The European Council adopts its position on AI Act amendments, adding a prohibition on AI-generated non-consensual intimate imagery alongside stricter biometric data processing rules. New York becomes the first US state to mandate comprehensive cybersecurity regulations for water utilities β mirroring NIS2's critical infrastructure approach. Poland's national nuclear research centre repels a suspected Iranian cyberattack on its IT infrastructure. And the US Treasury sanctions North Korean IT worker networks operating across Southeast Asia.
The European Council has agreed its negotiating position on amendments to the EU AI Act. The proposal adds an outright ban on AI systems that generate non-consensual sexual imagery and child sexual abuse material, and reinstates strict necessity requirements for processing biometric data. Negotiations with the European Parliament will follow.
Regulation Impact: EU AI Act Β· GDPR Β· Digital Services Act
The European Council on Friday released its proposal for streamlining the EU's landmark AI Act, adding significant new provisions that go beyond the European Commission's original amendment package. The Council's position includes a new prohibition on AI practices related to generating non-consensual sexual and intimate content, as well as child sexual abuse material β a direct response to the Grok deepfake scandal that erupted in late 2025.
The move comes just days after the European Parliament's own committee greenlit a similar ban, suggesting the final negotiated text will almost certainly include the measure. The European Commission had launched a formal investigation into X and its Grok feature in January 2026 after the chatbot was used to generate millions of non-consensual intimate images.
Beyond the nudification ban, the Council's proposal reinstates strict necessity requirements for processing special categories of personal data β including biometric data β for bias detection and correction purposes. This is a significant departure from the Commission's original proposal, which had loosened these requirements in the name of "simplification."
German and Austrian companies developing or deploying generative AI systems must immediately audit their content generation safeguards. The nudification ban carries the AI Act's highest penalties β up to β¬35 million or 7% of global annual turnover. Swiss companies selling into the EU market are equally affected. Organizations using AI for employee monitoring, access control, or fraud detection involving biometric data should review their processing against the "strict necessity" standard before the rules are finalized.
Regulation Impact: US State Cyber Regulation Β· NIS2 Parallel Β· Critical Infrastructure
New York has become the first US state to impose mandatory cybersecurity regulations on water and wastewater utilities, creating requirements that closely mirror the EU's NIS2 Directive approach to critical infrastructure protection. The regulations, proposed in July 2025 and recently approved, take effect with a compliance deadline of 2027.
The rules require community water systems serving more than 3,300 people to implement cybersecurity training, incident response plans, reporting requirements, and designate a cyber lead. Larger systems serving over 50,000 people face additional obligations. New York has backed the mandate with a $2.5 million grant program to help underfunded utilities meet the new standards.
"We could not wait for stalled federal mandates while cyber threats intensify," said Michaela Lee, New York's acting chief cyber officer, referencing China's Volt Typhoon campaign that has been pre-positioning within US water infrastructure for potential destructive action.
| Requirement | New York Water Regs | NIS2 Directive |
|---|---|---|
| Scope | Water systems >3,300 people | Essential entities including water supply |
| Incident Response | Mandatory response & recovery plans | Incident handling & business continuity (Art. 21) |
| Reporting | Mandatory incident reporting | 24h early warning, 72h notification (Art. 23) |
| Training | Certified operator cyber training | Cybersecurity awareness training (Art. 21) |
| Leadership | Designated cyber lead | Management body accountability (Art. 20) |
| Funding Support | $2.5M grant program | No direct EU funding mechanism |
The convergence between US state-level and EU regulatory approaches is striking. Both recognize that critical infrastructure operators β particularly smaller ones β lack the resources and expertise to implement cybersecurity on their own. The key difference: New York provides direct financial support, while NIS2 relies on enforcement pressure without a corresponding funding mechanism.
Germany's KRITIS regulation already covers water utilities, and NIS2 transposition (NIS2UmsuCG) will expand these requirements significantly. The New York approach offers a blueprint for what German LΓ€nder might implement as supplementary state-level requirements. DACH water utilities should benchmark their cybersecurity programs against both NIS2 and the New York framework to identify gaps early.
Poland's National Centre for Nuclear Research (NCBJ) confirmed its IT infrastructure was targeted by hackers. The attack was detected and blocked before causing impact. Poland's only nuclear reactor (MARIA) continued operating safely. Indicators point to Iranian origin, though false flags are possible.
Regulation Impact: NIS2 Β· EU Nuclear Safety Directive Β· NIS2 Incident Reporting
Poland's National Centre for Nuclear Research (NCBJ) β the country's principal nuclear research institution and operator of the MARIA research reactor β disclosed this week that hackers targeted its IT infrastructure. The institute stated that its security systems and incident response procedures detected and blocked the attack before any compromise occurred.
While NCBJ did not attribute the attack, Reuters reported that Polish authorities found indicators suggesting Iranian involvement, though investigators caution these could be false flags. The timing is notable: Poland's Defense Minister recently stated that Poland is not participating in the current Middle East conflict.
This incident follows a pattern of escalating cyber operations against Polish critical infrastructure. In January 2026, Russia's APT44 (Sandworm) attacked Poland's power grid, impacting 30 distributed energy facilities. An ICCT report from February placed Poland among the top targets of Russian cyber actors, with 31 confirmed incidents between mid-2025 and early 2026.
Germany's nuclear research facilities (including Helmholtz centres and the Forschungszentrum JΓΌlich) face similar threat profiles. As NIS2 classifies nuclear facilities as essential entities with the highest security obligations, German operators should review their incident detection capabilities against the benchmark set by Poland's NCBJ. Austria's Institute of Technology and Switzerland's Paul Scherrer Institute should similarly assess their cyber readiness.
Regulation Impact: OFAC Sanctions Β· KYE/KYC Due Diligence Β· NIS2 Supply Chain Β· GDPR Employment
The US Treasury Department has sanctioned six individuals and two companies supporting North Korea's massive IT worker fraud scheme, targeting operations in Vietnam, Laos, and Spain. The sanctioned entities include Amnokgang Technology Development Company (a North Korean front company managing worker delegations) and Quangvietdnbg International Services Company (a Vietnamese firm that converted approximately $2.5 million for North Korean actors between 2023 and 2025).
The scheme involves thousands of North Korean citizens secretly obtaining employment at US and European companies under false identities, earning high-paying technology salaries that are funneled back to Pyongyang. The operation generated nearly $800 million in 2024 alone, according to US officials.
Germany's tech sector β with its high demand for remote developers and freelance IT workers β is a prime target for North Korean operatives. Companies should implement multi-factor identity verification for all new remote hires, require video interviews with real-time interaction, and cross-reference contractor details against OFAC and EU sanctions lists. The BaFin (Germany) and FMA (Austria) have issued guidance on sanctions screening that applies to employment relationships, not just financial transactions.
| Date | Framework | Milestone |
|---|---|---|
| Q2 2026 | EU AI Act | Council-Parliament trilogue negotiations on AI Act amendments (nudification ban, biometric rules) |
| Aug 2, 2026 | EU AI Act | Obligations for high-risk AI systems take effect (potentially extended 16 months under amendment proposal) |
| 2027 | NY Water Regs | New York water utility cybersecurity regulations compliance deadline |
| Q3 2026 | DORA | First critical third-party ICT provider designations by European Supervisory Authorities |
| Ongoing | OFAC | Active enforcement against employers of North Korean IT workers β continuous sanctions list monitoring required |
From AI Act compliance to NIS2 critical infrastructure requirements, KENSAI helps you identify security gaps before regulators do. Scan your infrastructure for vulnerabilities, misconfigurations, and compliance gaps β in minutes, not months.
Run a Free Security Scan βPublished by the KENSAI Security Intelligence Team
Monitoring global security regulations so you don't have to.
Read more regulation roundups β
π‘οΈ Is your website secure?
Discover vulnerabilities before attackers do.
Scan your website for free β