  • Security Affairs
  • Meta accused of violating DSA by failing to safeguard minors – Pierluigi Paganini

Meta accused of violating DSA by failing to safeguard minors

30 April 2026, 06:11

The European Commission accuses Meta of failing to protect children, allowing users under 13 on Instagram and Facebook, in breach of the DSA rules.

The European Commission has accused Meta of violating child safety rules. Instagram and Facebook allegedly failed to prevent children under 13 from accessing their platforms. According to the Commission, Meta did not properly assess and mitigate risks to minors, breaching obligations under the Digital Services Act (DSA).

“The European Commission has preliminarily found Meta’s Instagram and Facebook in breach of the Digital Services Act (DSA) for failing to diligently identify, assess and mitigate the risks of minors under 13 years old accessing their services.” reads the press release. “Despite Meta’s own terms and conditions setting the minimum age to access Instagram and Facebook safely at 13, the measures put in place by the company to enforce these restrictions do not seem to be effective. The measures do not adequately prevent minors under the age of 13 from accessing their services nor promptly identify and remove them, if they already gained access.”

Minors under 13 can easily bypass age rules on Instagram and Facebook by entering false birth dates, as Meta lacks effective verification checks. Reporting tools are also weak: they require multiple steps, are not user-friendly, and often fail to trigger proper action, allowing underage users to remain active. The European Commission says Meta’s risk assessment is incomplete and ignores evidence that 10–12% of under-13s use these platforms, as well as research showing younger children are more vulnerable to harm. As a result, Meta is urged to revise its risk evaluation methods and strengthen measures to detect, prevent, and remove underage users, ensuring better privacy, safety, and protection for minors.

“At this stage, the Commission considers that Instagram and Facebook must change their risk assessment methodology, in order to evaluate which risks arise on Instagram and Facebook in the European Union, and how they manifest.” continues the press release. “Moreover, Instagram and Facebook need to strengthen their measures to prevent, detect and remove minors under the age of 13 from their service.”

Instagram and Facebook can now review the Commission’s evidence and respond to the preliminary findings, while also taking steps to address the issues under the 2025 DSA Guidelines. The European Board for Digital Services will be consulted. If breaches are confirmed, Meta could face fines of up to 6% of its global annual turnover, along with periodic penalties to enforce compliance. These findings are not final.

The case stems from formal proceedings launched in May 2024, based on extensive analysis of internal data, risk reports, and input from experts and civil society. The Commission used DSA guidelines as a benchmark, stressing the need for effective age verification tools that are accurate, reliable, and privacy-friendly, and has proposed an EU age verification app as a reference model.

“The Commission continues its investigation into other potential breaches that are part of these ongoing proceedings, including Meta’s compliance with DSA obligations to protect minors and the physical and mental well-being of users of all ages.” concludes the press release. “This investigation covers also the assessment and mitigation of risks arising from the design of Facebook’s and Instagram’s online interfaces, which may exploit the vulnerabilities and inexperience of minors, leading to addictive behaviour and reinforcing the so-called ‘rabbit hole’ effects.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, European Commission)

  • Firewall Daily – The Cyber Express
  • A Compromised Tool Opened the Door to a 91GB European Commission Data Leak – Samiksha Jain

A Compromised Tool Opened the Door to a 91GB European Commission Data Leak


The European Commission cloud breach did not begin with a dramatic system hack or a visible outage. It started quietly, with a trusted tool, a routine update, and a single compromised credential. Within days, that was enough to expose nearly 91.7 GB of data and drag multiple EU entities into a widening cybersecurity incident. Disclosed publicly on March 27, the European Commission cloud breach is now being treated as a clear example of how supply-chain attacks are reshaping risk in cloud environments. Not because defenses were absent, but because the entry point looked legitimate.

European Commission Cloud Breach Traced to Compromised Trivy Tool

Investigators from CERT-EU say, with high confidence, that the European Commission cloud breach began with a supply-chain compromise involving Trivy, a widely used security scanning tool. The malicious version, attributed to a threat actor known as TeamPCP, was unknowingly used within the Commission’s environment after being delivered through standard update channels. On March 19, the attacker obtained an AWS secret (an API key) with management-level permissions. That single key became the gateway into the Commission’s cloud infrastructure. From there, the activity was deliberate. The attacker attempted to uncover more credentials using TruffleHog, a tool designed to scan for secrets and validate them against the AWS Security Token Service (STS). They also created a new access key tied to an existing user, an attempt to maintain access while avoiding detection. The European Commission cloud breach did not rely on breaking in. It relied on blending in.

Data Theft and Dark Web Leak

The impact became clearer days later. A large volume of data, around 91.7 GB compressed or roughly 340 GB uncompressed, was exfiltrated from the compromised AWS account. On March 28, the data extortion group ShinyHunters published the dataset on its dark web leak site. The group claimed it included “data dumps of mail servers, datavases [sic], confidential documents, contracts, and much more sensitive material”. Early analysis confirms that the European Commission cloud breach exposed personal data, including names, usernames, and email addresses. The dataset also contains more than 51,000 files linked to outbound email communications. While most of these emails are automated notifications, some “bounce-back” messages may include original user-submitted content. That detail matters, as it raises the risk of unintended personal data exposure across systems that rely on user interaction.

Wider Impact Across EU Entities

The European Commission cloud breach goes beyond a single institution. The compromised AWS account is part of the infrastructure behind the “europa.eu” web hosting platform, which supports dozens of websites. Data linked to up to 71 clients may be affected: 42 internal European Commission services and at least 29 other Union entities. This shared infrastructure model is efficient, but it also means that one compromised component can have a broader footprint. Despite this, officials have confirmed that no websites were defaced, taken offline, or altered during the incident. There were no service disruptions. But the absence of visible damage should not be mistaken for limited impact.

Timeline Shows Speed of Supply-Chain Attacks

The timeline of the European Commission cloud breach highlights how quickly such incidents can unfold:
  • March 19: AWS credential obtained via compromised Trivy tool
  • March 24: Alerts triggered over unusual API activity and traffic spikes
  • March 25: CERT-EU notified; access secured and keys revoked
  • March 27: Public disclosure by the European Commission
  • March 28: Data published by ShinyHunters
In less than ten days, the attack moved from initial access to public data exposure.

Response and Containment Efforts

The European Commission acted quickly once the breach was identified. The compromised AWS secret was secured, newly created access keys were disabled, and all known exposed credentials were deactivated or deleted. Authorities also followed regulatory protocol, informing data protection bodies, including the European Data Protection Supervisor (EDPS), and notifying impacted entities. Direct communication with affected clients began on March 31. Importantly, the Commission has stated that its internal systems were not affected. However, the European Commission cloud breach remains under active investigation, particularly as analysis of the exposed databases continues.

A Familiar Weakness, Repeating

If the European Commission cloud breach feels familiar, it’s because the pattern is becoming more common. Attackers are no longer forcing their way in, they are entering through trusted software, CI/CD pipelines, and third-party tools. The compromised Trivy version was not flagged as malicious during installation. It behaved as expected—until it didn’t. This is the real shift. Security teams are being asked to defend not just their infrastructure, but every dependency connected to it.

What This Breach Really Signals

The European Commission cloud breach is not just about one incident or one tool. It reflects a deeper issue: the growing difficulty of verifying trust in modern software ecosystems. Cloud environments, automation pipelines, and open-source tools have made operations faster and more efficient. But they have also introduced new blind spots. The lesson here is uncomfortable but clear—security controls worked, but they worked late. Detection came after access had already been established and data had already moved. And that is where the real risk lies.
  • Security Affairs
  • European Commission breach exposed data of 30 EU entities, CERT-EU says – Pierluigi Paganini

European Commission breach exposed data of 30 EU entities, CERT-EU says

4 April 2026, 05:45

CERT-EU says a European Commission cloud hack exposed data from 30 EU entities and links the breach to the TeamPCP group.

CERT-EU attributed a European Commission cloud breach to the TeamPCP threat group, revealing that data from at least 30 EU entities was exposed. The incident was publicly disclosed on March 27 after inquiries confirmed that the Commission’s Amazon cloud environment had been compromised.

On March 24, the European Commission detected a cyberattack affecting the cloud infrastructure hosting its Europa.eu websites. The incident was quickly contained, with mitigation measures applied and no disruption to website availability. Early findings suggested some data may have been accessed, and potentially affected EU entities are being notified. The Commission alerted CERT-EU two days before disclosure, noting no signs of compromise until March 24, five days after the initial breach.

“Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission is duly notifying the Union entities who might have been affected by the incident.” reads the press release published by the European Commission. “The Commission’s services are still investigating the full impact of the incident.”

The EU has launched an investigation into the security breach to determine its full impact. However, the Commission initially pointed out that its internal systems were not affected, limiting the overall impact of the attack.

The Commission said its internal systems were not affected and will continue monitoring the situation while strengthening protections. It announced it will improve cybersecurity, as the EU faces ongoing cyber and hybrid threats targeting critical services and institutions.

BleepingComputer first reported the incident, claiming that threat actors breached the European Commission’s AWS account, stealing hundreds of gigabytes of data, including databases, and providing screenshots as proof.

“On March 25, CERT-EU received a notification from the European Commission that one of their AWS cloud accounts had been compromised. The first alerts, indicating potential misuse of Amazon APIs, potential account compromise, and an unusual volume of network traffic, had been detected by their Cybersecurity Operations Centre (CSOC) team the previous day.

An investigation uncovered that a malicious actor acquired an Amazon Web Services (AWS) secret (an API key) on March 19 through the Trivy supply chain compromise. This key granted control over other AWS accounts affiliated with the European Commission. On the same day, the threat actor attempted to discover additional secrets by launching TruffleHog, a tool commonly used for scanning secrets and validating AWS credentials by calling the Security Token Service (STS). STS is an AWS service that generates short-lived security credentials for accessing AWS resources and verifying identities.” reported CERT-EU. “The threat actor used the compromised AWS secret to create and attach a new access key to an existing user, aiming to evade detection. They then carried out reconnaissance activities.”

TeamPCP reportedly accessed the EU’s AWS environment on March 10 using a stolen API key from the Trivy supply-chain attack.

They then used tools like TruffleHog to find more credentials, created new access keys to stay hidden, and carried out reconnaissance and data theft. TeamPCP is also linked to supply-chain attacks on platforms like GitHub, PyPI, NPM, and Docker, including a compromised LiteLLM package used to spread data-stealing malware.
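The two cloud-side steps CERT-EU describes above (credential validation against STS, then a second access key attached to an existing user), which the Cyber Express write-up earlier on this page also recounts, both leave CloudTrail records. The following detection sketch is an added example, not code from CERT-EU, the Commission or any tool named here; every event, user name, key ID and IP address in it is constructed.

```python
"""Detection logic for two behaviours from the Europa breach account:
(1) a burst of sts:GetCallerIdentity calls from one access key, the
    pattern a secret-validation tool produces, and
(2) iam:CreateAccessKey whose target user differs from the caller, i.e.
    a second key minted on someone else's existing user.
Every record in SAMPLE_EVENTS is constructed for this example; field names
follow the CloudTrail schema but no value comes from the real incident.
"""
from collections import defaultdict
from datetime import datetime


def _ev(t, source, name, caller, key, ip, **extra):
    """Build a CloudTrail-shaped record (constructed data)."""
    rec = {
        "eventTime": t, "eventSource": source, "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": caller, "accessKeyId": key},
    }
    rec.update(extra)
    return rec


KEY_A = "AKIAEXAMPLE0000000AA"   # constructed key ID
KEY_B = "AKIAEXAMPLE0000000BB"   # constructed key ID

SAMPLE_EVENTS = [
    # Six identity checks in five seconds from the same key: validation burst.
    *[_ev(f"2026-03-19T10:00:0{i}Z", "sts.amazonaws.com", "GetCallerIdentity",
          "hosting-ci", KEY_A, "203.0.113.10") for i in range(1, 7)],
    # The same key then mints a new key on a different, existing user.
    _ev("2026-03-19T10:04:30Z", "iam.amazonaws.com", "CreateAccessKey",
        "hosting-ci", KEY_A, "203.0.113.10",
        requestParameters={"userName": "deploy-svc"},
        responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE0000000CC",
                                        "userName": "deploy-svc", "status": "Active"}}),
    # Benign: an admin checks identity once and rotates their own key.
    _ev("2026-03-19T08:15:00Z", "sts.amazonaws.com", "GetCallerIdentity",
        "ops-admin", KEY_B, "198.51.100.7"),
    _ev("2026-03-19T08:16:00Z", "iam.amazonaws.com", "CreateAccessKey",
        "ops-admin", KEY_B, "198.51.100.7",
        responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE0000000DD",
                                        "userName": "ops-admin", "status": "Active"}}),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sts_validation_bursts(events, window_s=60, threshold=5):
    """Return {accessKeyId: peak count} for keys that issued at least
    `threshold` GetCallerIdentity calls inside any `window_s` window."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "GetCallerIdentity":
            by_key[e["userIdentity"]["accessKeyId"]].append(_ts(e["eventTime"]))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits


def foreign_key_creations(events):
    """Return (callerUser, callerKey, targetUser) for each CreateAccessKey
    whose target user is not the calling identity. Self-rotation is routine;
    a key created on another user's account merits a closer look."""
    findings = []
    for e in events:
        if e["eventSource"] != "iam.amazonaws.com" or e["eventName"] != "CreateAccessKey":
            continue
        caller = e["userIdentity"]
        # requestParameters.userName is absent when a user creates a key for
        # itself; responseElements always names the owner of the new key.
        target = ((e.get("requestParameters") or {}).get("userName")
                  or e["responseElements"]["accessKey"]["userName"])
        if target != caller["userName"]:
            findings.append((caller["userName"], caller["accessKeyId"], target))
    return findings


if __name__ == "__main__":
    print("STS validation bursts:", sts_validation_bursts(SAMPLE_EVENTS))
    print("Keys created on other users:", foreign_key_creations(SAMPLE_EVENTS))
```

Both checks are cheap enough to run over a CloudTrail export or as a SIEM rule, and the thresholds are the only tuning a real environment needs.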

“The European Commission and CERT-EU have assessed with high confidence that the initial access vector was the Trivy supply-chain compromise, publicly attributed to TeamPCP by Aqua Security. The firm has provided comprehensive details on this compromise in its advisory.” continues CERT-EU.

“This assessment is based on three main factors:

  • The timing of the Trivy supply-chain compromise coincides with the observed initial compromise on March 19.
  • The specific resources being targeted: AWS credentials and cloud infrastructure.
  • The European Commission was unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels.”

On March 28, the ShinyHunters group published 350GB of data stolen from the European Commission, containing emails, names, and usernames, dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material.

CERT-EU confirmed that, using a compromised AWS credential, the attacker took tens of thousands of files, affecting up to 71 Europa web hosting clients: 42 Commission entities and at least 29 other EU bodies.

“The threat actor used the compromised AWS secret to exfiltrate data from the affected cloud environment.” added CERT-EU. “The exfiltrated data relates to websites hosted for up to 71 clients of the Europa web hosting service: 42 internal clients of the European Commission, and at least 29 other Union entities.”

Analysis shows the leaked dataset includes personal data such as names, usernames, and email addresses, mainly from European Commission websites but possibly affecting multiple EU entities. It also contains over 51,000 outbound email files, mostly automated, though some bounce-back messages may expose user-submitted content, increasing the risk of data exposure.

“The analysis of the databases linked to the hosted websites is underway. Given the volume and intricate nature of the data involved, this process requires a considerable amount of time.” concludes CERT-EU.

Summarizing, a compromised AWS account tied to the europa.eu hosting service exposed data from 42 European Commission clients and at least 29 other EU entities. Despite the breach, no websites were disrupted or altered. The Commission has notified affected parties and, with CERT-EU, continues investigating and will share further findings as they emerge.

On 30 January, the European Commission detected another cyberattack on its mobile device management system. The organization pointed out that no mobile devices were compromised. The Commission contained and cleaned the system within nine hours.

Attackers may have accessed some staff data, including names and phone numbers, but so far they have not compromised any devices.


Pierluigi Paganini

(SecurityAffairs – hacking, CERT-EU)

  • Firewall Daily – The Cyber Express
  • 30% of Retailers Fail to Show Accurate Discounts, EU Probe Reveals – Samiksha Jain

30% of Retailers Fail to Show Accurate Discounts, EU Probe Reveals

30 March 2026, 03:20


A new investigation into Black Friday discounts across Europe has revealed a troubling pattern: many online deals may not be as genuine as they appear. According to findings released by the European Commission and consumer protection authorities, nearly one in three traders failed to display discounts correctly during major sale events like Black Friday and Cyber Monday. The coordinated “sweep” examined 314 online traders across 23 EU Member States, along with Iceland and Norway. The goal was simple: check whether Black Friday discounts and pricing practices actually comply with EU consumer protection laws. The results suggest that a significant portion of online retailers are still falling short.

Black Friday Discounts Often Misleading

At the core of the issue is how Black Friday discounts are calculated and presented. Under EU rules, any advertised discount must be based on the lowest price a product had in the previous 30 days. However, 30% of the traders checked failed to follow this requirement. This means that many “discounts” shoppers see may not reflect real savings, but rather inflated comparisons designed to create the illusion of a better deal. It’s a reminder that misleading discounts remain a widespread issue, even in regulated markets.

Online Sales Tactics Raise More Concerns

Beyond incorrect Black Friday discounts, the sweep uncovered several other questionable online pricing practices.
  • 36% of traders added optional items to shopping carts, often without clear consent from users
  • 34% used price comparisons, but 60% of those failed to explain what those comparisons were based on
  • 18% used pressure-selling tactics like fake scarcity or countdown timers, with more than half found to be misleading
  • 10% used “drip pricing,” adding extra costs such as shipping fees late in the checkout process
These tactics are not just aggressive; they are illegal under EU consumer protection laws when used deceptively. The findings show that the issue goes beyond Black Friday discounts alone. It reflects a broader pattern of how online platforms influence consumer decisions.

EU Consumer Protection Rules Put to the Test

The investigation highlights the growing importance of EU consumer protection frameworks in the digital shopping era. While regulations like the Price Indication Directive and Unfair Commercial Practices Directive are in place, enforcement remains key. Consumer authorities across Europe can now take action against businesses found violating these rules. The scale of the problem suggests that compliance is still inconsistent. Despite clear guidelines, many traders continue to rely on tactics that blur the line between marketing and manipulation.

Trust at the Center of the Issue

The conversation around Black Friday discounts is ultimately about trust. When consumers see a discount, they expect it to be real—not a marketing trick. As Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, stated, “Black Friday and Cyber Monday offer great opportunities for both businesses and consumers. However, a great bargain is no excuse to cheat the rules. Consumers expect a fair treatment, whether they are shopping online or offline. Our sweep should act as a reminder: Businesses that treat their customers fairly always benefit.”

Echoing this, Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, said, “Trust is essential for both consumers and businesses. Misleading discounts and false ‘promotions’ undermine that trust. EU consumer protection rules strike a careful balance, ensuring a fair market that serves the interests of both businesses and consumers. This sweep gives us a comprehensive view of the market, helping us identify where further action is needed to keep it fair, transparent, and competitive.”

The findings serve as a reality check for both regulators and consumers. While Black Friday discounts continue to attract millions of shoppers, not all deals are as transparent as they seem. For regulators, the message is clear: stronger enforcement may be needed. For consumers, it’s a reminder to look beyond flashy discounts and question how prices are presented.
  • Security Affairs
  • ShinyHunters claims the hack of the European Commission – Pierluigi Paganini

ShinyHunters claims the hack of the European Commission

28 March 2026, 12:58

The European Commission has allegedly been breached by ShinyHunters, with reported data dumps including content from mail servers.

The European Commission has allegedly been breached by ShinyHunters, with reported data dumps including content from mail servers and internal communications systems.

The cybercrime group added the Commission to its Tor data leak site, claiming the theft of over 350 GB of data. Stolen data may include data dumps of mail servers, databases, confidential documents, contracts, and much more sensitive material.

The European Commission has allegedly been breached by ShinyHunters including data dumps of mail servers pic.twitter.com/J8T5H5o1M4

— Dominic Alvieri (@AlvieriD) March 28, 2026

On March 24, the European Commission detected a cyberattack affecting the cloud infrastructure hosting its Europa.eu websites. The incident was quickly contained, with mitigation measures applied and no disruption to website availability. Early findings suggest some data may have been accessed, and potentially affected EU entities are being notified.

“Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission is duly notifying the Union entities who might have been affected by the incident.” reads the press release published by the European Commission. “The Commission’s services are still investigating the full impact of the incident.”

The EU has launched an investigation into the security breach to determine its full impact. However, the Commission pointed out that its internal systems were not affected, limiting the overall impact of the attack.

The Commission said its internal systems were not affected and will continue monitoring the situation while strengthening protections. It will analyze the incident to improve cybersecurity, as the EU faces ongoing cyber and hybrid threats targeting critical services and institutions.

BleepingComputer first reported the incident, claiming that threat actors breached the European Commission’s AWS account, stealing hundreds of gigabytes of data, including databases, and providing screenshots as proof. The exact type of stolen data remains unclear. AWS said it did not suffer a security incident and that its services functioned as expected.

The attack vector is still unknown.

On 30 January, the European Commission detected another cyberattack on its mobile device management system. The organization pointed out that no mobile devices were compromised. The Commission contained and cleaned the system within nine hours.

Attackers may have accessed some staff data, including names and phone numbers, but so far they have not compromised any devices.

The ShinyHunters extortion group has recently targeted major companies, leaking data when ransom demands fail. Victims include Odido, Figure, Canada Goose, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365.


Pierluigi Paganini

(SecurityAffairs – hacking, European Commission)

  • Security Affairs
  • The European Commission confirmed a cyberattack affecting part of its cloud systems – Pierluigi Paganini

The European Commission confirmed a cyberattack affecting part of its cloud systems

27 March 2026, 18:43

The European Commission confirmed a cyberattack affecting part of its cloud systems, now contained, with no impact on internal networks.

On March 24, the European Commission detected a cyberattack affecting the cloud infrastructure hosting its Europa.eu websites. The incident was quickly contained, with mitigation measures applied and no disruption to website availability. Early findings suggest some data may have been accessed, and potentially affected EU entities are being notified.

“Early findings of our ongoing investigation suggest that data have been taken from those websites. The Commission is duly notifying the Union entities who might have been affected by the incident.” reads the press release published by the European Commission. “The Commission’s services are still investigating the full impact of the incident.”

The EU has launched an investigation into the security breach to determine its full impact. However, the Commission pointed out that its internal systems were not affected, limiting the overall impact of the attack.

The Commission said its internal systems were not affected and will continue monitoring the situation while strengthening protections. It will analyze the incident to improve cybersecurity, as the EU faces ongoing cyber and hybrid threats targeting critical services and institutions.

BleepingComputer first reported the incident, claiming that threat actors breached the European Commission’s AWS account, stealing hundreds of gigabytes of data, including databases, and providing screenshots as proof. The exact type of stolen data remains unclear.

“The European Commission, the European Union’s main executive body, is investigating a security breach after a threat actor gained access to the Commission’s Amazon cloud environment.” reported BleepingComputer. “Although the EU’s executive cabinet has yet to disclose the incident publicly, BleepingComputer has learned that the breach affected at least one of the Commission’s AWS (Amazon Web Services) accounts.”

AWS said it did not suffer a security incident and that its services functioned as expected.

While the Commission has not shared details, the attacker claimed to have stolen over 350 GB of data, including databases, and provided BleepingComputer screenshots as proof of access to employee data and an email server. The attack vector is still unknown. The attacker said they do not plan to extort the Commission but may release the data publicly later.

On 30 January, the European Commission detected another cyberattack on its mobile device management system. The organization pointed out that no mobile devices were compromised. The Commission contained and cleaned the system within nine hours.

Attackers may have accessed some staff data, including names and phone numbers, but so far they have not compromised any devices.


Pierluigi Paganini

(SecurityAffairs – hacking, European Commission)

  • Firewall Daily – The Cyber Express
  • Snapchat Faces EU Child Safety Probe Under Digital Services Act – Samiksha Jain

Snapchat Faces EU Child Safety Probe Under Digital Services Act

27 March 2026, 03:13


The European Commission has launched a formal DSA child protection investigation into Snapchat, examining whether the platform is meeting its obligations to ensure a high level of safety, privacy, and security for minors. The move comes under the framework of the Digital Services Act (DSA), which sets strict standards for online platforms operating in the European Union and can impose fines of up to 6% of global annual turnover for non-compliance.

Age Assurance Under Digital Services Act Scrutiny

At the center of the DSA child protection investigation is Snapchat’s approach to age assurance. According to its terms, users must be at least 13 years old to access the platform. However, the Commission suspects that Snapchat’s reliance on self-declaration is insufficient. It raises concerns that this method neither prevents children under 13 from accessing the service nor adequately verifies whether users are under 17, which is necessary to ensure age-appropriate experiences. There are also concerns that tools to report underage users may not be easily accessible within the app.

The investigation also focuses on the risk of minors being exposed to grooming attempts and recruitment for criminal purposes. The Commission suspects that Snapchat may not be doing enough to prevent users with harmful intent from contacting children, particularly in cases where individuals misrepresent their age or manipulate their profiles. This includes concerns around exposure to harmful content, conduct, and contact that could place minors at risk.

Default Settings And Privacy Concerns

Another key area under the DSA child protection investigation is Snapchat’s default account settings. The Commission believes that the platform may not provide sufficient privacy, safety, and security protections for minors by default. Features such as the “Find Friends” system, which recommends users, and push notifications that remain enabled by default are under scrutiny. The Commission also notes that users may not receive adequate guidance during account creation on how to manage privacy and safety settings, or how to adjust them effectively.

Illegal Content And Reporting Mechanisms Under Review

The investigation further examines whether Snapchat is effectively preventing the dissemination of illegal content, including information related to the sale of drugs and age-restricted products such as alcohol and vapes. Under the DSA, platforms are required to mitigate systemic risks arising from their services. The Commission suspects that current content moderation measures may not be sufficient to block or limit access to such content, especially for younger users.

Reporting mechanisms for illegal content are also part of the Digital Services Act child protection investigation. The Commission raises concerns that these systems may not be easy to access or user-friendly and could involve design practices that make reporting less straightforward. There are also concerns that users may not be properly informed about complaint procedures or available redress options within the platform.

Next Steps in DSA Child Protection Investigation

The European Commission will now conduct an in-depth investigation by gathering further evidence, including requesting information from Snapchat and conducting interviews or inspections. The opening of formal proceedings allows the Commission to take further enforcement actions, including adopting interim measures or issuing a non-compliance decision. It can also accept commitments from Snapchat to address the issues identified during the investigation.

The action against Snapchat builds on broader regulatory efforts under the Digital Services Act to strengthen online child protection across platforms. The Commission has used its 2025 DSA Guidelines on the protection of minors as a benchmark for evaluating compliance, emphasizing that self-declaration alone should not be considered a reliable age assurance method and that default settings should offer the highest level of protection for minors.

“From grooming and exposure to illegal products to account settings that undermine minors’ safety, Snapchat appears to have overlooked that the Digital Services Act demands high safety standards for all users. With this investigation, we will closely look into their compliance with our legislation,” said Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy.

Age Verification Under Question

In a related development, the European Commission has also taken preliminary action against adult content platforms including Pornhub, Stripchat, XNXX, and XVideos under the Digital Services Act. The Commission found that these platforms may have failed to adequately protect minors from accessing pornographic content. It noted that their risk assessments did not sufficiently identify or evaluate risks to children, and in some cases, placed more emphasis on business considerations than on child safety.

“In the EU, online platforms have a responsibility. Children are accessing adult content at increasingly younger ages and these platforms must put in place robust, privacy-preserving and effective measures to keep minors off their services. Today, we are taking another action to enforce the DSA - ensuring that children are properly protected online, as they have the right to be,” said Virkkunen.

The findings also indicate that these platforms rely heavily on self-declaration for age verification, which the Commission considers ineffective. Additional measures such as content warnings, page blurring, or “restricted to adults” labels were also deemed insufficient to prevent minors from accessing harmful material. The Commission has suggested that more robust, privacy-preserving age verification methods are required to address these risks.

As part of ongoing proceedings, these platforms will have the opportunity to respond to the Commission’s findings and take corrective measures. If the breaches are confirmed, the Commission may issue a non-compliance decision, which could result in significant financial penalties or enforcement actions to ensure compliance. The broader enforcement push reflects a clear regulatory direction under the Digital Services Act, with authorities focusing on ensuring that platforms, regardless of size, take stronger responsibility for protecting minors online.
  • ✇Firewall Daily – The Cyber Express
  • Europe Moves to Ban AI Nudification Tools Under Updated AI Act Samiksha Jain

Europe Moves to Ban AI Nudification Tools Under Updated AI Act

16 de Março de 2026, 07:35


The European Union is moving one step closer to refining its landmark EU AI Act, with the European Council proposing new amendments aimed at simplifying regulations while addressing emerging risks from artificial intelligence. On Friday, the Council released its position on updates to the EU AI Act, including a new ban on AI nudification tools and stricter standards around the use of sensitive personal data. The proposal is part of the broader “Omnibus VII” legislative package designed to streamline the EU’s digital regulatory framework and reduce compliance burdens for businesses. While the changes are intended to make the rules more practical for companies, the latest amendments also reflect growing concerns about the misuse of AI technologies and the need for stronger safeguards.

EU AI Act Amendments Target Harmful AI Content

One of the most significant changes proposed under the updated EU AI Act is a new prohibition targeting AI tools capable of generating non-consensual sexual or intimate imagery. According to the Council, the new provision explicitly bans “AI practices regarding the generation of non-consensual sexual and intimate content or child sexual abuse material.” The move comes as regulators across Europe increasingly confront the real-world harms caused by AI-generated deepfake content.

The proposal follows a similar step earlier this week when members of the European Parliament approved their own version of the ban. The alignment between the two bodies suggests that restrictions on AI nudification tools are likely to remain in the final version of the EU AI Act once negotiations conclude.

The push for stricter rules comes after a high-profile incident involving the Grok chatbot developed by xAI and integrated into the social platform X (formerly Twitter). Beginning in late December, the chatbot reportedly generated millions of non-consensual intimate images that quickly spread online, triggering widespread backlash. In response, the European Commission launched a formal investigation into the platform and its AI features earlier this year. For policymakers, the episode underscored the speed at which generative AI tools can create and distribute harmful content, and why the EU AI Act needs mechanisms to address such risks.

Changes to High-Risk AI System Regulations

Alongside the new prohibition, the proposed reforms also adjust the timeline for implementing rules on high-risk AI systems, a key component of the EU AI Act. The European Commission previously suggested delaying the implementation of these rules by up to 16 months, allowing regulators time to develop the technical standards and tools needed to enforce them effectively. Under the Council’s proposal, the revised deadlines would be:
  • 2 December 2027 for stand-alone high-risk AI systems
  • 2 August 2028 for high-risk AI systems embedded in products
These extensions aim to provide organizations with clearer guidance and sufficient preparation time while still ensuring that the regulatory framework remains enforceable. At the same time, the Council reinstated a requirement for providers to register AI systems in the EU database for high-risk technologies, even when companies believe their systems qualify for exemptions. The measure is intended to strengthen transparency and oversight under the EU AI Act.

Stronger Safeguards for Sensitive Data

Another key amendment focuses on how organizations process sensitive personal data when developing or testing AI systems. The Council’s proposal restores the “strict necessity” standard for using special categories of personal data in bias detection and correction processes. This means organizations must clearly justify why such data is required before using it to improve algorithmic fairness. The change reflects ongoing debate within Europe about balancing innovation with strong privacy protections, particularly as AI systems rely on increasingly large datasets.

In addition, the updated EU AI Act proposal postpones the deadline for establishing national AI regulatory sandboxes until December 2027. These sandboxes are designed to allow companies to test AI technologies in controlled environments under regulatory supervision.

Simplifying Rules Without Weakening Oversight

The broader objective behind the proposed amendments is to simplify the complex network of digital regulations affecting businesses across the EU. As part of the Digital Omnibus initiative, the European Commission has been working to reduce administrative burdens while improving the consistency of AI rules across member states.

Marilena Raouna, Deputy Minister for European Affairs of the Republic of Cyprus, emphasized the importance of balancing innovation with regulatory clarity. “Streamlining the AI rules is essential for ensuring the EU’s digital sovereignty. As presidency, we worked on this proposal with urgency, reaching a swift agreement to facilitate the timely application of the AI act. The proposal will bring greater legal certainty, make the rules more proportionate and ensure more harmonised implementation across member states. We are ready to work with our co-legislators in our common efforts to support our companies, facilitate innovation and build a more competitive Europe.”

The Council’s proposal also introduces new guidance obligations for regulators. Under the revised EU AI Act, the European Commission would provide clearer instructions to help companies comply with high-risk AI requirements while minimizing compliance costs.

What Happens Next for the EU AI Act

With the Council now formally adopting its negotiating position, discussions will move to the next stage. The proposal will be negotiated with the European Parliament to finalize the updated framework. While the process may still involve revisions, the latest developments signal that Europe remains committed to shaping global AI governance through the EU AI Act—balancing innovation, business competitiveness, and safeguards against emerging technological risks. As generative AI tools continue to evolve rapidly, the debate around how they should be regulated is far from over. But the Council’s latest proposal makes one thing clear: Europe is determined to tighten protections where AI misuse threatens privacy, safety, and trust in digital technologies.
  • ✇Security Affairs
  • European Commission probes cyberattack on mobile device management system Pierluigi Paganini

European Commission probes cyberattack on mobile device management system

9 de Fevereiro de 2026, 11:00

The European Commission is investigating a cyberattack after detecting signs that its mobile device management system was compromised.

The European Commission is investigating a cyberattack on its mobile device management platform after detecting intrusion traces. Attackers may have accessed some staff data, including names and phone numbers, but so far they have not compromised any devices.

On 30 January, the European Commission detected a cyberattack on its mobile device management system. The organization pointed out that no mobile devices were compromised. The Commission contained and cleaned the system within nine hours. It continues to monitor security, strengthen cybersecurity, and review the incident to improve protections, reflecting its commitment to safeguarding EU systems amid ongoing cyber threats to critical services and institutions.

“On 30 January, the European Commission’s central infrastructure managing mobile devices identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members.” reads the advisory. “The Commission’s swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.”

The Commission has not revealed how the threat actors accessed the mobile device management platform.

The European Computer Emergency Response Team (CERT-EU) is investigating the security breach.

Attackers could use the stolen data to launch targeted vishing and phishing attacks, impersonating colleagues or officials to steal credentials. The stolen names and phone numbers also enable reconnaissance for spear phishing or physical targeting of key personnel. Finally, any resulting GDPR violation and reputational damage would undermine the Union’s cyber credibility.

In April 2021, a European Commission spokesperson confirmed that the organization, along with other European Union organizations, was hit by a cyberattack in March. The authorities did not disclose any details about the type of threats that hit the institutions, or the alleged threat actors behind the attack.

The spokesperson explained that multiple EU institutions, agencies, and IT infrastructure were impacted by an “IT security incident in their IT infrastructure.”

According to a person familiar with the matter cited by Bloomberg, the incident was more severe than the ones that usually hit the EU. An EU official also revealed that staff had recently been warned of an ongoing phishing campaign against EU representatives.


Pierluigi Paganini

(SecurityAffairs – hacking, EU Commission)

EU’s New Cybersecurity Act Could Ban High-Risk Suppliers

21 de Janeiro de 2026, 08:44

This sweeping update introduces measures to identify and potentially exclude "high-risk" third countries and companies across 18 essential sectors.

The post EU’s New Cybersecurity Act Could Ban High-Risk Suppliers appeared first on TechRepublic.
