EU Commission Investigates AWS Cloud Breach as Council Sanctions Chinese & Iranian Cyber Firms, Revised Cybersecurity Act Targets Foreign Suppliers
The European Commission is investigating a major breach of its Amazon cloud environment with 350GB allegedly stolen — raising urgent questions about NIS2 and DORA third-party risk management. The EU Council sanctions three companies tied to state-backed cyberattacks. A proposed Revised Cybersecurity Act would mandate removing high-risk foreign suppliers from telecom networks. The CRA Administrative Cooperation Group holds its inaugural meeting, and the AI Board convenes its seventh session on EU AI Act governance.
1. European Commission AWS Breach: 350GB Data Theft Shakes EU Cloud Security Posture
The European Commission is investigating a security breach after a threat actor gained unauthorized access to at least one of its Amazon Web Services (AWS) accounts. The attacker claims to have exfiltrated over 350 gigabytes of data, including multiple databases and email server contents belonging to Commission employees.
What Happened
According to reports from BleepingComputer, the breach was detected relatively quickly by the Commission's cybersecurity incident response team. The threat actor provided screenshots demonstrating access to employee information and internal email systems. Notably, the attacker stated they would not attempt extortion but intend to leak the data publicly at a later date.
This is the second major breach at the Commission in 2026. In February, the institution disclosed that its mobile device management (MDM) platform was compromised on January 30 — an incident linked to Ivanti EPMM code-injection vulnerabilities that also affected the Dutch Data Protection Authority and Finland's Valtori agency.
⚠️ NIS2 & DORA Implications
This breach exposes critical gaps in third-party cloud risk management — precisely the domain addressed by NIS2's supply chain security requirements (Article 21) and DORA's ICT third-party risk framework (Chapter V). If the EU's own executive body struggles with cloud security governance, it raises pointed questions about readiness expectations for private-sector entities facing compliance deadlines.
Key Regulatory Takeaways
- NIS2 Article 21(2)(d): Requires "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers" — AWS being a direct service provider
- DORA Article 28: Mandates that financial entities and critical institutions maintain robust contractual arrangements with ICT third-party service providers, including exit strategies and data portability
- GDPR Article 33: The Commission must notify the EDPS within 72 hours if personal data of EU citizens was compromised
2. EU Council Sanctions Chinese and Iranian Companies for State-Backed Cyberattacks
The Council of the European Union has imposed cyber sanctions on three companies and two individuals for orchestrating cyberattacks against member states' critical infrastructure — the most significant expansion of the EU's cyber sanctions regime since its 2019 inception.
Sanctioned Entities
| Entity | Country | Attribution |
|---|---|---|
| Integrity Technology Group | China | Provided support leading to compromise of 65,000+ devices across 6 EU states (linked to Flax Typhoon/Raptor Train botnet) |
| Anxun Information Technology (i-Soon) | China | Hacker-for-hire services targeting critical infrastructure in EU states and third countries since 2011 |
| Emennet Pasargad | Iran | Influence campaigns, SMS service compromise in Sweden, Paris Olympics billboard hijacking |
The two sanctioned individuals are co-founders of Anxun Information Technology (i-Soon), the Chinese firm whose massive data leak in February 2024 exposed its operations as a government-affiliated hacking contractor.
📊 Sanctions impact: All listed entities face EU-wide asset freezes. EU citizens and companies are prohibited from making funds or economic resources available to them. The two individuals also face travel bans across all EU territories. The EU's cyber sanctions list now covers 19 individuals and 7 entities.
Regulatory Significance
These sanctions directly reinforce the EU's evolving cyber deterrence framework under NIS2. The directive's Recital 9 explicitly references the need for coordinated responses to state-backed threats, and Article 13 tasks EU-CyCLONe (the Cyber Crisis Liaison Organisation Network) with supporting "coordinated management of large-scale cybersecurity incidents."
3. Revised Cybersecurity Act: Mandating Removal of High-Risk Foreign Suppliers
The European Commission has proposed sweeping new cybersecurity legislation that would grant it authority to mandate the removal of high-risk foreign suppliers from European telecommunications networks — moving beyond the voluntary 5G Security Toolbox introduced in 2020.
Key Provisions
- Mandatory risk assessments: EU-wide evaluations across 18 critical sectors based on suppliers' countries of origin and national security implications
- High-risk supplier removal: Authority to restrict or ban equipment from vendors deemed security risks in mobile telecom networks
- Streamlined certification: Voluntary ENISA-managed certification schemes to reduce regulatory burden
- Enhanced ENISA powers: Early threat alerts, single entry point for incident reporting, ransomware response coordination with Europol
- Cybersecurity workforce: EU-wide skills attestation schemes and a Cybersecurity Skills Academy pilot
🔶 Industry Impact
Although the proposal does not name specific companies, EU officials have consistently flagged concerns about Chinese vendors Huawei and ZTE. The legislation effectively codifies what several member states (France, Germany, Sweden) have already implemented voluntarily. Telecom operators relying on these vendors would face mandatory phase-out timelines once the Act passes Parliament and Council.
"Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life," said EU tech commissioner Henna Virkkunen. The Cybersecurity Act would take effect immediately upon approval, with member states having one year to implement amendments into national law.
How This Intersects with NIS2 and DORA
The Revised Cybersecurity Act complements rather than replaces NIS2. While NIS2 sets baseline security requirements for essential and important entities, this new Act specifically targets supply chain sovereignty at the infrastructure level. For financial institutions under DORA, the implication is clear: ICT third-party concentration risk involving non-EU suppliers will face heightened regulatory scrutiny.
4. Cyber Resilience Act: First Administrative Cooperation Group Meeting
The first meeting of the Administrative Cooperation Group for the Cyber Resilience Act (CRA) was held on March 20, 2026, marking a pivotal step in preparing for enforcement of the regulation that will impose mandatory cybersecurity requirements for all digital products sold in the EU.
What the CRA Requires
The CRA applies to all products with digital elements — from consumer IoT devices to industrial software. Manufacturers must:
- Conduct cybersecurity risk assessments before market placement
- Provide security updates throughout the product's expected lifetime (minimum 5 years)
- Report actively exploited vulnerabilities to ENISA within 24 hours
- Maintain Software Bills of Materials (SBOMs) for all products
ENISA has also launched a survey targeting SMEs to assess CRA awareness, readiness, and support needs — acknowledging that smaller businesses face disproportionate compliance burdens.
📅 Timeline: The CRA entered into force in December 2024. The reporting obligation for actively exploited vulnerabilities begins September 2026. Full compliance for all products is required by December 2027. The Administrative Cooperation Group will coordinate cross-border enforcement among national market surveillance authorities.
5. EU AI Board Seventh Meeting: Shaping AI Act Governance
The seventh meeting of the EU AI Board took place on March 20, 2026, bringing together member state representatives to discuss the latest developments in the Commission's AI strategy and the ongoing implementation of the EU AI Act.
Where the AI Act Stands
The EU AI Act's phased implementation continues on schedule:
| Milestone | Date | Status |
|---|---|---|
| Prohibited AI practices ban | February 2025 | ✅ In effect |
| GPAI model obligations | August 2025 | ✅ In effect |
| High-risk AI system requirements | August 2026 | ⏳ 5 months away |
| Full enforcement for all AI systems | August 2027 | ⏳ 17 months away |
The AI Board serves as the primary governance body for coordinating AI Act enforcement across member states. Key discussion topics at the seventh meeting included:
- Harmonized standards for high-risk AI system assessments
- AI regulatory sandboxes — progress on implementation across member states
- Coordination with the AI Office on codes of practice for general-purpose AI models
- Cross-border enforcement cooperation mechanisms
🔶 Compliance Alert
Organizations deploying high-risk AI systems (Annex III categories including biometrics, critical infrastructure management, employment, and law enforcement) have until August 2, 2026 to achieve full compliance. This includes conformity assessments, technical documentation, and registration in the EU database for high-risk AI systems.
The Bigger Picture: EU's Regulatory Fortress Takes Shape
This week's developments illustrate how the EU's cybersecurity and digital regulation landscape is converging rapidly. Five major frameworks are now simultaneously active or entering enforcement:
| Regulation | Focus | Key 2026 Milestone |
|---|---|---|
| NIS2 | Network & information security | Full national transposition & enforcement |
| DORA | Financial sector digital resilience | Ongoing supervisory testing |
| CRA | Product cybersecurity | Vulnerability reporting begins Sep 2026 |
| EU AI Act | AI system governance | High-risk requirements Aug 2026 |
| Revised Cybersecurity Act | Supply chain sovereignty | Parliamentary review ongoing |
The Commission's own AWS breach — while embarrassing — may actually accelerate legislative urgency. Nothing motivates regulatory action quite like being the victim yourself.
Stay Ahead of EU Cybersecurity Regulations
Track NIS2, DORA, CRA, GDPR, and AI Act compliance requirements in one place.
Explore KENSAI →Published by KENSAI Intelligence · Security Regulations Briefing · March 29, 2026
Sources: BleepingComputer, European Commission, Council of the European Union, ENISA, EU Digital Strategy