All news with #regulatory action tag
Wed, September 3, 2025
Court Upholds EU-US Data Privacy Framework Agreement
⚖️ The General Court of the European Union (the lower tier of the CJEU) has dismissed a legal challenge seeking to annul the EU-US Data Privacy Framework (DPF), finding that, at the time the adequacy decision was adopted, US law ensured an adequate level of protection for personal data transferred from the EU. Adopted in July 2023, the DPF is the main legal mechanism for transatlantic data flows, so the ruling gives immediate relief to the European Commission and to the many businesses that rely on it. Critics including Max Schrems and the advocacy group NOYB have signalled a likely appeal to the Court of Justice, so the ruling may not be the final word and legal uncertainty could continue.
Wed, September 3, 2025
US Sues Toy Maker Over Kids' Geolocation Data Leak
🔒 The U.S. Department of Justice has sued toy maker Apitor after an FTC referral, alleging it allowed a Chinese third party to collect precise geolocation data from children without notifying parents or obtaining the consent required under COPPA. Apitor's Android app for its robot toys embeds the JPush SDK, which reportedly collected location data usable for any purpose, including targeted advertising. Under a proposed settlement, Apitor must ensure that third parties it uses comply with COPPA, notify parents, delete the personal information already collected, limit retention, and faces a $500,000 civil penalty that is suspended on the basis of the company's claimed inability to pay.
Wed, September 3, 2025
Disney to Pay $10M Over YouTube Kids' Data Violations
⚖️ The FTC secured a $10 million settlement with Disney after finding the company mislabeled children’s content on YouTube, enabling collection of kids' personal data without parental notice or consent. The complaint says Disney applied channel-level tags that caused many videos to be marked as 'Not Made for Kids' instead of Made for Kids, circumventing COPPA protections. The settlement imposes a civil penalty, requires parental notice prior to data collection, and mandates a new program to ensure correct MFK labeling on future uploads.
Wed, September 3, 2025
CISA, NSA and Partners Release SBOM Shared Vision Guidance
🔐 CISA, in partnership with the NSA and 19 international agencies, released joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. The guidance defines an SBOM as a formal record of software components and supply chain relationships and explains how SBOMs provide essential visibility into dependencies. It outlines benefits for producers, purchasers, operators, and national security organizations and urges adoption of aligned technical approaches, standardized metadata, and automation to improve vulnerability management and strengthen global software supply chain resilience.
Wed, September 3, 2025
International Partners Release Shared SBOM Vision Statement
🔒 CISA, the NSA, and 19 international partners published a joint guide outlining the benefits of adopting software bills of materials (SBOM) to increase software component and supply chain transparency. The guide advises software producers, purchasers, and operators to integrate SBOM generation, analysis, and sharing into security processes to better identify and mitigate component risks. It calls for international alignment of SBOM technical approaches to reduce complexity, improve interoperability, and advance secure-by-design software.
Tue, September 2, 2025
Shadow AI Discovery: Visibility, Governance, and Risk
🔍 Employees are driving AI adoption from the ground up, often using unsanctioned tools and personal accounts that bypass corporate controls. Harmonic Security found that 45.4% of sensitive AI interactions come from personal email, underscoring a growing Shadow AI Economy. Rather than broad blocking, security and governance teams should prioritize continuous discovery and an AI asset inventory to apply role- and data-sensitive controls that protect sensitive workflows while enabling productivity.
Mon, September 1, 2025
BSI Urges Users to Assess Outage Risks in Digital Products
🔒 The German Federal Office for Information Security (BSI) recommends that consumers consider potential outage risks when selecting digital products and services. Users should evaluate how manufacturers handle security incidents, what happens to personal or family data, and whether vendors have a solid security reputation or trustworthy seals. The BSI also advises checking published information about incidents, remediation measures and contact options. Given that free Windows 10 security updates end on October 14, 2025, the agency urges timely upgrades or migration to alternatives such as macOS or Linux to help preserve confidentiality, integrity and availability.
Thu, August 28, 2025
U.S. Sanctions Network Supporting North Korean IT Workers
🔒 The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals and two companies tied to a North Korean IT worker network that embeds personnel in foreign firms using stolen or fabricated identities and "laptop farms" to disguise locations. Designations include Russian national Vitaliy Sergeyevich Andreyev and DPRK consular official Kim Ung Sun, plus Chinese front Shenyang Geumpungri Network Technology Co., Ltd and DPRK-linked Korea Sinjin Trading Corporation. Blockchain intelligence firm Chainalysis identified Andreyev’s Bitcoin wallet as a laundering conduit, tied to nearly $600,000 in conversions. The sanctions freeze U.S.-based assets, bar American persons from transacting with the designees, and signal heightened targeting of infrastructure and crypto facilitators who help the DPRK monetize overseas IT labor.
Thu, August 28, 2025
UK Signals Possible Reversal of iPhone Backdoor Mandate
🔍 US Director of National Intelligence Tulsi Gabbard has said that the UK government is dropping its demand that Apple build a backdoor into encrypted iPhone user data; early accounts of the reversal rest on her statement. If accurate, the move would mark a significant retreat from a mandate that would have compelled a vendor to weaken device security. The decision is described as provisional and underscores continuing tensions between privacy advocates, technology vendors, and law enforcement over access to encrypted communications.
Thu, August 28, 2025
August 2025 security roundup with Tony Anscombe highlights
🔒 In the August 2025 edition, ESET Chief Security Evangelist Tony Anscombe highlights major global developments that affect defenders and users alike. Key items include WhatsApp's takedown of 6.8 million scam-linked accounts in H1 2025, the UK government's reversal on an Apple cloud decryption demand, attacks on water facilities in Norway and Poland, and Nigeria's deportation of over 100 foreign nationals tied to a large cybercrime syndicate. He also notes auctions of active police and government email credentials on criminal forums and underscores lessons for resilience, encryption policy, and international cooperation.
Thu, August 28, 2025
US Treasury Sanctions DPRK IT-Worker Revenue Network
🛡️ The U.S. Treasury's Office of Foreign Assets Control (OFAC) announced sanctions on two individuals and two entities tied to a DPRK remote IT-worker revenue scheme that funneled illicit funds to weapons programs. Targets include Vitaliy Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology Co., Ltd, and Korea Sinjin Trading Corporation. Treasury says nearly $600,000 in crypto-derived transfers were converted to U.S. dollars and that front companies generated over $1 million in profits. Officials also highlighted the group's use of AI tools to fabricate résumés, secure employment, exfiltrate data, and enable extortion.
Thu, August 28, 2025
German Government to Propose Stronger Cyber Defense Bill
🛡️ The federal government plans to present a draft bill by year-end aimed at strengthening cyber defense across Germany. The proposal would expand cyber-defense powers for security agencies and deepen cooperation between civilian and military bodies, with joint exercises planned between the Interior Ministry and the Ministry of Defence. It also calls for the development of a Cyber-Dome, an automated system to detect and respond to online attacks, as Interior Minister Alexander Dobrindt warned of daily cyberattacks and rising hybrid threats.
Wed, August 27, 2025
CISA Launches Interactive Tool to Secure Software Buying
🛡️ CISA has released the Software Acquisition Guide: Supplier Response Web Tool to help IT leaders, procurement officers and software vendors strengthen cybersecurity across the acquisition lifecycle. The free, interactive platform digitizes CISA’s existing guidance into an adaptive format that highlights context-specific questions and generates exportable summaries for CISOs, CIOs and other decision-makers. Designed with secure-by-design and secure-by-default principles, the tool supports due diligence without requiring procurement professionals to be cybersecurity experts and aims to simplify risk-aware procurement decisions.
Wed, August 27, 2025
ENISA to Run €36m EU Cybersecurity Incident Reserve
🛡️ ENISA has been allocated €36m to operate the EU Cybersecurity Reserve, a virtual pool of pre‑vetted private incident response providers established under the EU Cyber Solidarity Act. The funding, delivered through the Digital Europe Programme over three years, will be used to procure responders and to evaluate and fulfil support requests from member states, CSIRTs or CERT‑EU. Unused pre‑committed services can be repurposed for prevention and preparedness. ENISA will also lead a European certification scheme for managed security services, initially focusing on incident response.
Tue, August 26, 2025
CISA Launches Web Tool for Secure Software Procurement
🛡️ CISA released the Software Acquisition Guide: Supplier Response Web Tool, a free, interactive resource to help IT and procurement professionals assess software assurance and supplier risk across the acquisition lifecycle. The Web Tool converts existing guidance into an adaptive, question-driven interface with exportable summaries for CISOs and CIOs. It emphasizes secure-by-design and secure-by-default practices to strengthen due diligence and procurement outcomes.
Tue, August 26, 2025
CIISec: Majority of Security Pros Back Stricter Rules
🔒 A new CIISec survey finds 69% of security professionals believe current cybersecurity laws are insufficient. The annual State of the Security Profession report, compiled from CIISec members and the wider community, highlights a regulatory focus driven by recent legislation such as DORA, NIS2 and the EU AI Act. Respondents assign breach responsibility mainly to boards (91%), and indicate increasing support for senior management sanctions. CIISec's CEO urges improved collaboration, regulation literacy and clearer risk communication.
Mon, August 25, 2025
CISA Seeks Update to SBOM Minimum Requirements Guidance
📝 CISA has issued a request for public comment on an updated guideline defining minimum elements for a software bill of materials (SBOM), intending to reflect advances in tooling and wider adoption since the 2021 NTIA document. The effort traces to President Biden’s EO 14028 and subsequent OMB guidance (M-22-18) requiring improved software supply chain security. Recent shifts in leadership and the OpenSSF’s announcement about the SBOM working group have reshaped the community landscape. Stakeholders may submit comments through October 3, 2025.
Fri, August 22, 2025
UNWG Releases Video Series on P25 LMR Encryption Importance
🔐 The Joint SAFECOM–NCSWIC Project 25 (P25) User Needs Working Group (UNWG) has published a video series highlighting the importance of P25 land mobile radio (LMR) encryption for national security and first responder communications. The series explains three types of P25 protections — link layer authentication, link layer encryption, and voice traffic encryption — and why each matters. Another installment outlines UNWG’s role in preserving interoperability and encourages public safety stakeholder engagement.
Fri, August 22, 2025
CISA Issues Draft SBOM Minimum Elements Guide for Comment
📣 CISA released a draft Minimum Elements for a Software Bill of Materials (SBOM) for public comment, updating the baseline to reflect advances in tooling and increased SBOM adoption since 2021. The guidance adds elements such as component hash, license, tool name, and generation context, and clarifies existing fields like SBOM author and software producer. Comments are open through October 3, 2025.
Fri, August 22, 2025
CISA Seeks Comment on Updated SBOM Minimum Elements
📝 CISA opened a public comment period on updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM), with submissions accepted through October 3, 2025. The draft refines required data fields, strengthens automation and machine-readable support, and clarifies operational practices to help organizations produce scalable, interoperable, and comprehensive SBOMs. Stakeholders are encouraged to provide feedback via the Federal Register to inform a future final release.
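The three SBOM items above list the data an SBOM must carry (the 2021 NTIA baseline plus the draft's added component hash, license, tool name and generation context) but not how a consumer would check a real document for them. The following checker is an added example written for this page, not CISA's tooling or text: it walks a CycloneDX 1.5 JSON document and reports which minimum elements are absent. The mapping of each element onto CycloneDX fields (for instance "generation context" onto metadata.lifecycles, "tool name" onto metadata.tools) is an assumption made here for illustration, and the embedded SBOM, its package names and its digest are constructed sample data.

```python
"""Report which minimum SBOM elements a CycloneDX 1.5 JSON document lacks.

Assumed field mapping (illustrative, not from the CISA draft):
  NTIA 2021 baseline -> supplier.name, name, version, purl/cpe/swid,
                        dependencies[], metadata.authors, metadata.timestamp
  draft additions    -> component.hashes, component.licenses,
                        metadata.tools (tool name), metadata.lifecycles
                        (generation context)
"""
import json

# Constructed sample document: one fully described component and one
# ("leftpad") that omits supplier, hash and license. The digest is a
# placeholder, not the real hash of any package.
SAMPLE_SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {
    "timestamp": "2025-08-22T10:00:00Z",
    "lifecycles": [{"phase": "build"}],
    "tools": {"components": [{"type": "application", "name": "example-sbom-tool", "version": "0.1"}]},
    "authors": [{"name": "Example Build Team"}],
    "component": {"type": "application", "name": "example-app", "version": "2.0.0",
                  "bom-ref": "pkg:pypi/example-app@2.0.0", "supplier": {"name": "Example Corp"}}
  },
  "components": [
    {"type": "library", "name": "requests", "version": "2.32.3",
     "bom-ref": "pkg:pypi/requests@2.32.3", "purl": "pkg:pypi/requests@2.32.3",
     "supplier": {"name": "Python Software Foundation"},
     "hashes": [{"alg": "SHA-256",
                 "content": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}],
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "leftpad", "version": "0.0.1",
     "bom-ref": "pkg:npm/leftpad@0.0.1", "purl": "pkg:npm/leftpad@0.0.1"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/example-app@2.0.0",
     "dependsOn": ["pkg:pypi/requests@2.32.3", "pkg:npm/leftpad@0.0.1"]},
    {"ref": "pkg:pypi/requests@2.32.3", "dependsOn": []},
    {"ref": "pkg:npm/leftpad@0.0.1", "dependsOn": []}
  ]
}
"""


def _tool_names(metadata):
    """Tool names under metadata.tools; accepts the 1.5 object and 1.4 list shapes."""
    tools = metadata.get("tools") or []
    entries = tools.get("components", []) if isinstance(tools, dict) else tools
    return [t.get("name") for t in entries if t.get("name")]


def check_document_elements(sbom):
    """Document-level elements: timestamp, SBOM author, tool name, generation context."""
    md = sbom.get("metadata") or {}
    findings = []
    if not md.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (md.get("authors") or md.get("author")):
        findings.append("metadata: missing SBOM author")
    if not _tool_names(md):
        findings.append("metadata: missing tool name")
    if not md.get("lifecycles"):
        findings.append("metadata: missing generation context (lifecycles)")
    return findings


def check_component_elements(comp):
    """Per-component elements: name, version, supplier, unique id, hash, license."""
    label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
    findings = []
    for field in ("name", "version"):
        if not comp.get(field):
            findings.append(f"{label}: missing {field}")
    if not (comp.get("supplier") or {}).get("name"):
        findings.append(f"{label}: missing supplier name")
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
    if not any(h.get("alg") and h.get("content") for h in comp.get("hashes") or []):
        findings.append(f"{label}: missing component hash")
    if not any(lic.get("expression") or (lic.get("license") or {}).get("id")
               or (lic.get("license") or {}).get("name") for lic in comp.get("licenses") or []):
        findings.append(f"{label}: missing license")
    return findings


def check_dependencies(sbom):
    """Dependency relationships must exist, cover every component and point at known refs."""
    refs = {c.get("bom-ref") for c in sbom.get("components") or [] if c.get("bom-ref")}
    root = ((sbom.get("metadata") or {}).get("component") or {}).get("bom-ref")
    if root:
        refs.add(root)
    deps = sbom.get("dependencies") or []
    if not deps:
        return ["dependencies: missing dependency relationships"]
    findings = [f"dependencies: no entry for {r}" for r in sorted(refs - {d.get("ref") for d in deps})]
    for d in deps:
        findings += [f"dependencies: {d.get('ref')} depends on unknown ref {t}"
                     for t in d.get("dependsOn") or [] if t not in refs]
    return findings


def check_minimum_elements(sbom):
    """Return every missing-element finding for the document; empty list means compliant."""
    findings = check_document_elements(sbom)
    for comp in sbom.get("components") or []:
        findings += check_component_elements(comp)
    return findings + check_dependencies(sbom)


def check_sample():
    return check_minimum_elements(json.loads(SAMPLE_SBOM_JSON))


if __name__ == "__main__":
    for line in check_sample():
        print(line)
```

Run against the sample, the checker flags only the "leftpad" component (no supplier, no hash, no license), which is the kind of gap a purchaser would push back to a supplier on before accepting the SBOM. SPDX documents use different field names, so a production checker would carry a second mapping for that format.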