All news with #regulatory action tag
Thu, December 11, 2025
UK and Portugal Move to Protect Security Researchers
🔒 Governments in the UK and Portugal have introduced proposals and legislation to provide legal protection for computer security researchers, recognizing that outdated laws can deter responsible vulnerability testing. UK security minister Dan Jarvis proposed amending the 1990 Computer Misuse Act to create a statutory defense for good-faith research that meets defined safeguards. Portugal's new law similarly shields researchers who do not seek financial advantage and who respect data protection rules, aligning with measures already adopted in the Netherlands, France, and Belgium.
Thu, December 11, 2025
AWS Strengthens Cybersecurity and Resilience in the EU
🔒 AWS reiterates its commitment to raising cybersecurity standards across the European Union, positioning security as a core responsibility across its global operations. The post explains how AWS supports customers in meeting the NIS 2 Directive (EU 2022/2555) and related Implementing Regulation (EU 2024/2690) through services, audited controls, and guidance. It highlights certifications, regional accreditations, and tools—such as AWS Security Hub, AWS Config, and AWS CloudTrail—that help entities meet governance, incident reporting, and resilience obligations. The blog also describes AWS collaboration with national authorities and programs that provide templates, training, and operational engagement to improve readiness and compliance.
Wed, December 10, 2025
HTTPS Certificate Industry Phases Out Weak Domain Checks
🔒 The Chrome Root Program and the CA/Browser Forum have adopted new requirements (Ballots SC-080, SC-090, and SC-091) to phase out 11 legacy Domain Control Validation methods. These deprecated checks — including email, fax, SMS, postal mail, phone-based contacts, and reverse lookup methods — are being retired to reduce the risk of fraudulent certificate issuance. The policies update the TLS Baseline Requirements and encourage stronger, automated, cryptographically verifiable methods such as ACME, with full security value realized by March 2028 while operators transition.
Wed, December 10, 2025
2026 NDAA: Cybersecurity Changes for DoD Mobile and AI
🛡️ The compromise 2026 NDAA directs large new cybersecurity mandates for the Department of Defense, including contract requirements to harden mobile phones used by senior officials and enhanced AI/ML security and procurement standards. It sets timelines (90–180 days) for mobile protections and AI policies, ties requirements to industry frameworks such as NIST SP 800 and CMMC, and envisions workforce training and sandbox environments. The law also funds roughly $15.1 billion in cyber activities and adds provisions on spyware, biologics data risks, and industrial base harmonization.
Tue, December 9, 2025
Automating NIS2 Compliance: Move from Paperwork to Code
🛡️ The EU directive NIS2, in force in Germany since 06 December 2025, risks becoming a paperwork-heavy exercise unless organisations adopt automation and DevSecOps. The article argues security must be planned and enforced by technology, using Infrastructure as Code, policies-as-code and CI/CD pipelines so controls and evidence (commits, pipeline logs, SBOMs) are revision-proof. Solutions such as CIEM, CNAPP and SIEM can centralise IAM, vulnerability and incident data so auditability is produced by the platform rather than by post-hoc Word documents.
Mon, December 8, 2025
Portugal exempts ethical hackers under updated law
🔒 Portugal has amended its cybercrime law to exempt cybersecurity researchers and ethical hackers from prosecution, with the change published in the Diário da República on 4 December. The amendment, titled “Acts not punishable due to public interest in cybersecurity,” creates a legal exception for good-faith vulnerability research provided strict conditions are met. Researchers must avoid economic gain, refrain from DoS, social engineering, phishing and data theft, report findings to the system owner and the data protection regulator, and delete sensitive data within 10 days of a fix.
Mon, December 8, 2025
UK ICO Seeks Urgent Clarity on Facial Recognition Bias
🔍 The UK Information Commissioner’s Office (ICO) has asked the Home Office for urgent clarity after a National Physical Laboratory (NPL) report identified racial bias in the retrospective facial recognition (RFR) algorithm Cognitec FaceVACS-DBScan ID v5.5 used by police. The study found far higher false positive rates for Asian (4%) and Black (5.5%) subjects compared with white subjects (0.04%), with an observed disparity between black males (0.4%) and black females (9.9%). Deputy information commissioner Emily Keaney said the ICO was disappointed it had not been informed earlier and stressed that public confidence, transparency and proper oversight are essential while the Home Office moves to operationally test a replacement algorithm.
Mon, December 8, 2025
Vaillant CISO: Act Now on Security and Regulatory Change
🔐 Vaillant CISO Christoph Reiß says rising geopolitical tensions and the professionalization of cybercrime — amplified by accessible AI tools — are elevating the threat to the heating and energy sector. Vaillant relies on a holistic, multilayered security strategy that combines preventative and reactive measures and protects IT, production, and customer products. Employee-focused training, from gamification to practical compliance, is central, and Reiß highlights regulatory complexity (e.g., NIS2, DORA, Cyber Resilience Act) while urging organizations to begin pragmatic implementation now rather than wait.
Sun, December 7, 2025
Portugal Revises Law to Shield Security Researchers
🛡️ Portugal amended its cybercrime law to create a clear safe harbor for good-faith security research under new Article 8.º-A. The change exempts certain acts that would previously be illegal if performed solely to identify and responsibly disclose vulnerabilities, provided strict conditions are met: immediate notification to the system owner and the CNCS, no excessive financial gain, non-disruptive techniques, GDPR compliance, and deletion of obtained data within ten days of remediation. Tests carried out with owner consent are also covered but still require CNCS notification.
Fri, December 5, 2025
Senate Finds Widespread Use of Non-Approved Messaging Apps
📱 The Senate Committee on Armed Services concluded that unsecured use of non‑approved messaging apps is a wider problem in the Department of Defense. It found that Secretary Pete Hegseth violated policy by sharing operational details on Signal from a personal device two hours before a strike and inadvertently added a journalist to the group. The reports cite broader “shadow communications,” limited audit evidence, and recommend approved alternatives, training, and tighter authority controls.
Fri, December 5, 2025
EU Fines X €120M for Deceptive Blue Checkmarks Under DSA
🔎 The European Commission has fined X €120 million for breaching transparency obligations under the Digital Services Act. A two‑year inquiry found X's paid 'blue checkmark' programme misleading because badges could be purchased without meaningful identity verification, and that its ad repository and researcher access practices lacked required transparency. X has 60 working days to fix the checkmark issue and 90 days to submit plans for ad and research improvements or face further penalties.
Thu, December 4, 2025
NCSC launches Proactive Notifications pilot for UK orgs
🔔 The UK National Cyber Security Centre (NCSC) is piloting Proactive Notifications, a service delivered via Netcraft that scans publicly available internet data to identify exposed software and missing security services. The NCSC will email affected organizations — messages originate from netcraft.com, contain no attachments, and do not request payments or personal data. The pilot covers UK domains and IPs on UK ASNs and focuses on notifying about specific CVEs and general weaknesses like weak encryption.
Thu, December 4, 2025
Russia Blocks FaceTime and Snapchat Citing Terror Use
📵 Russian telecom regulator Roskomnadzor has blocked FaceTime and Snapchat, alleging the platforms are being used to coordinate terrorist attacks, recruit perpetrators, and facilitate fraud against Russian citizens. Roskomnadzor said Snapchat was blocked on October 10 under centralized public communication network rules, and announced the FaceTime restriction later. Apple and Snap did not immediately respond to requests for comment.
Thu, December 4, 2025
Post Office Avoids £1.1m Fine for Leak of 502 Postmasters
🔒 The Information Commissioner's Office found that an unredacted settlement document related to the long-running Horizon scandal exposed the names, home addresses and postmaster status of 502 litigants on the Post Office website between 25 April and 19 June 2024. The ICO considered a fine just under £1.1m but issued a reprimand under its public sector approach after concluding the breach was not 'egregious'. The regulator criticised the Post Office for lacking documented publishing policies, quality assurance and sufficient staff training; the organisation has offered compensation and 24 months of identity protection and taken steps to remove cached copies and strengthen controls.
Thu, December 4, 2025
Protecting Submarine Cables: Cyber and Physical Security
🔒 Submarine cables carry between 95% and 99% of global data traffic, yet recent breakages — notably ten in the Baltic Sea between 2022 and July 2025 — highlight persistent vulnerabilities. Private operators now control most capacity, and governments and vendors must address both physical threats such as fishing and anchors and increasingly sophisticated cyber risks. Major cloud vendors emphasize route diversity and redundancy while operators like Telxius combine burial, audits, AI/ML detection and continuity planning to protect service availability.
Wed, December 3, 2025
Russia Blocks Roblox Citing Distribution of LGBT Content
🚫 Roskomnadzor has restricted access to the US gaming platform Roblox, saying it repeatedly failed to stop the distribution of what the regulator described as LGBT propaganda, extremist and terrorist materials, and calls for violent illegal actions. The agency said unsafe content appeared in in-game rooms where users can simulate attacks, target schools, or participate in gambling. Roblox was reportedly warned in November after moderation shortcomings were confirmed.
Wed, December 3, 2025
UK Plans Ransomware Payment Ban With Security Exemptions
🔒 The UK government plans to ban ransomware payments for public sector and critical national infrastructure, while requiring other businesses to notify authorities if they intend to pay attackers. Announced after a public consultation and detailed in a September policy paper, the measure will include national security exemptions to avoid creating impossible choices for essential services. Security Minister Dan Jarvis said the move is a priority and that adoption will proceed when parliamentary time allows, with ongoing coordination across government and allied states.
Wed, December 3, 2025
Pall Mall Process to Define Responsible Cyber Intrusion
🛡️ The Pall Mall Process, launched in 2024 by the UK and France with 27 governments and major tech firms onboard, seeks to set guidelines for commercial cyber intrusion capabilities. Its second phase invites input from the offensive cyber industry — vendors, brokers, researchers and service providers — on what constitutes responsible behaviour. The guidance will complement the existing Code of Practice for States and aims to curb irresponsible trade in spyware and zero‑day exploits. The public consultation closes on December 22.
Tue, December 2, 2025
FTC Settlement Requires Illuminate to Delete Student Data
⚖️ The FTC has proposed a settlement requiring Illuminate Education to delete unnecessary student data and strengthen its security program after a 2021 breach that exposed information for about 10.1 million students. The agency alleges failures including lack of access controls, storing data in plain text, weak patching, and misrepresenting encryption in contracts. The proposed order mandates data minimization, a public retention schedule, and prompt breach reporting to the FTC; it will be open for 30 days of public comment, and violations could trigger civil penalties.
Tue, December 2, 2025
India Orders Messaging Apps to Bind Accounts to SIMs
🔒 India's Department of Telecommunications (DoT) has directed messaging apps to bind accounts to an active, KYC‑verified SIM linked to the user's mobile number, with platforms required to comply within 90 days. The amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024 aims to curb phishing, cross‑border fraud and remote account takeovers by closing gaps from long‑lived web/desktop sessions. Providers must enforce continuous SIM linkage and force web sessions to log out every six hours, requiring QR re‑linking. The DoT also announced a Mobile Number Validation (MNV) platform for decentralized, privacy‑compliant verification.