France's ANSSI confirms ransomware attacks on French organizations dropped significantly in 2025 โ a signal that regulation-driven security investment is paying off. Meanwhile, Google completes its landmark $32 billion Wiz acquisition, reshaping cloud security compliance forever. Palo Alto's Unit 42 discovers that LLM safety guardrails can be trivially bypassed, raising urgent questions for EU AI Act compliance. And UK cyber-attacks are surging at four times the global rate.
Regulation Impact: NIS2 ยท DORA ยท French National Cybersecurity Strategy
France's national cybersecurity agency ANSSI has released its annual threat report confirming that ransomware attacks on French organizations declined in 2025. Small and medium businesses remained the most targeted segment, but overall attack volumes dropped โ a departure from the relentless upward trend of previous years.
The timing is significant. France was among the first EU member states to begin enforcing NIS2 requirements in late 2024, with mandatory incident reporting and risk management obligations taking effect for essential and important entities. ANSSI's report suggests that the combination of regulatory pressure, increased security spending, and improved resilience postures is starting to show measurable results.
Germany's BSI and Austria's NIS authority should expect similar trends as their NIS2 transposition matures. Organizations in the DACH region still working toward compliance should treat France's results as validation that security investment under regulatory frameworks delivers measurable ROI.
Regulation Impact: DORA ยท NIS2 Cloud Provider Requirements ยท EU Data Sovereignty
Google has officially closed its $32 billion acquisition of Wiz, the largest cybersecurity deal in history. Wiz will operate within Google Cloud while maintaining its brand identity and multi-cloud support โ a critical detail for European customers navigating DORA and NIS2 cloud provider requirements.
The deal fundamentally reshapes the cloud security compliance landscape. Wiz's Cloud Native Application Protection Platform (CNAPP) capabilities โ spanning vulnerability management, misconfigurations, identity risks, and runtime threats โ are now backed by Google's infrastructure and data sovereignty investments in Europe.
| Framework | Impact |
|---|---|
| DORA | Financial entities using Google Cloud gain integrated ICT risk management tooling. Third-party risk assessments for cloud providers become more complex with consolidated security stacks. |
| NIS2 | Essential entities must assess whether Wiz's integration into Google Cloud changes their supply chain risk profile. Multi-cloud monitoring capabilities become a competitive differentiator. |
| EU Data Sovereignty | Google's commitment to maintaining Wiz's multi-cloud support means organizations aren't locked into a single provider โ critical for sovereign cloud strategies across the EU. |
Palo Alto Networks' Unit 42 research team has developed successful attacks that bypass safety guardrails in popular generative AI tools. Organizations deploying AI systems under the EU AI Act's risk classifications must urgently reassess their guardrail implementations.
Researchers at Palo Alto's Unit 42 have published findings demonstrating that safety guardrails in major LLM platforms can be systematically bypassed. The attacks are not theoretical โ they work against production systems and can force AI tools to generate harmful, biased, or non-compliant outputs.
This research lands at a critical moment. The EU AI Act's risk-based framework requires that high-risk AI systems implement robust safety measures, including output filtering, bias detection, and human oversight mechanisms. If the very guardrails designed to ensure compliance can be trivially circumvented, the entire regulatory framework's effectiveness comes into question.
Regulation Impact: Post-Brexit Cyber Strategy ยท UK GDPR ยท Critical Infrastructure Protection
Check Point's latest data reveals that cyber-attack volumes against UK organizations are growing at four times the global average. The surge affects all sectors, with financial services, healthcare, and critical infrastructure facing the heaviest targeting.
The UK's post-Brexit regulatory divergence from the EU creates a particularly interesting comparison point. While EU member states benefit from the coordinated NIS2 framework, the UK is pursuing its own Cyber Security and Resilience Bill and updated Network and Information Systems (NIS) regulations independently.
For organizations operating across both the EU and UK, this divergence creates dual compliance obligations:
Regulation Impact: EU AI Act ยท AI Security Standards ยท Conformity Assessments
OpenAI has announced its acquisition of Promptfoo, an AI security testing startup that helps developers identify vulnerabilities in LLM applications. The deal signals that even AI's biggest players recognize the critical gap between AI capabilities and AI security โ exactly the gap the EU AI Act is designed to address.
Promptfoo's platform enables automated red-teaming, safety evaluations, and security testing for AI agents โ capabilities that map directly to EU AI Act requirements for conformity assessments and ongoing monitoring of high-risk AI systems.
Regulation Impact: US-EU Cyber Cooperation ยท Transatlantic Data Flows ยท Critical Infrastructure Defense
The US Senate has confirmed Joshua Rudd to lead both the National Security Agency and US Cyber Command under the controversial "dual-hat" arrangement. The confirmation comes as transatlantic cybersecurity cooperation faces scrutiny under shifting US administration priorities.
For European organizations, US cyber leadership changes matter because of the deep interconnection between US and EU critical infrastructure defense, intelligence sharing under the EU-US Data Privacy Framework, and coordinated responses to nation-state threats. Any shift in US cyber doctrine ripples through NATO's cooperative cyber defense posture and bilateral agreements with EU member states.
| Regulation | Status | Key Deadline | Action Required |
|---|---|---|---|
| NIS2 | โก Enforcing | Oct 2024 (transposed) | Full compliance mandatory. Incident reporting active. |
| DORA | โก Enforcing | Jan 17, 2025 | Financial entities must have ICT risk frameworks operational. |
| EU AI Act | ๐ถ Phasing In | Aug 2025 (prohibited AI) / Aug 2026 (high-risk) | Classify AI systems. Begin conformity assessments for high-risk. |
| GDPR | โ Mature | Ongoing | 72-hour breach notification. DPO requirements. Cross-border transfers. |
| CRA | ๐ก Transitioning | Dec 2027 (full) | Digital product manufacturers must plan for security-by-design obligations. |
KENSAI's automated security scanning maps directly to NIS2, DORA, and EU AI Act compliance requirements. Know where you stand in minutes, not months.
Run a Free Compliance Scan โPublished by the KENSAI Security Research Team ยท March 12, 2026
Sources: ANSSI, Infosecurity Magazine, SecurityWeek, Check Point Research, Palo Alto Unit 42
๐ก๏ธ Is your website secure?
Discover vulnerabilities before attackers do.
Scan your website for free โ