Disclaimer: This blog offers general information and should not be considered legal advice. Consult your own legal counsel for specific advice.

As Cybersecurity Awareness Month comes to a close, the conversation around cyber law persists. The global landscape of cyber regulations continues to grow rapidly as governments around the world acknowledge the need for robust cybersecurity measures to protect national security, public safety, and individual privacy. Recent key regulations include:

  • Starting December 2023, the U.S. SEC Cybersecurity Disclosure Rules require public companies to report material cybersecurity incidents within four business days via 8-K filings. These rules also require disclosure of cybersecurity risk management processes in 10-K and other periodic reports.
  • The EU NIS2 Directive compels all EU member states to implement laws by October 18, 2024 to protect essential and important organizations from cyber threats and achieve a high level of common security across the EU.

This blog contains a comprehensive list of over 30 recent global cyber regulations and guidelines, including effective date and the applicable entities and sectors. More regulations are expected from state regulators, government agencies and industry bodies in the coming months.

Why Do All Organizations Need to Know These Rules?

Even if an organization isn’t a government agency, a public company, or in a regulated industry, it may still be affected by these rules due to “supply chain flow-down.” A company not itself categorized as “critical infrastructure” under the regulations can still affect a critical infrastructure customer’s ability to meet its reporting obligations in the event of a cyber breach. Similarly, manufacturers of IoT device components or data analytics providers can find themselves subject to these regulations through their customer relationships.

If an organization has a customer (or a customer of a customer) that is a government agency, a critical infrastructure operator, or in a regulated industry, these rules will apply to it to some extent.

Be Informed, Not Overwhelmed

We summarized the general themes of these cyber rules below to help an organization stay ahead of the curve:

Theme #1: Prescriptive Must-Haves

Rather than leaving it to organizations to adopt best practices, many regulators now specify a list of must-haves. For example:

  • The U.S. FTC Safeguards Rule, effective June 2023, specified 9 elements of a “reasonable information security program” for all covered financial institutions.
  • The New York Attorney General, in April 2023, highlighted findings from recent investigations and offered guidance in 9 specified areas.
  • EU NIS2, similarly, highlighted 10 minimum standards for its 27 member states to implement in their national laws by October 18, 2024.

Theme #2: Enforcement “teeth”

To address inconsistent supervision and enforcement across different governments and agencies, the NIS2 Directive requires each member state to provide for penalties of up to 2% of global annual revenue or EUR 10 million. NIS2 further provides a minimum list of supervisory means, including “regular and targeted audits, on-site and off-site checks, request of information, and access to documents or evidence.”

Penalties for non-compliance include not only sanctions against the organization, but also civil and criminal liability for the executives responsible. The recent SEC charge against SolarWinds’ CISO, the FTC order against the former Drizly CEO and the DOJ’s criminal conviction of the former Uber Chief Security Officer serve as fresh reminders of personal accountability.

Theme #3: Faster and Broader Incident Reporting

Many countries already have laws that require reporting of personal data breaches. Recent rules expand such requirements beyond personal data to business data, such as access credentials, material business information and IoT devices.

Another new development is faster, multi-stage reporting. Under the NIS2 Directive, affected companies have 24 hours to submit an early warning to the competent national authority. The early warning must be followed by an incident notification within 72 hours of becoming aware of the incident and a final report no later than one month later. The U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), similarly, requires covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours of forming a reasonable belief that the incident occurred. If the incident involves a ransom payment, the reporting window is shortened to 24 hours.

Theme #4: Unified Certification, Attestation, etc.

The regulations aim to promote a unified certification approach to ensure consistent and standardized security measures across the critical infrastructure supply chain.

One effort in this regard is the U.S. Department of Defense (DoD)’s CMMC 2.0 update. CMMC, the Cybersecurity Maturity Model Certification, applies to sensitive unclassified information shared by the DoD with its contractors and subcontractors. The NIS2 Directive, similarly, recommends that its member states require essential and important entities to procure products and services certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881.

For more details on these recent developments, check out the recording of our webinar “Quick Guide to Global Cyber Laws: Be Informed; Not Overwhelmed.”

In our next blog, we will provide detailed recommendations around the strategies for complying with these cyber regulations. For now, consider these best practices:

  • Know your regulators and rules
  • Document InfoSec policies and practices consistent with the rules
  • Know where your data is
  • Practice cybersecurity hygiene
  • Elevate cybersecurity discussions to the Board of Directors and the C-Suite
  • Evaluate government certification and assessment requirements

List of Recent Global Cyber Regulations and Guidelines

United States

Other Countries

Infoblox Original
