

This week’s cybersecurity developments touch on three areas that continue to shape the threat landscape: regulatory change at EU level, responsible disclosure activity in the automotive sector, and ongoing ransomware pressure on large retail organisations.
Individually, none of these are unexpected. Taken together, they reflect how cybersecurity is evolving in practice. Defenders are improving coordination and visibility, researchers are uncovering issues in increasingly complex systems, and attackers continue to focus on scale and leverage where it is most effective.
An interesting update this week came from the European Union, with proposed changes to the Cybersecurity Act.
The updates are aimed at streamlining compliance requirements and introducing additional certifications to support presumed compliance across member states. The intention appears to be reducing friction for organisations while maintaining consistent security baselines.
Of particular note is the proposed update to the role and responsibilities of ENISA. In practical terms, this moves ENISA closer to a central coordinating role, similar to that played by CISA in the United States.
Given the challenges CISA faced throughout 2025, particularly around funding and operational capacity, it is encouraging to see the EU taking steps to strengthen its own structures. Effective sharing of critical vulnerability information remains essential, not just within the EU but globally, especially as supply chains and digital services continue to cross borders.
The automotive edition of the Pwn2Own competition is currently underway, with participants already earning over $440,000 in rewards.
For those unfamiliar, Pwn2Own is a responsible disclosure initiative run by Trend Micro, where security researchers attempt to identify previously unknown vulnerabilities in real-world systems. In this case, the focus is on electric vehicles, infotainment platforms, and charging infrastructure.
As vehicles become more software-driven and connected, these systems present an expanding attack surface. Initiatives like Pwn2Own play an important role in identifying weaknesses before they are exploited maliciously.
Once the competition concludes, affected vendors will have a 90-day window to remediate identified vulnerabilities before details are made public. This approach continues to demonstrate how coordinated disclosure can improve security outcomes, particularly in environments where safety and reliability are critical.
On the incident side, there were several notable developments in the retail sector this week.
Under Armour has confirmed a breach involving the exposure of more than 72 million email addresses and other personal data. At the time of writing, full details have not yet been disclosed. Nike and McDonald’s India have not confirmed breaches, but ransomware groups are currently posting countdowns on leak sites, threatening to release data if ransoms are not paid.
This tactic has become increasingly common. Rather than focusing solely on system disruption, attackers are applying public pressure through data exposure timelines, particularly against high-profile, consumer-facing brands.
These incidents serve as a reminder that organisational size and brand recognition do not reduce risk. Without appropriate controls, monitoring, and response capabilities, even large and well-resourced organisations remain exposed.
This week reinforces several consistent themes. Regulatory bodies are working to improve coordination and reduce unnecessary complexity. Researchers continue to uncover vulnerabilities in emerging and increasingly connected technologies. Attackers remain focused on approaches that maximise leverage and visibility.
These are not isolated issues. They reflect longer-term shifts in how cyber risk manifests and how organisations need to respond. The challenge is not simply preventing incidents, but understanding where impact is most likely to occur and ensuring that controls, governance, and response capabilities are aligned accordingly.