Privacy Daily Brief

NIS2 Compliance After BRICKSTORM and AG Gateway Exploits

Siena Novak
Privacy & Compliance Analyst
9 min read

Key Takeaways

  • Regulatory Update: Latest EU privacy, GDPR, and cybersecurity policy changes affecting organizations.
  • Compliance Requirements: Actionable steps for legal, IT, and security teams to maintain regulatory compliance.
  • Risk Mitigation: Key threats, enforcement actions, and best practices to protect sensitive data.
  • Practical Tools: Secure document anonymization and processing solutions at www.cyrolo.eu.

NIS2 compliance after BRICKSTORM and AG Gateway attacks: an EU operator’s playbook

In today’s Brussels briefing, national regulators compared notes on two fresh campaigns—the BRICKSTORM long‑term access operation flagged by U.S. authorities and the active command injection exploits against Array AG gateways reported by Japan’s CERT. The takeaway was blunt: NIS2 compliance is now inseparable from real‑time threat response across borders. If an adversary can burrow into critical infrastructure in North America or East Asia, the same tradecraft will probe Europe’s energy grids, finance backbones, hospitals and managed service providers next.


As an EU policy and cybersecurity reporter, I’ve spent the week interviewing a CISO at a continental bank, a hospital DPO in Lyon, and two national CSIRT leads. Their message matches the law: treat edge devices and remote access infrastructure as Tier‑1 risks, assume stealthy persistence, and prepare to deliver NIS2 incident notifications inside 24 hours—without leaking personal data or operational secrets while doing it.

What the latest intrusions signal for NIS2 compliance

BRICKSTORM is a campaign designed for quiet, durable footholds in operational networks. Blue teams describe “long-haul living‑off‑the‑land” techniques: abusing legitimate admin tools, staging in network appliances, and rotating infrastructure to evade routine security audits. In parallel, the AG gateway command injection activity is a classic reminder that internet‑facing appliances—SSL VPNs, load balancers, SD‑WAN and remote access gateways—remain prime initial access vectors when patches lag or hardening is inconsistent.

  • Persistence beats perimeter: Adversaries don’t need splashy malware if they can blend with standard admin behavior and survive reboots in appliances.
  • Supply chain exposure: Managed service providers and cross‑border vendors expand the blast radius—exactly the risk NIS2 elevates.
  • Rapid notification pressure: Under NIS2, essential and important entities must issue an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.

A CISO I interviewed warned that the hardest part is not detection—it’s evidence handling. “We can collect logs in minutes,” she said, “but scrubbing personal data and sensitive business information so our regulator can actually accept the report? That’s where hours disappear.” This is where disciplined workflows, automated redaction, and safe sharing channels become make‑or‑break for compliance.

GDPR vs NIS2: what changes for security leaders

Many executives still treat NIS2 as “GDPR for uptime.” That’s half‑true and dangerously incomplete. Here’s a crisp comparison to align legal, risk and SOC teams:

| Topic | GDPR | NIS2 |
|---|---|---|
| Core focus | Protection of personal data and privacy rights | Cybersecurity and resilience of essential/important services |
| Scope | Any controller/processor of EU personal data | Sector-based operators (energy, transport, health, finance, digital infra, MSPs, etc.) across the EU, including some non‑EU entities with EU operations |
| Incident trigger | Personal data breach | Any incident impacting service provision or security, or having significant impact (even if no PII is breached) |
| Reporting deadlines | Notify authority within 72 hours if risk to individuals | Early warning within 24h; incident notification within 72h; final report within 1 month |
| Supervision | Data protection authorities | National NIS authorities/CSIRTs with ENISA coordination |
| Fines | Up to €20M or 4% of global turnover | Essential: up to €10M or 2% of global turnover. Important: up to €7M or 1.4% |
| Security measures | Appropriate technical and organizational measures | Risk management measures including incident handling, supply chain security, encryption, MFA, vulnerability disclosure programs |
| Third‑country transfers | Strict rules (adequacy, SCCs) | Not transfer‑centric; focuses on operational resilience and cross‑border cooperation |

Bottom line: you can be fully GDPR‑compliant on personal data and still fall foul of NIS2 for failing to harden remote access appliances, monitor MSP connections, or notify on time.


NIS2 compliance checklist for 2025

  • Map exposure: Inventory all edge devices (VPNs, gateways, load balancers) and confirm firmware levels and configuration baselines.
  • Patch and harden: Enforce MFA on remote access, disable unused services, rotate keys/certs, restrict management plane access.
  • Supply chain controls: Require MSPs and vendors to attest to timely patching and to segregate customer environments.
  • Detection playbooks: Create BRICKSTORM‑style “persistence hunts” for living‑off‑the‑land activity in appliances and Windows/Linux endpoints.
  • Reporting workflow: Pre‑build templates for the 24h early warning, 72h notification, and 1‑month final report.
  • Evidence hygiene: Automate redaction of personal data and secrets in logs, tickets, and screenshots before sharing.
  • Tabletop exercises: Run cross‑functional drills with Legal, DPO, PR, and SOC for appliance compromise and MSP breach scenarios.
  • Board oversight: Document risk acceptance and budget allocation; NIS2 expects accountability at the management level.

Secure evidence handling: anonymization and safe document uploads

During last month’s closed‑door roundtable in Brussels, one regulator noted that many late or incomplete NIS2 notifications trace back to “document chaos”—logs scattered across teams, reports bounced for privacy issues, and unsafe sharing via email. The fix is straightforward: define a single, secure pipeline for collecting, anonymizing, and sending evidence.

  • Sanitize first: Remove personal data, tokens, passwords, and internal hostnames before any external submission.
  • Use a secure drop: Centralize uploads in a platform that avoids shadow IT and ensures encryption in transit and at rest.
  • AI with guardrails: If you use AI to summarize logs or generate timelines, redaction must happen before prompts touch external systems.
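The "sanitize first" step above (and the "evidence hygiene" item in the checklist) can be put on rails with a small, auditable redaction pass over raw logs before anything leaves the SOC. The script below is an added example written for this article, not Cyrolo's product or any vendor's code; it assumes an internal hostname suffix of `.corp.example` and uses constructed log lines. Personal data (e‑mail addresses) and secrets (tokens, passwords) are removed outright, while hosts and IPs are replaced with salted, deterministic pseudonyms so the incident timeline stays correlatable for the regulator without exposing the real values.

```python
from __future__ import annotations
import hashlib
import re

# Per-incident salt (constructed): pseudonyms stay stable within one case file, unlinkable across cases.
INCIDENT_SALT = "case-2025-0512-example"
# Ordered: secrets first, so a later, broader pattern never rewrites part of a token.
# The .corp.example internal-domain suffix is an assumption for this example.
PATTERNS = [
    ("token", re.compile(r"(?i)\b(bearer|token|api[_-]?key|\w*secret)([=: ]+)\S+")),
    ("password", re.compile(r"(?i)\b(password|passwd|pwd)([=:]+)\S+")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("host", re.compile(r"\b[a-z0-9-]+\.corp\.example\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
def pseudonym(kind: str, value: str, salt: str) -> str:
    # Deterministic label so the same host/IP stays correlatable across the timeline.
    return f"<{kind}-{hashlib.sha256(f'{salt}:{value}'.encode()).hexdigest()[:6]}>"
def redact_line(line: str, salt: str = INCIDENT_SALT) -> tuple[str, dict[str, int]]:
    """Return the sanitized line plus a per-category count of what was removed."""
    counts: dict[str, int] = {}
    for kind, pattern in PATTERNS:
        def repl(m, kind=kind):
            counts[kind] = counts.get(kind, 0) + 1
            if kind in ("host", "ipv4"):        # pseudonymize, keep linkability
                return pseudonym(kind, m.group(0), salt)
            if kind in ("token", "password"):   # keep the key name, drop the value
                return f"{m.group(1)}{m.group(2)}<{kind.upper()}>"
            return "<EMAIL>"                    # personal data: remove outright
        line = pattern.sub(repl, line)
    return line, counts
def redact_lines(lines: list[str], salt: str = INCIDENT_SALT) -> tuple[list[str], dict[str, int]]:
    """Redact a whole evidence file and total the findings for the case notes."""
    redacted, totals = [], {}
    for line in lines:
        out, counts = redact_line(line, salt)
        redacted.append(out)
        for kind, n in counts.items():
            totals[kind] = totals.get(kind, 0) + n
    return redacted, totals
SAMPLE_LOG = [  # constructed sample lines, not from any real incident
    "2025-05-12T09:14:03Z vpn-gw01.corp.example sshd: login user=alice.martin@hospital-lyon.example from 10.20.30.40",
    "2025-05-12T09:14:09Z vpn-gw01.corp.example httpd: GET /admin Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln from 10.20.30.40",
    "2025-05-12T09:15:41Z mgmt-01.corp.example api: api_key=AKIA_EXAMPLE_KEY_1234 password=Hunter2! client=198.51.100.7",
]

if __name__ == "__main__":
    lines, totals = redact_lines(SAMPLE_LOG)
    print(*lines, totals, sep="\n")
```

The per-category totals give Legal a one-line statement of what was removed from the attachment, and the salt can be kept with the case file so later submissions on the same incident use the same pseudonyms.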

Professionals avoid risk by using Cyrolo’s anonymizer at www.cyrolo.eu. With a few clicks, you can scrub PDFs, DOCs, images, and raw logs, then produce regulator‑ready attachments. Try our secure document upload at www.cyrolo.eu — no sensitive data leaks.

Compliance reminder: When uploading documents to LLMs like ChatGPT or others, never include confidential or sensitive data. The best practice is to use www.cyrolo.eu — a secure platform where PDF, DOC, JPG, and other files can be safely uploaded.

From detection to the 72‑hour mark: an operational timeline

Hour 0–6: Confirm and contain

  • Identify compromised gateway or appliance; isolate management interface; revoke credentials and tokens.
  • Capture volatile data and appliance configs; take hashed images where possible.
  • Initiate internal incident severity classification under NIS2 criteria.

Hour 6–24: Notify early and sanitize evidence

  • Issue the 24‑hour early warning to the national authority/CSIRT with facts, suspected vectors, and potential cross‑border impact.
  • Run automated redaction over attachments to remove personal data and trade secrets before transmission.
  • Engage vendor/MSP security contacts; obtain patch/mitigation timelines.

Hour 24–72: Deep dive and update

  • Hunt for persistence (scheduled tasks, service abuse, appliance‑level hooks); rotate keys and certificates.
  • Submit the 72‑hour incident notification with indicators of compromise, initial root cause, and service impact details.
  • Start drafting the one‑month final report outline to avoid a scramble later.

To compress these cycles safely, many teams standardize evidence packaging with a trusted tool. That reduces legal review churn and protects data protection obligations while meeting NIS2’s speed demands. For streamlined redaction and controlled sharing, handle document uploads and anonymized exports through www.cyrolo.eu.

Budget and accountability: what boards need to hear

NIS2 elevates management liability. Regulators can require leadership training, and fines for essential entities can reach €10 million or 2% of worldwide turnover. Meanwhile, European breach costs routinely run into the millions once you include downtime, remediation, legal and customer support. The unintended consequence we’re seeing: organizations overspend on shiny detection and underspend on response hygiene—particularly evidence handling, supplier access governance, and regulator‑grade reporting.

Two pragmatic asks for the next budget cycle:

  • Edge security line item: Dedicated funding to replace or patch unsupported gateways, enforce MFA, and restrict admin access.
  • Compliance throughput tooling: Allocate a modest, high‑ROI budget for automated anonymization and secure evidence routing so Legal and SOC move faster together.

As one hospital CTO told me, “We shaved 36 hours off our last notification simply by standardizing redaction and submission. That saved our weekend—and possibly a fine.”

FAQ: quick answers for security, legal and compliance teams

What is NIS2 compliance in plain terms?

It means implementing risk‑based cybersecurity controls, monitoring suppliers, and reporting significant incidents on a 24h/72h/1‑month timeline. It applies to “essential” and “important” entities across sectors like energy, health, finance, transport, digital infrastructure, and managed services.


Do non‑EU vendors serving EU customers fall under NIS2?

Yes, if they provide covered services in the EU or are part of an EU operator’s supply chain. Even when a vendor is outside the EU, your organization remains accountable for supplier risk management and timely incident notification under NIS2.

What must be included in the first 24‑hour early warning?

Basic facts: that an incident occurred, suspected cause/vector (e.g., gateway command injection), potential cross‑border impact, and immediate containment actions. Detailed forensics can follow in the 72‑hour update and final report.

How does anonymization help with GDPR and NIS2 at once?

By stripping personal data and sensitive business details from logs and attachments, you minimize privacy risks under GDPR while enabling fast NIS2 reporting. Automated redaction also reduces legal review time and the chance of privacy breaches during regulator submissions.

Is it safe to upload logs to ChatGPT for analysis?

Only if they’re fully sanitized and organizational policy allows it. When uploading documents to LLMs like ChatGPT or others, never include confidential or sensitive data. The best practice is to use www.cyrolo.eu — a secure platform where PDF, DOC, JPG, and other files can be safely uploaded.

EU vs US posture: convergence without harmonization

While the BRICKSTORM advisory landed in the U.S. and AG gateway exploits surfaced in Japan, the EU’s approach is distinct: NIS2 drives resilience and notification obligations across critical sectors, coordinated via ENISA and national CSIRTs. The U.S. leans on sectoral directives and voluntary frameworks, with binding rules ramping in select areas. For global groups, that means one detection stack but multiple reporting pipelines—and a premium on clean evidence that can be shared with different regulators without breaching privacy or trade secrets.

Conclusion: make NIS2 compliance your competitive advantage

The lesson from BRICKSTORM and the gateway exploits is clear: sophisticated adversaries will target your edges and your suppliers, then wait. Turning NIS2 compliance into a muscle—fast sanitization, disciplined reporting, hardened appliances—reduces fines, downtime, and brand damage. Put safe evidence handling on rails today: use www.cyrolo.eu for regulator‑ready anonymization and secure document uploads, and meet the next 24‑hour deadline with confidence.