In a nutshell: Reduced technological diversity increases vulnerability to supply-chain attacks, while manual control processes in Germany cannot keep pace with the speed of modern AI-driven development.
European companies are simplifying their technology stacks under pressure from the EU Cyber Resilience Act, but are creating new security risks in the process — particularly in AI-driven software development. The latest JFrog security report documents a growing gap between regulatory simplification measures and the actual threat landscape.
The JFrog security report, based on the analysis of billions of software artifacts and an international expert survey, reveals a paradoxical picture: while Germany and France are deliberately reducing their technology stacks under pressure from the EU Cyber Resilience Act and relying on fewer distinct programming languages, the dependence on individual core components is growing simultaneously. A compromised core library or frequently used package can have significantly greater impact in such centralized environments than in distributed architectures — complexity reduction merely shifts risks rather than eliminating them.
A particular deficit lies in the automation of security controls: European companies still rely heavily on manual review procedures when securing their development processes and automate AI systems significantly less frequently than the global average. Compliance verification often requires multiple days or weeks — a pace that does not reflect the dynamics of modern, AI-driven development. In Germany, this results in release delays of several days to weeks for open-source packages.
The threat landscape is escalating rapidly: in 2025, more than 48,000 new security vulnerabilities were registered globally, including a sharp increase in easily exploitable vulnerabilities such as SQL injection and cross-site scripting. Particularly serious is the growing number of manipulated open-source packages — the npm ecosystem recorded over 170,000 malicious packages. For companies with standardized, centralized software components, the risk increases exponentially.
Another critical point is the integration of AI models into the supply chain. Platforms such as Hugging Face recorded enormous growth in new models in the past year, including demonstrably malicious variants for the first time. Many companies are integrating AI libraries directly into their development processes, yet the existing security mechanisms were originally designed for classical software packages and often inadequately capture the particular risks of AI models. Germany does perform better than the European average in specialized security reviews for AI and machine learning models, but lags significantly behind required standards in comprehensive monitoring of AI systems.
Source: www.it-daily.net · Published 26 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.