#CyberWeekly

Jan 19 - Jan 25, 2026

EU proposes revised Cybersecurity Act to secure supply chains

January 20: The European Commission proposed a sweeping revision of the EU Cybersecurity Act, targeting ICT supply chain security and simplifying compliance for businesses across Europe. The package includes NIS2 amendments that will ease compliance for 28,700 companies — including 6,200 micro and small-sized enterprises.

What's changing:

  • ICT supply chain security framework — a risk-based approach to identify and mitigate vulnerabilities across critical sectors
  • Mandatory telecom de-risking — European mobile networks must remove high-risk third-country suppliers (building on the 5G security toolbox)
  • Simplified NIS2 compliance — clearer jurisdictional rules, streamlined ransomware reporting, and a unified incident reporting portal
  • Voluntary certification — businesses can certify products, services, and security posture through a renewed European Cybersecurity Certification Framework
  • Stronger ENISA — the EU cybersecurity agency gains coordination powers, will pilot a Cybersecurity Skills Academy, and will help companies recover from ransomware attacks

For Belgian SMEs, this is good news. The Commission explicitly acknowledged that regulatory complexity is a burden, especially the overlap between the Cybersecurity Act, NIS2, the Cyber Resilience Act, and GDPR. These changes aim to reduce duplication and make compliance more achievable. If you're subject to NIS2 requirements, the path just got a bit clearer. One caveat: this is a Commission proposal, and nothing changes until the European Parliament and the Council adopt it, so your current NIS2 obligations stand in the meantime.

Full coverage of the revised Act →

Platform Spotlight: 50 Learn articles go live

50 articles, 3 languages, zero excuses — your cybersecurity knowledge base is ready

Big week for the platform. We published 50 articles across the Learn section — covering NIS2, CyberFundamentals, security basics, practical guides, and industry-specific advice. Every article is available in English, Dutch, and French.

Every article includes hero images, breadcrumbs for navigation, and cross-language links. All images were converted to WebP — loading 93% faster than the originals. Whether you're starting your first 30 days of compliance or evaluating the cost of doing nothing, there's an article for you.

Explore the Learn section →

LastPass customers targeted by phishing campaign stealing master passwords

Phishing for master passwords — one click away from losing everything

January 19: A phishing campaign launched over the US holiday weekend targeted LastPass users with fake maintenance emails, trying to steal their master passwords. The attackers sent emails from spoofed addresses claiming LastPass was about to perform maintenance, urging users to "backup their vault" within 24 hours.

How it worked:

  • Urgency trap — emails warned of a 24-hour deadline, a classic social engineering tactic
  • Fake backup link — clicked through an AWS-hosted redirect to a convincing fake login page at "mail-lastpass[.]com"
  • Holiday timing — launched over a long weekend to exploit reduced security staffing
  • Second wave — after LastPass disrupted the first infrastructure, attackers sent new emails with updated links and registered additional impersonation domains

LastPass confirmed: "We will never ask for your master password or demand immediate action under a tight deadline." This is a reminder that phishing attacks don't just target email; they target the tools we trust most. If you use a password manager (and you should), make sure your team knows how to spot fake emails: check that the sender domain and every link domain are the vendor's real domain rather than a lookalike, and treat any deadline as a red flag. Better yet, enable two-factor authentication on your vault, so a stolen master password alone isn't enough. A hardware security key is the stronger choice, because a one-time code typed into a fake page can simply be relayed to the real site.
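A small triage script for the indicators listed above, written as an added example for this issue (it is not LastPass's tooling or code from the advisory). It assumes the vendor only mails from lastpass.com. The two messages are constructed: the impersonation domain is the one named in the write-up, and every other address, host, and URL in them is made up.

```python
"""Triage an email for the phishing indicators seen in the LastPass campaign.

Added example, not LastPass's own tooling. TRUSTED_DOMAINS is an assumption
for the example; the sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "lastpass"
TRUSTED_DOMAINS = {"lastpass.com"}  # assumption: the only domain the vendor mails from

# Deadline or pressure phrasing typical of the "act within 24 hours" lure.
URGENCY = re.compile(
    r"\b(?:within\s+\d+\s*hours?|immediately|urgent(?:ly)?|final\s+notice|suspended)\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com/.net in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host: str) -> bool:
    return registrable_domain(host) in TRUSTED_DOMAINS


def is_lookalike(host: str) -> bool:
    """Host names the brand but is not (a subdomain of) a trusted domain."""
    return BRAND in host.lower() and not is_trusted(host)


def triage(raw: str) -> dict:
    """Return findings (kind, detail, weight) and a verdict for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Visible sender: lookalike domain, or brand name on an unrelated domain.
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    if is_lookalike(from_dom):
        findings.append(("lookalike sender domain", from_dom, 3))
    elif BRAND in name.lower() and from_dom and not is_trusted(from_dom):
        findings.append(("brand in display name, untrusted sender domain", from_dom, 3))

    # Envelope sender that does not match the visible From: header.
    rp = msg.get("Return-Path")
    if rp:
        rp_dom = parseaddr(str(rp))[1].rpartition("@")[2].lower()
        if rp_dom and registrable_domain(rp_dom) != registrable_domain(from_dom):
            findings.append(("Return-Path domain differs from From", rp_dom, 1))

    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    phrases = sorted({m.lower() for m in URGENCY.findall(text)})
    if phrases:
        findings.append(("urgency language", ", ".join(phrases), 1))

    # Every link must point at the vendor's real domain; redirectors count as untrusted.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host and not is_trusted(host):
            kind = "lookalike link host" if is_lookalike(host) else "link to untrusted host"
            findings.append((kind, host, 2))

    score = sum(w for _, _, w in findings)
    verdict = "phishing" if score >= 3 else "suspicious" if score else "clean"
    return {"verdict": verdict, "score": score, "findings": findings}


# Constructed sample modelled on the lure described in the write-up.
SAMPLE_PHISH = """\
From: LastPass Support <support@mail-lastpass.com>
Return-Path: <bounce@mx-relay.example.net>
Subject: Scheduled maintenance - back up your vault within 24 hours
Content-Type: text/plain; charset=utf-8

Dear customer,

We will perform maintenance shortly. Back up your vault within 24 hours or
you may lose access: https://files.example-aws-bucket.net/backup?next=vault
"""

# Constructed sample of a benign notification from the real domain.
SAMPLE_LEGIT = """\
From: LastPass <noreply@lastpass.com>
Return-Path: <bounce@lastpass.com>
Subject: Your monthly security report is ready
Content-Type: text/plain; charset=utf-8

Hello,

View your report at https://lastpass.com/security-report
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(sample)
        print(label, result["verdict"], result["score"])
        for kind, detail, weight in result["findings"]:
            print(f"  [{weight}] {kind}: {detail}")
```

The domain check is the one that matters: a lookalike such as mail-lastpass.com fails it even when the display name, logo, and wording are perfect, and a link through a hosting redirector fails it too. The urgency match is only a supporting signal, which is why it carries the lowest weight.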

LastPass official advisory →

Clop's Oracle zero-day rampage hits 100+ organizations worldwide

The Clop ransomware gang exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882) to steal data from over 100 organizations — including Dartmouth College, Harvard, The Washington Post, Logitech, and American Airlines subsidiary Envoy Air.

What makes this attack particularly dangerous:

  • Zero-day, zero blame — the vulnerability was unknown to Oracle when attacks began in August 2025. No employee clicked a bad link, no password was compromised
  • 226GB stolen from Dartmouth alone — Social Security numbers, bank account info, and personal data of 40,000+ people exposed
  • Extortion without encryption — Clop didn't encrypt anything. They stole data, waited, then threatened to publish unless paid. This "exfiltration-only" model has become Clop's standard playbook and is increasingly common across the ransomware ecosystem
  • $10M bounty — the US Department of State now offers up to $10 million for information linking Clop's attacks to a foreign government

This is third-party risk in textbook form: the victims were breached through a vendor's software, not through their own code. Your organization may never use Oracle EBS directly, but your suppliers, partners, and vendors might, and your data sits in their systems. The lesson: you can do everything right and still be breached through software you depend on. That's why ransomware preparedness isn't just about your own systems; it's about understanding what your entire supply chain runs on. If you do run EBS yourself, Oracle has since issued an emergency patch for CVE-2025-61882; apply it, and confirm the application is not directly reachable from the internet.

Full breach analysis →

easycyberprotection.com