On 26 November 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), together with the UK’s National Cyber Security Centre (NCSC), published joint ‘Guidelines for Secure AI System Development’ (the Guidelines).

The Guidelines were formulated by CISA and the NCSC, in cooperation with 21 other international agencies and ministries, as well as industry experts.Continue Reading UK & US cybersecurity agencies release new ‘Guidelines for Secure AI System Development’

On 3 October 2023, the UK Information Commissioner’s Office organised its annual Data Protection Practioner’s Conference 2023 (DPPC 2023). This year its focus was on Cybersecurity – a topic that concerns organisations across the board. Here are the takeaways from the DPPC 2023 (the event sessions available here).Continue Reading The UK Information Commissioner’s Data Protection Practioner’s Conference 2023 on Cybersecurity

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted new rules specifying enhanced disclosure regarding cybersecurity risk management, strategy governance, and incident disclosure. The SEC first proposed new cybersecurity rules back in March 2022. The agency’s comments to the final rule suggest greater disclosure and improved consistency of disclosures will benefit investors. Several of the key aspects of the final rules are outlined below, and ultimately will probably be navigable for organizations with meaningful incident response and evaluation experience as well as robust risk management programs which already include and evaluate cybersecurity.Continue Reading SEC Issues Final Cybersecurity Rules Enhancing and Modifying Disclosure Requirements: Companies will want to Measure Twice and Cut Once

Please click here to access the source post from our Global Regulatory Enforcement Law Blog.

In this blog, the authors delve into a significant decision by the German Federal Cartel Office (FCO) four years ago, accusing a major technology company of abusive behavior due to alleged violations of the General Data Protection Regulation (GDPR). Recently

The Information Commissioner’s Office (ICO) has published a report on reprimands issued in the second quarter of the year, from April to June 2023. The recent reprimands by ICO shed light on areas of data protection where organizations across the public and private sectors have fallen foul of the UK GDPR and are instructive as to how organisations can improve their practices. Our blog focuses on three key lessons gleaned from these reprimands.Continue Reading Three lessons from ICO’s quarterly enforcement report

The UK Department for Culture, Media and Sport published draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Draft Security Regulations). These regulations fall under the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) which come into effect on 29 April 2024 and which you can read about in our earlier blog. Part 1 of the PSTIA establishes a regulatory framework that imposes security requirements on manufacturers, importers, and distributors of these products. The Draft Security Regulations outline the specific security requirements for manufacturers.Continue Reading Navigating the Path to Compliance: Takeaways from the New Draft Security Regulations for Connected Devices

On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released a report Multilayer Framework for Good Cybersecurity Practices for AI (“Framework”) in response to the evolving landscape of artificial intelligence (AI) and the associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire lifecycle of AI, ranging from conceptualization to decommissioning. This blog summarises the main features of the Framework.Continue Reading ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems

On 19 June 2023, the Information Commissioner’s Office (ICO) has released new Guidance on Privacy-Enhancing Technologies (PETs) for Data Protection Compliance. This guidance is designed to assist data protection officers (DPOs) and individuals responsible for managing large-scale personal data sets across diverse sectors, including finance, healthcare and research.Continue Reading Guidance on Privacy-Enhancing Technologies for Data Protection Compliance: Key Considerations for Organizations

The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing

In the June edition of IAPP’s Privacy Advisor, Divonne Smoyer and Roger Gibboni talk to Indiana State Attorney General Todd Rokita on the possibility of Congress passing a federal privacy law, Indiana’s different approaches to data privacy and protection, and its recent announcement that the state was joining Washington, Texas, and D.C. in an