Accordingly, the restricted session considers that the failure to implement mandatory pre-authentication following the discovery of the vulnerability - when this measure had been identified and is the only measure to completely prevent the risk - constitutes a breach of section 32 of the Regulation.