← Back to Security Blog
Compliance & Regulations Analysis March 9, 2026 11 min read

6G Security-by-Design Guidelines Launched, AI Insider Risk Reaches Critical Levels, Enterprise Zero-Days Hit All-Time High — Security Regulation Roundup

Seven Western nations publish security-by-design principles for 6G networks before standards are even finalized. Mimecast reports AI-driven insider threats have become a "critical business threat" — 42% of organizations saw increases in both malicious and negligent insider incidents. Google's Threat Intelligence Group tracked 90 zero-days in 2025, with enterprise software now the primary target. Microsoft responds to Copilot data leakage concerns with new DLP controls. And a high-severity Gemini AI vulnerability in Chrome raises fresh questions about AI security under the EU AI Act. Here's what regulators and compliance teams need to act on this week.


📡 GCOT Launches 6G Security-by-Design Principles

The Global Coalition on Telecoms (GCOT) — comprising Australia, Canada, Finland, Japan, Sweden, the UK, and the US — released voluntary 6G Security and Resilience Principles at Mobile World Congress 2026 in Barcelona. Industry partners including AT&T, BT, Ericsson, NVIDIA, Nokia, Qualcomm, Samsung, and Vodafone endorsed the framework.

Why This Matters Before 6G Exists

With 6G commercial rollouts not expected until 2029-2030, this is one of the earliest instances of security-by-design regulation preceding the technology it governs. The coalition assessed that 6G will bring more virtualized network functions, disaggregated architectures with standardized interfaces, and native AI integration — each creating new attack surfaces that must be addressed at the standards level, not retrofitted after deployment.

The Eight Principles

GCOT defined four security and four resilience objectives:

CategoryPrincipleKey Requirement
SecurityContainmentLimit propagation of malicious actors through the network
SecurityConfidentialityPrivacy-by-design for user data, secure against eavesdropping
SecurityIntegrityData integrity guarantees across network transit and infrastructure
SecurityAccess ControlAuthentication and authorization for all network components
ResilienceService ContinuityMaintain availability under challenging circumstances
ResilienceSupply ChainMulti-vendor security with trusted supplier assurance
ResiliencePhysical SecurityResilience against physical and environmental threats
ResilienceRecoveryRapid restoration after security incidents or disruptions

Regulatory Alignment

These principles directly map to existing and emerging EU regulations:

Compliance Takeaway

Telecom operators and network equipment manufacturers should begin mapping GCOT principles against their existing NIS2 and CRA compliance programs now. When 6G standards are finalized by 3GPP, organizations with security-by-design embedded in their development processes will have a significant compliance head start. This is the rare opportunity to shape regulatory expectations before they become mandatory.


🤖 AI-Driven Insider Risk: A "Critical Business Threat"

42% of Organizations Report Rising Insider Threats

Mimecast's State of Human Risk Report 2026, based on a survey of 2,500 IT security decision makers across North America, Europe, Southeast Asia, and Australia, finds that insider risk has escalated to critical levels — driven in large part by employees misusing AI tools and attackers weaponizing AI for more effective social engineering.

Key Findings

EU AI Act Implications

The EU AI Act's risk-based framework has direct relevance to AI-driven insider threats:

NIS2 and DORA Requirements

Insider threats are explicitly within scope of both frameworks:

Action Required

Organizations should immediately audit which AI tools employees are using (shadow AI), implement DLP controls on AI-assisted data access, and update their insider threat detection baselines. Under NIS2 and DORA, failure to address known AI-driven insider risk patterns is now a compliance gap. Include AI misuse scenarios in your next tabletop exercise.


🎯 Enterprise Zero-Days Reach All-Time High: 90 in 2025

Enterprise Software Now the Primary Target

Google Threat Intelligence Group (GTIG) reported that 90 zero-day vulnerabilities were actively exploited in 2025 — up from 78 in 2024. The critical shift: 48% now target enterprise software and appliances, up from 46% in 2024, with security and networking products bearing the heaviest impact.

The Enterprise Shift

Google's analysis reveals a structural change in the threat landscape:

Additional GTIG Findings

Regulatory Implications

FrameworkRequirementImpact of Zero-Day Surge
NIS2Art. 21(2)(e) — Vulnerability handlingEssential entities must have processes for zero-day detection, triage, and emergency patching of enterprise infrastructure
DORAArt. 9 — ICT risk managementFinancial entities must include enterprise zero-day scenarios in risk assessments and maintain emergency patching procedures
CRAArt. 11 — Vulnerability reportingProduct manufacturers face mandatory 24-hour reporting of actively exploited vulnerabilities starting September 2026
EU AI ActArt. 15 — Accuracy, robustness, securityAI systems must be resilient to exploitation — the Gemini Chrome CVE demonstrates AI components create new vulnerability classes

Compliance Takeaway

The shift to enterprise-targeted zero-days means your security infrastructure itself is now the primary attack surface. NIS2 and DORA compliance programs must include specific procedures for zero-day response in security appliances, not just traditional endpoints. Organizations should implement network segmentation that assumes security appliances may be compromised, and deploy out-of-band monitoring for edge devices.


🛡️ Microsoft Copilot Data Protection: AI Governance in Practice

Microsoft announced new data loss prevention (DLP) controls for Microsoft 365 Copilot, responding to widespread customer complaints that Copilot was including confidential information in its AI-generated reports. The new controls extend DLP policies to locally saved files — previously, DLP only protected files stored in OneDrive and SharePoint.

What Changed

The core issue: Microsoft 365 Copilot's AI assistant could access and process files stored locally on users' machines, even when DLP policies restricted those same files on OneDrive and SharePoint. This gap meant confidential documents — marked as sensitive by DLP rules — could be summarized, quoted, or referenced in Copilot-generated reports without any protection applied.

Regulatory Significance

This episode illustrates a regulatory pattern that compliance teams must internalize:

Action Required

Do not wait until April. Audit your Copilot deployment now to identify what confidential data it may have already processed without DLP protection. Under GDPR Article 33, if personal data was exposed through Copilot's DLP gap, you may have a reportable data breach. Document your assessment and any compensating controls for your supervisory authority.


⚠️ Fake AI Browser Extensions: Consumer Protection Gap

Malicious "AI" Extensions Flooding App Stores

Security researchers confirmed a growing trend of malicious browser extensions masquerading as AI productivity tools, appearing in major app stores and successfully bypassing initial review processes. These extensions provide some expected AI functionality while silently harvesting user data, credentials, and browsing history.

The Regulatory Gap

This trend exposes critical gaps in existing regulatory frameworks:

Enterprise Recommendation

Implement browser extension allowlisting for all corporate environments. Under NIS2 Article 21(2)(i), organizations must ensure employees cannot install unvetted extensions on corporate devices. Maintain an approved extension list and use group policy to block all others. AI tool governance is now a security control, not an IT convenience.


📅 Regulatory Calendar: Key Dates Ahead

DateFrameworkMilestone
March 11, 2026Patch TuesdayMicrosoft March 2026 release — after 90 zero-days in 2025, prepare for significant patches
April 2026MicrosoftCopilot DLP local file protection applied by default — verify your DLP policies cover all data categories
May 2, 2026EU AI ActGPAI model transparency obligations take effect — AI providers must publish training data summaries
August 2, 2026EU AI ActHigh-risk AI system requirements enforceable (Articles 6-49) — full compliance stack required
September 11, 2026CRAMandatory reporting of actively exploited vulnerabilities begins — 24-hour notification requirement
October 17, 2026NIS2Member state transposition deadline — all 27 EU countries must have NIS2 in national law
2029-2030GCOT/6GExpected initial 6G commercial rollouts — security-by-design principles must be embedded in standards by then

🔑 Key Takeaways for Compliance Teams

  1. 6G security standards are being shaped now. GCOT's eight principles set expectations that will become mandatory requirements. Telecom operators and equipment manufacturers should align their security-by-design processes with these principles today — waiting for final standards means playing catch-up.
  2. AI insider risk is a compliance obligation, not an HR issue. With 42% of organizations reporting increases in AI-driven insider threats, NIS2 and DORA compliance programs must include specific AI tool governance controls — shadow AI audits, DLP for AI-assisted access, and insider threat baselines that account for AI capabilities.
  3. Your security infrastructure is the target. Google's 90 zero-days finding, with nearly half targeting enterprise security and networking appliances, means vulnerability management programs must prioritize the tools meant to protect you. Assume compromise of edge devices and implement out-of-band monitoring.
  4. Microsoft Copilot's DLP gap is a preview of AI governance failures. Organizations deploying AI productivity tools without verifying data handling controls face GDPR, EU AI Act, and NIS2 liability. Audit AI tool data access before regulators ask questions.
  5. Fake AI extensions are a consumer protection crisis. Until DSA and CRA enforcement catches up, enterprise browser extension allowlisting is your only reliable defense. Implement it now.
  6. Patch Tuesday preparation is not optional. After a record year of enterprise zero-days, DORA and NIS2 entities without documented, tested emergency patching procedures are running a compliance deficit that supervisors will identify.

Automate Your Compliance Monitoring

KENSAI's continuous security scanning identifies zero-day exposures, AI-related vulnerabilities, and compliance gaps across your infrastructure — aligned with NIS2, DORA, and EU AI Act requirements.

Start Free Security Scan →

Published by the KENSAI Security Research Team — March 9, 2026

Sources: GCOT, UK Government, Google GTIG, Mimecast, Palo Alto Networks, Microsoft, Help Net Security, Infosecurity Magazine, ENISA

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles