剣 KENSAI
← All posts · regulations · 2026-03-15 · 4 min

INTERPOL's 45,000-IP Takedown, DMA-GDPR Interplay Guidelines, and Nuclear Facility Cyberattacks Test NIS2 Resilience

A landmark week for cybersecurity enforcement: INTERPOL conducts its largest coordinated takedown of 45,000 malicious IPs across 72 countries. The European Commission and EDPB publish joint guidelines on DMA-GDPR interplay. Poland's nuclear research centre suffers a cyberattack. Chrome patches two actively exploited zero-days. Supply chain attacks hit AppsFlyer SDK. Iran-linked groups target critical infrastructure worldwide.


🚨 INTERPOL Dismantles 45,000 Malicious IPs — 94 Arrested

INTERPOL announced its most sweeping cybercrime operation to date, seizing 45,000 malicious IP addresses and servers used in phishing, malware, and ransomware campaigns across 72 countries and territories.

Operation Scale

94 individuals arrested, 110 more under investigation. 212 electronic devices and servers seized during coordinated raids. Bangladesh alone arrested 40 suspects and seized 134 devices related to loan scams, identity theft, and credit card fraud. In Togo, 10 suspects operating a fraud ring from a residential area were apprehended.

Regulatory Significance

This operation demonstrates the growing operational capacity of international law enforcement in the cyber domain — a key pillar of the NIS2 Directive's emphasis on cross-border cooperation and information sharing. For compliance teams, the takedown reinforces several regulatory expectations:

SocksEscort Botnet Disrupted

In a parallel operation, authorities dismantled SocksEscort, a criminal proxy service that enslaved 369,000 residential routers across 163 countries into a botnet since 2020. The service marketed "static residential IPs with unlimited bandwidth" to bypass spam blocklists, with nearly 8,000 infected routers active as of February 2026.

Compliance implication: Organizations using residential proxy services for web scraping, ad verification, or market research must ensure their providers are not operating on compromised infrastructure — a supply chain due diligence obligation under both NIS2 and DORA.


⚖️ EU Publishes DMA-GDPR Interplay Guidelines

The European Commission and the European Data Protection Board (EDPB) have published individual contributions from the public consultation on draft joint guidelines addressing the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR).

Why This Matters

The DMA requires gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft) to enable data portability and interoperability. But GDPR restricts how personal data can be shared and processed. These guidelines clarify where the two regulations intersect, overlap, and potentially conflict.

Key Areas of Clarification

Gatekeeper Compliance Reports

Simultaneously, the six designated gatekeepers have submitted updated compliance reports on changes implemented during the past year. The Commission is reviewing these reports for enforcement action where obligations are not met.

Action required: Organizations interacting with gatekeeper platforms — as business users, advertisers, or app developers — should review the draft guidelines to understand how DMA data access rights interact with their GDPR obligations.


☢️ Poland's Nuclear Research Centre Targeted by Cyberattack

Poland's National Centre for Nuclear Research (NCBJ) confirmed that hackers targeted its IT infrastructure. The attack was detected and blocked before causing operational impact, but the incident highlights escalating threats against critical infrastructure in the EU.

NIS2 Critical Infrastructure Alert

Nuclear research facilities fall under NIS2's essential entity classification. The attack on NCBJ — regardless of its outcome — triggers mandatory incident reporting obligations under NIS2 Article 23: initial notification within 24 hours, full incident report within 72 hours, and a final report within one month.

Iran-Linked Threats to Critical Infrastructure

In parallel developments, security researchers report that Iran-linked hacking groups are expanding their targeting from Middle Eastern infrastructure to US defense contractors, power stations, and water plants. The Iran-linked attack on medical device manufacturer Stryker disrupted manufacturing and shipping operations, with attackers using existing endpoint management software rather than traditional malware to wipe devices.

Regulatory Implications

Framework Relevance
NIS2 Nuclear, energy, and healthcare entities are essential entities requiring enhanced cybersecurity measures and incident reporting
DORA Financial entities relying on ICT services from targeted sectors face third-party risk exposure requiring reassessment
EU AI Act AI systems used in critical infrastructure management are classified as high-risk, requiring conformity assessments
GDPR Attacks on healthcare and research facilities may compromise personal data, triggering breach notification under Article 33

🔓 Chrome Zero-Days & Supply Chain Attacks

Chrome 146: Two Actively Exploited Zero-Days Patched

Google released Chrome 146 patching two zero-day vulnerabilities being actively exploited in the wild. The flaws allow attackers to manipulate data and bypass security restrictions, potentially leading to code execution. Google paid out $17 million in bug bounty rewards during 2025 — including $3.7 million for Chrome vulnerabilities alone.

AppsFlyer SDK Supply Chain Attack

The AppsFlyer Web SDK was temporarily hijacked with malicious JavaScript code designed to steal cryptocurrency. The supply chain compromise affected websites using the popular mobile attribution and marketing analytics platform.

NIS2 supply chain requirements: Both incidents underscore why NIS2 Article 21(2)(d) mandates supply chain security assessments. Organizations must evaluate the security posture of their software dependencies — from browser infrastructure to third-party SDKs.

DORA ICT third-party risk: Financial entities using AppsFlyer for marketing analytics must assess whether the SDK compromise constitutes a reportable ICT incident under DORA's classification framework.

Microsoft OOB Hotpatch

Microsoft released an out-of-band hotpatch update to fix a Remote Code Execution (RCE) vulnerability in Windows 11 Enterprise's Routing and Remote Access Service (RRAS). Separately, a Samsung-specific issue is preventing Windows 11 users from accessing their C: drive after February 2026 security updates.


🏛️ DSA Expansion: EU Enlargement Countries Workshop

DG CONNECT and DG ENEST hosted representatives from EU enlargement countries in a TAIEX workshop on the Digital Services Act (DSA), supporting the accession process in platform regulation. This signals the EU's intent to extend its digital regulatory framework beyond current member states.

For organizations operating in candidate countries (Western Balkans, Ukraine, Moldova, Turkey, Georgia), early adoption of EU digital compliance frameworks — including DSA, DMA, and NIS2 — will become a competitive advantage as accession negotiations progress.


📋 This Week's Compliance Action Items

  1. Patch immediately: Chrome 146 (two exploited zero-days), Windows 11 RRAS RCE hotpatch, HPE AOS-CX admin password reset vulnerability
  2. Supply chain audit: Check if AppsFlyer Web SDK is used in any properties; verify integrity of third-party JavaScript dependencies
  3. Review DMA-GDPR guidelines: If your organization interacts with designated gatekeeper platforms, assess how the interplay affects your data processing obligations
  4. Incident response drill: The Poland nuclear centre attack is a reminder — test your 24/72-hour NIS2 incident reporting procedures
  5. Third-party risk review: Reassess ICT providers in sectors targeted by state-sponsored actors (healthcare, manufacturing, critical infrastructure)
  6. Proxy service audit: If using residential proxy services, verify they are not operating on compromised infrastructure (SocksEscort takedown)