Today's Focus: Cybersecurity, Data Security & Cloud Security
TODAY'S TOP STORY: DORA Enforcement Is Live — Half of EU Financial Firms Are Not Ready
The EU Digital Operational Resilience Act is no longer a compliance horizon — it is an active enforcement reality. As of May 2026, European Supervisory Authorities (ESAs) are conducting audits, cross-checking Registers of Information submissions, and issuing compulsion payments for persistent deficiencies. The first filing deadline passed in late March 2026, and organizations that missed it face immediate enforcement risk.
With only approximately 50% of in-scope EU financial entities assessed as fully compliant, the exposure is substantial. Penalties reach 2% of global annual turnover or €10 million per violation. Critical ICT third-party providers — including major cloud service providers — face up to €5 million plus 1% of average daily global turnover per non-compliant day. Italy has set a domestic ceiling of €20 million or 10% of annual turnover.
Act now: Verify your Register of Information has been submitted to your ESA. Audit your DORA Article 19 incident reporting workflows. Confirm contractual compliance with all ICT third-party providers.
ALSO TODAY
SEC Regulation S-P — Deadline in 9 Days (June 3, 2026)
The second and final compliance phase of the SEC's amended Regulation S-P takes effect June 3, 2026 for smaller registered investment advisers (under $1.5B AUM), broker-dealers, investment companies, transfer agents, and funding portals. Requirements: written incident response programme, 30-day customer breach notification, 72-hour service-provider breach reporting. The SEC Division of Examinations names Reg S-P as an explicit 2026 review priority.
EU Cyber Resilience Act — 109 Days to First Mandatory Obligation
Manufacturers of products with digital elements must have vulnerability and incident reporting workflows operational by September 11, 2026. Requirements: 24-hour early warnings and 72-hour full notifications for actively exploited vulnerabilities. Penalties reach €15 million or 2.5% of global annual turnover. Full application follows December 11, 2027.
FedRAMP 20x Phase 3 Goes Permanent
According to May 2026 reports, FedRAMP has made Phase 3 of its 20x initiative permanent, replacing legacy control checklists with Key Security Indicators (KSIs) and continuous monitoring. Cloud providers no longer need an agency sponsor to begin authorization. Authorization timelines for Low and Moderate impact levels are targeted to drop from more than 18 months to about 3 months.
CNIL Hits Iliad/Free with €42M in GDPR Fines
France's CNIL imposed €42 million in GDPR penalties on Iliad/Free in January 2026 (€27M on Free, €15M on Free Mobile) for failures in subscriber data security measures. Global regulators collectively issued approximately $542 million in data-related fines in Q1 2026.
ONE THING TO DO TODAY
Finalize your written incident response programme. If you are a smaller registered investment adviser, broker-dealer, or investment company, SEC Regulation S-P compliance is due in nine days. Document your service-provider breach notification chain and confirm the 30-day customer notification procedure is assigned and tested.
TOMORROW'S FOCUS: Privacy & Personal Data Protection
CyberEyeQ — Actionable Regulatory Intelligence