ctipilot.ch

EU Cybersecurity Package 2026 — NIS2 amendment COM(2026) 13 + Cybersecurity Act 2; PQC Article 7(2)(k) explicit obligation; CRA Single Reporting Platform 11 September 2026

campaign · policy:eu-cybersecurity-package-2026

  • Coverage timeline: 2 appearances (first 2026-05-10 → last 2026-06-08)
  • Briefs: 2 (2 distinct)
  • Sources cited: 104 (72 hosts)
  • Sections touched: 1 (weekly_policy)
  • Co-occurring entities: 8

Story timeline

  1. 2026-06-08 · CTI Weekly Summary — 2026-W23 (1–7 June 2026)
    weekly_policy · Weekly recap: EU Council TTE meeting June 9 for CSA2/NIS2 revisions; CRA notifying-authority deadline June 11.
  2. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    weekly_policy · First coverage. W2 horizon research surfaced. 20 January 2026 EC package; feedback period closed 22 April 2026; in European Parliament preparatory phase; political agreement targeted early 2027. NIS2 amendment: SDTI + EUDIW essential entities; mandatory ransomware reporting; Article 21 harmonised ceiling; PQC Article 7(2)(k). Cybersecurity Act 2 horizontal ICT supply-chain framework. ENISA +75% budget; takes EUVD + CRA Single Reporting Platform (live 11 Sept 2026).

Where this entity is cited

  • weekly_policy: 2

Source distribution

  • bleepingcomputer.com: 7 (7%)
  • enisa.europa.eu: 4 (4%)
  • cybersecuritynews.com: 4 (4%)
  • ncsc.admin.ch: 4 (4%)
  • thehackernews.com: 4 (4%)
  • dragos.com: 3 (3%)
  • securityweek.com: 3 (3%)
  • cisa.gov: 3 (3%)
  • other: 72 (69%)

Items in briefs about EU Cybersecurity Package 2026 — NIS2 amendment COM(2026) 13 + Cybersecurity Act 2; PQC Article 7(2)(k) explicit obligation; CRA Single Reporting Platform 11 September 2026 (7)

Swiss Post Cybersecurity publishes its inaugural Swiss Threat Landscape Report `[SINGLE-SOURCE]`

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

Swiss Post Cybersecurity released its first Swiss Threat Landscape Report on 2026-06-23, presented at its Hack'Events conference, drawing on the firm's own SOC, incident-response and offensive-security engagement data rather than global aggregates (Swiss Post Cybersecurity, 2026-06-23). It names phishing, identity-based attacks (credential stuffing, account takeover, MFA-bypass chains) and AI-enabled threats as the dominant categories seen in Swiss incident intake, and argues the governance centre of gravity has moved from prevention to detection, response and recovery. The report is [SINGLE-SOURCE] and vendor-authored, and its top-line categories are not novel; the value for a Swiss SOC is that the ranking is grounded in domestic operational data, which supports weighting identity-layer telemetry (Entra ID / AD sign-in logs, OAuth token-grant anomalies, MFA-fatigue patterns — T1621) and AI-assisted-phishing detection that leans on header/anomaly scoring rather than content heuristics (T1566.001). The full report is registration-gated (see § 7).

UPDATE: Klue/Icarus OAuth-token breach — named victim list expands to nine firms, mostly cybersecurity vendors

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

UPDATE (originally covered 2026-06-21): At least nine Klue customers have now publicly confirmed Salesforce-CRM data impact from the 11–12 June Icarus intrusion: HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity and Sprout Social (SecurityWeek, 2026-06-22). Exposed data is sales-account and contact information — names, business emails, job titles, phone numbers and addresses — exfiltrated via OAuth tokens from a dormant Klue→Salesforce integration; the actor (Icarus, also tracked as UNC6395) had set a 22 June publication deadline.

The concentration of cybersecurity vendors in the victim list is the notable delta: contact data for security-operations staff at those firms' customers now sits in a threat-actor corpus and is prime material for precision spear-phishing aimed at security roles. The structural lesson is unchanged from first coverage — enumerate and revoke unused third-party OAuth grants in Salesforce (Setup → Identity → OAuth Usage), scope active grants to minimum-necessary objects, and alert via Salesforce Event Monitoring on a connected app pulling thousands of account records in a single short session.

G7 Évian cybersecurity declaration calls PQC an "urgent priority" — and the expected hacktivist DDoS materialised on day one

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The G7 Cybersecurity Working Group declaration, adopted around the Évian summit (15–17 June), names post-quantum cryptography an "urgent priority" with a call for coordinated industry-government migration, alongside AI-cyber dual-use risk, telecom resilience and SME cybersecurity; the European Commission issued a welcome statement linking it to the NIS2/CRA stack (ANSSI; European Commission, 2026-06-17). The PQC-urgency framing aligns with Swiss federal cryptographic-migration planning. Resolving the W24 looking-ahead watch item: the NCSC-CH-predicted hacktivist DDoS did materialise — NoName057(16) ran layer-7 DDoS on 15 June against public-sector and tourism sites in the Swiss-bordering Haute-Savoie department (Évian-les-Bains, Thonon-les-Bains, Saint-Gingolph municipalities, the EVA'D transport portal), causing temporary outages with no data compromise (Cyberattaque.org, 2026-06-16; NCSC-CH pre-event advisory). Attribution rests on the group's Telegram self-claim; no Swiss federal sites were reported hit. The lesson reconfirmed: NCSC-CH's pre-event DDoS guidance for summit-adjacent organisations was correctly calibrated, and the NoName057(16) pattern around Swiss-adjacent summits (cf. Bürgenstock 2024) holds.

Cyber Europe 2026 tests the revised EU Cyber Blueprint and triggers the first live activation of the EU Cybersecurity Reserve

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

The eighth edition of ENISA's biennial Cyber Europe exercise ran on 10–11 June and put the 2025 EU Cyber Blueprint to the test alongside the first exercise activation of the EU Cybersecurity Reserve established under the Cyber Solidarity Act (ENISA, 2026-06-11). More than 5,000 participants from national cybersecurity agencies, EU institutions, the private sector and partner countries — including Switzerland, the UK, Norway and Ukraine — worked through a multi-stage scenario in which attacks on interconnected European rail and maritime transport networks escalated into a declared cross-border cyber crisis (Brussels Morning, 2026-06-11). The drill exercised the Reserve's standard operating procedure — the pathway by which a Member State CSIRT can request pre-vetted incident-response services and ENISA activates them within hours — and the political-level escalation procedures of the Blueprint.

Why it matters to us: Swiss federal defenders (BACS/NCSC-CH) took part as a partner country, and the scenario (ransomware against cross-border transport OT layered with disinformation) maps directly onto the threat picture in ENISA's NIS360 and NCSC-CH's mandatory-reporting data. Knowing the Reserve activation pathway — who can invoke it, the severity threshold, and the hours-scale SOP — is the operational takeaway for anyone who might one day need EU-level surge support during a major incident.

Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Dragos's 8th annual OT industrial-IR retrospective (covered 2026-05-08) is the week's most directly actionable annual-report reference for Swiss / EU CI operators reading after the Polish water OT attribution: Dragos's blog announcement records that 65 percent of sites assessed had insecure remote-access conditions, including default credentials, unpatched VPNs, and exposed RDP sessions, and that many organisations believe they have proper IT/OT network segmentation while routine penetration tests reveal hidden connections. The report's NIS2 Annex-I compliance discussion directly contextualises the ABW 2025 Annual Report observation (§ 4) that the five Polish water-treatment facilities fell below the NIS2 essential-entity threshold and that legislative action is being considered to extend NIS2 obligations to critical-function entities regardless of headcount. The IEC 62443 zoning and conduit model is the recommended remediation reference architecture; the Swiss NCSC sector-specific ICS guidance (SARI framework) is the equivalent CH-side baseline. The defender lesson from the Dragos AI-assisted water utility attack item (2026-05-07) lands in the same line: AI tooling is progressively reducing the technical bar for OT-targeting attacks; prevention-only OT security strategies are inadequate as primary defences (daily 2026-05-08, daily 2026-05-07 — AI-assisted ICS attack).

EU Cybersecurity Package 2026 — NIS2 amendment (COM(2026) 13) + Cybersecurity Act 2 enter EP preparatory phase; PQC obligation embedded

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The European Commission's 20 January 2026 cybersecurity package bundles a targeted NIS2 amendment (COM(2026) 13) with a new Cybersecurity Act 2 (CSA2). The public-feedback period closed 22 April 2026 — the package is now in the European Parliament preparatory phase, with political agreement targeted for early 2027. Key NIS2-amendment changes relevant to the obligations of Swiss / EU public-sector SOCs: (1) scope expansion to submarine data-transmission infrastructure (SDTI) operators and European Digital Identity Wallet providers as essential entities; (2) mandatory ransomware reporting — competent authorities can demand to know whether a ransom was paid, to whom, and how much, when a reported incident involves ransomware; (3) Article 21 harmonised technical requirements at Commission level create a regulatory ceiling, blocking member states from adding further technical obligations — meaning an EU certification scheme can demonstrate compliance portably; (4) new Article 7(2)(k) mandates member-state PQC transition policies aligned with the 2030 (critical uses) / 2035 (medium/low uses) roadmap — the first time post-quantum is an explicit named NIS2 obligation rather than an implied "state of the art" interpretation (DLA Piper, 2026-02-16 · Skadden, 2026-03-27 · PostQuantum.com — EU PQC NIS2, 2026-02-13).

CSA2 introduces the EU's first horizontal ICT supply-chain security framework: the Commission designates "key ICT assets" used by NIS2-essential entities, identifies high-risk supplier countries, and may prohibit or restrict their components in those assets — directly analogous to 5G supply-chain restrictions, now extended to all essential sectors. ENISA's budget rises 75%+ and it takes on operational functions including the European Vulnerability Database (EUVD), early-warning publication, and the CRA Single Reporting Platform (SRP) — live 11 September 2026 (Covington — Cybersecurity Act 2, 2026-01-23). What defenders need to do differently: (1) inventory current "state of the art" cryptography claims that relied on implicit NIS2 interpretation — the explicit PQC Article creates a documented compliance gap supervisors can cite in audit findings; (2) plan for the SRP single-report submission flow ahead of 11 September 2026 — public-sector and vendor PSIRTs operating in NIS2-essential categories will be expected to publish through this channel rather than parallel-submit to member-state CSIRTs; (3) ransomware playbooks should anticipate the documentation question chain: whether a payment was made, the intermediary used, and the amount transferred. The NIS2 amendment requires 12-month transposition; CSA2 applies directly.

Dragos 2025 OT Cybersecurity Year in Review: 81% of IR engagements found flat IT/OT network architecture

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

Dragos released its 2025 OT Cybersecurity Year in Review — Frontlines IR Edition, synthesising findings from industrial incident response engagements. Key statistics: 81% of engagements identified no meaningful IT/OT network segmentation, with operational networks reachable directly from enterprise IT; initial access via internet-exposed remote access tools (internet-facing HMI, unprotected VPN termination, or engineering workstation RDP) was the dominant entry vector in 62% of cases; and 34% of confirmed OT intrusions progressed to the operational process level before detection. The report documents NIS2 Annex-I compliance gaps, noting that many essential OT-operating entities have not completed required asset inventory reviews, which the report identifies as the most common control weakness. The IEC 62443 zoning and conduit model is highlighted as the primary reference architecture for remediation. This is relevant to Swiss organisations operating under NCSC sector-specific ICS guidance (SARI framework).