剣 KENSAI
← All posts · security · 2026-04-01 · 4 min

Forum InCyber 2026 Launches Cybersecurity Skills Push as EU Parliament Simplifies AI Act, Bans Nudifier AI, and e-Privacy CSAM Derogation Expires

The European Commission unveils new Cybersecurity Skills Academy commitments at Forum InCyber 2026 in Lille. MEPs vote to simplify AI Act high-risk system requirements and ban AI nudifier tools. The e-Privacy CSAM voluntary detection derogation expires without renewal. AI agent risk categorization emerges as a critical governance challenge under EU AI Act enforcement. Meanwhile, the Commission's own breach investigation raises uncomfortable NIS2 compliance questions.


1. Forum InCyber 2026: New Cybersecurity Skills Academy Commitments Unveiled in Lille

The European Commission announced a significant expansion of its Cybersecurity Skills Academy initiative at the Forum InCyber 2026 conference, which opened on March 31 in Lille and runs through April 2. The event, one of Europe's premier cybersecurity gatherings, served as the launchpad for new pledges aimed at closing the continent's worsening cybersecurity talent gap.

The Skills Crisis in Numbers

Europe faces a cybersecurity workforce shortage of approximately 500,000 professionals, according to ENISA's latest NIS Investments report published in December 2025. The sixth edition of that report revealed a troubling trend: organizations are shifting investment from people to technology, even as talent shortages deepen — creating a dangerous imbalance where sophisticated tools lack skilled operators.

⚠️ NIS2 Skills Mandate

NIS2 Article 20 requires that management bodies of essential and important entities undergo cybersecurity training and offer regular training to employees. With national transposition now in effect across member states, entities that cannot demonstrate adequate skills development programs face supervisory action. The Skills Academy commitments directly address this compliance requirement at the EU level.

What Was Announced

Regulatory Context

The timing is deliberate. With DORA's Threat-Led Penetration Testing (TLPT) framework now operational and the CRA's vulnerability reporting obligations arriving in September 2026, the demand for qualified cybersecurity professionals will spike dramatically. The Revised Cybersecurity Act proposal — currently under Parliamentary review — also includes provisions for workforce development as a strategic security priority.


2. EU Parliament Votes to Simplify AI Act and Ban AI Nudifier Systems

In a landmark vote on March 26, the European Parliament adopted proposals to simplify the EU AI Act's implementation framework while simultaneously introducing a categorical ban on AI-powered nudifier systems — tools that generate non-consensual intimate imagery using artificial intelligence.

AI Act Simplification

The Parliament's IMCO and LIBE committees pushed through amendments that clarify and streamline several aspects of the AI Act's high-risk system requirements:

📊 Implementation timeline update: With the simplification vote, the Parliament has effectively confirmed that high-risk AI system requirements will apply from August 2, 2026 — now just four months away. Organizations must complete conformity assessments, prepare technical documentation, and register in the EU database by this date.

AI Nudifier Ban

The ban on AI nudifier systems adds a new prohibited practice under Article 5 of the AI Act. MEPs classified these tools as presenting an "unacceptable risk" to fundamental rights, specifically dignity, privacy, and protection from gender-based violence.

The prohibition covers:

🔶 GDPR & AI Act Intersection

The nudifier ban reinforces existing GDPR protections around biometric data (Article 9) and the right to erasure (Article 17). Victims of AI-generated intimate imagery can now invoke both the AI Act's prohibited practices framework and GDPR's special category data protections. National data protection authorities gain additional enforcement tools, with penalties under the AI Act reaching up to €35 million or 7% of global annual turnover for prohibited practices.


3. e-Privacy CSAM Derogation Expires: Voluntary Detection Ends

In a controversial decision with far-reaching implications, the European Parliament voted not to renew the interim derogation from e-Privacy rules that had allowed online service providers to voluntarily detect child sexual abuse material (CSAM) in private communications.

What This Means

Since 2021, an interim regulation had provided a legal basis for platforms like Meta, Google, and Microsoft to scan private messages for known CSAM imagery using hash-matching technology. Without renewal, these voluntary scanning activities become legally problematic under the e-Privacy Directive, which protects the confidentiality of electronic communications.

AspectBefore ExpiryAfter Expiry
Voluntary CSAM scanning✅ Legal under derogation❌ Conflicts with e-Privacy
Hash-matching technology✅ Permitted⚠️ Legal uncertainty
Platform liabilitySafe harbor for good-faith scanningRisk of privacy complaints
NCMEC reportingOngoing from EU platformsExpected significant decrease

The Regulatory Deadlock

The expiry highlights the unresolved tension between the proposed CSAM Regulation (often called "Chat Control") and fundamental rights to privacy. The Council of the EU and Parliament remain at odds over the scope of client-side scanning mandates, with several member states' constitutional courts flagging concerns about mass surveillance.

📌 GDPR implications: Service providers that continue voluntary scanning without the derogation may face complaints under GDPR Article 5(1)(a) (lawfulness) and the e-Privacy Directive Article 5(1) (confidentiality of communications). The European Data Protection Board has urged legislators to find a solution that balances child protection with fundamental rights — but no compromise has materialized.


4. AI Agent Risk Governance: The Emerging Regulatory Challenge

As enterprises rapidly deploy autonomous AI agents that can reason, plan, and execute actions across business systems, a critical governance gap is emerging under the EU AI Act framework. Industry experts are warning that current risk categorization approaches are insufficient for the agentic AI paradigm.

Three Categories of AI Agent Risk

Security researchers have proposed a risk framework based on two variables: access (what systems and data an agent can reach) and autonomy (how independently it operates):

Agent TypeAccess LevelAutonomyRisk Profile
Agentic ChatbotsPlatform-confinedHuman-triggeredLow–Medium
Local AgentsInherit user permissionsUser-delegatedMedium–High
Production AgentsEnterprise-wideFully autonomousCritical

EU AI Act Alignment Challenges

The AI Act's risk-based classification (minimal, limited, high-risk, unacceptable) was designed primarily for static AI systems with predictable outputs. Agentic AI systems that dynamically expand their own access, chain tool calls, and make autonomous decisions across multiple enterprise systems don't fit neatly into these categories.

🔶 Compliance Gap Alert

With the AI Act's high-risk system requirements taking effect in August 2026, organizations deploying production AI agents in critical infrastructure, finance, or HR processes must determine now whether their agentic systems qualify as high-risk under Annex III. The simplification vote helps clarify timelines, but the fundamental question of how to classify dynamically behaving agents remains unresolved at the regulatory level.


5. European Commission Breach Investigation: NIS2 Compliance Under the Microscope

The European Commission's ongoing investigation into the breach of its public-facing web infrastructure — disclosed on March 24 after attackers compromised Europa-hosted websites — continues to raise pointed questions about the institution's own compliance with the regulations it champions.

Latest Developments

According to The Register's reporting, the Commission has confirmed that data was exfiltrated from its cloud systems hosting Europa websites, but has provided minimal detail about the scope, impact, or attack vector. The institution is notifying "Union entities" whose data may have been affected.

This is the Commission's second security incident in 2026, following the February disclosure that staff mobile phones were compromised — potentially exposing names and numbers. Separately, BleepingComputer reported that a threat actor may have accessed the Commission's AWS cloud environment, claiming exfiltration of over 350 GB of data.

⚠️ The NIS2 Credibility Question

The Commission's bare-bones disclosure stands in stark contrast to the transparency requirements it expects from regulated entities under NIS2. Article 23 mandates that essential entities report significant incidents to competent authorities within 24 hours (early warning), 72 hours (incident notification), and one month (final report). While EU institutions operate under a separate framework (Regulation 2023/2841), the optics of the body enforcing NIS2 struggling with its own incident disclosure are — to put it diplomatically — unhelpful.

Implications for DORA and Cloud Concentration Risk

The breach also spotlights a risk that DORA's ICT third-party concentration provisions (Article 29) were designed to address: over-reliance on a single cloud provider for critical systems. If the Commission's AWS environment was indeed the entry point, it validates the regulatory logic behind DORA's requirement for exit strategies and multi-cloud resilience planning — requirements that financial entities must now implement.


The Bigger Picture: April 2026 Regulation Tracker

As Q2 2026 begins, the EU's digital regulatory framework is entering its most consequential phase. Here's where the major instruments stand:

RegulationStatusNext Critical Date
NIS2National transposition in effectOngoing supervisory enforcement
DORAFully applicable since Jan 2025TLPT testing cycles underway
EU AI ActProhibited practices & GPAI in effectHigh-risk requirements: Aug 2, 2026
CRAIn force, implementation phaseVulnerability reporting: Sep 2026
GDPRFully applicableAI nudifier enforcement coordination
Revised Cybersecurity ActParliamentary reviewExpected Council position Q3 2026
Cybersecurity Skills AcademyExpanded at Forum InCyberPilot programs launching Q2 2026

The convergence of these frameworks creates both compliance complexity and strategic opportunity. Organizations that build unified governance structures spanning NIS2, DORA, and the AI Act will find that investments compound — a risk assessment framework built for one regulation often satisfies requirements across several.