← All Posts
Regulations & Compliance πŸ“… March 10, 2026 ⏱️ 8 min read

AI Systems Under Fire: Gemini Chrome Exploit, Copilot DLP Gaps & NIS2 Cloud Attack Surge

A critical Gemini AI vulnerability in Chrome exposes EU AI Act gaps, Microsoft Copilot's upcoming DLP changes raise GDPR red flags, Google Cloud attack patterns shift toward software exploitation with NIS2 implications, and Russian state-sponsored messaging hijacks demand immediate incident reporting under European frameworks.


πŸ”΄ CVE-2026-0628: Gemini AI Chrome Vulnerability & EU AI Act Implications

⚠️ HIGH SEVERITY β€” CVSS 8.8

CVE-2026-0628 β€” Elevation of privilege vulnerability in Google's Gemini AI integration within Chrome. Malicious browser extensions can exploit the flaw to gain elevated access to AI-processed data and system resources.

This vulnerability strikes at the heart of a growing regulatory concern: AI systems embedded in consumer products are becoming attack vectors. Under the EU AI Act, which entered its enforcement phase in February 2025, AI system providers bear explicit responsibility for security throughout the product lifecycle.

Regulatory Framework Impact

Regulation Requirement Impact of CVE-2026-0628
EU AI Act (Art. 15) AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity Elevation of privilege via AI component directly violates robustness requirements
EU AI Act (Art. 9) Risk management system must address foreseeable misuse Extension-based exploitation is a foreseeable attack vector for browser-embedded AI
NIS2 (Art. 21) Supply chain security and vulnerability handling Organizations using Chrome with Gemini must patch within mandated timeframes

πŸ›‘οΈ Compliance Action Required

Organizations deploying Chrome with Gemini AI features in regulated environments should:


☁️ Google Cloud Attack Shift: Software Flaws Overtake Credentials as Top Vector

New research reveals a fundamental shift in how attackers compromise Google Cloud environments: software vulnerability exploitation has overtaken weak credentials as the primary initial access vector. This development has significant implications for NIS2-mandated vulnerability management programs.

For years, cloud security focused on identity and access management β€” strong passwords, MFA, least privilege. While these remain essential, the attack surface has shifted. Threat actors are now primarily targeting unpatched software components, misconfigured APIs, and vulnerable third-party integrations within cloud workloads.

NIS2 Vulnerability Management Obligations

Under NIS2 Article 21, essential and important entities must implement "vulnerability handling and disclosure" as a core cybersecurity risk management measure. This cloud attack trend makes the requirement more critical than ever:

⚠️ DORA Consideration for Financial Entities

Financial institutions running workloads on Google Cloud must align this threat shift with their DORA ICT risk management framework. DORA Article 7 mandates that ICT risk management includes identification of "all sources of ICT risk" β€” a shift in attack patterns qualifies as a material change requiring framework updates.


πŸ€– Microsoft Copilot DLP Changes: GDPR Data Protection Under Pressure

Microsoft has announced upcoming changes to Data Loss Prevention (DLP) controls for Copilot, scheduled for April 2026. The changes will alter how Copilot interacts with files labeled as confidential or restricted β€” and compliance officers should take notice now.

The core concern: AI assistants with broad file access can inadvertently surface, summarize, or transmit personal data in ways that undermine existing DLP policies. If Copilot can read a confidential HR document and include its contents in a meeting summary, the data processing may exceed the original legal basis under GDPR.

Key GDPR Implications

πŸ“‹ Pre-April Compliance Checklist


πŸ•΅οΈ Russian State-Sponsored Signal & WhatsApp Hijacking: NIS2 Incident Reporting Triggered

The Dutch government's AIVD intelligence service has issued a formal warning about Russian state-sponsored actors hijacking Signal and WhatsApp accounts of government officials and critical infrastructure personnel. The campaign uses device-linking features to silently mirror encrypted conversations.

This is not merely an intelligence concern β€” it has direct regulatory consequences under multiple European frameworks.

Regulatory Reporting Obligations

Framework Reporting Requirement Timeline
NIS2 (Art. 23) Significant incidents affecting essential/important entities must be reported to national CSIRT Early warning within 24 hours; full notification within 72 hours
GDPR (Art. 33) Personal data breach notification to supervisory authority Without undue delay, within 72 hours
DORA (Art. 19) Major ICT-related incidents in financial entities Initial notification within 4 hours of classification

⚠️ Critical for Government & Critical Infrastructure

If your organization is classified as an essential or important entity under NIS2, any confirmed or suspected compromise of employee messaging accounts constitutes a reportable incident. The state-sponsored nature elevates severity classification.

Immediate Actions


🎣 Microsoft Teams Phishing & Fake AI Extensions: Supply Chain Security Under DORA and EU AI Act

Two concurrent threats highlight the expanding attack surface of collaboration tools and AI-branded software:

Microsoft Teams phishing campaigns are deploying the A0Backdoor malware, primarily targeting financial services and healthcare organizations β€” sectors directly regulated by DORA and NIS2 respectively.

Fake AI browser extensions masquerading as legitimate AI tools are stealing credentials, browsing data, and session tokens. These extensions exploit consumer trust in AI branding to distribute malware through official browser extension stores.

Regulatory Intersection

πŸ” Supply Chain Verification Steps


Stay Ahead of Regulatory Requirements with KENSAI

KENSAI automates compliance monitoring across NIS2, DORA, GDPR, and the EU AI Act β€” mapping real-time threats to your regulatory obligations. AI-powered risk assessment, automated gap analysis, and audit-ready reporting.

Request a Compliance Demo

🎯 Actionable Takeaways for Compliance Officers

  1. Patch CVE-2026-0628 immediately β€” Update Chrome and audit browser extensions; document in EU AI Act risk management records
  2. Reassess cloud vulnerability management β€” The shift to software-flaw exploitation means NIS2 vulnerability handling programs must evolve beyond credential-focused controls
  3. Prepare for Copilot DLP changes β€” Conduct or update DPIAs before April; review sensitivity labels and AI access scopes under GDPR
  4. Update incident response for messaging hijacks β€” State-sponsored Signal/WhatsApp compromise is a NIS2-reportable incident; ensure 24-hour early warning capability
  5. Harden collaboration tool supply chains β€” Teams phishing and fake AI extensions require DORA-compliant detection mechanisms and EU AI Act supply chain verification

Stay compliant, stay secure,
The KENSAI Regulatory Intelligence Team

Weekly regulations & compliance analysis powered by AI threat intelligence. Published every Monday at 06:00 CET.

πŸ›‘οΈ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free β†’

Related Articles

Exploit React2Shell di Next.js compromette 766 host, Drift Protocol perde $280M Microsoft緊ζ€₯RRASγƒ›γƒƒγƒˆγƒ‘γƒƒγƒγ€AppsFlyer SDKγ‚΅γƒ—γƒ©γ‚€γƒγ‚§γƒΌγƒ³δΉ—γ£ε–γ‚Š Enterprise DORA Digital Operational Resilience Testing Security Platform