Cyberveille curated by Decio

70 results tagged legal (page 1 / 4)
I am a Swiss company. Am I affected by NIS2? https://incyber.org/article/je-suis-une-entreprise-suisse-suis-je-concernee-par-nis2/
29/08/2025 11:57:20

incyber.org Marie De Freminville
26.08.25

The NIS2 directive (Network and Information Security 2), adopted by the European Union, was to be transposed into national law by each EU member state by October 2024 at the latest, with transposition processes and timetables specific to each country.
Given the rise in cyber threats, it imposes stricter standards for cybersecurity, risk management and incident response than the NIS directive of 2016.
This new directive broadens both expectations and scope. Its aim is to anticipate new forms of attack, to move from a reactive approach to a proactive strategy, and to establish wide-ranging collaboration across the whole ecosystem so as to ensure the resilience of critical infrastructure.

Its scope is wider and extends to entities considered essential or important (e.g. energy, transport, health, digital infrastructure, public administration, etc.). For more details, see https://monespacenis2.cyber.gouv.fr/directive/.

NIS2 is not directly applicable in Switzerland. Nevertheless, a Swiss company is affected, in particular if it is part of the critical supply chain of EU companies subject to NIS2, for example as a provider of digital services or of cross-border critical infrastructure, or if it operates within the European Union through a subsidiary that falls within the scope of NIS2 (the scope mentioned above).

Beyond strict compliance, adherence to European standards in the digital domain is a pillar of trust between Swiss companies and their European partners or customers, and applying these standards will strengthen the security of the Swiss entities that comply with them.

The main questions to ask:

  • Does my company have a subsidiary, branch or legal entity in an EU country?
  • Does my company provide services to customers located in the EU (companies, states, critical infrastructure)?
  • Does my company host, process or carry data of European citizens?
  • Does my company operate in an "essential" sector (energy, health, banking, transport, digital infrastructure, water, space, public administration) or an "important" one (agri-food, digital services, research, chemicals, waste, critical manufacturing)?

If the Swiss company meets any of these criteria, or if the contract binding it to its customer contains NIS2 compliance obligations, it must ensure that its cybersecurity arrangements include in particular:

  • A clearly identified CISO or cybersecurity officer,
  • A formal cybersecurity policy approved by management,
  • An incident management procedure (notification within 24 hours),
  • Regular risk analyses, audits and tests to verify the robustness of the arrangements,
  • Cybersecurity training for administrators and executives.

In the financial sector, banking institutions with a subsidiary or branch in the EU, or acting as a subcontractor or partner of European banks or market players, will have to put in place:

  • Cybersecurity governance at board level: appoint a cybersecurity officer (CISO) at executive level, review the cybersecurity strategy, and set up an IT security committee.
  • A map and management of information-system security risks: identify the assets essential to the bank's operation, including the supply chain, IT providers and interconnections.
  • Incident notification procedures with very short deadlines (24 hours), and a cyber incident response plan.
  • Compliance audits, and a dashboard (tracking of security indicators and NIS2 requirements).
  • Verification of the cybersecurity maturity of providers of digital banking, IT, cloud and other services, i.e. requiring them to meet NIS2 standards.
  • An awareness and training programme for employees, executives and the board of directors.
  • An update of contracts with IT providers, and verification of subcontractors' security levels.

The banking sector is already heavily regulated: FINMA (the Swiss financial market supervisory authority) imposes strict requirements through its circulars, such as 2018/3 "Outsourcing" and 2023/1 "IT risk management", which are based on risk and proportionality.

The Confederation's initiatives (NCSC) also follow a logic of convergence with European standards.

Other essential entities in the financial sector are the FMIs (financial market infrastructures): trading venues (stock exchanges, MTFs (multilateral trading facilities), OTFs (organised trading facilities), quotation systems), clearing houses (CCPs), central securities depositories (CSDs), settlement systems, providers of critical benchmarks, and regulated market data operators.

In Switzerland, these entities include players such as SIX Group, SIX x-clear, SIX SIS and Swiss Interbank Clearing (SIC), which operate nationally critical systems that are also interconnected with the EU.

Although Switzerland is not directly subject to NIS2, its FMIs operate internationally, in particular in the EU, and process critical financial data that is often shared with European counterparties.

Although they are already subject to rigorous regulation, such as the LFIN, the LBVM, the Financial Market Infrastructure Ordinance, FINMA guidelines, ISO 27001/22301 standards, etc., Swiss FMIs will have to demonstrate equivalent compliance with NIS2 requirements, even if only contractually or operationally.

In the health sector, hospitals and clinics, laboratories, critical care providers, medical technology companies (eHealth, MedTech, telemedicine) and IT providers (health cloud, DMP electronic patient records, medical data platforms) working with the EU are considered essential entities (Annex I of NIS2).

As in the banking industry, companies in this sector have new obligations and must be able to produce the following documents:

  • Health cybersecurity policy (with NIS2 requirements),
  • IT / DMP / IoMT risk analysis,
  • Incident notification procedure,
  • Compliance register / dashboard,
  • Audit reports / remediation plans,
  • Awareness / training attestations.

In the energy sector, grid operators, producers, suppliers and technical service providers (e.g. SCADA: industrial supervisory control systems, OT: operational technology, industrial cloud) must comply with NIS2, insofar as they have to meet the expectations of European partners and European authorities, with the objective of strengthening the resilience of critical infrastructure.

Furthermore, companies in this sector must anticipate the evolution of Swiss law (LSI, OICN, etc.), which is to converge with NIS2 through the Ordinance on the Protection of Critical Infrastructure (OICN) and the directives of the OFEN and the NCSC.

The particular features of the energy sector are as follows:

  • Include OT, production, suppliers and remote management in the security policy,
  • Create an interdisciplinary cybersecurity committee with representatives from IT, OT, operations and compliance,
  • Map the critical systems: automated supervision, distributed control, distribution networks, high-voltage substations, infrastructure shared with the EU,
  • Strengthen security measures on industrial IT systems (in particular environment separation and access control), detect incidents, put in place a business continuity / disaster recovery plan, and review IT provider contracts to add a NIS2 compliance clause,
  • Train administrators and executives, but also industrial and IT operators.

In the transport sector, the NIS2 directive covers all critical forms of transport: air (airlines, airport operators, air traffic control), rail (rail operators, infrastructure managers, signalling services), maritime (ports, shipping companies, navigation systems, freight operators) and road (motorway companies, traffic management, essential logistics platforms; lower priority but possible depending on the member state).

Since Switzerland is closely interconnected with European networks, it is party to cross-border agreements (e.g. European rail transport, aviation safety with EASA, logistics corridors). It is subject to its own cybersecurity frameworks (e.g. OICN, LSI, requirements of the Federal Office of Transport, OFT), and its transport companies are therefore strongly encouraged to align voluntarily with NIS2, in particular to secure industrial systems (isolation, network segmentation, SCADA monitoring) and to identify systems interconnected with the EU.

Finally, Swiss digital infrastructure is closely interconnected with that of the EU (Internet interconnection, IP transit, European clouds, cross-border networks), and it is likely to host or carry European data (in the case of cloud players or global digital service providers).

It is subject to the Information Security Act (LSI), the Telecommunications Act (LTC) and the recommendations of the NCSC and SEFRI, which form a central pillar of the NIS2 directive.

Swiss digital infrastructure providers (DNS service providers, domain name registries, critical cloud services, critical data centres, content delivery networks, Internet exchange points) operating in Europe or serving European customers must demonstrate a level of security equivalent to that required by NIS2, often through audits, certifications or contractual clauses.

They must therefore map the customers and services exposed to the EU, strengthen detection, resilience and monitoring, define clear procedures, audits and documentation, and control their subcontractors and their compliance with NIS2 (a clause to be added to their contracts).

In conclusion, although Switzerland imposes cyber-risk regulations on its companies, the expectations and scope are not exactly the same as those of the NIS2 directive.

It is therefore important for Swiss companies that fall within the scope of NIS2 and operate with the EU to check which actions to take to strengthen their cybersecurity arrangements, which are essential to maintaining relationships of trust with customers and partners and to meeting their regulatory requirements.

incyber.org FR 2025 NIS2 EU Suisse PME legal droit
Germany’s top court holds that police can only use spyware to investigate serious crimes https://therecord.media/germany-spyware-limitations-court-rules
08/08/2025 14:21:50

therecord.media - Germany’s highest court on Thursday ruled that law enforcement cannot use spyware to monitor personal devices in cases that carry less than a three-year maximum sentence.

The court was responding to a lawsuit brought by the German digital freedoms organization Digitalcourage.

The plaintiffs argued that a 2017 rules change enabling law enforcement to use spyware to eavesdrop on encrypted chats and messaging platforms could unfairly expose communications belonging to people who are not criminal suspects.

The 2017 change to the German criminal procedure code was not precise enough about when spyware can be used, the court ruled, saying that snooping software is only appropriate in investigations of serious cases.

Such surveillance causes a “very severe interference” with fundamental rights, the court said in a press release.

Law enforcement use of spyware “enables the interception and analysis of all raw data exchanged and thus has an exceptional reach, particularly given the realities of modern information technology and its significance for communication relations,” the press release said.

therecord.media EN 2025 legal germany police spyware
Austrian government faces likely legal challenge over state spyware https://www.computerweekly.com/news/366628109/Austrian-government-faces-likely-legal-challenge-over-state-spyware
04/08/2025 17:07:36

computerweekly.com - The Austrian government is likely to face legal challenges after it succeeded on its fifth attempt to pass a law this month giving the country’s intelligence service legal powers to deploy spyware on phones and computers. Civil society groups are holding discussions with MPs on far-right Freedom Party (FPO) and the Greens, both of which voted against the new surveillance measures, regarding a legal challenge to Austria’s constitutional court.

Austria’s lower house passed the law on 9 July 2025, giving the Austrian intelligence service – the Directorate of State Protection and Intelligence (DSN) – the capability to deploy spyware, known as “a state trojan”, to monitor encrypted communications on services such as WhatsApp and Signal.

The three coalition governing parties, ÖVP, SPÖ and NEOS, agreed to changes to the State Protection and Intelligence Service Act (SNG), the Telecommunications Act 2021, the Security Police Act (SPG) and other laws to allow the state to spy on encrypted messages and gather other data stored on electronic devices.

The coalition government, headed by chancellor Christian Stocker, argued that Austria should have a legal framework to enable it to monitor encrypted messaging services in line with countries such as the UK and the US.

Austrian politicians pressed the case after a tip-off from the US Central Intelligence Agency (CIA) warning of an impending attack at a Taylor Swift concert, part of the Eras Tour, in August 2024 led to the cancellation of three concerts in the country. US intelligence reportedly identified that one of the suspects pledged to ISIS-K on the Telegram messaging app.

Former chancellor Karl Nehammer also cited Austria’s biggest spying scandal, the Egisto Ott affair, as a reason for the DSN to be given more tools to act against foreign intelligence services, including the ability to intercept encrypted messaging services.

The new law has been criticised by civil society groups and some technology companies, which argue that the introduction of a “state trojan” will undermine internet security for Austrian citizens.

In July, 50 civil society groups from 16 countries wrote an open letter to MPs and the Austrian National Council, warning that the move to increase state surveillance would be a historic step backwards for IT security.

The civil society groups said the draft law was based on a “legal fiction” that would mean that, rather than protecting the population from cyber security risks, the state would instead promote and maintain security vulnerabilities, which will inevitably be discovered and exploited by hackers and hostile nation-states.

They point to the WannaCry ransomware attacks, which exploited a security vulnerability developed by the US National Security Agency (NSA) to infiltrate computer systems, causing severe disruption of hospitals, trains and mobile phone networks in 2017.

Thomas Lohninger, executive director of digital rights organisation Epicenter.Works, told Computer Weekly that his organisation will “try everything” to challenge the new law in Austria’s constitutional court. This includes bringing a constitutional challenge from the opposition Green Party and far-right FPÖ MPs before the law is enacted – a move that requires support from a third of MPs.

computerweekly.com Austria legal spyware
Clorox accuses IT provider in lawsuit of giving hackers employee passwords | Reuters https://www.reuters.com/legal/government/clorox-accuses-it-provider-lawsuit-giving-hackers-employee-passwords-2025-07-22/
26/07/2025 10:34:34

WASHINGTON, July 22 (Reuters) - Bleach maker Clorox (CLX.N) said Tuesday that it has sued information technology provider Cognizant (CTSH.O) over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords.
Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom.

The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them.
"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit reviewed by Reuters. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over."
Cognizant, in an emailed statement, pushed back, saying it did not manage cybersecurity for Clorox and it was only hired for limited help desk services.

reuters.com EN 2025 Clorox Cognizant sued Scattered-Spider lawsuit legal
TikTok Faces Fresh European Privacy Investigation Over China Data Transfers https://www.securityweek.com/tiktok-faces-fresh-european-privacy-investigation-over-china-data-transfers
13/07/2025 22:57:17

The Irish Data Privacy Commission announced that TikTok is facing a new European Union privacy investigation into user data sent to China.

TikTok is facing a fresh European Union privacy investigation into user data sent to China, regulators said Thursday.

The Data Protection Commission opened the inquiry as a follow-up to a previous investigation that ended earlier this year with a 530 million euro ($620 million) fine after it found the video-sharing app put users at risk of spying by allowing remote access to their data from China.

The Irish national watchdog serves as TikTok’s lead data privacy regulator in the 27-nation EU because the company’s European headquarters is based in Dublin.

During an earlier investigation, TikTok initially told the regulator it didn’t store European user data in China, and that data was only accessed remotely by staff in China. However, it later backtracked and said that some data had in fact been stored on Chinese servers. The watchdog responded at the time by saying it would consider further regulatory action.

“As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok,” the watchdog said.

“The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers,” the regulator said, referring to the European Union’s strict privacy rules, known as the General Data Protection Regulation.

TikTok, which is owned by China’s ByteDance, has been under scrutiny in Europe over how it handles personal user information amid concerns from Western officials that it poses a security risk.

TikTok noted that it was the one that notified the Data Protection Commission, after it embarked on a data localization project called Project Clover that involved building three data centers in Europe to ease security concerns.

“Our teams proactively discovered this issue through the comprehensive monitoring TikTok implemented under Project Clover,” the company said in a statement. “We promptly deleted this minimal amount of data from the servers and informed the DPC. Our proactive report to the DPC underscores our commitment to transparency and data security.”

Under GDPR, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection. Only 15 countries or territories are deemed to have the same data privacy standard as the EU, but China is not one of them.

securityweek.com EN 2025 tiktok legal RGPD China Data Transfers Privacy Investigation EU
SEC and SolarWinds Seek Settlement in Securities Fraud Case https://www.hunton.com/privacy-and-information-security-law/sec-and-solarwinds-seek-settlement-in-securities-fraud-case
07/07/2025 10:35:04

Categories: U.S. Federal Law, Cybersecurity, Enforcement
In a surprising development in the US Securities and Exchange Commission’s (“SEC’s”) ongoing securities fraud case against SolarWinds Corp. (“SolarWinds”) and its former chief information security officer (“CISO”), Timothy Brown, all three parties have petitioned the judge for a stay pending final settlement. Until the SEC’s four commissioners can vote to approve the settlement, the parties have requested the stay until at least September 12, 2025.

As we previously reported, in October 2023, the SEC sued software developer SolarWinds and its former CISO, alleging that SolarWinds misled investors about a series of heavily publicized cyberattacks that targeted the company, culminating in the December 2020 Sunburst malware attack. In addition to alleging securities fraud and violations of SEC reporting provisions, the SEC also alleged that SolarWinds violated Sarbanes-Oxley internal control provisions.

In July 2024, U.S. District Judge Paul A. Engelmayer granted SolarWinds’ and the company’s former CISO’s motions to dismiss on most claims. A single set of fraud claims survived concerning alleged misstatements and omissions in a “Security Statement” that was published on SolarWinds’ website. The Security Statement described the company’s various cybersecurity practices, which the SEC alleges painted an incomplete and misleading picture. As recently as June 2025, the SEC indicated it was ready to try the case and filed a motion in opposition to the defendants’ motion to dismiss the remaining claim.

On July 2, 2025, all three parties—the SEC, SolarWinds and the company’s former CISO—sent a joint letter to the judge indicating they had reached an agreement in principle to settle the case. Any settlement is subject to approval of the four SEC commissioners. As noted above, the parties’ joint letter requested a stay until at least September 12, 2025 to give the SEC commissioners time to review the matter. Two of the sitting commissioners have been critical of the SEC’s case.

It is difficult to speculate what the final terms of settlement may be. Unrelated to this case, with the change in presidential administration, the SEC has dismissed numerous enforcement cases targeting the cryptocurrency industry on the grounds that the cases were imprudently brought. It is possible this philosophy has now been extended to the SolarWinds case, and the SEC may seek to drop the case entirely. It also is possible that this movement by the SEC staff is more in line with other settled cases, and could simply entail reduced charges and remedies acceptable to all parties. The fact that the SEC enforcement staff still needs approval by the SEC commissioners may imply that this latter scenario is more likely. Like any plaintiff, the SEC does from time to time settle enforcement cases after they have entered litigation for any number of reasons.

hunton EN 2025 SEC SolarWinds Settlement legal
DeepSeek faces ban from Apple, Google app stores in Germany | Reuters https://www.reuters.com/sustainability/boards-policy-regulation/deepseek-faces-expulsion-app-stores-germany-2025-06-27/
28/06/2025 09:57:32

  • Germany says DeepSeek illegally transfers user data to China
  • Apple and Google must now review Germany's request
  • Italy blocked DeepSeek app earlier this year

FRANKFURT, June 27 (Reuters) - Germany's data protection commissioner has asked Apple (AAPL.O) and Google (GOOGL.O) to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, following a similar crackdown elsewhere.
Commissioner Meike Kamp said in a statement on Friday that she had made the request because DeepSeek illegally transfers users' personal data to China.
The two U.S. tech giants must now review the request promptly and decide whether to block the app in Germany, she added, though her office has not set a precise timeframe.
Google said it had received the notice and was reviewing it.
DeepSeek did not respond to a request for comment. Apple was not immediately available for comment.
According to its own privacy policy, DeepSeek stores numerous pieces of personal data, such as requests to its AI programme or uploaded files, on computers in China.
"DeepSeek has not been able to provide my agency with convincing evidence that German users' data is protected in China to a level equivalent to that in the European Union," Kamp said.
"Chinese authorities have far-reaching access rights to personal data within the sphere of influence of Chinese companies," she added.

reuters EN 2025 Germany Italy DeepSeek legal China
Denmark to tackle deepfakes by giving people copyright to their own features https://www.theguardian.com/technology/2025/jun/27/deepfakes-denmark-copyright-law-artificial-intelligence
27/06/2025 15:22:34

The Danish government is to clamp down on the creation and dissemination of AI-generated deepfakes by changing copyright law to ensure that everybody has the right to their own body, facial features and voice.

The Danish government said on Thursday it would strengthen protection against digital imitations of people’s identities with what it believes to be the first law of its kind in Europe.

Having secured broad cross-party agreement, the department of culture plans to submit a proposal to amend the current law for consultation before the summer recess and then submit the amendment in the autumn.

It defines a deepfake as a very realistic digital representation of a person, including their appearance and voice.

The Danish culture minister, Jakob Engel-Schmidt, said he hoped the bill before parliament would send an “unequivocal message” that everybody had the right to the way they looked and sounded.

He told the Guardian: “In the bill we agree and are sending an unequivocal message that everybody has the right to their own body, their own voice and their own facial features, which is apparently not how the current law is protecting people against generative AI.”

He added: “Human beings can be run through the digital copy machine and be misused for all sorts of purposes and I’m not willing to accept that.”

The move, which is believed to have the backing of nine in 10 MPs, comes amid rapidly developing AI technology that has made it easier than ever to create a convincing fake image, video or sound to mimic the features of another person.

The changes to Danish copyright law will, once approved, theoretically give people in Denmark the right to demand that online platforms remove such content if it is shared without consent.

theguardian EN 2025 Denmark AI-generated deepfakes legal copyright
NSO Group must pay more than $167 million in damages to WhatsApp for spyware campaign | TechCrunch https://techcrunch.com/2025/05/06/nso-group-must-pay-more-than-167-million-in-damages-to-whatsapp-for-spyware-campaign/
08/05/2025 08:42:26

Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.

On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and around $444,719 in compensatory damages.

This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.

WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”

Alsawah said the ruling “is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”

NSO Group’s spokesperson Gil Lainer left the door open for an appeal.

“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer said in a statement.

techcrunch EN 2025 NSO Group WhatsApp damages punitive spyware legal
Communications surveillance: Proton, Threema and co. step up | ICTjournal https://www.ictjournal.ch/articles/2025-05-05/surveillance-des-communications-proton-threema-et-co-montent-au-creneau
05/05/2025 20:21:14

A partial revision of the ordinances on the Post and Telecommunications Surveillance Service (service SCPT) is causing a stir in the Swiss technology sector. The sticking point is a new classification of the companies that must assist the service SCPT in its surveillance activities.

Until now, the Confederation distinguished between telecommunications service providers (FST) and providers of derived communication services (FSDC), according to a Confederation press release. The Confederation also divided FSTs into two sub-categories, namely FSTs with full obligations and FSTs with restricted obligations.

Three new levels
The Confederation had not drawn any distinction among providers of derived communication services. All companies classified as FSDC were subject to less stringent cooperation obligations – until now. The Federal Council now wants to introduce a more precise categorisation for FSDCs. To this end, it plans a three-level model: FSDCs with "minimal" obligations, with "restricted" obligations and with "full" obligations.

ictjournal CH Suisse Confédération FST FSDC Proton Threema surveillance révision ordonnance legal
UK bans export of video game controllers to Russia to hinder attack drone pilots https://therecord.media/uk-bans-video-game-controllers
25/04/2025 09:35:39

In a sanctions package including more than 150 new measures, the British government said it was closing loopholes being exploited by the Kremlin.

therecord.media EN 2025 Russia-Ukraine-war UK ban game controllers drones legal sanctions pilots
Swiss critical sector faces new 24-hour cyberattack reporting rule https://www.bleepingcomputer.com/news/security/swiss-critical-sector-faces-new-24-hour-cyberattack-reporting-rule/
11/03/2025 08:24:51

Switzerland's National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery.

bleepingcomputer EN 2025 Cyber-Incident Cybersecurity Law Legal Switzerland
Sky ECC encrypted service distributors arrested in Spain, Netherlands https://www.bleepingcomputer.com/news/legal/sky-ecc-encrypted-service-distributors-arrested-in-spain-netherlands/?ref=metacurity.com
11/02/2025 17:17:30

Four distributors of the encrypted communications service Sky ECC, used extensively by criminals, were arrested in Spain and the Netherlands.

bleepingcomputer EN 2025 Arrest Encrypted-Chat Encrypted-Messaging Legal Netherlands Police Sky-ECC Spain
Spain arrests suspected hacker of US and Spanish military agencies https://www.bleepingcomputer.com/news/legal/spain-arrests-suspected-hacker-of-us-and-spanish-military-agencies/
10/02/2025 12:08:56

The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.

bleepingcomputer EN 2025 Arrest Database Hacker ICAO Legal Police Spain
After the ransomware attack, the Breton SME obtains a conviction against ... https://www.zdnet.fr/actualites/apres-lattaque-par-rancongiciel-la-pme-bretonne-fait-condamner-son-prestataire-informatique-404483.htm
19/01/2025 09:04:14

It considered that the company in charge of renewing its IT servers had failed in its mission.

zdnet.fr FR 2025 PME legal bretonne condamnation prestataire ransomware backup sauvegarde déconnecté
Telegram hands over data on thousands of users to US law enforcement https://www.bleepingcomputer.com/news/legal/telegram-hands-over-data-on-thousands-of-users-to-us-law-enforcement/
12/01/2025 20:58:46

Telegram reveals that the communications platform has fulfilled 900 U.S. government requests, sharing the phone number or IP address information of 2,253 users with law enforcement.

bleepingcomputer EN 2025 Cybercrime Law-Enforcement Legal Privacy Telegram Transparency User-Data
Weibo is losing influencers over legal display name rule - Rest of World https://restofworld.org/2023/weibo-legal-display-name-influencers/
20/12/2024 08:57:00

Chinese social media platforms like WeChat, Douyin, Zhihu, Xiaohongshu, and Weibo now require popular users’ legal names to be made visible to the public.

restofworld EN 2024 WeChat Douyin Zhihu China influencer Xiaohongshu Weibo legal name low
Meta fined $263M over 2018 security breach that affected ~3M EU Facebook users https://techcrunch.com/2024/12/17/meta-fined-263m-over-2018-security-breach-that-affected-3m-eu-users/
18/12/2024 06:47:31

Meta has been fined €251 million (around $263 million) in the European Union for a Facebook security breach that affected millions of users, which the

techcrunch EN 2024 Meta fine Ireland data-breach EU legal
The story behind HISAA https://www.theregister.com/2024/10/29/hold_the_story_behind_the/?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
04/11/2024 08:44:10

Health care breaches lead to legislation
Highlights of the new standard include:

  • Performing and documenting a security risk analysis of exposure
  • Documentation of a business continuity plan (BCP)
  • Stress test of resiliency and documentation of any planned changes to the BCP
  • A signed statement by both the CEO and CISO of compliance
  • A third-party audit to certify compliance (no later than six months after enactment)
theregister EN 2024 HISAA standard legal US health legislation
Dutch police arrest admin of 'Bohemia/Cannabia' dark web market https://www.bleepingcomputer.com/news/legal/dutch-police-arrest-admin-of-bohemia-cannabia-dark-web-market/
14/10/2024 09:03:24

An international law enforcement operation led to the arrest of one of the three administrators of the dual dark web market 'Bohemia/Cannabia,' known for hosting ads for drug sales and distributed denial of service (DDoS) attacks.

bleepingcomputer EN 2024 Bohemia/Cannabia busted Arrest Dark Bohemia Dutch Cannabia Web Legal Police Politie