DORA: In force 17 Jan 2025 — Active enforcement: on-site ICT risk inspections and third-party oversight reviews underway (ESAs, 2026)
NIS2: First audits due 30 Jun 2026 — Q1 2026 penalties issued in EU; 14 of 27 EU states now transposed; EU Digital Omnibus trilogue scheduled 28 Apr 2026 — proposes deadline extensions and compliance simplifications for 28,700 companies; Ireland NIS2 Bill H1 2026 amid EC infringement proceedings (Skadden/EC, Apr 2026)
EU AI Act: High-risk AI obligations deadline 2 Aug 2026 — EU Digital Omnibus proposes delay to Dec 2027; CRA vulnerability reporting starts 11 Sep 2026 (EC/Hogan Lovells, Apr 2026)
Global Breach Cost: $4.44M average — 241 days to detect & contain; AI-augmented attack surface expanding (IBM/Ponemon, 2026)
CISO Personal Liability: NIS2 Art. 20 + SEC/DOJ precedent — Director accountability now statutory in EU (2025–2026)
Ransomware: Q1 2026: 2,165 victims (+18.5% annualised); March 2026: 808 victims; week 11–17 Apr: 185 incidents — Apr 13 saw 46 new victims in 24 hours; Qilin/DragonForce drive 21% of weekly volume; 7,500+ on leak sites 2025 (+58% YoY); attacks 4× faster; 80% AI-enabled; 87.6% double extortion (BlackFog/BreachSense/Unit42/Emsisoft/Ransom-DB, Apr 2026)
Geopolitical CNI: CISA AA26-097a (7 Apr 2026) — Iranian-affiliated APT targeting internet-exposed PLCs in US water/wastewater and CNI sectors; 75+ Unitronics HMI devices compromised. Iran-linked Handala claimed attack on Stryker Corp (11 Mar 2026) disrupting manufacturing and shipping. Volt Typhoon maintains 5+ yr persistence across US energy/water/transport CNI (CISA/FBI/Palo Alto, Apr 2026)
Supply Chain: 1,700+ malicious packages across npm/PyPI/Go/Rust (North Korea); kube-health-tools Kubernetes tunnel implant campaign active Apr 2026; Axios/TeamPCP hit 60+ packages — CISA KEV Fortinet CVE-2026-35616 (Datadog/Zscaler/CISA, Apr 2026)
UK Online Safety Act: full enforcement 2026 — UK CS&R Bill expanding NIS Regulations to digital supply chains; PSTI Act fines up to £10M or 4% turnover for non-compliant IoT (Ofcom/DSIT, Apr 2026)
Patch Tuesday Apr 2026: 167 vulns patched — CVE-2026-32201 SharePoint zero-day actively exploited; Cisco 4 critical flaws in Identity Services & Webex enabling code execution (Microsoft/Cisco, 19 Apr 2026)
Data Breaches Apr 2026: ShinyHunters leak 78.6M Rockstar Games records via Snowflake auth tokens; 13.5M McGraw Hill accounts stolen via Salesforce breach (Integrity360/SharkStriker, Apr 2026)
Insider & NHI Risk: $19.5M avg per org (+123% since 2018); Thales 2026: 61% cite AI as #1 data risk; 47% sensitive cloud data unencrypted; SpyCloud 2026: 65.7B identity records recaptured (+23% YoY), 18.1M exposed API keys; IBM X-Force: 300,000+ ChatGPT credentials exposed (Proofpoint/IBM/Thales/SpyCloud, Apr 2026)
NCSC UK (7 Apr 2026): APT28 / Russian GRU exploiting compromised internet routers for DNS hijacking — intercepting credentials, tokens, and email traffic across UK personal networks; immediate router patching and credential rotation advised (NCSC, Apr 2026)
Belgium NIS2 Audit Window OPEN (18 Apr 2026) — first EU member state to hit hard NIS2 conformity assessment deadline; essential entities now require BELAC-accredited Conformity Assessment Body sign-off (CCB Belgium, Apr 2026)
GDPR Enforcement: CNIL fines Free Mobile €27M for failing to protect 24M subscriber contracts (Oct 2024 breach); UK ICO fines Reddit £14M for child safety/age-check failures — regulators applying upper Article 83 range to systemic failings (CNIL/ICO, Apr 2026)
Live Breaches Wk of 14–19 Apr: Basic-Fit (200K NL members + 1M bank details exposed); Booking.com customer reservation data breach notified 12 Apr; Zerion crypto wallet device compromise — ~$100K stolen 16 Apr (BreachSense/SharkStriker, Apr 2026)
ENISA 2026 Risk Landscape Report (Apr 2026): availability/DDoS and ransomware top operational threat categories; threat-actor convergence accelerating — same vulnerability chains active across financially and ideologically motivated campaigns (ENISA, Apr 2026)
231 Peer-reviewed governance frameworks · Retained across Tier-1 boards · Contract-winning evidence chains