
All news in category “Regulation and Policy Brief”


Implementing NIS2 Without Creating Excessive Paperwork

🛡️ Companies facing NIS2 risk turning compliance into a voluminous paperwork exercise unless security is embedded in the technical stack from the outset. The piece argues that documentation alone does not equal protection and advocates for automating controls and evidence via infrastructure as code, CI/CD pipelines, and policy-as-code. Practical focus areas include IAM, vulnerability and supply-chain management, and monitoring and incident response, where automation both reduces burden and improves auditability.

Italy Fines Apple €98.6M Over App Tracking Rules in EU Market

⚖️ Italy's antitrust authority has fined Apple €98.6 million after finding that its App Tracking Transparency (ATT) framework restricted App Store competition by imposing a burdensome double-consent process on third-party developers. The AGCM said Apple used its dominant distribution position to unilaterally set consent rules without consulting developers. Regulators noted they are not contesting Apple's privacy goals but found the ATT consent requirements disproportionate and harmful to ad-supported developers. Apple said it will appeal and defended its privacy protections.

Italy Fines Apple €98.6M Over App Store Tracking Policy

🔔 Italy's competition authority (AGCM) has fined Apple €98.6 million for using App Tracking Transparency (ATT) in a way the regulator says abused its dominant position in mobile app advertising. The AGCM found that ATT requires third-party apps to show a standardized tracking prompt while exempting Apple's own apps, creating a burdensome double-consent process because the ATT prompt does not satisfy GDPR requirements. Apple says it will appeal and continues to defend ATT as a privacy protection.

FCC Bans Foreign-Made Drones and Critical Components

🚫 The FCC has placed foreign-made uncrewed aircraft systems (UAS) and critical UAS components on its Covered List, citing national security concerns and provisions of the 2025 NDAA. The action targets China-made vendors such as DJI and Autel Robotics and covers communications, flight controllers, navigation systems, batteries, motors, and related parts. The agency said the move will reduce risks of unauthorized surveillance, data exfiltration, and destructive operations over U.S. territory while permitting DHS to exempt specific models and allowing continued use and sale of previously approved devices.

NIST and CISA Draft Guidance to Protect Identity Tokens

🛡️ NIST and CISA released the initial draft of Interagency Report (IR) 8597, offering implementation guidance to protect identity tokens and assertions from forgery, theft, and misuse. The draft, open for public comment through January 30, 2026, targets federal agencies and cloud service providers. It reviews controls for IAM systems that rely on digitally signed tokens and calls on CSPs to adopt Secure by Design principles while prioritizing transparency, configurability, and interoperability. The report also urges agencies to understand CSP architectures and deployment models to align protections with their risk and threat environment.

What CISOs Should Know About the SolarWinds Dismissal

🔍 The SEC’s Nov. 30 decision to drop its civil action against SolarWinds and CISO Tim Brown produced widespread relief among security leaders after five years of investigation tied to the SUNBURST supply‑chain compromise. While many celebrated, experts warn this outcome is not permanent closure: it exposed persistent organizational tensions where CISOs carry responsibility without full authority. Security leaders should confirm indemnification and D&O protections, clarify governance for cyber disclosures, and improve executive-level communication so cyber risk becomes an explicit company decision.

Dismantling Defenses: Trump 2.0 Cyber Year Review Report

🔒 The Trump administration's second term enacted sweeping policy shifts that critics say have weakened the U.S. ability to address cybersecurity, privacy, and corruption risks. Changes include mass workforce cuts and reassignments at CISA, the dismissal of the Cyber Safety Review Board, and reduced enforcement by agencies such as the SEC and CFPB. The creation and apparent misuse of the Department of Government Efficiency (DOGE) raised serious data‑access and oversight concerns. New travel, vetting, and speech controls add further civil‑liberties implications.

Instacart to Refund $60M for Deceptive Subscription Tactics

📰 Instacart will refund $60 million to resolve FTC allegations that it misled customers through deceptive subscription and pricing practices. The FTC says Instacart advertised free delivery while charging mandatory service fees, concealed full-refund options behind self-service menus, and failed to disclose automatic charges at the end of Instacart+ free trials. Under the proposed order, affected consumers will receive refunds and the company must clearly disclose subscription terms.

NIS2 Compliance: Passwords and MFA Best Practices Guide

🔐 The EU's NIS2 Directive requires organizations in critical sectors to strengthen identity and access controls, with Article 21 explicitly calling for access policies and practical protections. Modern password hygiene favours long passphrases (e.g., 15+ characters), breach screening, and avoiding routine rotations unless compromise is suspected, alongside user-friendly measures like password managers. While NIS2 doesn't always explicitly mandate MFA, national guidance and ENISA expect phishing‑resistant MFA for privileged and critical accounts.

ISACA Named Global CMMC Credentialing Authority by US DoD

🛡️ ISACA has been appointed by the US Department of Defense as the global credentialing authority for the CMMC program, responsible for training, examining and certifying assessors and instructors. The DoD's final CMMC rule published on 10 September 2025 and effective 10 November 2025 initiated a three-year rollout, requiring credentials across DoD suppliers by 2028. ISACA replaces The Cyber AB as the CAICO and expects the rules to affect over 200,000 contractors worldwide, including many in Europe.

CISA Guide Helps Stadiums Mitigate Lifeline Disruptions

🏟 CISA released the Venue Guide for Mitigating Dependency Disruptions to help stadium and arena owners reduce operational risk from outages in Energy, Water and Wastewater, Communications, and Transportation. Developed with government and industry partners, the concise, actionable resource offers baseline strategies, assessment steps, and partnership guidance tailored for major events including FIFA World Cup 2026 and the 2028 Summer Olympics. It encourages venues to assess lifeline dependencies, integrate contingency plans, and coordinate with local service providers and CISA Security Advisors to strengthen operational resilience.

CISA Joins OPM CyberCorps® Scholarship for Service

🔒 CISA announced participation in the Office of Personnel Management’s CyberCorps® Scholarship for Service (SFS), offering internship and postgraduate career pathways to eligible scholarship recipients. With OPM adding 100 new SFS internship roles, CISA will place undergraduate selectees in time-limited excepted service appointments and may offer full-time excepted service positions to postgraduates. The initiative is intended to develop a skilled federal cybersecurity workforce and accelerate leadership in national cyber defense.

SEC Committee’s Proposed AI Disclosure Rule: Details Matter

🏛️ The SEC Investor Advisory Committee has proposed a rule that would require public companies to analyze and disclose material AI efforts, including choices not to deploy or underinvest in AI. The draft would let issuers self-define “AI” and then consistently apply that definition across filings, disclosures, and governance documents. Legal and industry observers say the mandate could force boards and executives to scrutinize AI use and governance more closely, but they warn that inconsistent definitions, boilerplate language, and gaps such as shadow IT could render filings less useful to investors.

Texas Sues TV Makers Over Secret Viewing Data Collection

📰 Texas Attorney General Ken Paxton has sued five TV manufacturers — Sony, Samsung, LG, Hisense, and TCL — alleging they used Automated Content Recognition (ACR) to secretly record and transmit users' viewing activity without consent. The complaints filed in Texas state courts claim some TVs capture screenshots every 500 milliseconds, monitor viewing in real time, and send that data to corporate servers where it is allegedly sold for advertising. Paxton also raised concerns that the China-based vendors may be subject to China's National Security Law, potentially exposing U.S. consumer data to foreign authorities. An LG spokesperson declined to comment on the pending matter; other vendors had not responded at the time of reporting.

Against a Federal Moratorium on State AI Regulation

⚖️ The essay opposes a proposed ten‑year moratorium and an impending Executive Order that would bar states from regulating artificial intelligence, arguing this would cede power to a few dominant AI firms and undermine local consumer protections. It highlights growing state efforts in places like California, New York, Massachusetts, Utah, and Texas and rejects the industry claim that a regulatory patchwork would fatally stifle innovation. The authors advocate that the federal government should support state-led experimentation and fund public-interest AI models rather than preempt state authority, and note that the President signed an Executive Order shortly after publication.

NCSC Playbook Integrates Cyber Essentials into Supply Chains

🔒 The UK National Cyber Security Centre (NCSC) has published a practical playbook urging businesses to embed Cyber Essentials across supply chains and to use its new Supplier Check tool to verify supplier certification (CE or CE Plus). It highlights that firms with turnover under £20m qualify for free cyber‑liability insurance and incident response support when certified. The seven-step guidance covers risk mapping, defining security profiles, setting and enforcing minimum security requirements, incentivizing CE, embedding adoption into procurement and monitoring uptake.

NCSC Addresses Guidance Gap for Cyber-Deception Use

🛡️ The NCSC published findings from an Active Cyber Defence 2.0 pilot that evaluated cyber-deception solutions across 121 UK organisations and 14 vendors. The report highlights barriers including inconsistent terminology, a lack of impartial guidance, difficulty producing outcome-based metrics, and risks from misconfiguration. The centre plans large-scale deployment of honeypots, honeytokens and cloud traps and urges planning, continual tuning and peer learning to realise benefits safely.

CISA Releases Version 2.0 of Cross-Sector CPGs Guidance

🛡️ CISA released version 2.0 of its Cross-Sector Cybersecurity Performance Goals (CPGs), aligning the framework with NIST Cybersecurity Framework 2.0 and three years of operational insights. The update consolidates IT, OT, and IoT goals into unified objectives, adds a new Govern function to strengthen leadership accountability, and expands guidance on zero trust, supply chain risk, and incident communication. CISA presents the streamlined, better-documented goals as practical, measurable, and voluntary actions organizations can adopt regardless of size.

CISA Releases Cross-Sector Cybersecurity Goals 2.0 Update

🛡️ CISA released Cross-Sector Cybersecurity Performance Goals (CPG 2.0) providing measurable actions for critical infrastructure owners and operators to achieve a foundational cybersecurity baseline. The update aligns with the latest NIST Cybersecurity Framework revisions and incorporates lessons learned from recent incidents and threats. CPG 2.0 introduces a governance-focused component that emphasizes accountability, risk management, and the integration of cybersecurity into day-to-day operations. The goals are streamlined and outcome-driven to guide investment, benchmark progress, and reduce risk in measurable ways.

FCA Launches Firm Checker Tool; Experts Remain Cautious

🔎 The Financial Conduct Authority (FCA) has launched Firm Checker, a consumer-facing tool to verify whether a financial firm is authorised and whether its contact details match the regulator's records. The FCA says its Financial Services Register contains additional information on firms not covered by the tool, including crypto restrictions, historic fines and permissions. Industry commentators welcomed the move but warned the tool is not a silver bullet and called for broader action to tackle social engineering and money-mule networks.