All news with #regulatory action tag

Thu, November 20, 2025

CISA Issues Guidance to Combat Bulletproof Hosting Abuse

🔒 CISA, together with US and international partners, has published a joint guide addressing bulletproof hosting (BPH) services that enable ransomware, phishing, malware delivery and other attacks. The guidance explains how BPH providers lease or resell infrastructure to criminals, enabling fast-flux operations, command-and-control activity and data extortion while evading takedowns. It recommends concrete defensive actions for ISPs and network defenders, including curating a high-confidence list of malicious internet resources, continuous traffic analysis, automated blocklist reviews, network-edge filters, threat intelligence sharing and feedback processes, so that abuse is reduced while collateral impact on legitimate customers of the same infrastructure is limited.
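The guidance above describes the defensive loop in prose only. The following is an added example, not code from CISA or its partners, of how a network defender might implement the "high-confidence list plus feedback" step: flow records are matched against a curated blocklist of prefixes, each entry carries a confidence score so that low-confidence (mixed-use) ranges are routed to review rather than blocked outright, and an allowlist fed by the feedback process exempts known-legitimate hosts inside a listed range. Every prefix, label, address and flow line below is constructed for illustration (documentation and benchmark ranges only) and does not describe any real hosting provider.

```python
"""Triage flow records against a curated bulletproof-hosting (BPH) blocklist.

Added example; not CISA's or any partner's code. All prefixes, labels,
allowlist entries and flow lines are constructed and are not real BPH
infrastructure.
"""
import ipaddress
from collections import defaultdict

# Constructed high-confidence blocklist: prefix -> (label, confidence 0..1).
# Confidence is an assumed attribute; the guide itself only asks for a
# "high confidence" list, so a score is one way to encode that.
BPH_BLOCKLIST = {
    "198.51.100.0/24": ("bph-example-a", 0.95),
    "203.0.113.0/25": ("bph-example-b", 0.90),
    "2001:db8:bad::/48": ("bph-example-c", 0.85),
    "192.0.2.0/24": ("shared-hoster-mixed", 0.40),  # mixed-use range: review only
}

# Constructed feedback allowlist: a legitimate host living inside a listed range.
ALLOWLIST = {"203.0.113.10"}

# Entries at or above this confidence are blocked; below it they are queued for review.
MIN_CONFIDENCE = 0.8


def compile_blocklist(raw):
    """Parse the prefix strings once so matching uses ipaddress objects."""
    return [(ipaddress.ip_network(p), label, conf) for p, (label, conf) in raw.items()]


NETWORKS = compile_blocklist(BPH_BLOCKLIST)


def classify(ip_str, networks=NETWORKS, allowlist=ALLOWLIST, min_conf=MIN_CONFIDENCE):
    """Return (verdict, label) for one address; verdict is block, review or allow."""
    if ip_str in allowlist:
        return "allow", "allowlisted"
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, label, conf in networks:
        # Most specific (longest) matching prefix wins.
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, label, conf)
    if best is None:
        return "allow", None
    _, label, conf = best
    return ("block" if conf >= min_conf else "review"), label


def parse_flow(line):
    """Parse a constructed 'ts src dst dport proto bytes' record."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def triage(lines):
    """Classify each flow by destination; return per-flow verdicts and a per-label summary."""
    verdicts = []
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0, "hosts": set()})
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, label = classify(flow["dst"])
        verdicts.append({**flow, "verdict": verdict, "label": label})
        if verdict in ("block", "review"):
            entry = summary[label]
            entry["flows"] += 1
            entry["bytes"] += flow["bytes"]
            entry["hosts"].add(flow["src"])  # internal hosts talking to the range
    return verdicts, dict(summary)


# Constructed sample flows (private sources, documentation/benchmark destinations).
SAMPLE_FLOWS = """\
2025-11-20T10:00:01Z 10.0.0.5 198.51.100.7 443 tcp 5120
2025-11-20T10:00:03Z 10.0.0.9 203.0.113.10 443 tcp 200
2025-11-20T10:00:04Z 10.0.0.9 203.0.113.77 8080 tcp 90000
2025-11-20T10:00:05Z 10.0.0.12 192.0.2.44 443 tcp 1500
2025-11-20T10:00:06Z 10.0.0.12 198.18.0.1 443 tcp 800
2025-11-20T10:00:07Z 10.0.0.5 2001:db8:bad::1 53 udp 64
"""

if __name__ == "__main__":
    results, per_label = triage(SAMPLE_FLOWS.splitlines())
    for r in results:
        print(f'{r["verdict"]:6} {r["src"]:10} -> {r["dst"]:18} {r["label"]}')
    for label, s in per_label.items():
        print(f'{label}: {s["flows"]} flows, {s["bytes"]} bytes, hosts={sorted(s["hosts"])}')
```

The per-label summary is what an analyst would send back into the feedback process: a listed range that only ever receives traffic from one host on one port is a candidate for the allowlist or for a narrower prefix, while a range with many internal hosts and large byte counts supports keeping the block. Longest-prefix matching matters because a feedback process typically carves small legitimate subnets out of a broader listed range rather than delisting the whole range.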

Thu, November 20, 2025

UK, US and Allies Sanction Russian Bulletproof Hosters

🔒 Western allies have announced coordinated sanctions targeting three bulletproof hosting providers — Media Land, ML.Cloud and Aeza Group — and four associated Russian executives, including Alexander Volosovik (aka Yalishanda). The measures, backed by the UK, US and Australia, also named UK-registered front Hypercore and aim to seize assets and cut access to legitimate banking channels. Authorities say the hosts supported numerous ransomware and infostealer operations, and Five Eyes nations published guidance to help ISPs and defenders mitigate malicious activity enabled by such services.

Wed, November 19, 2025

AWS Designated Critical Third-Party Provider under DORA

🔐 Amazon Web Services has been designated a critical third-party provider (CTPP) by the European Supervisory Authorities under the EU’s DORA regulation, which took effect in January 2025. The designation establishes a formal oversight relationship between AWS and the ESAs and signals heightened regulatory engagement for financial services customers operating in the EU. AWS says it will continue investing in compliance, operational resilience, risk management, and transparency, and will support customers with documentation, whitepapers, and a dedicated security and compliance team to help meet DORA obligations.

Wed, November 19, 2025

US, UK, Australia Sanction Russian Bulletproof Hosts

🔒 The US, UK, and Australia have sanctioned Russian bulletproof hosting provider Media Land and related companies for supporting ransomware gangs such as LockBit, BlackSuit, and Play. Three executives were also designated and assets frozen, while clients and facilitators face secondary sanctions. Five Eyes agencies issued guidance for ISPs to detect and block BPH-enabled abuse.

Wed, November 19, 2025

CISA Urges Critical Infrastructure to Be Air Aware

🛡️ CISA urges critical infrastructure owners and operators to adopt a year-round approach to managing risks from unmanned aircraft systems (UAS) and highlights its Be Air Aware™ campaign. The agency released three new guidance products: Suspicious Unmanned Aircraft System Activity Guidance, Safe Handling Considerations for Downed UAS, and UAS Detection Technology Guidance. CISA also offers regional assessments, exercise design, temporary flight restriction coordination for high-risk events, and bombing prevention assistance to help organizations detect, mitigate, and respond to UAS incidents.

Tue, November 18, 2025

CISA 2015 Short-Term Extension Provides Temporary Relief

🛡️ The US Cybersecurity Information Sharing Act (CISA 2015) received a three-month extension in a Senate continuing resolution, preserving liability protections for voluntary threat sharing through the Automated Indicator Sharing (AIS) program until January 30, 2026. Cyber professionals broadly welcomed the move but called it a "temporary patch" and urged a longer-term renewal. Industry sources reported the lapse since September reduced federal-to-private sharing, while a Binalyze survey highlighted operational strains, estimating an average cost of $114,000 per hour of delayed incident response.

Tue, November 18, 2025

Energy Sector Targeted by Hackers: Risks, AI & Cooperation

🔒 The energy sector faces a high and growing cyber threat, with attackers targeting OT systems, grid sensors and IoT endpoints to create cascading societal impacts. Critical vulnerabilities, notably in Siemens products, and increasing IT/OT coupling widen the attack surface. The article stresses the need for end-to-end visibility, AI-driven early warning and anomaly detection, and stronger international cooperation, including NIS2-aligned practices and active CERT coordination to build resilience.

Tue, November 18, 2025

Google Cloud designated as DORA critical ICT provider

🔒 Google Cloud EMEA has been designated a critical ICT third-party provider under the EU's DORA regulation. The designation acknowledges the systemic importance of Google Cloud services to the financial entities that use them and establishes a direct oversight channel with a Lead Overseer from the ESAs. Google Cloud commits to transparency, customer support for compliance, and collaboration to strengthen digital operational resilience across Europe, and provides resources such as a Register of Information Guide and an ICT Risk Management Customer Guide to support customers' compliance work.

Mon, November 17, 2025

India DPDP Rules 2025 Make Privacy an Engineering Challenge

🔒 India’s new Digital Personal Data Protection (DPDP) Rules, 2025 impose strict consent, verification, and fixed deletion timelines that require large platforms and enterprises to redesign how they collect, store, and erase personal data. The rules create Significant Data Fiduciaries with added audit and algorithmic-check obligations and formalize certified Consent Managers. Organizations have 12–18 months to adopt automated consent capture, verification, retention enforcement, and data-mapping across cloud, on‑prem, and SaaS environments.

Mon, November 17, 2025

European Digital Sovereignty Summit Shifts Priorities

🔒 European leaders, including Chancellor Friedrich Merz and President Emmanuel Macron, will attend a Berlin summit of digital ministers and IT experts expected to draw about 900 participants. The conference highlights concerns that US laws such as the CLOUD Act and FISA Section 702 can compel US cloud providers to disclose data held in Europe, driving calls to reduce dependencies on non-European vendors. Officials and industry leaders emphasise technological controls, notably strong encryption and customer-held keys, and the need for scalable European cloud alternatives while addressing regulatory and startup barriers.

Fri, November 14, 2025

Bundestag Approves German NIS2 Law, Adds New Controls

🔒 The Bundestag approved the federal government's draft law to implement the NIS2 Directive on 13 November 2025, bringing new cybersecurity obligations for an estimated 29,850 companies and federal authorities. Affected organizations must strengthen risk analyses, incident response, backups and encryption, and report significant incidents to the BSI in stages: an initial notification within 24 hours, an incident report within 72 hours and a final report within 30 days. The law expands BSI supervisory powers and allows bans on "critical components" coordinated by the Interior Ministry, drawing criticism from industry groups.

Wed, November 12, 2025

New UK Cyber Security and Resilience Bill protects services

🔒 The UK introduced the Cyber Security and Resilience Bill on November 12, updating the NIS Regulations 2018 to strengthen protections for hospitals, energy, water and transport. The bill mandates security standards for medium and large managed service providers, requires incident notification to the NCSC and regulators within 24 hours (with a full report within 72 hours), and empowers regulators to designate and enforce controls on critical suppliers. It also creates turnover-based penalties and extends coverage to data centres and smart energy systems.

Wed, November 12, 2025

UK bill tightens cybersecurity for critical infrastructure

🛡️ The UK’s Cyber Security and Resilience Bill would impose mandatory security standards and a 24-hour reporting requirement on operators in healthcare, energy, water, transport and digital services. It updates the NIS 2018 framework and for the first time brings medium and large MSPs and data centres under direct regulatory oversight. Regulators would gain powers to levy turnover-linked penalties and the technology secretary would be able to order emergency mitigations during major cyber incidents.

Wed, November 12, 2025

Legal Boundaries and Risks of Private Hackback Operations

🔒 Former DoJ attorney John Carlin examines hackbacks, defining them as proactive counterattacks that go beyond passive defense. He argues that purely defensive measures that only affect a victim's own systems are generally lawful, while offensive actions that damage or access an attacker's systems are likely prohibited without government authorization. Carlin recommends oversight and legal clarification of the Computer Fraud and Abuse Act (CFAA) and the Cybersecurity Information Sharing Act of 2015 (CISA 2015), and urges private actors to proceed with caution.

Wed, November 12, 2025

UK introduces Cyber Security and Resilience Bill to Parliament

🔒 The UK government introduced the Cyber Security and Resilience Bill on 12 November, proposing a major overhaul of the NIS Regulations to align with updated EU standards. The draft would regulate managed service providers, expand scope to data centres and the electricity flows controlled by smart appliances, and mandate supply-chain risk management and controls based on the NCSC Cyber Assessment Framework. Incident reporting windows would tighten to an initial notification within 24 hours and a full report within 72 hours, while the ICO and sector regulators gain stronger enforcement and fee-charging powers.

Tue, November 11, 2025

EU draft seeks GDPR changes for AI training and cookies

🛡️ A leaked draft of the EU Commission's proposed "Digital Omnibus" would amend the GDPR to absorb cookie rules and relax limits on AI training with personal data. The draft, due to be presented on 19 November 2025, would add Article 88a to move cookie regulation into the GDPR and allow processing for a closed list of low-risk purposes or on other legal bases, including legitimate interest. Critics warn this shifts tracking from opt-in to opt-out and risks diluting privacy protections; the proposal also narrows sensitive-data protections and requires browsers to transmit users' consent preferences.

Tue, November 11, 2025

CISO Guide: Defending Against AI Supply-Chain Attacks

⚠️ AI-enabled supply chain attacks have surged in scale and sophistication, with malicious package uploads to open-source repositories rising 156% year-over-year and real incidents, from PyPI trojans to compromises involving Hugging Face, GitHub and npm, already impacting production environments. These threats are polymorphic, context-aware, semantically camouflaged and temporally evasive, rendering signature-based tools increasingly ineffective. CISOs should immediately prioritize AI-aware detection, behavioral provenance, runtime containment and strict contributor verification to reduce exposure and satisfy emerging regulatory obligations such as the EU AI Act.

Tue, November 11, 2025

Senate Restores Lapsed Cybersecurity Laws After Shutdown

🛡️ The Senate voted 60-40 to advance a continuing resolution that temporarily reinstates the Cybersecurity Information Sharing Act of 2015 (CISA) and the Federal Cybersecurity Enhancement Act through January 2026. The measure restores liability shields, antitrust exemptions and FOIA protections that encourage private-sector threat sharing and renews authority for EINSTEIN intrusion-detection services for civilian agencies. The stopgap leaves another funding deadline early next year and raises questions about a full reauthorization versus further short-term extensions.

Mon, November 10, 2025

Google Public Sector Achieves CMMC Level 2 Certification

🔒 Google Public Sector announced it has achieved CMMC Level 2 certification, validated by a certified third-party assessment organization (C3PAO). The certification confirms that its internal systems used to process and store Controlled Unclassified Information (CUI) meet DoD cybersecurity expectations. While the certification covers Google’s internal systems and does not extend to customer environments, Google highlights support for the Defense Industrial Base through FedRAMP-authorized cloud services and published compliance resources, including a Google Workspace CMMC Implementation Guide, to help partners accelerate their own CMMC journeys.

Mon, November 10, 2025

EU Commission proposes GDPR changes for AI and cookies

🔓 The European Commission's leaked "Digital Omnibus" draft would revise the GDPR, shifting cookie rules into the regulation and allowing broader processing based on legitimate interests. Websites could move from opt-in to opt-out tracking, and companies could train AI on personal data without explicit consent provided safeguards such as data minimization, transparency and an unconditional right to object are applied. Privacy groups warn the changes would weaken protections.
