The EU Commission — the body that writes cybersecurity regulation — has been breached by ShinyHunters, with 350GB of sensitive data stolen. Meanwhile, critical-severity zero-days in Citrix NetScaler and F5 BIG-IP are under active exploitation, Fortinet FortiClient EMS is being weaponized, and a new study reveals LLMs are silently breaking organizational access controls. Here's what it all means for NIS2, DORA, GDPR, and EU AI Act compliance.
The European Commission has confirmed a data breach after its Europa.eu platform was hacked. ShinyHunters claims to have stolen over 350GB including mail server dumps, databases, confidential documents, and contracts. This is the Commission's second breach in two months.
In what can only be described as a sobering irony, the European Commission — the institution responsible for crafting and enforcing the EU's cybersecurity regulatory framework — has itself fallen victim to a major data breach. The ShinyHunters extortion gang claimed responsibility after compromising at least one of the Commission's AWS (Amazon Web Services) accounts and exfiltrating over 350GB of data.
The stolen data allegedly includes mail server dumps, databases, confidential documents, and contracts. ShinyHunters has already published a 90GB sample archive on their dark web leak site. The Commission confirmed the breach in a press release, noting that internal systems were not affected but acknowledging that "data have been taken from those websites."
This comes just weeks after the Commission disclosed a separate breach in February involving its mobile device management platform. Two major security incidents within the same EU institution in under two months raises serious questions about the Commission's own security posture — particularly as it pushes member states toward strict NIS2 compliance.
GDPR: The breach exposes employee personal data, triggering notification obligations under Articles 33-34. If the data includes information about citizens of member states, affected Data Protection Authorities must be notified within 72 hours. The Commission itself must follow the very rules it enforces.
NIS2: As a Union institution operating essential digital services, the Commission falls under obligations parallel to NIS2. The breach of cloud infrastructure (AWS accounts) highlights the exact supply chain and cloud security risks NIS2 was designed to address. Organizations should examine whether their own cloud configurations would survive a similar attack.
A critical vulnerability (CVSS 9.3) in Citrix NetScaler ADC and Gateway is being actively exploited to leak sensitive data including authenticated administrator session IDs. Patch immediately.
A critical-severity vulnerability in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, CVSS 9.3) is under active exploitation as of March 27, 2026. The flaw is an insufficient input validation leading to memory overread, allowing attackers to leak sensitive information from application memory — including authenticated administrative session IDs.
Successful exploitation requires the appliance to be configured as a SAML Identity Provider (SAML IDP), which narrows the attack surface but still affects a significant number of enterprise deployments. Once an attacker captures an admin session ID from memory, they can hijack the session and take full control of the appliance — including modifying traffic inspection rules, SSL certificates, and access policies.
Citrix NetScaler sits at the network edge for thousands of organizations across Europe, serving as both a load balancer and VPN gateway. Compromising these devices gives attackers a privileged position to intercept, redirect, or manipulate traffic flowing through the organization's infrastructure.
NIS2: NetScaler appliances are considered critical network infrastructure under NIS2 Article 21 requirements for "vulnerability handling and disclosure." Organizations classified as essential or important entities that fail to patch within a reasonable timeframe risk penalties of up to €10M or 2% of global revenue. NIS2 also requires incident reporting to CSIRTs within 24 hours of becoming aware of exploitation.
DORA: Financial institutions using Citrix NetScaler for remote access or application delivery must treat this as a major ICT-related incident under DORA Article 19 if exploitation is detected. DORA requires financial entities to maintain a register of all ICT assets and ensure continuous vulnerability management — including edge network devices.
F5 has reclassified a BIG-IP APM vulnerability from high-severity DoS to critical-severity remote code execution. Attackers are actively deploying webshells on unpatched devices.
In a concerning development, F5 has reclassified a BIG-IP Access Policy Manager (APM) vulnerability that was initially disclosed as a high-severity denial-of-service flaw. The vulnerability is now rated critical-severity remote code execution (RCE), and attackers are already exploiting it in the wild to deploy webshells on unpatched devices.
This reclassification matters enormously. Organizations that assessed the original DoS advisory and deprioritized patching based on a risk-acceptable DoS classification now face an entirely different threat: persistent remote access through webshells. BIG-IP appliances handle SSL offloading, load balancing, and application delivery for many of the world's largest financial institutions, healthcare providers, and government agencies.
A webshell on a BIG-IP device gives attackers the ability to intercept encrypted traffic, redirect users, inject malicious content, and pivot deeper into the internal network — all while appearing as legitimate traffic to downstream security controls.
DORA: Financial institutions using BIG-IP for application delivery face immediate obligations. DORA Article 9 requires financial entities to implement policies for ICT asset management that include timely patching of critical vulnerabilities. A vulnerability reclassification from DoS to RCE should trigger an immediate reassessment of risk and patching priority. Regulators will not accept "we assessed it as DoS and deprioritized it" as a defense.
NIS2: BIG-IP devices serving as load balancers for essential services (healthcare, energy, transport) fall squarely under NIS2's vulnerability management requirements. The deployment of webshells constitutes a significant incident requiring CSIRT notification.
A critical vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS) is now being actively exploited. Compromising EMS gives attackers control over endpoint security policies across the entire organization.
Attackers are actively exploiting a critical vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS), the centralized platform that manages Fortinet's endpoint security agents across enterprise environments. Threat intelligence company Defused confirmed active exploitation in the wild.
FortiClient EMS is particularly dangerous to compromise because it is the management plane for endpoint security. An attacker who controls EMS can push malicious configurations to all managed endpoints, disable security policies, whitelist malware, or deploy backdoors — all through the legitimate management infrastructure that security teams trust.
This attack follows a troubling trend: threat actors are increasingly targeting security management infrastructure itself rather than individual endpoints. We've seen similar campaigns against Cisco FMC, Ivanti EPMM, and SolarWinds — the tools organizations depend on to maintain security are becoming the primary attack vectors.
NIS2 Article 21(2)(d) requires essential and important entities to implement "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." Endpoint management platforms are the epitome of supply chain trust — if the management server is compromised, every managed endpoint is compromised by extension. Organizations must ensure their security management infrastructure receives the highest patching priority, not equal priority with the assets it manages.
New research reveals that LLMs can write syntactically correct access control policies (Rego, Cedar) that contain subtle logical errors — silently dismantling least-privilege security models.
A research study published this week reveals a critical and underappreciated risk of using Large Language Models (LLMs) in security operations: AI systems can write syntactically correct access control policies that contain subtle logical errors, quietly eroding organizational security without triggering any alarms.
The phenomenon, dubbed "Silent Drift," occurs when organizations use LLMs to generate or modify access control policies written in languages like Rego (used by Open Policy Agent) or Cedar (used by AWS Verified Access). The LLM produces policies that compile without errors and pass basic testing, but contain missing conditions, hallucinated attributes, or incorrect logical operators that grant broader access than intended.
Unlike a misconfigured firewall rule — which might be caught by traffic analysis — an overly permissive access control policy may never trigger alerts. The access it grants is technically "authorized" by the policy, even if it wasn't the administrator's intent. This creates a slow, invisible expansion of access that compounds over time as more AI-generated policies are deployed.
EU AI Act: Access control systems that determine who can access sensitive data or critical infrastructure may qualify as high-risk AI systems under Annex III of the EU AI Act. If LLMs are used to generate or modify these policies, organizations must implement human oversight mechanisms (Article 14) and ensure the AI system's outputs are interpretable and auditable. Blindly deploying LLM-generated access policies without human review could constitute non-compliance.
GDPR: Access control is a foundational element of GDPR Article 32 ("security of processing"). If AI-generated policies inadvertently grant excessive access to personal data, the organization may be in violation of data minimization (Article 5(1)(c)) and fail to demonstrate "appropriate technical measures" to protect personal data. The fact that an AI wrote the policy is not a defense — the data controller remains responsible.
Healthcare IT firm CareCloud has disclosed a breach involving one of its electronic health record environments. Patient data has been exposed.
Healthcare IT firm CareCloud has disclosed a cybersecurity incident involving one of its electronic health record (EHR) environments. The attack caused an approximately eight-hour network disruption and resulted in the theft of sensitive patient data. While the full scope is still being investigated, any breach involving EHR data is classified as among the most sensitive under both GDPR and sector-specific healthcare regulations.
Healthcare remains the most targeted sector for ransomware and data theft, with the average healthcare breach costing $10.93 million according to IBM's latest Cost of a Data Breach report. The CareCloud incident underscores that managed service providers handling healthcare data are high-value targets — compromising one MSP can expose data from hundreds of healthcare providers.
GDPR: Health data is classified as a special category of personal data under Article 9, with the highest protection requirements. Breaches involving health data almost always require individual notification to affected patients and carry the maximum penalty potential (€20M or 4% of global revenue).
NIS2: Healthcare is explicitly listed as an essential sector under NIS2. Cloud-based EHR platforms serving multiple healthcare providers qualify as critical digital infrastructure. Both CareCloud and its healthcare clients face NIS2 incident reporting obligations.
| Threat | Regulation | Priority Action |
|---|---|---|
| Europa.eu breach (ShinyHunters) | GDPR, NIS2 | Audit cloud IAM, review SSO security, prepare breach notification workflows |
| Citrix NetScaler CVE-2026-3055 | NIS2, DORA | Patch immediately, disable SAML IDP if unable to patch |
| F5 BIG-IP RCE (reclassified) | DORA, NIS2 | Emergency patch, scan for webshells, reassess risk |
| FortiClient EMS exploitation | NIS2 | Patch, restrict management access, audit policy changes |
| LLM access control drift | EU AI Act, GDPR | Implement human review for AI-generated policies, document AI usage |
| CareCloud healthcare breach | GDPR, NIS2 | Assess healthcare MSP exposure, review processor agreements |
KENSAI continuously monitors your attack surface for vulnerabilities like the ones exploited this week — and maps findings to NIS2, DORA, and GDPR compliance requirements automatically.
Start Your Free Security Scan →KENSAI Security Research · Daily Regulations Briefing
Published March 31, 2026 · Next briefing tomorrow at 05:30 CET