Posted in Commentary with tags EU on July 9, 2026 by itnerd
The European Commission unveiled an Action Plan on Cybersecurity and Artificial Intelligence aimed at helping Member States, public authorities, and industry address cyber risks associated with advanced AI systems.
The plan includes measures to expand AI-assisted vulnerability detection, establish an EU capability to evaluate advanced AI models, and develop secure testing environments for AI systems. It builds on existing legislation, including the Cyber Resilience Act, the AI Act, and NIS2.
The Commission said the initiative will support the secure development and deployment of AI by strengthening collaboration between governments, industry, and the cybersecurity community. Planned actions include coordinated vulnerability disclosure, AI-powered cyber defense capabilities, and guidance for organizations deploying AI in critical sectors.
Steven Swift, Managing Director, Suzu Labs provided this comment:
“The problem with locking new frontier models behind a governmental pre-release screening, is that it gives governments a mechanism to require frontier labs to modify their models in ways that aligns with political preferences, such as selecting which version of the truth they want models to present. While at the same time being able to claim “for better security” as the official reason to gate the release at all.
“The other problem with it, is that there isn’t really a difference between the offensive and defensive capabilities of a model. Even if screening focus is narrowly focused on cybersecurity capabilities, actively lowering a model’s offensive capabilities directly impacts its ability to perform defensive work. Especially defensive verification, which is critical. Models will hallucinate unpredictably. It is absolutely essential that agentic systems be capable of building tests to verify the validity of results to ensure that hallucinations aren’t present.
“This makes frontier models more insecure, and makes their use less safe. Despite the entire point of cybersecurity review process to be the opposite.
“If we are going to gate frontier models behind an approval process, it is absolutely critical that the structured access programs actually function effectively to get legitimate security professionals, and developers access to sensitive unrestricted models, so that appropriate verification and testing can be performed on their own systems.”
Seemant Sehgal, Founder & CEO, BreachLock has this comment:
“The EU is right to treat this as an infrastructure problem, not a software problem. AI embedded in critical sectors carries the same risk profile as power grids and financial rails in that a failure isn’t an inconvenience, but a systemic event.
“The window to set baseline security expectations before widespread deployment is already closing. What makes this harder than traditional infrastructure is that AI systems don’t stay static after deployment. The testing frameworks have to keep pace with that. The real question is whether coordinated disclosure and continuously updated validation environments can be stood up before adversaries finish mapping what Europe has already put in place.”
Doc McConnell, Head of Policy and Compliance, Finite State adds this:
“This action plan presents what the EU sees as an ideal ecosystem to support safe, responsible, and innovative development and utilization of AI across the Union. That vision is ambitious, including a stronger system of third-party AI evaluators, sovereign AI capacity, multi-state workforce training, and secure testing platforms. These will require significant investment, international coordination, and development of new technology. And as the EU works to achieve these goals, existing frontier labs will continue to innovate, and new open-weight models may emerge.
“The specificity of this action plan stands in contrast to the U.S. policy on AI security, as laid out in the June 2026 Executive Order Promoting Advanced Artificial Intelligence Innovation and Security. Although the goals are similar, including protection of critical infrastructure, early government access to cybersecurity tools, and the promotion of innovation, the U.S. approach is much more open-ended.
“I expect that neither approach will fully meet this moment, and we will see national policies have to adapt along with the technology they are seeking to oversee. The action plan describes a promising future: one of “unprecedented opportunities to enhance cyber resilience.” That is the goal to keep in mind. Even as plans, priorities, and AI models change, we must all, individual technologists and commercial companies, as well as policymakers, make choices that prioritize AI as an enabler of better defense, greater resilience, and stronger international security.”
The US and other countries that are not in the EU should copy what the EU is doing as the EU has the right idea here. And other countries when all is said and done are on the wrong side of history.
So get this. Freedom Mobile, which I have touted as a possible alternative to the “Big Three” telecoms have sent out a survey. Now there’s nothing unusual about a telco sending out a survey as telcos do that all the time. But this was different. One of the questions as captured by a Reddit thread was:
“If these advanced security features were offered by Freedom Mobile at an additional cost of $8 per month (on top of your mobile service plan), how likely would you be to subscribe?*
(Advanced security features: Encrypted text messages and voicemail, spam call detection, SIM swap protection, improved account sign-in security, and location privacy)”
The fact is that “Advanced security features” such as sim swap protection, spam call detection and the like would sit behind any sort of paywall is a #EpicFail on the part of Freedom Mobile. Doubly so given that they log in process quite frankly epically sucks beyond any belief as I covered here. The fact is that this should be the least that a carrier offers. Plus Freedom Mobile’s log in process needs a serious overall. As in they need to adhere to modern security standards such as multi factor authentication or some sort of passwordless authentication. Passkeys for example.
Now to be fair, Freedom Mobile haven’t announced any changes. Yet. But the fact that a survey like this has gone out shows that they are thinking about making changes. And like those who are part of this Reddit thread, I will be much more likely to dump Freedom Mobile if these changes are implemented. But I guess that Freedom Mobile feel that they need to generate revenue somehow. And simply stealing customers from the “Big Three” isn’t enough. I’d ask Freedom Mobile for their side of the story, but they won’t talk to me. So I guess I will have to see how this plays out. If they are smart, they make sure that it plays out in a way that customers win.
Check Point’s June 2026 Monthly Cyber Threat Statistics reveal a significant increase in global cyberattacks, with organizations experiencing an average of 2,270 weekly cyberattacks, up 17% year-over-year and 10% month-over-month. The report also highlights a 33% increase in ransomware activity, with The Gentlemen emerging as the most active ransomware group, alongside continued concerns around GenAI-related data leakage risks, as 1 in every 26 GenAI prompts carried a high risk of exposing sensitive information.
Key takeaways
Weekly cyber-attacks per organization reached 2,270 in June 2026, up 10% from May and 17% higher than June 2025
Education, Government, and Telecommunications again sat at the top of the industry list, with Education and Telecommunications posting double-digit gains while Government rose 5% year over year
Most regions grew year over year, led by Latin America at a 27% increase, while Africa was the exception with a 9% decline
GenAI exposure held roughly steady, though Healthcare and Telecommunications emerged as the industries carrying the most risk from unsafe prompts
Ransomware attacks reached 646 for the month, a 33% jump from June 2025, and The Gentlemen overtook Qilin as the most active group
A Global Rebound That Reaches Every Region
June reversed the brief calm of May. Organizations faced an average of 2,270 weekly cyber attacks, a 10% rise from the previous month and a 17% increase compared with June last year. What makes this month notable is not just the size of the jump but its reach. Rather than one region or sector absorbing the bulk of the growth, the increase showed up almost everywhere at once, suggesting attackers spread their effort wider rather than concentrating it.
Which Industries Faced the Most Attacks?
Education remained the most targeted sector, with organizations facing an average of 4,816 weekly attacks, a 16% climb from June 2025. Open campus networks, constant device turnover, and thin security budgets keep making schools and universities an easy draw for attackers. Government followed at 2,836 weekly attacks, up 5%, and Telecommunications came in close behind at 2,835, a 13% rise. Together these three sectors continue to absorb a disproportionate share of global attack volume, a pattern that has held steady across recent months even as the specific numbers shift.
Figure 1: Global average weekly cyber-attacks per industry, June 2026 vs June 2025
Which Regions Saw the Sharpest Increase?
Latin America held its position as the most attacked region, with organizations reporting 3,501 weekly attacks on average, a 27% increase over June 2025. APAC followed at 3,060, a smaller 5% rise, while Africa posted 3,008 weekly attacks, down 9% from a year earlier, its only decline among the five regions tracked. Europe and North America both saw sharp jumps, up 22% and 14% respectively, pushing every region into growth except Africa.
Figure 2: Weekly cyber-attacks per organization by region, June 2026
GenAI Exposure: Where the Risk Concentrates
GenAI exposure has become one of the clearest examples of how everyday business behavior can create security risk. In this context, the risk is not about attackers using AI or flaws in the models themselves. It is about what employees place into prompts: customer records, internal documents, infrastructure details, legal material, financial data, or HR information that may be copied into public or unmanaged GenAI tools.
The June data highlights three main signals:
High-risk prompts are common: 1 in every 26 GenAI prompts from enterprise networks carried a high risk of sensitive data leakage, equal to a global exposure rate of 3.9%
The risk is widespread: 85% of organizations that regularly use GenAI tools were affected by high-risk prompt activity
Sensitive information is frequently present: A further 27% of prompts contained potentially sensitive information
Adoption is broadening: Each organization used an average of 7 different GenAI tools over the past month, while the average user generated 78 prompts
That level of activity suggests GenAI is no longer a side experiment in many workplaces. It is becoming part of daily workflows, often faster than data protection policies, user training, and technical controls can adapt.
The highest-risk regions and industries stood out clearly against the 3.9% global benchmark. Looking at where this risk lands, Latin America stood out as the highest risk region at 5.2%, well above the global rate. Europe matched the global average of 3.9%, while North America and APAC came in slightly under it, at 3.6% and 3.5%. By industry, Healthcare and Medical carried the heaviest exposure at 5.7%, followed by Telecommunications and Business Services, both at 5.1%, and Information Technology at 4.1%.
Figure 3: High risk prompts per region, June 2026
Personal data made up the largest share of sensitive content flowing through these prompts, appearing in 80% of organizations, followed by network and infrastructure details at 62%, legal and regulatory material at 61%, financial data at 60%, and employee records at 57%. Taken together, these figures point to a workforce that treats GenAI tools as a general-purpose assistant, feeding them exactly the kind of material that governance policies are meant to protect.
Figure 4: The types of data flowing through AI prompts
This shows that GenAI exposure is not limited to one department or one type of task. It cuts across personal, technical, legal, financial, and workforce-related data, making prompt-level visibility and governance increasingly important as enterprise GenAI use continues to grow.
Figure 5: High risk prompts by industry, June 2026
Ransomware Keeps Climbing, With Business Services in the Crosshairs
* This ransomware data draws from ransomware “shame sites” operated by double-extortion groups, which publicly disclose victim information. While these sources have inherent biases, they provide valuable insight into the ransomware landscape.
Ransomware attacks totaled 646 in June, a 33% increase over the same month in 2025. Business Services remained the most affected industry, responsible for 31% of reported victims, followed by Consumer Goods and Services at 16% and Industrial Manufacturing at 14%. Two trends stand out over the past three months. Consumer Goods and Services has climbed steadily, from 14% of victims in April to 15% in May and 16% in June, and Government has moved even faster, rising from 4.0% to 4.3% to 5.4% across the same stretch.
Figure 6: Percentage of ransomware victims by industry, June 2026
Figure 7: Share of global ransomware victims by industry, April – June 2026
North America accounted for 44% of reported ransomware incidents, with APAC at 23% and Europe at 22%. APAC saw the sharpest shift of any region, its share of global victims rising from 16.8% in April to 22.6% in June, a jump of over a third in just two months.
Figure 8: Ransomware victims by region, June 2026
A New Name at the Top of the Ransomware Leaderboard
TheGentlemen was the most prevalent ransomware group in the past month, responsible for 17% of the published attacks, overtaking Qilin, which accounted for 11%. LockBit also recorded a significant increase, rising from 1% of published attacks in the previous month to 7%, making it the third most prevalent ransomware group.
The Gentlemen: The Gentlemen is a fast growing Ransomware-as-a-Service operation founded in mid-2025 by a Russian-speaking operator (Hastalamuerte) who previously worked as an affiliate across Qilin, Embargo, LockBit, Medusa, and BlackLock before launching his own platform after a dispute with Qilin. The group openly recruits affiliates in various forums and uniquely functions as both a RaaS provider and an Initial Access Broker, offering affiliates self-service access to approximately 14,000 pre-exploited FortiGate devices (CVE-2024-55591). With over 320 DLS-claimed victims and an estimated 1,570+ actual compromises revealed through Check Point Research’s analysis, The Gentlemen has established itself as a top-7 global ransomware threat in under a year. The group’s cross-platform lockers target Windows, Linux, and ESXi (C-based), and their latest May 2026 operator communication announces a shift from blunt-force BYOVD-based EDR killing to surgical userland evasion techniques. The group’s geographic targeting is notably atypical, with the US representing only 12% of victims (vs 50% ecosystem average), reflecting a device-driven victim selection model shaped by the FortiGate stockpile rather than deliberate geographic preference.
Qilin: Qilin is one of the most established RaaS groups, with a consistent track record of victim disclosures dating back to 2022. Originally operating under the name “Agenda,” the group rebranded as “Qilin” by September 2022, introducing a Rust-based encryptor and expanding its RaaS infrastructure. It provides affiliates with a full-featured toolkit via a dedicated administrative panel, including an encryptor, negotiation infrastructure, and support services. Following RansomHub’s retirement, Qilin intensified its affiliate recruitment efforts and, since March 2025, has significantly increased the volume of victim listings on its data leak site (DLS).
LockBit: LockBit is a ransomware-as-a-service (RaaS), that was first launched in September 2019 and was updated and improved in June 2021. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States. LockBit shares details of their victims on a Tor-hosted leak site along with the countdown to the date and time at which stolen data will be published unless the ransom payment is received. LockBbit is considered to be the fastest ransomware in terms of encryption speed.
Frequently Asked Questions About June 2026’s Cyber Threat Landscape
Why did cyber attacks increase across nearly every region in June? The growth was broad rather than concentrated in one place, which points to attackers expanding their targeting rather than focusing on a single weak point. Latin America and Europe saw the steepest year over year gains, while Africa was the only region to post a decline.
Which industries face the highest GenAI data leakage risk? Healthcare and Medical carried the highest risk at 5.7% of prompts, followed by Telecommunications and Business Services at 5.1% each, and Information Technology at 4.1%. All four sat above the global average of 3.9%.
Why did The Gentlemen overtake Qilin as the top ransomware group? The Gentlemen built rapid scale through self-service access to a large pool of pre-exploited devices and an aggressive affiliate recruitment model, letting it grow into a leading threat within about a year of launching. In June it accounted for 17% of published attacks against Qilin’s 11%.
Is ransomware activity still concentrated in North America? Yes, though less so than before. North America still accounts for 44% of reported victims, but APAC’s share grew sharply, from 16.8% in April to 22.6% in June, making it the fastest growing region for ransomware activity.
Reading June Correctly: The headline number tells a straightforward story: attacks are up, broadly and consistently, across regions that had shown mixed signals in prior months. The more useful story sits underneath it. Ransomware is not just growing, it is reorganizing at the leadership level, with a group that barely existed a year ago now setting the pace. GenAI risk has not spiked, but it has settled into a steady baseline that most organizations still have not built the right controls around. None of this points to a single fix. It points to the same conclusion every month like this one does, that a prevention first strategy across network, cloud, endpoint, and user activity is the only approach built to keep up with a landscape that keeps shifting shape.
The “Friendly Fire” proof-of-concept highlights a difficult reality in AI security: the very tools built to detect malicious code can be tricked into running it. Researchers got Claude Code and OpenAI Codex, in their autonomous modes, to execute a hidden malicious binary just by hiding instructions in an ordinary README file, no config-file trust prompt, no elevated access required, just a routine “run this security check” request.
Eljan Mahammadli, Head of AI Provenance, Polygraf AIhad this to say:
“The important part of AI Now’s Friendly Fire research is the weakness it exposes, rather than the specific binary or poisoned README the researchers used to demonstrate it. An AI coding agent has no reliable way to distinguish the text it reads from instructions it is supposed to follow. A model processes everything in its context window as one stream of tokens, so the operator’s request to review the code and a third-party repository’s README arrive carrying the same authority. Once the malicious instruction is in the context, nothing marks it as untrusted. This is why the same weakness keeps surfacing through different channels: a booby-trapped repository in Adversa’s TrustFall, a fake Sentry bug report in Tenet’s Agentjacking, and now an ordinary README file here. It also explains why a model update will not close it, because the problem is a property of how these systems handle language and not a defect that can be trained away. In provenance terms, this is a failure of attribution: the agent acts on text without any dependable sense of where it came from or whether that source should be trusted.
I would push back on reading this as an argument against using AI for defensive security work, and I say that as someone who builds AI security tooling for a living. The research does not condemn AI-assisted defense as a category. What it condemns is one configuration that happens to be common: an agent that reads untrusted data, can run arbitrary commands, and can reach the developer’s credentials and host, all in the same process, with a safety classifier as the only thing standing between those capabilities. When those powers sit together, a single injected instruction is enough to turn the agent against its operator. When they are separated, most of the attack stops working. The durable control has to live in the runtime around the model. It should inspect what a tool or file hands the agent and refuse to let externally sourced text escalate into command execution. Sandboxing helps, but it is not sufficient on its own; Claude Code’s own sandbox had an escape vulnerability disclosed this year (CVE-2026-39861).
The detail worth sitting with is that some of the newer, more capable models actually detected the mismatch, recognizing that the binary did not correspond to the source it was supposed to come from, and then ran it anyway. The common assumption is that a more capable agent is a safer one. This research suggests a more capable and more compliant agent can simply be a more effective executor of whatever instruction reaches it, an attacker’s included. Capability without a trustworthy sense of source does not amount to defense. Governments and vendors are now moving quickly to place these agents inside security workflows and critical infrastructure, well ahead of any real solution to the weakness this work documents. Before we ask an agent to guard code we do not control, we should be honest that it still cannot answer a simple question about the text in front of it: who wrote this, and should I trust them?”
Again, I get to say that this highlights the fact that:
AI needs to have human supervision.
Security needs to take into account AI in order to be effective.
Otherwise, you can guarantee that bad things will happen to organizations that don’t take both of those items into account.
Posted in Commentary with tags ESET on July 9, 2026 by itnerd
ESET Research has released its H1 2026 Threat Report, which summarizes threat landscape trends seen in ESET telemetry, as well as insights from ESET threat detection and research experts, from December 2025 through May 2026. The first half of 2026 shows how attackers continue to improve the efficiency and scalability of their operations. Artificial intelligence (AI) is playing a growing role in this development. ESET analyzed nearly 900,000 AI skills – small functional components used by AI agents – and identified tens of thousands of suspicious and thousands of outright malicious instances. AI is also beginning to appear within malware itself: ESET researchers have identified PromptSpy, the first known Android malware to use generative AI in its execution flow.
AI skills are small add-ons or sets of instructions that instruct an AI agent how to perform a specific task, including which services or tools to use and what data to access. The published report covers details about malicious AI skills using third-party hacking tools such as Mimikatz or Impacket and a suspicious self-modifying skills designed to create a persistence mechanism (JSON file) and a tool for self-modification (Python code). This can lead to unpredictable behavior of the agent or its abuse by an attacker. And finally, there are benign but problematic skills such as those marketed as security scanners, which create a false sense of security but implement only basic scanning techniques – like AV tools from the 1990s – or simply query the reputation of hashes, URLs, and IP addresses on VirusTotal.
Meanwhile, ClickFix – a social engineering technique leveraging fake error messages – has expanded beyond fake CAPTCHA prompts into AI-themed help pages, browser extensions, and cloud authentication scenarios. AI-fix shows how adversaries exploit trust in generative AI, embedding ClickFix compromise chains into AI-generated troubleshooting content to nonexistent issues on pages that abuse domains of AI powerhouses. ConsentFix highlights an evolution toward token theft, combining ClickFix-style interaction with OAuth authorization abuse to hijack cloud accounts without the need to steal credentials, often bypassing MFA and relying entirely on legitimate login workflows. ESET detections of this vector more than doubled between H2 2025 and H1 2026, indicating sustained activity and adaptation.
Phishing campaigns are also evolving in response to user behavior. QR code phishing – also known as quishing – has reached record levels in ESET telemetry, with attackers embedding malicious links in QR codes to bypass inspection and shift user interaction to mobile devices while exploiting the implicit trust many people place in the barcodes with square patterns. Approximately 11% of all detected phishing emails in H1 2026 utilized QR codes, and QR code phishing threats were most prevalent in the US (19% of detections), Spain (17%), and Mexico (6%).
Last but not least, ransomware activity showed no signs of slowing down, with the continued use of EDR killers – tools designed to disable security software during attacks. ESET Research has documented over 100 different EDR killers used in the wild, with new variants appearing regularly. The number of ransomware attacks continued to grow in H1 2026, but the number of victims willing to pay reached all-time lows. Three recent industry reports confirmed this downward trend, reporting a 14–28% share of paying victims.
Comparitech researchers have published a new study looking at ransomware attacks against the healthcare sector in H1 2026.
According to the findings, during the first six months of 2026, the healthcare sector suffered an average of 2.3 ransomware attacks per day. Attacks increased by nearly 14 percent when compared to H2 2025, rising from 360 to 410.
Rebecca Moody, Head of Data Research at Comparitech, provided the following comment:
“As ransomware attacks remain at a consistently high level, the healthcare sector is no exception. Here, attacks continue to increase, particularly among healthcare businesses (e.g. pharmaceutical manufacturers, drug wholesalers, and medical billing providers). This means healthcare providers (those offering direct care) continue to face the threat of attacks within their own systems and within the systems of the third parties they entrust to carry out various services.
The March 2026 attack on the University of Mississippi Medical Center, which caused two weeks of disruptions, serves as a stark reminder of the devastating impact system encryption can have on healthcare providers. Meanwhile, attacks on third parties, like Unimed in Germany, demonstrate the far-reaching consequences of data theft following these attacks. In Unimed’s case, numerous clinics and hospitals were impacted, with the breach figure growing into the hundreds of thousands.”
Meta has launched its own AI image model integrated into the Instagram app. Now Meta and Instagram in the same sentence should send chills down your spine as the trust level of these two has to be zero. And you’d be right. As it stands by default, anyone can use your profile photo and posts as prompts for generative images.
Whisky, Tango, Foxtrot.
I strongly recommend users flip two settings to off to avoid what is guaranteed to be a privacy nightmare. Inside the Instagram app, tap your photo bottom-right then the hamburger menu icon top-right. Scroll down to Sharing and Reuse. There’s a section headed “Allow people to create with and reuse your content.” There are separate toggles for Posts and Reels, and you’ll want to flip both of them off.
The fact that these settings are buried deep within the Instagram app, and are opt out rather than being opt in is very problematic to say the least. But that is how Meta rolls. They want to grab as much data of yours in order to find a way to make a buck or two off of it. Assuming that they can’t leverage it themselves to advance their rather twisted needs and desires. My advice is to simply skip Meta products entirely like my wife and I have. But if you must use them for whatever reason, you have one more privacy item to keep in your tool belt.
According to Sophos researchers, AI coding agents, such as Claude Code, Cursor, Codex and others are activating attack detection rules written to catch human intruders, but in reality they are not malicious. From the perspective of an endpoint behavioral engine, some of that activity is indistinguishable from typical activity seen on customer networks – or, in some cases, from actions that might be undertaken by an active adversary.
Scott Miserendino, Chief Technology Officer at DataBee, A Comcast Company, provided the following comments:
“This is not surprising at all and we will likely see many more examples in the future. Endpoint detection and response vendors, such as Sophos, however, are accustomed to dealing with software that can act like an attacker. They have multiple techniques for tracking and whitelisting the combination of the process creator and behavior to reduce false positives from legitimate behavior. The question is how aggressively the EDR community is keeping up and maintaining these rules and detection tweaks to achieve acceptable false positive rates. One potential beneficial side-effect of identifying these subtle behavioral patterns of AI agents is it provides a signal of AI use even when users (or attackers) may be trying to obfuscate the use of AI to avoid policy enforcement.”
AI has to be a central part of your security strategy. Simply put, the days of AI living in a silo is over and modern security has to reflect that. Or else.
Digital ecosystems have hit a critical tipping point. As automated and AI-enhanced cyberattacks scale up globally, the gap between organizational preparedness and threat sophistication is widening at an alarming rate.
85% of technology and security experts believe that the pace of cyber threat evolution will fundamentally outstrip enterprise defensive capabilities over the coming year. Compounding the crisis, one in five organizations located in Poland admits to experiencing a confirmed cyber incident within the past 12 months, with ransomware and phishing remaining the most destructive vectors. According to ESET, Poland ranked first globally in terms of the number of detected ransomware attacks, accounting for 6% of all reported incidents worldwide and surpassing even the United States.
These are the benchmark findings from the Contemporary Cybersecurity Landscape2026 Report, published by Xopero Software. The study analyzes how European organizations are responding to an increasingly hostile threat landscape.
The Escalation Curve: 88% Expect Attack Surges in 2026
The scale of modern cyber risk is no longer a forward-looking prediction – it is actively disrupting operational stability across Europe. According to the study:
88% of respondents expect the volume of cyberattack attempts to escalate further throughout 2026.
One in five organizations (20%) reports having already experienced a confirmed cyber incident within the past 12 months.
When evaluating the vectors causing the most severe business disruption and financial liquidation, experts point squarely to ransomware (83%) and phishing (71%).
The Illusion of Security: The Resilience Gap
Despite years of increasing awareness, actual organizational cyber resilience remains deeply fragile. The report reveals a disconnect between recognized risks and active defense:
Only 29% of surveyed organizations rate their cyber resilience as high or very high. The vast majority (71%) describe it as “average” or “low.”
66% of experts predict a steadily widening gap between escalating threat levels and internal security capabilities, while an additional 19% believe cyber threats will completely outpace corporate preparedness. Together, this leaves 85% of leaders holding a deeply pessimistic outlook on corporate cyber resilience for the year ahead.
Despite these vulnerabilities, corporate responses remain conservative – 52% of organizations do not plan to increase their cybersecurity spending, and 64% operate entirely without cyber insurance.
The AI Skepticism Paradox
While Artificial Intelligence dominates global technology narratives, the report exposes a distrust of AI within frontline security operations. Only one in five organizations (20%) currently utilizes AI in their IT and security workflows.
The primary barrier is a lack of institutional trust: 40% of security specialists explicitly distrust AI-based solutions, citing concerns that the technology is unreliable, highly vulnerable to adversarial manipulation, or a source of entirely new threat vectors. Another 30% remain undecided, waiting for proven industry standards to emerge.
Legacy Mindsets in a Next-Gen Threat Environment
The report exposes a reliance on legacy defensive models. Cybercriminals are operating with corporate-level efficiency, yet corporate defenses remain heavily siloed and piecemeal:
55% of companies do not use threat intelligence to support proactive protection.
51% of respondents rely solely on traditional antivirus software for threat detection and response.
50% do not automate incident response processes, for example, through SOAR (Security Orchestration, Automation, and Response) platforms.
Every second company (50%) lacks both a Business Continuity Plan (BCP) and an Incident Response Plan (IRP).
The Contemporary Cybersecurity Landscape 2026 Report was conducted via a comprehensive survey of 420 IT decision-makers, CISOs, and security experts representing critical sectors in Central Europe (Poland). Data is presented in aggregate percentage formats to ensure absolute anonymity regarding sensitive infrastructure vulnerabilities.
CloudSEK today announced a partnership with Tech Mahindra a leading global provider of technology consulting and digital solutions to enterprises across industries.
The partnership will deliver AI-driven threat intelligence, attack surface monitoring, AI attack surface monitoring, and digital risk protection solutions globally.
Evolving cybersecurity regulations are driving enterprises to strengthen risk visibility, accelerate incident response, and enhance compliance readiness.
Regulatory and national cybersecurity frameworks such as NIS2 and DORA in Europe, CERT-In mandates, CIRCIA and SEC cyber-disclosure rules in the US, DPDP Act in India, and similar initiatives across the Middle East are increasing expectations around continuous monitoring, third-party risk oversight, and timely breach detection and reporting.
In response, organizations are rapidly adopting intelligence-led, real-time cybersecurity approaches that enable proactive risk identification, faster decision-making, and improved resilience, making integrated, AI-driven threat intelligence and digital risk protection capabilities essential to meeting both security and compliance objectives.
By combining CloudSEK’s AI-native predictive cyber intelligence platform with Tech Mahindra’s global cybersecurity services capabilities, the partnership offers a faster and more operationally scalable approach to regulatory compliance. CloudSEK’s ability to continuously monitor external and AI-driven attack surfaces, correlate threats, and identify real attack paths enables early risk detection and prioritization. Integrated with Tech Mahindra’s advisory, implementation, and managed security services, this enables enterprises to accelerate compliance execution, reduce response timelines, and operationalize regulatory requirements more efficiently across complex and dynamic digital environments.
The partnership is focused on enabling telcos and large enterprises across industries worldwide to respond to rapidly tightening cybersecurity regulations that demand immediate action. By combining CloudSEK’s AI-driven predictive threat intelligence with Tech Mahindra’s global delivery and managed security capabilities, the collaboration provides a scalable, real-time solution to help enterprises act now reducing compliance risk, improving response speed, and strengthening resilience across critical digital infrastructures.
EU unveils AI cybersecurity action plan to build on Cyber Resilience Act
Posted in Commentary with tags EU on July 9, 2026 by itnerdThe European Commission unveiled an Action Plan on Cybersecurity and Artificial Intelligence aimed at helping Member States, public authorities, and industry address cyber risks associated with advanced AI systems.
The plan includes measures to expand AI-assisted vulnerability detection, establish an EU capability to evaluate advanced AI models, and develop secure testing environments for AI systems. It builds on existing legislation, including the Cyber Resilience Act, the AI Act, and NIS2.
The Commission said the initiative will support the secure development and deployment of AI by strengthening collaboration between governments, industry, and the cybersecurity community. Planned actions include coordinated vulnerability disclosure, AI-powered cyber defense capabilities, and guidance for organizations deploying AI in critical sectors.
The plan’s press release can be found here: New EU plan to address the risks and opportunities of advanced AI for cybersecurity – European Commission
Steven Swift, Managing Director, Suzu Labs provided this comment:
“The problem with locking new frontier models behind a governmental pre-release screening, is that it gives governments a mechanism to require frontier labs to modify their models in ways that aligns with political preferences, such as selecting which version of the truth they want models to present. While at the same time being able to claim “for better security” as the official reason to gate the release at all.
“The other problem with it, is that there isn’t really a difference between the offensive and defensive capabilities of a model. Even if screening focus is narrowly focused on cybersecurity capabilities, actively lowering a model’s offensive capabilities directly impacts its ability to perform defensive work. Especially defensive verification, which is critical. Models will hallucinate unpredictably. It is absolutely essential that agentic systems be capable of building tests to verify the validity of results to ensure that hallucinations aren’t present.
“This makes frontier models more insecure, and makes their use less safe. Despite the entire point of cybersecurity review process to be the opposite.
“If we are going to gate frontier models behind an approval process, it is absolutely critical that the structured access programs actually function effectively to get legitimate security professionals, and developers access to sensitive unrestricted models, so that appropriate verification and testing can be performed on their own systems.”
Seemant Sehgal, Founder & CEO, BreachLock has this comment:
“The EU is right to treat this as an infrastructure problem, not a software problem. AI embedded in critical sectors carries the same risk profile as power grids and financial rails in that a failure isn’t an inconvenience, but a systemic event.
“The window to set baseline security expectations before widespread deployment is already closing. What makes this harder than traditional infrastructure is that AI systems don’t stay static after deployment. The testing frameworks have to keep pace with that. The real question is whether coordinated disclosure and continuously updated validation environments can be stood up before adversaries finish mapping what Europe has already put in place.”
Doc McConnell, Head of Policy and Compliance, Finite State adds this:
“This action plan presents what the EU sees as an ideal ecosystem to support safe, responsible, and innovative development and utilization of AI across the Union. That vision is ambitious, including a stronger system of third-party AI evaluators, sovereign AI capacity, multi-state workforce training, and secure testing platforms. These will require significant investment, international coordination, and development of new technology. And as the EU works to achieve these goals, existing frontier labs will continue to innovate, and new open-weight models may emerge.
“The specificity of this action plan stands in contrast to the U.S. policy on AI security, as laid out in the June 2026 Executive Order Promoting Advanced Artificial Intelligence Innovation and Security. Although the goals are similar, including protection of critical infrastructure, early government access to cybersecurity tools, and the promotion of innovation, the U.S. approach is much more open-ended.
“I expect that neither approach will fully meet this moment, and we will see national policies have to adapt along with the technology they are seeking to oversee. The action plan describes a promising future: one of “unprecedented opportunities to enhance cyber resilience.” That is the goal to keep in mind. Even as plans, priorities, and AI models change, we must all, individual technologists and commercial companies, as well as policymakers, make choices that prioritize AI as an enabler of better defense, greater resilience, and stronger international security.”
The US and other countries that are not in the EU should copy what the EU is doing as the EU has the right idea here. And other countries when all is said and done are on the wrong side of history.
Leave a comment »