Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A few practical improvements this week, mostly driven by what we’re learning as customers deploy CertKit into larger infrastructures.

Note: This blog was originally published in July 2024 and updated on an annual basis. It was most recently updated in April 2026. Regulatory compliance is a common and critical part of today’s rapidly evolving financial services landscape. One new regulation that EU financial institutions must adhere to is the Digital Operational Resilience Act (DORA), enacted to enhance the operational resilience of digital financial services.

Effective January 1, 2026, Mexico’s Ley Aduanera (Customs Law) has dramatically increased documentation requirements for anyone importing or exporting through Mexico. If you move goods through Mexico, the increased documentation requirements can become a compliance risk if you’re not set up to both collect and verify the validity of documents.

The Digital Statute for Children and Adolescents (Digital Estatuto da Criança e do Adolescente or Lei 15.211/2025) is a new law outlining age assurance (garantia de idade) requirements in Brazil. Also known as the Digital ECA, it was enacted in September 2025 and goes beyond self-attestation, applying to a wider range of online platforms that offer certain services. On March 17, 2026, the Digital ECA will become enforceable.

‍The European Union's Artificial Intelligence Act (EU AI Act) represents the first comprehensive attempt by a major regulator to establish legal oversight of artificial intelligence. Its objective is to ensure that AI systems deployed across the EU operate safely, transparently, and in a manner that protects fundamental rights.

Most websites host tracking systems that change continuously, tag by tag, pixel by pixel, version to version, often without anyone in privacy touching a line of code. Marketing adds a session replay script through the tag manager. Vendors quietly push updates to the tags. By the time it’s noticed in the next periodic review, the damage is done. Drift in tag behaviour leads to consent violations. And tracking scripts load and process data despite GCP signals.

So your team just uncovered a GDPR tracking violation, a consent anomaly that, after a deeper look, turns out to be a pixel firing regardless of consent state.” From the looks of it, it’s definitely an ePrivacy violation. But the harder question, the one you now have to race against time to answer, is whether this is also a notifiable breach under GDPR. For that determination, you now have 72 hours. One gets fixed with a tag manager update and a stern email to marketing.

By January 2025, over 160,000 EU organizations became subject to new cybersecurity regulations—NIS2, DORA, or both. If you operate in the EU or serve EU clients, you’re likely affected. This guide clarifies which regulations apply to you and what you must do to comply. Contents hide At-a-Glance Comparison Is Your Organization Affected? Question 1: Where Do You Operate? Question 2: What Sector Are You In? Question 3: What’s Your Company Size? What is NIS2?