CISA Issues Emergency Directive Over Cisco SD-WAN Exploitation, Police Scotland Fined for GDPR Breach, OpenAI Acquires Promptfoo for AI Agent Security
🚨 CISA Issues Emergency Directive Over Actively Exploited Cisco SD-WAN Flaws
⚠️ CRITICAL — CVSS 10.0
CVE-2026-20127 is a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN with a perfect CVSS severity score of 10. CISA confirms active exploitation against US federal networks. If your organization runs Cisco SD-WAN, this requires immediate action.
Regulation Impact: NIS2 · DORA · CISA Emergency Directive 26-03
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-03, warning that attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure used across federal networks. The directive orders agencies to identify affected systems, collect forensic evidence, apply security updates, and investigate potential compromises — all by March 23, 2026.
The central vulnerability, CVE-2026-20127, is described as a critical authentication bypass with a CVSS score of 10. An unauthenticated attacker can obtain administrative access to SD-WAN infrastructure, enabling manipulation of network configurations or disruption of traffic across government systems.
The directive's emphasis on artifact collection and centralized logging suggests investigators are actively working to determine how widely the vulnerability has been exploited. "CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks," said Bobby Kuzma, director of offensive operations at ProCircular.
What This Means for NIS2 and DORA Compliance
- NIS2 incident reporting obligations apply. European essential and important entities running Cisco SD-WAN must treat this as a potential incident under NIS2's 24-hour early warning and 72-hour notification requirements. A CVSS 10 authentication bypass in actively deployed network infrastructure is exactly the type of vulnerability NIS2 was designed to force organizations to address.
- DORA ICT risk management demands action. Financial entities under DORA must assess whether Cisco SD-WAN is part of their critical ICT infrastructure. If so, the regulation requires documented risk assessment, remediation timelines, and reporting to financial supervisors.
- Supply chain exposure is broad. SD-WAN is widely used to manage distributed enterprise networks. Organizations that rely on managed service providers running Cisco SD-WAN should verify their providers have applied patches — NIS2's supply chain provisions make this the customer's responsibility, not just the provider's.
- Network segmentation under scrutiny. The ability for an unauthenticated attacker to gain admin access to network infrastructure challenges the assumption that perimeter security alone is sufficient. NIS2's requirement for "appropriate and proportionate" technical measures explicitly includes network security architecture.
⚡ DACH Takeaway
German, Austrian, and Swiss organizations using Cisco SD-WAN should immediately verify patch status. Germany's BSI has historically echoed CISA advisories within days — expect a formal warning. For KRITIS operators, this vulnerability could trigger reporting obligations under §8b BSI-Gesetz even before NIS2 transposition is complete.
🏛️ Police Scotland Fined £66,000 After Sharing Victim's Phone Data with Alleged Attacker
Regulation Impact: GDPR · UK Data Protection Act 2018 · ICO Enforcement
The UK Information Commissioner's Office (ICO) has fined Police Scotland £66,000 and issued a formal reprimand after a catastrophic data protection failure. During an internal misconduct investigation in 2021, the police force extracted the entire contents of a female officer's phone — including medical records, intimate photos, and personal contacts — and then erroneously shared all of it with the colleague she had accused of rape.
The ICO found that Police Scotland failed on multiple fronts: it did not implement appropriate technical and organizational measures to ensure data security, it did not minimize data collection to what was strictly necessary, staff handling sensitive information lacked clear guidance, and the breach was not reported to the ICO within the required 72-hour timeframe.
The victim, a detective constable who waived her right to anonymity, was not notified of the breach until June 2022 — more than a year after it occurred — and only through the Scottish Police Federation, not Police Scotland itself.
Why This Matters Beyond Law Enforcement
- Data minimization is not optional. The ICO's finding that extracting the entire phone contents was "excessive and unfair" reinforces GDPR's data minimization principle (Article 5(1)(c)). Every organization processing personal data — from employers conducting investigations to service providers handling customer data — must collect only what is strictly necessary.
- 72-hour breach notification is non-negotiable. Police Scotland's failure to report the breach within the required timeframe added a separate violation to the penalty. Under both GDPR and NIS2, timely incident reporting is a fundamental obligation. Organizations that delay notification face compounded enforcement action.
- Technical controls prevent human errors. The accidental disclosure to the accused could have been prevented with proper data classification, access controls, and review workflows. This is precisely why NIS2 and DORA mandate "appropriate technical measures" — not just policies, but actual technical safeguards.
- The human cost amplifies regulatory response. ICO Head of Investigations Sally-Anne Poole emphasized the "devastating consequences" on the individual. Regulators increasingly factor human impact into enforcement decisions, making cases involving sensitive personal data particularly high-risk for organizations.
⚡ DACH Takeaway
Germany's Landesdatenschutzbehörden (state data protection authorities) have issued similar fines for data minimization violations. The Police Scotland case is a stark reminder that GDPR enforcement is accelerating across Europe. DACH organizations should audit their data handling procedures — particularly in HR, legal, and investigation contexts — to ensure they meet both GDPR and the incoming NIS2 standards for personal data protection.
🤖 OpenAI Acquires Promptfoo — AI Agent Security Testing Becomes an Industry Imperative
Regulation Impact: EU AI Act · NIS2 AI Systems · DORA Digital Resilience
OpenAI has announced plans to acquire Promptfoo, an AI testing startup whose tools allow developers to test LLM applications against adversarial prompts, including prompt injection and jailbreak attempts. Promptfoo's technology is used by more than 25% of Fortune 500 companies and will be integrated into OpenAI's Frontier enterprise AI platform.
The acquisition is a direct response to the growing recognition that AI agents introduce fundamentally new attack surfaces that traditional security testing cannot address. As organizations deploy autonomous AI systems in business-critical workflows, the ability to systematically test for vulnerabilities like prompt injection, data leakage, and unsafe model behavior becomes essential — and, under the EU AI Act, legally required.
EU AI Act Compliance Implications
| AI Act Requirement | What Promptfoo-Style Testing Addresses |
|---|---|
| Article 9 — Risk Management | Systematic identification and mitigation of risks from AI system outputs, including adversarial prompt testing and guardrail validation |
| Article 15 — Accuracy & Robustness | Testing AI systems against adversarial inputs to ensure they maintain accuracy and resist manipulation attempts |
| Article 14 — Human Oversight | Validating that AI systems properly escalate to humans when encountering edge cases or potentially harmful outputs |
| Article 17 — Quality Management | Continuous testing and monitoring of AI system behavior as part of a documented quality management system |
This week's news follows last week's revelation by Palo Alto's Unit 42 that LLM safety guardrails can be systematically bypassed. Together, these developments make clear that AI security testing is no longer optional — it's a core compliance requirement for any organization deploying AI systems in the EU market.
AI-on-AI Red Teaming: The New Frontier
In a related development, security firm CodeWall demonstrated an autonomous AI agent red-teaming another AI agent at hiring startup Jack & Jill. CodeWall's agent chained together four individually minor bugs to achieve full platform takeover — and then autonomously gave itself a voice to conduct social engineering against the target's AI voice agents.
"Seeing the agent independently experiment with social-style manipulation against another AI system was unexpected and a bit surreal," said CodeWall CEO Paul Price. The experiment highlights a critical gap in current AI security frameworks: AI-on-AI attack scenarios that the EU AI Act's risk classifications have yet to fully address.
⚡ DACH Takeaway
German and Swiss enterprises deploying AI agents in customer-facing or business-critical workflows should begin implementing adversarial testing now — before EU AI Act enforcement deadlines arrive. The Promptfoo acquisition signals that AI security testing is transitioning from "nice to have" to "table stakes." Organizations without systematic AI testing programs will face both regulatory risk and competitive disadvantage.
🛡️ CVE Program Funding Crisis Quietly Resolved
Regulation Impact: NIS2 · Vulnerability Disclosure · Global Cybersecurity Infrastructure
The funding crisis that nearly shut down the Common Vulnerabilities and Exposures (CVE) program last year has been quietly resolved. The CVE system — the backbone of global vulnerability tracking used by every major security vendor, CERT, and regulatory framework — will continue operating with secured multi-year funding.
This matters enormously for European regulatory compliance. NIS2 explicitly requires organizations to implement vulnerability management processes, and the CVE system is the universal language for identifying, tracking, and communicating about security vulnerabilities. Had the program collapsed, the entire foundation of coordinated vulnerability disclosure — and by extension, regulatory compliance reporting — would have been severely disrupted.
Why This Matters for Compliance
- NIS2 vulnerability management. Essential and important entities must maintain "policies and procedures to assess and manage cybersecurity risks" including "vulnerability handling and disclosure." The CVE program is the infrastructure that makes this possible at scale.
- DORA incident classification. Financial entities under DORA use CVE identifiers to classify and report ICT-related incidents. Without the CVE system, standardized incident reporting would fragment across proprietary naming schemes.
- Supply chain transparency. Software Bills of Materials (SBOMs), increasingly required under both NIS2 and US executive orders, rely on CVE identifiers to map known vulnerabilities to software components.
📡 Regulation Radar — Key Dates & Deadlines
| Date | Framework | Milestone |
|---|---|---|
| Mar 23, 2026 | CISA ED 26-03 | Federal agencies must complete Cisco SD-WAN remediation and report to CISA |
| Apr 2026 | NIS2 | EU Commission expected to publish implementing acts on incident reporting formats |
| Aug 2, 2026 | EU AI Act | Obligations for high-risk AI systems take effect — including mandatory risk management and testing |
| Q3 2026 | DORA | First wave of critical third-party ICT provider designations expected from European Supervisory Authorities |
La tua infrastruttura è pronta per NIS2?
Today's CISA emergency directive is a preview of what NIS2 enforcement will look like in Europe. KENSAI scans your infrastructure for the same vulnerabilities regulators are watching — including network security, data protection gaps, and AI system risks.
Esegui una Scansione di Sicurezza Gratuita →Pubblicato dal team KENSAI Security Intelligence
Monitoriamo le normative di sicurezza globali così non devi farlo tu.
Leggi altri riepiloghi normativi →
🛡️ Il tuo sito è sicuro?
Scopri le vulnerabilità prima degli attaccanti.
Scansiona il tuo sito gratis →