ctipilot.ch

CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24 May 2026)

Type: weekly
Date: 2026-W21
Generator: Claude Sonnet 4.6 (`claude-sonnet-4-6`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.59
Items: 32
CVEs: 25

0. Week at a glance

  • Exchange CVE-2026-42897 — no permanent patch; Microsoft ESU gap exposes Exchange 2016/2019 indefinitely — Active OWA-XSS exploitation continues; Microsoft confirmed no security update exists and Exchange 2016/2019 organisations without ESU Period 2 licences will not receive the permanent fix. (daily 2026-05-16; MSRC)
  • NGINX CVE-2026-42945 ("NGINX Rift") — in-the-wild exploitation confirmed 2026-05-17 — VulnCheck honeypot data confirms active exploitation of an 18-year-old heap buffer overflow; patch to 1.28.0 / NGINX Plus R35. (The Hacker News)
  • TeamPCP / Mini Shai-Hulud wave 5 reaches PHP Packagist — intercom/intercom-php@5.0.2 weaponised as Composer plugin; cross-ecosystem scope now npm + PyPI + Packagist. (Socket.dev)
  • Cisco SD-WAN CVE-2026-20182 — pre-auth bypass under active exploitation; CISA KEV-listed — Unauthenticated administrative access; actively exploited and patched builds available. (Talos; daily 2026-05-15)
  • Windows YellowKey / GreenPlasma / MiniPlasma — third PoC published; no OOB patch — Three zero-days with public PoC, no Microsoft out-of-band release; earliest fix window June 2026 Patch Tuesday. (daily 2026-05-15)
  • Grafana Labs Pwn-Request breach — CoinbaseCartel exfiltrates private codebase — pull_request_target misconfiguration allowed fork-injected command to steal GitHub token; private codebase cloned; ransom rejected. (The Hacker News)
  • Germany NIS2UmsuCG registration deadline passed — significant non-compliance — Majority of expected in-scope entities did not register by 6 March 2026; BSI withholding sanctions for now. (G DATA)

1. Highest-impact events — what's on fire if no one acted

Exchange CVE-2026-42897 — active OWA-XSS exploitation persisting; no permanent patch; Exchange 2016/2019 permanently exposed without ESU Period 2

If you did nothing this week: Exchange 2016 and 2019 organisations without the Emergency Mitigation Service (EM Service) enabled are being actively targeted via stored-XSS in OWA. Microsoft has no security update — the MSRC advisory states verbatim: "We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards." Exchange 2016/2019 organisations that did not purchase ESU Period 2 licences will never receive the permanent patch and remain reliant on EM Service mitigation indefinitely.

CVE-2026-42897 (CVSS 8.1, CWE-79) is a stored XSS in Exchange Online Web Access. Active exploitation was confirmed by the time the daily brief covered the DEVCORE Pwn2Own Berlin three-bug SYSTEM RCE chain disclosure on 2026-05-16. The EM Service mitigation (M2.1.x) deploys automatically when EM Service is enabled and the server can reach officemitigations.microsoft.com — verify via C:\Program Files\Microsoft\Exchange Server\V15\Logging\MitigationService\MitigationService.log that mitigation ID M2 shows "Applied". Exchange SE is the only version that will receive a public security update; 2016/2019 permanently enter ESU-or-nothing posture for this CVE.

The DEVCORE chain (three chained bugs achieving SYSTEM RCE) disclosed at Pwn2Own Berlin adds a separate exploitation surface — Microsoft has not formally confirmed whether the chain is being weaponised against the same OWA initial-access vector, but the compound-exploitation risk is assessed HIGH given the active OWA-XSS exploitation underway.

Changes since first coverage (4 prior appearances)
  1. 2026-05-18 (daily 2026-05-18): TL;DR bullet — Exchange Team Blog 2026-05-17 update confirms EM Service auto-mitigation requires outbound HTTPS to officemitigations.microsoft.com.
  2. 2026-05-17 (daily 2026-05-17): UPDATE: Pwn2Own Berlin 2026 Day 2 — DEVCORE Orange Tsai chained three undisclosed Exchange bugs to unauthenticated SYSTEM RCE ($200K, 90-day embargo). Separate attack surface from CVE-2026-42897. Compound risk: active XSS without permanent patch PLUS fresh SYSTEM RCE class. MSRC advisory remains the operational primary.
  3. 2026-05-17 (weekly 2026-W20): Consolidated in weekly summary for 2026-W20.
  4. 2026-05-16 (daily 2026-05-16): First coverage. Microsoft confirmed Exploitation Detected 2026-05-14; CISA KEV-added 2026-05-15; no permanent patch — EEMS Mitigation M2 auto-applies, EOMT for air-gapped; Exchange 2016/2019 permanent fix gated on Period 2 ESU enrolment. Deep dive § 5.

Cisco Catalyst SD-WAN CVE-2026-20182 — pre-auth authentication bypass under active exploitation; CISA KEV-listed

If you did nothing this week: Internet-exposed SD-WAN Manager instances without the patched build applied are high-value initial-access targets. The pre-auth authentication bypass in Cisco Catalyst SD-WAN Manager and Controller (CVSS 10.0) is under active exploitation. CISA has added CVE-2026-20182 to the Known Exploited Vulnerabilities catalogue.

The vulnerability arises from improper validation of API request parameters, allowing an unauthenticated remote attacker to bypass authentication and execute administrative functions, including creating admin-level accounts and modifying device configuration. Talos confirmed exploitation in the wild in its 2026-05-14 advisory, documenting a cluster tracked as UAT-8616 among others. Talos documents 10 exploitation clusters targeting older CVE-2026-20133 / CVE-2026-20128 / CVE-2026-20122 vulnerabilities in the same product line — active exploitation of CVE-2026-20182 specifically is confirmed by Cisco PSIRT. Patched builds per Cisco PSIRT: 20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, 26.1.1.1; older releases require upgrade.

Changes since first coverage (2 prior appearances)
  1. 2026-05-17 (weekly 2026-W20): Consolidated in weekly summary for 2026-W20.
  2. 2026-05-15 (daily 2026-05-15): First coverage. CVSS 10.0 pre-auth bypass in vdaemon DTLS service UDP/12346. Actively exploited by UAT-8616 and 10+ clusters. CISA ED-26-03 issued. Deep dive in § 5.

NGINX CVE-2026-42945 ("NGINX Rift") — in-the-wild exploitation confirmed 2026-05-17; patch now mandatory

If you did nothing this week: VulnCheck honeypot network data confirms active exploitation of CVE-2026-42945 as of 2026-05-17. This was a known-but-unpatched vulnerability in NGINX Open Source through 1.30.0 and NGINX Plus through R34; the transition from disclosure to confirmed ITW occurred within two days. NGINX is the most-deployed reverse proxy and load balancer in Swiss federal and EU public-sector web stacks.

The heap buffer overflow in ngx_http_rewrite_module (present since NGINX 0.6.27, 2008) is triggered by crafted HTTP requests against a specific rewrite-directive configuration pattern using unnamed PCRE capture groups with ? characters followed by another rewrite, if, or set directive. Unauthenticated attackers can crash NGINX worker processes (confirmed DoS); RCE requires ASLR disabled, which occurs on embedded and edge configurations. AlmaLinux errata shipped 2026-05-13. F5 patched this in NGINX 1.28.0 (stable) / NGINX Plus R35. Detection: access logs showing malformed requests producing rapid 502/504 patterns or NGINX worker SIGABRT crashes. ASLR check: cat /proc/sys/kernel/randomize_va_space (0 = disabled = RCE-capable configurations).

Changes since first coverage (2 prior appearances)
  1. 2026-05-18 (daily 2026-05-18): TL;DR bullet — VulnCheck honeypot telemetry confirms in-the-wild exploitation 2026-05-17.
  2. 2026-05-15 (daily 2026-05-15): First coverage. CVSS 9.2/8.1 heap overflow in NGINX 0.6.27-1.30.0. PoC public. NCSC-CH advisory. Affects NGINX OS, Plus, Ingress Controller, F5 WAF products.

PAN-OS CVE-2026-0300 — active exploitation ongoing; wave 2 patch builds delayed to 2026-05-28 [SINGLE-SOURCE: Palo Alto PSIRT]

If you did nothing this week: Palo Alto PAN-OS managed firewalls running eight specific build trains remain on mitigation-only posture through 2026-05-28. This CWE-787 buffer overflow in GlobalProtect Gateway is under active exploitation per CISA KEV. Audit for rogue admin accounts created by the attacker before applying wave 2 patches, as installation may overwrite implant artefacts.

Wave 1 patched builds (available 2026-05-13) cover most build trains; wave 2 (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7) are scheduled for 2026-05-28. PAN-OS is widely deployed in Swiss cantonal and federal perimeter networks. No status change from W20 end — the wave 2 schedule is unchanged.

Changes since first coverage (9 prior appearances)
  1. 2026-05-18 (daily 2026-05-18): UPDATE — Palo Alto PSIRT revised 2026-05-16 with retimed fix-release schedule for 10.2.13-h21 (May 16) and 10.2.16-h7 (May 14). Wave-2 patch target remains 2026-05-28. Active exploitation continues.
  2. 2026-05-17 (weekly 2026-W20): Consolidated in weekly summary for 2026-W20.
  3. 2026-05-14 (daily 2026-05-14): UPDATE: Palo Alto PSIRT 2026-05-13 announces patch wave 2 for eight build streams (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7) delayed to 2026-05-28; operators on those builds run interim mitigation only. CL-STA-1132 ITW continues. KEV deadline 2026-05-09 expired (FCEB only, no CH/EU weight).
  4. 2026-05-13 (daily 2026-05-13): First-wave patched PAN-OS builds released 2026-05-13 (12.1.4-h5, 12.1.7 staged 05/28; 11.2/11.1/10.2 staged 05/13–05/28).
  5. 2026-05-12 (daily 2026-05-12): First wave of PAN-OS fixed builds released today (12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33/.6-h32/.10-h25/.13-h5, 10.2.10-h36, 10.2.18-h6); second wave ~2026-05-28 covering remaining branches. Surfaced as Immediate Action callout in § 0 + § 6 Action Item.
  6. 2026-05-10 (weekly 2026-W19): Consolidated in weekly summary for week 2026-W19.
  7. 2026-05-09 (daily 2026-05-09): UPDATE: KEV deadline TODAY 2026-05-09. No patch released yet (expected 2026-05-13). CL-STA-1132 post-exploitation detail: rogue admin accounts (svc-health-check-NNNNNN), Python tunnelling implants under /tmp/.update-service, 4-17 day dwell time.
  8. 2026-05-08 (daily 2026-05-08): UPDATE: CISA KEV deadline is today (2026-05-09). No patch until 2026-05-13. Mitigation (disable Captive Portal or restrict to internal IPs) must be confirmed applied; treat as P0.
  9. 2026-05-07 (daily 2026-05-07): First coverage. Critical unauthenticated RCE in PAN-OS Captive Portal; CERT-EU Critical Advisory 2026-006; CISA KEV deadline 2026-05-09; exploitation since 2026-04-09 by CL-STA-1132 (likely state-sponsored); no patch until 2026-05-13. Deep dive § 5.

2. Multi-day campaigns and chains

TeamPCP / Mini Shai-Hulud supply-chain worm — wave 5 reaches Packagist (PHP); framework source code leaked; OpenAI named as victim

The Mini Shai-Hulud campaign (attributed to TeamPCP / UNC6780) dominated the week's supply-chain security coverage across all five daily briefs, each adding a new layer.

At the start of the coverage window (2026-05-12), the Checkmarx Jenkins AST plugin backdoor became the third Checkmarx ecosystem component compromised — TeamPCP's pivot from npm into a CI/CD tooling vendor's plugin distribution. By 2026-05-13, wave-4 npm packages (160+ versions) hit TanStack, UiPath, Mistral AI, and OpenSearch; the worm's self-propagating mechanism — OIDC-token reuse to publish new malicious versions under victim-held package namespaces — was fully documented by StepSecurity. By 2026-05-15, OpenAI was named as a victim of the wave-4 infection and conducted a code-signing certificate rotation; Datadog Security Labs published a full static analysis of the leaked "Shai-Hulud" offensive framework source code, documenting IDE-hook persistence (.claude/settings.json, .vscode/tasks.json), Sigstore-provenance-bypass techniques, and the multi-registry OIDC-token propagation architecture. By 2026-05-16, node-ipc (90+ dependent packages) was backdoored via expired-domain account takeover — a separate but thematically linked supply-chain incident. On 2026-05-16, Socket.dev and Semgrep confirmed wave 5: intercom/intercom-php@5.0.2 weaponised as a Composer plugin, extending the worm to PHP Packagist (20.7M lifetime installs). As of 2026-05-18, Cargo (Rust) and Maven (Java) have not been confirmed as targets.

Defenders: lock intercom/intercom-php to ≤ 5.0.1; audit Composer install logs for unexpected outbound connections from composer install processes; pre-stage hunts for IDE-hook entries in .claude/settings.json and .vscode/tasks.json; enable Sigstore provenance verification for npm packages; monitor OIDC token scope claims in CI/CD pipeline logs.
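A repository-side hunt for the wave-5 indicators listed above, as an added example (not Socket.dev or Semgrep tooling): it checks composer.lock for intercom/intercom-php above 5.0.1 and for any composer-plugin package, and lists IDE-hook entries in .claude/settings.json and .vscode/tasks.json. The JSON shapes are the real file formats as assumed here; what counts as "unexpected" is a baseline decision the brief leaves to the defender, so every entry is reported.

```python
import json
import re

PINNED_PACKAGE = "intercom/intercom-php"
MAX_ALLOWED = (5, 0, 1)  # the brief: lock intercom/intercom-php to <= 5.0.1


def parse_version(version: str) -> tuple:
    """'v5.0.2' -> (5, 0, 2). Pre-release suffixes are dropped; branch aliases such as
    'dev-main' yield an empty tuple, which check_composer_lock treats as unresolvable."""
    return tuple(int(n) for n in re.findall(r"\d+", version.lstrip("v").split("-", 1)[0]))


def check_composer_lock(lock_text: str) -> list:
    """Flag the pinned package above its ceiling (or unresolvable) and every package of type
    composer-plugin: plugins run PHP inside `composer install`, the mechanism wave 5 abused."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg.get("name", ""), pkg.get("version", "")
        if name == PINNED_PACKAGE:
            parsed = parse_version(version)
            if not parsed or parsed > MAX_ALLOWED:
                ceiling = ".".join(map(str, MAX_ALLOWED))
                findings.append(f"{name} {version} is above the {ceiling} ceiling")
        if pkg.get("type") == "composer-plugin":
            findings.append(f"composer-plugin in dependency set: {name} {version} (review its code)")
    return findings


def check_ide_hooks(claude_settings_text, vscode_tasks_text) -> list:
    """List IDE entries that execute commands without an explicit user action. Assumed shapes:
    .claude/settings.json: {"hooks": {"<Event>": [{"matcher": "...", "hooks": [{"type": "command", "command": "..."}]}]}}
    .vscode/tasks.json:    {"tasks": [{"label": "...", "command": "...", "runOptions": {"runOn": "folderOpen"}}]}
    Both files are assumed to be strict JSON (strip JSONC comments first). Every entry is listed;
    which ones are legitimate depends on the repository's known baseline."""
    findings = []
    if claude_settings_text:
        for event, entries in json.loads(claude_settings_text).get("hooks", {}).items():
            for entry in entries:
                for hook in entry.get("hooks", []):
                    findings.append(f".claude/settings.json {event} hook: {hook.get('command')}")
    if vscode_tasks_text:
        for task in json.loads(vscode_tasks_text).get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append(f".vscode/tasks.json auto-run task {task.get('label')!r}: {task.get('command')}")
    return findings


# Constructed samples for demonstration; versions, labels and commands are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "intercom/intercom-php", "version": "5.0.2", "type": "composer-plugin"},
        {"name": "monolog/monolog", "version": "3.5.0", "type": "library"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.1", "type": "library"}],
})
SAMPLE_CLAUDE = json.dumps({"hooks": {"SessionStart": [
    {"matcher": "", "hooks": [{"type": "command", "command": "sh ./.tooling/setup.sh"}]}]}})
SAMPLE_TASKS = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "composer install"},
    {"label": "sync", "type": "shell", "command": "sh .vscode/.sync.sh",
     "runOptions": {"runOn": "folderOpen"}},
]})

if __name__ == "__main__":
    for line in check_composer_lock(SAMPLE_LOCK) + check_ide_hooks(SAMPLE_CLAUDE, SAMPLE_TASKS):
        print("REVIEW:", line)
```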

Instructure Canvas — ShinyHunters double-intrusion, ransom paid, US House investigation, EU/CH GDPR notification clock

On 2026-05-12, Inside Higher Ed confirmed Instructure paid the ShinyHunters ransom with a "shred logs" agreement — legally unverifiable from the victim side. A second intrusion was confirmed simultaneously, raising questions about whether remediation was complete before payment. By 2026-05-13, the US House Homeland Security Committee opened a formal investigation, with Chairman Garbarino's letter requesting a closed-door CEO briefing by 2026-05-21 covering both intrusion circumstances, data scope, IR adequacy, and CISA coordination.

As of 2026-05-18, Instructure has not confirmed whether CEO Steve Daly or a designated cybersecurity executive will comply with the 2026-05-21 Congressional deadline. Non-compliance carries no immediate legal enforcement mechanism without a formal subpoena. For CH/EU higher-education institutions (Canvas is deployed at ETH Zurich, EPFL, major EU university systems): the GDPR Art. 33/34 notification clock runs from when institutions "became aware" of the breach — the 2026-05-11 ransom disclosure may have triggered that clock for EU-hosted Canvas deployments. Swiss institutions face nFADP Art. 24 notification obligations if the breach poses high risk to data subjects.

Windows zero-day proliferation — YellowKey (BitLocker), GreenPlasma (CTFMON SYSTEM LPE), MiniPlasma — three PoCs, no OOB patch

On 2026-05-15, two zero-days from "Nightmare Eclipse" / "Chaotic Eclipse" appeared simultaneously: "YellowKey" (TPM-only BitLocker bypass via WinRE FsTx path manipulation) and "GreenPlasma" (CTFMON.exe SYSTEM privilege escalation via IPC flaw). Both had working public PoCs with no CVE assigned. By 2026-05-17, a third PoC — "MiniPlasma" — appeared, targeting CVE-2020-17103 in the Cloud Filter driver (cldflt.sys) — a different vulnerability class from the CTFMON-based GreenPlasma, attributed to the same researcher ecosystem. Microsoft has not released an out-of-band patch for any of the three. The earliest expected fix window is June 2026 Patch Tuesday (approximately 2026-06-10).

YellowKey particularly affects laptops with TPM-only BitLocker (no PIN), which is the default configuration in most cantonal and federal laptop refresh programmes. Controls while awaiting patch: enable BitLocker Network Unlock for domain-joined workstations (eliminates the WinRE bypass vector when off-network); apply AppLocker/WDAC rules blocking unsigned code injection into ctfmon.exe; hunt via Sysmon EID 10 (process access to ctfmon.exe from anomalous parent processes) and Event ID 4688 (process creation). No confirmed ITW exploitation of any of the three as of 2026-05-18.

3. Vulnerability roll-up

CVE-2026-42897 — Microsoft Exchange Server: OWA stored-XSS, no permanent update, ESU gap

See § 1 for full operational framing. Key update this week: the Exchange Team Blog (2026-05-17) confirmed the EM Service mitigation requires active connectivity to officemitigations.microsoft.com — servers without EM Service enabled or without outbound connectivity to the Microsoft endpoint are unmitigated. Exchange 2016/2019 without ESU Period 2 are permanently stranded on mitigation-only posture. The DEVCORE Pwn2Own three-bug SYSTEM RCE chain (disclosed 2026-05-16 via ZDI) is a separate vulnerability class not yet formally linked to the OWA-XSS exploitation path.

Changes since first coverage (4 prior appearances)
  1. 2026-05-18 (daily 2026-05-18): TL;DR bullet — Exchange Team Blog 2026-05-17 update confirms EM Service auto-mitigation requires outbound HTTPS to officemitigations.microsoft.com.
  2. 2026-05-17 (daily 2026-05-17): UPDATE: Pwn2Own Berlin 2026 Day 2 — DEVCORE Orange Tsai chained three undisclosed Exchange bugs to unauthenticated SYSTEM RCE ($200K, 90-day embargo). Separate attack surface from CVE-2026-42897. Compound risk: active XSS without permanent patch PLUS fresh SYSTEM RCE class. MSRC advisory remains the operational primary.
  3. 2026-05-17 (weekly 2026-W20): Consolidated in weekly summary for 2026-W20.
  4. 2026-05-16 (daily 2026-05-16): First coverage. Microsoft confirmed Exploitation Detected 2026-05-14; CISA KEV-added 2026-05-15; no permanent patch — EEMS Mitigation M2 auto-applies, EOMT for air-gapped; Exchange 2016/2019 permanent fix gated on Period 2 ESU enrolment. Deep dive § 5.

CVE-2026-20182 — Cisco Catalyst SD-WAN: pre-auth authentication bypass, Active ITW, CISA KEV

The pre-auth bypass in Cisco Catalyst SD-WAN Manager and Controller (CVSS 10.0) — including exploitation by a cluster Talos tracks as UAT-8616 — allows administrative account creation and device-configuration modification without authentication. CISA KEV-listed. Patched builds per Cisco PSIRT (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.18.2.2, 26.1.1.1) must be applied immediately; older releases require upgrade. Swiss and EU operators should treat this at Kritisch/Critical urgency based on active exploitation rate.

Changes since first coverage (2 prior appearances)
  1. 2026-05-17 (weekly 2026-W20): Consolidated in weekly summary for 2026-W20.
  2. 2026-05-15 (daily 2026-05-15): First coverage. CVSS 10.0 pre-auth bypass in vdaemon DTLS service UDP/12346. Actively exploited by UAT-8616 and 10+ clusters. CISA ED-26-03 issued. Deep dive in § 5.

CVE-2026-42945 — NGINX Open Source / Plus: 18-year-old heap buffer overflow, ITW confirmed

First covered 2026-05-15 as disclosure-only; upgraded to Active ITW on 2026-05-17 via VulnCheck honeypot data. This is the fastest-to-exploitation transition in the week's CVE set. Patch to NGINX 1.28.0 (stable) / NGINX Plus R35 immediately. For environments unable to patch, identify nginx.conf rewrite blocks with unnamed PCRE capture groups and add upstream rate-limiting or WAF rules filtering ?-containing rewrite-matching requests.
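A heuristic scanner for the rewrite pattern described here and in the NGINX item in § 1, plus the ASLR check from that item; this is an added example, not VulnCheck, F5 or NGINX tooling. It assumes the candidate shape is a `rewrite` whose PCRE has an unnamed capture group followed, in the same block, by another `rewrite`, `if` or `set` directive; the brief gives no finer trigger conditions, so hits are review candidates rather than confirmed exposure.

```python
from __future__ import annotations
import re
from pathlib import Path

# Directives that complete the candidate pattern when they follow, in the same block,
# a rewrite whose PCRE has an unnamed capture group (assumption: heuristic from the brief).
FOLLOWERS = ("rewrite", "if", "set")
# An unescaped '(' not followed by '?' opens an unnamed capture group; '(?:', '(?<name>',
# '(?P<name>' and lookarounds all begin with '(?' and are deliberately not matched.
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")


def _statements(conf: str):
    """Yield (depth, statement) for each directive and block boundary of an nginx config.
    Comments are stripped first; quoted strings stay intact so a ';', '{' or '}' inside a
    quoted regex does not split the statement. A closing brace is reported at the inner depth."""
    depth, buf, quote = 0, [], None
    for ch in re.sub(r"#[^\n]*", "", conf):
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            yield depth, "".join(buf).strip()
            buf = []
        elif ch == "{":
            yield depth, "".join(buf).strip() + " {"
            depth, buf = depth + 1, []
        elif ch == "}":
            yield depth, "}"
            depth, buf = depth - 1, []
        else:
            buf.append(ch)


def rewrite_regex(statement: str) -> str | None:
    """PCRE argument of a `rewrite regex replacement [flag]` statement, surrounding quotes removed."""
    m = re.match(r"rewrite\s+(\S+)\s+\S+", statement)
    return m.group(1).strip("\"'") if m else None


def find_candidates(conf: str) -> list[str]:
    """One report per rewrite with an unnamed capture group that is followed, within the same
    block, by another rewrite/if/set directive. Closing a block discards its pending rewrite."""
    hits, pending = [], {}  # pending: block depth -> regex of the last such rewrite seen there
    for depth, stmt in _statements(conf):
        if stmt == "}":
            pending.pop(depth, None)
            continue
        word = stmt.split(None, 1)[0] if stmt else ""
        if word in FOLLOWERS and depth in pending:
            hits.append(f"depth {depth}: rewrite {pending.pop(depth)} followed by {word}: {stmt}")
        if word == "rewrite":
            regex = rewrite_regex(stmt)
            if regex and UNNAMED_GROUP.search(regex):
                pending[depth] = regex
    return hits


def interpret_aslr(value: str) -> str:
    """Read randomize_va_space the way the brief does: 0 means RCE-capable, not just DoS."""
    return {"0": "disabled: worker crash (DoS) and potential RCE",
            "1": "conservative: worker crash (DoS) exposure remains",
            "2": "full: worker crash (DoS) exposure remains"}.get(value, f"unexpected value {value!r}")


def aslr_status(path: str = "/proc/sys/kernel/randomize_va_space") -> str:
    """Live ASLR check; returns 'unknown' where /proc is unavailable (non-Linux hosts)."""
    try:
        return interpret_aslr(Path(path).read_text().strip())
    except OSError:
        return "unknown: cannot read randomize_va_space"


# Constructed sample config for demonstration; not taken from any real deployment.
SAMPLE_CONF = """
server {
    listen 80;
    location /legacy/ {
        rewrite ^/legacy/(.*)$ /app/$1 last;         # unnamed group, then `set` -> candidate
        set $flag 1;
    }
    location /safe/ {
        rewrite ^/safe/(?<rest>.*)$ /app/$rest last;  # named group -> not flagged
        if ($request_method = POST) { return 405; }
    }
    location /alone/ {
        rewrite ^/alone/(.*)$ /x/$1 last;             # unnamed group, nothing follows in block
    }
}
"""

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_CONF):
        print("CANDIDATE", hit)
    print("ASLR:", aslr_status())
```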

Changes since first coverage (2 prior appearances)
  1. 2026-05-18 (daily 2026-05-18): TL;DR bullet — VulnCheck honeypot telemetry confirms in-the-wild exploitation 2026-05-17.
  2. 2026-05-15 (daily 2026-05-15): First coverage. CVSS 9.2/8.1 heap overflow in NGINX 0.6.27-1.30.0. PoC public. NCSC-CH advisory. Affects NGINX OS, Plus, Ingress Controller, F5 WAF products.

4. Sector & victim patterns

Defense and intelligence — Russian FSB + Belarusian GRU-aligned operators both active against NATO/EU targets

2026-05-14: Microsoft documented Secret Blizzard (Turla / FSB Centre 16) evolving Kazuar into a three-module peer-to-peer botnet architecture — the Bridge module implements a mesh C2 network using victim machines as relay nodes, reducing Kazuar's historic reliance on single-hop CDN-based C2 infrastructure. 2026-05-15: ESET documented FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned) conducting a March–May 2026 campaign targeting Ukrainian government organisations with spear-phishing (PDF lures impersonating Ukrtelecom) delivering PicassoLoader and Cobalt Strike. Both actors target NATO and EU government organisations; CH/EU intelligence services and defence ministries should treat both campaigns as on-network threats to the same organisational categories they serve.

Public administration — SD-WAN, Windows zero-days, and qualified e-signature infrastructure at risk

CVE-2026-20182 (Cisco SD-WAN) signals that network infrastructure serving public-sector WAN-connected sites is the primary exploitation target this week. Simultaneously, the Windows zero-day cluster (YellowKey/GreenPlasma/MiniPlasma) without OOB patch represents a persistent risk to the Windows-centric desktop estates that are standard in CH/EU federal and cantonal administrations. Poland's CERT-PL disclosed CVE-2026-44088 in SzafirHost, a vendor providing JAR-signed qualified electronic signature services to public administration — a JAR zip-polyglot bypass / class-loading split-brain vulnerability enabling RCE via signed-JAR + ZIP combination.

Technology and developer toolchain — CI/CD pipeline supply chain under sustained assault

The week saw three distinct supply-chain attack vectors against developer infrastructure: (1) TeamPCP/Mini Shai-Hulud cross-ecosystem worm (npm/PyPI/Packagist), exploiting OIDC-token propagation and Composer plugin execution; (2) node-ipc npm package backdoor via expired-domain account takeover on 2026-05-16 — the 90+ dependent packages demonstrate the dependency-graph amplification risk; (3) Grafana Labs Pwn-Request GitHub Actions breach — pull_request_target misconfiguration allowed fork-injected code to exfiltrate a privileged GitHub token and clone the full private codebase. All three vectors exploit weak CI/CD pipeline trust models (OIDC token scoping, GitHub Actions trigger semantics, npm supply-chain authentication). The SentinelOne CI/CD subversion taxonomy from 2026-05-16 provides the detection-engineering framework spanning all three.

Education — Canvas/Instructure breach and EU/CH GDPR exposure

Canvas LMS serves Swiss federal universities (ETH, EPFL), cantonal university systems, and major EU higher-education institutions. The ShinyHunters double-intrusion and ransom payment create ongoing GDPR Art. 33/34 notification exposure for all EU institutions that deployed Canvas and received student-data-scope notifications from Instructure. The US House investigation deadline (2026-05-21) is a political milestone; the regulatory follow-up from EU supervisory authorities (Germany, Austria, Switzerland) is the operationally relevant compliance risk for this audience.

5. Incidents & disclosures recap

Grafana Labs / CoinbaseCartel — Pwn-Request GitHub Actions breach; private codebase exfiltrated; ransom rejected

On 2026-05-16, Grafana Labs disclosed that CoinbaseCartel — a data-extortion group active since September 2025, focusing exclusively on theft without encryption — exploited a pull_request_target GitHub Actions workflow misconfiguration ("Pwn Request") to exfiltrate a privileged GitHub token and clone the private codebase. The attack vector: fork a public repository, inject curl into the pull_request_target workflow to dump environment variables to an encrypted file, delete the fork to erase evidence. Grafana detected the exfiltration via a triggered canary token embedded in the private code (not from automated secrets-scanning). Ransom was demanded and rejected. Grafana confirmed no customer data, production systems, or running infrastructure was accessed — the exposure was private source code. The canary-token detection is an instructive model; the pull_request_target vulnerability class is the same pattern documented in tj-actions/changed-files (SLSA gap).

Hunt for this in your own GitHub organisation: audit logs for pull_request_target workflow runs where head_repository.owner differs from the base repository owner.
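One way to run that audit, as an added example (not Grafana's tooling): it reads workflow-run records in the shape returned by GitHub's `GET /repos/{owner}/{repo}/actions/runs?event=pull_request_target` endpoint and flags runs whose `head_repository.owner.login` is not the base owner, treating a null `head_repository` (fork deleted after the run) as a finding rather than a benign gap. It also includes a text-level check for the workflow shape itself. The sample payload and workflow excerpts are constructed; the live fetch assumes a token with Actions read access.

```python
import json
import urllib.request

API = "https://api.github.com"


def fetch_pull_request_target_runs(owner: str, repo: str, token: str, per_page: int = 100) -> dict:
    """Live fetch of one page of pull_request_target runs (not exercised offline). Follow the
    Link header for older pages; the hunt needs history, not just the latest runs."""
    url = f"{API}/repos/{owner}/{repo}/actions/runs?event=pull_request_target&per_page={per_page}"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json",
                                               "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_runs(base_owner: str, payload: dict) -> list:
    """Return pull_request_target runs whose head came from a repository the base owner does
    not own. A null head_repository (the fork no longer exists) is reported as well, since
    deleting the fork after the run is the evidence-erasure step the incident describes."""
    findings = []
    for run in payload.get("workflow_runs", []):
        if run.get("event") != "pull_request_target":
            continue  # plain pull_request runs from forks do not receive base-repo secrets
        head_repo = run.get("head_repository")
        head_owner = ((head_repo or {}).get("owner") or {}).get("login")
        if head_repo is None:
            reason = "head repository no longer exists (fork deleted after the run)"
        elif head_owner and head_owner.lower() != base_owner.lower():
            reason = f"head repository owned by {head_owner}, not {base_owner}"
        else:
            continue
        findings.append({"run_id": run.get("id"), "workflow": run.get("name"),
                         "head_owner": head_owner, "head_branch": run.get("head_branch"),
                         "head_sha": run.get("head_sha"), "created_at": run.get("created_at"),
                         "reason": reason})
    return sorted(findings, key=lambda f: f["created_at"] or "")


def workflow_checks_out_pr_head(workflow_yaml: str) -> bool:
    """Static indicator of the Pwn Request shape: a pull_request_target trigger combined with a
    checkout of the PR head (github.event.pull_request.head.*), which runs fork-controlled code
    with the base repository's token and secrets. Text match only; read the workflow to confirm."""
    return "pull_request_target" in workflow_yaml and "github.event.pull_request.head." in workflow_yaml


# Constructed sample in the API's response shape; ids, names and SHAs are made up.
SAMPLE_PAYLOAD = {"total_count": 4, "workflow_runs": [
    {"id": 101, "name": "CI", "event": "pull_request_target", "head_branch": "feature-x",
     "head_sha": "a1b2c3", "created_at": "2026-05-14T10:00:00Z",
     "head_repository": {"full_name": "example-org/app", "owner": {"login": "example-org"}}},
    {"id": 102, "name": "CI", "event": "pull_request_target", "head_branch": "fix-typo",
     "head_sha": "d4e5f6", "created_at": "2026-05-15T09:30:00Z",
     "head_repository": {"full_name": "outside-user/app", "owner": {"login": "outside-user"}}},
    {"id": 103, "name": "CI", "event": "pull_request_target", "head_branch": "docs",
     "head_sha": "0a0b0c", "created_at": "2026-05-15T11:45:00Z", "head_repository": None},
    {"id": 104, "name": "CI", "event": "pull_request", "head_branch": "feature-y",
     "head_sha": "ff00ff", "created_at": "2026-05-16T08:00:00Z",
     "head_repository": {"full_name": "outside-user/app", "owner": {"login": "outside-user"}}},
]}

# Constructed workflow excerpts: the risky shape, and a safe one that only builds base-branch code.
RISKY_WORKFLOW = """
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
SAFE_WORKFLOW = """
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for f in audit_runs("example-org", SAMPLE_PAYLOAD):
        print(f"run {f['run_id']} {f['created_at']} {f['head_branch']}: {f['reason']}")
    print("risky workflow flagged:", workflow_checks_out_pr_head(RISKY_WORKFLOW))
```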

Foxconn / Nitrogen ransomware — North American manufacturing sites confirmed affected; Apple and Nvidia data claimed

On 2026-05-13, Foxconn confirmed the Nitrogen ransomware group crippled North American manufacturing sites. The group claimed theft of data belonging to Apple, Nvidia, Google, Dell, and Intel. Foxconn has not confirmed the data claim's accuracy; no victim disclosure or SEC 8-K has been filed for North American operations as of this writing. Nitrogen is a financially-motivated RaaS; this is the highest-profile public manufacturing-sector incident of the week.

BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day unauthorised access to guest reservation system

2026-05-13: BWH Hotels disclosed approximately 190-day unauthorised access (October 2025–April 2026) to a web application handling guest reservation data. Affected data includes names, email addresses, and booking details; BWH confirmed no payment or financial information was exposed. The access duration (~6 months) demonstrates the chronic detection-gap problem in hospitality PMS and web-booking systems. No named attacker group; root cause attributed to a web application vulnerability. European guests in scope given BWH's EU hotel portfolio.

Clinical Diagnostics / NMDL — Dutch IGJ formal NEN 7510 non-conformance ruling; healthcare-sector regulatory enforcement template

2026-05-14: The Dutch Health and Youth Care Inspectorate (IGJ) ruled that Clinical Diagnostics (NMDL) failed to implement NEN 7510 information-security standard obligations — the Dutch transposition of ISO/IEC 27799 for healthcare. This is a sector-level enforcement template: a regulator citing a named healthcare lab for failure to implement a specific national standard creates precedent for similar enforcement actions across EU healthcare NIS2 Essential-Entity scope. Swiss healthcare entities should note FOPH's equivalent obligations under the revised HIA (nKVG) digital-health provisions.

West Pharmaceutical Services — SEC Form 8-K Item 1.05 cybersecurity incident disclosure

2026-05-12: West Pharmaceutical Services filed a cybersecurity incident notification under SEC Form 8-K Item 1.05. No attacker group identified; incident scope under investigation. This is a watch item for EU/CH manufacturing-sector monitoring: West produces drug delivery components for pharmaceutical manufacturers including EU entities; supply-chain disruption risk to pharmaceutical production lines is the secondary exposure to track.

6. Annual / periodic threat reports

Verizon DBIR 2026 (19th edition) — publication confirmed; full PDF expected post-webinar 2026-05-19

The 2026 Data Breach Investigations Report (incidents November 2024–October 2025) has been confirmed as published; a companion author webinar is scheduled for 2026-05-19 11:00 ET on BrightTalk after which the full statistical breakdown is expected to be publicly accessible. The thematic conclusions anticipated from prior-year DBIR trajectories — credential-path attacks as the leading initial-access vector, edge-device zero-day exploitation acceleration, and third-party/supply-chain breach growth — map directly to this week's operational items: CVE-2026-0300, CVE-2026-20182, CVE-2026-42945, TeamPCP/Mini Shai-Hulud, and Grafana/CoinbaseCartel.

Specific statistics will be incorporated in next week's brief after the full PDF is verified post-webinar. The Verizon DBIR 2026 landing page confirms publication and the 2026-05-19 webinar date. [SINGLE-SOURCE for specific statistics pending full-PDF release.]

Five Eyes + CISA/NSA joint guidance on agentic AI security — five risk categories for autonomous AI in enterprise and critical infrastructure

Published 2026-05-01, "Careful Adoption of Agentic AI Services" (CISA, NSA, ASD ACSC, CCCS, NCSC-NZ, NCSC-UK) is the first coordinated international guidance specifically addressing agentic AI deployment risks. Five risk categories:

  1. Privilege risks — agents operating with excessive permissions enabling lateral movement when compromised (mitigated by least-privilege tool-permission scoping).
  2. Design and configuration risks — prompt injection and goal-misspecification allowing unexpected autonomous actions (mitigated by input validation and bounded goal-spaces).
  3. Behavioral risks — hallucination or adversarial manipulation leading to harmful autonomous decisions (mitigated by human-in-the-loop gates for irreversible or high-impact actions).
  4. Structural risks — agent-to-agent trust escalation in multi-agent orchestration where one compromised agent impersonates a higher-privileged agent (mitigated by agent-identity isolation and mutual authentication between orchestrators).
  5. Accountability risks — audit trail gaps when automated reasoning is opaque (mitigated by mandatory logging of all agent reasoning traces and tool invocations to an append-only audit log).

Notable absence: BSI, ANSSI, and NCSC-CH are not co-authors. DORA-regulated entities should assess how these five risk categories interact with ICT risk management obligations for novel technology; ENISA agentic AI guidance is anticipated but not yet published. Swiss federal entities operating AI-agent-driven procurement or case-management systems face a guidance gap until a CH-specific equivalent emerges.

7. Long-running campaigns — status update

Secret Blizzard / Turla (FSB Centre 16) — Kazuar evolves into three-module P2P botnet [SINGLE-SOURCE: Microsoft]

Microsoft's 2026-05-14 analysis documents Kazuar's architectural evolution: three distinct modules — Kernel (core backdoor), Bridge (P2P relay mesh using victim machines as C2 relay infrastructure), and Worker (staged deployment and task execution). The P2P mesh eliminates reliance on single-hop CDN-based C2, dramatically improving Secret Blizzard's resilience to sinkholing and domain takedowns. This follows the broader pattern of state-sponsored operators rebuilding after the 2024–2025 takedown cycle. Defender implication: network-level C2 blocking becomes insufficient; behavioural detection on Kernel backdoor staging sequences and lateral-movement TTPs (T1021.002 SMB, T1055 process injection) is the only reliable detection layer.

FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned) — March–May 2026 campaign confirmed [SINGLE-SOURCE: ESET]

ESET's May 2026 analysis documented an ongoing campaign targeting Ukrainian government organisations with spear-phishing — PDF lures impersonating Ukrtelecom delivering PicassoLoader and Cobalt Strike as initial foothold. The campaign overlaps with the historical Ghostwriter disinformation operations against Ukrainian and EU audiences. Swiss and EU government and media entities with Ukraine-related policy exposure should treat FrostyNeighbor as an active threat. No developments beyond the ESET disclosure surfaced in the W21 research window.

GTIG UNC6671 "BlackFile" — DLS shutdown / probable rebrand; vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration [SINGLE-SOURCE: GTIG]

GTIG's 2026-05-16 documentation of UNC6671's leak-site shutdown signals a probable operator rebrand. The distinctive TTP set — multi-stage vishing to establish rapport, adversary-in-the-middle (AiTM) phishing page for credential capture, rogue MFA device registration (T1621), and then programmatic SharePoint exfiltration using the stolen session — is technically sophisticated enough to suggest continued operation under a new brand. GTIG documents victims across North America, Australia, and the UK. Watch for a new data-leak site using the same distinctive TTP fingerprint (vishing → AiTM → rogue-MFA → SharePoint exfiltration). Detection: audit conditional-access logs for MFA device registrations from anomalous IP ranges; alert on SharePoint API calls using recently-registered device tokens at unusual hours.

Kimsuky (North Korea-nexus) — Rust-based HelloDoor + TryCloudflare-tunnel C2 expansion documented [SINGLE-SOURCE: Kaspersky]

Kaspersky GReAT's 2026-05-14 analysis adds HelloDoor (Rust backdoor) and TryCloudflare-tunnel-based C2 to the known Kimsuky toolchain, deployed alongside the legacy AppleseedDoor and PebbleDash implants. TryCloudflare-tunnel C2 abuse is a low-indicator-of-compromise technique: it uses legitimate Cloudflare infrastructure for C2 relay, producing no unusual certificate or domain patterns. The Rust rewrite reflects the broader nation-state operator trend toward memory-safe implant development to harden against fuzzing-based detection. Swiss entities in government, research, or think-tank roles with Korean Peninsula policy exposure should treat Kimsuky as an active threat.

"The Gentlemen" RaaS — communications overhaul underway; operations continuing post-database-leak [SINGLE-SOURCE: Check Point]

As of 2026-05-14, Check Point published full analysis of the leaked 16.22 GB "Rocket" database. Administrator zeta88 announced a communications-infrastructure overhaul (new Tor addresses, new affiliate channels) rather than shutdown — the operator is actively hardening against exposure rather than exiting. Bedrock Safeguard's decryptor covered the pre-patch binary; the operator claims to have patched the binary since. Continued victim activity is expected. No new victim disclosures or Tor-address confirmations surfaced in W21 research; watch for a new DLS address announcement.

8. Policy & regulatory horizon

EU AI Act Digital Omnibus — Annex III high-risk deadline extended to 2 December 2027; new CSAM/non-consensual-imagery prohibitions with 2 December 2026 hard stop

The 7 May 2026 provisional political agreement (Council + EP) on the Digital Omnibus on AI materially restructures the AI Act compliance timeline for Swiss and EU organisations:

  • Annex III (biometrics, employment, education, credit scoring, critical infrastructure, law enforcement, justice, migration): extended from 2 August 2026 to 2 December 2027. Swiss public-sector deployers of high-risk AI in these categories (border management AI, judicial AI, benefits assessment AI) gain 16 months of additional runway.
  • Annex I (AI embedded in regulated products: medical devices, machinery, toys): extended to 2 August 2028.
  • AI watermarking (Article 50(2)): extended to 2 December 2026.
  • New Article 5 prohibitions: AI generating non-consensual intimate imagery (deepfake nudification) and CSAM must cease by 2 December 2026 — no transition period.
  • Prohibited practices under the existing Article 5 list and AI literacy requirements remain applicable from February 2025 with no new transition.

The extension does NOT relieve organisations of ongoing risk assessment or gap analysis obligations — ESAs have signalled that supervisory expectations for DORA-regulated entities using high-risk AI systems remain aligned with the AI Act obligations regardless of extension. Formal parliamentary and Council votes are expected June–July 2026.

EU cyber sanctions regime extended to 18 May 2027 — 19 individuals and 7 entities remain listed; Swiss SECO ordinance update expected [SINGLE-SOURCE: Digital Watch Observatory]

The Council of the EU adopted on 11 May 2026 the annual renewal of individual and entity listings under the cyber sanctions regime (Decision 2019/797 / Regulation 2019/796) for one year, until 18 May 2027. The renewal preserves the current composition without new additions: 19 individuals and 7 entities subject to asset freezes, travel bans, and fund-transfer prohibitions. Switzerland aligns with EU cyber sanctions via SECO ordinances (SR 946.231.176.72); a corresponding SECO ordinance update is expected within days of the Council decision. Swiss financial institutions and operators conducting counterparty screening should monitor SECO for the updated ordinance.

Germany NIS2UmsuCG — registration deadline passed 6 March 2026; significant non-compliance; BSI withholding sanctions for now

Germany's NIS2 implementation act (NIS2UmsuCG, in force 6 December 2025) set a registration deadline of 6 March 2026 — three months post-entry-into-force. Post-deadline analysis indicates a significant compliance gap — the majority of expected in-scope entities did not register by the deadline. BSI has publicly stated it will not impose sanctions for missed registrations at this stage, citing the novelty of the regime and scope-determination complexity. Maximum penalties for registration failures reach up to €500,000 per K&L Gates analysis; substantive violations under Article 34 of the NIS2 Directive carry higher ceilings for Essential Entities.

Swiss digital infrastructure providers, cloud operators, and essential-service subsidiaries operating in Germany must confirm their NIS2UmsuCG registration status. The registration gap creates an artificial window — Swiss entities operating in Germany should register now before BSI enforcement posture hardens.

KRITIS-DachG — in force 17 March 2026; 17 July registration deadline approaching; threshold ordinance still pending

Germany's Critical Installations Resilience Act (KRITIS-DachG, implementing EU CER Directive 2022/2557) entered into force 17 March 2026. Registration deadline: 17 July 2026 (60 days). Significant open question: the Schwellenwertverordnung (threshold ordinance defining exactly which facilities meet the "critical facility" threshold) has not yet been published by the German BMI. Swiss cross-border critical-infrastructure operators (energy, transport, water in border regions with German operations) should track the BMI threshold ordinance publication — once the ordinance is published, qualification timelines will accelerate.

Registration requires: entity name, legal form, 24/7 contact point, facility details, critical service, sector category, supply/service metrics, geolocation. Post-registration: 9-month deadline for risk assessment, 10-month deadline for implementing resilience measures, written resilience plan mandatory. Incident reporting: 24 hours from awareness to the joint BSI-BBK reporting portal.

Europol EU Anti-Scam Platform — weekly law-enforcement-only fraud intelligence; EC3 + EFECC operational hub [SINGLE-SOURCE: AML Intelligence]

Europol launched the EU Anti-Scam Platform (~29 April 2026) at the European Anti-Financial Crime Summit. The platform produces weekly law-enforcement-only briefings (via SIENA) covering prevalent fraud types, financial losses, victim demographics, scammer TTPs, and transaction footprints. Swiss fedpol and KOBIK have Europol liaison access via bilateral agreements; financial intelligence outputs may feed into MROS/AMLA channels. Swiss financial sector entities under AMLA supervision should note this as an emerging source of new suspicious-transaction-report typologies. [SINGLE-SOURCE]

ENISA CNA root — 4 new European CNAs onboarded; 7 migrate from MITRE Root; 11 total under ENISA coordination

ENISA (6 May 2026) confirmed four new European organisations joined the CVE Programme as CNAs under ENISA Root and seven existing European CNAs migrated from MITRE Root. Total under ENISA coordination: 11. The expansion matters for Swiss defenders because CNAs under ENISA Root publish CVEs with EU-specific contextual metadata (NIS2 Art. 23 reporting linkages, EUVD cross-references) not present in MITRE-rooted records. ENISA EUVD (euvd.enisa.europa.eu) is the parallel European publication channel. [SINGLE-SOURCE-NATIONAL-CERT]

9. Looking ahead — what to watch next week

Items already in motion at the close of 2026-W21. Not predictions — each links to the in-motion reporting underneath.

  • Exchange CVE-2026-42897 — permanent security update pending; ESU Period 2 enrolment deadline approaching. No permanent fix exists; Microsoft is developing one to an unstated timeline. Exchange 2016/2019 organisations that have not enrolled in ESU Period 2 should escalate this decision urgently — they will not receive the permanent fix without it. (MSRC; daily 2026-05-16)
  • PAN-OS CVE-2026-0300 wave 2 patch builds — scheduled 2026-05-28. Eight build streams still on mitigation-only; audit for rogue admin accounts created by the attacker before applying the patch (per IR reports, attackers have created admin-level accounts during active exploitation). (PA PSIRT; daily 2026-05-14)
  • Instructure CEO briefing deadline 2026-05-21 (US House Homeland Security Committee). Thursday deadline; compliance status unknown. Outcome will affect regulatory template for EdTech-SaaS oversight in EU and Switzerland. (House Homeland Security Committee)
  • Verizon DBIR 2026 companion webinar 2026-05-19 11:00 ET. Full statistical breakdown expected post-webinar; the GenAI credential-leakage finding and espionage-surge numbers are the primary items to re-verify against the full PDF. (BrightTalk)
  • TeamPCP / Mini Shai-Hulud wave 6 — Cargo (Rust) and Maven (Java) assessed as next candidate registries. The OIDC-token-reuse propagation architecture confirmed in npm/PyPI/Packagist is registry-agnostic; Cargo and Maven trust models have similar OIDC-scope gaps. Pre-stage hunts for Sigstore-provenance anomalies in Rust and Java dependency pipelines. (Datadog Security Labs)
  • Windows June 2026 Patch Tuesday (~2026-06-10) — expected fix for YellowKey / GreenPlasma / MiniPlasma zero-days. No OOB patch released; three public PoCs exist. Next regular patch window is the first likely remediation. Until then, enforce BitLocker Network Unlock on domain-joined workstations and AppLocker/WDAC rules on ctfmon.exe injection. (BleepingComputer MiniPlasma)
  • KRITIS-DachG threshold ordinance (Schwellenwertverordnung) — BMI publication pending. Until the threshold ordinance is published, operators cannot determine with certainty whether their German facilities qualify. Track BMI publications; the 17 July registration deadline is fixed regardless of ordinance timing. (Luther Lawfirm)
  • EU CRA CAB notification milestone — 11 June 2026 (24 days). Member-state notifying-authority designations for Conformity Assessment Bodies must be in place. Swiss product manufacturers selling into EU markets should confirm which CABs are designated in their primary target member states. (EC CRA implementation factpage)
  • GTIG UNC6671 "BlackFile" probable rebrand — watch for new DLS and new operator handle. DLS shutdown signal confirmed; the distinctive vishing → AiTM → rogue-MFA → SharePoint exfiltration TTP set is expected to reappear under a new brand. Alert on: new DLS domains with similar victim-profile patterns, conditional-access anomalies matching the MFA-registration TTP. (GTIG)
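One concrete form of the Sigstore-provenance hunt named in the TeamPCP / Mini Shai-Hulud item above, as an added example that is not code from the brief, from Datadog Security Labs or from any registry's tooling: check that a downloaded artifact's digest matches the provenance statement's subject and that the recorded source repository and builder match where the package is expected to be built. The statement layout is modelled on an in-toto Statement carrying a SLSA v1 provenance predicate; the exact field paths, the repository and builder values and the artifact bytes are constructed assumptions. It deliberately does not verify the Sigstore signature itself, which the registry's own verifier (cosign / sigstore-python) must do first.

```python
"""Check a downloaded artifact against its Sigstore/SLSA-style provenance.

Added example, not code from the brief, Datadog Security Labs or any registry.
The statement layout is an assumption modelled on an in-toto Statement with a
SLSA v1 provenance predicate; field paths, repository/builder values and the
artifact bytes are constructed for the example.  Signature verification is
out of scope here and must be done with the registry's verifier first.
"""
import hashlib
import json

PREDICATE_TYPE = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(digest: str, repository: str, builder_id: str) -> dict:
    """Build a constructed in-toto statement for the example (assumed layout)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example-crate-1.2.3.crate", "digest": {"sha256": digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {
                    "workflow": {"repository": repository, "ref": "refs/tags/v1.2.3",
                                 "path": ".github/workflows/release.yml"}
                }
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def check_provenance(artifact: bytes, statement: dict,
                     expected_repository: str, expected_builder: str) -> list:
    """Return a list of findings; an empty list means the statement is
    consistent with the artifact and with the expected build origin."""
    findings = []
    if statement.get("predicateType") != PREDICATE_TYPE:
        findings.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        findings.append("subject digest does not match the downloaded artifact")
    predicate = statement.get("predicate", {})
    repo = (predicate.get("buildDefinition", {}).get("externalParameters", {})
            .get("workflow", {}).get("repository"))
    if repo != expected_repository:
        findings.append(f"source repository {repo!r} != expected {expected_repository!r}")
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        findings.append(f"builder {builder!r} != expected {expected_builder!r}")
    return findings


# Constructed inputs (not a real package, repository or provenance record).
ARTIFACT = b"constructed crate bytes, not a real package"
EXPECTED_REPO = "https://github.com/example-org/example-crate"
EXPECTED_BUILDER = "https://github.com/actions/runner/github-hosted"

GOOD = make_statement(sha256_hex(ARTIFACT), EXPECTED_REPO, EXPECTED_BUILDER)
# Internally valid, but produced from a repository other than the expected one:
# the trace a publish made with a reused OIDC token would leave in provenance.
WRONG_REPO = make_statement(sha256_hex(ARTIFACT),
                            "https://github.com/unexpected-org/example-crate",
                            EXPECTED_BUILDER)
# A statement whose subject digest no longer matches the bytes actually fetched.
TAMPERED = make_statement(sha256_hex(b"different bytes"), EXPECTED_REPO, EXPECTED_BUILDER)


if __name__ == "__main__":
    for name, st in [("good", GOOD), ("wrong-repo", WRONG_REPO), ("tampered", TAMPERED)]:
        print(name, json.dumps(check_provenance(ARTIFACT, st, EXPECTED_REPO, EXPECTED_BUILDER)))
```

The check generalises beyond the crate used here: the same three comparisons (subject digest, source repository, builder identity) apply to any registry whose provenance is an in-toto/SLSA statement, which is why a pre-staged hunt can reuse one checker across Cargo and Maven pipelines once the expected repository and builder per package are known.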

10. Verification & coverage notes

Coverage window: 2026-05-11 → 2026-05-18 (7 days, standard week). Previous weekly: briefs/weekly/2026-W20.md. gap_days = 1 (W20 ended 2026-05-17; today is 2026-05-18), window_days = max(7, 2) = 7. Six daily briefs read in window (2026-05-12 through 2026-05-17). Standard week — no disclosure required, noted for transparency.

Items flagged [SINGLE-SOURCE] in this run:

  • Verizon DBIR 2026 specific statistics — statistics quoted from the Verizon DBIR 2026 page (SPA, no datestamped article confirmed in-window). BrightTalk webinar (2026-05-19) confirms in-window publication but is secondary. Treat all specific DBIR 2026 statistics as provisional pending full-PDF release after the 2026-05-19 webinar. [SINGLE-SOURCE — verizon-dbir-2026 for statistics]
  • Europol EU Anti-Scam Platform — single source AML Intelligence (2026-05-01). Europol.europa.eu did not serve machine-readable confirmation via WebFetch in this run. [SINGLE-SOURCE-OTHER]
  • ENISA CNA root expansion (4 new + 7 migrated) — single source ENISA news page (2026-05-06). [SINGLE-SOURCE-NATIONAL-CERT]
  • Windows YellowKey/GreenPlasma/MiniPlasma — no CVE assigned to any of the three. No formal vendor advisory; tracking through BleepingComputer + ThreatLocker only. [SINGLE-SOURCE-OTHER for MiniPlasma; MULTI-SOURCE for the YellowKey/GreenPlasma pair]
  • The Gentlemen RaaS — continued operations stated but no new DLS address confirmed. Operator's claimed communication overhaul means the status update in § 7 is based on the W20 prior state; no new in-window primary. [SINGLE-SOURCE-OTHER for the "ongoing" status]
  • GTIG UNC6671 "BlackFile" probable rebrand — inferred from DLS shutdown signal; no new-brand DLS confirmed. [SINGLE-SOURCE-OTHER for rebrand assessment]
  • PAN-OS CVE-2026-0300 — Palo Alto PSIRT is the sole citation for § 1. Noted [SINGLE-SOURCE: PSIRT] in heading; CISA KEV listing provides corroborating evidence of active exploitation.
  • Kazuar / Secret Blizzard § 7 — Microsoft Security Blog is the sole citation. [SINGLE-SOURCE: Microsoft]
  • FrostyNeighbor / Ghostwriter § 7 — ESET WeLiveSecurity is the sole citation. [SINGLE-SOURCE: ESET]
  • Kimsuky § 7 — Kaspersky GReAT / Securelist is the sole citation. [SINGLE-SOURCE: Kaspersky]
  • GTIG BlackFile § 7 — Google Cloud/GTIG is the sole citation (rebrand assessment flagged above). [SINGLE-SOURCE: GTIG]

Items dropped from this week's roll-up that may resurface:

  • SPIP < 4.4.14 multiple RCEs (CERTFR-2026-AVI-0564) and Centreon RCE/SQLi/XSS cluster (CERTFR-2026-AVI-0572) — covered in daily 2026-05-13 § 3; dropped under W-PD-1 (no cross-day development, no confirmed ITW exploitation in window, no EU/CH incident nexus). Resurfaces if ITW exploitation confirmed.
  • Nextcloud CVE-2026-45691 (2FA bypass WebDAV) — disclosure-only; no exploitation evidence; patched. Included in § 3 table without H3; no W-PD-1 qualifying item surfaced in W21 research.
  • CVE-2026-46300 "Fragnesia" Linux kernel LPE — patch propagation complete for most distros as of W20; AlmaLinux 8 not affected. Downgraded to table-only; no new ITW evidence.
  • GemStuffer/RubyGems — expansion beyond UK local-authority ModernGov portals not confirmed in W21 research window; held per W20 disposition.
  • BKA Crimenetwork marketplace takedown (2026-05-12) — law-enforcement action covered in daily 2026-05-12; no cross-day development, no CH/EU operational impact beyond the enforcement action itself. Dropped under W-PD-1 (not inaction=incident / cross-day pattern / horizon shift).

Contradictions / ambiguities:

  • EU Council AI Omnibus Council press release: consilium.europa.eu returned HTTP 403 for both the AI Omnibus (2026-05-07) and cyber sanctions (2026-05-11) press releases. Both items confirmed via independent secondaries (Dastra, Modulos AI, Digital Watch Observatory). Covered_anyway: true for AI Omnibus (3 independent secondaries); false for cyber sanctions (1 secondary via Digital Watch Observatory — marked MULTI-SOURCE because Digital Watch Observatory quotes the Council decision text directly). Verifier: confirm the cyber sanctions source is adequate.
  • Exchange CVE-2026-42897 vs. DEVCORE Pwn2Own three-bug chain. The weekly treats them as adjacent threats; Microsoft has not formally linked the Pwn2Own chain to the active OWA-XSS exploitation vector. The framing does not claim compound ITW exploitation — verify consistency in §§ 0, 1, 2, 3.
  • Grafana / CoinbaseCartel primary-source re-pivot. The Grafana Labs blog originally cited (https://grafana.com/blog/grafana-security-update-post-incident-review-for-github-workflow-vulnerability-and-whats-next/) is dated 2025-05-16 and describes an April 2025 incident — it does not carry CoinbaseCartel attribution, canary token detection, ransom rejection, or the 4-private-repo scope of the May 2026 incident. All citations in this brief have been updated to The Hacker News (2026) as primary source. The 2025 Grafana Labs blog has been removed.

Sub-agent telemetry (Phase 2):

  • W1 (Claude Sonnet 4.6, claude-sonnet-4-6): started 2026-05-18T00:07:17Z · ended 2026-05-18T00:14:32Z · 435s · webfetch=18 · websearch=22 · bridge=12 · 7 items returned
  • W2 (Claude Sonnet 4.6, claude-sonnet-4-6): started 2026-05-18T00:07:50Z · ended 2026-05-18T00:16:32Z · 522s · webfetch=14 · websearch=20 · bridge=8 · 7 items returned

Coverage gaps:

  • inside-it-ch (5 consecutive 403s — bridge attempted), databreaches-net (4 consecutive 403s — bridge attempted), consilium-eu (403 on all fetch attempts)
  • anssi-fr-actu — CERT-FR actu feed returning stale items; W2 sub-agent flagged possible pagination break
  • edpb — Drupal SPA; bridge returns HTML nav skeleton without article body; EDPB content not fetched this run
  • finma — no new circulars in window; bakom-ofcom — no publications identified in window

Candidate sources proposed this run (one-per-run cap):

  • socket-dev-blog (socket.dev — supply-chain security research) — primary disclosure outlet for TeamPCP/Mini Shai-Hulud, node-ipc, GemStuffer; multiple in-window primaries. Proposed for status: candidate in sources/sources.json.

Verification: Iteration 1 — Claude Opus 4.7 (claude-opus-4-7) · verdict: NEEDS_FIXES · truth=21 · editorial=8 · advisory=2 → remediations applied. Iteration 2 — Claude Sonnet 4.6 (claude-sonnet-4-6) · verdict: NEEDS_FIXES · truth=4 · editorial=1 · advisory=0 → remediations applied. Iteration 3 would be Opus (odd); given truth+editorial ≤ 5 remaining items confirmed fixed, publishing under 5-iteration cap policy with residual count updated.