News round-up 9/2025
This is the September news and product review from Cyberday and also a summary of the latest admin webinar. Our next admin webinar, where we will go live, will take place at the end of 2025. You can register for the webinar on our webinars page closer to the date.
Funding call available for Finnish NIS2 SMEs
Article from kyberturvallisuuskeskus.fi
The Finnish Transport and Communications Agency (Traficom) has opened a funding call to help organizations implement the new Finnish Cybersecurity Act (the national NIS2 transposition).
This funding is targeted at SMEs directly in scope of the law, and supports projects focused on assessing and developing security measures (Section 9).
🔹 Total budget: €2 million
🔹 Grant size: €1,000–€100,000 per project
🔹 Support level: up to 50 % of eligible costs
🔹 Project period: 2026
🔹 Application deadline: 16 October 2025, 16:15
This is a great opportunity for Finnish organizations to strengthen cybersecurity maturity and ensure readiness for NIS2 requirements with financial support.
👉 More info (in Finnish): Kyberturvallisuuskeskus – Rahoitustukihaku
CRA vs. Existing Frameworks: ISO 27001, NIS2, and GDPR
Article from medium.com
The Cyber Resilience Act (CRA) focuses on products with digital elements, from connected devices to software. Its goal is to make cybersecurity a built-in feature throughout design, development, and the full product lifecycle.
While ISO 27001 helps organizations manage information security and risk, the CRA addresses product-level security — requiring security by design, vulnerability management, secure updates, and clear supply chain accountability. Compliance will be mandatory for EU market access, ensuring every product meets a common baseline of trust and resilience. As noted by experts, long product lifecycles — especially in OT environments — make continuous security and documentation essential.
Want to see how CRA compares to other frameworks like NIS2 or ISO 27001?
👉 Try our free Framework Comparison Tool to explore overlaps and requirements side by side.
The energy sector has no time to wait for the next cyberattack
Article from helpnetsecurity.com
The energy sector is a top target for cyberattacks, as cyber actors see it as a high-value target. Attacks risk disrupting power grids, shutting down critical services, and triggering far-reaching economic damage. Even brief downtime can carry huge costs. The core weakness in the sector remains aging OT infrastructure. Many systems were never designed with security in mind, and retrofitting them is complex and costly. Rapid digitalization and rising electricity demand only widen the attack surface.
Threats to the energy sector come from all sides: state-linked groups, ransomware gangs, and insiders. The conflict in Ukraine has underscored how energy systems become strategic targets in times of tension. Solar infrastructure, in particular, is vulnerable: some inverters carry unexplained embedded communications, and many devices run outdated firmware ripe for exploitation, leaving critical gaps.
Effective risk analysis must focus on legacy systems, supply chain dependencies, and firmware-level vulnerabilities, not just generic compliance.
GenAI in CRM Systems: Competitive Advantage or Compliance Risk?
Article from panorama-consulting.com
Generative AI is becoming a standard feature in popular CRM systems, powering email drafting, lead scoring, conversational analytics, and ticket resolution. These tools promise major efficiency gains but also introduce new compliance and operational risks.
Key concerns include privacy violations, AI "hallucinations" (AI-generated content can misstate product details or pricing, creating potential legal exposure and reputational damage), and bias in model outputs (especially in areas like lead scoring). Many systems still struggle with data fragmentation, duplicate records, and inconsistent handling of consent and opt-out preferences, all of which can amplify AI risks.
Used well, GenAI can be a real competitive advantage. But without clear governance, it can create compliance gaps and reputational harm.
To use it responsibly:
- Redefine CRM data governance
- Start with low-risk, high-value use cases
- Independently validate vendors’ AI claims
Most important themes in Cyberday development
Cyberday AI assistant is live!
For a long time we've been developing and using AI tools on our framework and content development sides. Now we want to take the next step - bringing an AI assistant to help our users inside the Cyberday app. The first version of the AI assistant is now live, and we'll keep making it smarter and more useful.
Cyberday's AI assistant can help you e.g. in the following ways:
- Assists you in getting things done: Helps you write task descriptions that are customized for your organization's industry and size and your personal selections, assists you in picking the most relevant frameworks, assists you in writing personnel guidelines and training content, etc.
- Analyzes your compliance and gives prioritization tips: This will include, e.g., creating analysis reports of your compliance report for a single framework that provide the most critical improvements and the easiest quick wins to implement next to improve your compliance score, and a full ISMS analysis to help you notice which parts of the ISMS system you should focus on improving next.
- Advises you in information security and Cyberday usage: Explains task requirements to you in plain language, guides you to the correct parts of Cyberday, and explains the functionalities on different pages.
You can find more info about the AI Assistant at cyberday.ai
The AI Assistant is active on your account by default, but it can be disabled for the whole organization through settings. The AI Assistant won't use your ISMS data for anything or make changes without your request.

Mass-edit on main tables
We have published a highly requested feature, mass-editing! You can now use a mass-edit function on:
- Documentation tables
- All tasks
- All guidelines
You can enable mass editing from the "select multiple" slider, click the selected assets and choose the action you want to do, for example assigning an owner, changing the status, or setting a due date.

Remember: You can influence the future of Cyberday's development by sending your ideas to the development idea forum.
Share a report with a link
You can now also share reports via a direct link. This can be useful, for example, if you are using Cyberday via Teams and are about to start an audit, but do not want to invite the auditor to your own Teams environment.
The report sharing link is available by default for 30 days, after which it will automatically be disabled.
The report will be shared in "read-only" mode, using the latest published version of the report. 🚀

Other developments
Next Development for AI Assistant: Development is ongoing to add more functionality to the AI assistant.
Task description and Content Sharing Part II: Improvements are currently being implemented for task sharing (and control) from top-level organization accounts to their sub-accounts, supporting customers with an organization structure.
Vendor Assessments, Part II: More controls are being added to vendor assessments, including the ability to add custom questions and have greater control over which assessment to send to which vendors.
Recently published and upcoming frameworks
During the summer, we’ve focused heavily on expanding Cyberday’s framework coverage. We recently released new national implementations of the EU NIS2 directive, bringing our total to 20 NIS2 versions, along with new frameworks for local markets. We already cover 50+ frameworks, and will continue publishing new ones based on customer wishes.
Check the available and upcoming frameworks in the Cyberday app or on the Frameworks website.