
All news in category “Regulation and Policy Brief”

361 articles · page 5 of 19

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️ The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.

Samsung to Stop Collecting Texans' TV Viewing Data by Consent

🔒 Samsung and the State of Texas have settled a dispute over allegations that its smart TVs used Automated Content Recognition (ACR) to collect viewing data without users' express consent. Under the agreement, Samsung must halt collection or processing of ACR viewing data from Texas consumers unless they give clear, affirmative consent, and it will update TVs with clearer privacy disclosures and consent screens. Texas AG Ken Paxton said the settlement compels clear, conspicuous notices; Samsung maintains it did not spy on consumers but agreed to strengthen privacy notices.

Pentagon Labels Anthropic Supply-Chain Risk in AI Dispute

⚠️ The Pentagon has directed the Department of War to designate Anthropic a supply-chain risk after talks over military use of its AI model, Claude, reached an impasse. President Donald Trump ordered federal agencies to phase out Anthropic technology within six months, while Secretary of Defense Pete Hegseth ordered immediate cessation of contractor activity. Anthropic says the designation followed its refusal to allow mass domestic surveillance or fully autonomous weapons and calls the move legally unsound and limited to DoW contracts under 10 USC 3252. The dispute has drawn industry pushback and reignited debate over civil liberties, procurement policy, and how safeguards should apply in defense settings.

Tehran's Two-Tiered Internet and Its Global Risks Today

🔒 Iran's January 2026 communications blackout was a comprehensive shutdown that disabled mobile networks, landlines, and even Starlink, extending beyond conventional URL blocking to dismantle both physical and logical connectivity. The regime is formalizing a two-tiered model—white SIM cards and data-center whitelists—that preserves full access for officials while isolating ordinary citizens. By removing social features and disabling local chat channels, the state aims to atomize the population and prevent real-time coordination. The author urges policy and technical measures—such as expanded humanitarian licensing and D2C satellite access—to give repressed populations resilient means of connectivity.

UK Vulnerability Monitoring Service Cuts Fix Times

🔒 The UK government says its new Vulnerability Monitoring Service (VMS) has cut the backlog of critical vulnerabilities by 75% and reduced average fix times for serious public-sector website DNS issues from nearly two months to eight days. Operated by the Department for Science, Innovation and Technology (DSIT), the service continuously scans around 6,000 public sector bodies and provides targeted, practical remediation guidance and progress tracking. The update was published on 26 February.

US Authorities Penalize Sellers of Malware and Spyware

🔒 US authorities have taken swift action against sellers of cyberweapons, sentencing Australian national Peter Williams to 87 months in prison after he sold sensitive exploit components for up to $4 million in cryptocurrency. The Treasury’s OFAC also sanctioned Sergey Sergeyevich Zelenyuk and Matrix LLC (trading as Operation Zero) for acquiring and distributing proprietary US cyber tools. Sanctions block US-held assets and may trigger criminal charges for prohibited transactions.

UK Data Watchdog Reorganises to Board-Led Agency Structure

🔒 A forthcoming overhaul to the UK GDPR will convert the Information Commissioner's Office from a single-commissioner model into a board-run government agency, with Paul Arnold appointed as the first CEO of the new structure. The changes, to be enacted through the Data (Use and Access) Act 2025, aim to improve continuity, broaden expertise and manage a growing workload. The reform also grants the ICO new investigatory and compulsory powers and expands duties affecting businesses, while Data Essentials training will be scaled up.

National Cyber Resilience in the AI Era: A Leadership Guide

🔐 This practical Q&A guide helps leaders translate evolving threats into actionable resilience measures. It highlights why national cyber security urgency has increased as adversaries shift from theft to persistent, disruptive positioning that can affect fuel, hospitals, elections, markets, and public trust. The brief recommends adoption of NIST frameworks, Zero Trust principles, and AI governance to mitigate cloud, OT, and supply chain risks. Leaders receive concise operational steps to align policy, technology, and cross‑sector coordination.

New York Sues Valve Over Loot Boxes for Illegal Gambling

⚖️ New York Attorney General Letitia James sued Valve Corporation, alleging the company facilitated illegal gambling through randomized loot boxes in Counter-Strike 2, Dota 2, and Team Fortress 2 on Steam. The complaint says rare virtual items can be exchanged for real money, that odds are skewed to increase value, and that the mechanics are addictive and harmful to children. James is seeking injunctive relief, disgorgement of profits, and fines.

U.S. Sanctions Russian Exploit Broker for Stolen Zero‑Days

🔒 The U.S. Treasury Department's Office of Foreign Assets Control designated Matrix LLC (doing business as Operation Zero) and its owner, Sergey Zelenyuk, under the Protecting American Intellectual Property Act, marking the first use of that law. The move coincided with the sentencing of former L3Harris manager Peter Williams, who was given 87 months for stealing eight zero‑day exploits and selling them to Operation Zero for about $1.3 million in cryptocurrency. OFAC also named related companies and individuals, including a UAE front company and a suspected Trickbot affiliate, freezing U.S. assets and warning of potential secondary sanctions for U.S. persons who transact with the designated parties.

ICO fines Reddit £14.47m over inadequate age checks

🔒 The UK Information Commissioner's Office (ICO) has fined Reddit £14.47m for failing to implement robust age verification and for not conducting a required DPIA before January 2025. The regulator found that children under 13 had personal data processed without a lawful basis and were potentially exposed to inappropriate content. Reddit maintains it avoids collecting identity data to protect privacy, while experts warn heavy-handed identity checks could introduce new privacy and security risks.

Cyber Conflict Targeting Society: Policy and Resilience

🛡️ In the first episode of Fortinet's Brass Tacks: Talking Cybersecurity season 2, host Joe Robertson speaks with Annita Sciacovelli, a professor of international law and cybersecurity advisor to the Italian Ministry of Defence, about how modern cyber conflict increasingly targets societies rather than only military or corporate assets. They explain that attacks on energy, transport, finance, and public administration aim to erode trust and create strategic psychological pressure, reframing cybersecurity as a public-interest challenge. The discussion highlights legal distinctions between terrorism and state use of force, the importance of ENISA, and EU frameworks such as NIS2, DORA, and the Cyber Resilience Act, while underscoring the need for cyber diplomacy, intelligence sharing, and continuous resilience-building.

UK fines Reddit £14.47M for unlawfully using children's data

🔒 The UK Information Commissioner's Office has fined Reddit £14.47 million for collecting and processing the personal information of children under 13 without adequate safeguards. The ICO found Reddit lacked a meaningful age-verification system until July 2025 and judged the measures introduced then could be easily bypassed. Reddit said it will appeal and disputes the regulator's assessment.

Is AI Good for Democracy? Arms Races, Power, Policy

⚖️ Bruce Schneier contends that AI is reshaping democratic engagement by creating widespread, domain-specific arms races—from academic publishing and courts to media, hiring, and public comment systems. These dynamics advantage well-resourced corporate actors while pressuring governments to adopt automated tools to manage scale. Schneier urges both tactical citizen use of AI and stronger regulatory responses to prevent concentrated power and preserve civic voice.

NIST AI Agent Standards Initiative Aims for US Leadership

🧭 NIST has launched the AI Agent Standards Initiative via the Center for AI Standards and Innovation (CAISI) to create a roadmap for developing interoperable, trustworthy autonomous AI agents. The effort will gather public input through an RFI (responses due March 9) and sector-specific listening sessions in April, and emphasizes industry-led standards, open-source work, and international engagement. Critics caution the process may be too slow to keep pace with agentic AI adoption and emerging threats.

Texas Sues TP-Link Over Alleged Chinese Hacking Risks

🔒 Texas Attorney General Ken Paxton has sued TP-Link, alleging the company deceptively marketed routers as secure while obscuring Chinese supply-chain ties and labeling devices Made in Vietnam. The complaint cites firmware vulnerabilities exploited by Chinese state-backed actors and a large credential-theft botnet built from compromised routers. Paxton seeks monetary penalties and injunctions forcing disclosure of Chinese origins and limits on data collection; TP-Link denies the allegations and says U.S. user data is stored on domestic AWS servers.

Spain Court Orders NordVPN, ProtonVPN to Block Piracy

⚖️ A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites and a dynamic set of IP addresses in Spain that facilitate illegal streaming of LaLiga matches. The measures were issued inaudita parte, meaning the providers were not called to a hearing and will have no opportunity to appeal. Rights holders argue VPNs fall under the EU Digital Services Regulation; the vendors say they were not notified and question the efficacy and legality of the order.

Ireland launches GDPR probe into X's Grok for sexual images

🔎 Ireland's Data Protection Commission has opened a formal probe into X over the use of its Grok AI to generate non‑consensual sexual images of real people, including children. The inquiry will assess whether X Internet Unlimited Company complied with core GDPR duties such as lawful processing, data protection by design, and required impact assessments. The DPC said it has been engaging with XIUC since media reports emerged and has commenced a large‑scale inquiry. As X's EU lead regulator, the DPC's findings could trigger cross‑border enforcement and significant penalties.

NCSC Urges SMEs to Use Cyber Essentials as Threats Rise

🔐 The NCSC's CEO Richard Horne has warned that small and medium-sized enterprises (SMEs) wrongly assume they are not attractive to cybercriminals and are failing to take basic protective measures. He stressed that attackers seek opportunity and weaknesses rather than high-profile brands, and urged businesses to adopt Cyber Essentials. The scheme focuses on five core controls — secure configuration, user access control, malware protection, security update management and firewalls — to reduce the risk of common attacks. Horne warned that leaving these protections undone is comparable to operating without physical security or insurance and called on SMEs to act immediately as the NCSC reports rising incidents and risks to critical infrastructure.

Passwords to Passkeys: ISO 27001 Compliance Practical Guide

🔐 Password-based authentication is increasingly replaced by passkeys—FIDO2/WebAuthn-backed credentials that store private keys on devices and typically meet AAL2/AAL3 assurance per NIST SP 800-63B. This article explains how organizations can adopt passkeys while remaining compliant with ISO/IEC 27001, mapping changes to Annex A controls (Access Control, Authentication Information, Secure Authentication) and documenting risk treatment. It highlights benefits, common risks such as device loss and downgrade attacks, and practical migration steps for enterprise deployment.