EU Chips Act Implementation Dialogue, Dell & HP Ship Quantum-Resistant Security, PwC Warns AI Speeds Attacks, GitHub Expands AI Scanning, Coruna Spyware Linked to Operation Triangulation
Executive VP Virkkunen chairs a Chips Act implementation meeting with semiconductor industry leaders. Dell and HP announce quantum-resistant device security aligned with NIST PQC standards. PwC finds AI is amplifying cyberattack speed while identity theft industrialises. GitHub expands AI-powered security scanning beyond CodeQL. Kaspersky traces the Coruna exploit framework to Operation Triangulation — reigniting the EU spyware debate.
1. EU Chips Act Implementation Dialogue — Cybersecurity of Critical Infrastructure Chips
⚠️ REGULATORY SIGNAL — EU Semiconductor Supply Chain Security Under Active Review
Executive Vice-President Henna Virkkunen has convened a Chips Act implementation dialogue with semiconductor industry leaders and EU member states to discuss supply chain resilience, strategic autonomy, and the cybersecurity implications of chips used in critical infrastructure.
On March 26, 2026, Executive VP Henna Virkkunen chaired a high-level meeting bringing together semiconductor manufacturers, member state representatives, and critical infrastructure operators to assess the EU Chips Act's implementation progress. The Act, which entered into force in September 2023, aims to double the EU's global semiconductor market share to 20% by 2030.
The meeting focused on three critical areas:
- Supply chain resilience: Mapping dependencies on non-EU chip fabrication facilities, particularly for chips used in energy, telecommunications, and defence sectors
- Strategic autonomy: Progress on the €43 billion investment plan for EU-based semiconductor manufacturing capacity
- Cybersecurity of chips: New discussion on hardware-level security requirements for chips deployed in NIS2-designated essential services
NIS2 and CRA Intersection
The cybersecurity dimension is where the Chips Act meets NIS2 and the Cyber Resilience Act (CRA). Under NIS2, essential entities must secure their supply chains — and that includes the hardware they depend on. The CRA, meanwhile, will impose cybersecurity requirements on products with digital elements, which explicitly includes semiconductors with embedded firmware.
VP Virkkunen noted that "supply chain security begins at the silicon level" and signalled that future Chips Act implementing measures may include hardware security certification requirements for chips used in EU critical infrastructure.
What This Means for Your Organisation
- Map your hardware supply chain — which chips power your critical systems, and where are they fabricated?
- Assess whether your semiconductor suppliers provide hardware security attestations
- Monitor Chips Act implementing measures for new certification requirements
- Factor hardware-level security into NIS2 supply chain risk assessments
2. Dell & HP Roll Out Quantum-Resistant Device Security
🔶 COMPLIANCE SHIFT — Post-Quantum Cryptography Arrives in Enterprise Hardware
Dell and HP have announced new quantum-resistant security capabilities for PCs and printers, aligned with NIST Post-Quantum Cryptography (PQC) standards — marking the first major wave of enterprise hardware migration to post-quantum algorithms.
Dell and HP have independently announced the integration of NIST-standardised post-quantum cryptographic algorithms into their latest enterprise device lines. Dell's new OptiPlex and Latitude series include PQC-based firmware signing and secure boot, while HP's new LaserJet Enterprise printers ship with quantum-resistant certificate chains.
This matters because of the "harvest now, decrypt later" threat: adversaries are already collecting encrypted data today, planning to decrypt it once quantum computers become powerful enough. By embedding PQC at the hardware level, Dell and HP are providing a defence against this long-term risk.
Regulatory Landscape for PQC
- NIST PQC standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) were finalised in 2024 — these are the algorithms Dell and HP are implementing
- EU CRA implications: The Cyber Resilience Act requires products with digital elements to maintain "up-to-date" cryptographic protections — PQC compliance may become a de facto requirement
- ENISA guidance: ENISA's 2025 post-quantum migration roadmap recommends organisations begin transitioning to PQC "without delay"
- NIS2 relevance: Essential entities must implement "state of the art" security measures — quantum-resistant cryptography is increasingly considered part of that standard
What This Means for Your Organisation
- Inventory all cryptographic implementations across your infrastructure — identify what needs PQC migration
- Prioritise PQC-capable hardware in upcoming procurement cycles
- Develop a post-quantum migration roadmap aligned with ENISA guidance
- Assess "harvest now, decrypt later" exposure for sensitive data with long-term confidentiality requirements
3. PwC: AI Amplifies Attack Speed, Identity Theft Industrialises
⚠️ THREAT INTELLIGENCE — AI-Powered Attacks Accelerating Faster Than Defences
PwC's latest Global Digital Trust report finds that AI is amplifying the speed and scale of cyberattacks, while identity theft has evolved into an industrial supply chain. The report directly challenges organisations' readiness for NIS2 identity governance requirements.
PwC's Global Digital Trust Insights 2026 survey — covering over 4,000 business and technology executives across 77 countries — delivers a sobering assessment: AI is shifting the advantage to attackers. Key findings include:
- 67% of executives say generative AI has expanded their organisation's attack surface in the past 12 months
- AI-powered phishing campaigns are now indistinguishable from legitimate communications in 48% of tests
- Identity theft has industrialised: Stolen credentials, synthetic identities, and deepfake-enabled impersonation are being sold as packaged "identity kits" on dark web markets
- Mean time to exploit new vulnerabilities has dropped from 32 days to 5 days, driven by AI-assisted exploit development
NIS2 Identity Governance Implications
Under NIS2 Article 21, essential and important entities must implement measures for access control and identity management. The PwC findings suggest that traditional identity governance — passwords, basic MFA, manual provisioning — is no longer sufficient. The regulation's "state of the art" requirement increasingly points toward:
- Phishing-resistant authentication: FIDO2/WebAuthn hardware keys or passkeys
- Continuous identity verification: Real-time behavioural analytics, not just login-time checks
- Zero-trust architecture: Never trust, always verify — especially for privileged access
- AI-powered identity threat detection: Using AI to fight AI-powered identity attacks
What This Means for Your Organisation
- Assess your identity governance maturity against the PwC findings — are you defending against 2024 threats or 2026 threats?
- Accelerate deployment of phishing-resistant MFA (FIDO2/passkeys) for all privileged accounts
- Implement continuous identity monitoring, not just authentication-time checks
- Map your identity governance controls against NIS2 Article 21 requirements
4. GitHub Expands AI-Powered Security Scanning Beyond CodeQL
Software Supply Chain Security: GitHub has adopted AI-based vulnerability scanning for Code Security, expanding detection capabilities beyond its traditional CodeQL engine to cover more languages, frameworks, and vulnerability patterns — with direct implications for EU Cyber Resilience Act compliance.
GitHub has announced a significant expansion of its Code Security platform, integrating AI-powered scanning that goes beyond the rule-based approach of CodeQL. The new system uses large language models trained on vulnerability patterns to detect security issues in code that traditional static analysis tools miss.
Key improvements include:
- Language coverage: AI scanning now covers 15+ languages compared to CodeQL's 9, including Rust, Go, Swift, and Kotlin
- Context-aware detection: The AI understands business logic flaws, not just pattern-matching known vulnerability signatures
- Automated fix suggestions: AI-generated patches for detected vulnerabilities, reducing remediation time
- Supply chain analysis: Deeper transitive dependency scanning for open-source components
EU Cyber Resilience Act Implications
The CRA requires manufacturers of products with digital elements to implement vulnerability handling processes throughout the product lifecycle. For software developers, this means:
- Shift-left security: The CRA's requirement for "security by design" makes automated security scanning during development — not just before release — effectively mandatory
- SBOM requirements: The CRA mandates Software Bills of Materials; GitHub's expanded dependency scanning directly supports this
- Continuous monitoring: Products must be monitored for vulnerabilities post-release; GitHub's AI scanning can be applied to existing codebases
What This Means for Your Organisation
- Evaluate GitHub's expanded AI scanning for your development pipelines
- Ensure your CI/CD pipeline includes automated security scanning that meets CRA "security by design" requirements
- Verify that your SBOM generation covers transitive dependencies
- Document your vulnerability handling process as evidence for CRA compliance
5. Coruna iOS Exploit Framework Traced to Operation Triangulation
⚠️ SPYWARE GOVERNANCE — State-Level Exploit Kit Repurposed for Financial Crime
Kaspersky researchers have linked the Coruna exploit framework — targeting iOS devices — to the 2019 Operation Triangulation espionage campaign. The toolkit is now also being used in financial attacks, reigniting the EU debate over spyware regulation and surveillance technology export controls.
Kaspersky's latest research has established a definitive technical link between the Coruna exploit framework and Operation Triangulation, the sophisticated iOS espionage campaign first documented in 2023 but traced back to 2019. Coruna exploits zero-click vulnerabilities in iOS to install persistent surveillance capabilities without any user interaction.
The critical development is that Coruna is no longer limited to state-sponsored espionage. Kaspersky found evidence of the framework being used in financial attacks — targeting banking apps, cryptocurrency wallets, and payment systems on compromised iOS devices. This suggests the exploit kit has either been sold commercially or leaked to financially motivated threat actors.
EU Spyware Regulation Context
The Coruna revelations land at a pivotal moment for EU surveillance technology governance:
- EU Spyware Inquiry: The European Parliament's PEGA committee recommendations from 2023 remain largely unimplemented — Coruna demonstrates why action is urgent
- Dual-use export controls: The EU's Regulation 2021/821 on dual-use items covers surveillance technology, but enforcement remains inconsistent across member states
- ePrivacy implications: The use of zero-click exploits to access device data directly violates ePrivacy Directive protections on communications confidentiality
- NIS2 supply chain risk: If state-level exploit kits are being repurposed for financial crime, NIS2-designated entities face a new category of supply chain threat — compromised mobile devices used by executives and privileged users
What This Means for Your Organisation
- Enforce immediate iOS updates across all corporate-managed devices — zero-click exploits target known vulnerabilities
- Implement mobile device management (MDM) with mandatory security patch compliance
- Assess mobile device compromise risk in your NIS2 risk assessment — especially for executive and privileged user devices
- Monitor EU spyware regulation developments — new rules could impose obligations on organisations that discover surveillance technology on their networks
Today's Regulatory Landscape Summary
| Development | Regulation | Impact | Action Required |
|---|---|---|---|
| EU Chips Act Dialogue | Chips Act / NIS2 / CRA | Hardware security certification for critical chips | Map semiconductor supply chain risks |
| Dell & HP Quantum-Resistant Security | CRA / NIS2 | PQC arriving in enterprise hardware | Begin post-quantum migration planning |
| PwC AI Attack Report | NIS2 | Identity governance gap widening | Deploy phishing-resistant MFA, continuous monitoring |
| GitHub AI Security Scanning | CRA | Shift-left security tooling expands | Integrate AI scanning into CI/CD pipelines |
| Coruna Spyware / Operation Triangulation | ePrivacy / Dual-Use | State exploits repurposed for financial crime | Enforce iOS patching, assess mobile device risk |