← Back to Security Blog
Compliance & Regulations 2026년 3월 7일 9분 읽기

EU 사이버 복원력 법 지침 발표, DSA 보고 마감, 6G 보안 프레임워크 출범

A packed week for EU cybersecurity regulation. The European Commission published draft CRA implementation guidance for product manufacturers. The first wave of DSA transparency reports landed. A seven-nation coalition released 6G security-by-design guidelines. And new AI 취약점 — including a high-severity Gemini 익스플로잇 — underscore why the EU AI Act cannot arrive fast enough.


📋 사이버 복원력 법: 피드백용 초안 지침 발표

New — CRA Implementation Guidance Open for Comment

On March 3, 2026, the European Commission published draft guidance to help companies meet the obligations of the Cyber Resilience Act (CRA). The guidance is open for public feedback, marking a critical milestone as the regulation moves from legislation to implementation.

The CRA, which entered into force in December 2024, establishes mandatory cybersecurity requirements for all products with digital elements sold in the EU. Manufacturers, importers, and distributors must ensure products meet essential security requirements throughout their lifecycle.

Key CRA Deadlines

What the Draft Guidance Covers

The Commission's guidance addresses the most common implementation questions from industry:

Action required: 제품 manufacturers, software companies, and IoT vendors operating in the EU should review the draft guidance and submit feedback before the consultation period closes. Companies should begin CRA compliance programs now — September 2026 reporting obligations are only six months away.


📊 디지털 서비스 법: 첫 투명성 보고 마감일 경과

The first round of harmonised transparency reports under the Digital Services Act (DSA) were due by the end of February 2026. Providers of intermediary services — including platforms, hosting services, and search engines — were required to publish reports detailing their content moderation activities, government requests, and algorithmic recommendation systems.

What DSA Transparency Reports Must Include

The European Commission is now reviewing the first batch of reports. 아니오n-compliant platforms face 최대 벌금 6% of global annual turnover. Several smaller intermediary services reportedly missed the deadline, and the Commission has signaled it will pursue 집행 조치.


🌐 6G 사이버보안: 서방 연합 보안 설계 지침 발표

New Framework — 6G Security Guidelines Published

On March 4, 2026, a coalition of seven Western nations — including EU member states — launched comprehensive cybersecurity guidelines for future 6G telecommunications standards. The framework mandates security-by-design principles be integrated from the earliest stages of 6G development.

The guidelines directly address lessons learned from 5G security controversies, particularly around supply chain risks and vendor trust. Key principles include:

The framework aligns with the EU's broader approach under NIS2 and the CRA, creating a unified regulatory posture across critical telecommunications infrastructure.


🤖 AI 보안 취약점이 EU AI Act 긴급성을 부각

이번 주's AI security developments underscore the critical need for the EU AI Act's 규제 프레임워크:

Gemini AI Exploit in Chrome (CVE-2026-0628)

Google patched a high-severity 취약점 (CVSS 8.8) in its Gemini AI implementation within the Chrome browser. Reported by Palo Alto Networks' Unit 42, the elevation of privilege flaw could have allowed malicious browser extensions with basic permissions to hijack the Gemini Live panel — accessing user conversations and executing actions on behalf of the user.

Fake AI Extensions Proliferating in App Stores

Security researchers continue to flag a surge of trojanized "AI" browser extensions appearing in official app stores. These extensions claim to provide AI functionality while secretly exfiltrating user data, session tokens, and browsing activity. The trend 익스플로잇s consumer demand for AI tools without adequate marketplace security.

ContextCrush: AI Development Tools Under Attack

A critical 취약점 dubbed "ContextCrush" 발견되었습니다 in the Context7 MCP Server, a tool used in AI development pipelines. 이 취약점은 공격자가 할 수 있게 할 수 있습니다 inject malicious instructions into AI development workflows, potentially poisoning AI training data or model outputs at the source.

EU AI Act 타임라인: The Act's prohibited practices provisions took effect in February 2025. 높음-risk AI system obligations apply from August 2026. The EU AI Office is developing harmonized standards and guidance. These 취약점 demonstrate exactly why mandatory AI security requirements — including 위험 평가s, 취약점 management, and transparency obligations — are essential.


📈 NIS2 & DORA 현황 업데이트

NIS2: Enforcement Intensifies

EU member states continue to ramp up NIS2 enforcement. Key developments 이번 주:

DORA: Financial Sector Compliance Countdown

The Digital Operational Resilience Act has been in effect since January 17, 2025. Financial entities should now be in full compliance. Key Q1 2026 compliance activities:


🗓️ 다가오는 규제 마감일

날짜 Regulation Milestone
Jun 2026 NIS2 Netherlands: Entity self-assessment deadline
Aug 2026 EU AI Act 높음-risk AI system obligations apply
Sep 2026 CRA 취약점 reporting obligations begin
Q4 2026 DORA First TLPT cycle completion for significant entities
Dec 2027 CRA Full product compliance required

✅ 이번 주 규정 준수 조치 사항

  1. CRA: Review the European Commission's draft CRA guidance and submit feedback. Begin product inventory and SBOM documentation.
  2. DSA: If you're an intermediary service provider, verify your transparency report was submitted. Address any gaps before 집행 조치 begin.
  3. NIS2: Update incident response playbooks with learnings from the LeakBase and Tycoon2FA takedowns. Review supply chain security posture.
  4. DORA: Ensure ICT 위험 관리 frameworks are documented and submitted. Schedule threat-led penetration testing.
  5. EU AI Act: Audit AI systems for the Gemini/ContextCrush 취약점 patterns. Update AI system risk classifications ahead of August 2026 obligations.
  6. 6G Preparedness: Telecom operators should begin reviewing the new 6G security guidelines for long-term infrastructure planning.

Automate Your Compliance with KENSAI

Continuous compliance monitoring for NIS2, DORA, CRA, GDPR, and EU AI Act. Real-time regulatory tracking with automated gap analysis.

Start Free Assessment →

Stay compliant. Stay ahead.

🗡️ KENSAI Compliance Intelligence

March 7, 2026