剣 KENSAI
← All posts · security · 2026-03-18 · 8 min

EU Sanctions Chinese & Iranian Firms for Cyberattacks on Critical Infrastructure, Tech Giants Invest $12.5M in Open Source Security, CISOs Struggle With AI Act Readiness

The European Council imposes sanctions on three entities and two individuals for cyberattacks targeting EU critical infrastructure across six member states. Anthropic, AWS, Google, Microsoft, and OpenAI commit $12.5 million to Linux Foundation open source security initiatives. A new benchmark report reveals 67% of CISOs have limited visibility into AI usage — a critical gap as EU AI Act enforcement timelines approach.

Is your organization NIS2-compliant? KENSAI scans your infrastructure against NIS2, DORA & GDPR requirements automatically.
Check Compliance →

65K
Devices hacked across 6 EU states by sanctioned entity
$12.5M
Tech giants' investment in open source security
67%
CISOs with limited AI security visibility
174
Vulnerabilities targeted by RondoDox botnet

1. EU Council Sanctions Chinese and Iranian Entities for Cyberattacks

The Council of the European Union announced sanctions on March 16 against three companies and two individuals for their roles in cyberattacks targeting EU critical infrastructure and member state devices. This marks the most significant expansion of the EU's cyber sanctions regime since its inception in 2019, and sends a clear signal that cyber operations against EU infrastructure carry real economic consequences.

Who Was Sanctioned

NIS2 and Regulatory Implications

The sanctions carry asset freezes and travel bans. EU citizens and companies are prohibited from making funds or economic resources available to sanctioned entities. With the EU's cyber sanctions list now covering 19 individuals and 7 entities, this action demonstrates that NIS2's emphasis on supply chain security and third-country threat actors is backed by diplomatic enforcement.

NIS2 Key takeaway: Organizations subject to NIS2 essential and important entity requirements should review their supply chain relationships for any connections to sanctioned entities. Under NIS2 Article 21, supply chain security measures must account for state-sponsored threat actors and their commercial proxies.

2. Tech Giants Commit $12.5M to Open Source Security

Anthropic, AWS, Google, Microsoft, and OpenAI have collectively invested $12.5 million in the Linux Foundation's long-term security initiatives focused on open source software. The funding targets critical projects including automated vulnerability detection, secure software development lifecycle (SDLC) tooling, and Software Bill of Materials (SBOM) standardization.

Why This Matters for EU Regulation

The investment arrives at a pivotal moment for the EU Cyber Resilience Act (CRA), which requires manufacturers of products with digital elements to ensure security throughout the product lifecycle — including open source dependencies. The CRA's transitional period runs through 2027, but preparatory obligations are already in effect.

CRA Action required: Organizations using open source software in products sold in the EU should begin SBOM generation and vulnerability tracking now. The CRA's vulnerability handling obligations (Article 11) and technical documentation requirements (Annex VII) are approaching. KENSAI's dependency scanning can identify vulnerable open source components in your stack.

3. 67% of CISOs Lack AI Visibility — EU AI Act Compliance at Risk

The AI and Adversarial Testing Benchmark Report 2026, based on a survey of 300 U.S. CISOs and senior security leaders, reveals a stark reality: 67% of CISOs reported limited visibility into how AI is being used across their organization. Not a single respondent claimed full visibility. Meanwhile, AI adoption continues to accelerate, with AI systems now layered across cloud platforms, identity systems, applications, and data pipelines.

EU AI Act Implications

While the survey focused on U.S. organizations, the findings are a warning shot for EU companies approaching EU AI Act enforcement milestones:

⚠️ Shadow AI + EU AI Act = Compliance Time Bomb

If 67% of security leaders can't see their AI footprint, they cannot classify AI systems by risk level, implement required safeguards, or maintain the conformity documentation the EU AI Act demands. With high-risk AI requirements taking effect in August 2026 — just five months away — organizations need AI discovery and governance programs now, not after enforcement begins.

4. Apple Launches Silent Background Security Patching

Apple released its first-ever Background Security Improvements update on March 17, patching CVE-2026-20643 — a WebKit Same Origin Policy bypass flaw — across iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1/26.3.2. The update was applied automatically without requiring a full OS upgrade or device restart.

CRA Product Liability Angle

This is significant from a Cyber Resilience Act perspective. The CRA requires manufacturers to provide security updates for the expected product lifetime, and to deliver updates "without undue delay" after discovering vulnerabilities. Apple's new mechanism demonstrates what CRA-compliant patching infrastructure looks like:

Under CRA Article 10, manufacturers must ensure that "vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates." Apple's approach may become the benchmark against which EU regulators measure other vendors' patching capabilities.

5. RondoDox Botnet Exploits 174 Vulnerabilities at Scale

The RondoDox botnet has increased its exploitation activity to 15,000 attempts per day, targeting 174 distinct vulnerabilities across networking equipment, IoT devices, and enterprise infrastructure. SecurityWeek reports the botnet is taking "a more targeted approach," focusing on organizations with exposed management interfaces.

NIS2 Vulnerability Management Requirements

Regulation Status Dashboard — March 18, 2026

Regulation Status This Week's Impact
NIS2 Enforcement active across EU EU sanctions demonstrate enforcement of supply chain and third-country threat actor provisions
GDPR Fully enforced (UK & EU) Ongoing fallout from Companies House breach; sanctions reinforce data protection in critical infrastructure
DORA Applied since Jan 17, 2025 RondoDox botnet targeting financial infrastructure raises ICT risk management scrutiny
EU AI Act Phased enforcement through 2027 67% CISO AI visibility gap threatens high-risk AI compliance deadline (Aug 2026)
CRA Transitional period until 2027 $12.5M open source investment + Apple silent patching set CRA compliance benchmarks

What Organizations Should Do This Week

  1. Screen supply chains for sanctioned entities — Check whether any technology vendors, open source contributors, or service providers have ties to Integrity Technology Group, Anxun/i-Soon, or Emennet Pasargad. NIS2 supply chain obligations make this mandatory
  2. Begin SBOM generation for all products — The CRA vulnerability handling deadline is approaching. Use the Linux Foundation's standardized tooling to generate and maintain SBOMs for products containing open source components
  3. Launch AI discovery program — With high-risk AI requirements taking effect in 5 months, inventory all AI systems, classify by risk level, and establish governance frameworks. If you can't see it, you can't comply
  4. Evaluate patching infrastructure — Apple's Background Security Improvements sets the CRA bar. Assess whether your products can deliver security updates rapidly and with minimal user friction
  5. Audit vulnerability coverage against RondoDox target list — Cross-reference your vulnerability management program against the 174 CVEs in the RondoDox botnet's arsenal. Automated continuous scanning is the only scalable approach