< ciso
brief />
Regulation and Policy Brief Banner

All news in category “Regulation and Policy Brief

403 articles

UK launches Cyber Resilience Pledge for businesses

🛡️ The UK government announced the Cyber Resilience Pledge, with over 60 businesses signing up after its unveiling at CYBERUK in April alongside a £90m support package. Signatories such as Microsoft UK, Marks & Spencer and Vodafone commit to board-level cyber accountability, NCSC training, Early Warning registration and risk-based Cyber Essentials adoption across supply chains. The scheme targets medium and large firms with the aim of driving baseline security improvements across suppliers.
read more →

France ends certification of non-quantum encryption

🔒 France’s cybersecurity agency ANSSI announced it will stop certifying security products that lack quantum-resistant encryption beginning in 2027, accelerating a national shift to post-quantum cryptography. ANSSI’s decision effectively forces French government bodies and critical operators to adopt quantum-safe solutions, as its approval is required for official use. The agency advised businesses to purchase only quantum-safe products by 2030 to ensure compliance and future-proofing.
read more →

CJEU upholds €4.1B antitrust fine against Google

📢 The Court of Justice of the European Union has dismissed Google's final appeal against a €4.1 billion antitrust fine related to Android. The ruling affirms that Google used pre-installation, anti-fragmentation agreements, and certain revenue-sharing deals to strengthen its dominant position and restrict competition. Google contests the decision, noting changes to its practices since 2018 and arguing that market realities have shifted.
read more →

Cybersecurity Mission Creep in U.S. Policy Debates

🔍 Cybersecurity Mission Creep examines how policymakers increasingly reframe diverse social and regulatory problems as matters of cybersecurity, a process the paper labels cybersecuritization. This reframing elevates issues—from misinformation and child safety to antitrust and trafficking—to existential security threats, enabling urgency-driven legal and political responses. The article warns that this trend simplifies complex issues, channels deference to specialists, and risks eroding public trust and governance transparency.
read more →

FTC fines Amazon for withholding fraud victims’ records

🔎 The FTC says Amazon will pay a $2.25 million penalty after allegedly blocking identity-theft victims from obtaining transaction records required under Section 609(e) of the FCRA. The complaint claims Amazon customer service denied record requests citing "privacy" or "security," often delivered records after the 30-day statutory window, and sometimes refused law enforcement requests. The order requires Amazon to provide requested records within 30 days and notify affected consumers who previously requested records since April 2024.
read more →

Bill would require mandatory AI incident reporting

📝 A proposed AI Incident Reporting Act would obligate developers of designated high-capability models to report major safety and security incidents to the Commerce Department. Reports would be required within seven days of discovery, with 48-hour notifications to congressional leaders for imminent or ongoing serious harm. The bill tasks the Secretary of Commerce with defining capability thresholds and grants the department investigative and enforcement powers, including fines up to $2 million per violation.
read more →

Ten years of the GDPR: mixed outcomes and lessons

📄 Ten years after the GDPR came into force, data protection is far more established across Europe and beyond, raising consumer awareness and making privacy a competitive factor for businesses. Record fines against major tech firms underline enforcement seriousness, even as many penalties remain disputed. Companies increasingly view the regulation as burdensome and legally uncertain, complicating innovation, notably in AI development.
read more →

AI Liability and the Publisher–Carrier Distinction

📰 The German court found Google liable for AI-generated search summaries, rejecting defenses that users should verify AI output themselves. This ruling highlights the historical distinction between carriers and publishers and argues that AI summaries act like editorial content. Past cases, like Air Canada’s chatbot ruling, reinforce that organizations are responsible for their AI agents. The decision could force companies to improve AI accuracy or curtail certain commercial uses.
read more →

CISA guidance steers agencies from TIC 2.0 to SASE

🔒 CISA has issued guidance to help federal agencies transition from perimeter-based Trusted Internet Connections (TIC) 2.0 to a more flexible TIC 3.0 using Secure Access Service Edge (SASE) technology. The guidance explains how SASE can replace legacy Managed Trusted Internet Protocol Services (MTIPS) and combines networking and security functions such as SD-WAN, secure web gateways, CASBs, next-gen firewalls and ZTNA. It is vendor-agnostic and emphasizes architecture and visibility requirements rather than specific products.
read more →

MPs Warn UK Museums Face Cybersecurity Shortfalls

🛡️ Parliament’s Public Accounts Committee has criticised the Department for Culture, Media and Sport for a reactive approach to cybersecurity, leaving national galleries and museums exposed. The PAC highlighted incidents including a ransomware attack on the British Library and thefts from the British Museum as evidence of systemic failings. It calls on DCMS to set out concrete actions, share lessons across the sector, and address skills shortages and legacy technology.
read more →

Executive Order Accelerates Post‑Quantum Readiness

🔒 The White House Executive Order signed June 22, 2026 mandates migration of federal systems to NIST‑approved post‑quantum cryptography, setting milestones for key establishment by 2030 and digital signatures by 2031. It extends urgency to critical infrastructure, federal contractors, and procurement, highlights "harvest now, decrypt later" risk, and calls for cryptographic bill of materials guidance to drive visibility and operational readiness.
read more →

US issues post-quantum crypto deadlines, launches quantum push

🔒 The White House signed two executive orders to accelerate federal migration to post-quantum cryptography and expand investment in quantum technologies. The crypto order sets firm deadlines for replacing vulnerable algorithms, requires cryptographic inventories and a CBOM, and signals future procurement rules for contractors. The companion order creates a coordinated federal quantum initiative to drive research, commercialization, workforce development, and defenses for sensitive research.
read more →

U.S. Executive Order Accelerates PQC Adoption

🔒 On June 22, 2026, President Trump signed Executive Order 14409, setting federal deadlines to adopt post-quantum cryptography: key establishment by December 31, 2030, and authentication by December 31, 2031, with contractors required to comply by 2030. Cloudflare supports the EO, noting federal procurement has historically driven industry adoption and highlighting that post-quantum encryption deployment is already widespread across its services while authentication work continues. The EO focuses on NIST-standardized PQC, excludes National Security Systems, and directs OMB and agencies to plan and report migration progress.
read more →

U.S. Sets 2030–2031 Deadlines for PQC Migration

🔐 President Trump signed an executive order on June 22 directing federal agencies to migrate high-value assets to post-quantum cryptography with key establishment required by December 31, 2030 and digital signatures by December 31, 2031. The EO accelerates the federal timeline by four to five years and aligns agency schedules with NIST's 2024 FIPS for ML-KEM and ML-DSA/SLH-DSA. Agencies must name migration leads, inventory cryptographic assets, and submit plans; OMB, NIST, CISA and FAR will issue guidance to enforce timelines and contractor requirements.
read more →

US Executive Order Accelerates PQC Migration by 2031

🔐 The US has issued Executive Order 14409 requiring federal agencies to migrate to post-quantum cryptography (PQC) for key establishment by December 31, 2030 and for digital signatures by December 31, 2031. The EO mandates a Commerce-led PQC pilot to finish by December 31, 2027 and directs OMB and the National Cyber Director to accelerate a nationwide transition while coordinating with other agencies and international partners. It also tasks agencies to find cost efficiencies and ensures contractors meet federal cybersecurity standards by 2030.
read more →

Five Eyes Urges Urgent AI-Driven Cyber Resilience

🛡️ The Five Eyes cybersecurity agencies warned on June 22 that frontier AI is already reshaping offensive and defensive cyber capabilities and urged businesses to prioritize cyber resilience. They cautioned that AI accelerates attacks by lowering barriers and shrinking the window between discovery and exploitation, while also offering defensive benefits. The group recommended a whole-of-organization response focused on basics, secure-by-design, defence in depth, and integrating AI into security operations. Practical steps included reducing attack surfaces, accelerating patching, addressing legacy systems, strengthening access controls, and preparing incident response.
read more →

UK Information Commissioner Resigns After Probe

📰 The UK’s information commissioner, John Edwards, resigned on June 19 after an internal HR investigation concluded there was a case to answer for conduct that fell short of expected standards. Secretary of state Liz Kendall cited vulgar, sexualized language and thanked those who came forward. The ICO reiterated its commitment to a safe workplace and said it does not accept harassment, bullying or discrimination. Edwards acknowledged poor judgement, described his role as untenable and announced his resignation.
read more →

Estonia Proposes Government IDs for AI Agents

🛡️ The Estonian AI Council proposes government-backed digital identities for AI agents to define delegated powers and responsibilities. Prime Minister Kristen Michal emphasized that clear attribution, rights, and accountability are essential as AI increasingly acts on behalf of people and organizations. The ID could specify permissions such as data viewing, document editing, or making payments with defined limits. Estonia aims to leverage its digital ID leadership and become the first country to formalize agent identities.
read more →

EU Cybersecurity Reserve Extended to Ukraine

🛡️ The Council of the EU approved Ukraine’s inclusion in the EU Cybersecurity Reserve on June 16, allowing the Ukrainian government to request emergency EU cyber support for large-scale incidents. Managed by ENISA, the reserve leverages 47 trusted private providers who passed an ownership control assessment. The initiative is funded under the Digital Europe Work Programme 2025–2027 and grounded in the EU Cyber Solidarity Act.
read more →

UK to require ID or face scan for new social accounts

🔒 The UK will ban under-16s from social media and require age checks for new accounts, likely via ID upload or facial age scans, with regulations due before Christmas and rules effective spring 2027. Longstanding accounts are largely grandfathered, but new account creation will typically need verification. Experts warn checks are easy to circumvent, risk exposing ID/biometric data, and were pushed through with limited scrutiny. The government cites parental support and aims to restrict high-risk features and certain AI chatbot functions.
read more →