CISO Brief

All news in category “Regulation and Policy Brief”

361 articles

Europe's Push for Tech Sovereignty and Security Agenda

🔒 European policymakers are accelerating a push for greater tech sovereignty in response to shifting geopolitical trust and concerns over dependence on US and other foreign technologies. The debate spans legal, operational and supply-chain dimensions, with proposals under the EU’s Tech Sovereignty Package and revisions to procurement and the Cybersecurity Act. Achieving autonomy will require investment in local R&D, talent, interoperable systems and realistic timelines, while avoiding protectionist measures that stifle competition. The private sector must factor geopolitical risk into procurement to scale credible European alternatives.

UK Regulators Warn Financial Firms on Frontier AI Risks

⚠️ On May 15 the UK government, the Financial Conduct Authority and the Bank of England issued a joint warning about cybersecurity threats from frontier AI. They noted models can outperform skilled practitioners at greater speed, scale and lower cost, amplifying risks to firms, customers and financial stability. The statement urges firms to strengthen governance, vulnerability management, third-party controls, protection and response capabilities and points to NCSC resources and prior resilience guidance.

EU Cyber Resilience Act: Product Safety and Deadlines

🛡️ The EU Cyber Resilience Act (CRA) shifts focus from development practices to product safety, extending CE-like obligations to software, firmware, backend services and connected devices. It mandates SBOMs, minimum support lifecycles, and rapid reporting: organizations must have vulnerability and incident processes in place by Sept 11 and report exploited flaws within 24 hours, with full reports in three days. Many vendors and CIOs remain unprepared, particularly around automated SBOMs, open source obligations, and the wider conformity assessments the law introduces.

ICO issues five-step guidance on AI-driven cyber risk

🔐 The ICO has published a five-step guide urging organisations to prepare for AI-enhanced cyber threats, including deepfake social engineering, adaptive malware and automated exploitation. It points readers to the NCSC's updated Cyber Assessment Framework and expects baseline adoption of Cyber Essentials and the UK Cyber Governance Code. The guidance emphasises robust patching, MFA, least‑privilege, supply‑chain vetting, DPIAs for high‑risk AI and human oversight of AI-enabled defences.

G7 Issues Minimum SBOM Elements for AI Supply Chains

🔍 A G7 Cybersecurity Working Group paper published on 12 May defines minimum elements for software bills of materials (SBOMs) tailored to AI systems, aiming to boost transparency across AI supply chains. It outlines seven clusters — Metadata, System Level Properties, Models, Dataset Properties, Key Performance Indicators, Infrastructure and Security Properties — to guide producers and users. The guidance stresses clusters are non-mandatory, that SBOMs alone are insufficient, and recommends linking SBOMs to vulnerability, advisory and tooling ecosystems.

CISA's AI SBOM Guidance Expands Supply‑Chain Oversight

🔍 The US Cybersecurity and Infrastructure Security Agency (CISA), working with G7 cyber partners, released supplemental minimum elements for an AI software bill of materials to document models, datasets, software components, providers, licenses, and other dependencies. The guidance extends traditional SBOM concepts into AI and is positioned to support procurement and vendor-risk assessments while remaining non‑exhaustive and non‑mandatory. Security teams should press vendors for model provenance, training and update practices, and runtime controls, but must recognize AI SBOMs provide visibility rather than assurance.

GM Agrees to $12.75M California Settlement Over Data Sale

⚖️ California Attorney General Rob Bonta reached a $12.75 million settlement with General Motors after an investigation found GM collected and sold Californians’ driving and location data through OnStar and the Smart Driver program without proper notice or consent. The probe identified transfers to the brokers Verisk and LexisNexis between 2020 and 2024. In addition to a record civil penalty, GM must stop such sales for five years, delete retained data absent consent, require the brokers to purge the records they received, and bolster privacy compliance with periodic assessments.

FCC Extends Deadline for Security Patches to 2029 Nationwide

⚠️ The FCC has extended the deadline for suppliers of banned foreign-made consumer routers to deliver security updates to US customers until at least 1 January 2029. The March 2026 import and sale ban put these devices on the FCC’s covered list, with limited exceptions for devices conditionally approved by the DoD or DHS. The extension, announced by the Commission’s Office of Engineering and Technology on 8 May, permits only software and firmware updates that mitigate harm and maintain functionality, not the addition of new features, and it also covers foreign-made drone systems and critical components.

NOYB Sues LinkedIn Over Paywalled 'Who Viewed' Data

⚖️ NOYB has filed a complaint in an Austrian court arguing that LinkedIn’s paywalled "Who’s Viewed Your Profile" feature violates GDPR Article 15 by denying EU users free access to profile-visitor data. The group says LinkedIn refuses Data Subject Access Requests (DSARs) from non-paying users while providing the same information to Premium subscribers. LinkedIn rejects the claim, saying it discloses the information via its Privacy Policy and that users can control visibility settings. NOYB seeks regulatory enforcement and potential fines to stop what it calls illegal monetization of access rights.

Ten Years of GDPR: Achievements, Gaps, and Next Steps

🔒 Ten years after the EU adopted the General Data Protection Regulation (GDPR), experts say it fundamentally reshaped corporate privacy culture but left important gaps. Analysts credit the GDPR with embedding privacy into daily operations, raising standards, and creating accountability by forcing organizations to know and document their processing. Yet enforcement inconsistencies, international transfer disputes, widespread consent fatigue and the rise of generative AI expose legal and practical tensions that require clarification and coordination with newer digital rules.

CISA's CI Fortify: Guidance for Isolation and Recovery

🔒 CISA has launched CI Fortify, urging water, energy, transportation and communications operators to plan to disconnect from third-party networks and maintain essential services if targeted by cyber-attacks. The guidance sets two core objectives: isolation — proactively segmenting OT from business and upstream networks to keep services running in degraded communications — and recovery — documenting systems, backing up critical files and rehearsing component replacement or manual operation. Operators are advised to identify critical customers, set service targets, update continuity plans for prolonged isolation, and share the guidance with vendors, integrators and managed service providers.

CISA Considers Cutting Critical Patch Window to 72 Hours

⚠️ CISA is reportedly weighing a proposal to shorten the remediation window for critical government vulnerabilities from the current 14 days to just 72 hours. The Reuters-sourced report ties the consideration to concerns that AI tools such as Anthropic’s Claude Mythos could accelerate the discovery and weaponization of serious flaws, though CISA has not confirmed the discussion. Security practitioners warn the tighter window would strain testing, asset discovery, and patch deployment; others say it could be attainable with modern automation and processes.

CISA Urges Critical Infrastructure to Prepare for Isolation

🔒 CISA has launched the CI Fortify initiative to help critical infrastructure operators prepare to operate in isolation from the internet and third-party services during major cyber incidents. The program focuses on controlled isolation—distinct from traditional air-gapping—combined with local manual operations and rapid restoration. CISA will provide targeted assessments, guidance, and exercises during a pilot phase while urging operators to map dependencies and invest in resilient architectures.

FTC to Bar Kochava From Selling Americans' Location Data

🔒 The Federal Trade Commission will ban data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling precise geolocation data without consumers' affirmative express consent as part of a settlement stemming from an August 2022 suit. The FTC alleged Kochava supplied paid clients — via an AWS Marketplace feed — with high-volume raw latitude/longitude transactions that enabled tracking to sensitive sites. Under the proposed court order, sales or transfers of precise location data are prohibited unless consumers directly request a service and explicitly consent; the companies must also implement a sensitive location program, supplier assessments, consent withdrawal and disclosure mechanisms, incident reporting to the FTC, and retention/deletion schedules.

CISA Launches CI Fortify to Bolster Infrastructure Resilience

🔒 CISA released new guidance called CI Fortify to help critical infrastructure organizations prepare to operate through crises and conflicts and continue delivering essential services while under cyberattack. The guidance centers on two emergency capabilities: Isolation — proactively disconnecting from third-party dependencies and operating without reliable telecommunications — and Recovery — rapidly restoring compromised systems while isolated. CISA urges organizations to begin investing now, test recovery plans, and practice local and manual operations to maintain a baseline of continuity.

White House Weighs Pre-Release Checks for High-Risk AI

🛡️ The White House is privately discussing whether advanced AI models that could enable cyberattacks should undergo government-led or formal pre-release reviews before public deployment. The talks were prompted by Anthropic’s Mythos, which the company says has identified thousands of high-severity vulnerabilities, and by comparable capabilities from other labs. Officials are weighing options including formal vetting and targeted testing for higher-risk systems. No policy has been finalized and no timeline has been set.

Regulator Warns: Frontier AI Models Heighten Bank Cyber Risk

⚠️ APRA warns that frontier AI models such as Claude Mythos pose a rapidly evolving cyber risk to the banking sector by enabling faster, more automated discovery of vulnerabilities. The regulator found governance often treats AI as “just another technology,” missing distinctive features like predictive behavior, adaptability, bias and data risks, and urged firms to accelerate vulnerability identification and remediation. APRA called for robust security testing of AI‑generated code and deeper assessment of major AI platforms to avoid attackers outpacing current patch cycles.

US Agencies Issue Zero Trust Guidance for OT Security

🔒 A joint guide from CISA and federal partners outlines how to adapt zero trust principles to operational technology (OT) environments while preserving safety and uptime. It details practical measures such as passive asset discovery, network segmentation, microsegmentation, identity and access controls tailored to legacy devices, and secure remote access via jump hosts with MFA. The guidance calls out risks from IT/OT convergence, including credential compromise, supply-chain vulnerabilities and malware that can disrupt physical processes. It emphasizes compensating controls where modern security features cannot be deployed, and the need for close IT–OT collaboration and integrated incident response.

CISA Urges Zero Trust Adoption for Operational Technology

🔒 CISA has instructed owners and operators of operational technology to stop assuming network safety and released joint guidance, Adapting Zero Trust Principles to Operational Technology, to apply Zero Trust to systems supporting power, water, transportation, building automation, and weapons-support infrastructure. The 28-page guide — developed with the Department of War, Department of Energy, FBI, State Department and NIST technical input — emphasizes assuming adversaries are inside, validating access by identity, context, and risk, and tailoring controls to OT constraints like latency and safety.

Guide to Accelerate Zero Trust for Operational Technology

🔐 CISA and U.S. government partners published Adapting Zero Trust Principles to Operational Technology, a practical guide for OT owners, operators, and Zero Trust practitioners. The guidance explains how to apply Zero Trust in OT environments while minimizing risk to mission-critical systems and accommodating legacy constraints and safety requirements. It highlights establishing zones and conduits, addressing supply chain risks, and implementing robust identity and access management to reduce exposure and strengthen resilience.