutions.

In her closing remarks, Forslund said the discussion demonstrated encouraging progress across national, regional and global initiatives, while acknowledging that implementation remains the greatest challenge. She pointed to the upcoming World Health Assembly as an important opportunity to advance work on a possible global resolution on health data governance.

The session concluded with broad agreement that trusted AI in healthcare will depend not only on technological innovation but also on stronger legislation, greater international coordination, practical implementation, and governance frameworks that place citizens’ rights and public trust at their centre.

Track all key moments from the WSIS Forum 2026 on our dedicated WSIS page.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

MEPs to debate EU AI cybersecurity strategy

Members of the European Parliament are set to question the European Commission on its latest AI and cybersecurity proposals, including a new AI cybersecurity strategy expected to be unveiled on 7 July.

According to the European Parliament’s plenary newsletter, the Commission’s action plan is expected to include measures to help EU member states and companies address AI-related cybersecurity risks.

The strategy is also expected to strengthen Europe’s AI cybersecurity capabilities as policymakers examine how AI is reshaping both cyber threats and cyber defence.

The debate follows the European Commission’s welcome of the G7 cybersecurity declaration on strengthening global cyber resilience. Parliament is also considering two legislative proposals collectively referred to as the ‘Cybersecurity Act 2‘.

The proposals are expected to address issues including the NIS2 framework, the role of the EU Agency for Cybersecurity (ENISA), the EU cybersecurity certification framework and ICT supply chain security.

The debate is scheduled for 7 July, as part of a European Commission statement followed by parliamentary scrutiny.

Why does it matter?

The debate shows that AI-related cybersecurity risks are becoming part of the EU’s broader cyber resilience agenda. By linking AI policy with NIS2, ENISA, certification and supply chain security, the EU is preparing to treat AI not only as an innovation priority but also as a cybersecurity concern.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Hong Kong launches AI privacy sandbox for schools

Hong Kong’s Office of the Privacy Commissioner for Personal Data and the Digital Policy Office have launched an AI privacy sandbox to support responsible AI adoption in schools.

The Safeguarding Personal Data AI Sandbox will provide a collaborative platform for schools exploring AI solutions while managing the risks to personal data protection.

The first phase will run for six months and select 15 school applicants. It is open to publicly funded primary and secondary schools, with applications accepted until 30 October 2026.

Selected schools will receive guidance from the Privacy Commissioner’s office on compliance with the Personal Data (Privacy) Ordinance.

They will also receive support from the Digital Policy Office on Hong Kong’s Generative Artificial Intelligence Technical and Application Guideline.

Cyberport, Hong Kong, and the Hong Kong Productivity Council will provide technical advice.

A briefing session for interested schools is scheduled for 28 August 2026.

Why does it matter?

Schools are increasingly exploring AI tools, but their use of student data creates specific privacy, safety and governance risks. Hong Kong’s sandbox offers a practical way to test AI adoption in education while giving schools regulatory and technical support. The initiative also shows how governments can move beyond broad AI principles by creating sector-specific support mechanisms for institutions that may lack in-house expertise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!