Weekly Cybersecurity Digest [September, Week 2]

Posted on September 16, 2025

Dear Valued Clients,

Welcome to this week’s cybersecurity digest from Make Sense. Europe’s threat landscape continued to evolve sharply, with automotive giants acknowledging data theft, ransomware groups exploiting VPNs, and regulators tightening controls over critical infrastructure and encrypted communications. As phishing grows more AI-driven and compliance obligations expand under NIS2, our aim is to provide insights that strengthen your resilience and strategic readiness.

✅ Top Stories of the Week

i. France threatens to block crypto licence ‘passporting’ in EU regulatory fight

France’s AMF says it may challenge “passporting” that lets crypto firms licensed in one EU state operate across the bloc under MiCA. Alongside Italy’s Consob and Austria’s FMA, it wants ESMA to oversee major players, citing regulatory-arbitrage, investor-protection, and cybersecurity risks, setting up a clash over uniform enforcement. [Read more via Reuters]

ii. LNER warns customers to remain vigilant after personal data exposed in cyber attack

UK rail operator LNER alerted customers after a third-party supplier breach exposed contact details and journey histories. No bank data or passwords were accessed, and services continue as normal. The operator urges vigilance against phishing and social-engineering attempts while it investigates with experts and the supplier to strengthen controls. [Read more via IT Pro]

iii. Chat Control: EU to decide on requirement for tech firms to scan encrypted messages

EU ministers are weighing a proposal to compel platforms to scan messages, including encrypted chats, for CSAM. Denmark’s compromise revives a long-stalled plan, triggering warnings from privacy and security advocates that scanning could weaken end-to-end encryption and introduce new vulnerabilities, even as supporters argue stronger detection is needed to protect children. [Read more via Computer Weekly]

✅ Industry Trends & Insights

EU Enforces Tougher Rules Under NIS2, Holding Executives to Account

As of 14 September, the EU’s updated NIS2 directive is being strictly enforced. Organisations in energy, healthcare, transport, ICT, and waste management must now adopt stronger cyber controls including encryption, multifactor authentication, and supplier oversight. Crucially, executives can be held personally liable for compliance failures. The shift marks a new era of accountability at the board level. [Read more via Dig.watch]

AI Chatbots Helping Phishers Build Realistic Scams, Reuters Finds

A Reuters investigation has shown how attackers are exploiting widely available AI chatbots to craft highly convincing phishing messages. By mimicking charities and public institutions, these scams exploit human trust at scale. Security experts warn that as AI becomes cheaper and easier to access, European organisations must prepare for phishing that looks indistinguishable from legitimate communication. [Read more via Reuters]

✅ Regulatory & Policy Updates

Germany Enacts Stronger Protection for Critical Infrastructure

Germany approved a new framework strengthening cybersecurity requirements for operators of essential services. Organisations serving more than 500,000 people, such as those in energy, water, and health, must now implement resilience plans, assess vulnerabilities, and report incidents immediately. The move reflects Berlin’s commitment to fortifying critical systems against sabotage and state-backed threats. [Read more via Reuters]

VPN Industry Speaks Out Against EU’s “Chat Control” Bill

The VPN Trust Initiative has joined growing opposition to the EU’s controversial “Chat Control” proposal. Providers argue that forcing client-side scanning of encrypted communications would compromise privacy and create exploitable backdoors. They warn the regulation risks undermining Europe’s trusted encryption ecosystem and eroding consumer confidence. [Read more via TechRadar]

Cyber IQ Challenge + Proactive Security Hacks

Quick Quiz: Which European directive now holds senior executives personally accountable for cybersecurity compliance?

A) GDPR
B) MiCA
C) NIS2
D) EU Data Act

(Answer revealed below!)

Smart Security Moves of the Week:

  • Patch VPN Gateways Immediately: Akira ransomware is exploiting SonicWall flaws; urgent patching and monitoring are critical.
  • Reassess Board Accountability: With NIS2 enforcement, brief executives on personal liability and embed cyber KPIs into governance.
  • Combat AI-Enhanced Phishing: Deploy AI-driven anomaly detection, simulate attacks, and train employees in real-time scenarios.
  • Fortify Critical Infrastructure: Germany’s KRITIS law signals heightened expectations; review continuity and reporting procedures.
  • Stay Informed on EU Policy Shifts: Monitor Chat Control developments and adjust compliance roadmaps accordingly.

Answer: C) NIS2

✅ Conclusion

This week underscored how Europe’s cyber environment is tightening on both operational and regulatory fronts. From ransomware exploiting VPNs and AI-generated phishing to Germany’s critical infrastructure rules and NIS2 enforcement, organisations face growing pressure to adapt. Make Sense transforms these insights into actionable playbooks – helping enterprises secure continuity, meet compliance, and anticipate future risks.

Stay secure,

The Make Sense SRL Team & CyberTania