Cybersecurity

18 briefs

FCDO ·

UK and EU designate 24 Russian cyber and information-operations targets under sanctions

UK financial institutions must screen and block the 24 newly designated Russian cyber and information-operations targets, freeze their UK assets, and avoid facilitating any ransomware payment to them

Bank of England ·

UK regulators begin overseeing four designated Critical Third Parties from 13 July 2026

Four designated technology providers (AWS, Google Cloud, Microsoft, Oracle) become Critical Third Parties under joint Bank of England, PRA and FCA oversight from 13 July 2026, with binding resilience and incident-communication obligations

SFC ·

SFC bans OTP login and mandates phishing-resistant authentication for internet brokers and VASPs by 8 July 2027

Internet brokers and SFC-licensed VASPs must stop using OTP for login and device binding and adopt phishing-resistant authentication (e.g. passkeys, bound devices) no later than 8 July 2027, with monitoring, incident-reporting and client-awareness measures required sooner

FINMA ·

FINMA issues quantum computing guidance, expecting institutions to plan quantum-safe migration

Swiss financial institutions must build quantum-safe migration into their operational-risk processes — roadmap, cryptographic inventory and crypto-agility — to keep meeting FINMA's resilience requirements

ESMA ·

ESMA launches Common Supervisory Action on CASPs' custody digital operational resilience

National Competent Authorities must assess authorised CASPs' custody digital resilience on a risk-based sample, producing findings for ESMA's consolidated supervisory report

JFSA ·

Japan's FSA asks financial institutions to take nine short-term cyber measures against the frontier-AI threat

Financial institutions in Japan should implement the FSA's nine short-term cyber measures against the frontier-AI threat, with direct senior-management involvement and a roughly one-month guideline

CISA ·

CISA issues BOD 26-04, replacing KEV remediation rules with risk-based timelines for federal civilian agencies

Federal civilian agency security teams must migrate from the prior KEV remediation regime to BOD 26-04's risk-based timelines, with policy updates due immediately and remediation timelines enforceable within 180 days

IFSCA ·

IFSCA imposes binding cyber controls on IFSC regulated entities for frontier-AI attack risks

IFSC regulated entities must adopt binding cyber controls against frontier-AI attack risks — including treating critical vulnerabilities as exploitable within hours, adding frontier AI as a defined risk-assessment scenario reviewed by the Board, maintaining an SBOM and API inventory, and imposing preparedness requirements on critical service providers — with immediate effect.

European Commission ·

EU amends vehicle OBD and repair-information access rules (Delegated Regulation 2026/699)

Vehicle manufacturers must implement the Appendix X procedures for secure, standardised OBD and RMI access (authentication, pseudonymised traceability, API provision, server availability and cybersecurity checks) so independent operators obtain non-discriminatory, machine-readable diagnostic and repair data