
NIS2 and DORA Compliance in 2026: Lessons from Ivanti, FortiGate, and APT28 Exploits
NIS2
DORA
cybersecurity compliance
incident response
vulnerability management

AIGovHub Editorial, March 11, 2026

The 2026 Cybersecurity Landscape: A Compliance Wake-Up Call

The year 2026 has seen a significant escalation in sophisticated cyber threats, with threat actors exploiting vulnerabilities in widely used enterprise software and network infrastructure. High-profile incidents, such as the exploitation of CVE-2026-1603 in Ivanti Endpoint Manager (EPM), breaches via FortiGate Next-Generation Firewalls (NGFWs), and APT28's use of a customized Covenant framework, underscore a critical reality: traditional security postures are insufficient. For organizations operating in or serving the European Union, these incidents are not just operational crises but potential compliance failures under the incoming NIS2 Directive and the now-active Digital Operational Resilience Act (DORA). This analysis dissects these 2026 exploits to extract actionable lessons for building a resilient, compliant cybersecurity program.

Dissecting the 2026 Threat Incidents

1. Ivanti EPM Authentication Bypass (CVE-2026-1603)

In early 2026, CISA flagged CVE-2026-1603, a high-severity vulnerability in Ivanti Endpoint Manager, as actively exploited. This flaw allows remote threat actors to bypass authentication and steal credential data via low-complexity cross-site scripting attacks without user interaction. CISA mandated U.S. federal agencies to patch under Binding Operational Directive (BOD) 22-01 within three weeks. Researchers tracked over 700 internet-facing Ivanti EPM instances, primarily in North America. While Ivanti stated it had not received reports of exploitation prior to public disclosure, the incident highlights the critical gap between vulnerability disclosure and patch deployment.

2. FortiGate NGFW Configuration Theft Campaign

Cybersecurity researchers identified a campaign where threat actors exploit FortiGate NGFW appliances as primary entry points. Attackers leverage recently disclosed vulnerabilities or weak credentials to extract configuration files. These files contain sensitive service account credentials and detailed network topology, enabling lateral movement and deep network compromise. This method poses severe risks to data integrity and network security, demonstrating how a single compromised perimeter device can unravel an organization's entire defense-in-depth strategy.

3. APT28's Customized Covenant & BeardShell Espionage

The Russian state-sponsored group APT28 has been using a customized variant of the open-source Covenant post-exploitation framework alongside the BeardShell implant since at least April 2024. Targeting Ukrainian military and government bodies, the group exploits vulnerabilities like CVE-2026-21509 in Microsoft Office via malicious DOC files. The malware employs advanced obfuscation and uses legitimate cloud storage services (Icedrive, Filen, Koofr, pCloud) for command-and-control (C2), making detection and attribution challenging. This highlights the evolution toward leveraging trusted services and open-source tools for sophisticated, long-term espionage.

Common Vulnerability Themes: Authentication, Patching, Monitoring

These disparate incidents reveal convergent weaknesses that threat actors consistently target:

  • Authentication Failures: The Ivanti flaw allowed complete authentication bypass, while the FortiGate breaches often started with weak or default credentials. Robust authentication is the first line of defense.
  • Patch Management Gaps: Both the Ivanti and FortiGate incidents involved exploiting known vulnerabilities. The delay between patch availability and deployment creates a critical window of exposure that adversaries exploit.
  • Inadequate Network Monitoring & Segmentation: The FortiGate breach showed how stolen configuration data maps the network for lateral movement. APT28's long-term residency indicates a failure to detect anomalous outbound traffic to cloud services. Without comprehensive monitoring and strict segmentation, a perimeter breach becomes a total compromise.

Mapping Incidents to NIS2 and DORA Compliance Obligations

These incidents directly trigger specific requirements under the EU's key cybersecurity regulations. Organizations should verify current timelines, but based on the regulatory framework, the mapping is as follows:

NIS2 Directive (Directive (EU) 2022/2555)

  • Risk Management Measures (Article 21): All incidents underscore the need for comprehensive policies on vulnerability handling (patch management), access control (multi-factor authentication), and network security (segmentation).
  • Incident Reporting (Article 23): A successful exploit of any of these vulnerabilities would likely constitute a 'significant incident' under NIS2, requiring an early warning within 24 hours and a full notification within 72 hours.
  • Supply Chain Security (Article 21): The Ivanti and FortiGate incidents highlight risks from third-party ICT service providers. NIS2 requires managing risks stemming from dependencies on such providers.
  • Management Accountability: NIS2 holds management bodies legally accountable for compliance. Failure to address known critical vulnerabilities could lead to personal liability.

DORA (Regulation (EU) 2022/2554 – applicable from 17 January 2025)

  • ICT Risk Management Framework (Article 6): Financial entities must have frameworks that specifically address timely patch management and hardening of network devices like firewalls.
  • Incident Reporting (Article 19): Similar to NIS2, DORA mandates major incident reporting to competent authorities without undue delay.
  • Digital Operational Resilience Testing (Article 24): These incidents validate the need for regular penetration testing and Threat-Led Penetration Testing (TLPT). Tests should simulate attacks exploiting similar authentication bypass and supply chain flaws.
  • Third-Party ICT Risk Management (Article 28): The use of vulnerable software like Ivanti EPM or FortiGate OS falls squarely under DORA's stringent third-party risk management requirements, demanding enhanced due diligence and contractual safeguards.

Actionable Recommendations for Mitigation and Compliance

To mitigate these specific risks and align with NIS2/DORA, organizations should:

  1. Enforce Strict Patch Management SLAs: Model internal patching deadlines on CISA's BOD 22-01 (e.g., critical patches within 72 hours). Use tools like Tenable or Qualys for continuous vulnerability assessment and prioritized remediation workflows.
  2. Harden Authentication and Access: Implement phishing-resistant multi-factor authentication (MFA) universally, especially for administrative access to network devices and endpoint management systems. Enforce strong credential policies and regular rotation.
  3. Enhance Network Monitoring and Detection: Deploy Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) platforms like CrowdStrike Falcon to detect post-exploitation activity, lateral movement, and beaconing to cloud C2 servers. Monitor egress traffic for connections to non-business cloud services.
  4. Conduct Regular Compromise Assessments: Proactively hunt for indicators of compromise (IoCs) related to these campaigns, especially BeardShell and Covenant variants, within your environment.
  5. Segment Networks Rigorously: Limit lateral movement by segmenting networks based on function and sensitivity. Ensure firewall rules are least-privilege and regularly reviewed.
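Recommendation 3 above (monitor egress for connections to non-business cloud services and beaconing to cloud C2) can be checked directly against proxy logs. The script below is an added example written for this article, not AIGovHub's or any vendor's code; it assumes a simple whitespace-separated proxy log format, uses constructed sample lines, and treats the four cloud-storage services the article names as APT28 C2 channels as unsanctioned in the monitored environment.

```python
"""Triage egress logs for contact with the cloud-storage services named above,
and flag near-constant connection intervals as likely beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the article names as APT28 C2 channels. Assumption: none are
# business-approved here; adjust to your own sanctioned-service list.
WATCHED_DOMAINS = {"icedrive.net", "filen.io", "koofr.net", "pcloud.com"}

# Constructed sample proxy log: "<ISO time> <src_host> <dst_host> <bytes>"
SAMPLE_LOG = """\
2026-03-10T09:00:00 ws-fin-07 api.pcloud.com 4120
2026-03-10T09:10:01 ws-fin-07 api.pcloud.com 3980
2026-03-10T09:20:00 ws-fin-07 api.pcloud.com 4210
2026-03-10T09:30:02 ws-fin-07 api.pcloud.com 4075
2026-03-10T09:12:44 ws-hr-02 www.microsoft.com 15320
2026-03-10T11:02:09 ws-hr-02 app.filen.io 512
"""

def parse(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst.lower(), int(nbytes)

def watched(dst):
    # Match the registered domain itself or any subdomain of it.
    return any(dst == d or dst.endswith("." + d) for d in WATCHED_DOMAINS)

def find_suspicious_egress(log_text, min_hits=3, max_jitter=0.15):
    """Return {(src, dst): verdict} for every watched destination seen.
    'beaconing' = at least min_hits connections whose interval is nearly
    constant (coefficient of variation <= max_jitter); else 'contact'."""
    by_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, _ = parse(line)
        if watched(dst):
            by_pair[(src, dst)].append(ts)
    verdicts = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = (len(times) >= min_hits and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= max_jitter)
        verdicts[pair] = "beaconing" if regular else "contact"
    return verdicts

if __name__ == "__main__":
    for (src, dst), verdict in find_suspicious_egress(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {verdict}")
```

A single contact is worth a ticket; a regular interval to one of these services is the pattern to escalate for compromise assessment (recommendation 4).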

Integrating Continuous Compliance with AIGovHub

Manually mapping evolving threats to regulatory requirements is complex and error-prone. Platforms like AIGovHub can automate this critical function. Our cybersecurity compliance modules can:

  • Continuously monitor your security tooling (e.g., integrating with your Tenable or CrowdStrike instances) to assess control effectiveness against benchmarks derived from NIS2, DORA, and NIST CSF 2.0.
  • Provide automated gap analysis, highlighting where your patch management cadence, incident response playbooks, or third-party risk assessments fall short of specific regulatory articles.
  • Maintain an up-to-date library of regulatory requirements and map them to actionable security controls, helping you demonstrate due diligence to auditors and management.
  • Assist in vendor risk assessments for your ICT service providers, a core requirement under both NIS2 and DORA.

Just as AI governance requires continuous monitoring for model drift and new regulations, cybersecurity compliance demands real-time alignment between your threat posture and legal obligations. For more on managing evolving regulatory landscapes, see our guide on EU AI Act compliance.

Key Takeaways

  • The 2026 exploit landscape targets foundational security failures: weak authentication, slow patching, and poor monitoring.
  • Incidents like Ivanti CVE-2026-1603 and FortiGate breaches directly trigger NIS2 incident reporting and DORA third-party risk management obligations.
  • Compliance requires proactive measures: enforce aggressive patch SLAs, mandate strong MFA, deploy EDR/XDR, and conduct regular resilience testing.
  • Automated compliance platforms are essential to bridge the gap between dynamic threat intelligence and static regulatory checklists.

This content is for informational purposes only and does not constitute legal advice. Organizations should consult with qualified professionals to verify specific compliance requirements.

Ready to transform your incident response into a compliance advantage? Explore AIGovHub's Cybersecurity Compliance Modules for automated gap analysis, continuous monitoring, and streamlined reporting for NIS2, DORA, and other frameworks.