The White House released its new cybersecurity strategy built on offensive operations, AI adoption, and deregulation — a direct collision course with Europe's compliance-heavy NIS2, DORA, and AI Act frameworks. Plus: Gemini AI Chrome vulnerability, Microsoft Copilot DLP changes, and March Patch Tuesday forecast.
The White House has released President Trump's seven-page cybersecurity strategy, developed by the Office of the National Cyber Director (ONCD). It represents a fundamental shift in US cyber policy by placing offensive operations at the center while actively pushing deregulation.
The strategy is built on six pillars:
| Pillar | Focus | Key Implication |
|---|---|---|
| 1. Shape Adversary Behavior | Offensive cyber operations | Proactive disruption of adversary networks before attacks |
| 2. Promote "Common Sense" Regulation | Deregulation | Rolling back mandatory cybersecurity standards |
| 3. Modernize Federal Networks | Zero trust, post-quantum, AI | Cloud migration and AI-powered defenses |
| 4. Secure Critical Infrastructure | Hardening essential services | Remove adversary vendors, secure supply chains |
| 5. Sustain Tech Superiority | AI, quantum, crypto/blockchain | First strategy to reference cryptocurrency |
| 6. Build Talent & Capacity | Workforce pipeline | Schools, industry, military cyber training |
Pillar 2 calls for stripping back "burdensome cyber regulations" while Pillar 4 demands hardening critical infrastructure. Security researchers warn these goals may be fundamentally contradictory — you can't deregulate and harden simultaneously. Organizations operating in both US and EU jurisdictions face a compliance paradox.
The strategy arrives on the heels of a confirmed FBI wiretap system breach with suspected Chinese threat group involvement (Salt Typhoon). The document explicitly warns: "Our adversaries have and will increasingly feel the consequences of their actions; we will dismantle networks, pursue hackers and spies."
The US deregulatory push creates an unprecedented transatlantic divergence in cybersecurity policy. While Washington strips mandatory standards, Brussels is accelerating enforcement:
| Area | US (Trump Strategy) | EU (NIS2/DORA/AI Act) |
|---|---|---|
| Approach | Voluntary, market-driven | Mandatory, penalty-driven |
| Regulation | Deregulate "burdensome" rules | NIS2: €10M fines, DORA: mandatory ICT risk |
| Incident Reporting | No new mandates | 24-hour mandatory reporting |
| AI Governance | Accelerate AI adoption | EU AI Act: risk-based classification |
| Supply Chain | Remove "adversary vendors" | Article 21: full supply chain liability |
| Crypto/Blockchain | Protect and promote | MiCA regulation framework |
Companies operating across both jurisdictions now face a dual compliance burden. You must simultaneously:
💡 KENSAI Recommendation: Default to the stricter standard. If you comply with NIS2 and DORA, you'll exceed any reasonable US security baseline. Use the EU framework as your floor, not your ceiling.
Google has patched CVE-2026-0628 (CVSS 8.8, High), an elevation of privilege vulnerability in Gemini AI integrated into Chrome. Discovered by Palo Alto Networks Unit 42, the flaw allowed malicious extensions with basic permissions to hijack the Gemini Live browser panel.
This is particularly concerning because:
Alongside the legitimate vulnerability, security researchers are warning about a surge in fake "AI" browser extensions appearing in app stores. These extensions mimic popular AI tools but secretly exfiltrate user data. The attack leverages user eagerness to adopt AI tools — a social engineering angle that bypasses traditional security controls.
Microsoft is addressing a critical gap in its Copilot AI assistant: data loss prevention (DLP) policies were not being enforced on files stored outside OneDrive and SharePoint. This meant Copilot could inadvertently include confidential information from locally stored files in its responses.
Starting April 2026, Microsoft will apply DLP settings by default to prevent Copilot from accessing files without proper DLP labels. Key actions:
Looking ahead to next week's Patch Tuesday:
| Date | Regulation | What Happens |
|---|---|---|
| Now | NIS2 | Enforcement active in 23/27 EU member states |
| Now | DORA | Financial entities must comply — ICT risk management mandatory |
| Apr 2026 | Microsoft Copilot DLP | Default DLP enforcement on AI assistant file access |
| Aug 2026 | EU AI Act | High-risk AI system registration deadline |
| Q3 2026 | US Cyber Strategy | Implementation memoranda and budget requests expected |
| 2027 | NIS2 full audit cycle | First enforcement review cycle across all member states |
KENSAI maps your security posture against NIS2, DORA, EU AI Act, and international standards simultaneously — so you comply everywhere, not just somewhere.
Start Free Security Scan →Published by KENSAI Threat Intelligence · March 7, 2026
Sources: CSO Online, Help Net Security, White House ONCD, Palo Alto Networks Unit 42, ENISA