剣 KENSAI
← All posts · security · 2026-03-26 · 5 min

EU Chips Act Implementation Dialogue, Dell & HP Ship Quantum-Resistant Security, PwC Warns AI Speeds Attacks, GitHub Expands AI Scanning, Coruna Spyware Linked to Operation Triangulation

Executive VP Virkkunen chairs a Chips Act implementation meeting with semiconductor industry leaders. Dell and HP announce quantum-resistant device security aligned with NIST PQC standards. PwC finds AI is amplifying cyberattack speed while identity theft industrialises. GitHub expands AI-powered security scanning beyond CodeQL. Kaspersky traces the Coruna exploit framework to Operation Triangulation — reigniting the EU spyware debate.


1. EU Chips Act Implementation Dialogue — Cybersecurity of Critical Infrastructure Chips

⚠️ REGULATORY SIGNAL — EU Semiconductor Supply Chain Security Under Active Review

Executive Vice-President Henna Virkkunen has convened a Chips Act implementation dialogue with semiconductor industry leaders and EU member states to discuss supply chain resilience, strategic autonomy, and the cybersecurity implications of chips used in critical infrastructure.

On March 26, 2026, Executive VP Henna Virkkunen chaired a high-level meeting bringing together semiconductor manufacturers, member state representatives, and critical infrastructure operators to assess the EU Chips Act's implementation progress. The Act, which entered into force in September 2023, aims to double the EU's global semiconductor market share to 20% by 2030.

The meeting focused on three critical areas:

NIS2 and CRA Intersection

The cybersecurity dimension is where the Chips Act meets NIS2 and the Cyber Resilience Act (CRA). Under NIS2, essential entities must secure their supply chains — and that includes the hardware they depend on. The CRA, meanwhile, will impose cybersecurity requirements on products with digital elements, which explicitly includes semiconductors with embedded firmware.

VP Virkkunen noted that "supply chain security begins at the silicon level" and signalled that future Chips Act implementing measures may include hardware security certification requirements for chips used in EU critical infrastructure.

What This Means for Your Organisation


2. Dell & HP Roll Out Quantum-Resistant Device Security

🔶 COMPLIANCE SHIFT — Post-Quantum Cryptography Arrives in Enterprise Hardware

Dell and HP have announced new quantum-resistant security capabilities for PCs and printers, aligned with NIST Post-Quantum Cryptography (PQC) standards — marking the first major wave of enterprise hardware migration to post-quantum algorithms.

Dell and HP have independently announced the integration of NIST-standardised post-quantum cryptographic algorithms into their latest enterprise device lines. Dell's new OptiPlex and Latitude series include PQC-based firmware signing and secure boot, while HP's new LaserJet Enterprise printers ship with quantum-resistant certificate chains.

This matters because of the "harvest now, decrypt later" threat: adversaries are already collecting encrypted data today, planning to decrypt it once quantum computers become powerful enough. By embedding PQC at the hardware level, Dell and HP are providing a defence against this long-term risk.

Regulatory Landscape for PQC

What This Means for Your Organisation


3. PwC: AI Amplifies Attack Speed, Identity Theft Industrialises

⚠️ THREAT INTELLIGENCE — AI-Powered Attacks Accelerating Faster Than Defences

PwC's latest Global Digital Trust report finds that AI is amplifying the speed and scale of cyberattacks, while identity theft has evolved into an industrial supply chain. The report directly challenges organisations' readiness for NIS2 identity governance requirements.

PwC's Global Digital Trust Insights 2026 survey — covering over 4,000 business and technology executives across 77 countries — delivers a sobering assessment: AI is shifting the advantage to attackers. Key findings include:

NIS2 Identity Governance Implications

Under NIS2 Article 21, essential and important entities must implement measures for access control and identity management. The PwC findings suggest that traditional identity governance — passwords, basic MFA, manual provisioning — is no longer sufficient. The regulation's "state of the art" requirement increasingly points toward:

What This Means for Your Organisation


4. GitHub Expands AI-Powered Security Scanning Beyond CodeQL

Software Supply Chain Security: GitHub has adopted AI-based vulnerability scanning for Code Security, expanding detection capabilities beyond its traditional CodeQL engine to cover more languages, frameworks, and vulnerability patterns — with direct implications for EU Cyber Resilience Act compliance.

GitHub has announced a significant expansion of its Code Security platform, integrating AI-powered scanning that goes beyond the rule-based approach of CodeQL. The new system uses large language models trained on vulnerability patterns to detect security issues in code that traditional static analysis tools miss.

Key improvements include:

EU Cyber Resilience Act Implications

The CRA requires manufacturers of products with digital elements to implement vulnerability handling processes throughout the product lifecycle. For software developers, this means:

What This Means for Your Organisation


5. Coruna iOS Exploit Framework Traced to Operation Triangulation

⚠️ SPYWARE GOVERNANCE — State-Level Exploit Kit Repurposed for Financial Crime

Kaspersky researchers have linked the Coruna exploit framework — targeting iOS devices — to the 2019 Operation Triangulation espionage campaign. The toolkit is now also being used in financial attacks, reigniting the EU debate over spyware regulation and surveillance technology export controls.

Kaspersky's latest research has established a definitive technical link between the Coruna exploit framework and Operation Triangulation, the sophisticated iOS espionage campaign first documented in 2023 but traced back to 2019. Coruna exploits zero-click vulnerabilities in iOS to install persistent surveillance capabilities without any user interaction.

The critical development is that Coruna is no longer limited to state-sponsored espionage. Kaspersky found evidence of the framework being used in financial attacks — targeting banking apps, cryptocurrency wallets, and payment systems on compromised iOS devices. This suggests the exploit kit has either been sold commercially or leaked to financially motivated threat actors.

EU Spyware Regulation Context

The Coruna revelations land at a pivotal moment for EU surveillance technology governance:

What This Means for Your Organisation


Today's Regulatory Landscape Summary

Development Regulation Impact Action Required
EU Chips Act Dialogue Chips Act / NIS2 / CRA Hardware security certification for critical chips Map semiconductor supply chain risks
Dell & HP Quantum-Resistant Security CRA / NIS2 PQC arriving in enterprise hardware Begin post-quantum migration planning
PwC AI Attack Report NIS2 Identity governance gap widening Deploy phishing-resistant MFA, continuous monitoring
GitHub AI Security Scanning CRA Shift-left security tooling expands Integrate AI scanning into CI/CD pipelines
Coruna Spyware / Operation Triangulation ePrivacy / Dual-Use State exploits repurposed for financial crime Enforce iOS patching, assess mobile device risk