The UK's NCSC chief uses RSAC 2026 to push for mandatory security guardrails in AI code-generation tools. The FCA aligns cyber incident reporting with DORA principles. Essex Police suspends facial recognition deployment after Cambridge study finds racial bias — a test case for EU AI Act high-risk provisions. The UK government opens digital ID consultation with unanswered GDPR questions. ENISA publishes a practical NIS2 cybersecurity exercise framework for EU organisations.
NCSC CEO Richard Horne used his RSAC 2026 keynote to call on the cybersecurity industry to "seize the disruptive vibe coding opportunity" while building mandatory security safeguards into AI code-generation tools.
At RSA Conference 2026 in San Francisco, Richard Horne, chief executive of the UK's National Cyber Security Centre (NCSC), delivered what amounts to a regulatory warning shot: the explosion of AI-assisted software development — widely called "vibe coding" — is both a massive opportunity and a systemic risk that the industry must address now, not in five years.
In parallel, NCSC CTO David C published the agency's "Secure Vibe Coding Commandments":
The NCSC's position aligns directly with the EU AI Act's requirements for AI systems used in critical infrastructure. Under the Act, AI code-generation tools used to build software for essential services would likely qualify as high-risk AI systems, requiring conformity assessments, transparency obligations, and human oversight. The NCSC's commandments read like a preview of the technical standards the EU will eventually mandate.
For DACH organisations already preparing for the EU AI Act's August 2026 general-purpose AI obligations, this is a signal to start evaluating how AI-generated code is governed in their development pipelines today.
The UK Financial Conduct Authority has issued streamlined incident reporting rules covering both internal cyber events and third-party outages, creating a single reporting portal with the PRA and Bank of England.
The FCA's new reporting regime addresses a long-standing complaint from financial institutions: confusion about what to report, when to report it, and what information to include. The update includes:
While the UK is no longer subject to EU regulations, the FCA's update clearly draws from the Digital Operational Resilience Act (DORA) playbook. DORA's incident reporting framework — which requires EU financial entities to report major ICT-related incidents to their national competent authority — has set the benchmark. The FCA's move to include third-party incidents mirrors DORA's focus on critical ICT third-party providers.
FCA Director Mark Francis noted: "Resilience is being tested like never before, with firms facing growing cyber threats and increasing reliance on third parties." The data backs this up — 40% of incidents reported to the FCA in 2025 involved a third party, including high-profile outages at AWS and Cloudflare.
For organisations operating in both the UK and EU, the convergence is good news — the reporting frameworks are increasingly aligned. However, differences remain in scope, timelines, and specific requirements. Dual-regulated firms should map their incident reporting workflows against both DORA and the new FCA regime to identify gaps.
Essex Police has paused its live facial recognition deployment after a Cambridge University study found the system was statistically more likely to identify Black individuals, raising direct questions about EU AI Act compliance for similar systems.
A controlled field experiment by Cambridge University researchers found that Essex Police's live facial recognition (LFR) system showed statistically significant racial bias — it was more likely to correctly identify Black participants than those from other ethnic groups. While the researchers cautioned this could reflect the limited number of false positives rather than a systematic effect, Essex Police chose to pause deployments and work with the algorithm provider to address the issue.
The findings come as the UK government is actively expanding facial recognition use in policing — spending over £26 million on a national system and £11.6 million on additional LFR-equipped vans.
Under the EU AI Act, real-time remote biometric identification in public spaces by law enforcement is classified as a prohibited practice with narrow exceptions. Even post-identification (after the fact) is classified as high-risk, requiring:
This case is a textbook example of why the EU AI Act exists. The bias was only caught because Essex Police commissioned independent academic studies — many organisations deploying similar systems never perform this level of scrutiny.
Facial recognition isn't just a policing tool. Banks, airports, retailers, and access control systems across the EU use biometric identification. If your organisation deploys any form of biometric AI, the Essex Police case is a warning: test for bias proactively, or regulators will test for you.
The UK government has launched a public consultation on its digital ID scheme, initially covering right-to-work checks, with plans to expand to benefits, pensions, and student loans. Critical GDPR-aligned questions remain unanswered.
The UK government's digital identity consultation has opened, outlining a scheme that would initially cover right-to-work checks with plans to expand across government services. But the consultation is notably silent on several critical privacy issues:
While the UK has diverged from the EU on some data protection matters post-Brexit, the UK GDPR (retained from EU law) still applies. Key concerns include:
The EU's own eIDAS 2.0 regulation mandates European Digital Identity Wallets by 2026-2027, and the UK's consultation provides useful cautionary lessons. The EU framework includes stronger privacy protections — including selective disclosure (proving you're over 18 without revealing your birth date) and prohibitions on tracking across services. EU member states should watch the UK scheme's privacy gaps as examples of what to avoid.
NIS2 Compliance Resource: The EU Agency for Cybersecurity (ENISA) has published a comprehensive methodology for building cybersecurity exercises, designed to help organisations meet NIS2's incident response preparedness requirements. This is a practical, step-by-step guide — not theoretical guidance.
ENISA's Cybersecurity Exercise Methodology is designed to "empower and guide organisations in developing effective cybersecurity exercises from start to finish." Under NIS2 Article 21, essential and important entities must implement measures for incident handling, including regular testing and exercises.
The methodology covers:
Many organisations subject to NIS2 are still struggling with the practical question: "How do we actually test our incident response capabilities?" ENISA's methodology provides a concrete, EU-endorsed answer. National competent authorities will likely reference this framework when assessing compliance, making it de facto required reading.
| Development | Regulation | Impact | Action Required |
|---|---|---|---|
| NCSC Vibe Coding Safeguards | EU AI Act | AI code-gen tools face new security standards | Audit AI coding tools, prepare for compliance |
| FCA Incident Reporting Overhaul | DORA | UK aligns with EU third-party risk framework | Update reporting workflows by March 2027 |
| Facial Recognition Bias Suspension | EU AI Act | Real-world proof that bias testing is essential | Audit all biometric AI for bias |
| UK Digital ID Consultation | GDPR / eIDAS 2.0 | Privacy gaps in national ID scheme | Submit consultation feedback, assess data flows |
| ENISA Exercise Methodology | NIS2 | Practical compliance framework published | Schedule Q2 2026 cybersecurity exercise |
Regulatory compliance starts with knowing your attack surface. KENSAI provides automated security scanning across your web applications, APIs, and infrastructure — with compliance mapping built in.
Start Your Free Security Scan →Published by the KENSAI Regulatory Intelligence Team · March 25, 2026
Stay compliant. Stay protected. Read more briefings →