All news in category “Regulation and Policy Brief”

🔒 Escalating threats and expanding regulation have materially increased corporate exposure to cybersecurity and privacy disputes, with 2025 showing a marked rise in class actions and litigation risk. The piece identifies key drivers for 2026: sophisticated state-sponsored actors using AI, intensified federal initiatives and enforcement, proactive state regulator actions, growing third‑party/vendor risk, and inventive litigation tactics such as qui tam and False Claims Act claims. It urges organizations to revisit fundamentals — data inventories, governance, third‑party oversight, incident response and public statements — to reduce legal and operational exposure.

🔒 The Council of the European Union has sanctioned three companies and two individuals from China and Iran for cyberoperations that targeted devices and critical infrastructure. The measures name Integrity Technology Group (linked to the Raptor Train botnet), Anxun Information Technology (i‑Soon) and Iranian firm Emennet Pasargad. Listed parties face asset freezes and prohibitions on accessing funds, and natural persons are subject to travel bans through EU territory.

🔐 In a March 2026 episode of Brass Tacks, Professor Oreste Pollicino argues that cybersecurity has transitioned from a technical specialty to a constitutional concern that underpins trust and fundamental rights. He warns that fear-driven enforcement undermines cooperation and urges regulators to act as mediators by fostering dialogue, literacy, and mutual learning with the private sector. The episode advocates governance over punishment, calls for harmonization rather than uniformity, and supports naming accountable individuals to enable communication instead of creating scapegoats.

🛡️ Cloudflare is contesting Italy’s Piracy Shield, a regulator-run portal that requires rapid blocking of sites nominated by unnamed media companies, after refusing to register and being fined €14 million. The company says the system lacks due process, transparency, and judicial oversight, routinely causes overblocking, and conflicts with the Digital Services Act. Cloudflare has appealed the fine, sought disclosure of enforcement records, and is pursuing remedies in Italian courts and with EU authorities. It warns the scheme endangers global Internet infrastructure and user rights.

🤝 Google announced it has signed the Industry Accord Against Online Scams & Fraud with major industry partners including Adobe, Amazon, LinkedIn, Meta, Microsoft and OpenAI. The agreement commits participants to unify capabilities, share threat intelligence and coordinate defenses against sophisticated, cross-border scam networks. Google said it will expand technical support and deploy AI-driven detection tools, building on $15 million in Google.org funding. In 2026 the company will share more through the Global Signal Exchange and publish guides on data sharing, private sector referrals to law enforcement, and public policy frameworks.

🔒 The article argues the cyber perimeter was never dead but was abandoned, leaving unsupported firewalls, routers, and remote access appliances as easy footholds for attackers. It outlines the FBI’s Operation Winter SHIELD, a concentrated two-month effort targeting weak authentication, excessive privileges, and unpatched edge devices, and CISA’s BOD 26‑02, which mandates removal of end-of-life perimeter hardware within 18 months. The piece warns that neglecting edge devices undermines identity-first strategies and urges CISOs to regain total edge visibility and enforce disciplined asset lifecycles, strong hardware-based authentication, rapid patching, and strict privilege controls.

⚖️ Police Scotland was fined £66,000 and reprimanded after an Information Commissioner’s Office (ICO) investigation found the force extracted and then mistakenly shared the full contents of a female detective’s phone with the officer she accused of rape. The disclosed material reportedly included intimate photos, medical records and contact details. The ICO said the force failed to limit data sharing, implement appropriate organisational and technical measures, and notify the regulator within the required 72‑hour timeframe.

🔒 The Cybersecurity and Infrastructure Security Agency and MITRE have renegotiated the contract supporting the 26-year-old CVE program, averting the imminent funding cliff that triggered a one-day panic in 2025. Sources indicate the program has been elevated from a discretionary line to a protected budget item within CISA, providing multi-year operational stability. While the move reduces near-term shutdown risk, the agreement remains opaque to many stakeholders and raises outstanding questions about modernization, performance measurement, and governance.

🔒 The Trump Administration published a national cyber strategy on March 6, 2026, presenting a broad framework to strengthen US digital defenses, counter foreign adversaries and accelerate technological innovation. The plan centers on six policy pillars, covering offensive and defensive operations, streamlined cybersecurity and data regulation, federal network modernization, critical infrastructure and supply chain protection, leadership in emerging technologies and workforce expansion. It stresses proactive use of the full range of government tools — including offensive cyber operations, law enforcement and economic sanctions — alongside deeper public–private coordination. Industry leaders welcomed the priorities but warned implementation will depend on funding, contracting vehicles and clear operational authorities.

🔒 The UK government will establish an Online Crime Centre in April to disrupt large-scale cyber-enabled fraud by combining expertise from government, intelligence agencies, police, banks, mobile networks and major tech firms. The centre will identify and shut down scam accounts, websites and phone numbers, block scam texts, freeze criminal accounts and target overseas scam compounds. The strategy also plans to deploy AI for fraud detection and scam-baiting chatbots to gather intelligence, while introducing a new fraud victims charter to standardise support and reimbursements.

🛡️ The German implementation of the NIS-2 directive came into force on December 6, 2025, prompting a last-minute rush of registrations to the Federal Office for Information Security (BSI). The BSI recorded more than 4,000 new registrations in the final week as organisations checked whether the rules apply to them. The law mandates rapid incident reporting — initial notification within 24 hours, updates within 72 hours and a final report after one month — and serious violations may lead to fines.

🛡️ The German law implementing the NIS-2 directive came into force on 6 December 2025, introducing stricter incident reporting and registration requirements. The Bonn-based Federal Office for Information Security (BSI) reported a surge of more than 4,000 registrations in the final week before the deadline and expects further last-minute filings. Affected organisations must report significant incidents within 24 hours, provide updates within 72 hours and submit a final report after one month, with potential fines for serious violations.

⚖️ Advocate General Athanasios Rantos advised that, under PSD2, banks must immediately refund customers for unauthorised transactions resulting from phishing unless the bank has reasonable grounds to suspect the customer committed fraud and communicates those grounds in writing to the competent national authority. Banks may later seek reimbursement if they can prove the customer acted intentionally or with gross negligence. This opinion is advisory, not a final CJEU ruling.

⚔️ The White House released a concise seven-page cybersecurity strategy developed by the Office of the National Cyber Director that places offensive cyber operations at the center of U.S. policy while also pushing deregulation and accelerated AI adoption. It articulates six implementation pillars including shaping adversary behavior, modernizing federal networks with AI and zero-trust, securing critical infrastructure, and building workforce capacity. Industry responses were broadly positive from vendors emphasizing AI and quantum-safe security, but defenders warn the emphasis on proactive offense and deregulatory moves could raise escalation and resilience concerns.

🔐 The U.S. National Cyber Strategy offers a clear, action-oriented agenda to protect the digital way of life by emphasizing disruption of hostile actors, streamlined regulation, federal network modernization, and the security of AI and quantum technologies. Palo Alto Networks endorses the strategy and highlights practical measures—such as reciprocity for government software certifications, a four-stage quantum-safe framework, and its Secure AI by Design Policy Roadmap—to help operationalize these priorities through public–private collaboration.

⚖️ The Pentagon’s removal of Anthropic from US defense contracts, and the swift substitution by OpenAI, marks a high-profile clash over AI use for military and surveillance purposes. Anthropic refused DoD terms that would permit mass surveillance or fully autonomous weapons, provoking political backlash and a presidential order halting its federal partnerships. OpenAI has agreed to supply classified systems, raising questions about vendor politicization and how safety commitments will be enforced. The episode underscores procurement power, potential legal battles, and the limits of corporate ethical posturing.

🛡️ The Global Coalition on Telecoms (GCOT) has released voluntary 6G Security and Resilience Principles to guide the early development of next-generation mobile networks. Founded by Australia, Canada, Japan, the UK and the US, and joined by Finland and Sweden at Mobile World Congress 2026, the framework was published with industry partners including AT&T, Ericsson, NVIDIA and Nokia. The guidelines define four security and four resilience objectives—covering containment, confidentiality, integrity, resilience and regulatory compliance—to inform standards, supply-chain practices and network architectures ahead of anticipated 6G rollouts in 2029–2030.

🔒 The OpenID Foundation warns that inconsistent handling of deceased users' digital accounts across platforms and jurisdictions creates systemic gaps that invite fraud and exploitation. The report, titled The Unfinished Digital Estate, highlights the growing risk of AI-driven deepfakes simulating deceased individuals to manipulate relatives, spread disinformation, or extract funds. It urges coordinated action from policymakers, platforms and standards bodies to create interoperable frameworks, verifiable death/incapacity processes, and clear consent, delegation and audit mechanisms to protect posthumous identity autonomy.

🔎 This Fortinet podcast episode examines the evolving EU-centric cybersecurity regulatory landscape and its implications for global businesses. Host Joe Robertson speaks with Dr. Tommaso De Zan of Access Partnership about layered rules such as NIS2, the Cyber Resilience Act, DORA, and emerging cloud sovereignty initiatives. They contrast horizontal and vertical regulations, highlight differences between regulations and directives, and emphasize that industry accepts rules but resents uncertainty. Practical advice includes early policy monitoring, engagement in consultations, and embedding security into products and operations.

🔒 The UK’s new vulnerability monitoring service (VMS) continuously scans more than 6,000 public bodies, detecting around 1,000 vulnerability types and processing roughly 400 confirmed findings a month. The service reduced median remediation for general vulnerabilities from 53 to 32 days and cut DNS fix times from 50 to eight days. VMS provides specific, actionable guidance and tracks issues until closure, while the government pairs the platform with a £210m Cyber Action Plan and a new Cyber Profession to address skills gaps.