
All news in category “Regulation and Policy Brief”

361 articles · page 7 of 19

UK ICO Probes X's Grok Over AI-Generated Sexual Images

🔍 The UK Information Commissioner's Office has opened a formal investigation into X and its Irish subsidiary after reports that the AI assistant Grok generated nonconsensual sexually explicit images using individuals' personal data. The ICO said it contacted X and xAI on January 7 to request urgent information and will assess whether X Internet Unlimited Company and X.AI LLC processed data lawfully and had adequate safeguards. The regulator warned that loss of control over intimate personal data can cause immediate and significant harm, especially where children are involved.

French Prosecutors Raid X Over Grok Sexual Deepfakes

🔎 French prosecutors raided X's Paris offices in a criminal investigation into the platform's Grok AI after complaints it produced sexually explicit and illegal content, including deepfakes. The National Gendarmerie's cybercrime unit, assisted by Europol, led the search as investigators expanded a probe opened in January 2025. Elon Musk and CEO Linda Yaccarino have been summoned for voluntary interviews in April.

NSA Publishes Phased Zero Trust Implementation Guidelines

🔐 The NSA has released new Zero Trust Implementation Guidelines (ZIGs) introducing Phase One and Phase Two to help organisations progress from Discovery to target-level zero trust maturity. Phase One establishes a secure baseline with 36 activities supporting 30 capabilities, while Phase Two adds 41 activities to enable 34 additional capabilities and integrate solutions across component environments. The guidance emphasises continuous authentication and post-login evaluation, aligns with NIST SP 800-207 and other federal frameworks, and is designed as a modular, tailorable approach for skilled practitioners.

Germany and Israel Conduct Joint Cyberattack Defense Drill

🛡️ Germany and Israel jointly conducted a first-ever exercise, called “Blue Horizon,” to practice defending against a major cyberattack as part of a recent bilateral cyber and security pact. The drill aims to familiarize experts and advance the planned construction of a German “Cyberdome”, modeled on Israeli systems that consolidate data and use AI to detect network vulnerabilities and warn organizations. The pact also foresees closer cooperation on cybercrime, artificial intelligence and drone defense.

Google's AI Crawler Policy and Publisher Control Debate

⚖️ Cloudflare welcomes the UK CMA’s consultation on proposed conduct requirements for Google but argues the measures do not go far enough to protect publishers and competition. Cloudflare’s analysis shows Googlebot accesses substantially more unique pages than other AI crawlers, giving Google an entrenched advantage that can undercut publisher revenue. The company urges mandatory crawler separation so sites can permit search indexing while blocking use of content for generative AI, restoring publisher choice and enabling fairer market competition.

NIS2 Elevates Supply Chain Security to Leadership Task

🔒 NIS2 pushes organizations to treat supply-chain risk as central to cybersecurity, making external dependencies part of security architecture and leadership responsibility. It requires systematic inventories, contractual security obligations, and continuous monitoring of both direct providers and downstream subcontractors. For the CISO, the role shifts from technical stewardship to cross-functional risk management and enforcement. Common failures—poor prioritization, unenforced controls and organizational silos—must be addressed with scalable, evidence-based controls.

FBI Launches Winter SHIELD to Strengthen Cyber Defenses

🔐 The FBI has launched Operation Winter SHIELD, a ten-week campaign outlining ten concrete actions organisations should adopt to improve cyber resilience across IT and OT environments. Developed with domestic and international partners and informed by recent investigations, the initiative connects observed adversary behaviour to practical defenses such as phish-resistant authentication, immutable offline backups, vulnerability management and reduced administrator privileges. Aligned with the US National Cyber Strategy and the FBI Cyber Strategy, the effort aims to harden critical infrastructure and reduce the attack surface.

CISA Issues New Guidance on Insider Threat Risk Management

🔒 The US Cybersecurity and Infrastructure Security Agency (CISA) has released an infographic to help critical infrastructure operators and SLTT governments prevent, detect and respond to insider threats. It advocates treating insider risk as an essential capability and recommends scalable, multidisciplinary teams that are embedded in existing structures. The guidance outlines a four-stage model—plan, organize, execute, maintain—and emphasizes confidentiality, legal compliance and coordination with external partners.

GDPR Violation Reports Surge to Highest Daily Rate

📈 A new DLA Piper report finds that notifications of GDPR violations across the EU averaged 443 reports per day in 2025, a 22% increase over 2024. The firm cautions that the dataset does not definitively explain the rise but highlights likely drivers such as geopolitical tensions, new attacker technologies, and expanded mandatory reporting laws. Annual fines remained near €1.2 billion while cumulative penalties total about €7.1 billion since 2018.

Criticism of Kritis Umbrella Law Raises Patchwork Concerns

⚠️ The German Association of Cities warns the coalition's proposed Kritis umbrella law, due for a Bundestag vote, is insufficient because its 500,000‑inhabitant threshold excludes many essential facilities and weakens crisis preparedness. The draft tightens obligations for classified operators — including reporting duties and fines — but the Städtetag urges lowering the cutoff to 150,000 to cover medium-sized municipalities. The association also warns that allowing federal states to designate additional facilities risks creating a fragmented patchwork. In response to a January power-supply arson in Berlin, the amendment asks the government to review and remove publicly available infrastructure data to limit attacker intelligence, a shift Chancellor Friedrich Merz framed as moving from broad transparency toward greater resilience.

NIST Tightens AI Cybersecurity Guidance for Enterprises

🛡️ NIST is moving from high-level AI risk principles toward operational cybersecurity expectations, focusing especially on AI agent systems that take autonomous actions. The agency’s CAISI center has issued a formal RFI on secure practices for AI agents and is adapting the Cybersecurity Framework into a Cyber AI Profile. NIST’s work—spanning the AI RMF, Dioptra testing, an adversarial ML taxonomy, and SSDF guidance for generative models—signals that CISOs must treat AI as a near-term security priority rather than “just software.”

CISA Urges Critical Infrastructure to Combat Insider Threats

🛡️ CISA is urging critical infrastructure organizations and SLTT governments to take decisive action against insider threats and has published an infographic titled Assembling a Multi-Disciplinary Insider Threat Management Team to guide prevention, detection, and mitigation. The agency highlights that insider threats include both deliberate malicious acts and unintentional errors that can undermine systems and trust. The resource offers actionable steps to build cross-functional teams, foster accountability, and strengthen organizational resilience.

Data Protection Day 2026: From Compliance to Resilience

🛡️ On Data Protection Day 2026, CrowdStrike urges organizations to move beyond checkbox compliance toward operational resilience against modern data risks. The post details how adversaries exploit stolen credentials, identity abuse, SaaS sprawl and AI-driven workflows to access and exfiltrate data, often without crossing conventional boundaries. It calls for controls across identity, endpoints, browsers and the AI interaction layer, and highlights Falcon AIDR as a runtime capability to detect prompt injection, model manipulation and unauthorized tool execution while preserving legitimate workflows.

CISA Publishes PQC Technology Readiness List for CIOs

🔒 CISA has released an advisory mapping post-quantum cryptography (PQC) standards to common enterprise hardware and software categories to help CIOs and security teams evaluate quantum-safe readiness. Issued in response to the June 6, 2025 executive order, the guidance lists product classes that already implement, or are transitioning to, NIST-aligned PQC algorithms. CISA emphasizes many implementations provide PQC for key establishment (KEM/KGA) but not yet for digital signatures and authentication, so categories on the list are not fully quantum resistant. The advisory references FIPS 203–205 as the baseline for required primitives.

Supreme Court Review: Geofence Warrants and the Fourth

⚖️ The U.S. Supreme Court is weighing the constitutionality of geofence warrants in the appeal of Okello Chatrie, convicted after a 2019 Richmond-area robbery. Police obtained anonymized location records from Google for devices near the crime scene, which led investigators to Chatrie and evidence seized during a subsequent search. Chatrie’s appeal contends such warrants violate the Fourth Amendment. The Court’s decision could recalibrate the balance between investigative tools and individual location privacy.

EU Opens DSA Probe into X Over Alleged Grok Sexual Images

⚖️ The European Commission has opened formal proceedings under the Digital Services Act to examine whether X properly assessed risks before deploying the Grok AI tool, after reports it produced sexually explicit and potentially child sexual abuse material. UK and Californian authorities are conducting parallel probes, and regulators say these apparent harms “seem to have materialised.” X later restricted image-generation and editing to paid subscribers while it faces enforcement as a VLOP and a recent €120 million fine for DSA transparency breaches.

CISA Publishes PQC-Capable Product Categories List

🔐 CISA has published an initial list of hardware and software product categories that either support or are expected to support post-quantum cryptography (PQC) standards, following Executive Order 14306 issued on 6 June 2025. Compiled in collaboration with the NSA, the list covers cloud services, collaboration and web software, endpoint security and networking products, and is intended to guide procurement and risk planning as organizations prepare for quantum threats.

Ireland Seeks New Police Powers for Digital Surveillance

🕵️ The Irish government proposes new powers to allow police to intercept communications, including encrypted messages, and to authorize targeted, warrant-backed use of spyware. The draft measures would expand legal authority for interception, compel assistance from service providers and device makers, and define covert access procedures along with oversight obligations. Civil liberties groups and security experts warn the reforms risk weakening encryption, increasing misuse, and eroding privacy without robust independent safeguards.

Germany to Authorize Cross-Border Cyber Counterstrikes

🛡️ Germany plans to adopt a more offensive cyber posture, saying it will "strike back, also abroad," and aim to disrupt attackers and destroy their infrastructure. The Interior Ministry proposes joint operational responsibility for the Federal Criminal Police Office (BKA) and intelligence services and is creating a new defense center against hybrid threats. Minister Alexander Dobrindt said he will introduce laws in the first half of the year to expand intelligence powers for information gathering and operational action.

NHS Calls for Stronger Supplier Cybersecurity Measures

🏥 The NHS has issued an open letter (22 January) signaling more proactive engagement with suppliers to bolster cyber resilience across health and social care. The initiative builds on last year’s voluntary cybersecurity supply chain charter and responds to persistent ransomware and supply-chain threats. NHS England stresses this is not an audit but a partnership to identify risks and agree proportionate remediation. Expectations include MFA, patched systems, effective logging and immutable backups with tested recovery plans.