Mozilla Firefox, Thunderbird Vulnerabilities (CVSS 8.8)
CERT-Bund has issued an advisory regarding multiple vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird, with a CVSS Base Score of 8.8. The advisory has been updated multiple times to include specific product versions and affected operating systems.
FreeRDP Vulnerabilities - Remote Code Execution
CERT-Bund has issued an advisory for multiple vulnerabilities in FreeRDP, a Remote Desktop Protocol implementation. The vulnerabilities have a CVSS base score of 8.8 and allow for remote code execution, denial-of-service, and information disclosure.
CPython Vulnerabilities Allow Remote Code Execution
The German Federal Office for Information Security (BSI) has issued a security advisory regarding multiple vulnerabilities in CPython, with a CVSS base score of 7.7. These vulnerabilities allow remote attackers to manipulate files or execute arbitrary code on affected systems.
Vim Vulnerability Allows Code Execution (CVSS 6.6)
The German National Cybersecurity Agency (BSI) has issued a security advisory for a vulnerability in the Vim text editor. The vulnerability, with a CVSS score of 6.6, allows local attackers to execute arbitrary code. Mitigation is available.
Microsoft ASP.NET/.NET Vulnerabilities Advisory
This advisory updates information on multiple vulnerabilities in Microsoft ASP.NET and .NET, with a CVSS Base Score of 7.8. The update includes affected products on Ubuntu, Oracle, and Red Hat Linux, in addition to previously listed Microsoft ASP.NET Core and .NET versions.
CISA Adds Two Exploited Vulnerabilities to KEV Catalog
CISA has added two new vulnerabilities, CVE-2026-3909 and CVE-2026-3910, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities per Binding Operational Directive (BOD) 22-01.
Privacy Commissioner Warns of Construction Worker Recruitment Fraud
The Hong Kong Privacy Commissioner's Office issued a warning regarding fraudulent recruitment advertisements targeting construction workers. The office received 42 complaints in two weeks involving scams that requested sensitive personal data, including construction site "Three Essentials." The PCPD urges vigilance and provides guidance on safeguarding personal data during job applications.
Privacy Commissioner Reports 2025 Work and Data Security Incidents
The Office of the Privacy Commissioner for Personal Data (PCPD) reported on its 2025 activities, including a 23% increase in complaints and a 21% rise in data breach notifications. The PCPD also intervened in three data security incidents and conducted 435 compliance checks.
AI Security and Cybersecurity Summit for Enterprises Registration Open
The Office of the Privacy Commissioner for Personal Data (PCPD) and HKIRC are co-organising an AI Security and Cybersecurity Summit for Enterprises on March 31, 2026. Registration is now open for organizations to address AI security and cybersecurity risks. The event aims to raise awareness and readiness among businesses, including SMEs.
Global Privacy Authorities Joint Statement on AI-Generated Imagery
The Office of the Privacy Commissioner for Personal Data (PCPD) and 60 other global privacy authorities have issued a joint statement expressing concern over AI-generated imagery and its potential for harm. The statement urges organizations to develop and use AI content generation systems lawfully, with specific measures to protect data subjects, particularly children.
Hong Kong PCPD Arrests Two for Suspected Doxxing
The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) arrested two men for suspected doxxing and disclosure of personal data without consent, in contravention of the Personal Data (Privacy) Ordinance. The arrests stem from a monetary dispute where personal data and family photos were posted online.
AI Chatbots Provide Biased Voting Advice, Ignoring Local Parties
The Dutch Data Protection Authority (AP) released a study showing AI chatbots rarely recommend local political parties when providing voting advice. The AP warns that this bias makes chatbots unreliable voting aids and calls on providers to implement measures to prevent their systems from being used for voting advice, especially in light of the EU AI Act.
Critical Cisco Secure Firewall Management Center Vulnerabilities Addressed
Cisco has released security updates for critical vulnerabilities (CVSS 10.0) in its Secure Firewall Management Center software. Users of affected on-premises versions are advised to update immediately to prevent root access and arbitrary code execution.
Microsoft Security Patches for Critical Vulnerabilities
The Cyber Security Agency of Singapore (CSA) has issued an alert regarding Microsoft's release of security patches for critical vulnerabilities in its software. These patches address multiple security flaws, some with a base score of 9.8, requiring immediate attention from users and organizations.
HPE Patches Critical Aruba Networking AOS-CX Vulnerabilities
Hewlett Packard Enterprise (HPE) has released patches for critical vulnerabilities in its Aruba Networking AOS-CX operating system. The most severe flaw (CVE-2026-23813) allows unauthenticated remote attackers to reset administrator passwords. Users are urged to update immediately.
Fortinet Vulnerabilities Require Immediate Updates
The Cyber Security Agency of Singapore (CSA) has issued an alert regarding high-severity vulnerabilities in multiple Fortinet enterprise products. Users are strongly advised to update affected systems immediately to mitigate risks of unauthorized code execution, authentication bypass, and privilege escalation.
Data Breach Decision Highlights Security Lapses
The Singapore Personal Data Protection Commission (PDPC) issued a decision regarding a data breach affecting 665,000 individuals due to system misconfiguration. The case highlights lapses in security practices and emphasizes the need for robust technical and governance measures.
PDPC Publishes Four Undertakings on Ransomware and Unauthorized Access
Singapore's Personal Data Protection Commission (PDPC) has published four undertakings from organizations that experienced ransomware attacks and unauthorized access. These undertakings detail remediation measures to strengthen cybersecurity defenses and data protection practices.
Data Protection Breaches Result in Financial Penalties
Singapore's Personal Data Protection Commission issued financial penalties to four organizations for data protection breaches affecting over 1 million individuals. These breaches stemmed from inadequate security measures, including poor patch management and lack of data protection policies. An additional organization committed to an undertaking following a ransomware attack.
PDPC Steps Up NRIC Misuse Enforcement and Issues New Advisory
The Singapore Personal Data Protection Commission (PDPC) is stepping up enforcement against private organizations misusing NRIC numbers for authentication starting January 1, 2027. New advisories are also being issued to guide organizations on data protection lapses and recommend more secure authentication methods.
Ransomware Incident Data Breach and Security Lapses
Singapore's Personal Data Protection Commission issued a decision regarding a ransomware incident affecting 39,000 individuals' data due to security lapses. Three separate undertakings were also accepted for similar incidents. The Commission directed the organization to strengthen its security posture and highlighted key takeaways for all organizations to prevent future breaches.
Privacy Commissioner Statement on Bunnings Facial Recognition Decision
The Australian Privacy Commissioner has issued a statement regarding the Administrative Review Tribunal's decision on Bunnings' use of facial recognition technology. The statement clarifies that while the Tribunal allowed Bunnings to use the technology for specific crime prevention purposes, significant privacy safeguards and notification requirements remain crucial.
Cambridge Analytica Payment Program Registration Deadline
Eligible Australian Facebook users impacted by the Cambridge Analytica matter must register for a payment program by December 31, 2025. The program, established by Meta Platforms as part of an enforceable undertaking with the Australian Information Commissioner, offers payments to over 300,000 affected individuals.
OAIC Highlights Improved Transparency in Government Automated Decision-Making
The Australian Information Commissioner (OAIC) has released a report highlighting opportunities for government agencies to improve transparency in automated decision-making (ADM). The report follows a review of 23 agencies and identifies a significant gap in public disclosure of ADM use, with only 17% of agencies disclosing it.
OAIC Statement on Bunnings Facial Recognition Technology Decision
The Australian Information Commissioner (OAIC) issued a statement regarding the Administrative Review Tribunal's decision on Bunnings' use of facial recognition technology (FRT). The Tribunal affirmed findings that Bunnings contravened privacy principles by failing to provide adequate notice and conduct a formal risk assessment for its FRT system.
Hungarian Data Protection Authority Launches Freedom of Information Development Project
The Hungarian National Authority for Data Protection and Freedom of Information has launched a development project funded by an EU grant to enhance the enforcement of freedom of information. The project aims to investigate current practices, identify obstacles, and develop proposals for optimisation.
Publication Obligation for Public Data Registry and Transparency Procedure
Hungary's National Authority for Data Protection and Freedom of Information has issued a notice regarding a new publication obligation for budgetary organs. All budgetary organs, except national security services, must publish financial management data bi-monthly on a new online platform, with potential fines for non-compliance.
NAIH launches AWARE project for GDPR awareness
The National Authority for Data Protection and Freedom of Information (NAIH) has launched the EU-funded AWARE project to increase GDPR awareness among micro and small enterprises, particularly in the beauty and private healthcare sectors. The project will run from 2025 to 2027 and includes research, an information website, webinars, and training.
Hungary Ratifies Council of Europe Convention 108+
Hungary has become the 30th party to ratify the Council of Europe's Convention 108+, an international treaty concerning data protection. This action signifies Hungary's commitment to aligning its data protection laws with international standards.
Hungarian Information Rights System 30th Anniversary Celebration
The Hungarian data protection authority celebrated the 30th anniversary of the country's information rights system with an international conference on September 17, 2025. The event reviewed past achievements, challenges, and future tasks in data protection and freedom of information.
Real Estate Agency Fined EUR 100,000 for GDPR Violations
The Croatian Personal Data Protection Agency has imposed a EUR 100,000 fine on a real estate agency for processing personal data in violation of the General Data Protection Regulation. This action highlights the agency's commitment to enforcing data protection laws.
Real Estate Agency Fined for GDPR Violations
The Croatian Personal Data Protection Agency has fined a real estate agency EUR 100,000.00 for processing personal data in violation of the General Data Protection Regulation (GDPR). The agency acted as a controller in this case.
Real Estate Agency Fined 100,000 EUR
The Croatian Personal Data Protection Agency (AZOP) has fined a real estate agency 100,000 EUR for violations related to data protection. The agency also announced a conference on Data Protection in AI Systems.
Real Estate Agency Fined EUR 100,000 for GDPR Violations
The Croatian Personal Data Protection Agency has fined a real estate agency EUR 100,000 for violating GDPR provisions. The agency acted as a controller and processed data contrary to the regulation.
Croatian Data Protection Agency Fines Real Estate Agency
The Croatian Personal Data Protection Agency has imposed a EUR 100,000 fine on a real estate agency for processing personal data in violation of the GDPR. The agency acted as a data controller and processed data contrary to the regulation's provisions.
DSB Circular on Freedom of Information Act
The Austrian Data Protection Authority (DSB) issued a supplementary circular on December 12, 2025, regarding the Freedom of Information Act. This circular clarifies a previous communication, adjusting a reporting deadline for data submissions.
Data Protection Authority Joint Database Launched
The Austrian Data Protection Authority and the Parliamentary Committee for Data Protection (PDK) have launched a joint database for their decisions within the legal information system (RIS). This new application, named 'Datenschutz-Aufsichtsbehörden', aims to streamline access to data protection rulings.
Irish and Austrian Data Protection Authorities Meeting
The Austrian Data Protection Authority hosted officials from the Irish Data Protection Commission for a meeting on January 13, 2026. The meeting aimed to discuss matters of mutual interest and further strengthen the close cooperation between the two regulatory bodies, particularly concerning cross-border data protection cases.
Data Protection Authority 2026 Focus Audits on Processing Security
The Austrian Data Protection Authority (DSB) announced its 2026 focus audits will target processing security under Article 32 GDPR. Procedures against selected controllers and processors are scheduled to begin in March 2026, with a second part announced in June 2026.
Data Protection Authorities of Slovakia and Austria Meet
Data protection authorities from Slovakia and Austria met on December 10, 2025, in Bratislava to discuss cooperation and upcoming regulatory changes, including GDPR amendments and new EU digital laws. This meeting follows previous bilateral and regional discussions.
Hellenic Data Protection Authority Holds Dialogue Day with Research Community
The Hellenic Data Protection Authority (HDPA) successfully held its "1st Dialogue Day with the Research Community" on October 1, 2025. The event focused on strengthening cooperation with academic and research institutions on data protection issues, including AI applications and privacy-friendly digital wallets.
byRisk Project Newsletter 2 Supports SMEs with Data Protection Risks
The Hellenic Data Protection Authority has released the second newsletter for the European byRisk project, which aims to support small and medium-sized enterprises (SMEs) in identifying and analyzing data protection risks. This issue details project progress, including risk categorization and the design of a new risk assessment tool.
Hellenic DPA byRisk Project: Data Protection for SMEs and Public Awareness
The Hellenic Data Protection Authority has launched the byRisk project, co-funded by the European Commission, to support SMEs in data protection risk assessment and raise public awareness. The project aims to develop tools for SMEs and the general public, with pilot operations expected by March 2026 and an international conference planned for October 2026.
Hellenic DPA Information Day 2026 on Data Protection and AI
The Hellenic Data Protection Authority (HDPA) held an Information Day on Data Protection Day 2026, discussing the GDPR, the proposed AI Act, and the HDPA's role. The event highlighted the need for effective implementation of regulations and adequate resources for the HDPA.
Seminar on Privacy Risks from Personal Data Processing
The Hellenic Data Protection Authority and the University of Piraeus are organizing an online seminar on privacy risks associated with personal data processing, particularly concerning Artificial Intelligence. The seminar is part of the byRisk project and is open to the general public.
CNPD AI Data Protection Training Session
The CNPD is offering a 4-hour in-person training session on Data Protection Basics: Artificial Intelligence. The session, held on April 7, 2026, aims to explain the challenges of AI in relation to data protection and the GDPR.
CNPD Workshop on DAAZ Diploma Ceremony
The CNPD is hosting a workshop and DAAZ diploma ceremony on April 29, 2026, in Luxembourg. The event aims to provide feedback on a previous workshop and recognize participants' achievements in the DAAZ tool.
CNPD AI Data Protection Training Session
The CNPD is offering a 4-hour in-person training session on Data Protection Basics: Artificial Intelligence. The training aims to help participants understand the challenges of AI concerning data protection and the GDPR, and is scheduled for May 5, 2026.
Data Protection Basics Training - RGPD Introduction
The CNPD (Luxembourg's data protection authority) is offering a 5-hour introductory training session on data protection basics and the RGPD. The training is aimed at individuals new to data protection and will be held in French on April 14, 2026, in Belval.
Data Protection Basics Training Session
The CNPD of Luxembourg is offering a free 'Data Protection Basics' training session in French on June 16, 2026. The 5-hour session is designed for individuals new to data protection and aims to explain the core principles of the RGPD. Registration is required via email.
National Supervisory Authority Fines Lenjeria Magică SRL for Data Processing Violation
The National Supervisory Authority for Personal Data Processing in Romania has fined Lenjeria Magică SRL 15,000 lei for violating data processing laws related to website cookies. The company stored non-essential cookies without explicit user consent, breaching provisions of Law no. 506/2004 and Regulation (EU) 2016/679.
Data Protection Authority Fines iHUNT TECHNOLOGY for Privacy Violations
The National Supervisory Authority for Personal Data Processing in Romania has fined S.C. iHUNT TECHNOLOGY IMPORT-EXPORT SA 20,000 lei for violating data protection laws regarding cookie consent. The investigation found that the company stored non-essential cookies without user consent.
GDPR Sanction for Roumasport S.R.L.
The National Supervisory Authority for Personal Data Processing in Romania has sanctioned Roumasport S.R.L. with a fine of 10,000 euros for violating GDPR provisions related to data security. The investigation followed a personal data security breach due to unauthorized access following cyberattacks.
CJEU Judgment: Online Marketplace Operator as Data Controller
The Court of Justice of the European Union ruled in Case C-492/23 that an online marketplace operator is a data controller under GDPR. The operator must identify and verify sensitive data in advertisements before publication and obtain explicit consent.
GDPR Sanction for Ordinul Asistenților Medicali Neamț
The National Supervisory Authority for Personal Data Processing in Romania sanctioned Ordinul Asistenților Medicali Generaliști, Moașelor și Asistenților Medicali din România – Filiala Neamț for GDPR violations. The entity received a fine of 2,000 euros and two reprimands for issues related to video surveillance and data subject information.
Garante Monitors 'Family in Woods' Case, Recalls Child Protection
The Italian Data Protection Authority (Garante) is monitoring the "family in woods" case and has issued a press release reminding media outlets of their obligations regarding child protection and data privacy. The Garante urges caution in disseminating information that could identify minors.
Garante Privacy Orders Amazon to Stop Worker Surveillance
The Italian Data Protection Authority (Garante privacy) has ordered Amazon Italia Logistica to immediately stop its worker surveillance system. The authority found that Amazon collected sensitive information on employees, including health conditions, union activities, and personal/family life, violating data protection regulations.
Italian Privacy Authority Fines Intesa Sanpaolo €17.6 Million
The Italian Privacy Authority has fined Intesa Sanpaolo €17.6 million for unlawfully processing the data of approximately 2.4 million customers. The fine stems from the transfer of customer data to its wholly-owned subsidiary, Isybank, as part of a corporate operation.
Italian DPA Newsletter: Aldilapp Fine, Camera Rules, Delegation Platform, AI Concerns
The Italian Data Protection Authority (Garante) issued a newsletter on March 9, 2026, detailing several key actions. It includes a fine against Aldilapp for digital cemetery services, new rules for non-compliant cameras, approval for a delegation management platform, and global data protection authorities' concerns about AI-generated intimate content.
Garante Privacy Fines Acea Energia €2 Million for Unauthorized Contracts
The Italian Garante privacy has fined Acea Energia spa €2 million for significant violations of personal data protection laws. The company was found to have used inaccurate customer data to activate over 1,200 unsolicited energy contracts through door-to-door agents.
Microsoft Loop, PowerBI, Teams Vulnerability Disclosure
The French National Cybersecurity Agency (ANSSI) has issued a notice regarding a vulnerability (CVE-2026-26133) affecting Microsoft Loop, PowerBI, and Teams. The vulnerability can lead to data confidentiality breaches. Users are advised to consult Microsoft's security bulletin for patch information.
Microsoft Office Vulnerability Advisory CVE-2026-26133
The French National Cybersecurity Agency (ANSSI) has issued an advisory regarding a vulnerability (CVE-2026-26133) in Microsoft Office applications. The vulnerability could lead to data confidentiality breaches.
Microsoft Edge Vulnerability Poses Data Confidentiality Risk
The French National Cybersecurity Agency (ANSSI) has issued a notice regarding a vulnerability in Microsoft Edge for Android and iOS. The vulnerability, identified as CVE-2026-26133, poses a risk of data confidentiality breaches. Users are advised to refer to Microsoft's security bulletin for patch information.
Multiple Vulnerabilities Found in IBM Products
The French National Cybersecurity Agency (ANSSI) has issued a notice regarding multiple vulnerabilities discovered in various IBM products. These vulnerabilities could allow remote code execution, denial of service, and data breaches. Affected users are advised to consult IBM's security bulletins for patch information.
Debian Linux Kernel Vulnerabilities Affecting Confidentiality and Security
The French National Cybersecurity Agency (ANSSI) has issued a notice regarding multiple vulnerabilities discovered in the Debian Linux kernel. These vulnerabilities can lead to privilege escalation, data confidentiality breaches, and denial of service, affecting specific versions of Debian bookworm and trixie.
PIPEDA Investigation into Google Search Compliance
The Office of the Privacy Commissioner of Canada (OPC) has concluded its investigation into Google's search engine compliance with PIPEDA. The investigation found that Google's accuracy obligations do not extend to the underlying content of linked articles, but it must ensure personal information in search results is accurate.
Joint Investigation of TikTok by Canadian Privacy Commissioners
Canadian privacy commissioners have concluded a joint investigation into TikTok's collection, use, and disclosure of personal information, particularly concerning children. The findings address appropriate purposes for data handling and the validity of user consent for ad targeting and content personalization.
Staples Canada ULC Investigated for Privacy Practices on Resold Devices
The Office of the Privacy Commissioner of Canada investigated Staples Canada ULC regarding its Openbox program for resold electronic devices. The investigation found deficiencies in data wiping procedures and employee training, leading to recommendations for Staples to improve its practices within nine months.
Loblaw PC Optimum Data Retention Investigated Under PIPEDA
The Office of the Privacy Commissioner of Canada has concluded an investigation into Loblaw Companies Ltd.'s retention of PC Optimum loyalty program member data. The findings highlight the importance of ensuring anonymized data cannot be re-identified and that personal information is destroyed or anonymized when no longer necessary.
CISA: Ignition Software Vulnerable to Code Execution
CISA issued an advisory for Inductive Automation Ignition Software versions prior to 8.3.0, identifying a deserialization vulnerability (CVE-2025-13913) that could allow remote code execution. Users are recommended to upgrade to version 8.3.0 or later.
CPPA Seeks Comments on Opt-out Preference Signals Rulemaking
The California Privacy Protection Agency (CPPA) is seeking preliminary public comments on potential rulemaking regarding Opt-out Preference Signals (OOPS). The agency is gathering information to explore whether regulatory changes are necessary to reduce friction in exercising privacy rights. Comments are due by April 6, 2026.
Accessible Deletion Mechanism for Data Brokers
The California Privacy Protection Agency has finalized regulations establishing an Accessible Deletion Mechanism (DROP) for data brokers, effective January 1, 2026. This system allows consumers to request the deletion of their personal information from registered data brokers through a single request to the agency.
California Adopts CCPA Regulations on Risk Assessments and Cybersecurity
The California Privacy Protection Agency has adopted final regulations updating the CCPA. These regulations implement requirements for risk assessments, annual cybersecurity audits, and consumers' rights regarding automated decision-making technology, effective January 1, 2026.
Data Broker Registration Fee Regulations
The California Privacy Protection Agency (CPPA) is now responsible for the state's data broker registry, effective January 1, 2024. Data brokers must pay an annual registration fee, which the CPPA may adjust. Final regulations for the fee structure have been published for 2024, 2025, and 2026 registrations.
CPPA Seeks Comments on Reducing Privacy Rights Friction
The California Privacy Protection Agency (CPPA) is seeking preliminary comments on potential regulatory changes to reduce friction in how consumers exercise their privacy rights. The comment period is open from March 6, 2026, until April 6, 2026.
ENISA Report: Cybersecurity Investments and NIS2 Challenges
ENISA's 6th NIS Investments report reveals a shift in cybersecurity spending from personnel to technology and services across 1080 EU organizations. The report highlights persistent talent shortages and challenges in implementing the NIS2 Directive, despite compliance being a key investment driver.
ENISA Seeks Feedback on Software Supply Chain Security Guidance
ENISA has launched public consultations on draft guidance for software supply chain security. Feedback is sought on an SBOM Landscape Analysis and a Technical Advisory for Secure Use of Package Managers, with a deadline of January 23, 2026.
ENISA Cybersecurity Exercise Methodology Guidance
ENISA has released a new cybersecurity exercise methodology to guide organizations in planning and executing effective cybersecurity exercises. The methodology provides a framework for simulating cyber crises, training response capabilities, and building resilience against cyber threats.
ENISA Report: EU Public Administrations Targeted by DDoS Attacks
ENISA has released a report detailing that EU public administrations are increasingly targeted by cyberattacks, primarily DDoS attacks, with central governments being the most affected. The report analyzes 586 incidents from 2024 and highlights the sector's developing cybersecurity resilience under the NIS2 Directive.
ENISA Updates International Cybersecurity Strategy
ENISA has updated its International Strategy to enhance engagement with international partners and align with the EU's cybersecurity policies. The revised strategy focuses on cooperation with countries sharing EU values and includes specific working arrangements with Ukraine and the US, support for EU candidate countries, and operationalizing the EU Cybersecurity Reserve for third countries.
Joint Advisory on SD-WAN Appliance Exploitation
The NSA, CISA, and international cybersecurity agencies have issued a joint advisory regarding the exploitation of Cisco SD-WAN appliances. Threat actors are exploiting a specific vulnerability (CVE-2026-20127) to gain root access and establish persistence. The advisory includes a threat hunt guide and mitigation recommendations.
NIST CSF 2.0 Cybersecurity Risk Management Guidance
The National Institute of Standards and Technology (NIST) has released version 2.0 of its Cybersecurity Framework (CSF). This updated guidance provides a comprehensive taxonomy for organizations of all sizes and sectors to manage cybersecurity risks, offering a flexible approach to assessing and communicating cybersecurity efforts.
NIST Cybersecurity Framework 2.0 Implementation Resources
The National Institute of Standards and Technology (NIST) has released quick start guides and implementation resources for the Cybersecurity Framework (CSF) 2.0. These resources aim to help organizations of all sizes, including small businesses, understand and implement the updated framework.
NIST Cybersecurity Framework 2.0 Profiles and Resources
The National Institute of Standards and Technology (NIST) has released updated resources for its Cybersecurity Framework (CSF) 2.0, including organizational profile templates and community profiles. These resources aim to help organizations assess and improve their cybersecurity posture.
NIST Cybersecurity Framework (CSF) 2.0 Anniversary and Updates
NIST is celebrating the two-year anniversary of the Cybersecurity Framework (CSF) 2.0. The blog post highlights updates and resources released over the past two years, including expanded guidance on governance and informative references to other standards, emphasizing the framework's widespread adoption and ongoing development.
Ivanti EPM Authentication Bypass Vulnerability
CISA has added a vulnerability (CVE-2026-1603) in Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, an authentication bypass allowing credential data leakage, affects versions before 2024 SU5.
Apple Use-After-Free Vulnerability Fixed in iOS/iPadOS 17
CISA has added a use-after-free vulnerability (CVE-2023-41974) affecting Apple iOS and iPadOS to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, which could allow an app to execute arbitrary code with kernel privileges, has been fixed by Apple in iOS 17, iPadOS 17, iOS 15.8.7, and iPadOS 15.8.7.
SolarWinds Web Help Desk RCE Vulnerability CVE-2025-26399
CISA has added CVE-2025-26399, a critical remote code execution vulnerability in SolarWinds Web Help Desk, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects versions 12.8.7 and below and allows unauthenticated attackers to run commands on the host machine.
VMware Workspace ONE UEM SSRF Vulnerability CVE-2021-22054
CISA has added VMware Workspace ONE UEM console versions to the Known Exploited Vulnerabilities (KEV) catalog due to an SSRF vulnerability (CVE-2021-22054). This vulnerability may allow a malicious actor to gain access to sensitive information.
n8n RCE Vulnerability CVE-2025-68613
CISA has added CVE-2025-68613, a critical Remote Code Execution vulnerability in n8n's workflow evaluation system, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects versions prior to 1.120.4, 1.121.1, and 1.122.0 and allows authenticated attackers to execute arbitrary code.
PCI SSC Establishes India-South Asia Regional Engagement Board
The PCI Security Standards Council (PCI SSC) has established its first Regional Engagement Board (REB) for the India and South Asia region, effective for 2025-2026. The board comprises 27 organizations from the payment industry to advise on payment security issues and promote awareness of PCI SSC standards.
PCI SSC Meeting Advances Payment Security and AI Guidance
The PCI Security Standards Council held its North America Community Meeting, focusing on advancing payment security and launching AI guidance. The event brought together over 1,200 stakeholders to discuss evolving standards, best practices for AI in payments, and cross-industry collaboration.
PCI SSC Asia-Pacific Community Meeting on Payment Security
The PCI Security Standards Council (PCI SSC) is hosting its annual Asia-Pacific Community Meeting in Bangkok on November 5-6, 2025. The event will bring together payment security experts to discuss evolving threats, new technologies, and best practices for preventing cyberattacks and fraud in the region.
PCI Security Standards Council Publishes Inaugural Annual Report
The PCI Security Standards Council has released its first-ever Annual Report, detailing progress in payment security during 2025 and outlining its vision for 2026. The report highlights advancements in standards, global collaboration, and the adoption of a product-led operating model.
EU AI Act Omnibus: New Compliance Deadlines and Deepfake Ban
Members of the European Parliament have reached a preliminary agreement on amendments to the EU AI Act, including extended compliance deadlines for high-risk systems and a ban on non-consensual deepfakes. The agreement aims to provide legal certainty and allow more time for technical standards and guidance development.
Maine Privacy Bill Advances, Oregon AI Chatbot Bill Clears Legislature
Maine's legislature has advanced a comprehensive privacy bill, the Maine Online Data Privacy Act, through both chambers. Oregon's Senate Bill 1546, an AI chatbot safety bill, has also cleared its state legislature and is heading to the governor. Both bills represent significant state-level regulatory developments.
US House Committee Advances KIDS Act and Other Online Safety Bills
The U.S. House Committee on Energy and Commerce advanced the KIDS Act, Sammy's Law, and the App Store Accountability Act to a full House vote. These bills aim to enhance children's online safety by addressing issues like dangerous content, age verification, and app store policies.
AI Training Compliance Guidance Post-SRB Ruling
This guidance analyzes the impact of the EU Court of Justice's Single Resolution Board ruling on AI training compliance for engineers. It outlines two pathways for compliance, emphasizing engineering choices in defining identifiability and data protection.
South Korea Overhauls PIPA with 10% Turnover Fines and CEO Accountability
South Korea has significantly amended its Personal Information Protection Act (PIPA), introducing fines up to 10% of total turnover and assigning direct supervisory liability to CEOs. These changes, effective September 11, 2026, aim to strengthen deterrence and promote proactive data protection investment.
HITRUST 2025 H2 Threat Analysis on AI Tactics and Assessments
HITRUST released its 2025 H2 Cyber Threat Adaptive Report, indicating that its e1, i1, and r2 assessments effectively mitigate top attack techniques, including AI-driven tactics. The report analyzed threat indicators, intelligence articles, and breaches, mapping data to the MITRE ATT&CK framework.
HITRUST CSF v11.6 Assessment Creation Deadline
HITRUST has announced deadlines for creating and submitting e1 and i1 assessments using CSF v11.6.0. The ability to create new assessments using v11.6.0 will be disabled on March 31, 2026, and submission will be disabled on June 30, 2026.
HITRUST CSF v11.6 Required for New e1 and i1 Assessments
HITRUST has announced that effective August 22, 2025, all new e1 and i1 assessments must be created using CSF v11.6.0. Existing assessments using v11.5.1 can still be submitted, with a future deadline to be announced.
HITRUST CSF v11.7.0 Release Notes
HITRUST has released version 11.7.0 of its Common Security Framework (CSF), effective December 18, 2025. This update includes new authoritative sources, consolidation of requirement statements, and modifications to the e1 and i1 assessment baselines.
HITRUST Assessment Handbook v1.2 Updates Released
HITRUST has released version 1.2 of its Assessment Handbook, introducing updates to procedures for evidence generation, testing expectations, reporting, and inheritance eligibility. These changes will be enforced for assessments submitted on or after April 15, 2026.
ISO 20022 Becomes Standard for Cross-Border Payments
As of November 22, 2025, ISO 20022 is the mandatory standard for cross-border payments, replacing the MT message format. This change aims to enhance efficiency, data richness, and compliance for financial institutions worldwide, supporting G20 goals for international payments.
ISO 20022 Payments Standard Deadline Approaching
SWIFT has issued a notice reminding financial institutions that the ISO 20022 standard for cross-border payments will become mandatory on November 22, 2025, ending the coexistence period with older MT formats. Institutions must complete their migration and testing to avoid disruptions and potential charges.
ISO 20022: AI for Structured Postal Data Transition
SWIFT is providing an open-source AI solution to help financial institutions transition from unstructured to structured postal data for ISO 20022 payment messages. This is a mandatory change required by November 2026 to avoid message rejection and ensure data integrity for AML efforts.
CYBERUK 2026 Conference Announcement
The UK's National Cyber Security Centre (NCSC) has announced details for the flagship CYBERUK 2026 conference in Glasgow, scheduled for April 21-23. The event will focus on accelerating cyber defences and will feature international security chiefs and industry leaders. Registration for private sector delegates remains open until April 2, 2026.
NCSC Warns of Hacktivist DoS Attacks on UK Organisations
The UK's National Cyber Security Centre (NCSC) has issued a warning regarding persistent denial of service (DoS) attacks by Russian-aligned hacktivist groups targeting UK organisations, particularly local government and critical infrastructure operators. The NCSC urges organisations to review their cyber defences and resilience measures.
NCSC: Pro-Russia Hacktivists Target UK Organisations with DDoS Attacks
The UK's National Cyber Security Centre (NCSC) has issued guidance warning that pro-Russia hacktivist groups, particularly NoName057(16), continue to target UK organisations with DDoS attacks. The NCSC urges local government and critical infrastructure operators to review and harden their denial-of-service defences.
NCSC Advises UK Organizations on Middle East Conflict Cyber Threats
The UK's National Cyber Security Centre (NCSC) has issued an alert advising UK organizations to review their cybersecurity posture due to the evolving conflict in the Middle East. The advisory highlights a heightened risk of indirect cyber threats and encourages organizations to implement enhanced monitoring and review their external attack surface.
NCSC Alert: Cisco SD-WAN Exploited Globally
The UK's NCSC, along with international partners, has issued an alert regarding the exploitation of Cisco Catalyst SD-WAN devices. Threat actors are gaining root and persistent access, and organizations are urged to investigate potential compromises and apply security updates.
Siemens Heliox EV Chargers Vulnerability Advisory
CISA has issued an advisory regarding a vulnerability in Siemens Heliox EV Chargers that could allow unauthorized access. Siemens has released updated versions and recommends immediate updates to mitigate the risk.
Siemens RUGGEDCOM APE1808 Devices Vulnerabilities
CISA has issued an advisory regarding multiple vulnerabilities affecting Siemens RUGGEDCOM APE1808 devices. These vulnerabilities, related to HTTP request smuggling and authentication bypass, have been assigned high CVSS scores. Siemens recommends updating to the latest version to address these security risks.
Siemens SIDIS Prime Vulnerabilities Advisory
CISA has issued an advisory regarding multiple vulnerabilities in Siemens SIDIS Prime versions prior to V4.0.800, affecting components like OpenSSL, SQLite, and Node.js packages. Siemens recommends updating to the latest version to address these high-severity issues.
CISA Advisory: Trane Tracer SC/SC+/Concierge Vulnerabilities
CISA issued an advisory regarding multiple vulnerabilities (CVE-2026-28252, CVE-2026-28253, CVE-2026-28254) affecting Trane Tracer SC, Tracer SC+, and Tracer Concierge systems. Exploitation could lead to sensitive information disclosure, arbitrary command execution, or denial-of-service.
NCSC Paper on Assessing 'Forgivable' vs 'Unforgivable' Vulnerabilities
The UK's National Cyber Security Centre (NCSC) has published a paper proposing a method to assess software vulnerabilities as 'forgivable' or 'unforgivable'. The research aims to help vendors eradicate common vulnerability classes by making top-level mitigations easier to implement.
UK Legal Sector Cyber Threat Report
The UK's National Cyber Security Centre (NCSC) has released a cyber threat report for the legal sector, detailing common threats and providing guidance for law firms of all sizes to enhance their resilience. The report highlights the extent to which the sector is being targeted, with an average of four nationally significant cyber attacks occurring weekly across the UK.
NCSC Assessment: Impact of AI on Cyber Threats 2027
The UK's National Cyber Security Centre (NCSC) has released an assessment detailing how Artificial Intelligence (AI) is expected to significantly increase cyber threats by 2027. The report highlights that AI will make intrusion operations more effective and efficient, potentially leading to a digital divide in system vulnerability.
NCSC Report: AI to Increase Cyber Attack Volume and Impact
The UK's National Cyber Security Centre (NCSC) has released a report assessing the near-term impact of Artificial Intelligence on the cyber threat. The assessment concludes that AI will almost certainly increase the volume and impact of cyber attacks over the next two years, though the effect will be uneven across different threat actors.
Active Cyber Defence Programme - Sixth Year Report
The UK's National Cyber Security Centre has published the sixth-year report on its Active Cyber Defence (ACD) programme. The report details findings on how the programme has protected the UK from cyber attacks since its launch in 2017.
GDPR Rights Procedure Resolution Against CaixaBank Payments
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a GDPR rights procedure against CaixaBank Payments & Consumer. The case involves a consumer's complaint about inclusion in a debt collection file without proper notification or justification of debt assignment.
AEPD Resolution on GDPR Rights Procedure
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a GDPR rights procedure. The resolution addresses a complaint where a data subject exercised their right of access, and the data controller failed to provide a legally established response within the stipulated timeframe. The AEPD admitted the claim for processing.
EDPB Letter to EC on US Entry Privacy Implications
The European Data Protection Board (EDPB) has sent a letter to the European Commission expressing concerns regarding the privacy implications of recent US legislative developments affecting entry conditions for EEA citizens. The letter highlights potential risks to data protection and fundamental rights.
EDPB-EDPS Opinion on Biotech Act Privacy Implications
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on the privacy implications of the proposed European Biotech Act. The opinion provides guidance on the GDPR compliance aspects of the proposed legislation.