
EU Cybersecurity & Data Protection Update Q2-2025

Engity's overview of the most important challenges in data protection and cybersecurity for the second quarter of 2025.

Despite its (public and often well deserved) image of bureaucratic overregulation, the EU has its moments of clarity. Doing the right thing at the right time in (mostly) the right manner. A good example of this is the NIS2 directive, aimed at bolstering cybersecurity and resilience while also establishing a framework for much better cooperation between the member countries through coordination, information-sharing, and joint crisis response.

Too bad that the member countries are reluctant or unable to transpose the directive into national law. This may be, if not understandable, then at least explainable in the case of Germany, where a string of political crises in late 2024 resulted in snap elections early this year. But why are the other 18 Member States delayed? Nobody knows, least of all the EU, which opted to open infringement procedures.

But NIS2 is only one of the tools in the EU’s strategy to gain more technological sovereignty and better cybersecurity. Lots of activities went in similar directions, such as a new EU vulnerability database and even a European Domain Name System. Sweet!

There was, of course, more going on in both cybersecurity and data protection – neither of which fails to entertain with interesting news and developments. As in every quarter.

And before we forget: we saw a data breach of truly gargantuan proportions. With 16 billion (you read that right) passwords exposed, it is the largest data breach. Ever. So far.

Let’s have a look, shall we?

NIS2 – the Special

NIS2 Tracker – Where do We Stand?

One of the issues with EU directives is that they must be transposed into national law. That should be a relatively uniform process in theory, but in practice it is not. The national lawmakers work at varying speeds and emphasize different aspects, and the directive itself leaves some choices open by design: deadlines, registration obligations, and maximum fines vary widely.

For those reasons, businesses working in a transnational environment need to know where each member state stands and how NIS2 is implemented.

The European Cyber Security Organization (ECSO) comes to the rescue by providing a NIS2 transposition tracker, mapping how each Member State is implementing the directive.

That also means businesses no longer have excuses. Regularly check where your local obligations are. And if your company has not mapped their suppliers in other jurisdictions yet, it might be a jolly good idea to start now. Supply chain security will be one of NIS2’s biggest challenges.

EU Commission Launches Infringement Procedures

By May 7th, 2025, the European Commission issued formal reasoned opinions to 19 (!) member states, including heavyweights like Germany, France, and the Netherlands, for failing to fully transpose the NIS2 Directive into national law. We may remind our readers that there are only 27 member states in all.

To put all this in perspective: the original deadline expired on October 17th, 2024 - meaning some countries have now been in breach for over six months. And while there may be good reasons (for Germany: a crisis in the ruling coalition that blocked any political action and then led to early elections at the beginning of this year), the reason why nobody seems to act is rather unclear.

The EU commission sees this not just as a minor technical delay. Rather, by initiating infringement proceedings, the Commission is signaling that it takes cybersecurity to be a vital element of the EU’s digital sovereignty project - and that excuses for dragging out transposition will no longer be tolerated. If Member States do not respond with credible action plans, the Commission can – and most likely will – escalate these cases to the European Court of Justice (ECJ), which has the power to impose hefty fines until compliance is achieved.

For businesses, this patchwork status quo is more than an administrative nuisance. In practice, it means organizations operating across borders are left with inconsistent rules on incident reporting, supply chain security, and registration requirements - while also facing different timelines for when national authorities might begin enforcing penalties.

The big takeaway? Legal uncertainty is now a real compliance risk. Businesses cannot assume that national regulators will turn a blind eye indefinitely. With enforcement looming, it is more important than ever to monitor local legislative updates, create working internal policies, and keep the board fully briefed on the situation.

ENISA Issues Practical Technical Guidance for NIS2

In late June 2025, the European Union Agency for Cybersecurity (ENISA) stepped up to close a practical gap that many companies have been worrying about for months: how to implement the broad security obligations under the NIS2 Directive. The newly released Technical Implementation Guidance translates the headline requirements of the October 2024 Implementing Regulation into a practical roadmap, complete with detailed best practices, control checklists, and real-life evidence examples.

This guidance is more than a nice-to-have for CISOs - it’s the EU’s blueprint for what “appropriate” or “state-of-the-art” means in practice when regulators come knocking. It addresses key pillars like incident detection, supply chain security, business continuity, and governance - but also sets clear expectations for how to document compliance and demonstrates that measures are genuinely embedded in day-to-day operations.

For essential infrastructure operators, ICT service providers, and digital platforms, this means there’s little room left for ambiguity. National supervisory authorities will likely use ENISA’s guide as a benchmark during audits, meaning that gaps in evidence or vague processes won’t cut it anymore. In short, the bar for “due diligence” just got higher - and it’s harmonized across the EU.

The takeaway for businesses is clear: download the ENISA guidance, map it against your current policies, and plug the gaps now - before the first audit letter lands on your desk. Make sure your documentation is not just a paper exercise but shows a clear line from risk assessment to technical and organizational measures. This isn’t just good practice - it’s the best defense when enforcement steps up.

Public Initiatives and Developments

NIS2 is just one tool in the Union’s arsenal to gain digital sovereignty. Because to be sovereign here means having control over one’s own digital systems. This, of course, includes the flashy surface of the big US tech companies. But it also encompasses the rather boring – but even more important – digital infrastructure.

DNS4EU Goes Live - a European DNS

One crucial example of such digital infrastructure is the DNS.

When you type a web address, your computer or other device asks the Domain Name System (DNS) to find where that address is. Think of this as a phonebook (in case you still remember those). For the longest time, Europe’s DNS traffic flowed through servers run by big tech players outside the Union.

That is about to change. With DNS4EU, the EU has officially launched its own privacy-oriented resolver service. The idea is not only to reduce dependency, but also to improve resilience and to make DNS filtering more GDPR compliant (mostly by not storing or monetizing user query logs).

Public bodies and operators of essential services (in NIS2 lingo) may soon be required to use DNS4EU. But individuals or smaller businesses can benefit, too – simply by configuring their devices accordingly. The service may become best practice even for those who do not have to use it.

A Blueprint for Unavoidable Cyber Crises

Most businesses think about firewalls and patching when discussing cybersecurity. And that is not wrong, but it is not enough. As we know: every cybersecurity measure can – and will eventually – fail. The question is: what then?

To answer that question for the public sector, the EU Council published a helpful (as of now: draft) Cybersecurity Crisis Management Blueprint. It stipulates who does what if a major incident spills across borders. The addressees include national agencies, ENISA, and the European Commission. Think of it as a playbook for digital catastrophes.

There is, of course, lots to be learned here for private organizations as well, as the situation is, in essence, the same. And that also means that the resulting questions are very similar.

For those reasons: check your own crisis and business continuity plans. Do you have clear escalation paths? Does your board know when to notify authorities under NIS2 – and how quickly (hint: 24 hours)?

Now is the time to test those scenarios. And in case we have not mentioned it: your IAM services should be part of this assessment. As an identity provider / IDaaS, we at Engity are happy to be of assistance!

EU Vulnerability Database: From CVE to EUVD

Cybersecurity, just like glacier hiking, also means knowing where the cracks are. Ideally, of course, one would be able to fix them before attackers utilize them for nefarious purposes. For decades, Europe’s software developers and IT teams have relied on the US CVE system (a public list that assigns a unique ID to every newly discovered software weakness so that companies can track, fix, and share information about it).

To gain strategic independence in this field as well, the EU switched on its own EU Vulnerability Database (EUVD). This new database assigns EU-specific IDs to vulnerabilities and will, over time, be integrated into the threat intelligence and coordination systems of the European Union Agency for Cybersecurity (ENISA).

The idea for the public sector is, of course, to ensure more consistent information sharing within the EU and to tailor threat coordination to European needs and supply chains.

However, for private software developers, tech vendors, and IT service providers, this is also relevant and more than just a shiny new website. Monitoring the EUVD will not only be best practice, but most likely a NIS2 requirement. Missing a vulnerability that was listed there may not be a good idea.

Healthcare Gets Life Support

It is a sad fact that hospitals and clinics remain some of the juiciest targets for ransomware attacks (as our digest has reported). And for good reason: they hold huge amounts of very sensitive personal data, rely on digital systems for patient care, and often run on shoestring budgets that leave cybersecurity underfunded. At the same time, the stakes are painfully high: when systems go down, lives can literally be at risk. That creates a big incentive for hospitals to “just pay” any ransom.

To tackle this, the EU has now kicked off work on a dedicated “Healthcare Cyber Support Center”. The idea is to give hospitals and healthcare providers access to better training, real-time threat intelligence, and crisis response support. The center is planned to be up and running by 2026.

As in the example discussed before: this is not just a help but, in many ways, also a challenge as it raises the bar. Better support will come hand in hand with tougher standards. If your business is a cloud provider, software vendor, or IT partner catering to the healthcare sector, expect supplier onboarding to become more challenging and procurement rules to tighten. Hospitals will increasingly demand evidence that security practices meet recognized standards. Or shorter: The state of the art will shift upwards. Having an ISO 27001 certification or an equivalent security framework will no longer be a “nice to have” but may become the bare minimum.

Cybersecurity and Data Breaches

The UBS attack – why supply chain security matters

All recent privacy and cybersecurity laws put an emphasis on supply chains. Think of commissioned data processing in the GDPR, but also of the supply chain stipulations of NIS2 or – to shift to private standards – the respective controls of ISO 27001.

Why this is so important shows the case of UBS, a Swiss bank.

In June 2025, the bank confirmed that a cyberattack on its procurement services provider, Chain IQ, had resulted in – sensitive – data on more than 130,000 employees ending up for sale on the dark web. The records reportedly included ID details and internal documents, making identity thieves and social engineers rub their hands.

UBS’s own systems are said to be hardened with top-tier security measures. But the attackers hit a third-party supplier. A rather stark reminder that security is only as strong as the weakest link in the supply chain.

This is, of course, not just a banking problem. Most companies have dozens (if not hundreds) of suppliers, contractors, and IT partners who handle everything from payroll to cloud hosting. If those partners have no solid cybersecurity in place, sensitive data is at risk.

And that is the reason why third-party risk management is a core part of any security and compliance program.

16 Billion Passwords Exposed in the Mother of All Credential Compilations

In June, cybersecurity researchers from Cybernews uncovered a giant repository of around 16 billion stolen login credentials on the dark web. This huge collection is believed to be patched together from a number of malware campaigns - the kind of malicious software that quietly runs on infected devices and collects usernames, passwords, and cookies without the user noticing.

The alarming fact is the sheer scale of the database. The leaked credentials cover everything from big names like Google, Apple, and Facebook, to smaller sites and work accounts. These details can be abused for “credential stuffing” attacks and other nefarious activities.

The gargantuan password dump is not just a problem for individuals but also a serious supply chain risk for businesses. One weak password reused on multiple platforms can become the open door an attacker needs to infiltrate a whole company network.

As an identity provider we at Engity do not get tired of preaching: treat credentials like the keys to your house. Review your password policies, push for multi-factor authentication (MFA) wherever possible, and make sure your people know not to reuse passwords across services. A single careless login could be the point of entry for your next cyber incident.

Privacy Developments

Tweaking the GDPR - Small Companies May Catch a Break

There has been a very heated and drawn-out discussion about whether the GDPR is the savior of personal freedom and liberty or a bloated piece of unnecessary bureaucracy standing in the way of business and scientific progress. As so often, the answer is: both. The GDPR does protect individuals, but it also creates real compliance overhead.

One of the specifically paperwork-heavy parts is the obligation for companies to keep detailed Records of Processing Activities (RoPAs). These records act like a logbook, showing what personal data is being collected, for what purpose, with whom it is shared, and how long it is kept.

After a very long discussion and input from many sides, the EU is considering raising the GDPR’s record-keeping exemption threshold from 250 to 750 employees. For high-growth SMEs, this could cut paperwork and streamline processes - unless the business has high-risk processing activities, which always trigger documentation obligations.

If this change comes about, it could be a welcome chance for a leaner administration.

Blockchain in the Privacy Spotlight

Our digest has reported several times on the tension between privacy and blockchain. By their very design, blockchains - the tech behind cryptocurrencies but also other decentralized systems like freight logs - store information across many computers at once, making it practically unchangeable. That is truly fantastic for transparency and security. It is much less great if the law says people have the right to be forgotten. Which is exactly what the GDPR stipulates.

For that reason, one of the EU’s trickiest privacy headaches has always been how to handle blockchain technology under the GDPR.

Let’s think of a practical case to illustrate the issue. Imagine personal data is recorded in a blockchain-based land register, or in a smart contract for an insurance payout. What happens if the data subject later wants that data deleted? With a traditional database, the record could be removed or overwritten. But with a blockchain, once it’s written in, it’s there forever – which is exactly the idea.

To address this conflict, the European Data Protection Board (EDPB) ran a public consultation on how to balance privacy rights with blockchain’s technical realities. That consultation has now closed, and final guidance is expected later this year.

This will matter. The EU considers blockchain to be a key future technology, and it might be a good idea not to strangle it in red tape. Once the guidance is out, it will shape what companies using distributed ledgers, smart contracts, or crypto-based apps must do to stay GDPR compliant. The focus will likely be on smart design: for example, using pseudonymization (storing data in a way that keeps it linked to a user only via an alias) or ensuring that truly personal data never actually sits on the chain itself – just links or references to it.
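The “references, not personal data, on the chain” design sketched above, as an added Python illustration that is not part of the original post or of any EDPB guidance: the append-only ledger holds only a random alias and a salted hash commitment, while the personal data and the salt live in a deletable off-chain store, so erasing that record leaves the chain intact but makes the on-chain entry unresolvable. The class and function names are assumptions for illustration.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass, field


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    alias: str        # random pseudonym; carries no meaning on its own
    commitment: str   # sha256(salt || canonical data); the salt stays off-chain

    def hash(self) -> str:
        return _sha256(f"{self.index}|{self.prev_hash}|{self.alias}|{self.commitment}".encode())


@dataclass
class Ledger:
    """Append-only chain (illustrative): entries can be added, never changed or removed."""
    blocks: list = field(default_factory=list)

    def append(self, alias: str, commitment: str) -> Block:
        prev = self.blocks[-1].hash() if self.blocks else "0" * 64
        block = Block(len(self.blocks), prev, alias, commitment)
        self.blocks.append(block)
        return block

    def is_valid(self) -> bool:
        for i, block in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1].hash() if i else "0" * 64
            if block.prev_hash != expected_prev:
                return False
        return True


def record(ledger: Ledger, store: dict, personal: dict) -> str:
    """Keep the personal data off-chain under a random alias; put only alias + salted commitment on-chain."""
    alias = secrets.token_hex(8)
    salt = secrets.token_bytes(16)  # random salt: without it the commitment cannot be brute-forced from guesses
    canonical = json.dumps(personal, sort_keys=True).encode()
    store[alias] = {"salt": salt, "data": personal}
    ledger.append(alias, _sha256(salt + canonical))
    return alias


def resolve(ledger: Ledger, store: dict, alias: str):
    """Return the personal data behind an alias, but only if it still exists and matches the on-chain commitment."""
    entry = store.get(alias)
    if entry is None:
        return None
    canonical = json.dumps(entry["data"], sort_keys=True).encode()
    on_chain = next((b for b in ledger.blocks if b.alias == alias), None)
    if on_chain is None or on_chain.commitment != _sha256(entry["salt"] + canonical):
        return None
    return entry["data"]


def erase(store: dict, alias: str) -> bool:
    """Right to erasure: delete the off-chain record together with its salt; the chain itself is untouched."""
    return store.pop(alias, None) is not None
```

Because the on-chain commitment is salted and the salt is deleted with the record, what remains on the chain after erasure is a random alias and a hash that can no longer be linked back to the person.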

Faster GDPR Enforcement is Coming

The GDPR, in theory, should make it easy for individuals to enforce their privacy rights. And, again in theory, the process of enforcement should be very much the same across the continent. That should be true even when companies operate across multiple EU countries. One should be able to file a complaint with the local Data Protection Authority (DPA) and get a fair, timely result, no matter where the company’s headquarters are.

In practice, things are a bit more difficult. In fact, enforcement often turns into a legal maze. Some DPAs are notoriously under-resourced, or very slow, or – at least that is the rumor – keen on protecting the companies headquartered in the country.

This has led to a form of “forum shopping” - companies pick the country with the slowest or most lenient regulator and base their EU operations there. It creates an unfair advantage for big players who can afford to play the system, while smaller companies and regular people get stuck with legal uncertainty. If you are thinking of Ireland, where the EU headquarters of US Big Tech are located and generate billions in tax revenue, you might be on the right track.

To fix this, in June 2025, the EU Council and Parliament finally agreed on new rules to harmonize how cross-border GDPR cases are handled. The goal is to make it clear when complaints are admissible, which DPA is in charge, and how deadlines must be met. This should make it much harder for companies to exploit gaps between national regulators - and ensure that citizens can enforce their rights in time.

Court Decisions & Enforcement

TikTok and a €530 Million Data Privacy Lesson

Like every quarter, there is also enforcement news. And this time the spotlight is on a company under scrutiny not just in the EU but in other jurisdictions as well: TikTok.

Ireland’s Data Protection Commission (DPC) hit the platform with a massive €530 million penalty for sending personal data of EU citizens to China without proper legal safeguards in place.

Under the GDPR, any time somebody transfers personal data from the EU to a country outside the EU - especially one that doesn’t have the same strong privacy laws – one needs to prove that the data is just as protected as it would be at home. This often means putting in place special contracts (known as Standard Contractual Clauses, or “SCC”) and doing a transfer impact assessment (TIA) to check whether local surveillance laws or government access might put that data at risk.

In TikTok’s case, the DPC found that not only did the company fail to implement sufficient legal safeguards, but it also wasn’t fully transparent with users about where their data would end up and who could access it.

Whether or not TikTok with its connection to China is a special case can be debated. But the EU’s privacy enforcers generally have no plans to go soft on big tech or major international transfers. And in many ways that is a laudable approach.

GDPR Damage Claims: The ECJ Gives Guidance and Sets Limits

One question that lawyers, national courts, and data protection agencies have been discussing in recent years is when citizens can demand damages if their personal data has been mishandled. The European Court of Justice (ECJ) had to step in and clarify the issue.

In its ruling, the court made it clear that “just” feeling worried that your personal data might have been misused isn’t enough to justify damages. One needs to prove there was actual, concrete harm. Things like financial loss, identity theft, or demonstrable emotional distress.

This is good news for businesses facing a rising wave of rather dubious claims - where some individuals or even litigation firms file complaints hoping for easy settlements.