All news in category "Regulation and Policy Brief"

Thu, December 11, 2025

UK and Portugal Move to Protect Security Researchers

🔒 Governments in the UK and Portugal have introduced proposals and legislation to provide legal protection for computer security researchers, recognizing that outdated laws can deter responsible vulnerability testing. UK security minister Dan Jarvis proposed amending the 1990 Computer Misuse Act to create a statutory defense for good-faith research that meets defined safeguards. Portugal's new law similarly shields researchers who do not seek financial advantage and who respect data protection rules, aligning with measures already adopted in the Netherlands, France, and Belgium.

Wed, December 10, 2025

HTTPS Certificate Industry Phases Out Weak Domain Checks

🔒 The Chrome Root Program and the CA/Browser Forum have adopted new requirements (Ballots SC-080, SC-090, and SC-091) to phase out 11 legacy Domain Control Validation methods. These deprecated checks — including email, fax, SMS, postal mail, phone-based contacts, and reverse lookup methods — are being retired to reduce the risk of fraudulent certificate issuance. The policies update the TLS Baseline Requirements and encourage stronger, automated, cryptographically verifiable methods such as ACME, with full security value realized by March 2028 while operators transition.

Wed, December 10, 2025

2026 NDAA: Cybersecurity Changes for DoD Mobile and AI

🛡️ The compromise 2026 NDAA directs large new cybersecurity mandates for the Department of Defense, including contract requirements to harden mobile phones used by senior officials and enhanced AI/ML security and procurement standards. It sets timelines (90–180 days) for mobile protections and AI policies, ties requirements to industry frameworks such as NIST SP 800 and CMMC, and envisions workforce training and sandbox environments. The law also funds roughly $15.1 billion in cyber activities and adds provisions on spyware, biologics data risks, and industrial base harmonization.

Wed, December 10, 2025

Designing an Internet Teens Want: Access Over Bans

🧑‍💻 A Google‑commissioned study by youth specialists Livity centers the voices of over 7,000 European teenagers to show how adolescents want technology designed with people in mind. Teens report widespread, routine use of AI for learning and creativity and ask for clear, age‑appropriate guidance rather than blanket bans. The report recommends default-on safety and privacy controls, curriculum-level AI and media literacy, clearer reporting and labeling, and parental support programs.

Tue, December 9, 2025

Automating NIS2 Compliance: Move from Paperwork to Code

🛡️ The EU directive NIS2, in force in Germany since 06 December 2025, risks becoming a paperwork-heavy exercise unless organisations adopt automation and DevSecOps. The article argues security must be planned and enforced by technology, using Infrastructure as Code, policies-as-code and CI/CD pipelines so controls and evidence (commits, pipeline logs, SBOMs) are revision-proof. Solutions such as CIEM, CNAPP and SIEM can centralise IAM, vulnerability and incident data so auditability is produced by the platform rather than by post-hoc Word documents.

Mon, December 8, 2025

AI Creates New Security Risks for OT Networks, Warn Agencies

⚠️ CISA and international partner agencies have issued guidance warning that integrating AI into operational technology (OT) for critical infrastructure can introduce new security and safety risks. The guidance highlights threats such as prompt injection, data poisoning, data collection issues, AI drift and hallucinations, as well as human de‑skilling and cognitive overload. It urges adoption of secure design principles, cautious deployment, operator education and consideration of in‑house development to retain long‑term control.

Mon, December 8, 2025

Portugal exempts ethical hackers under updated law

🔒 Portugal has amended its cybercrime law to exempt cybersecurity researchers and ethical hackers from prosecution, with the change published in the Diário da República on 4 December. The amendment, titled “Acts not punishable due to public interest in cybersecurity,” creates a legal exception for good-faith vulnerability research provided strict conditions are met. Researchers must avoid economic gain, refrain from DoS, social engineering, phishing and data theft, report findings to the system owner and the data protection regulator, and delete sensitive data within 10 days of a fix.

Mon, December 8, 2025

UK ICO Seeks Urgent Clarity on Facial Recognition Bias

🔍 The UK Information Commissioner’s Office (ICO) has asked the Home Office for urgent clarity after a National Physical Laboratory (NPL) report identified racial bias in the retrospective facial recognition (RFR) algorithm Cognitec FaceVACS-DBScan ID v5.5 used by police. The study found far higher false positive rates for Asian (4%) and Black (5.5%) subjects compared with white subjects (0.04%), with an observed disparity between black males (0.4%) and black females (9.9%). Deputy information commissioner Emily Keaney said the ICO was disappointed it had not been informed earlier and stressed that public confidence, transparency and proper oversight are essential while the Home Office moves to operationally test a replacement algorithm.

Mon, December 8, 2025

Cyber Threats to the U.S.: What Policymakers Need for 2026

🔒 A new Check Point brief warns that cyber attacks against the U.S. have evolved into coordinated geopolitical tools employed by states, criminal networks, and ideological groups. These operations now aim to influence policy, erode public trust, and target critical infrastructure rather than being mere technical intrusions. The report urges leaders to prioritize resilience, improve cross-sector coordination, and strengthen information-sharing and recovery capabilities.

Mon, December 8, 2025

Vaillant CISO: Act Now on Security and Regulatory Change

🔐 Vaillant CISO Christoph Reiß says rising geopolitical tensions and the professionalization of cybercrime — amplified by accessible AI tools — are elevating the threat to the heating and energy sector. Vaillant relies on a holistic, multilayered security strategy that combines preventative and reactive measures and protects IT, production, and customer products. Employee-focused training, from gamification to practical compliance, is central, and Reiß highlights regulatory complexity (e.g., NIS2, DORA, Cyber Resilience Act) while urging organizations to start now with pragmatic implementation rather than wait.

Sun, December 7, 2025

Portugal Revises Law to Shield Security Researchers

🛡️ Portugal amended its cybercrime law to create a clear safe harbor for good-faith security research under new Article 8.º-A. The change exempts certain acts that would previously be illegal if performed solely to identify and responsibly disclose vulnerabilities, provided strict conditions are met: immediate notification to the system owner and the CNCS, no excessive financial gain, non-disruptive techniques, GDPR compliance, and deletion of obtained data within ten days of remediation. Tests carried out with owner consent are also covered but still require CNCS notification.

Fri, December 5, 2025

Senate Finds Widespread Use of Non-Approved Messaging Apps

📱 The Senate Committee on Armed Services concluded that unsecured use of non‑approved messaging apps is a wider problem in the Department of Defense. It found that Secretary Pete Hegseth violated policy by sharing operational details on Signal from a personal device two hours before a strike and inadvertently added a journalist to the group. The reports cite broader “shadow communications,” limited audit evidence, and recommend approved alternatives, training, and tighter authority controls.

Fri, December 5, 2025

FBI Warns of Virtual Kidnapping Scams Using Altered Photos

🔒 The FBI has issued a public service announcement warning that criminals are manipulating images shared on social media to support virtual kidnapping ransom schemes. Scammers contact victims by text, claim a relative has been abducted, and send altered photo or video proof-of-life, sometimes using timed messages to prevent scrutiny. The FBI urges vigilance: avoid sharing travel details, establish a family code word, and capture screenshots or recordings for investigators. BleepingComputer identified multiple social media examples and reports of number spoofing.

Fri, December 5, 2025

EU Fines X €120M for Deceptive Blue Checkmarks Under DSA

🔎 The European Commission has fined X €120 million for breaching transparency obligations under the Digital Services Act. A two‑year inquiry found X's paid 'blue checkmark' programme misleading because badges could be purchased without meaningful identity verification, and that its ad repository and researcher access practices lacked required transparency. X has 60 working days to fix the checkmark issue and 90 days to submit plans for ad and research improvements or face further penalties.

Thu, December 4, 2025

NCSC launches Proactive Notifications pilot for UK orgs

🔔 The UK National Cyber Security Centre (NCSC) is piloting Proactive Notifications, a service delivered via Netcraft that scans publicly available internet data to identify exposed software and missing security services. The NCSC will email affected organizations — messages originate from netcraft.com, contain no attachments, and do not request payments or personal data. The pilot covers UK domains and IPs on UK ASNs and focuses on notifying about specific CVEs and general weaknesses like weak encryption.

Thu, December 4, 2025

Russia Blocks FaceTime and Snapchat Citing Terror Use

📵 Russian telecom regulator Roskomnadzor has blocked FaceTime and Snapchat, alleging the platforms are being used to coordinate terrorist attacks, recruit perpetrators, and facilitate fraud against Russian citizens. Roskomnadzor said Snapchat was blocked on October 10 under centralized public communication network rules, and announced the FaceTime restriction later. Apple and Snap did not immediately respond to requests for comment.

Thu, December 4, 2025

US, International Agencies Issue AI Guidance for OT

🛡️ US and allied cyber agencies have published joint guidance to help critical infrastructure operators incorporate AI safely into operational technology (OT). Developed by CISA with the Australian Signals Directorate and input from the UK's NCSC, the document covers ML, LLMs and AI agents while remaining applicable to traditional automation systems. It recommends assessing AI risks, protecting sensitive OT data, demanding vendor transparency on embedded AI and supply chains, establishing governance and testing in controlled environments, and maintaining human-in-the-loop oversight aligned with existing cybersecurity frameworks.

Wed, December 3, 2025

Russia Blocks Roblox Citing Distribution of LGBT Content

🚫 Roskomnadzor has restricted access to the US gaming platform Roblox, saying it repeatedly failed to stop the distribution of what the regulator described as LGBT propaganda, extremist and terrorist materials, and calls for violent illegal actions. The agency said unsafe content appeared in in-game rooms where users can simulate attacks, target schools, or participate in gambling. Roblox was reportedly warned in November after moderation shortcomings were confirmed.

Wed, December 3, 2025

UK Plans Ransomware Payment Ban With Security Exemptions

🔒 The UK government plans to ban ransomware payments for public sector and critical national infrastructure, while requiring other businesses to notify authorities if they intend to pay attackers. Announced after a public consultation and detailed in a September policy paper, the measure will include national security exemptions to avoid creating impossible choices for essential services. Security Minister Dan Jarvis said the move is a priority and that adoption will proceed when parliamentary time allows, with ongoing coordination across government and allied states.

Wed, December 3, 2025

Guide: Secure Integration of AI in Operational Technology

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre published a joint guide outlining four principles to safely integrate AI into operational technology (OT). The guidance emphasizes educating personnel, assessing AI uses and data risks, establishing governance, and embedding safety and security. It focuses on ML, LLMs, and AI agents while remaining applicable to other automation approaches. CISA and international partners encourage OT owners and operators to adopt these risk-informed practices to protect critical infrastructure.