← Retour au blog sécurité
Compliance & Réglementation
Analyse
9 mars 2026
11 min de lecture
6G Security-by-Design Guidelines Launched, AI Insider Risk Reaches Critique Levels, Entreprise Zero-Days Hit All-Time Élevé — Security Réglementation Roundup
Seven Western nations publish security-by-design principles for 6G réseaux before standards are even finalized. Mimecast reports AI-driven menaces internes have become a "critical business threat" — 42% of organisations saw increases in both malveillant and negligent insider incidents. Google's Renseignement sur les menaces Group tracked 90 zero-days in 2025, with entreprise software now the primary target. Microsoft responds to Copilot data leakage concerns with new DLP controls. And a high-severity Gemini AI vulnérabilité in Chrome raises fresh questions about sécurité de l'IA under the EU AI Act. Here's what regulators and conformité teams need to act on this week.
📡 GCOT Launches 6G Security-by-Design Principles
The Global Coalition on Telecoms (GCOT) — comprising Australia, Canada, Finland, Japan, Sweden, the UK, and the US — released voluntary 6G Security and Resilience Principles at Mobile World Congress 2026 in Barcelona. Industry partners including AT&T, BT, Ericsson, NVIDIA, Nokia, Qualcomm, Samsung, and Vodafone endorsed the framework.
Why This Matters Before 6G Exists
With 6G commercial rollouts not expected until 2029-2030, this is one of the earliest instances of security-by-design regulation preceding the technology it governs. The coalition assessed that 6G will bring more virtualized réseau functions, disaggregated architectures with standardized interfaces, and native AI integration — each creating nouvelle surface d'attaques that must be addressed at the standards level, not retrofitted after déployerment.
The Eight Principles
GCOT defined four security and four resilience objectives:
| Catégorie | Principle | Key Requirement |
| Security | Containment | Limit propagation of acteurs malveillants through the réseau |
| Security | Confidentiality | Privacy-by-design for user data, secure against eavesdropping |
| Security | Integrity | Data integrity guarantees across réseau transit and infrastructure |
| Security | Access Control | Authentication and authorization for all réseau components |
| Resilience | Service Continuity | Maintain availability under challenging circumstances |
| Resilience | Supply Chain | Multi-vendor security with trusted supplier assurance |
| Resilience | Physical Security | Resilience against physical and environmental threats |
| Resilience | Recovery | Rapid restoration after incident de sécurités or disruptions |
Regulatory Alignment
These principles directly map to existing and emerging EU regulations:
- NIS2 Article 21: The security principles mirror NIS2's gestion des risques measures for essential entities in the telecommunications sector — containment, integrity, and contrôle d'accès are core NIS2 requirements
- EU Cyber Resilience Act (CRA): The chaîne d'approvisionnement and security-by-design principles align with CRA's product security requirements, which will apply to 6G réseau equipment when commercialized
- European Electronic Communications Code (EECC): GCOT's resilience principles complement EECC Articles 40-41 on réseau security and integrity
- EU AI Act: With AI natively integrated into 6G réseaux, the gouvernance de l'IA requirements under Articles 6-49 will apply to AI components in 6G infrastructure classified as high-risk
Compliance Takeaway
Telecom operators and réseau equipment manufacturers should begin mapping GCOT principles against their existing NIS2 and CRA conformité programs now. When 6G standards are finalized by 3GPP, organisations with security-by-design embedded in their development processes will have a significant conformité head start. This is the rare opportunity to shape regulatory expectations before they become obligatoire.
🤖 AI-Driven Insider Risk: A "Critique Business Menace"
42% of Organisations Report Rising Insider Menaces
Mimecast's State of Human Risk Report 2026, based on a survey of 2,500 IT security decision makers across North America, Europe, Southeast Asia, and Australia, finds that risque interne has escalated to critical levels — driven in large part by employees misusing outils IA and attackers weaponizing AI for more effective ingénierie sociale.
Key Findings
- 42% increase in malveillant insider incidents: Employees deliberately stealing, manipulating, or destroying data — often using outils IA to locate and exfiltrer sensitive information à grande échelle
- 42% increase in negligent incidents: Employees using personal cloud accounts, weak passwords, or falling for AI-enhanced phishing — carelessness amplified by the false sense of security that AI productivity tools provide
- 10% year-over-year growth in CISO concern about malveillant insiders, with security leaders now expecting an average of six insider-driven threats per month
- AI as both weapon and vulnérabilité: Attackers use AI to craft more convincing phishing lures, while insiders use AI to search for and extract sensitive data more efficiently
EU AI Act Implications
The EU AI Act's risk-based framework has direct relevance to AI-driven menaces internes:
- Article 9 (Risk Management): Élevé-risk systèmes d'IA déployé in workplace environments must include gestion des risques systems that address misuse scenarios — including deliberate abuse by authorized users
- Article 14 (Human Oversight): outils IA used in corporate environments must maintain human oversight capabilities, including the ability to detect and prevent exfiltration de données patterns
- Article 13 (Transparency): Organisations déployering AI productivity tools must inform users about the system's capabilities and limitations — employees must understand what data outils IA can access
- Article 52 (Specific Transparency): systèmes d'IA generating content or interacting with humans must be identifiable as AI — this applies to AI-crafted phishing emails targeting employees
NIS2 and DORA Requirements
Insider threats are explicitly within scope of both frameworks:
- NIS2 Article 21(2)(i): Requires "human resources security" measures, including background checks, security awareness, and access management — AI tool governance must now be part of this
- NIS2 Article 21(2)(a): Risk analysis and information system security policies must account for AI-amplified risque interne scenarios
- DORA Article 5: Financial entities must include menace interne scenarios in their gestion des risques TIC frameworks, with AI-driven threats requiring specific detection and response capabilities
- DORA Article 13: Learning and evolving requirements mean entités financières must update their renseignement sur les menaces to include AI-enabled insider attack patterns
Action Required
Organisations should immédiatement audit which outils IA employees are using (shadow AI), implement DLP controls on AI-assisted data access, and update their menace interne detection baselines. Under NIS2 and DORA, failure to address known AI-driven risque interne patterns is now a conformité gap. Include AI misuse scenarios in your next tabletop exercise.
🎯 Entreprise Zero-Days Reach All-Time Élevé: 90 in 2025
Entreprise Software Now the Primary Cible
Google Renseignement sur les menaces Group (GTIG) reported that 90 zero-day vulnérabilités were activement exploiteré in 2025 — up from 78 in 2024. The critical shift: 48% now target entreprise software and appliances, up from 46% in 2024, with security and réseauing products bearing the heaviest impact.
The Entreprise Shift
Google's analysis reveals a structural change in the paysage des menaces:
- 43 zero-days targeted entreprise products — security appliances, réseauing equipment, virtualization platforms, and entreprise applications
- 21 of those (nearly half) targeted security and réseauing solutions — pare-feux, VPNs, routeurs, and security gateways that sit at the réseau edge
- Edge devices are blind spots: Security appliances often lack terminal detection and response (EDR) coverage, making exploiter zero-dayation harder to detect
- Attackers are embedding deeply in critical business infrastructure, using compromis entreprise tools for élévation de privilèges and lateral movement
Additional GTIG Findings
- Windows remains most targeted OS: Of the 47 end-user zero-days, 24 (27% of total) targeted operating systems, with Microsoft Windows leading
- Mobile zero-days surged: 15 mobile OS zero-days in 2025, up from 9 in 2024 — a 67% increase
- Navigateur zero-days hit historic low: As navigateur sandboxing improves, attackers are shifting to less hardened targets
- CVE-2026-0628 (Gemini AI in Chrome): A Élevé-severity (CVSS 8.8) élévation de privilèges vulnérabilité allowing extensions malveillantes to hijack Gemini Live in the Chrome navigateur panel
Regulatory Implications
| Framework | Requirement | Impact of Zero-Day Surge |
| NIS2 | Art. 21(2)(e) — Vulnérabilité handling | Essential entities must have processes for zero-day detection, triage, and emergency corrigering of entreprise infrastructure |
| DORA | Art. 9 — gestion des risques TIC | Financial entities must include entreprise zero-day scenarios in évaluation des risquess and maintain emergency corrigering procedures |
| CRA | Art. 11 — Vulnérabilité reporting | Product manufacturers face obligatoire 24-hour reporting of activement exploiteré vulnérabilités starting September 2026 |
| EU AI Act | Art. 15 — Accuracy, robustness, security | systèmes d'IA must be resilient to exploiteration — the Gemini Chrome CVE demonstrates AI components create new vulnérabilité classes |
Compliance Takeaway
The shift to entreprise-targeted zero-days means your security infrastructure itself is now the primary surface d'attaque. NIS2 and DORA conformité programs must include specific procedures for zero-day response in security appliances, not just traditional terminaux. Organisations should implement réseau segmentation that assumes security appliances may be compromis, and déployer out-of-band monitoring for edge devices.
🛡️ Microsoft Copilot Data Protection: AI Governance in Practice
Microsoft announced new prévention de la perte de données (DLP) controls for Microsoft 365 Copilot, responding to répandu customer complaints that Copilot was including confidential information in its AI-generated reports. The new controls extend DLP policies to locally saved files — previously, DLP only protected files stored in OneDrive and SharePoint.
What Changed
The core issue: Microsoft 365 Copilot's assistant IA could access and process files stored locally on users' machines, even when DLP policies restricted those same files on OneDrive and SharePoint. This gap meant confidential documents — marked as sensitive by DLP rules — could be summarized, quoted, or referenced in Copilot-generated reports without any protection applied.
- New default behavior (April 2026): DLP policies will apply to all files Copilot accesses, regardless of storage location
- Applied by default: Organisations do not need to opt in — the protection will be automatic
- Retroactive application: Existing DLP policies will extend to cover Copilot's local file access
Regulatory Significance
This episode illustrates a regulatory pattern that conformité teams must internalize:
- GDPR Article 25 (Data Protection by Design): Copilot's original behavior — processing confidential data without applying existing DLP rules — arguably violated the principle of data protection by design and by default. Organisations that déployé Copilot without verifying DLP coverage may face controller liability
- EU AI Act Article 9 (Risk Management): systèmes d'IA that process personal or confidential data must include controls to prevent non autorisé exposition de données. Copilot's DLP gap is exactly the type of risk that Article 9 gestion des risques systems must identify and atténuer
- DORA Article 28 (Third-Party ICT Risk): Financial entities using Microsoft 365 Copilot must treat this DLP gap as a material risque TIC event. Document the gap, the timeline for remédiation (April 2026), and any interim compensating controls in your third-party risk register
- NIS2 Article 21(2)(d) — Supply chain security: Copilot is a third-party AI component in your ICT environment. Its data handling behavior is a chaîne d'approvisionnement risk that must be continuously assessed
Action Required
Do not wait until April. Audit your Copilot déployerment now to identify what confidential data it may have already processed without DLP protection. Under GDPR Article 33, if personal data a été exposé through Copilot's DLP gap, you may have a reportable violation de données. Document your assessment and any compensating controls for your supervisory authority.
⚠️ Fake AI Navigateur Extensions: Consumer Protection Gap
Malicious "AI" Extensions Flooding App Stores
Security researchers confirmé a growing trend of malveillant navigateur extensions masquerading as AI productivity tools, appearing in major app stores and successfully bypassing initial review processes. These extensions provide some expected AI functionality while silently harvesting user data, identifiants, and browsing history.
The Regulatory Gap
This trend exposes lacune critiques in existing regulatory frameworks:
- EU AI Act Article 52 (Transparency): systèmes d'IA interacting with users must be identifiable as AI and disclose their purpose. Fake AI extensions violate both transparency and purpose limitation requirements, but application mechanisms for app store distribution are undefined
- Digital Services Act (DSA): App stores qualify as "online platforms" under the DSA and must implement measures to prevent the distribution of extensions malveillantes. This includes proactive security review obligations for Very Large Online Platforms (VLOPs)
- GDPR Article 5(1)(b) — Purpose Limitation: Extensions that collect data beyond their stated AI functionality violate the purpose limitation principle. Data protection authorities should prioritize application against these actors
- CRA Product Security: When CRA reporting obligations take effect in September 2026, app stores may face requirements to report activement exploiteré vulnérabilités in distributed software, including extensions malveillantes
Entreprise Recommendation
Implement navigateur extension allowlisting for all corporate environments. Under NIS2 Article 21(2)(i), organisations must ensure employees cannot install unvetted extensions on corporate devices. Maintain an approved extension list and use group policy to block all others. AI tool governance is now a security control, not an IT convenience.
📅 Regulatory Calendar: Key Dates Ahead
| Date | Framework | Milestone |
| March 11, 2026 | Correctif Tuesday | Microsoft Mars 2026 release — after 90 zero-days in 2025, prepare for significant corrigeres |
| April 2026 | Microsoft | Copilot DLP local file protection applied by default — verify your DLP policies cover all data categories |
| May 2, 2026 | EU AI Act | GPAI model transparency obligations take effect — AI providers must publish training data summaries |
| August 2, 2026 | EU AI Act | Élevé-risk système d'IA requirements enforceable (Articles 6-49) — full conformité stack required |
| September 11, 2026 | CRA | Obligatoire reporting of activement exploiteré vulnérabilités begins — 24-hour notification requirement |
| October 17, 2026 | NIS2 | Member state transposition deadline — all 27 EU countries must have NIS2 in national law |
| 2029-2030 | GCOT/6G | Expected initial 6G commercial rollouts — security-by-design principles must be embedded in standards by then |
🔑 Points clés for Compliance Teams
- 6G security standards are being shaped now. GCOT's eight principles set expectations that will become exigences obligatoires. Telecom operators and equipment manufacturers should align their security-by-design processes with these principles today — waiting for final standards means playing catch-up.
- AI risque interne is a conformité obligation, not an HR issue. With 42% of organisations reporting increases in AI-driven menaces internes, NIS2 and DORA conformité programs must include specific AI tool governance controls — shadow AI audits, DLP for AI-assisted access, and menace interne baselines that account for AI capabilities.
- Your security infrastructure is the target. Google's 90 zero-days finding, with nearly half targeting entreprise security and réseauing appliances, means vulnérabilité management programs must prioritize the tools meant to protect you. Assume compromise of edge devices and implement out-of-band monitoring.
- Microsoft Copilot's DLP gap is a preview of gouvernance de l'IA failures. Organisations déployering AI productivity tools without verifying data handling controls face GDPR, EU AI Act, and NIS2 liability. Audit AI tool data access before regulators ask questions.
- Fake AI extensions are a consumer protection crisis. Until DSA and CRA application catches up, entreprise navigateur extension allowlisting is your only reliable defense. Implement it now.
- Correctif Tuesday preparation is not optional. After a record year of entreprise zero-days, DORA and NIS2 entities without documented, tested emergency corrigering procedures are running a conformité deficit that supervisors will identify.
Automate Your Compliance Monitoring
KENSAI's continuous security scanning identifies zero-day exposures, AI-related vulnérabilités, and conformité gaps across your infrastructure — aligned with NIS2, DORA, and EU AI Act requirements.
Lancer un scan de sécurité gratuit →
Publié par the KENSAI Security Recherche Team — 9 mars 2026
Sources: GCOT, UK Gouvernement, Google GTIG, Mimecast, Palo Alto Réseaus, Microsoft, Help Net Security, Infosecurity Magazine, ENISA