< ciso
brief />
Regulation and Policy Brief Banner

All news in category “Regulation and Policy Brief

403 articles · page 7 of 21

Navigating Fragmented Cybersecurity Regulation in Europe

🔎 This Fortinet podcast episode examines the evolving EU-centric cybersecurity regulatory landscape and its implications for global businesses. Host Joe Robertson speaks with Dr. Tommaso De Zan of Access Partnership about layered rules such as NIS2, the Cyber Resilience Act, DORA, and emerging cloud sovereignty initiatives. They contrast horizontal and vertical regulations, highlight differences between regulations and directives, and emphasize that industry accepts rules but resents uncertainty. Practical advice includes early policy monitoring, engagement in consultations, and embedding security into products and operations.
read more →

UK VMS Cuts Remediation Time for Public Websites by Half

🔒 The UK’s new vulnerability monitoring service (VMS) continuously scans more than 6,000 public bodies, detecting around 1,000 vulnerability types and processing roughly 400 confirmed findings a month. The service reduced median remediation for general vulnerabilities from 53 to 32 days and cut DNS fix times from 50 to eight days. VMS provides specific, actionable guidance and tracks issues until closure, while the government pairs the platform with a £210m Cyber Action Plan and a new Cyber Profession to address skills gaps.
read more →

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.
read more →

Samsung to Stop Collecting Texans' TV Viewing Data by Consent

🔒 Samsung and the State of Texas have settled a dispute over allegations that its smart TVs used Automated Content Recognition (ACR) to collect viewing data without users' express consent. Under the agreement, Samsung must halt collection or processing of ACR viewing data from Texas consumers unless they give clear, affirmative consent, and it will update TVs with clearer privacy disclosures and consent screens. Texas AG Ken Paxton said the settlement compels clear, conspicuous notices; Samsung maintains it did not spy on consumers but agreed to strengthen privacy notices.
read more →

Pentagon Labels Anthropic Supply-Chain Risk in AI Dispute

⚠️The Pentagon has directed the Department of War to designate Anthropic a supply-chain risk after talks over military use of its AI model, Claude, reached an impasse. President Donald Trump ordered federal agencies to phase out Anthropic technology within six months, while Secretary of Defense Pete Hegseth ordered immediate cessation of contractor activity. Anthropic says the designation followed its refusal to allow mass domestic surveillance or fully autonomous weapons and calls the move legally unsound and limited to DoW contracts under 10 USC 3252. The dispute has drawn industry pushback and reignited debate over civil liberties, procurement policy, and how safeguards should apply in defense settings.
read more →

Tehran's Two-Tiered Internet and Its Global Risks Today

🔒Iran's January 2026 communications blackout was a comprehensive shutdown that disabled mobile networks, landlines, and even Starlink, extending beyond conventional URL blocking to dismantle both physical and logical connectivity. The regime is formalizing a two-tiered model—white SIM cards and data-center whitelists—that preserves full access for officials while isolating ordinary citizens. By removing social features and disabling local chat channels, the state aims to atomize the population and prevent real-time coordination. The author urges policy and technical measures—such as expanded humanitarian licensing and D2C satellite access—to give repressed populations resilient means of connectivity.
read more →

UK Vulnerability Monitoring Service Cuts Fix Times

🔒 The UK government says its new Vulnerability Monitoring Service (VMS) has cut the backlog of critical vulnerabilities by 75% and reduced average fix times for serious public-sector website DNS issues from nearly two months to eight days. Operated by the Department for Science, Innovation and Technology (DSIT), the service continuously scans around 6,000 public sector bodies and provides targeted, practical remediation guidance and progress tracking. The update was published on 26 February.
read more →

US Authorities Penalize Sellers of Malware and Spyware

🔒 US authorities have taken swift action against sellers of cyberweapons, sentencing Australian national Peter Williams to 87 months in prison after he sold sensitive exploit components for up to $4 million in cryptocurrency. The Treasury’s OFAC also sanctioned Sergey Sergeyevich Zelenyuk and Matrix LLC (trading as Operation Zero) for acquiring and distributing proprietary US cyber tools. Sanctions block US-held assets and may trigger criminal charges for prohibited transactions.
read more →

UK Data Watchdog Reorganises to Board-Led Agency Structure

🔒 A forthcoming overhaul to the UK GDPR will convert the Information Commissioner's Office from a single-commissioner model into a board-run government agency, with Paul Arnold appointed as the first CEO of the new structure. The changes, to be enacted through the Data (Use and Access) Act 2025, aim to improve continuity, broaden expertise and manage a growing workload. The reform also grants the ICO new investigatory and compulsory powers and expands duties affecting businesses, while Data Essentials training will be scaled up.
read more →

National Cyber Resilience in the AI Era: A Leadership Guide

🔐 This practical Q&A guide helps leaders translate evolving threats into actionable resilience measures. It highlights why national cyber security urgency has increased as adversaries shift from theft to persistent, disruptive positioning that can affect fuel, hospitals, elections, markets, and public trust. The brief recommends adoption of NIST frameworks, Zero Trust principles, and AI governance to mitigate cloud, OT, and supply chain risks. Leaders receive concise operational steps to align policy, technology, and cross‑sector coordination.
read more →

New York Sues Valve Over Loot Boxes for Illegal Gambling

⚖️New York Attorney General Letitia James sued Valve Corporation, alleging the company facilitated illegal gambling through randomized loot boxes in Counter-Strike 2, Dota 2, and Team Fortress 2 on Steam. The complaint says rare virtual items can be exchanged for real money, that odds are skewed to increase value, and that the mechanics are addictive and harmful to children. James is seeking injunctive relief, disgorgement of profits, and fines.
read more →

U.S. Sanctions Russian Exploit Broker for Stolen Zero‑Days

🔒 The U.S. Treasury Department's Office of Foreign Assets Control designated Matrix LLC (doing business as Operation Zero) and its owner, Sergey Zelenyuk, under the Protecting American Intellectual Property Act, marking the first use of that law. The move coincided with the sentencing of former L3Harris manager Peter Williams, who was given 87 months for stealing eight zero‑day exploits and selling them to Operation Zero for about $1.3 million in cryptocurrency. OFAC also named related companies and individuals, including a UAE front company and a suspected Trickbot affiliate, freezing U.S. assets and warning of potential secondary sanctions for U.S. persons who transact with the designated parties.
read more →

ICO fines Reddit £14.47m over inadequate age checks

🔒 The UK Information Commissioner's Office (ICO) has fined Reddit £14.47m for failing to implement robust age verification and for not conducting a required DPIA before January 2025. The regulator found that children under 13 had personal data processed without a lawful basis and were potentially exposed to inappropriate content. Reddit maintains it avoids collecting identity data to protect privacy, while experts warn heavy-handed identity checks could introduce new privacy and security risks.
read more →

Cyber Conflict Targeting Society: Policy and Resilience

🛡️ In the first episode of Fortinet's Brass Tacks: Talking Cybersecurity season 2, host Joe Robertson speaks with Annita Sciacovelli, a professor of international law and cybersecurity advisor to the Italian Ministry of Defence, about how modern cyber conflict increasingly targets societies rather than only military or corporate assets. They explain that attacks on energy, transport, finance, and public administration aim to erode trust and create strategic psychological pressure, reframing cybersecurity as a public-interest challenge. The discussion highlights legal distinctions between terrorism and state use of force, the importance of ENISA, and EU frameworks such as NIS2, DORA, and the Cyber Resilience Act, while underscoring the need for cyber diplomacy, intelligence sharing, and continuous resilience-building.
read more →

UK fines Reddit £14.47M for unlawfully using children's data

🔒 The UK Information Commissioner's Office has fined Reddit £14.47 million for collecting and processing the personal information of children under 13 without adequate safeguards. The ICO found Reddit lacked a meaningful age-verification system until July 2025 and judged the measures introduced then could be easily bypassed. Reddit said it will appeal and disputes the regulator's assessment.
read more →

Is AI Good for Democracy? Arms Races, Power, Policy

⚖️ Bruce Schneier contends that AI is reshaping democratic engagement by creating widespread, domain-specific arms races—from academic publishing and courts to media, hiring, and public comment systems. These dynamics advantage well-resourced corporate actors while pressuring governments to adopt automated tools to manage scale. Schneier urges both tactical citizen use of AI and stronger regulatory responses to prevent concentrated power and preserve civic voice.
read more →

NIST AI Agent Standards Initiative Aims for US Leadership

🧭 NIST has launched the AI Agent Standards Initiative via the Center for AI Standards and Innovation (CAISI) to create a roadmap for developing interoperable, trustworthy autonomous AI agents. The effort will gather public input through an RFI (responses due March 9) and sector-specific listening sessions in April, and emphasizes industry-led standards, open-source work, and international engagement. Critics caution the process may be too slow to keep pace with agentic AI adoption and emerging threats.
read more →

Texas Sues TP-Link Over Alleged Chinese Hacking Risks

🔒 Texas Attorney General Ken Paxton has sued TP-Link, alleging the company deceptively marketed routers as secure while obscuring Chinese supply-chain ties and labeling devices Made in Vietnam. The complaint cites firmware vulnerabilities exploited by Chinese state-backed actors and a large credential-theft botnet built from compromised routers. Paxton seeks monetary penalties and injunctions forcing disclosure of Chinese origins and limits on data collection; TP-Link denies the allegations and says U.S. user data is stored on domestic AWS servers.
read more →

Spain Court Orders NordVPN, ProtonVPN to Block Piracy

⚖️ A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites and a dynamic set of IP addresses in Spain that facilitate illegal streaming of LaLiga matches. The measures were issued inaudita parte, meaning the providers were not called to a hearing and will have no opportunity to appeal. Rights holders argue VPNs fall under the EU Digital Services Regulation; the vendors say they were not notified and question the efficacy and legality of the order.
read more →

Ireland launches GDPR probe into X's Grok for sexual images

🔎 Ireland's Data Protection Commission has opened a formal probe into X over the use of its Grok AI to generate non‑consensual sexual images of real people, including children. The inquiry will assess whether X Internet Unlimited Company complied with core GDPR duties such as lawful processing, data protection by design, and required impact assessments. The DPC said it has been engaging with XIUC since media reports emerged and has commenced a large‑scale inquiry. As X's EU lead regulator, the DPC's findings could trigger cross‑border enforcement and significant penalties.
read more →