Disclaimer: This blog offers general information and should not be considered legal advice. Consult your own legal counsel for specific advice.<\/i><\/p>\n
As Cybersecurity Awareness Month comes to a close, the conversation around cyber law persists. The global landscape of cyber regulations continues to grow rapidly as governments around the world acknowledge the need for robust cybersecurity measures to protect national security, public safety, and individual privacy. Recent key regulations include:<\/p>\n
This blog contains a comprehensive list of over 30 recent global cyber regulations and guidelines, including effective date and the applicable entities and sectors. More regulations are expected from state regulators, government agencies and industry bodies in the coming months.<\/p>\n
Even if an organization isn’t a government agency, a public company, or in a regulated industry, it may still be affected by these rules due to \u201csupply chain flow-down.\u201d A company not categorized as a \u201ccritical infrastructure\u201d under the regulations can impact a critical infrastructure customer’s compliance with its reporting obligations in case of a cyber breach. Similarly, manufacturers of IoT device components or data analytics providers can also find themselves subject to these regulations through their customer relationships.<\/p>\n
If an organization has a customer (or a customer of a customer) that is a government agency, a critical infrastructure or in the regulated industry, these rules would apply to some extent.<\/p>\n
We summarized the general themes of these cyber rules below to help an organization stay ahead of the curve:<\/p>\n
Theme #1: Prescriptive Must-Haves<\/u><\/p>\n
Rather than leaving it to organizations to adopt best practices, many regulators now specify a list of must-haves. For example:<\/p>\n
Theme #2: Enforcement \u201cteeth\u201d<\/u><\/p>\n
To address inconsistent supervision and enforcement across different governments and agencies, NIS2 Directive requires each member state to mandate a penalty up to 2% of global annual revenue or EUR 10 million. NIS2 further provides a minimum list of supervisory means, including \u201cregular and targeted audits, on-site and off-site checks, request of information, and access to documents or evidence.\u201d<\/p>\n
Penalties for non-compliance include not only sanctions for the organization, but also civil and criminal liabilities against supervising executives. The recent SEC charge against Solarwinds\u2019 CISO<\/a>, the FTC order against the former Drizly CEO<\/a> and the DOJ\u2019s criminal conviction against the former Uber Chief Security Officer<\/a> served as fresh reminders of personal accountability. <\/p>\n Theme #3: Faster and Broader Incident Reporting<\/u><\/p>\n Many countries already have laws that require reporting of personal data breaches. Recent rules expand such requirements beyond personal data to business data, such as access credentials, material business information and IoT devices.<\/p>\n Another new development is the faster and multi-stage reporting. Under the NIS2 Directive, affected companies have 24 hours to submit an early warning to competent national authority. The early warning should be followed by an incident notification within the 72 hours of becoming aware of the incident and a final report no later than one month later. The U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), similarly, requires a critical infrastructure to report to CISA covered cyber incidents within 72 hours of reasonable belief that the incident occurred. If the incident involves a ransom payment, the reporting time would be shortened to 24 hours.<\/p>\n Theme #4: Unified Certification, Attestation, etc.<\/u><\/p>\n The regulations aim to promote a unified certification approach to ensure consistent and standardized security measures across the critical infrastructure supply chain.<\/p>\n One effort in this regard is the U.S. Department of Defense (DoD)\u2019s CMMC 2.0 update. CMMC means the Cybersecurity Maturity Model Certification (CMMC 2.0) that applies to sensitive unclassified information shared by the DoD with its contractors and subcontractors. NIS2 Directive, similarly, recommends its member states to require essential and important entities to procure products and services certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019\/881.<\/p>\n For more details around these recent developments, check out the recording of our Webinar \u201cQuick Guide to Global Cyber Laws: Be Informed; Not Overwhelmed\u201d here<\/a>.<\/p>\n In our next blog, we will provide detailed recommendations around the strategies for complying with these cyber regulations. For now, consider these best practices:<\/p>\n United States<\/u><\/p>\n\n
List of Recent Global Cyber Regulations and Guidelines<\/h3>\n