NIS2 compliance: Lessons from the Trivy Docker worm and the Quest KACE CVE-2025-32975 hijacks
Brussels — Two fresh incidents, an infostealer spreading through Docker that escalates into a worm and a Kubernetes wiper, and live exploitation of CVE-2025-32975 (CVSS 10.0) to hijack unpatched Quest KACE SMA systems, are stark reminders that NIS2 compliance is a day-to-day operational necessity, not a paperwork exercise. For EU operators and service providers, these attacks illuminate the fault lines regulators watch most closely: supply chain security, patch management, incident reporting, and data protection under GDPR and NIS2.

What happened: containers, worms, and a CVSS 10.0 takeover
- Reports indicate that a compromise involving the Trivy vulnerability scanner was used to spread an infostealer via Docker, escalating in some environments into worm-like propagation and a Kubernetes wiper. That chain of malicious image ingestion, lateral movement, and destructive action maps directly onto the risks NIS2 requires essential and important entities to manage.
- Separately, attackers are exploiting CVE-2025-32975 (CVSS 10.0) to hijack unpatched Quest KACE SMA systems. This is the sort of “critical remote compromise” that regulators cite when asking boards for proof of vulnerability management, network segmentation, and tested response plans.
Details are still emerging, but the direction of travel is clear: containers and device management platforms sit squarely in the European threat model and in supervisors’ audit scripts for cybersecurity compliance.
Why these incidents matter for EU operators and boards
In today’s Brussels briefing, regulators emphasized three themes that these incidents crystallize:
- Supply chain vigilance: Unvetted or tampered container images and third-party software can propagate malware at scale. NIS2 elevates supplier risk management, including security clauses and verification practices.
- Speed of detection and reporting: for significant incidents, NIS2 requires an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report no later than one month after that notification. You cannot meet those timelines without centralized logging, forensics readiness, and decision playbooks.
- Data protection crossover: if personal data is implicated, GDPR applies alongside NIS2. That means a data protection impact assessment where required, breach notification to the supervisory authority within 72 hours (and to affected individuals where the risk to them is high), and demonstrable safeguards against privacy breaches.
NIS2 compliance requirements: the essentials for 2026
NIS2 (Directive (EU) 2022/2555) entered into force on 16 January 2023, and Member States had to transpose it into national law by 17 October 2024. By 2026, most Member States are in the supervisory and enforcement phase. Expect regulators to request evidence of the following:
- Risk management measures proportionate to risk (policies, asset inventories, MFA, encryption, secure software development, zero-trust segmentation).
- Incident handling capabilities (detection, containment, eradication, recovery) and tested playbooks for worms and destructive malware like a Kubernetes wiper.
- Supply chain and procurement controls (due diligence, contractual cybersecurity requirements, provenance checks for Docker images and registries).
- Vulnerability management with SLA-based patching for critical CVEs like CVE-2025-32975, and compensating controls where patching lags.
- Logging and monitoring sufficient for rapid triage and structured reporting to regulators.
- Governance: board-level oversight, security audits, and personal accountability of management bodies in both essential and important entities.

NIS2 requires Member States to set maximum fines of at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% for important entities. Combined with GDPR's fines (up to €20 million or 4% of global turnover), the financial risk of weak controls is unequivocal.
GDPR vs NIS2 obligations: what changes and what overlaps
| Dimension | GDPR | NIS2 |
|---|---|---|
| Primary focus | Personal data protection and privacy | Cybersecurity and continuity of essential/important services |
| Who is in scope | Controllers and processors of personal data | “Essential” and “important” entities across sectors (energy, health, transport, finance, digital infra, etc.) |
| Incident reporting | Notify the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk; inform data subjects where the risk to them is high | Early warning within 24 hours; incident notification within 72 hours; final report within 1 month of that notification |
| Security measures | Appropriate technical and organizational measures; DPIA where needed | Risk management measures (asset mgmt, access control, crypto, supply chain, vulnerability mgmt, BC/DR) |
| Fines | Up to €20m or 4% of global turnover, whichever is higher | Essential: maximum fine of at least €10m or 2% of global turnover; Important: at least €7m or 1.4% |
| Examples relevant to recent attacks | Personal data exfiltrated by infostealer → breach notice | Service disruption from Kubernetes wiper → NIS2 incident reporting; supplier control failures → supervisory action |
Your rapid NIS2 compliance checklist
- Map critical services and assets (including Kubernetes clusters, Docker registries, MDM/ITSM platforms like KACE SMA).
- Implement image provenance controls: only signed, verified container images via trusted registries; continuous scanning at build and deploy.
- Patch with urgency: prioritize CVSS 9.8–10.0 (e.g., CVE-2025-32975) within hours/days; apply compensating controls where patching is blocked.
- Enforce MFA, least privilege, and network segmentation; isolate build and orchestration planes.
- Enable centralized logs with tamper protection; pre-build queries and dashboards to support 24h/72h reporting.
- Run tabletop exercises for worm/ransom-wiper scenarios in Kubernetes and enterprise management systems.
- Vet suppliers under contractual security clauses; require attestations and timely vulnerability disclosures.
- Document board oversight, security audits, and continuous improvement cycles.
- Harden data protection: encryption at rest/in transit, data minimization, and anonymization before analysis or AI use.
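The provenance and segmentation items in this checklist are normally enforced by an admission controller (Kyverno, OPA Gatekeeper) or a CI gate. As an added example that is not from the page or from any project it names, the following Python check applies two of those rules to a bundle of Kubernetes manifests before they reach a cluster: every container image must come from an allow-listed registry and be pinned by an immutable sha256 digest rather than a mutable tag, and every namespace that receives workloads must carry a default-deny NetworkPolicy covering both Ingress and Egress. The registry name registry.example.eu, the namespaces, the digest and the sample manifests are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Assumption: the organisation's own registry; Docker Hub, ghcr.io etc. are rejected.
ALLOWED_REGISTRIES = ("registry.example.eu/",)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def image_violations(image: str) -> List[str]:
    """Reasons an image reference fails the provenance gate (empty list = accepted).

    'registry.example.eu/app:1.2@sha256:<64 hex>' splits at '@' into repository and
    digest. A tag alone is mutable, so 'app:1.2' or 'app:latest' without a digest is
    rejected even when it comes from the trusted registry.
    """
    repo, _, digest = image.partition("@")
    problems = []
    if not repo.startswith(ALLOWED_REGISTRIES):
        problems.append("not from an allowed registry")
    if not DIGEST_RE.match(digest):
        problems.append("not pinned by sha256 digest")
    return problems


def pod_spec(manifest: Dict) -> Optional[Dict]:
    """Locate the PodSpec inside the workload kinds we gate; None for other kinds."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in WORKLOAD_KINDS:
        return manifest["spec"]["template"]["spec"]
    return None


def is_default_deny(manifest: Dict) -> bool:
    """True for a NetworkPolicy that selects every pod in its namespace, lists both
    Ingress and Egress, and carries no allow rules: the deny-by-default baseline."""
    if manifest.get("kind") != "NetworkPolicy":
        return False
    spec = manifest.get("spec", {})
    return (
        spec.get("podSelector") == {}
        and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
        and not spec.get("ingress")
        and not spec.get("egress")
    )


def evaluate(manifests: List[Dict]) -> List[str]:
    """Return every violation found; an empty list means the bundle may be deployed."""
    violations: List[str] = []
    workload_namespaces = set()
    denied = {m["metadata"].get("namespace", "default") for m in manifests if is_default_deny(m)}
    for m in manifests:
        spec = pod_spec(m)
        if spec is None:
            continue
        ns = m["metadata"].get("namespace", "default")
        workload_namespaces.add(ns)
        ref = f"{ns}/{m['kind']}/{m['metadata']['name']}"
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for reason in image_violations(c["image"]):
                violations.append(f"{ref}: image {c['image']!r} {reason}")
    for ns in sorted(workload_namespaces - denied):
        violations.append(f"{ns}: no default-deny NetworkPolicy covering Ingress and Egress")
    return violations


# Constructed sample bundle: one compliant namespace, one that fails both rules.
GOOD_DIGEST = "sha256:" + "a" * 64  # placeholder digest, not a real image
SAMPLE_MANIFESTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "api", "namespace": "payments"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "image": f"registry.example.eu/payments/api@{GOOD_DIGEST}"}]}}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "scanner", "namespace": "tooling"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "scanner", "image": "ghcr.io/example/scanner:latest"}]}}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "ingress-only", "namespace": "tooling"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},  # egress still open
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_MANIFESTS):
        print("DENY", v)
```

Digest pinning guarantees that the bytes you scanned are the bytes you deploy, but it does not prove who built them. Pair it with signature verification against your own public key (cosign verify, or a Kyverno verifyImages rule) in the admission path; that step needs registry access and is therefore left out of this offline check.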
Reducing exposure in daily workflows: anonymize and control uploads
Many incidents begin in everyday workflows: rushed log sharing, ad hoc tooling, or well-meaning staff pasting sensitive data into AI chatbots. When you must circulate evidence (screenshots, logs, ticket exports, medical files, contracts) for triage or compliance, strip personal data first with an AI anonymizer and use a secure document upload path.
- Use an AI anonymizer to mask names, emails, IDs, and other personal data before sharing. Professionals avoid risk by using Cyrolo’s anonymizer at www.cyrolo.eu.
- Handle incident packets and regulator submissions through a secure document upload workflow that prevents unintended exposure. Try our secure document upload at www.cyrolo.eu — no sensitive data leaks.
Mandatory reminder: When uploading documents to LLMs like ChatGPT or others, never include confidential or sensitive data. The best practice is to use www.cyrolo.eu — a secure platform where PDF, DOC, JPG, and other files can be safely uploaded.

Kubernetes/Docker and device management: supervisory hot spots in 2026
From interviews with CISOs at a European bank, a hospital group, and a fintech, three patterns recur:
- Container provenance debt: “We treated image origin as a developer concern. Now it’s a board metric.” Require signed images (Sigstore/Cosign), SBOMs, and policy gates.
- Orchestrator blast radius: “Our cluster was flat.” Segment control planes, enforce workload identity, and deny by default between namespaces.
- MDM/ITSM privilege cliffs: “Admin agents became the crown jewels.” For Quest KACE SMA and peers, restrict exposure, isolate admin interfaces, and monitor for anomalous agent behavior.
A CISO I interviewed warned that a single unpatched CVSS 10.0 device manager is “functionally a golden SSO” for lateral movement. Regulators hear the same and will probe whether your vulnerability management and change controls match your risk profile.
EU vs US: different levers, same pressure
US guidance often leans on sectoral rules and voluntary frameworks (e.g., NIST CSF), while the EU couples prescriptive controls with hard incident reporting deadlines and top-line fines under NIS2 and GDPR. For multinational operators, harmonize to the strictest common denominator: 24-hour internal escalation, 72-hour authority notification, and standardized evidence packs for audits across jurisdictions.
Operationalizing reporting: what “good” looks like under NIS2
To hit the 24h/72h/1-month cadence without chaos:
- Automate early-warning triggers tied to severity scoring (e.g., destructive activity like a Kubernetes wiper, or confirmed exploitation of CVSS ≥9.8 such as CVE-2025-32975).
- Pre-draft notification templates that separate service continuity impacts (NIS2) from personal data impacts (GDPR).
- Maintain an evidence ledger (chain-of-custody, hashes, timelines) and role-based access to protect personal data.
- Before sending to counsel or regulators, remove personal data with an AI anonymizer at www.cyrolo.eu and deliver via secure document uploads at www.cyrolo.eu.
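As an added example (not code from the page), here is a Python sketch that wires the first three bullets above together: a hard early-warning trigger, the 24h/72h/one-month clock computed from the moment of awareness, and a hash-chained evidence ledger whose verify() fails if any entry is altered after the fact. The trigger thresholds (confirmed exploitation of a CVSS 9.8 or higher flaw, or any confirmed destructive action), the reading of "one month" as 30 days, and the alert sources, handlers and timestamps are assumptions made for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

EARLY_WARNING = timedelta(hours=24)  # from becoming aware
NOTIFICATION = timedelta(hours=72)   # from becoming aware
FINAL_REPORT = timedelta(days=30)    # assumption: "one month" as 30 days, from the notification


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str          # detection system that raised it (constructed names below)
    category: str        # "exploitation", "destructive" or "malware"
    confirmed: bool      # analyst-confirmed, not just a scanner hit
    cvss: float = 0.0
    personal_data: bool = False  # does the affected system hold personal data?


def is_significant(alert: Alert) -> bool:
    """Hard early-warning triggers (assumed thresholds; tune to your risk profile)."""
    if not alert.confirmed:
        return False
    return alert.category == "destructive" or (
        alert.category == "exploitation" and alert.cvss >= 9.8
    )


def deadlines(aware_at: datetime, notified_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """The final-report clock starts when the 72-hour notification is actually filed;
    until it is, plan for the latest possible case (filed at the deadline)."""
    notification_due = aware_at + NOTIFICATION
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "notification": notification_due,
        "final_report": (notified_at or notification_due) + FINAL_REPORT,
    }


def triage(alerts: List[Alert]) -> Optional[Dict]:
    """Reporting plan for a batch of alerts, or None if nothing meets the trigger.
    Awareness is the earliest significant alert; the GDPR workflow runs in
    parallel if any alert touches personal data."""
    significant = [a for a in sorted(alerts, key=lambda a: a.ts) if is_significant(a)]
    if not significant:
        return None
    aware_at = significant[0].ts
    return {
        "aware_at": aware_at,
        "triggers": [a.source for a in significant],
        "deadlines": deadlines(aware_at),
        "gdpr_workflow": any(a.personal_data for a in alerts),
    }


class EvidenceLedger:
    """Append-only, hash-chained record: each entry commits to the SHA-256 of the
    artefact and to the previous entry, so an edit or deletion breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(body: Dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, ts: datetime, handler: str, description: str, artefact: bytes) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"ts": ts.isoformat(), "handler": handler, "description": description,
                "artefact_sha256": hashlib.sha256(artefact).hexdigest(), "prev": prev}
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


UTC = timezone.utc
# Constructed sample alerts for one morning; sources and times are made up.
SAMPLE_ALERTS = [
    Alert(datetime(2026, 3, 23, 7, 10, tzinfo=UTC), "edr", "malware", True, personal_data=True),
    Alert(datetime(2026, 3, 23, 8, 5, tzinfo=UTC), "vuln-scanner", "exploitation", False, cvss=10.0),
    Alert(datetime(2026, 3, 23, 8, 40, tzinfo=UTC), "kace-sma-ids", "exploitation", True, cvss=10.0),
    Alert(datetime(2026, 3, 23, 9, 15, tzinfo=UTC), "k8s-audit", "destructive", True),
]


def ledger_demo() -> tuple:
    """Chain two artefacts, then tamper with the first: returns (ok_before, ok_after)."""
    ledger = EvidenceLedger()
    t0 = SAMPLE_ALERTS[2].ts
    ledger.add(t0, "analyst-1", "KACE SMA access log export", b"constructed log bytes")
    ledger.add(t0 + timedelta(minutes=20), "analyst-2", "pod list snapshot", b"constructed snapshot")
    ok_before = ledger.verify()
    ledger.entries[0]["description"] = "edited after the fact"
    return ok_before, ledger.verify()
```

Running triage(SAMPLE_ALERTS) sets awareness at 08:40 UTC (the first confirmed trigger, not the unconfirmed scanner hit an hour earlier), which puts the early warning due 24 March 08:40 and the notification due 26 March 08:40, and flags the GDPR workflow because the infostealer alert touched personal data. The ledger is deliberately simple; in production, anchor the latest entry hash somewhere the incident team cannot rewrite (a WORM bucket, a signed timestamp) so the chain's head is itself tamper-evident.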

FAQ: real questions we’re hearing this week
What is NIS2 compliance in practical terms?
It means demonstrating proportionate cybersecurity risk management for services you provide in the EU, rapid incident reporting (24h/72h/1-month), board oversight, supplier controls, and evidence you can produce during audits. It’s not a checkbox—it’s sustained capability.
Does NIS2 apply to Kubernetes clusters and Docker registries?
Yes, if they underpin services from an entity classified as essential or important. Supervisors will expect controls around image provenance, access, segmentation, and monitoring equivalent to their criticality.
How fast must I report under NIS2?
Submit an early warning within 24 hours of becoming aware of a significant incident, a more detailed incident notification within 72 hours (including an initial assessment of severity and impact), and a final report no later than one month after that notification, covering root cause and mitigation. Supervisors can also request intermediate status updates in between.
How do GDPR and NIS2 interact after a breach?
If personal data is at risk, GDPR breach notification applies alongside NIS2 service-impact reporting. Prepare two aligned but distinct workflows and templates to avoid mixing privacy and service continuity content.
Is it safe to upload incident logs to ChatGPT or similar tools?
Only if the logs are fully anonymized and your policy allows it. Never include confidential or sensitive data when uploading documents to LLMs like ChatGPT or others; route anything that must be shared through an anonymizer and a secure upload platform such as www.cyrolo.eu.
Conclusion: turning headlines into NIS2 compliance momentum
The Docker-spread infostealer with worm-like movement and a Kubernetes wiper, alongside active exploitation of CVE-2025-32975 in Quest KACE SMA, are your cue to validate controls where NIS2 compliance is scrutinized most: supplier vetting, critical patching, segmentation, monitoring, and reporting. Convert high-risk workflows into safe defaults—anonymize before you share and use secure document uploads. Start today with Cyrolo’s AI anonymizer and protected upload at www.cyrolo.eu, and turn supervisory pressure into a defensible, resilient posture.
Sources & References
- [1] Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper. The Hacker News, 2026-03-23.
- [2] Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems. The Hacker News, 2026-03-23.