
All news in category “Regulation and Policy Brief”


PIPC Fines Three Luxury Brands KRW36B for SaaS Failures

🔒 South Korea’s Personal Information Protection Commission (PIPC) fined the local subsidiaries of Louis Vuitton, Christian Dior Couture and Tiffany a combined KRW 36.033 billion plus KRW 10.8 million in additional penalties for failures securing customer data processed via a SaaS platform. The regulator found critical lapses — absent IP‑based access restrictions, weak or missing strong authentication, inadequate controls over bulk exports and insufficient log review — that allowed credential theft and social‑engineering attacks to expose personal information. The PIPC stressed that SaaS environments qualify as personal information processing systems under Korean law, placing responsibility squarely on data controllers, and ordered the firms to publicly disclose the enforcement actions.

BSI Sets Deadlines to Phase Out Classical Encryption

🔒 The Federal Office for Information Security (BSI) has updated its technical guideline TR-02102, establishing concrete deadlines to end the sole use of classical asymmetric encryption: from 2031 generally and for high-security systems from the end of 2030. The guideline mandates hybrid configurations that combine traditional algorithms with post-quantum cryptography and schedules deprecation of conventional signature algorithms for sole use by 2035. TR-02102 is divided into parts addressing algorithm/key guidance, TLS, IPsec/IKEv2, and SSH, and is a reference for developers and mandatory for certain classified-product deployments.

OpenEoX and BOD 26-02: Standardizing EOS Management

🔒 CISA warns that unsupported edge hardware and software pose systemic risks and highlights Binding Operational Directive BOD 26-02 as a federal step to identify, replace, and patch end-of-support (EOS) devices. The article introduces OpenEoX, an OASIS Open machine-readable JSON standard that standardizes product lifecycle information and integrates with SBOMs and CSAF. By enabling producers to publish EOS milestones and consumers to automate lifecycle tracking, OpenEoX aims to reduce exposure and streamline vulnerability management. The piece urges rapid, community-wide adoption to close doors on threat actors exploiting outdated products.

CISA Hosts Town Halls to Seek Input on CIRCIA Rulemaking

📣 CISA will host a series of virtual town hall meetings beginning March 9 to collect stakeholder input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rulemaking. The sessions will solicit feedback on the Notice of Proposed Rulemaking and implementation details; schedule information is published in the Federal Register and updates will be posted to CISA’s CIRCIA webpage. CIRCIA would require covered entities to report certain cyber incidents within 72 hours and ransom payments within 24 hours. CISA emphasized the need to balance improved national cybersecurity outcomes with minimizing unnecessary burden on critical infrastructure sectors.

Russia Moves to Block WhatsApp and Telegram Access

🔒 Russia is escalating efforts to block WhatsApp and Telegram after Roskomnadzor excluded whatsapp.com and web.whatsapp.com from the national DNS and began throttling services. Authorities previously limited voice and video calls and attempted to block new registrations, while Meta has been labeled as extremist in Russia. The Kremlin is promoting the state-aligned MAX messenger as an endorsed alternative, and users currently rely on VPNs and external resolvers to maintain access amid mounting restrictions.

New York Proposal Would Add Surveillance to 3D Printers

⚠️ New York’s 2026–2027 executive budget bill proposes a blocking technology requirement for all 3D printers sold or delivered in the state. The provision would require firmware or software to scan every print file with a firearms blueprint detection algorithm and refuse prints flagged as potential firearms or components. While intended to curb illicit weapon production, critics say it resembles DRM, will be technically ineffective, and would impose significant burdens on makers, educators, and small manufacturers.

CISA Guidance: Barriers to Secure OT Communication

🔒 CISA released guidance that examines why legacy industrial protocols are often insecure-by-design and why available protections are not widely adopted. Developed with OT equipment manufacturers and standards bodies, the document reports findings from interviews with asset owners and operators about motivations to secure communication and barriers they face. The guidance identifies practical, operational, and technical obstacles and offers recommendations for owners and operators and manufacturers to drive more usable, sustainable security capabilities.

NCSC Warns CNI Operators of Severe Cyber-Attacks Now

⚠️ The NCSC has issued an urgent alert to critical national infrastructure (CNI) providers after December's coordinated malware attacks against Poland's energy sector, urging operators to act now to defend UK assets. Director Jonathan Ellison stressed the need to follow recent NCSC guidance on monitoring, situational awareness and hardening network defences. Recommended measures include patching, access controls and MFA, secure-by-design management and robust resilience and recovery plans.

CISA Orders Federal Agencies to Remove EOS Edge Devices

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-02 requiring Federal Civilian Executive Branch agencies to decommission end-of-support (EOS) edge devices within specified timelines. Agencies must identify and remediate vulnerabilities within three months and remove EOS devices from external-facing network edges within 18 months, replacing them with vendor-supported hardware. The directive also mandates continuous discovery and inventory processes to prevent future exposure.

NIS2 Reframes Supply Chain Risk as Core Security Duty

🔒 NIS2 forces organizations to treat supply chains as an integral part of cybersecurity rather than an afterthought. The directive shifts emphasis from perimeter defenses to the risks posed by external service providers and subcontractors, requiring firms to identify dependencies, set proportionate contractual security obligations, and implement continuous monitoring. It also elevates the CISO's remit to enforce cross-functional risk management.

Preparing for the Quantum Era: A Call to Secure PQC

🔐 Google issues a call to action to protect digital systems against quantum threats, outlining its post-quantum cryptography (PQC) work and policy recommendations. The company warns that large-scale quantum computers could break current public-key cryptography and cautions about 'store now, decrypt later' harvesting of encrypted data. Google commits to research transparency, completing PQC migrations within NIST guidelines, and strengthening crypto agility, critical shared infrastructure, and ecosystem readiness.

EU Says TikTok Faces Fine Over Addictive Design in EU

⚖️ The European Commission says TikTok may face a substantial penalty under the Digital Services Act after preliminary findings concluded that core design elements — infinite scroll, autoplay, push notifications and personalized recommendation systems — promote compulsive use and can harm minors and vulnerable adults. Regulators say TikTok failed to adequately assess and mitigate risks, pointing to nighttime usage and frequent app openings as ignored indicators of harm. If confirmed, the violations could trigger a fine of up to 6% of global turnover and the Commission has demanded screen-time breaks, adapted recommendation systems and the disabling of key addictive features; existing parental controls were judged insufficient.

CISA Orders Removal of Unsupported Edge Devices Nationwide

🔒 CISA ordered federal agencies to remove edge devices that no longer receive vendor security updates and to strengthen lifecycle management within 12–18 months. Directive 26-02 requires agencies to catalog devices, update supported software immediately, report end-of-support items in three months, and decommission listed devices in 12 months and others in 18 months. CISA published an end-of-support edge device list and highlighted routers, firewalls, load balancers, wireless access points and IoT edge gear as high-risk targets for exploitation.

CISA directs removal of unsupported federal edge devices

🔒 CISA has ordered Federal Civilian Executive Branch agencies to inventory, update where possible, and remove all end-of-support edge devices—firewalls, routers, VPN gateways, load balancers, and other network security appliances—within an 18-month timeline. Agencies must report inventories within three months and begin removals within 12 months. CISA warned unsupported devices represent a substantial and constant threat and urged private sector adoption of similar measures.

CISA Orders Federal Agencies to Replace EOL Edge Devices

⚠️ CISA has issued BOD 26-02 requiring U.S. federal agencies to identify and remove end-of-life (EOL) network edge devices such as routers, firewalls, and switches that no longer receive security updates. Agencies must inventory devices on CISA's end-of-support list within three months, decommission pre-directive EOL devices within 12 months, and replace all identified EOL edge equipment within 18 months. The directive also requires agencies to implement continuous discovery processes within 24 months and encourages non-federal organizations to follow CISA's guidance to mitigate exploitation risks.

Meeting Cybersecurity Regulations: Practical Compliance Steps

🔒 Cybersecurity regulatory obligations vary by company size, industry and geography, and meeting them is increasingly a business prerequisite. Leaders should treat compliance frameworks such as NIS-2, ISO and NIST as structured methodologies — not end goals — while recognizing that compliance is not the same as security. CISOs must partner with legal, privacy and audit teams, prioritize risk-based decisions, and use tools like GRC, SIEM and continuous monitoring to demonstrate and maintain compliance.

Reducing Attack Surface from End-of-Support Edge Devices

🔒 This fact sheet from CISA, the FBI, and the U.K. NCSC urges organizations to mitigate risks posed by end-of-support (EOS) edge devices such as firewalls, routers, load balancers, and VPN gateways. It highlights BOD 26-02 for U.S. federal agencies and recommends maintaining asset inventories, replacing EOS hardware, and applying timely updates and patches to reduce exposure to nation-state threat actors.

CISA Directs Agencies to Secure End-of-Support Edge Devices

🔒 CISA issued Binding Operational Directive 26-02, requiring Federal Civilian Executive Branch agencies to mitigate risks from unsupported edge devices. Agencies must inventory devices, update vendor-supported software, remove end-of-support hardware and software, and implement mature lifecycle management within specified timeframes. CISA will monitor compliance, assess progress, and encourage non-federal organizations to adopt similar measures to reduce technical debt and strengthen cyber resilience.

US Declassifies Details of JUMPSEAT Reconnaissance Satellites

🛰️ The US National Reconnaissance Office has declassified details about the JUMPSEAT fleet, a series of spy satellites that operated from 1971 to 2006. The release is notable because much of the material was declassified roughly two decades after these systems were retired. The disclosure provides historians, analysts, and policymakers with new primary-source material to reassess historical intelligence programs.

UK ICO Investigates X Over AI-Generated Sexual Images

🛡️ The UK Information Commissioner’s Office has opened a formal investigation into X and its AI assistant Grok after reports the system generated non-consensual sexual images using people’s personal data. The inquiry will assess whether such data were processed lawfully, fairly and transparently and whether appropriate safeguards were integrated into Grok’s design and deployment to prevent harmful image manipulation. The ICO has requested urgent information from X and warned the reports raise risks of significant harm, particularly to children.