regulation

From Innovation to Regulation: How Internal Audit Must Respond to the EU AI Act

The EU AI Act, a global standard for AI regulation, requires organizations worldwide to address AI risks through governance, controls, and accountability. Internal auditors must adapt to this shift, auditing AI governance, risk classification, data quality, human oversight, and third-party AI risk to ensure compliance.

https://www.wolterskluwer.com/en/expert-insights/innovation-regulation-how-internal-audit-must-respond-eu-ai-act

Breaking Down NIS2: the Five Main Requirements of the Updated NIS Directive

NIS2, an update of the EU's cyber security framework, aims to enhance resilience against evolving threats across more sectors, covering essential and important entities. It introduces five key compliance requirements: risk management, incident reporting, cyber security practices, third-party risk management, and workforce security training. NIS2 is an ongoing process, not a one-time compliance task. The directive sets a baseline for accountability and resilience in cyber security across the EU.

https://www.financierworldwide.com/breaking-down-nis2-the-five-main-requirements-of-the-updated-nis-directive

Protecting the ICT Supply Chain: a Step-By-Step Guide to the New EU Security Framework

The European Commission proposed a new cybersecurity package, including a revised Cybersecurity Act (CSA2) and amendments to NIS2, to strengthen the EU’s cybersecurity resilience. The CSA2 introduces a five-step mechanism to address non-technical risks in the ICT supply chain, potentially prohibiting NIS2 organizations from using ICT equipment from high-risk suppliers, particularly those from countries posing cybersecurity concerns. This framework aims to protect the EU’s ICT supply chain, with potential implications for connectivity and space operators.

https://accesspartnership.com/opinion/protecting-the-ict-supply-chain-a-step-by-step-guide-to-the-new-eu-security-framework/

The Data Visibility Crisis IT Teams Aren’t Talking About

IT teams face a data visibility crisis, struggling to track data across multi-cloud environments. A Veeam survey shows nearly 60% report reduced visibility due to expanding SaaS and cloud usage. This gap can lead to compliance issues, as seen with TikTok's €530 million fine. Data escapes view through various channels, complicating management. Existing tools in platforms like Microsoft 365 and Google Workspace can aid in data discovery, but more advanced tools may be needed for regulated industries. Building visibility processes into onboarding and offboarding is essential for maintaining oversight, ultimately improving incident response and compliance readiness.

https://www.spiceworks.com/security/the-data-visibility-crisis-it-teams-arent-talking-about/

NIS2: Supply Chains as a Risk Factor

NIS2 increases supply chain security requirements, emphasizing external IT risks. Companies must integrate these risks into their security strategies, transforming dependencies into management responsibilities. Effective control of supply chains involves identifying critical partners, setting security standards, and continuous risk monitoring. CISOs' roles expand to include risk communication and holistic management. Compliance under NIS2 goes beyond paperwork, demanding real security measures and transparent assessments, ultimately enhancing operational stability and turning supply chains into strategic assets.

https://www.csoonline.com/article/4128381/nis2-supply-chains-as-a-risk-factor.html

The Expanding Role of Security, Governance and Risk

2026 mandates stronger security, governance, and risk (SGR) measures as regulators enforce compliance, particularly in AI and data privacy across global frameworks. Organizations must transition from mere compliance to building robust, audit-ready systems that demonstrate resilience. Key priorities include unifying SGR initiatives, integrating incident reporting, preparing for AI governance, and maintaining cross-border data integrity. Effective SGR strategies will enhance market access and organizational credibility, establishing SGR as a crucial driver of business success.

https://www.ibm.com/think/insights/expanding-role-security-governance-risk

The Case for a Ransom Payment Ban and When It Might Happen

Jen Ellis, co-chair of the Ransomware Task Force, predicts a partial ransom payment ban in Britain. While not a perfect solution, it addresses the ethical concerns of funding cybercrime. The ban will likely follow the implementation of the revamped Cyber Action Plan and the Cyber Security and Resilience Bill.

https://www.bankinfosecurity.com/interviews/case-for-ransom-payment-ban-when-might-happen-i-5520

Why Data Privacy Impact Assessments Must Be a Backbone of Any Effective Privacy Program

Data Privacy Impact Assessments (DPIAs) are essential for identifying and mitigating privacy risks before new data processing activities begin. While initially a European concept, DPIAs are now mandated by several U.S. states, with California leading the way through its risk-based model. This model requires assessments for high-risk processing activities, such as selling personal information or using automated decision-making, and emphasizes transparency and accountability.

https://www.jdsupra.com/legalnews/why-data-privacy-impact-assessments-9691846/

European Commission Proposes Revised Cybersecurity Act to Boost EU Cyber Resilience, Secure ICT Supply Chains

The EU has proposed a revised Cybersecurity Act to enhance resilience and secure ICT supply chains. The Act introduces simpler certification, supports compliance, fortifies ENISA, and targets risks from third-country suppliers. Key amendments to the NIS2 Directive provide legal clarity and facilitate compliance for businesses. A new horizontal framework for ICT supply chain security addresses strategic risks and vulnerabilities. ENISA's role in cybersecurity response and workforce development is strengthened. Overall, the initiative aims to improve security and trust in the EU's critical infrastructure.

https://industrialcyber.co/regulation-standards-and-compliance/european-commission-proposes-revised-cybersecurity-act-to-boost-eu-cyber-resilience-secure-ict-supply-chains/

European States Spin Wheels on Cybersecurity Directive

The Network and Information Security 2 Directive (NIS2), intended to enhance cybersecurity across the EU, faces delays in implementation. While some countries have fully transposed the directive, others, including France and Ireland, have yet to do so. This inconsistency creates uncertainty for businesses operating across borders and raises concerns about Europe’s cybersecurity posture.

https://www.bankinfosecurity.com/european-states-spin-wheels-on-cybersecurity-directive-a-30542