CISO Watch, Week 22/2026 — Nx Console, NIS2 Deadline, Article 50 Transparency

Three threats or obligations for CISOs, 30 seconds to read, one protective measure per topic. Weekly guidance for Chief Information Security Officers — what should top your ticket list this week.

1. Nx Console Supply Chain Attack — Lessons for Your Engineering

In May 2026, version 18.95.0 of the popular VS Code extension Nx Console was compromised. Auto-update distributed the malicious code to thousands of developer machines within hours. Targets: GitHub tokens, npm credentials, SSH keys, cloud console cookies. Several large open-source projects had to halt their build pipelines.

Protective Measure: Conduct an inventory of all VS Code and JetBrains extensions per team role. For each extension, record the owner and approval date, and review it half-yearly. Add a clear auto-update policy (with a delay window for curated rollout). Editor extensions are an unvetted trust chain, and this will become a standard audit topic over the next 12 months.

→ KEDB #001 with task checklist
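
An added example, not part of the original newsletter: one way to check a workstation against the extension register described above. It reads the output of `code --list-extensions --show-versions` and flags extensions that are unapproved, have moved past the approved version, or are overdue for the half-yearly review. The register, extension IDs and sample output are constructed for illustration.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=183)  # half-yearly review, as in the measure above

# Constructed register: extension id -> owner, approval date, approved version.
REGISTER = {
    "example-pub.build-console": {
        "owner": "platform-team", "approved": date(2026, 3, 2), "version": "1.4.0"},
    "example-pub.yaml-tools": {
        "owner": "sre-team", "approved": date(2025, 9, 1), "version": "2.0.1"},
}

# Constructed sample of `code --list-extensions --show-versions` output.
INSTALLED = """\
example-pub.build-console@1.5.0
example-pub.yaml-tools@2.0.1
unknown-pub.theme-pack@0.9.3
"""

def parse_installed(text):
    """Parse `publisher.name@version` lines into {extension_id: version}."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, _, version = line.rpartition("@")
        if not ext_id:  # line had no '@': keep the id, version unknown
            ext_id, version = line, ""
        found[ext_id.lower()] = version  # extension ids are case-insensitive
    return found

def audit(installed_text, register, today):
    """Return (extension_id, finding, owner) tuples for every policy gap."""
    findings = []
    for ext_id, version in sorted(parse_installed(installed_text).items()):
        entry = register.get(ext_id)
        if entry is None:
            findings.append((ext_id, "unapproved", None))
            continue
        if version != entry["version"]:  # auto-update moved past the curated version
            findings.append((ext_id, "version-drift", entry["owner"]))
        if today - entry["approved"] > REVIEW_INTERVAL:
            findings.append((ext_id, "review-overdue", entry["owner"]))
    return findings

if __name__ == "__main__":
    for finding in audit(INSTALLED, REGISTER, date(2026, 5, 25)):
        print(*finding)
```

In practice the register would live in version control and the installed list would be collected per machine by endpoint management.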

2. NISG 2026 — Deadline 1 October, Registration by 31 December

In 18 weeks, the Austrian NISG 2026 comes into force. Affected companies must register with the cybersecurity authority within three months — deadline 31 December 2026. Cybersecurity becomes executive-level liability, with documented training obligations and active risk management.

Protective Measure: Use the WKÖ online advisor to clarify your own applicability. If applicable: appoint an NIS2 coordinator, inventory your supply chain, schedule board-level training. Verena Becker is the authoritative expert voice — her public presentations at tip-noe.at and WKÖ are free compliance preparation.

→ NIS2 Self-Check Tool Overview

3. Article 50 EU AI Act — Transparency Obligations Applicable from 2 August

In 10 weeks, the transparency obligations from Article 50 become fully applicable: chatbots must be marked as AI, generated content must be watermarked, deepfakes must be labeled as such. Penalties up to EUR 15 million or 3 percent of global group annual revenue.

Protective Measure: This summer, conduct three inventories in your organization — chatbot inventory, AI-generated content inventory, biometric sensor inventory. Each of these three categories has its own labeling obligation from August onwards. Start by ensuring all chatbots on customer-facing sites carry a clear “You are speaking with an AI” notice.

→ Detailed Editorial


Lumi CISO Watch, Week 22/2026. Pilot format — feedback anytime via the contact page. Research and first draft AI-assisted, editorial approval by Lumi-Systems.io. Marked in accordance with Art. 50 EU AI Act.
