إرشادات قانون المرونة السيبرانية الأوروبي صادرة، تقارير شفافية DSA مستحقة، إطار أمن 6G أُطلق
أسبوع حافل لتنظيم الأمن السيبراني في الاتحاد الأوروبي. نشرت المفوضية الأوروبية مسودة إرشادات تنفيذ CRA للمصنعين. وصلت الموجة الأولى من تقارير شفافية DSA. نشر تحالف من سبع دول إرشادات أمنية لـ 6G. وتؤكد ثغرات الذكاء الاصطناعي الجديدة — بما في ذلك استغلال Gemini عالي الخطورة — لماذا لا يمكن لقانون الذكاء الاصطناعي الأوروبي أن يأتي بالسرعة الكافية.
📋 Cyber Resilience Act: Draft Guidance Published for Feedback
New — CRA Implementation Guidance Open for Comment
On March 3, 2026, the European Commission published draft guidance to help companies meet the obligations of the Cyber Resilience Act (CRA). The guidance is open for public feedback, marking a critical milestone as the regulation moves from legislation to implementation.
The CRA, which entered into force in December 2024, establishes mandatory cybersecurity requirements for all products with digital elements sold in the EU. Manufacturers, importers, and distributors must ensure products meet essential security requirements throughout their lifecycle.
Key CRA Deadlines
- September 2026: Reporting obligations begin — manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA
- December 2027: Full compliance required — all products with digital elements must meet essential cybersecurity requirements
- Ongoing: Security updates must be provided for the expected product lifetime or a minimum of five years
What the Draft Guidance Covers
The Commission's guidance addresses the most common implementation questions from industry:
- Scope clarification: Which products qualify as "products with digital elements" — including IoT devices, firmware, software libraries, and cloud-connected products
- Vulnerability handling: How manufacturers should establish coordinated vulnerability disclosure processes
- Conformity assessment: Which products require third-party assessment versus self-assessment
- Software Bill of Materials (SBOM): Requirements for documenting and maintaining SBOMs for all covered products
Action required: Product manufacturers, software companies, and IoT vendors operating in the EU should review the draft guidance and submit feedback before the consultation period closes. Companies should begin CRA compliance programs now — September 2026 reporting obligations are only six months away.
📊 Digital Services Act: First Transparency Reports Deadline Passes
The first round of harmonised transparency reports under the Digital Services Act (DSA) were due by the end of February 2026. Providers of intermediary services — including platforms, hosting services, and search engines — were required to publish reports detailing their content moderation activities, government requests, and algorithmic recommendation systems.
What DSA Transparency Reports Must Include
- Content moderation: Volume and types of content removed or restricted, including automated detection statistics
- Government orders: Number and nature of orders received from EU member state authorities
- Complaints and appeals: Data on user complaints about content decisions and their resolution
- Algorithmic transparency: For Very Large Online Platforms (VLOPs), details about recommender system parameters and their impact
The European Commission is now reviewing the first batch of reports. Non-compliant platforms face fines of up to 6% of global annual turnover. Several smaller intermediary services reportedly missed the deadline, and the Commission has signaled it will pursue enforcement actions.
🌐 6G Cybersecurity: Western Coalition Launches Security-by-Design Guidelines
New Framework — 6G Security Guidelines Published
On March 4, 2026, a coalition of seven Western nations — including EU member states — launched comprehensive cybersecurity guidelines for future 6G telecommunications standards. The framework mandates security-by-design principles be integrated from the earliest stages of 6G development.
The guidelines directly address lessons learned from 5G security controversies, particularly around supply chain risks and vendor trust. Key principles include:
- Zero-trust architecture: All 6G network components must implement zero-trust by default
- Supply chain integrity: Mandatory provenance verification for all network hardware and software components
- Post-quantum cryptography: 6G standards must support quantum-resistant encryption algorithms from launch
- Open RAN security: Specific security requirements for open radio access network architectures
- AI/ML security: Guidelines for securing AI-powered network optimization and management functions
The framework aligns with the EU's broader approach under NIS2 and the CRA, creating a unified regulatory posture across critical telecommunications infrastructure.
🤖 AI Security Vulnerabilities Highlight EU AI Act Urgency
This week's AI security developments underscore the critical need for the EU AI Act's regulatory framework:
Gemini AI Exploit in Chrome (CVE-2026-0628)
Google patched a high-severity vulnerability (CVSS 8.8) in its Gemini AI implementation within the Chrome browser. Reported by Palo Alto Networks' Unit 42, the elevation of privilege flaw could have allowed malicious browser extensions with basic permissions to hijack the Gemini Live panel — accessing user conversations and executing actions on behalf of the user.
Fake AI Extensions Proliferating in App Stores
Security researchers continue to flag a surge of trojanized "AI" browser extensions appearing in official app stores. These extensions claim to provide AI functionality while secretly exfiltrating user data, session tokens, and browsing activity. The trend exploits consumer demand for AI tools without adequate marketplace security.
ContextCrush: AI Development Tools Under Attack
A critical vulnerability dubbed "ContextCrush" was discovered in the Context7 MCP Server, a tool used in AI development pipelines. The flaw could allow attackers to inject malicious instructions into AI development workflows, potentially poisoning AI training data or model outputs at the source.
EU AI Act Timeline: The Act's prohibited practices provisions took effect in February 2025. High-risk AI system obligations apply from August 2026. The EU AI Office is developing harmonized standards and guidance. These vulnerabilities demonstrate exactly why mandatory AI security requirements — including risk assessments, vulnerability management, and transparency obligations — are essential.
📈 NIS2 & DORA Status Update
NIS2: Enforcement Intensifies
EU member states continue to ramp up NIS2 enforcement. Key developments this week:
- ENISA announced leadership priorities for the EU Agencies Network (EUAN) 2025-2026, with cybersecurity across agencies as a core focus area
- Germany's BSI continues its compliance verification program, with over 2,000 essential and important entities now registered
- Europol's LeakBase takedown (March 5) demonstrates the kind of cross-border enforcement cooperation that NIS2 was designed to enable — the forum had 142,000 users trading stolen credentials since 2021
- Tycoon2FA takedown (March 4) — international law enforcement dismantled a phishing-as-a-service platform, reinforcing the incident reporting obligations under NIS2
DORA: Financial Sector Compliance Countdown
The Digital Operational Resilience Act has been in effect since January 17, 2025. Financial entities should now be in full compliance. Key Q1 2026 compliance activities:
- Complete ICT third-party risk registers with all critical service providers identified
- Finalize information sharing arrangements with sector peers
- Conduct first round of threat-led penetration testing (TLPT) for significant entities
- Submit ICT risk management framework documentation to national competent authorities
🗓️ Upcoming Regulatory Deadlines
| Date | Regulation | Milestone |
|---|---|---|
| Jun 2026 | NIS2 | Netherlands: Entity self-assessment deadline |
| Aug 2026 | EU AI Act | High-risk AI system obligations apply |
| Sep 2026 | CRA | Vulnerability reporting obligations begin |
| Q4 2026 | DORA | First TLPT cycle completion for significant entities |
| Dec 2027 | CRA | Full product compliance required |
✅ Compliance Action Items This Week
- CRA: Review the European Commission's draft CRA guidance and submit feedback. Begin product inventory and SBOM documentation.
- DSA: If you're an intermediary service provider, verify your transparency report was submitted. Address any gaps before enforcement actions begin.
- NIS2: Update incident response playbooks with learnings from the LeakBase and Tycoon2FA takedowns. Review supply chain security posture.
- DORA: Ensure ICT risk management frameworks are documented and submitted. Schedule threat-led penetration testing.
- EU AI Act: Audit AI systems for the Gemini/ContextCrush vulnerability patterns. Update AI system risk classifications ahead of August 2026 obligations.
- 6G Preparedness: Telecom operators should begin reviewing the new 6G security guidelines for long-term infrastructure planning.