← Back to Security Blog
Compliance & Regulaciones
Breaking
7 de marzo de 2026
9 min de lectura
Sistema de vigilancia del FBI vulnerado, nuevo CISO del Pentágono nombrado, CISA amplía KEV — Resumen regulatorio 7 de marzo de 2026
El FBI investiga la brecha de un sistema de vigilancia sensible. El Pentágono nombra al nuevo CISO James Aaron Bishop. CISA añade las fallas iOS del kit de exploits Coruna a la lista KEV. La seguridad de la IA bajo el foco mientras las prácticas prohibidas de la Ley de IA de la UE entran en vigor. Noticias diarias de regulación de seguridad.
🔴 FBI Investigating Breach of Surveillance System
Critical Government Security Incident
The FBI ha confirmado it is investigating "suspicious" cyber activity on a system containing sensitive surveillance information. The bureau notified members of Congress about the incident and is working to determine the scope and impact of the compromise.
Regulatory Implications
This incident carries significant implications for government cybersecurity regulation and oversight:
- Congressional oversight: La brecha is likely to accelerate legislative action on federal cybersecurity mandates, with both intelligence committees expected to hold classified briefings
- FISMA compliance: Questions will arise about whether the compromised system met Federal Information Security Modernization Act requirements
- Surveillance reform: La brecha of surveillance-related data may reignite debates around Section 702 of FISA and data protection safeguards for intelligence systems
- Cadena de suministro concerns: Investigators are examining whether la brecha originated through a third-party vendor, echoing NIS2 and DORA cadena de suministro security requirements
For EU organizations, this incident underscores the importance of NIS2 Article 21 requirements for incident handling and crisis management — even the most security-focused agencies remain vulnerable.
🛡️ Pentagon Appoints New CISO: James "Aaron" Bishop
James "Aaron" Bishop has been selected to serve as the new Pentagon Chief Information Security Officer, replacing David McKeown, who will transition to the private sector after 40 years of government service. The appointment signals continued prioritization of cybersecurity at the highest levels of U.S. defense.
¿Qué significa esto? for Regulation
The Pentagon CISO oversees cybersecurity policy for the Department of Defense — the world's largest organization by headcount. Bishop's appointment comes at una crítica time:
- CMMC 2.0 enforcement: The Cybersecurity Maturity Model Certification program is entering full enforcement, requiring all defense contractors to meet verified cybersecurity standards
- Zero trust architecture: DoD's zero trust implementation deadline is approaching, with all components expected to achieve target-level maturity
- International alignment: Increasing coordination between U.S. defense cybersecurity standards and EU frameworks (NIS2, DORA) for allied interoperability
- AI/ML security: DoD's expanding use of AI systems requires alignment with emerging AI security standards — paralleling the EU AI Act's high-risk AI requirements
⚠️ CISA Adds Coruna Exploit Kit iOS Flaws to KEV Catalog
23 iOS Vulnerabilities Added to Known Exploited Vulnerabilities Catalog
CISA has added iOS vulnerabilities exploited by the Coruna exploit kit — described as a "estado-nación-grade" tool — to the Known Exploited Vulnerabilities (KEV) catalog. El exploit kit targets 23 vulnerabilities affecting iOS versions 13 through 17.2.1.
Impacto en el cumplimiento
Under Binding Operational Directive (BOD) 22-01, all U.S. federal civilian agencies must remediate KEV-listed vulnerabilities within prescribed timelines. But the regulatory impact extends far beyond the U.S.:
- NIS2 (EU): Article 21 mandates vulnerability handling and disclosure — organizations using iOS devices in essential/important entity operations must patch immediately
- DORA (Financial): Financial entities under DORA must include mobile device vulnerabilities in their ICT gestión de riesgos frameworks and reporte de incidentes
- GDPR: Exploitation of these vulnerabilities could lead to personal data exfiltration, triggering 72-hour notificación de brechas obligations under Article 33
- EU AI Act: AI systems running on compromised iOS infrastructure may fail high-risk AI system security requirements under Article 15
Coruna Exploit Kit: Key Details
| Attribute | Detail |
| Classification | Nation-state grade commercial exploit kit |
| Target | iOS 13 through iOS 17.2.1 |
| Vulnerabilities | 23 chained exploits for full device compromise |
| Capability | Zero-click ejecución remota de código, persistent access |
| KEV Status | All 23 CVEs now in CISA KEV catalog |
🤖 AI Security Under Fire: Chrome Gemini Vulnerability & Fake Extensions
Two developments this week highlight the growing intersection of AI security and regulatory compliance:
Chrome Gemini Vulnerability (CVE-2026-0628)
Google patched CVE-2026-0628 (CVSS 8.8 — High), an elevation-of-privilege vulnerability in the Gemini AI integration within Chrome. Reported by Palo Alto Networks Unit 42, la falla allowed malicious browser extensions with basic permissions to hijack the Gemini Live panel, potentially accessing:
- User conversations with the AI assistant
- Browsing context and page content shared with Gemini
- Any data processed through the AI panel
Fake AI Extensions Epidemic
Investigadores de seguridad continue to flag malicious browser extensions masquerading as AI tools in official app stores. These extensions provide superficial AI functionality while silently exfiltrating user data, keystroke logs, and authentication tokens.
EU AI Act Relevance
As of 2 de febrero de 2026, the EU AI Act's prohibited practices (Article 5) are now enforceable. While these specific vulnerabilities don't fall under prohibited AI categories, they highlight critical gaps in AI system security that the Act's high-risk AI requirements (effective August 2026) will address:
- Article 15: High-risk AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity
- Article 9: Gestión de riesgos systems must address cybersecurity threats to AI components
- GPAI transparency (May 2026): General-purpose AI model providers must document cybersecurity measures protecting model integrity
📊 Google Zero-Day Report: 90 Exploited Vulnerabilities in 2025
Google's annual zero-day exploitation analysis reveals 90 zero-day vulnerabilities fueron explotados en circulación during 2025 — with a significant shift toward enterprise-targeting:
- 50% targeted enterprise products — security appliances, VPN gateways, network infrastructure
- Spyware vendors remain the most prolific zero-day users, with commercial surveillance tools accounting for the largest attributed share
- China-linked groups led estado-nación attribution, focusing on network edge devices and infraestructura crítica
- Less than half of all zero-days could be attributed to specific actores de amenazas
Regulatory Takeaway
The enterprise focus of zero-day exploitation directly validates the regulatory approach of NIS2 and DORA:
- NIS2 essential entities operating network infrastructure are prime targets — Article 21 gestión de riesgos measures are not optional recommendations but survival requirements
- DORA's operational resilience testing (including threat-led penetration testing) reflects the reality that financial sector infrastructure faces sustained, sophisticated attacks
- EU Cyber Resilience Act (CRA) requirements for manufacturers to provide security updates and vulnerability handling become critical as attackers increasingly target product-level flaws
🔄 Microsoft Copilot Data Protection Updates
Microsoft announced new controls over which files its Microsoft 365 Copilot AI assistant can access during data processing. The change comes in direct response to customer reports that Copilot was including confidential information in its outputs.
Key Changes
- DLP enforcement expansion: Data Loss Prevention labels will now apply to local files, not just OneDrive/SharePoint — preventing Copilot from accessing DLP-restricted content regardless of storage location
- Default protection: The new controls will be applied by default starting April 2026
- User responsibility: Organizations must properly configure DLP labels on sensitive files to prevent AI access
GDPR & AI Act Compliance
This development is directly relevant to EU compliance:
- GDPR Article 5(1)(f): Integrity and confidentiality — AI tools accessing data beyond their intended scope may violate the principle of appropriate security
- GDPR Article 25: Data protection by design — Microsoft's change reflects the regulatory expectation of built-in privacy safeguards
- EU AI Act Article 10: Data governance requirements for AI systems must ensure training and processing data meets quality and relevance standards
⚡ Cisco SD-WAN Vulnerabilities Exploited in the Wild
Cisco confirmed that two recently patched Catalyst SD-WAN vulnerabilities — CVE-2026-20128 and CVE-2026-20122 — están siendo activamente explotados. SD-WAN infrastructure is classified as infraestructura crítica in multiple regulatory frameworks.
NIS2 Infraestructura crítica Alert
Organizations operating SD-WAN infrastructure that falls under NIS2 essential or important entity classifications must treat these exploited vulnerabilities as mandatory immediate patches. Under Article 21, failure to address known-exploited vulnerabilities in critical network infrastructure may constitute a compliance violation subject to administrative fines.
📋 Compliance Action Items — Week of 7 de marzo de 2026
- Patch iOS devices immediately — All 23 Coruna exploit kit CVEs now in CISA KEV; NIS2/DORA-regulated entities must prioritize
- Update Cisco SD-WAN — CVE-2026-20128 and CVE-2026-20122 activamente explotado; infraestructura crítica risk
- Audit AI tool permissions — Review browser extensions claiming AI functionality; remove unverified extensions
- Configure Microsoft 365 DLP — Ensure DLP labels are applied to sensitive files before Copilot default protections activate in April
- Review Chrome security updates — Patch CVE-2026-0628 (Gemini vulnerability); assess AI-integrated browser components
- EU AI Act readiness — Prohibited practices now enforceable; inventory AI systems for compliance by August 2026 high-risk deadline
- NIS2 respuesta a incidentes drill — The FBI breach underscores that even top-tier security organizations face compromise; test your 24-hour early warning procedures
Automate Your Compliance Monitoring
KENSAI continuously monitors your infrastructure against NIS2, DORA, GDPR, and EU AI Act requirements. Real-time vulnerability detection meets regulatory mapping.
Start Free Compliance Scan
Stay regulated. Stay protected.
🗡️ KENSAI Compliance Intelligence
7 de marzo de 2026