UK 1 May 2026: FCA/PRA PS26/2 PS7/26 operational resilience regime live — first 30-day board review window open; ICO reportable incidents +6.2% WoW (w/e 23 Apr); AI Act Digital Omnibus legal scrub — Annex III delay to Dec 2027 confirmed; UK CS&R Bill committee stage imminent; NCSC/CISA China-nexus botnet advisory: 10 prioritised defensive controls published (Volt Typhoon/Flax Typhoon shared hop-point infrastructure confirmed). (FCA/PRA/ICO/NCSC/EC, 1 May 2026)

UK practitioner PM update 30 Apr 2026: ICO reportable-incident dashboard week-close: 312 filings week-ending 23 Apr (+6.2% WoW); week ending 30 Apr tracker pending — seasonal uptick expected with operational incident and third-party reporting regime now live. UK CS&R Bill Second Reading cleared 28 Apr — Committee Stage calendared May 2026; MSP and datacentre-operator scope confirmed; digital supply-chain due-diligence duty clauses advancing. Cyber Essentials expanded scheme: first post-launch monitoring window closes today with zero blocking issues reported; cloud-hosted asset and MSP-supply-chain inclusion mandatory for renewal from 27 Apr. FCA SM&CR Reform CP26/5 key deadline: 22 Jul 2026 — organisations should begin mapping reduced prescribed-responsibility changes now. (ICO/DSIT/FCA/NCSC, 30 Apr 2026)

UK Thursday 30 Apr 2026: FCA global finfluencer action week concludes — 17 regulators worldwide, Aaron Chalmers (Geordie Shore) guilty plea, 120 social-media takedown requests, 1,267 illegal adverts reaching 2.3M+ UK accounts. FCA PS26/2 / PRA PS7/26 operational incident and third-party reporting final rules in effect — 30-day window for notification-template and escalation-chain updates. CISA ED-26-05 (Apache Tomcat CVE-2026-34141, CVSS 9.8) 29 Apr: 48-hour federal window; UK CNI/financial-sector operators self-assessing against 3,400+ globally exposed instances. UK CS&R Bill Second Reading cleared 28 Apr — MSP/datacentre scope and digital supply-chain duty clauses confirmed for Committee Stage. (FCA/PRA/CISA/DSIT/NCSC, 30 Apr 2026)

UK Monday open 27 Apr 2026: UK Cyber Essentials revised scheme LIVE today — first mandatory update since 2023, expanded scope covers cloud-hosted assets and MSP supply chain; CS&R Bill Second Reading in Parliament tomorrow (28 Apr) — MSP/datacentre scope and digital supply-chain due diligence clauses centre stage; FCA SM&CR Reform Consultation CP26/5 published 22 Apr, open until 22 Jul — key change: reduced prescribed responsibilities for smaller firms; NCSC APT28 router advisory: weekend patching cadence confirms 34% of targeted UK residential routers now updated, 66% still exposed; FCA crypto enforcement first strike now formally on record ahead of 30 Sep 2026 authorisation window. (DSIT/FCA/NCSC, 27 Apr 2026)

UK weekly close 24 Apr 2026: ICO serves £8.9M monetary penalty notice on mid-tier fintech for GDPR Art.32 TOMs failure 2023–2025; FCA Dear CEO letter on DORA-equivalent operational resilience testing dispatched to 1,100 UK-regulated firms; PRA thematic review on cyber incident reporting cadence opens 6-week consultation; NCSC Early Warning Service logs 18% WoW rise in router-hijack indicators tied to APT28. (ICO/FCA/PRA/NCSC, 24 Apr 2026)

UK Thursday 23 Apr 2026: PRA CP4/26 cloud ICT concentration consultation closed 16:00 BST Wed; Tier-1 submission fingerprint shows aligned ask for impact-tolerance proportionality; ICO Commissioner adtech speech at techUK operationalises upper-Article-83 default for systemic failings; CYBERUK 2026 Glasgow Day 3 — NCSC panel on NIS2 two-year lessons learned; UK CS&R Bill committee cleared clause 12 on digital supply-chain diligence overnight; UK Cyber Essentials revised scheme go-live T-4 (27 Apr). (PRA/ICO/NCSC/Parliament/DSIT, 23 Apr 2026)

UK 22 Apr 2026: PRA CP4/26 cloud ICT concentration comments close TODAY 16:00 BST — Tier-1 bank submissions on impact-tolerance metrics filing ahead of 30 Jun attestation; ICO Commissioner adtech enforcement speech at techUK live this morning; CYBERUK 2026 Day 2 in Glasgow with NCSC Director keynote on AI-augmented adversary tradecraft. (PRA/ICO/NCSC, 22 Apr 2026)

UK ICO 21 Apr 2026: First Article 83(5) decision in children’s-code health-app cluster expected this week; PRA reminds Tier-1 banks that 30 Jun ICT impact-tolerance attestation is non-delegable; CS&R Bill committee hears NCSC and CMA evidence on supply-chain due diligence scope. (ICO/PRA/Parliament, 21 Apr 2026)

UK ICO Week of 20 Apr 2026: enforcement decision cluster expected — adtech, children's code, and health-sector data-breach cases in final review.

UK PRA 20 Apr 2026: weekend operational resilience walkthrough at two Tier-1 UK banks on cloud ICT vendor concentration — feeds 30 Jun impact-tolerance deadline.

UK CS&R Bill 20 Apr 2026: standing committee publishes clause-by-clause commentary this week — digital supply-chain due diligence scope confirmed. (DSIT)

UK NCSC ACD 20 Apr 2026: ~11% uptick in credential-stuffing against UK government SSO endpoints over prior weekend.

DORA: In force 17 Jan 2025 — Active enforcement: on-site ICT risk inspections and third-party oversight reviews underway. (ESAs, 2026)

NIS2: First audits due 30 Jun 2026 — Q1 2026 penalties issued in EU; 14 of 27 EU states now transposed; EU Digital Omnibus trilogue scheduled 28 Apr 2026 — proposes deadline extensions and compliance simplifications for 28,700 companies; Ireland NIS2 Bill H1 2026 amid EC infringement proceedings. (Skadden/EC, Apr 2026)

EU AI Act: High-risk AI obligations deadline 2 Aug 2026 — EU Digital Omnibus proposes delay to Dec 2027; CRA vulnerability reporting starts 11 Sep 2026. (EC/Hogan Lovells, Apr 2026)

Global Breach Cost: $4.44M average — 241 days to detect and contain; AI-augmented attack surface expanding. (IBM/Ponemon, 2026)

CISO Personal Liability: NIS2 Art.20 + SEC/DOJ precedent — Director accountability now statutory in EU. (2025–2026)

Ransomware: Q1 2026: 2,165 victims (+18.5% annualised); March 2026: 808 victims; week 11–17 Apr: 185 incidents — 13 Apr saw 46 new victims in 24 hours; Qilin/DragonForce drive 21% of weekly volume; 7,500+ on leak sites 2025 (+58% YoY); attacks 4× faster; 80% AI-enabled; 87.6% double extortion. (BlackFog/BreachSense/Unit42/Emsisoft/Ransom-DB, Apr 2026)

Geopolitical CNI: CISA AA26-097a (7 Apr 2026) — Iranian-affiliated APT targeting internet-exposed PLCs in US water/wastewater and CNI sectors; 75+ Unitronics HMI devices compromised. Iran-linked Handala claimed attack on Stryker Corp (11 Mar 2026) disrupting manufacturing and shipping. Volt Typhoon maintains 5+ yr persistence across US energy/water/transport CNI. (CISA/FBI/Palo Alto, Apr 2026)

Supply Chain: 1,700+ malicious packages across npm/PyPI/Go/Rust (North Korea); kube-health-tools Kubernetes tunnel implant campaign active Apr 2026; Axios/TeamPCP hit 60+ packages — CISA KEV Fortinet CVE-2026-35616. (Datadog/Zscaler/CISA, Apr 2026)

UK Online Safety Act: full enforcement 2026 — UK CS&R Bill expanding NIS Regulations to digital supply chains; PSTI Act fines up to £10M or 4% turnover for non-compliant IoT. (Ofcom/DSIT, Apr 2026)

Patch Tuesday Apr 2026: 167 vulns patched — CVE-2026-32201 SharePoint zero-day actively exploited; Cisco 4 critical flaws in Identity Services and Webex enabling code execution. (Microsoft/Cisco, 19 Apr 2026)

Data Breaches Apr 2026: ShinyHunters leak 78.6M Rockstar Games records via Snowflake auth tokens; 13.5M McGraw Hill accounts stolen via Salesforce breach. (Integrity360/SharkStriker, Apr 2026)

Insider & NHI Risk: $19.5M avg per org (+123% since 2018); Thales 2026: 61% cite AI as #1 data risk; 47% sensitive cloud data unencrypted; SpyCloud 2026: 65.7B identity records recaptured (+23% YoY), 18.1M exposed API keys; IBM X-Force: 300,000+ ChatGPT credentials exposed. (Proofpoint/IBM/Thales/SpyCloud, Apr 2026)

NCSC UK (7 Apr 2026): APT28 / Russian GRU exploiting compromised internet routers for DNS hijacking — intercepting credentials, tokens, and email traffic across UK personal networks; immediate router patching and credential rotation advised. (NCSC, Apr 2026)

Belgium NIS2 Audit Window OPEN (18 Apr 2026) — first EU member state to hit hard NIS2 conformity assessment deadline; essential entities now require BELAC-accredited Conformity Assessment Body sign-off. (CCB Belgium, Apr 2026)

GDPR Enforcement: CNIL fines Free Mobile €27M for failing to protect 24M subscriber contracts (Oct 2024 breach); UK ICO fines Reddit £14M for child safety/age-check failures — regulators applying upper Article 83 range to systemic failings. (CNIL/ICO, Apr 2026)

Live Breaches Wk of 14–19 Apr: Basic-Fit (200K NL members + 1M bank details exposed); Booking.com customer reservation data breach notified 12 Apr; Zerion crypto wallet device compromise — ~$100K stolen 16 Apr. (BreachSense/SharkStriker, Apr 2026)

ENISA 2026 Risk Landscape Report (Apr 2026): availability/DDoS and ransomware top operational threat categories; threat-actor convergence accelerating — same vulnerability chains active across financially and ideologically motivated campaigns. (ENISA, Apr 2026)

UK FCA PS26/2 + PRA PS7/26 (16 Apr 2026): new operational incident and material third-party reporting framework finalised — firms must establish reporting governance, taxonomy mapping, and supervisory notification workflows now; first incidents under the regime expected within weeks. (Sidley Data Matters/FCA/PRA, 16 Apr 2026)

900 Peer-reviewed governance frameworks · Retained across Tier-1 boards · Contract-winning evidence chains