欧盟理事会禁止AI裸体化工具,纽约强制要求水务公司网络安全,波兰核研究中心遭受网络攻击
🇪🇺 European Council Adopts AI Act Amendments — Nudification Tools Banned, Biometric Rules Tightened
⚠️ LEGISLATIVE MILESTONE
The European Council has agreed its negotiating position on amendments to the EU AI Act. The proposal adds an outright ban on AI systems that generate non-consensual sexual imagery and child sexual abuse material, and reinstates strict necessity requirements for processing biometric data. Negotiations with the European Parliament will follow.
Regulation Impact: EU AI Act · GDPR · Digital Services Act
The European Council on Friday released its proposal for streamlining the EU's landmark AI Act, adding significant new provisions that go beyond the European Commission's original amendment package. The Council's position includes a new prohibition on AI practices related to generating non-consensual sexual and intimate content, as well as child sexual abuse material — a direct response to the Grok deepfake scandal that erupted in late 2025.
The move comes just days after the European Parliament's own committee greenlit a similar ban, suggesting the final negotiated text will almost certainly include the measure. The European Commission had launched a formal investigation into X and its Grok feature in January 2026 after the chatbot was used to generate millions of non-consensual intimate images.
Beyond the nudification ban, the Council's proposal reinstates strict necessity requirements for processing special categories of personal data — including biometric data — for bias detection and correction purposes. This is a significant departure from the Commission's original proposal, which had loosened these requirements in the name of "simplification."
What This Means for AI Developers and Deployers
- Prohibited practices list expands. Any AI system capable of generating non-consensual intimate imagery will be classified as a prohibited practice under the AI Act. This affects not just dedicated deepfake tools but any generative AI system that lacks adequate safeguards — including general-purpose models with image generation capabilities.
- High-risk AI database registration maintained. The Council rejected the Commission's proposal to relax database registration requirements. Providers who claim their AI systems are not high-risk must still register them in the EU database, maintaining transparency and accountability.
- Biometric data under strict scrutiny. The reinstatement of "strict necessity" for processing biometric data means organizations using AI for facial recognition, emotion detection, or behavioral biometrics must demonstrate that no less intrusive alternative exists. This aligns with GDPR's existing data protection framework and the European Data Protection Board's guidance.
- Timeline extensions create breathing room. The Commission's proposal to extend high-risk AI system deadlines by up to 16 months, combined with expanded SME exemptions, gives organizations more time to prepare — but the nudification ban and biometric rules take effect immediately upon final adoption.
⚡ DACH Takeaway
German and Austrian companies developing or deploying generative AI systems must immediately audit their content generation safeguards. The nudification ban carries the AI Act's highest penalties — up to €35 million or 7% of global annual turnover. Swiss companies selling into the EU market are equally affected. Organizations using AI for employee monitoring, access control, or fraud detection involving biometric data should review their processing against the "strict necessity" standard before the rules are finalized.
🏛️ New York Mandates Cybersecurity for Water Utilities — America's NIS2 Moment
Regulation Impact: US State Cyber Regulation · NIS2 Parallel · Critical Infrastructure
New York has become the first US state to impose mandatory cybersecurity regulations on water and wastewater utilities, creating requirements that closely mirror the EU's NIS2 Directive approach to critical infrastructure protection. The regulations, proposed in July 2025 and recently approved, take effect with a compliance deadline of 2027.
The rules require community water systems serving more than 3,300 people to implement cybersecurity training, incident response plans, reporting requirements, and designate a cyber lead. Larger systems serving over 50,000 people face additional obligations. New York has backed the mandate with a $2.5 million grant program to help underfunded utilities meet the new standards.
"We could not wait for stalled federal mandates while cyber threats intensify," said Michaela Lee, New York's acting chief cyber officer, referencing China's Volt Typhoon campaign that has been pre-positioning within US water infrastructure for potential destructive action.
The NIS2 Parallel: Why Europeans Should Pay Attention
| Requirement | New York Water Regs | NIS2 Directive |
|---|---|---|
| Scope | Water systems >3,300 people | Essential entities including water supply |
| Incident Response | Mandatory response & recovery plans | Incident handling & business continuity (Art. 21) |
| Reporting | Mandatory incident reporting | 24h early warning, 72h notification (Art. 23) |
| Training | Certified operator cyber training | Cybersecurity awareness training (Art. 21) |
| Leadership | Designated cyber lead | Management body accountability (Art. 20) |
| Funding Support | $2.5M grant program | No direct EU funding mechanism |
The convergence between US state-level and EU regulatory approaches is striking. Both recognize that critical infrastructure operators — particularly smaller ones — lack the resources and expertise to implement cybersecurity on their own. The key difference: New York provides direct financial support, while NIS2 relies on enforcement pressure without a corresponding funding mechanism.
- State action fills the federal vacuum. After water industry lobbyists successfully fought off EPA cybersecurity mandates in 2024, states are stepping in. New York's approach — starting with financial services and healthcare before moving to water — mirrors NIS2's sector-by-sector implementation strategy.
- Volt Typhoon drives urgency. Both New York regulators and European authorities have cited Chinese state-sponsored pre-positioning in critical infrastructure as the primary threat driver. This shared threat landscape makes transatlantic regulatory alignment increasingly likely.
- Grant programs acknowledge reality. New York's $50,000 assessment grants and $100,000 upgrade grants acknowledge what NIS2 implementation has also revealed: many essential service operators simply cannot afford cybersecurity compliance without external support.
⚡ DACH Takeaway
Germany's KRITIS regulation already covers water utilities, and NIS2 transposition (NIS2UmsuCG) will expand these requirements significantly. The New York approach offers a blueprint for what German Länder might implement as supplementary state-level requirements. DACH water utilities should benchmark their cybersecurity programs against both NIS2 and the New York framework to identify gaps early.
☢️ Poland's Nuclear Research Centre Repels Cyberattack — Suspected Iranian Origin
⚠️ CRITICAL INFRASTRUCTURE INCIDENT
Poland's National Centre for Nuclear Research (NCBJ) confirmed its IT infrastructure was targeted by hackers. The attack was detected and blocked before causing impact. Poland's only nuclear reactor (MARIA) continued operating safely. Indicators point to Iranian origin, though false flags are possible.
Regulation Impact: NIS2 · EU Nuclear Safety Directive · NIS2 Incident Reporting
Poland's National Centre for Nuclear Research (NCBJ) — the country's principal nuclear research institution and operator of the MARIA research reactor — disclosed this week that hackers targeted its IT infrastructure. The institute stated that its security systems and incident response procedures detected and blocked the attack before any compromise occurred.
While NCBJ did not attribute the attack, Reuters reported that Polish authorities found indicators suggesting Iranian involvement, though investigators caution these could be false flags. The timing is notable: Poland's Defense Minister recently stated that Poland is not participating in the current Middle East conflict.
This incident follows a pattern of escalating cyber operations against Polish critical infrastructure. In January 2026, Russia's APT44 (Sandworm) attacked Poland's power grid, impacting 30 distributed energy facilities. An ICCT report from February placed Poland among the top targets of Russian cyber actors, with 31 confirmed incidents between mid-2025 and early 2026.
NIS2 and Nuclear Security Implications
- NIS2 incident reporting triggered. Even though the attack was blocked, NIS2's reporting requirements apply to "near-miss" incidents that could have had significant impact on essential services. A cyberattack on nuclear research infrastructure — even unsuccessful — falls squarely within the scope of incidents requiring notification to national CSIRTs and competent authorities.
- Successful defense validates NIS2's approach. NCBJ's statement that its security systems and procedures worked exactly as designed is a textbook example of what NIS2 aims to achieve: organizations with mature incident detection and response capabilities that can stop threats before they cause damage. The 24-hour early warning requirement exists precisely to share this threat intelligence with peer organizations.
- Nuclear sector faces elevated threat. The convergence of Iranian, Russian, and Chinese cyber operations targeting European critical infrastructure makes the case for NIS2's stringent requirements for essential entities. Nuclear research facilities handle dual-use technologies and sensitive scientific data that are high-value targets for state-sponsored espionage.
- Cross-sector threat intelligence sharing is essential. Poland's experience — attacked by Russian APTs in January and now targeted by suspected Iranian actors in March — demonstrates why NIS2 mandates information sharing between essential entities and national authorities. No single organization can maintain awareness of threats from multiple state-sponsored adversaries.
⚡ DACH Takeaway
Germany's nuclear research facilities (including Helmholtz centres and the Forschungszentrum Jülich) face similar threat profiles. As NIS2 classifies nuclear facilities as essential entities with the highest security obligations, German operators should review their incident detection capabilities against the benchmark set by Poland's NCBJ. Austria's Institute of Technology and Switzerland's Paul Scherrer Institute should similarly assess their cyber readiness.
🇺🇸 US Sanctions North Korean IT Worker Networks — Compliance Implications for Global Employers
Regulation Impact: OFAC Sanctions · KYE/KYC Due Diligence · NIS2 Supply Chain · GDPR Employment
The US Treasury Department has sanctioned six individuals and two companies supporting North Korea's massive IT worker fraud scheme, targeting operations in Vietnam, Laos, and Spain. The sanctioned entities include Amnokgang Technology Development Company (a North Korean front company managing worker delegations) and Quangvietdnbg International Services Company (a Vietnamese firm that converted approximately $2.5 million for North Korean actors between 2023 and 2025).
The scheme involves thousands of North Korean citizens secretly obtaining employment at US and European companies under false identities, earning high-paying technology salaries that are funneled back to Pyongyang. The operation generated nearly $800 million in 2024 alone, according to US officials.
What This Means for European Employers
- Know-Your-Employee due diligence is critical. European companies hiring remote IT workers — particularly freelancers and contractors — must implement robust identity verification processes. North Korean operatives use sophisticated forged credentials, AI-generated profiles, and proxy identities to pass background checks.
- OFAC sanctions compliance extends globally. Any European company doing business with sanctioned entities — even unknowingly — risks secondary sanctions. The designation of a Spanish national in this round demonstrates that the scheme extends well beyond Asia.
- NIS2 supply chain provisions apply. Organizations outsourcing IT work to freelancers or staffing agencies must assess the security of their supply chain, including the risk of inadvertently employing sanctioned individuals. NIS2 Article 21(2)(d) explicitly requires supply chain security measures.
- GDPR employment data obligations. Employers who discover they've unknowingly hired a North Korean operative face a complex GDPR situation: the personal data collected during the employment relationship was obtained through fraud, potentially triggering breach notification requirements and creating data retention questions.
⚡ DACH Takeaway
Germany's tech sector — with its high demand for remote developers and freelance IT workers — is a prime target for North Korean operatives. Companies should implement multi-factor identity verification for all new remote hires, require video interviews with real-time interaction, and cross-reference contractor details against OFAC and EU sanctions lists. The BaFin (Germany) and FMA (Austria) have issued guidance on sanctions screening that applies to employment relationships, not just financial transactions.
📡 Regulation Radar — Key Dates & Deadlines
| Date | Framework | Milestone |
|---|---|---|
| Q2 2026 | EU AI Act | Council-Parliament trilogue negotiations on AI Act amendments (nudification ban, biometric rules) |
| Aug 2, 2026 | EU AI Act | Obligations for high-risk AI systems take effect (potentially extended 16 months under amendment proposal) |
| 2027 | NY Water Regs | New York water utility cybersecurity regulations compliance deadline |
| Q3 2026 | DORA | First critical third-party ICT provider designations by European Supervisory Authorities |
| Ongoing | OFAC | Active enforcement against employers of North Korean IT workers — continuous sanctions list monitoring required |
Stay Ahead of Security Regulations
From AI Act compliance to NIS2 critical infrastructure requirements, KENSAI helps you identify security gaps before regulators do. Scan your infrastructure for vulnerabilities, misconfigurations, and compliance gaps — in minutes, not months.
Run a Free Security Scan →Published by the KENSAI Security Intelligence Team
Monitoring global security regulations so you don't have to.
Read more regulation roundups →