Regulations March 29, 2026 · 12 min read

EU Commission Investigates AWS Cloud Breach as Council Sanctions Chinese & Iranian Cyber Firms, Revised Cybersecurity Act Targets Foreign Suppliers

The European Commission is investigating a major breach of its Amazon cloud environment with 350GB allegedly stolen — raising urgent questions about NIS2 and DORA third-party risk management. The EU Council sanctions three companies tied to state-backed cyberattacks. A proposed Revised Cybersecurity Act would mandate removing high-risk foreign suppliers from telecom networks. The CRA Administrative Cooperation Group holds its inaugural meeting, and the AI Board convenes its seventh session on EU AI Act governance.


1. European Commission AWS Breach: 350GB Data Theft Shakes EU Cloud Security Posture

The European Commission is investigating a security breach after a threat actor gained unauthorized access to at least one of its Amazon Web Services (AWS) accounts. The attacker claims to have exfiltrated over 350 gigabytes of data, including multiple databases and email server contents belonging to Commission employees.

What Happened

According to reports from BleepingComputer, the breach was detected relatively quickly by the Commission's cybersecurity incident response team. The threat actor provided screenshots demonstrating access to employee information and internal email systems. Notably, the attacker stated they would not attempt extortion but intend to leak the data publicly at a later date.

This is the second major breach at the Commission in 2026. In February, the institution disclosed that its mobile device management (MDM) platform was compromised on January 30 — an incident linked to Ivanti EPMM code-injection vulnerabilities that also affected the Dutch Data Protection Authority and Finland's Valtori agency.

⚠️ NIS2 & DORA Implications

This breach exposes critical gaps in third-party cloud risk management — precisely the domain addressed by NIS2's supply chain security requirements (Article 21) and DORA's ICT third-party risk framework (Chapter V). If the EU's own executive body struggles with cloud security governance, it raises pointed questions about readiness expectations for private-sector entities facing compliance deadlines.

Key Regulatory Takeaways


2. EU Council Sanctions Chinese and Iranian Companies for State-Backed Cyberattacks

The Council of the European Union has imposed cyber sanctions on three companies and two individuals for orchestrating cyberattacks against member states' critical infrastructure — the most significant expansion of the EU's cyber sanctions regime since its 2019 inception.

Sanctioned Entities

EntityCountryAttribution
Integrity Technology GroupChinaProvided support leading to compromise of 65,000+ devices across 6 EU states (linked to Flax Typhoon/Raptor Train botnet)
Anxun Information Technology (i-Soon)ChinaHacker-for-hire services targeting critical infrastructure in EU states and third countries since 2011
Emennet PasargadIranInfluence campaigns, SMS service compromise in Sweden, Paris Olympics billboard hijacking

The two sanctioned individuals are co-founders of Anxun Information Technology (i-Soon), the Chinese firm whose massive data leak in February 2024 exposed its operations as a government-affiliated hacking contractor.

📊 Sanctions impact: All listed entities face EU-wide asset freezes. EU citizens and companies are prohibited from making funds or economic resources available to them. The two individuals also face travel bans across all EU territories. The EU's cyber sanctions list now covers 19 individuals and 7 entities.

Regulatory Significance

These sanctions directly reinforce the EU's evolving cyber deterrence framework under NIS2. The directive's Recital 9 explicitly references the need for coordinated responses to state-backed threats, and Article 13 tasks EU-CyCLONe (the Cyber Crisis Liaison Organisation Network) with supporting "coordinated management of large-scale cybersecurity incidents."


3. Revised Cybersecurity Act: Mandating Removal of High-Risk Foreign Suppliers

The European Commission has proposed sweeping new cybersecurity legislation that would grant it authority to mandate the removal of high-risk foreign suppliers from European telecommunications networks — moving beyond the voluntary 5G Security Toolbox introduced in 2020.

Key Provisions

🔶 Industry Impact

Although the proposal does not name specific companies, EU officials have consistently flagged concerns about Chinese vendors Huawei and ZTE. The legislation effectively codifies what several member states (France, Germany, Sweden) have already implemented voluntarily. Telecom operators relying on these vendors would face mandatory phase-out timelines once the Act passes Parliament and Council.

"Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life," said EU tech commissioner Henna Virkkunen. The Cybersecurity Act would take effect immediately upon approval, with member states having one year to implement amendments into national law.

How This Intersects with NIS2 and DORA

The Revised Cybersecurity Act complements rather than replaces NIS2. While NIS2 sets baseline security requirements for essential and important entities, this new Act specifically targets supply chain sovereignty at the infrastructure level. For financial institutions under DORA, the implication is clear: ICT third-party concentration risk involving non-EU suppliers will face heightened regulatory scrutiny.


4. Cyber Resilience Act: First Administrative Cooperation Group Meeting

The first meeting of the Administrative Cooperation Group for the Cyber Resilience Act (CRA) was held on March 20, 2026, marking a pivotal step in preparing for enforcement of the regulation that will impose mandatory cybersecurity requirements for all digital products sold in the EU.

What the CRA Requires

The CRA applies to all products with digital elements — from consumer IoT devices to industrial software. Manufacturers must:

ENISA has also launched a survey targeting SMEs to assess CRA awareness, readiness, and support needs — acknowledging that smaller businesses face disproportionate compliance burdens.

📅 Timeline: The CRA entered into force in December 2024. The reporting obligation for actively exploited vulnerabilities begins September 2026. Full compliance for all products is required by December 2027. The Administrative Cooperation Group will coordinate cross-border enforcement among national market surveillance authorities.


5. EU AI Board Seventh Meeting: Shaping AI Act Governance

The seventh meeting of the EU AI Board took place on March 20, 2026, bringing together member state representatives to discuss the latest developments in the Commission's AI strategy and the ongoing implementation of the EU AI Act.

Where the AI Act Stands

The EU AI Act's phased implementation continues on schedule:

MilestoneDateStatus
Prohibited AI practices banFebruary 2025✅ In effect
GPAI model obligationsAugust 2025✅ In effect
High-risk AI system requirementsAugust 2026⏳ 5 months away
Full enforcement for all AI systemsAugust 2027⏳ 17 months away

The AI Board serves as the primary governance body for coordinating AI Act enforcement across member states. Key discussion topics at the seventh meeting included:

🔶 Compliance Alert

Organizations deploying high-risk AI systems (Annex III categories including biometrics, critical infrastructure management, employment, and law enforcement) have until August 2, 2026 to achieve full compliance. This includes conformity assessments, technical documentation, and registration in the EU database for high-risk AI systems.


The Bigger Picture: EU's Regulatory Fortress Takes Shape

This week's developments illustrate how the EU's cybersecurity and digital regulation landscape is converging rapidly. Five major frameworks are now simultaneously active or entering enforcement:

RegulationFocusKey 2026 Milestone
NIS2Network & information securityFull national transposition & enforcement
DORAFinancial sector digital resilienceOngoing supervisory testing
CRAProduct cybersecurityVulnerability reporting begins Sep 2026
EU AI ActAI system governanceHigh-risk requirements Aug 2026
Revised Cybersecurity ActSupply chain sovereigntyParliamentary review ongoing

The Commission's own AWS breach — while embarrassing — may actually accelerate legislative urgency. Nothing motivates regulatory action quite like being the victim yourself.

Stay Ahead of EU Cybersecurity Regulations

Track NIS2, DORA, CRA, GDPR, and AI Act compliance requirements in one place.

Explore KENSAI →

Published by KENSAI Intelligence · Security Regulations Briefing · March 29, 2026

Sources: BleepingComputer, European Commission, Council of the European Union, ENISA, EU Digital Strategy

Related Articles

Redirecting... Redirecting... 微软紧急RRAS热补丁、AppsFlyer SDK供应链劫持、Chrome两个零日漏洞修补