← Back to Blog
Regulation
March 18, 2026
9 min read
EU Sanctions Chinese & Iranian Firms for Cyberattacks on Critical Infrastructure, Tech Giants Invest $12.5M in Open Source Security, CISOs Struggle With AI Act Readiness
The European Council imposes sanctions on three entities and two individuals for cyberattacks targeting EU critical infrastructure across six member states. Anthropic, AWS, Google, Microsoft, and OpenAI commit $12.5 million to Linux Foundation open source security initiatives. A new benchmark report reveals 67% of CISOs have limited visibility into AI usage — a critical gap as EU AI Act enforcement timelines approach.
Is your organization NIS2-compliant?
KENSAI scans your infrastructure against NIS2, DORA & GDPR requirements automatically.
Check Compliance →
65K
Devices hacked across 6 EU states by sanctioned entity
$12.5M
Tech giants' investment in open source security
67%
CISOs with limited AI security visibility
174
Vulnerabilities targeted by RondoDox botnet
1. EU Council Sanctions Chinese and Iranian Entities for Cyberattacks
The Council of the European Union announced sanctions on March 16 against three companies and two individuals for their roles in cyberattacks targeting EU critical infrastructure and member state devices. This marks the most significant expansion of the EU's cyber sanctions regime since its inception in 2019, and sends a clear signal that cyber operations against EU infrastructure carry real economic consequences.
Who Was Sanctioned
- Integrity Technology Group (China) — Provided technical and material support for hacking operations between 2022–2023 that compromised over 65,000 devices across six EU member states. The FBI linked this company in 2024 to the 'Raptor Train' botnet operated by Chinese state-sponsored group Flax Typhoon, which infected 260,000 devices globally
- Anxun Information Technology / i-Soon (China) — Offered hacker-for-hire services and conducted cyberattacks targeting "critical infrastructure and critical functions of member states and third countries" since at least 2011. Two co-founders were individually sanctioned. A February 2024 data leak exposed i-Soon's operations as a Chinese government hacking contractor
- Emennet Pasargad (Iran) — Attributed to multiple influence campaigns including hijacking advertising billboards during the 2024 Paris Olympics and compromising an SMS service in Sweden. The U.S. DOJ previously offered a $10 million reward for information on two of its contractors
NIS2 and Regulatory Implications
The sanctions carry asset freezes and travel bans. EU citizens and companies are prohibited from making funds or economic resources available to sanctioned entities. With the EU's cyber sanctions list now covering 19 individuals and 7 entities, this action demonstrates that NIS2's emphasis on supply chain security and third-country threat actors is backed by diplomatic enforcement.
NIS2 Key takeaway: Organizations subject to NIS2 essential and important entity requirements should review their supply chain relationships for any connections to sanctioned entities. Under NIS2 Article 21, supply chain security measures must account for state-sponsored threat actors and their commercial proxies.
2. Tech Giants Commit $12.5M to Open Source Security
Anthropic, AWS, Google, Microsoft, and OpenAI have collectively invested $12.5 million in the Linux Foundation's long-term security initiatives focused on open source software. The funding targets critical projects including automated vulnerability detection, secure software development lifecycle (SDLC) tooling, and Software Bill of Materials (SBOM) standardization.
Why This Matters for EU Regulation
The investment arrives at a pivotal moment for the EU Cyber Resilience Act (CRA), which requires manufacturers of products with digital elements to ensure security throughout the product lifecycle — including open source dependencies. The CRA's transitional period runs through 2027, but preparatory obligations are already in effect.
- SBOM requirements: The CRA mandates that manufacturers maintain and share SBOMs for their products. The Linux Foundation's SBOM standardization work directly supports industry compliance
- Vulnerability handling: Under CRA Article 11, manufacturers must establish coordinated vulnerability disclosure processes. The funded initiatives include automated vulnerability detection for open source components
- Supply chain transparency: NIS2 Article 21(2)(d) requires supply chain security measures. Organizations using open source libraries need visibility into their dependency trees — exactly what these investments aim to improve
- AI model dependencies: With AI companies among the investors, the funding also addresses security of AI training frameworks and inference libraries — relevant to both CRA and EU AI Act compliance
CRA Action required: Organizations using open source software in products sold in the EU should begin SBOM generation and vulnerability tracking now. The CRA's vulnerability handling obligations (Article 11) and technical documentation requirements (Annex VII) are approaching. KENSAI's dependency scanning can identify vulnerable open source components in your stack.
3. 67% of CISOs Lack AI Visibility — EU AI Act Compliance at Risk
The AI and Adversarial Testing Benchmark Report 2026, based on a survey of 300 U.S. CISOs and senior security leaders, reveals a stark reality: 67% of CISOs reported limited visibility into how AI is being used across their organization. Not a single respondent claimed full visibility. Meanwhile, AI adoption continues to accelerate, with AI systems now layered across cloud platforms, identity systems, applications, and data pipelines.
EU AI Act Implications
While the survey focused on U.S. organizations, the findings are a warning shot for EU companies approaching EU AI Act enforcement milestones:
- Prohibited AI practices enforcement began February 2, 2025 — organizations must already have identified and eliminated banned AI uses
- General-purpose AI (GPAI) model obligations took effect August 2, 2025 — providers must implement transparency, copyright compliance, and risk management
- High-risk AI system requirements apply from August 2, 2026 — mandatory risk management systems, data governance, human oversight, accuracy, robustness, and cybersecurity requirements
- Shadow AI problem: The report found organizations average 11 different GenAI tools, mostly unmanaged by IT. Under the EU AI Act, deployers of high-risk AI systems must ensure human oversight (Article 14) — impossible without first knowing what AI is deployed
⚠️ Shadow AI + EU AI Act = Compliance Time Bomb
If 67% of security leaders can't see their AI footprint, they cannot classify AI systems by risk level, implement required safeguards, or maintain the conformity documentation the EU AI Act demands. With high-risk AI requirements taking effect in August 2026 — just five months away — organizations need AI discovery and governance programs now, not after enforcement begins.
4. Apple Launches Silent Background Security Patching
Apple released its first-ever Background Security Improvements update on March 17, patching CVE-2026-20643 — a WebKit Same Origin Policy bypass flaw — across iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1/26.3.2. The update was applied automatically without requiring a full OS upgrade or device restart.
CRA Product Liability Angle
This is significant from a Cyber Resilience Act perspective. The CRA requires manufacturers to provide security updates for the expected product lifetime, and to deliver updates "without undue delay" after discovering vulnerabilities. Apple's new mechanism demonstrates what CRA-compliant patching infrastructure looks like:
- Rapid deployment: Patches delivered within hours of disclosure, not weeks
- Minimal user friction: Background application removes the "update fatigue" that leaves devices unpatched
- Targeted scope: Only affected components are updated, reducing the attack surface of the update itself
- Transparency: Users can view and manage Background Security Improvements through device settings
Under CRA Article 10, manufacturers must ensure that "vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates." Apple's approach may become the benchmark against which EU regulators measure other vendors' patching capabilities.
5. RondoDox Botnet Exploits 174 Vulnerabilities at Scale
The RondoDox botnet has increased its exploitation activity to 15,000 attempts per day, targeting 174 distinct vulnerabilities across networking equipment, IoT devices, and enterprise infrastructure. SecurityWeek reports the botnet is taking "a more targeted approach," focusing on organizations with exposed management interfaces.
NIS2 Vulnerability Management Requirements
- NIS2 Article 21(2)(e) requires essential and important entities to implement "vulnerability handling and disclosure" measures. A botnet targeting 174 CVEs means your vulnerability management program must cover all of them
- DORA Article 7 mandates ICT risk management frameworks for financial entities — including patch management processes that address actively exploited vulnerabilities
- Incident reporting: Under NIS2 Article 23, any successful exploitation triggering a significant incident must be reported within 24 hours (early warning) and 72 hours (incident notification)
- Automated scanning: Manual vulnerability management cannot keep pace with botnets cycling through 174 CVEs. Continuous automated scanning is now a regulatory necessity, not a nice-to-have
Regulation Status Dashboard — March 18, 2026
| Regulation |
Status |
This Week's Impact |
| NIS2 |
Enforcement active across EU |
EU sanctions demonstrate enforcement of supply chain and third-country threat actor provisions |
| GDPR |
Fully enforced (UK & EU) |
Ongoing fallout from Companies House breach; sanctions reinforce data protection in critical infrastructure |
| DORA |
Applied since Jan 17, 2025 |
RondoDox botnet targeting financial infrastructure raises ICT risk management scrutiny |
| EU AI Act |
Phased enforcement through 2027 |
67% CISO AI visibility gap threatens high-risk AI compliance deadline (Aug 2026) |
| CRA |
Transitional period until 2027 |
$12.5M open source investment + Apple silent patching set CRA compliance benchmarks |
What Organizations Should Do This Week
- Screen supply chains for sanctioned entities — Check whether any technology vendors, open source contributors, or service providers have ties to Integrity Technology Group, Anxun/i-Soon, or Emennet Pasargad. NIS2 supply chain obligations make this mandatory
- Begin SBOM generation for all products — The CRA vulnerability handling deadline is approaching. Use the Linux Foundation's standardized tooling to generate and maintain SBOMs for products containing open source components
- Launch AI discovery program — With high-risk AI requirements taking effect in 5 months, inventory all AI systems, classify by risk level, and establish governance frameworks. If you can't see it, you can't comply
- Evaluate patching infrastructure — Apple's Background Security Improvements sets the CRA bar. Assess whether your products can deliver security updates rapidly and with minimal user friction
- Audit vulnerability coverage against RondoDox target list — Cross-reference your vulnerability management program against the 174 CVEs in the RondoDox botnet's arsenal. Automated continuous scanning is the only scalable approach
Stay Compliant with NIS2, DORA & EU AI Act
KENSAI continuously scans your infrastructure for regulatory compliance gaps. Automated vulnerability assessment, NIS2 readiness checks, supply chain risk analysis, and real-time alerts when new critical CVEs affect your systems.
Start Free Compliance Scan →
← Back to Blog