
All news in category “Regulation and Policy Brief”


CISA Guidance on Product Categories for PQC Adoption

🔒 CISA published lists identifying hardware and software product categories in which post-quantum cryptography (PQC) standards are already in use or expected to be widely available. Issued under Executive Order 14306, the guidance directs agencies to plan acquisitions so that PQC-capable products are preferred in the listed categories, and urges vendors to implement and test PQC features. It distinguishes categories that have already implemented PQC for key establishment from those still transitioning for digital signatures and other functions, and it will be updated periodically.

CISA Publishes Product Categories for PQC Adoption

🔐 The Cybersecurity and Infrastructure Security Agency (CISA) released an initial list of Product Categories for technologies that use post-quantum cryptography standards. Developed under Executive Order 14306 (June 6, 2025) and in coordination with the NSA, the list identifies hardware and software types that already support or are expected to adopt PQC, including cloud services, web software, networking, and endpoint security. CISA will update the list regularly to guide procurement and migration planning.

TikTok Forms U.S. Joint Venture to Continue Operations

🔒 TikTok USDS Joint Venture LLC was formed to allow TikTok to continue operating in the U.S. under majority-American ownership, with ByteDance retaining 19.9%. U.S. users' data and a retrained recommendation algorithm will be hosted in Oracle's U.S. cloud and protected under defined safeguards for algorithm security, content moderation, and software assurance. An independent, audited cybersecurity and privacy program will follow standards such as the NIST CSF, NIST SP 800-53, ISO 27001, and CISA requirements.

Over 160,000 Companies Notify Regulators of GDPR Breaches

📈 The number of GDPR breach notifications rose 22% in 2025 to a daily average of 443, according to DLA Piper, making this the first year since 2018 that the daily average topped 400. Germany, the Netherlands and Poland recorded the most reports, and analysts pointed to geopolitical unrest and emerging AI-enabled threats as contributors. Annual GDPR fines remained stable at €1.2bn, with Ireland issuing the largest share, including a €530m penalty for TikTok over international data transfers.

EU Revises Cybersecurity Rules to Curb High-Risk Suppliers

🔐 The European Commission has unveiled a cybersecurity package to strengthen the EU’s resilience against state and criminal cyber and hybrid threats. The proposals focus on reducing risks from high-risk suppliers outside the EU—particularly in critical infrastructure like mobile networks—using a common, risk-based framework. The plan updates the European Cybersecurity Certification Framework to speed product testing, eases compliance burdens for SMEs, and reinforces ENISA’s role in threat analysis, incident response and vulnerability management.

EU Proposes Cybersecurity Act 2.0 to Strengthen EU Defenses

🔒 The European Commission has proposed an update to the Cybersecurity Act, published on 20 January, to address shortcomings in the original regulation. The package aims to streamline the European cybersecurity certification framework, introduce a trusted ICT supply chain security framework across 18 critical sectors, and require certification schemes to be developed within 12 months by default. It also expands ENISA's powers to lead incident support, vet suppliers, and pilot skill attestation.

UK launches Report Fraud to replace Action Fraud service

🛡️ Report Fraud has launched in the UK to replace the criticised Action Fraud service, providing a single, modern national platform for reporting, triage and intelligence across England, Wales and Northern Ireland. The service incorporates real-time analytics powered by Palantir and Microsoft, an interactive portal where victims can track and update their cases, proactive notifications, and instant intelligence sharing with police and businesses. A new National Crime Analysis Service (N-CAS) will underpin the analytics, and a national "Every Report Counts" advertising campaign will promote the launch.

EU Commission Proposal Would Allow Bans on High-Risk Vendors

🔒 The EU Commission has proposed a legal mechanism to ban network-equipment vendors it considers high-risk, a move widely seen as targeting Chinese firms such as Huawei and ZTE though the draft does not name specific companies. The plan would let Brussels require member states to replace prohibited technology in critical infrastructure within three years. It would also strengthen ENISA with additional staff and funding to coordinate EU-wide cybersecurity and ransomware defenses.

EU Cybersecurity Overhaul to Bar High-Risk Suppliers

🔒 The European Commission has proposed a comprehensive cybersecurity package that would require the removal of high-risk suppliers from sensitive telecommunications networks and give Brussels authority to coordinate EU-wide risk assessments. The measure aims to strengthen defenses against state-backed actors and cybercrime targeting critical infrastructure, and to address uneven uptake of the 2020 5G Security Toolbox. The proposal also expands ENISA's remit to issue early threat alerts, centralize incident reporting, streamline voluntary certification, and support joint assessments across 18 critical sectors. Member states would be required to transpose the changes within one year of approval.

AI and the Corporate Capture of Public Knowledge Debate

📚 The essay links Aaron Swartz’s fight for open access to today’s large AI firms that scrape and monetize vast amounts of public and private knowledge. It argues that AI companies are effectively appropriating research and creative works, settling liabilities as a cost of business while public access and accountability erode. The piece warns this corporate capture shifts control of information from democratic institutions to private platforms.

Global Agencies Publish Secure Connectivity Guidance for OT

🔐 The US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation (FBI), alongside international partners, have released principles to secure operational technology (OT) connectivity. Led by NCSC-UK, the guidance offers a shared framework to design and manage secure connectivity across OT environments. It emphasizes embedding cybersecurity into network design to reduce exposure to both state-backed and opportunistic adversaries. The document warns that increased interconnection brings benefits such as real-time analytics and predictive maintenance, but also raises risks that could cause physical harm, environmental damage or service disruption.

FTC Restricts GM from Selling Drivers' Location Data

📍 The Federal Trade Commission has finalized an order prohibiting General Motors and its OnStar unit from collecting, using, or sharing consumers' precise geolocation and driving-behavior data without express consent. The FTC said GM harvested location data every three seconds through the discontinued Smart Driver feature and sold it to third parties, including consumer reporting agencies, which could affect insurance outcomes. Under the order GM is barred from sharing such data with consumer reporting agencies for five years, must obtain express consent for collection and sharing for 20 years, and must give U.S. customers access, deletion rights, and the ability to disable precise location tracking.

International Principles for Secure OT Connectivity

🛡️ CISA, the UK’s NCSC, the FBI and international partners published the Secure Connectivity Principles for Operational Technology (OT), a joint guide led by NCSC‑UK to mitigate insecure and exposed connectivity and defend against opportunistic and nation‑state cyber threats. The guidance provides a practical framework and eight key principles to help OT owners and operators design, secure, and manage connectivity. Agencies also urge OT device manufacturers and integrators to embrace secure‑by‑design practices and recommend organizations assess OT connectivity and implement mitigations to strengthen critical infrastructure resilience.

Secure Connectivity Principles for OT — CISA, NCSC-UK

🔒 CISA and the UK National Cyber Security Centre (NCSC-UK) issued Secure Connectivity Principles for Operational Technology (OT) to help asset owners manage increasing connectivity demands. The guidance provides an eight‑principle framework to design, secure, and operate network access into OT environments. It targets operators of essential services and aligns with federal and international collaboration. Stakeholder feedback is invited through a CISA product survey.

G7 Sets 2034 Deadline for Financial PQC Migration Plan

🔐 The G7 Cyber Expert Group has published a recommended roadmap asking financial firms and public entities to complete the transition to post-quantum cryptography (PQC) by 2034, ahead of anticipated quantum-enabled threats. The non-prescriptive guidance outlines six phased activities, from awareness and cryptographic inventory through migration, testing and validation, with overlapping timelines beginning in 2025. It stresses a risk- and standards-based approach, crypto agility and cross-jurisdiction collaboration to reduce fragmentation and improve interoperability.

State and Local Cybersecurity: Framework in Place to Act

🛡️ The White House’s March 2025 Executive Order and Congress’s State and Local Cybersecurity Grant Program (SLCGP) together create a framework for strengthening defenses at state, local and tribal levels. The proposed PILLAR Act would extend and reinforce funding, oversight and scope. Success requires restoring disbursements, aligning with NIST standards, and building local capacity through partnerships and workforce development.

Time to Require Identity Verification for Internet Users

🔐 Australia's 2026 law banning under-16s from social media has reignited debate over whether internet services should require identity verification. Tony Anscombe argues that distinguishing verified and unverified users could reduce abuse, targeted fraud and underage exposure while letting people filter unwanted content. He warns verification methods (biometrics, government ID) carry privacy and data-retention risks and that bans may drive minors to circumvent restrictions, so a balanced regulatory approach is needed.

Congressional Delays Weaken U.S. Cybersecurity Posture

⚠️ The White House renominated seasoned Coast Guard and Energy Department cyber official Sean Plankey to lead CISA, a step that eases an urgent leadership gap but does not resolve broader legislative gridlock. Experts cite both executive deprioritization and congressional dysfunction—blocked confirmations, holds, and delayed reports—as drivers of a hollowed-out agency. Quick Senate confirmation, reauthorization of CISA 2015, and restored grant funding are needed to begin rebuilding capacity.

Parliament Seeks Industry Input on Cyber Security Bill

🏛️ The Parliamentary Public Bill Committee is inviting industry submissions to inform scrutiny of the Cyber Security and Resilience Bill (CSRB), the planned successor to the NIS Regulations 2018. Now at committee stage after its second reading, the bill proposes expanded scope, tighter incident-reporting, mandatory supply‑chain risk management and alignment with the NCSC Cyber Assessment Framework. The committee will hear oral evidence from 3 February and has urged prompt written responses as it may conclude early.

CISA Retires Ten Emergency Directives After Review

🔐 CISA has formally closed ten Emergency Directives issued between 2019 and 2024 after finding that their objectives were met and the required remediations implemented across federal civilian agencies. The agency said many of the underlying issues were absorbed into Binding Operational Directive 22-01 and are now tracked through the Known Exploited Vulnerabilities (KEV) catalog. Some directives were closed because their requirements no longer matched the current risk posture; Emergency Directives remain available as a tool for urgent threats.