CISA orders all US federal agencies to patch actively exploited Cisco SD-WAN vulnerabilities under Emergency Directive 26-03 — a wake-up call for NIS2-regulated entities running the same infrastructure. The UK ICO fines Police Scotland £66,000 after a devastating GDPR failure exposed a victim's intimate data to her alleged attacker. OpenAI acquires AI testing startup Promptfoo, signaling that EU AI Act compliance testing is becoming an industry imperative. And the CVE program's funding crisis has been quietly resolved.
CVE-2026-20127 is a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN with a perfect CVSS severity score of 10. CISA confirms active exploitation against US federal networks. If your organization runs Cisco SD-WAN, this requires immediate action.
Regulation Impact: NIS2 · DORA · CISA Emergency Directive 26-03
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, warning that attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure used across federal networks. The directive orders agencies to identify affected systems, collect forensic evidence, apply security updates, and investigate potential compromises — all by March 23, 2026.
The central vulnerability, CVE-2026-20127, is described as a critical authentication bypass with a CVSS score of 10. An unauthenticated attacker can obtain administrative access to SD-WAN infrastructure, enabling manipulation of network configurations or disruption of traffic across government systems.
The directive's emphasis on artifact collection and centralized logging suggests investigators are actively working to determine how widely the vulnerability has been exploited. "CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks," said Bobby Kuzma, director of offensive operations at ProCircular.
German, Austrian, and Swiss organizations using Cisco SD-WAN should immediately verify patch status. Germany's BSI has historically echoed CISA advisories within days — expect a formal warning. For KRITIS operators, this vulnerability could trigger reporting obligations under §8b BSI-Gesetz even before NIS2 transposition is complete.
Regulation Impact: GDPR · UK Data Protection Act 2018 · ICO Enforcement
The UK Information Commissioner's Office (ICO) has fined Police Scotland £66,000 and issued a formal reprimand after a catastrophic data protection failure. During an internal misconduct investigation in 2021, the police force extracted the entire contents of a female officer's phone — including medical records, intimate photos, and personal contacts — and then erroneously shared all of it with the colleague she had accused of rape.
The ICO found that Police Scotland failed on multiple fronts: it did not implement appropriate technical and organizational measures to ensure data security, it did not minimize data collection to what was strictly necessary, staff handling sensitive information lacked clear guidance, and the breach was not reported to the ICO within the required 72-hour timeframe.
The victim, a detective constable who waived her right to anonymity, was not notified of the breach until June 2022 — more than a year after it occurred — and only through the Scottish Police Federation, not Police Scotland itself.
Germany's Landesdatenschutzbehörden (state data protection authorities) have issued similar fines for data minimization violations. The Police Scotland case is a stark reminder that GDPR enforcement is accelerating across Europe. DACH organizations should audit their data handling procedures — particularly in HR, legal, and investigation contexts — to ensure they meet both GDPR and the incoming NIS2 standards for personal data protection.
Regulation Impact: EU AI Act · NIS2 AI Systems · DORA Digital Resilience
OpenAI has announced plans to acquire Promptfoo, an AI testing startup whose tools allow developers to test LLM applications against adversarial prompts, including prompt injection and jailbreak attempts. Promptfoo's technology is used by more than 25% of Fortune 500 companies and will be integrated into OpenAI's Frontier enterprise AI platform.
The acquisition is a direct response to the growing recognition that AI agents introduce fundamentally new attack surfaces that traditional security testing cannot address. As organizations deploy autonomous AI systems in business-critical workflows, the ability to systematically test for vulnerabilities like prompt injection, data leakage, and unsafe model behavior becomes essential — and, under the EU AI Act, legally required.
| AI Act Requirement | What Promptfoo-Style Testing Addresses |
|---|---|
| Article 9 — Risk Management | Systematic identification and mitigation of risks from AI system outputs, including adversarial prompt testing and guardrail validation |
| Article 15 — Accuracy & Robustness | Testing AI systems against adversarial inputs to ensure they maintain accuracy and resist manipulation attempts |
| Article 14 — Human Oversight | Validating that AI systems properly escalate to humans when encountering edge cases or potentially harmful outputs |
| Article 17 — Quality Management | Continuous testing and monitoring of AI system behavior as part of a documented quality management system |
This week's news follows last week's revelation by Palo Alto's Unit 42 that LLM safety guardrails can be systematically bypassed. Together, these developments make clear that AI security testing is no longer optional — it's a core compliance requirement for any organization deploying AI systems in the EU market.
In a related development, security firm CodeWall demonstrated an autonomous AI agent red-teaming another AI agent at hiring startup Jack & Jill. CodeWall's agent chained together four individually minor bugs to achieve full platform takeover — and then autonomously gave itself a voice to conduct social engineering against the target's AI voice agents.
"Seeing the agent independently experiment with social-style manipulation against another AI system was unexpected and a bit surreal," said CodeWall CEO Paul Price. The experiment highlights a critical gap in current AI security frameworks: AI-on-AI attack scenarios that the EU AI Act's risk classifications have yet to fully address.
German and Swiss enterprises deploying AI agents in customer-facing or business-critical workflows should begin implementing adversarial testing now — before EU AI Act enforcement deadlines arrive. The Promptfoo acquisition signals that AI security testing is transitioning from "nice to have" to "table stakes." Organizations without systematic AI testing programs will face both regulatory risk and competitive disadvantage.
Regulation Impact: NIS2 · Vulnerability Disclosure · Global Cybersecurity Infrastructure
The funding crisis that nearly shut down the Common Vulnerabilities and Exposures (CVE) program last year has been quietly resolved. The CVE system — the backbone of global vulnerability tracking used by every major security vendor, CERT, and regulatory framework — will continue operating with secured multi-year funding.
This matters enormously for European regulatory compliance. NIS2 explicitly requires organizations to implement vulnerability management processes, and the CVE system is the universal language for identifying, tracking, and communicating about security vulnerabilities. Had the program collapsed, the entire foundation of coordinated vulnerability disclosure — and by extension, regulatory compliance reporting — would have been severely disrupted.
| Date | Framework | Milestone |
|---|---|---|
| Mar 23, 2026 | CISA ED 26-03 | Federal agencies must complete Cisco SD-WAN remediation and report to CISA |
| Apr 2026 | NIS2 | EU Commission expected to publish implementing acts on incident reporting formats |
| Aug 2, 2026 | EU AI Act | Obligations for high-risk AI systems take effect — including mandatory risk management and testing |
| Q3 2026 | DORA | First wave of critical third-party ICT provider designations expected from European Supervisory Authorities |
Today's CISA emergency directive is a preview of what NIS2 enforcement will look like in Europe. KENSAI scans your infrastructure for the same vulnerabilities regulators are watching — including network security, data protection gaps, and AI system risks.
Run a Free Security Scan →Published by the KENSAI Security Intelligence Team
Monitoring global security regulations so you don't have to.
Read more regulation roundups →