All news with #regulatory action tag
Tue, December 2, 2025
AI Requires Difficult Choices: Regulatory Paths for Democracy
🧭 The piece argues that AI forces a societal reckoning similar to the arrival of social media: it can amplify individual agency but also concentrate control and harm democratic life. The authors identify four pivotal choices for executives and courts, Congress, states, and everyday users—centering on legal accountability, privacy and portability, reparative taxation, and consumer product choices. They urge proactive, aligned policy and civic action to avoid repeating past mistakes and to steer AI toward public-good outcomes.
Tue, December 2, 2025
ICO Reviews Mobile Games for Children's Code Compliance
🕹️ The UK Information Commissioner's Office has launched a focused review of 10 popular mobile games to assess compliance with the Children’s Code (Age-Appropriate Design Code). The review will scrutinize default privacy settings, geolocation controls, targeted advertising and other design features that could affect children’s privacy. The ICO cited parental research showing high levels of concern about data collection, exposure to strangers and harmful content in mobile games.
Tue, December 2, 2025
Vaillant CISO: From Technology to Strategic Cyber Leadership
🔒 Raphael Reiß, CISO at Vaillant Group, warns that rising geopolitical tensions and increasingly professional cybercriminals — now aided by AI — have lowered the barrier to complex attacks. Vaillant applies a holistic, multilayered security approach that spans IT, global production and customer-facing products, combining preventive and reactive controls. Reiß emphasises people-first awareness training and pragmatic compliance with standards such as NIS2, DORA and the Cyber Resilience Act. His advice is direct: analyse your starting point and start rather than wait.
Mon, December 1, 2025
India Orders Phones to Preinstall Government Cyber App
📱 India’s telecommunications ministry has instructed major handset manufacturers to preload the government-backed cybersecurity app Sanchar Saathi on all new phones within 90 days, according to Reuters. The directive, dated November 28, 2025, reportedly requires the app to be non-removable and non-disableable and mandates pushing it via updates to devices already in the supply chain. Sanchar Saathi enables reporting of fraud and malicious links, blocking and tracking stolen devices, and checking multiple mobile connections; it has more than 11.4 million installs and has helped trace and recover hundreds of thousands of handsets.
Mon, December 1, 2025
US State Attempts to Ban VPNs in Name of Child Safety
🔒 Wisconsin lawmakers are advancing legislation that would require age verification on sites deemed potentially sexual and mandate blocking users who access content via VPNs. The measure, A.B. 105 / S.B. 130, expands the definition of material "harmful to minors" and would force site operators to verify age and detect or block VPN connections. Critics argue it undermines privacy, free expression, and effective safety outcomes, and advocates such as the EFF call the proposal a terrible idea.
Fri, November 28, 2025
EU 'Chat Control' Shift Should Alarm Businesses Across Europe
⚠️ The EU Council's decision to frame communications scanning as voluntary is being presented as a retreat from plans to weaken end-to-end encryption, but privacy experts warn the danger persists. Campaigners including Patrick Breyer and European Digital Rights (EDRi) say this effectively privatizes Chat Control, enabling companies to deploy error-prone, warrantless client-side scanning. For enterprises and CISOs the main concern is data leakage: false positives could expose confidential documents, code, or strategic plans to outside authorities without corporate consent.
Thu, November 27, 2025
Key Provisions of the UK Cyber Security and Resilience Bill
🛡️ The Cyber Security and Resilience Bill — introduced to the House of Commons on 12 November and outlined by Shona Lester (DSIT) on 24 November — aims to strengthen protection for essential services by expanding regulatory scope and accelerating incident reporting. It brings data centres, large load controllers, managed service providers and designated critical suppliers into an Operators of Essential Services regime and requires 24‑hour notification of incidents with fuller reporting to follow. The bill also increases regulators’ enforcement powers and penalty regimes.
Wed, November 26, 2025
UK Committee Urges Legal Liability for Software Insecurity
⚖️ The UK’s Business and Trade Committee has recommended making software providers legally accountable for insecure products, arguing that voluntary measures like the Software Security Code of Practice are insufficient to protect economic stability. The report highlights 2025 incidents affecting Co-op, M&S and Jaguar Land Rover that produced heavy public costs and operational disruption. It urges mandatory compliance, stronger enforcement powers and compulsory incident reporting to shift financial risk back to vendors.
Tue, November 25, 2025
UK Lawmakers Urge Legal Shift on Economic Cybersecurity
🔒 The House of Commons Business and Trade Committee has urged the UK government to enshrine a new approach to economic security in law, warning that cyber and other threats increasingly imperil the nation's open economy. The committee's report, Toward a new doctrine for economic security, stresses that economic security cannot be achieved without cybersecurity and highlights attacks on critical national infrastructure and private firms. Key recommendations include making the voluntary Software Security Code of Practice mandatory, introducing tax relief for IT services that enhance operational resilience, and consulting on a mandatory cyber-incident reporting regime.
Sat, November 22, 2025
FCC Reversal Removes Telecom Cybersecurity Mandates
⚠️ The FCC has reversed its January 2025 Declaratory Ruling that required US telecom providers to adopt and annually certify stricter cybersecurity controls under CALEA. The agency said the earlier order was misconstrued and unlawful, citing recent engagements with carriers and targeted actions instead of prescriptive mandates. Critics, including FCC Commissioner Anna Gomez and security experts, warn the rollback could leave critical infrastructure more exposed after the Salt Typhoon attacks.
Fri, November 21, 2025
FCC Reverses Telco Cybersecurity Mandate After Salt Typhoon
🔒 The FCC has rescinded a January 2025 declaratory ruling under CALEA that would have required telecom carriers to adopt formal cybersecurity risk-management plans, submit annual certifications, and treat network cybersecurity as a legal obligation after the Salt Typhoon intrusions. The agency, now led by new commissioners, also withdrew the accompanying NPRM, calling the prior approach inflexible and legally flawed. Carriers say they have strengthened defenses and agreed to continued coordination, while critics warn that relying on voluntary measures risks leaving national communications infrastructure exposed.
Fri, November 21, 2025
SEC Drops Lawsuit Against SolarWinds After Years-long Probe
📰 The U.S. Securities and Exchange Commission has voluntarily dismissed its lawsuit against SolarWinds and CISO Timothy G. Brown, filing a joint motion to dismiss on November 20, 2025. The October 2023 complaint alleged fraud, internal control failures, and misleading disclosures tied to the late-2020 supply-chain compromise attributed to APT29. Many allegations were rejected by the SDNY in July 2024 as relying on hindsight. SolarWinds' CEO said the company emerges stronger, more secure, and better prepared.
Thu, November 20, 2025
CISA Issues Guidance to Combat Bulletproof Hosting Abuse
🔒 CISA, together with US and international partners, has published a joint guide addressing bulletproof hosting (BPH) services that enable ransomware, phishing, malware delivery and other attacks. The guidance explains how BPH providers lease or resell infrastructure to criminals, enabling fast-flux operations, command-and-control activity and data extortion while evading takedowns. It recommends concrete defensive actions — including curating a high-confidence list of malicious internet resources, continuous traffic analysis, automated blocklist reviews, network-edge filters, threat intelligence sharing and feedback processes — to help ISPs and network defenders reduce abuse while limiting collateral impact.
Thu, November 20, 2025
UK, US and Allies Sanction Russian Bulletproof Hosters
🔒 Western allies have announced coordinated sanctions targeting three bulletproof hosting providers — Media Land, ML.Cloud and Aeza Group — and four associated Russian executives, including Alexander Volosovik (aka Yalishanda). The measures, backed by the UK, US and Australia, also named UK-registered front Hypercore and aim to seize assets and cut access to legitimate banking channels. Authorities say the hosts supported numerous ransomware and infostealer operations, and Five Eyes nations published guidance to help ISPs and defenders mitigate malicious activity enabled by such services.
Wed, November 19, 2025
AWS Designated Critical Third-Party Provider under DORA
🔐 Amazon Web Services has been designated a critical third-party provider (CTPP) by the European Supervisory Authorities under the EU’s DORA regulation, which took effect in January 2025. The designation establishes a formal oversight relationship between AWS and the ESAs and signals heightened regulatory engagement for financial services customers operating in the EU. AWS says it will continue investing in compliance, operational resilience, risk management, and transparency, and will support customers with documentation, whitepapers, and a dedicated security and compliance team to help meet DORA obligations.
Wed, November 19, 2025
US, UK, Australia Sanction Russian Bulletproof Hosts
🔒 The US, UK, and Australia have sanctioned Russian bulletproof hosting provider Media Land and related companies for supporting ransomware gangs such as LockBit, BlackSuit, and Play. Three executives were also designated and assets frozen, while clients and facilitators face secondary sanctions. Five Eyes agencies issued guidance for ISPs to detect and block BPH-enabled abuse.
Wed, November 19, 2025
CISA Urges Critical Infrastructure to Be Air Aware
🛡️ CISA urges critical infrastructure owners and operators to adopt a year‑round approach to managing risks from unmanned aircraft systems (UAS) and highlights its Be Air Aware™ campaign. The agency released three new guidance products: Suspicious Unmanned Aircraft System Activity Guidance, Safe Handling Considerations for Downed UAS, and UAS Detection Technology Guidance. CISA also offers regional assessments, exercise design, temporary flight restriction coordination for high‑risk events, and bombing prevention assistance to help organizations detect, mitigate, and respond to UAS incidents.
Tue, November 18, 2025
CISA 2015 Short-Term Extension Provides Temporary Relief
🛡️ The US Cybersecurity Information Sharing Act (CISA 2015) received a three-month extension in a Senate continuing resolution, preserving liability protections for voluntary threat sharing through the Automated Indicator Sharing (AIS) program until January 30, 2026. Cyber professionals broadly welcomed the move but called it a "temporary patch" and urged a longer-term renewal. Industry sources reported the lapse since September reduced federal-to-private sharing, while a Binalyze survey highlighted operational strains, estimating an average cost of $114,000 per hour of delayed incident response.
Tue, November 18, 2025
Energy Sector Targeted by Hackers: Risks, AI & Cooperation
🔒 The energy sector faces a high and growing cyber threat, with attackers targeting OT systems, grid sensors and IoT endpoints to create cascading societal impacts. Critical vulnerabilities — notably in Siemens products — and increasing IT‑OT coupling widen the attack surface. The article stresses the need for end-to-end visibility, AI-driven early warning and anomaly detection, and stronger international cooperation, including NIS 2-aligned practices and active CERT coordination to build resilience.
Tue, November 18, 2025
Google Cloud Designated as DORA Critical ICT Provider
🔒 Google Cloud EMEA has been designated a critical ICT third-party provider under the EU's DORA regulation. The designation acknowledges the systemic importance of financial entities using Google Cloud services and establishes a direct oversight channel with a Lead Overseer from the ESAs. Google Cloud commits to transparency, customer support for compliance, and collaboration to strengthen digital operational resilience across Europe. It provides resources such as a Register of Information Guide and an ICT Risk Management Customer Guide to support customers' compliance journeys.