← Back to Security Blog
Compliance & Regulations
Analysis
2026년 3월 9일
11분 읽기
6G 보안 설계 지침, AI 내부자 위험 임계 수준 도달, 기업 제로데이 사상 최고 — 규제 라운드업 2026년 3월 9일
Seven Western nations publish security-by-design principles for 6G networks before standards are even finalized. Mimecast reports AI-driven insider threats have become a "critical business threat" — 42% of organizations saw increases in both malicious and negligent insider incidents. Google's Threat Intelligence Group tracked 90 zero-days in 2025, with enterprise software now the primary target. Microsoft responds to Copilot data leakage concerns with new DLP controls. And a high-severity Gemini AI 취약점 in Chrome raises fresh questions about AI security under the EU AI Act. Here's what regulators and 규정 준수팀 need to act on 이번 주.
📡 GCOT, 6G 보안 설계 원칙 발표
The Global Coalition on Telecoms (GCOT) — comprising Australia, Canada, Finland, Japan, Sweden, the UK, and the US — released voluntary 6G Security and Resilience Principles at Mobile World Congress 2026 in Barcelona. Industry partners including AT&T, BT, Ericsson, NVIDIA, 아니오kia, Qualcomm, Samsung, and Vodafone endorsed the framework.
Why This Matters Before 6G Exists
With 6G commercial rollouts not expected until 2029-2030, this is one of the earliest instances of security-by-design regulation preceding the technology it governs. The coalition assessed that 6G will bring more virtualized network functions, disaggregated architectures with standardized interfaces, and native AI integration — each creating new attack surfaces that 해결해야 합니다 at the standards level, not retrofitted after deployment.
The Eight Principles
GCOT defined four security and four resilience objectives:
| Category | Principle | Key Requirement |
| Security | Containment | Limit propagation of malicious actors through the network |
| Security | Confidentiality | Privacy-by-design for user data, secure against eavesdropping |
| Security | Integrity | Data integrity guarantees across network transit and infrastructure |
| Security | Access Control | Authentication and authorization for all network components |
| Resilience | Service Continuity | Maintain availability under challenging circumstances |
| Resilience | Supply Chain | Multi-vendor security with trusted supplier assurance |
| Resilience | Physical Security | Resilience against physical and environmental threats |
| Resilience | Recovery | Rapid restoration after security incidents or disruptions |
Regulatory Alignment
These principles directly map to existing and emerging EU regulations:
- NIS2 Article 21: The security principles mirror NIS2's 위험 관리 measures for essential entities in the telecommunications sector — containment, integrity, and access control are core NIS2 requirements
- EU Cyber Resilience Act (CRA): The supply chain and security-by-design principles align with CRA's product security requirements, which will apply to 6G network equipment when commercialized
- European Electronic Communications Code (EECC): GCOT's resilience principles complement EECC Articles 40-41 on network security and integrity
- EU AI Act: With AI natively integrated into 6G networks, the AI governance requirements under Articles 6-49 will apply to AI components in 6G infrastructure classified as high-risk
Compliance Takeaway
Telecom operators and network equipment manufacturers should begin mapping GCOT principles against their existing NIS2 and CRA compliance programs now. When 6G standards are finalized by 3GPP, organizations with security-by-design embedded in their development processes will have a significant compliance head start. This is the rare opportunity to shape regulatory expectations before they become mandatory.
🤖 AI 기반 내부자 위험: "핵심 비즈니스 위협"
42% of Organizations Report Rising Insider Threats
Mimecast's State of Human Risk Report 2026, based on a survey of 2,500 IT security decision makers across 아니오rth America, Europe, Southeast Asia, and Australia, finds that insider risk has escalated to critical levels — driven in large part by employees misusing AI tools and attackers weaponizing AI for more effective 소셜 엔지니어링.
Key Findings
- 42% increase in malicious insider incidents: Employees deliberately stealing, manipulating, or destroying data — often using AI tools to locate and exfiltrate sensitive information 대규모로
- 42% increase in negligent incidents: Employees using personal cloud accounts, weak passwords, or falling for AI-enhanced 피싱 — carelessness amplified by the false sense of security that AI productivity tools provide
- 10% year-over-year growth in CISO concern about malicious insiders, with security leaders now expecting an average of six insider-driven threats per month
- AI as both weapon and 취약점: Attackers use AI to craft more convincing 피싱 lures, while insiders use AI to search for and extract sensitive data more efficiently
EU AI Act Implications
The EU AI Act's risk-based framework has direct relevance to AI-driven insider threats:
- Article 9 (위험 관리): 높음-risk AI systems deployed in workplace environments must include 위험 관리 systems that address misuse scenarios — including deliberate abuse by authorized users
- Article 14 (Human Oversight): AI tools used in corporate environments must maintain human oversight capabilities, including the ability to detect and prevent 데이터 유출 patterns
- Article 13 (Transparency): Organizations deploying AI productivity tools must inform users about the system's capabilities and limitations — employees must understand what data AI tools can access
- Article 52 (Specific Transparency): AI systems generating content or interacting with humans must be identifiable as AI — this applies to AI-crafted 피싱 emails targeting employees
NIS2 and DORA Requirements
Insider threats are explicitly within scope of both frameworks:
- NIS2 Article 21(2)(i): Requires "human resources security" measures, including background checks, security awareness, and access management — AI tool governance must now be part of this
- NIS2 Article 21(2)(a): Risk analysis and information system security policies must account for AI-amplified insider risk scenarios
- DORA Article 5: Financial entities must include insider threat scenarios in their ICT 위험 관리 frameworks, with AI-driven threats requiring specific detection and response capabilities
- DORA Article 13: Learning and evolving requirements mean financial entities must update their threat intelligence to include AI-enabled insider attack patterns
Action Required
조직은 해야 합니다 immediately audit which AI tools employees are using (shadow AI), implement DLP controls on AI-assisted data access, and update their insider threat detection baselines. Under NIS2 and DORA, failure to address known AI-driven insider risk patterns is now a compliance gap. Include AI misuse scenarios in your next tabletop exercise.
🎯 기업 제로데이 사상 최고치: 2025년 90건
Enterprise Software 아니오w the Primary Target
Google Threat Intelligence Group (GTIG) reported that 90 zero-day 취약점 were actively 익스플로잇ed in 2025 — up from 78 in 2024. The critical shift: 48% now target enterprise software and appliances, up from 46% in 2024, with security and networking products bearing the heaviest impact.
The Enterprise Shift
Google's analysis reveals a structural change in the threat landscape:
- 43 zero-days targeted enterprise products — security appliances, networking equipment, virtualization platforms, and enterprise applications
- 21 of those (nearly half) targeted security and networking solutions — firewalls, VPNs, routers, and security gateways that sit at the network edge
- Edge devices are blind spots: Security appliances often lack endpoint detection and response (EDR) coverage, making zero-day 익스플로잇ation harder to detect
- Attackers are embedding deeply in critical business infrastructure, using compromised enterprise tools for 권한 상승 and 횡적 이동
Additional GTIG Findings
- Windows remains most targeted OS: Of the 47 end-user zero-days, 24 (27% of total) targeted operating systems, with Microsoft Windows leading
- Mobile zero-days surged: 15 mobile OS zero-days in 2025, up from 9 in 2024 — a 67% increase
- Browser zero-days hit historic low: As browser sandboxing improves, attackers are shifting to less hardened targets
- CVE-2026-0628 (Gemini AI in Chrome): A 높음-severity (CVSS 8.8) elevation of privilege 취약점 allowing malicious extensions to hijack Gemini Live in the Chrome browser panel
Regulatory Implications
| Framework | Requirement | 영향 of Zero-Day Surge |
| NIS2 | Art. 21(2)(e) — 취약점 handling | Essential entities must have processes for zero-day detection, triage, and emergency patching of enterprise infrastructure |
| DORA | Art. 9 — ICT 위험 관리 | Financial entities must include enterprise zero-day scenarios in 위험 평가s and maintain emergency patching procedures |
| CRA | Art. 11 — 취약점 reporting | 제품 manufacturers face mandatory 24-hour reporting of actively 익스플로잇ed 취약점 starting September 2026 |
| EU AI Act | Art. 15 — Accuracy, robustness, security | AI systems must be resilient to 익스플로잇ation — the Gemini Chrome CVE demonstrates AI components create new 취약점 classes |
Compliance Takeaway
The shift to enterprise-targeted zero-days means your security infrastructure itself is now the primary attack surface. NIS2 and DORA compliance programs must include specific procedures for zero-day response in security appliances, not just traditional endpoints. 조직은 해야 합니다 implement network segmentation that assumes security appliances may be compromised, and deploy out-of-band monitoring for edge devices.
🛡️ Microsoft Copilot 데이터 보호: 실전 AI 거버넌스
Microsoft announced new data loss prevention (DLP) controls for Microsoft 365 Copilot, responding to widespread customer complaints that Copilot was including confidential information in its AI-generated reports. The new controls extend DLP policies to locally saved files — previously, DLP only protected files stored in OneDrive and SharePoint.
What Changed
The core issue: Microsoft 365 Copilot's AI assistant could access and process files stored locally on users' machines, even when DLP policies restricted those same files on OneDrive and SharePoint. This gap meant confidential documents — marked as sensitive by DLP rules — could be summarized, quoted, or referenced in Copilot-generated reports without any protection applied.
- New default behavior (April 2026): DLP policies will apply to all files Copilot accesses, regardless of storage location
- Applied by default: Organizations do not need to opt in — the protection will be automatic
- Retroactive enforcement: Existing DLP policies will extend to cover Copilot's local file access
Regulatory Significance
This episode illustrates a regulatory pattern that 규정 준수팀 must internalize:
- GDPR Article 25 (Data Protection by Design): Copilot's original behavior — processing confidential data without applying existing DLP rules — arguably violated the principle of data protection by design and by default. Organizations that deployed Copilot without verifying DLP coverage may face controller liability
- EU AI Act Article 9 (위험 관리): AI systems that process personal or confidential data must include controls to prevent unauthorized 데이터 노출. Copilot's DLP gap is exactly the type of risk that Article 9 위험 관리 systems must identify and mitigate
- DORA Article 28 (Third-Party ICT Risk): Financial entities using Microsoft 365 Copilot must treat this DLP gap as a material ICT risk event. Document the gap, the timeline for remediation (April 2026), and any interim compensating controls in your third-party risk register
- NIS2 Article 21(2)(d) — Supply chain security: Copilot is a third-party AI component in your ICT environment. Its data handling behavior is a supply chain risk that must be continuously assessed
Action Required
Do not wait until April. Audit your Copilot deployment now to identify what confidential data it may have already processed without DLP protection. Under GDPR Article 33, if personal data 노출되었습니다 through Copilot's DLP gap, you may have a reportable data breach. Document your assessment and any compensating controls for your supervisory authority.
⚠️ 가짜 AI 브라우저 확장 프로그램: 소비자 보호 공백
Malicious "AI" Extensions Flooding App Stores
Security researchers confirmed a growing trend of malicious browser extensions masquerading as AI productivity tools, appearing in major app stores and successfully bypassing initial review processes. These extensions provide some expected AI functionality while silently harvesting user data, 자격 증명s, and browsing history.
The Regulatory Gap
This trend exposes critical gaps in existing 규제 프레임워크s:
- EU AI Act Article 52 (Transparency): AI systems interacting with users must be identifiable as AI and disclose their purpose. Fake AI extensions violate both transparency and purpose limitation requirements, but enforcement mechanisms for app store distribution are undefined
- Digital Services Act (DSA): App stores qualify as "online platforms" under the DSA and must implement measures to prevent the distribution of malicious extensions. This includes proactive security review obligations for Very Large Online Platforms (VLOPs)
- GDPR Article 5(1)(b) — Purpose Limitation: Extensions that collect data beyond their stated AI functionality violate the purpose limitation principle. Data protection authorities should prioritize enforcement against these actors
- CRA 제품 Security: When CRA reporting obligations take effect in September 2026, app stores may face requirements to report actively 익스플로잇ed 취약점 in distributed software, including malicious extensions
Enterprise Recommendation
Implement browser extension allowlisting for all corporate environments. Under NIS2 Article 21(2)(i), organizations must ensure employees cannot install unvetted extensions on corporate devices. Maintain an approved extension list and use group policy to block all others. AI tool governance is now a security control, not an IT convenience.
📅 규제 일정: 주요 예정일
| 날짜 | Framework | Milestone |
| March 11, 2026 | Patch Tuesday | Microsoft March 2026 release — after 90 zero-days in 2025, prepare for significant patches |
| April 2026 | Microsoft | Copilot DLP local file protection applied by default — verify your DLP policies cover all data categories |
| May 2, 2026 | EU AI Act | GPAI model transparency obligations take effect — AI providers must publish training data summaries |
| August 2, 2026 | EU AI Act | 높음-risk AI system requirements enforceable (Articles 6-49) — full compliance stack required |
| September 11, 2026 | CRA | 의무 보고 of actively 익스플로잇ed 취약점 begins — 24-hour notification requirement |
| October 17, 2026 | NIS2 | Member state transposition deadline — all 27 EU countries must have NIS2 in national law |
| 2029-2030 | GCOT/6G | Expected initial 6G commercial rollouts — security-by-design principles must be embedded in standards by then |
🔑 규정 준수 팀을 위한 핵심 포인트
- 6G security standards are being shaped now. GCOT's eight principles set expectations that will become mandatory requirements. Telecom operators and equipment manufacturers should align their security-by-design processes with these principles today — waiting for final standards means playing catch-up.
- AI insider risk is a compliance obligation, not an HR issue. With 42% of organizations reporting increases in AI-driven insider threats, NIS2 and DORA compliance programs must include specific AI tool governance controls — shadow AI audits, DLP for AI-assisted access, and insider threat baselines that account for AI capabilities.
- Your security infrastructure is the target. Google's 90 zero-days finding, with nearly half targeting enterprise security and networking appliances, means 취약점 management programs must prioritize the tools meant to protect you. Assume compromise of edge devices and implement out-of-band monitoring.
- Microsoft Copilot's DLP gap is a preview of AI governance failures. Organizations deploying AI productivity tools without verifying data handling controls face GDPR, EU AI Act, and NIS2 liability. Audit AI tool data access before regulators ask questions.
- Fake AI extensions are a consumer protection crisis. Until DSA and CRA enforcement catches up, enterprise browser extension allowlisting is your only reliable defense. Implement it now.
- Patch Tuesday preparation is not optional. After a record year of enterprise zero-days, DORA and NIS2 entities without documented, tested emergency patching procedures are running a compliance deficit that supervisors will identify.
Automate Your Compliance 모니터링ing
KENSAI's continuous security scanning identifies zero-day exposures, AI-related 취약점, and compliance gaps across your infrastructure — aligned with NIS2, DORA, and EU AI Act requirements.
Start Free Security Scan →
Published by the KENSAI Security Research Team — March 9, 2026
Sources: GCOT, UK Government, Google GTIG, Mimecast, Palo Alto Networks, Microsoft, Help Net Security, Infosecurity Magazine, ENISA