INTERPOL Dismantles 45,000 Malicious Servers in Massive Global Takedown, CISA Expands Cisco SD-WAN Directive, ENISA Renews International Cybersecurity Strategy, Chrome Zero-Days Exploited in the Wild
INTERPOL's Operation Synergia III coordinates 72 countries to seize 45,000 malicious IPs and arrest 94 cybercriminals — the largest coordinated cyber takedown in history. CISA adds mandatory reporting requirements to its Cisco SD-WAN directive as Ivanti EPM vulnerabilities join the KEV catalog. ENISA publishes a renewed international strategy to strengthen the EU cybersecurity ecosystem. Google patches two actively exploited Chrome zero-days with implications for the Cyber Resilience Act.
🌐 INTERPOL Operation Synergia III — Largest Global Cybercrime Takedown in History
⚠️ MAJOR LAW ENFORCEMENT ACTION — 72 COUNTRIES
INTERPOL announced the takedown of 45,000 malicious IP addresses and servers used for phishing, malware distribution, and ransomware. The operation led to 94 arrests, with 110 additional suspects under investigation. A total of 212 electronic devices and servers were seized across multiple continents.
Regulation Impact: NIS2 Cross-Border Cooperation — Budapest Convention — EU Cybercrime Directive — DORA ICT Incident Reporting
INTERPOL's Operation Synergia III represents the most ambitious coordinated cybercrime enforcement action ever undertaken. Spanning 72 countries and territories, the operation targeted the infrastructure behind phishing campaigns, malware distribution networks, and ransomware operations that have caused billions in damages globally.
In Bangladesh alone, authorities arrested 40 suspects and seized 134 electronic devices connected to loan scams, identity theft, and credit card fraud. In Togo, 10 suspects were apprehended running a fraud ring from a residential area that included social media account hijacking operations.
The scale matters. Taking down 45,000 malicious IPs in a single coordinated action sends an unmistakable signal: the infrastructure that powers cybercrime is no longer beyond the reach of international law enforcement.
NIS2 and Cross-Border Enforcement Implications
- NIS2 Article 13 mandates EU-level cooperation. The directive requires member states to establish national CSIRTs that cooperate across borders. Operation Synergia III demonstrates exactly the kind of international coordination NIS2 envisions, but at a scale that dwarfs current EU mechanisms. The EU-CyCLONe network should study this operation as a model.
- Budapest Convention enabling framework. The operation leveraged the Budapest Convention on Cybercrime — the only binding international treaty on cybercrime — which now has 76 parties. NIS2's cross-border cooperation requirements build on this foundation, but the convention's reach extends far beyond the EU.
- DORA incident reporting meets law enforcement. Financial institutions under DORA are required to report major ICT-related incidents. When INTERPOL takes down infrastructure that was attacking financial systems, DORA-regulated entities must assess whether they were affected and report accordingly.
- Ransomware infrastructure disruption supports NIS2 resilience goals. By targeting the servers powering ransomware campaigns, INTERPOL directly reduces the threat landscape that NIS2 was designed to address. Essential and important entities benefit from cleaner infrastructure even before implementing their own defenses.
⚡ DACH Takeaway
Germany's BKA (Federal Criminal Police), Austria's Bundeskriminalamt, and Switzerland's FEDPOL all participated in Operation Synergia III. DACH organizations should check their network logs against the indicators of compromise that INTERPOL will release through national CERTs. For NIS2-regulated entities, this operation validates the directive's emphasis on cross-border information sharing — the threats are global, and so must be the response.
🔒 CISA Expands Cisco SD-WAN Directive, Adds Ivanti EPM to Known Exploited Vulnerabilities
⚠️ ACTIVE EXPLOITATION — PATCH IMMEDIATELY
CISA has added mandatory reporting requirements to its existing Cisco Catalyst SD-WAN directive and added Ivanti Endpoint Manager vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. Both are under active attack in the wild.
Regulation Impact: CISA BOD 22-01 — NIS2 Vulnerability Management — CRA Vulnerability Reporting — DORA Patch Management
CISA's decision to expand an existing directive rather than issue a new one is noteworthy. The original Cisco Catalyst SD-WAN directive required federal agencies to patch; the updated version now adds mandatory reporting on exploitation status — agencies must confirm whether they've been compromised, not just whether they've patched.
Meanwhile, the Ivanti Endpoint Manager (EPM) vulnerabilities being actively exploited represent a particularly dangerous class: endpoint management tools have privileged access to every device they manage. Compromising EPM gives attackers administrative control across the entire managed fleet.
Regulatory Implications for Vulnerability Management
- NIS2 Article 21 requires vulnerability handling. Essential and important entities must implement vulnerability handling and disclosure policies. CISA's KEV catalog, while a US mechanism, has become the de facto global reference for priority patching. EU organizations should treat KEV additions as urgent under NIS2.
- CRA mandatory vulnerability reporting to ENISA. The EU Cyber Resilience Act requires manufacturers to report actively exploited vulnerabilities to ENISA within 24 hours. Cisco and Ivanti, as vendors selling into the EU market, will face these obligations as CRA requirements phase in through 2027.
- CISA's reporting expansion previews NIS2 requirements. The shift from "patch it" to "patch it AND tell us if you were compromised" mirrors NIS2's incident notification requirements. EU entities should note that NIS2 requires early warning within 24 hours and full incident notification within 72 hours.
- DORA patch management under scrutiny. Financial institutions running Cisco SD-WAN or Ivanti EPM must treat these as critical ICT risk management events under DORA. The regulation specifically requires testing of ICT tools, including network infrastructure.
⚡ DACH Takeaway
Cisco SD-WAN is widely deployed across German enterprises and Swiss financial institutions. Ivanti EPM has significant market share in Austria and Germany. BSI has historically mirrored CISA KEV additions in its own advisories within 24-48 hours. DACH organizations should not wait for BSI — patch now, assess for compromise, and document the response for NIS2 compliance evidence.
🇪🇺 ENISA Publishes Renewed International Cybersecurity Strategy
Regulation Impact: NIS2 Implementation — EU Cyber Diplomacy — International Standards — Capacity Building
The European Union Agency for Cybersecurity (ENISA) has published its revised International Strategy, renewing the agency's approach to engagement with international partners. The strategy strengthens alignment with the EU's international cybersecurity policies and the promotion of EU values in global cybersecurity governance.
This is more significant than it appears. As NIS2 implementation accelerates across 27 member states, ENISA's international strategy shapes how the EU's cybersecurity framework interacts with — and potentially influences — the rest of the world. The strategy effectively positions NIS2 not just as an EU regulation, but as a model for global cybersecurity governance.
What the New Strategy Means for Regulation
- NIS2 as an export product. ENISA's strategy explicitly aims to promote EU cybersecurity standards internationally. This means NIS2-style requirements may influence regulatory frameworks in partner countries, creating a "Brussels Effect" for cybersecurity.
- Standardization leadership. The strategy reinforces ENISA's role in international standards bodies. As the CRA and NIS2 create new technical requirements, ENISA will push for these to become international standards — affecting global supply chains.
- Cyber diplomacy convergence. The strategy aligns ENISA's technical mission with the EU's cyber diplomacy toolbox, including cyber sanctions. This creates a pathway from ENISA's threat assessments to diplomatic action — relevant for state-sponsored attacks on NIS2 entities.
- Capacity building extends the regulatory perimeter. By helping non-EU countries build cybersecurity capabilities, ENISA indirectly extends the reach of EU regulatory concepts. Organizations operating globally should expect convergence toward EU-style requirements.
⚡ DACH Takeaway
Switzerland, as a non-EU country with deep economic integration, is directly affected by ENISA's international strategy. The Swiss NCSC should engage with ENISA's international cooperation framework to ensure alignment. For German and Austrian organizations with global operations, ENISA's push for international standardization means NIS2 compliance investments will likely have global applicability.
🔴 Chrome 146 Patches Two Actively Exploited Zero-Days — CRA Implications for Browser Security
⚠️ ZERO-DAY — ACTIVE EXPLOITATION
Google has patched two zero-day vulnerabilities in Chrome 146 that were being actively exploited in the wild. The flaws allow attackers to manipulate data and bypass security restrictions, potentially leading to remote code execution.
Regulation Impact: EU Cyber Resilience Act — NIS2 Supply Chain Security — Vulnerability Disclosure — DORA Digital Operational Resilience
Two Chrome zero-days patched in a single update is unusual and concerning. Chrome's market share exceeding 65% globally means these vulnerabilities exposed billions of users to potential attack. The exploitation was confirmed active before the patch, meaning attackers had a window of opportunity.
This comes just days after Google revealed it paid $17 million in bug bounties in 2025, with $3.7 million for Chrome vulnerabilities alone. Even with one of the most mature vulnerability programs in the industry, zero-days still slip through — a reality that the EU's Cyber Resilience Act must account for.
CRA and Vulnerability Management Implications
- CRA 24-hour reporting obligation applies. Under the Cyber Resilience Act, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours. Google, as the manufacturer of Chrome, will face this obligation for all EU users once CRA requirements take full effect.
- NIS2 entities must patch enterprise browsers. For essential and important entities, browsers are attack surface. NIS2 requires proportionate technical measures — which includes keeping browsers updated. Two exploited zero-days make this a compliance issue, not just an IT hygiene issue.
- Browser as critical supply chain component. The CRA treats software as a product with digital elements. Chrome, used across virtually every enterprise, is a supply chain dependency. These zero-days demonstrate why the CRA's vulnerability handling requirements extend to all software, not just specialized security tools.
- DORA implications for financial services. Banks, insurers, and trading platforms that rely on browser-based interfaces must assess whether these zero-days affected their operations. DORA requires financial entities to maintain inventories of ICT assets — browsers are rarely included but clearly should be.
⚡ DACH Takeaway
Germany's BSI CERT-Bund typically issues advisories for actively exploited Chrome vulnerabilities within hours. Swiss NCSC and Austrian CERT.at should follow. For DACH enterprises, this is a reminder to implement browser auto-update policies and monitor the CISA KEV catalog. Chrome Enterprise policies can enforce update compliance — documentation that also serves as NIS2 evidence.