All news with #regulatory action tag

India DPDP Rules 2025 Make Privacy an Engineering Challenge

🔒 India’s new Digital Personal Data Protection (DPDP) Rules, 2025 impose strict consent, verification, and fixed deletion timelines that require large platforms and enterprises to redesign how they collect, store, and erase personal data. The rules create Significant Data Fiduciaries with added audit and algorithmic-check obligations and formalize certified Consent Managers. Organizations have 12–18 months to adopt automated consent capture, verification, retention enforcement, and data-mapping across cloud, on‑prem, and SaaS environments.

European Digital Sovereignty Summit Shifts Priorities

🔒 European leaders, including Chancellor Friedrich Merz and President Emmanuel Macron, will attend a Berlin summit of digital ministers and IT experts expected to draw about 900 participants. The conference highlights concerns that US laws such as CLOUD Act and FISA 702 can compel US cloud providers to disclose data held in Europe, driving calls to reduce dependencies on non‑European vendors. Officials and industry leaders emphasise technological controls — notably strong encryption and customer-held keys — and the need for scalable European cloud alternatives while addressing regulatory and startup barriers.

Bundestag Approves German NIS2 Law, Adds New Controls

🔒 The Bundestag approved the federal government's draft law to implement the NIS2 Directive on 13 November 2025, bringing new cybersecurity obligations for an estimated 29,850 companies and federal authorities. Affected organizations must strengthen risk analyses, incident response, backups and encryption, and report incidents to the BSI within 24/72/30 hours/days. The law expands BSI supervisory powers and allows bans on "critical components" coordinated by the Interior Ministry, drawing criticism from industry groups.

New UK Cyber Security and Resilience Bill protects services

🔒 The UK introduced the Cyber Security and Resilience Bill on November 12, updating the NIS Regulations 2018 to strengthen protections for hospitals, energy, water and transport. The bill mandates security standards for medium and large managed service providers, requires incident notification to the NCSC and regulators within 24 hours (full reports in 72), and empowers regulators to designate and enforce controls on critical suppliers. It also creates turnover-based penalties and extends coverage to data centers and smart energy systems.

UK bill tightens cybersecurity for critical infrastructure

🛡️ The UK’s Cyber Security and Resilience Bill would impose mandatory security standards and a 24-hour reporting requirement on operators in healthcare, energy, water, transport and digital services. It updates the NIS 2018 framework and for the first time brings medium and large MSPs and data centres under direct regulatory oversight. Regulators would gain powers to levy turnover-linked penalties and the technology secretary would be able to order emergency mitigations during major cyber incidents.

Legal Boundaries and Risks of Private Hackback Operations

🔒 Former DoJ attorney John Carlin examines hackbacks, defining them as proactive counterattacks that go beyond passive defense. He argues that purely defensive measures that only affect a victim’s systems are generally lawful, while offensive actions that damage or access an attacker’s systems are likely prohibited without government authorization. Carlin recommends oversight and legal clarification to the CFAA and CISA, and urges private actors to proceed with caution.

UK introduces Cyber Security and Resilience Bill to Parliament

🔒 The UK government today introduced the Cyber Security and Resilience Bill, proposing a major overhaul of the NIS Regulations to align with updated EU standards. The draft would regulate managed service providers, expand scope to data centres and smart-appliance electricity flows, and mandate supply-chain risk management and NCSC Cyber Assessment Framework-based controls. Incident reporting windows would tighten to an initial 24 hours and full report within 72 hours, while the ICO and regulators gain stronger enforcement and fee powers.

EU draft seeks GDPR changes for AI training and cookies

🛡️A leaked draft of the EU Commission’s proposed “Digital Omnibus” would amend the GDPR to absorb cookie rules and relax limits on AI training with personal data. The draft, due to be presented on 19 November 2025, would add Article 88a to move cookie regulation into the GDPR and allow processing on a closed list of low‑risk purposes or other legal bases including legitimate interest. Critics warn this shifts tracking from opt‑in to opt‑out and risks diluting privacy protections, while the proposal also narrows sensitive‑data protections and requires browsers to transmit consent preferences.

CISO Guide: Defending Against AI Supply-Chain Attacks

⚠️ AI-enabled supply chain attacks have surged in scale and sophistication, with malicious package uploads to open-source repositories rising 156% year-over-year and real incidents — from PyPI trojans to compromises of Hugging Face, GitHub and npm — already impacting production environments. These threats are polymorphic, context-aware, semantically camouflaged and temporally evasive, rendering signature-based tools increasingly ineffective. CISOs should prioritize AI-aware detection, behavioral provenance, runtime containment and strict contributor verification immediately to reduce exposure and satisfy emerging regulatory obligations such as the EU AI Act.

Senate Restores Lapsed Cybersecurity Laws After Shutdown

🛡️ The Senate voted 60-40 to advance a continuing resolution that temporarily reinstates the Cybersecurity Information Sharing Act of 2015 (CISA) and the Federal Cybersecurity Enhancement Act through January 2026. The measure restores liability shields, antitrust exemptions and FOIA protections that encourage private-sector threat sharing and renews authority for EINSTEIN intrusion-detection services for civilian agencies. The stopgap leaves another funding deadline early next year and raises questions about a full reauthorization versus further short-term extensions.

Google Public Sector Achieves CMMC Level 2 Certification

🔒 Google Public Sector announced it has achieved CMMC Level 2 certification, validated by a certified third-party assessment organization (C3PAO). The certification confirms that its internal systems used to process and store Controlled Unclassified Information (CUI) meet DoD cybersecurity expectations. While the certification covers Google’s internal systems and does not extend to customer environments, Google highlights support for the Defense Industrial Base through FedRAMP-authorized cloud services and published compliance resources, including a Google Workspace CMMC Implementation Guide, to help partners accelerate their own CMMC journeys.

EU Commission proposes GDPR changes for AI and cookies

🔓 The European Commission's leaked "Digital Omnibus" draft would revise the GDPR, shifting cookie rules into the regulation and allowing broader processing based on legitimate interests. Websites could move from opt-in to opt-out tracking, and companies could train AI on personal data without explicit consent if safeguards like data minimization, transparency and an unconditional right to object are applied. Privacy groups warn the changes would weaken protections.

NCSC to Retire Web Check and Mail Check Tools in 2026

⚠️The National Cyber Security Centre (NCSC) has announced it will retire its Web Check and Mail Check external attack surface tools by 31 March 2026. These services, introduced in 2017, scanned for web vulnerabilities, misconfigurations, and email anti‑spoofing controls such as SPF, DKIM and DMARC. Current users are urged to seek commercial alternatives and consult an NCSC buyer’s guide and other Check services before the end-of-life date.

Proposed U.S. Ban on TP-Link Routers Raises Concerns

🔍 The U.S. government is weighing a ban on sales of TP‑Link networking gear amid concerns that the company may be subject to Chinese government influence and that its products handle sensitive U.S. data. TP‑Link Systems disputes the claims, says it split from its China-based namesake, and notes many competitors source components from China. The piece highlights industry-wide risks — insecure defaults, outdated firmware, and ISP-deployed devices — and suggests OpenWrt and similar open-source firmware as mitigations for technically capable users.

ID Verification Laws Fueling a New Wave of Breaches

🔒 The proliferation of age and identity verification laws is forcing organizations to retain sensitive government-issued IDs, increasing breach risk. A recent Discord incident exposed ID images via a compromised third-party provider, showing how regulatory mandates can create high-value data stores. The article advises that MSPs and affected organizations adopt natively integrated platforms and a single-agent, single-console approach to reduce attack surface, simplify operations and centralize visibility to mitigate these new risks.

Hacktivist DDoS Drives Majority of Public Sector Attacks

🛡️ ENISA's study of 586 public administration incidents found DDoS attacks made up roughly 60% of events, with 63% attributed to hacktivist groups. Central government incidents accounted for 69% of the total, while data breaches (17%) and ransomware (10%) caused disproportionate disruption. ENISA warns the sector's low maturity and recent inclusion in NIS2 increase risk and recommends CDNs/WAFs for DDoS mitigation, MFA/PAM/DLP for data protection, and EDR, segmentation and backups to combat ransomware.

From Tabletop to Turnkey: Cyber Resilience in Finance

🛡️ Financial institutions face a regulatory shift: cyber‑resilience has moved from best practice to prescriptive requirement under regimes such as DORA, CORIE, MAS TRM, FCA/PRA and others. Filigran’s OpenAEV combines tabletop crisis playbooks with breach-and-attack simulation so teams can rehearse human and technical responses together. The platform synchronizes players via enterprise IAM, translates threat intelligence into timed technical injects and simulated communications, and streamlines logistics, reporting and continual improvement. OpenAEV is free for community use, with a library of scenarios and SIEM/EDR integrations, and Filigran is hosting expert sessions to demonstrate operationalization.

Securing Critical Infrastructure: Europe’s Risk-Based Rules

🔒 In this Deputy CISO post, Freddy Dezeure of Microsoft explains how recent EU laws are reshaping cybersecurity for critical infrastructure. He argues that NIS2 and DORA broaden the CISO role across IT, OT, IoT, AI, and supply chains and push for stronger board-level accountability. The piece emphasizes a risk-based, prioritized approach—focusing on a few high-impact controls such as phishing-resistant multifactor authentication, comprehensive asset inventory, timely patching, and resilience testing.

UK Carriers to Block Spoofed Phone Numbers Within Year

🔒 Britain’s major mobile carriers have agreed to upgrade networks to eliminate phone-number spoofing within a year under the new Telecoms Charter. The pact, signed by BT EE, Virgin Media O2, Vodafone Three, Tesco Mobile, TalkTalk and Sky, requires call-origin labeling for international calls, broader data sharing with police, advanced tracing and faster victim support. Operators report AI systems already block millions of scam calls and texts monthly.

U.S. Sanctions 10 North Korean Financial and IT Facilitators

🛡️ The U.S. Treasury on Tuesday sanctioned eight individuals and two entities tied to North Korea's global financial network for laundering proceeds from cybercrime and fraudulent IT-worker schemes. The list names Jang Kuk Chol and Ho Jong Son, linked to $5.3 million in cryptocurrency managed for First Credit Bank, as well as Korea Mangyongdae Computer Technology Company (KMCTC), its president U Yong Su, and Ryujong Credit Bank. Treasury said the funds help finance Pyongyang's weapons and cyber programs, while blockchain firm TRM Labs reported sustained crypto inflows indicative of salary-routing activity.