Spring 2026 EU cybersecurity update: What changed & how to prepare

Introduction

On March 24, 2026, attackers accessed the European Commission's AWS cloud accounts and exfiltrated over 350GB of data before being blocked.

The ShinyHunters extortion group claimed responsibility. The Commission confirmed the breach on March 30, making it the most significant EU institutional compromise of the year and a precise illustration of the threat environment in which four major EU cybersecurity regulations are now being enforced simultaneously.

Spring 2026 marks a convergence: the January 20 NIS2 amendments and CSA2 proposal, active DORA enforcement by national regulators, and the September 11 CRA reporting deadline approaching fast.

The EU also imposed its first cyber sanctions of the year on March 16, targeting Chinese and Iranian threat actors. These are not background events — they are the enforcement context every IT leader and compliance officer needs to understand now.

Key takeaways

  • European Commission data breach confirmed: On March 30, 2026, ShinyHunters stole over 350GB from its AWS cloud accounts, including databases, contracts, and mail server dumps.
  • First EU cyber sanctions of 2026: On March 16, the EU Council imposed restrictive measures against three entities — Integrity Technology Group, Anxun Information Technology (China), and Emennet Pasargad (Iran) — and two individuals.
  • NIS2 and CSA2 amendments proposed: On January 20, 2026, the European Commission introduced changes clarifying jurisdiction, scope, and certification obligations across both frameworks.
  • CRA reporting deadline approaching: Mandatory vulnerability and incident reporting obligations under the Cyber Resilience Act begin September 11, 2026.
  • DORA enforcement is active: Fully applicable since January 17, 2025, with BaFin and other national regulators conducting audits throughout 2026.

The threat context that made these changes necessary

The threat context that made these changes necessary

The Spring 2026 EU regulatory acceleration is a direct response to a documented surge in attacks on European institutions and critical infrastructure. The European Commission breach, the EU's first cyber sanctions of 2026, and the statistical picture from ENISA and independent incident responders all point in the same direction: the threat is real, targeted, and ongoing.

The European Commission breach (March 2026)

The March 24 attack on the Commission's AWS-hosted Europa.eu platform is the clearest recent example of cloud supply chain risk. ShinyHunters — the same extortion group behind multiple high-profile data theft campaigns — claimed to have taken over 350GB of data: mail server dumps, databases, confidential documents, and contracts.

A 90GB archive appeared on their dark web leak site. The Commission's internal systems were not affected, but the incident exposed a structural vulnerability: public-facing cloud infrastructure operated without the access controls and credential hygiene that NIS2 and DORA are designed to mandate.

"Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission's internal systems were not affected by the cyber-attack." — European Commission Press Release, March 27, 2026

This was the Commission's second breach in 2026. A February incident had already compromised the mobile device management platform used to manage staff devices. Two significant breaches in two months at a single institution is not a coincidence — it reflects a sustained targeting campaign.

EU cyber sanctions — March 16, 2026

On March 16, 2026, the EU Council imposed restrictive measures against three entities and two individuals under the EU's cyber diplomacy toolbox — the first EU cyber sanctions of the year.

The sanctioned parties:

  • Integrity Technology Group (China): Provided products used to compromise over 65,000 devices across six EU member states between 2022 and 2023.
  • Anxun Information Technology (China): Provided hacking services targeting EU critical infrastructure. Two co-founders were individually sanctioned.
  • Emennet Pasargad (Iran): Breached a French subscriber database, compromised advertising billboards during the 2024 Paris Olympics to spread disinformation, and compromised a Swedish SMS service.

All listed entities face asset freezes. The two individuals also face travel bans. The EU cyber sanctions regime now covers 19 individuals and 7 entities.

The statistical backdrop

According to the ENISA Threat Landscape 2025 report, DDoS attacks accounted for 77% of all recorded EU cyber incidents, driven primarily by hacktivist groups. Ransomware remains the most operationally damaging threat: 81.1% of cybercrime incidents targeting EU organizations involved ransomware.

Public administration was the most targeted sector, representing 38% of all incidents. State-aligned groups intensified long-term espionage campaigns against telecommunications, logistics, and manufacturing.

The picture from incident responders on the ground is equally direct. Eye Security's 2026 incident report — based on 630 investigations across Benelux and Germany — found that 70% of all cases were Business Email Compromise (BEC). More telling: 62% of classified cases since January 2025 involved MFA bypass. Attackers are not breaking encryption — they are stealing or bypassing credentials. That is the vector NIS2, DORA, and GDPR enforcement are all designed to close.

The European Commission breach followed a well-documented pattern: compromised cloud credentials, no audit trail, no access boundaries. Passwork gives IT teams a structured vault with role-based access, granular permissions, and a full activity log — the controls NIS2 and DORA explicitly require. Try Passwork free

NIS2 amendments: What changed on January 20, 2026

On January 20, 2026, the European Commission proposed amendments to NIS2 focused on legal certainty, streamlined compliance, and clarified jurisdictional rules. The proposal also introduced a revised Cybersecurity Act (CSA2) that expands ENISA's mandate and moves toward mandatory cybersecurity certification for products and services used in critical sectors.

The three practical changes in NIS2

The amendments address three pain points that emerged during the first year of implementation across member states:

  1. Jurisdictional clarity. The amendments specify which member state holds supervisory authority over cross-border entities — a major source of compliance uncertainty for multinational organizations operating in multiple EU jurisdictions simultaneously.
  2. Ransomware data collection. The proposal standardizes the collection of ransomware-related incident data across member states, enabling more consistent threat intelligence sharing at the EU level.
  3. Scope refinement. A new "small mid-cap" category adjusts the thresholds determining whether organizations fall under NIS2's essential or important entity classification.

CSA2: The more significant structural shift

The CSA2 revision expands both the material and subjective scope of the EU cybersecurity framework. The critical change: certification for ICT products and services used in critical sectors moves from voluntary to mandatory. Organizations that have relied on the current voluntary ENISA certification schemes will need to reassess their product portfolios and supplier contracts once CSA2 is adopted — expected late 2026 or 2027.

Germany: NIS2 implementation is already in force

Germany's NIS2 implementation law (NIS2UmsuCG) entered into force on December 6, 2025. The BSI registration deadline was March 6, 2026. Approximately 30,000 companies in Germany fall under NIS2. A survey by nis2-check.de found that 80% of affected companies were unaware of their obligations (ADVISORI, February 2026). The law introduces personal liability for management under §38 NIS2UmsuCG — a first in German cybersecurity law.

NIS2 incident reporting requirements

Report type Deadline Content
Initial notification Within 24 hours Indication of incident; whether it may be cross-border
Intermediate report Within 72 hours Updated assessment; initial severity and impact
Final report Within 1 month Full description, root cause, measures taken

DORA: Enforcement begins in 2026

DORA (Regulation EU 2022/2554) has been directly applicable since January 17, 2025. There is no national implementation law required and no postponement possible. In 2026, national regulators including Germany's BaFin are conducting active audits of financial institutions and their ICT third-party providers.

Who DORA covers

DORA applies to the entire financial sector: credit institutions, insurance companies, investment firms, payment service providers, crypto-asset service providers, and — critically — the ICT third-party providers supplying critical services to these entities.

A cloud provider hosting core banking systems falls under DORA as an ICT third-party provider, as does the bank itself. The regulation's reach extends well beyond traditional financial services.

The five compliance pillars

DORA organizes its requirements around five areas: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.

The most demanding requirement is Threat-Led Penetration Testing (TLPT) — mandatory for systemically important institutions. TLPT requires specialized red teams to simulate real attack scenarios based on current threat intelligence, not generic penetration testing methodologies.

Compliance gaps remain significant

Despite DORA being in force for over a year, readiness across the sector is incomplete. A Veeam survey found that 96% of EMEA financial organizations believe they need to improve their resilience to meet DORA requirements.

A Computerwoche survey found that 44% of affected companies report significant implementation problems. Specific gaps: 24% have not identified a DORA implementation lead, and 23% have not conducted digital operational resilience testing.

These numbers mean BaFin auditors are walking into organizations that have not completed basic readiness steps — with enforcement consequences that include license revocation, not just fines.

Cyber Resilience Act: The September 2026 deadline

The Cyber Resilience Act entered into force on December 10, 2024. From September 11, 2026, manufacturers and importers of digital products must report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours. Full CRA requirements — including security-by-design obligations — apply from December 11, 2027.

What the September 2026 milestone covers

Two specific obligations activate on September 11:

  • Vulnerability reporting: Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them.
  • Incident reporting: Severe incidents with an impact on the security of digital products must also be reported to ENISA within 24 hours.

The full CRA requirements — security by design, software bill of materials (SBOM), ongoing vulnerability management, and CE marking for digital products — apply from December 2027. Organizations that have not started preparation by mid-2026 will struggle to meet that deadline. The maximum CRA fine is €15 million or 2.5% of global annual turnover, whichever is higher.

NIS2 vs. DORA vs. CRA vs. CSA2: Which regulation applies to you?

NIS2 vs. DORA vs. CRA vs. CSA2: Which regulation applies to you?

The lex specialis principle means that sector-specific regulations take precedence over general ones. Financial entities subject to DORA are exempt from certain NIS2 obligations where DORA provides equivalent or stricter requirements. All four regulations can overlap for large organizations operating across sectors — a cloud provider serving financial institutions while also manufacturing IoT hardware may face obligations under all four simultaneously.

Regulation comparison

Regulation Who is in scope Core duty Next critical deadline Max fine
NIS2 (amended Jan 2026) ~160,000 entities across the EU in 18 sectors; essential and important entities Cybersecurity risk management, incident reporting, registration Q1 2026 (transposition deadlines vary by member state) €10M or 2% of global revenue
DORA (in force Jan 2025) Financial sector + ICT third-party providers ICT risk management, TLPT, third-party oversight Q1–Q2 2026 (BaFin audits) Sector-specific, incl. license revocation
CRA (in force Dec 2024) Manufacturers and importers of digital products with digital elements Security by design, SBOM, vulnerability management September 11, 2026 (reporting obligations) €15M or 2.5% of global revenue
CSA2 (proposed Jan 2026) Manufacturers/providers in critical sectors; expands ENISA mandate Mandatory cybersecurity certification Expected adoption: late 2026 or 2027 TBD

Decision matrix: Does this regulation apply to you?

Question If YES If NO
Does your organization operate in one of NIS2's 18 sectors with 50+ employees and €10M+ revenue? NIS2 applies Check CSA2 if you manufacture digital products
Is your organization a financial institution, insurance company, or ICT provider to the financial sector? DORA applies (NIS2 may apply with lex specialis carve-outs)
Does your organization manufacture or import digital products with digital elements (software, hardware, IoT)? CRA applies
Does your organization provide ICT products/services to critical sectors and seek EU market access? CSA2 certification will apply
DORA requires documented access controls and audit trails for all privileged ICT accounts. Passwork's secure credential sharing and activity logging give compliance teams the evidence trail auditors ask for.

Practical compliance checklist for Spring/Summer 2026

With 62% of EU cyber incidents in 2025 involving MFA bypass and 70% classified as Business Email Compromise, the most immediate technical measures are identity-focused: enforce MFA everywhere, audit privileged access, and assess third-party credential exposure. Regulatory compliance and operational security point to the same controls.

Immediate actions (April – June 2026)

  1. Complete BSI registration (Germany) if not yet done. Contact BSI immediately and document the attempt — even if the March 6 deadline has passed, the record of good-faith effort matters in enforcement proceedings.
  2. Conduct a NIS2 impact analysis. Determine whether your organization and its subsidiaries, joint ventures, and critical suppliers fall under NIS2's essential or important entity classification.
  3. Establish a 24/72-hour incident reporting process. Assign clear ownership, create notification templates, and test the escalation path end-to-end before an incident forces you to use it.
  4. Enforce MFA across all remote access and privileged accounts. Given that 62% of classified EU incidents involved MFA bypass (Eye Security, 2026), this is the single highest-ROI control available.
  5. Audit third-party ICT providers. DORA requires contractual security obligations for all critical ICT suppliers. NIS2 requires supply chain security assessments. Both regulations demand documented evidence of third-party oversight.
  6. Implement a secure credential management policy. Centralize password management for privileged accounts to prevent the credential theft vector used in the ShinyHunters breach. Unmanaged shared credentials remain the most common entry point in BEC and cloud account compromise cases.

Mid-term actions (July – September 2026)

  1. Prepare for CRA reporting obligations (effective September 11, 2026). Establish a vulnerability disclosure process, designate a contact point for ENISA reporting, and confirm that your product inventory accurately reflects which items qualify as "digital products with digital elements."
  2. Conduct a DORA resilience test. At minimum, run a tabletop exercise. Systemically important institutions must plan for full TLPT with a qualified red team operating against current threat intelligence.
  3. Begin CSA2 certification assessment. Identify which products or services will require mandatory EU cybersecurity certification under CSA2 and engage a notified body early — certification timelines are long.
  4. Review GDPR compliance. The French Conseil d'État upheld a €40 million GDPR fine against Criteo on March 4, 2026. Total GDPR fines since 2018 now exceed €7.1 billion, with €1.2 billion issued in 2025 alone (Kiteworks, March 2026). Data protection enforcement is at peak intensity — treat it as a parallel track, not a separate program.

Conclusion

Conclusion

The threat and regulatory context are converging. The Spring 2026 EU cybersecurity environment is defined by simultaneous tightening of regulation and escalation of attacks. The European Commission breach and the EU's first cyber sanctions of the year are not isolated events — they are the enforcement context for NIS2, DORA, CRA, and CSA2.

Identity security is the immediate priority. Credential theft via cloud account compromise is precisely what NIS2's "appropriate technical measures" requirement is designed to prevent. With 62% of EU incidents in 2025 involving MFA bypass, enforcing MFA, auditing privileged access, and centralizing credential management are foundational controls — ones that simultaneously reduce breach risk and satisfy requirements across NIS2, DORA, and GDPR.

The deadlines are fixed. The September 11, 2026 CRA reporting deadline is six months away. DORA audits are underway. NIS2 registration in Germany closed on March 6. Organizations that treat compliance as a documentation exercise rather than a security improvement program face both regulatory penalties and operational exposure.

The common assumption across all four frameworks: organizations maintain documented, auditable control over who accesses what credentials, when, and why. That is the starting point for any serious compliance program — and the baseline regulators will test against.

Passwork is a self-hosted corporate password manager with role-based access control, detailed activity logs, and zero-knowledge encryption — deployed entirely within your own infrastructure. It addresses the credential management controls required under NIS2, DORA, and GDPR in a single, auditable system. Try Passwork free in your infrastructure

FAQ: EU cybersecurity regulations in Spring 2026

FAQ: EU cybersecurity regulations in Spring 2026

What changed in EU cybersecurity law in Spring 2026?

The European Commission proposed amendments to NIS2 and a new Cybersecurity Act (CSA2) on January 20, 2026. The CRA's reporting obligations begin September 11, 2026. DORA has been in active enforcement since January 2025. The EU also imposed its first cyber sanctions of 2026 on March 16, targeting Chinese and Iranian threat actors.

What is the difference between NIS2 and DORA?

NIS2 is a broad directive covering 18 sectors and focusing on cybersecurity risk management and incident reporting. DORA is a regulation specific to the financial sector, with deeper requirements for ICT risk management, resilience testing, and third-party oversight. The lex specialis principle means DORA takes precedence for financial entities where its requirements are stricter than NIS2's equivalent obligations.

What are the penalties for NIS2 non-compliance in 2026?

Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global revenue. Germany's NIS2 implementation law (§38 NIS2UmsuCG) also introduces personal liability for management — a first in German cybersecurity law.

When does the Cyber Resilience Act take effect?

The CRA entered into force on December 10, 2024. Mandatory vulnerability and incident reporting obligations begin September 11, 2026. Full security-by-design requirements and CE marking obligations apply from December 11, 2027. Organizations that delay preparation until late 2026 will face a compressed timeline for the 2027 deadline.

Who was sanctioned under EU cyber sanctions in March 2026?

On March 16, 2026, the EU Council sanctioned Integrity Technology Group and Anxun Information Technology (both China-based) and Emennet Pasargad (Iran-based), along with two Chinese individuals. Sanctions include asset freezes; the two individuals also face travel bans. The EU cyber sanctions regime now covers 19 individuals and 7 entities total.

What is the EU Cybersecurity Act 2 (CSA2)?

CSA2 is the proposed revision to the EU Cybersecurity Act, announced January 20, 2026. It expands ENISA's mandate and introduces mandatory cybersecurity certification for ICT products and services used in critical sectors — replacing the current voluntary certification framework for those categories. Expected adoption: late 2026 or 2027.

Does NIS2 or DORA apply to cloud providers?

A cloud provider supplying critical services to financial institutions falls under DORA as an ICT third-party provider. If the same provider also operates in one of NIS2's 18 sectors with the relevant size thresholds, NIS2 applies independently. The two regulations can — and frequently do — apply simultaneously to the same organization.

What happened in the European Commission data breach of 2026?

On March 24, 2026, attackers accessed the European Commission's AWS cloud accounts hosting the Europa.eu platform. The ShinyHunters extortion group claimed responsibility and alleged theft of over 350GB of data, including databases, contracts, and confidential documents. The Commission confirmed the breach on March 30, 2026.

NIS2 password requirements: What European companies must do in 2026
Credential gaps are the leading NIS2 audit failure point in 2026. This guide covers Article 21 password requirements, NIST SP 800-63B alignment, AD hardening steps, and the audit evidence regulators ask for first.
Passwork BlogAlex Muntyan
Password Manager Deployment Models: Cloud, Self-Hosted & Hybrid
Choosing where to run your password manager matters as much as choosing which one. This guide breaks down cloud, self-hosted, and hybrid deployment — with a compliance matrix for GDPR, HIPAA, and NIS2, and a clear look at the trade-offs each model carries.
Passwork BlogAlex Muntyan
What is a passkey? Guide to passwordless authentication
A passkey is a phishing-resistant credential stored on your device. Sign in with a biometric tap — no password to remember or steal. This guide covers the technical mechanics, platform setup, real-world performance data, and what the transition means for enterprise teams.
Passwork BlogAlex Muntyan