{{Short description|Information assurance (IA) requirements overview}}
A '''cybersecurity regulation''' comprises directives that safeguard [[information technology]] and [[computer systems]] with the purpose of forcing companies and organizations to protect their systems and information from [[cyberattack]]s like [[computer virus|viruses]], [[computer worm|worms]], [[computer trojan|Trojan horses]], [[phishing]], [[DoS attack|denial of service (DOS) attacks]], [[data breach|unauthorized access (stealing intellectual property or confidential information)]] and [[resilient control systems|control system attacks]].{{ref|howstuffworks}} While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.<ref name=":11">{{cite journal |last1=Kianpour |first1=Mazaher |last2=Raza |first2=Shahid |date=2024 |title= More than malware: unmasking the hidden risk of cybersecurity regulations|journal= International Cybersecurity Law Review |volume= 5 |pages=169–212 |doi= 10.1365/s43439-024-00111-7|doi-access=free |hdl=11250/3116767 |hdl-access=free }}</ref>
There are numerous measures available to prevent [[Cyberattack|cyberattacks]]. [[Cybersecurity]] measures include [[firewall (networking)|firewall]]s, [[anti-virus software]], [[intrusion detection]] and [[intrusion prevention|prevention]] systems, [[encryption]], and login [[password]]s.{{ref|gordon}} There have been attempts to improve cybersecurity through regulation and collaborative efforts between the [[government]] and the private sector to encourage voluntary improvements to cybersecurity.<ref name=":11"/><ref name=":3" /><ref name=":4" /> Industry regulators, including [[bank regulation|banking regulators]], have taken notice of the risk from cybersecurity and have either begun or planned to begin to include cybersecurity as an aspect of regulatory examinations.<ref name=":3">{{cite web |url= http://www.pwc.com/en_US/us/financial-services/regulatory-services/publications/assets/cyberrisk.pdf |title= Cyber: Think risk, not IT |website= pwc.com |publisher= PwC Financial Services Regulatory Practice, April, 2015}}</ref>
Recent research suggests there is also a lack of cyber-security regulation and enforcement in maritime businesses, including the digital connectivity between ships and ports.<ref>{{Cite journal |last=Hopcraft |first=Rory |date=2018 |title=Effective maritime cybersecurity regulation - the case for a cyber code |journal=Journal of Indian Ocean Region |volume=14 |issue=3 |pages=354–366|doi=10.1080/19480881.2018.1519056 |s2cid=158311827 }}</ref>
==Background==
In 2011 the [[United States Department of Defense]] (DoD) released a guidance document called the ''[[U.S. Department of Defense Strategy for Operating in Cyberspace|Department of Defense Strategy for Operating in Cyberspace]]'' which articulated five goals: to treat cyberspace as an operational domain, to employ new defensive concepts to protect DoD networks and systems, to partner with other agencies and the private sector in pursuit of a "whole-of-government cybersecurity Strategy", to work with international allies in support of collective cybersecurity and to support the development of a cyber workforce capable of rapid technological innovation.<ref name=":4">{{Cite web|url=https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf|title=DOD-Strategy-for-Operating-in-Cyberspace}}</ref> A March 2011 [[United States Government Accountability Office|Government Accountability Office]] (GAO) report "identified protecting the federal government's information systems and the nation's cyber critical infrastructure as a governmentwide high-risk area" noting that federal [[information security]] had been designated a high-risk area since 1997.<ref>{{Cite web |date=March 16, 2011 |title=Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems |url=https://www.gao.gov/products/gao-11-463t |access-date=January 1, 2026 |website=U.S. Government Accountability Office}}</ref> As of 2003, systems protecting critical infrastructure, an area called cyber critical infrastructure protection or cyber CIP, have also been included.<ref>{{Cite conference| publisher = Social Science Research Network| last1 = Schooner| first1 = Steven L.| last2 = Berteau| first2 = David J.| title = Emerging Policy and Practice Issues (2011)| location = Rochester, NY| date = 2012-03-01| ssrn = 2014385}}</ref>
In November 2013, the DoD put forward the new cybersecurity rule (78 Fed. Reg. 69373), which imposed certain requirements on contractors: compliance with certain [[National Institute of Standards and Technology]] (NIST) IT standards, mandatory reporting of cybersecurity incidents to the DoD, and a "flow-down" clause that applies the same requirements to subcontractors.<ref name=schooner2014>{{Cite journal| last1 = Schooner| first1 = Steven| last2 = Berteau| first2 = David| title = Emerging Policy and Practice Issues| journal = GW Law Faculty Publications & Other Works| url=https://scholarship.law.gwu.edu/faculty_publications/1056/ |date = 2014-01-01}}</ref>
A June 2013 Congressional report found there were over 50 statutes relevant to cybersecurity compliance. The [[Federal Information Security Management Act of 2002]] (FISMA) is one of the key statutes governing federal cybersecurity regulations.<ref name=schooner2014 />
==United States==
===Federal government===
There are few federal cybersecurity regulations and the ones that exist focus on specific industries. The three main cybersecurity regulations are the 1996 [[Health Insurance Portability and Accountability Act]] (HIPAA), the 1999 [[Gramm-Leach-Bliley Act]], and the 2002 [[Homeland Security Act]], which included the [[Federal Information Security Management Act]] (FISMA). The three regulations mandate that healthcare organizations, financial institutions, and federal agencies should protect their systems and information.{{ref|heiman}} For example, FISMA, which applies to every government agency, "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security." However, the regulations do not address numerous computer-related industries, such as [[Internet service provider]]s (ISPs) and software companies.{{ref|lemos}} Furthermore, the regulations do not specify what cybersecurity measures must be implemented and require only a "reasonable" level of security. The vague language of these regulations leaves much room for interpretation. [[Bruce Schneier]], the founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless the government forces them to do so.{{ref|kirby}} He also states that successful cyberattacks on government systems still occur despite government efforts.{{ref|lemos}}
It has been suggested that the [[Data Quality Act]] already provides the [[Office of Management and Budget]] the statutory authority to implement [[critical infrastructure protection]] regulations by the [[Administrative Procedure Act (United States)|Administrative Procedure Act]] rulemaking process. The idea has not been fully vetted and would require additional legal analysis before a [[rulemaking]] could begin.<ref>{{cite web|title=Do Agencies Already Have the Authority to Issue Critical Infrastructure Protection Regulations?|url=http://www.circleid.com/posts/20120820_agencies_authority_to_issue_critical_infrastructure_protection/|access-date=27 December 2016}}</ref>
===State governments===
State governments have attempted to improve cybersecurity by increasing public visibility of firms with weak security. In 2003, [[California]] passed the Notice of [[Security breach|Security Breach]] Act, which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. Personal information includes name, [[social security number]], driver's license number, [[Payment card number|credit card number]] or financial information.{{ref|privacy}} Several other states have followed California's example and passed similar security breach notification regulations.{{ref|privacyrights}} Such security breach notification regulations punish firms for their cybersecurity failures while giving them the freedom to choose how to secure their systems. Also, the regulation creates an incentive for companies to voluntarily invest in cybersecurity to avoid the potential loss of reputation and the resulting economic loss that can come from a successful cyber attack.<ref name=":5" />
In 2004, the [[California State Legislature]] passed California Assembly Bill 1950, which also applies to businesses that own or maintain personal information for California residents. The regulation requires businesses to maintain a reasonable level of security and extends the required security practices to their business partners.{{ref|rasmussen}} The regulation is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cybersecurity. However, like the federal legislation, it requires a "reasonable" level of cybersecurity, which leaves much room for interpretation until case law is established.{{ref|rasmussen}}
===Proposed regulation===
The [[US Congress]] has proposed numerous bills that expand upon cybersecurity regulation. The [[Consumer Data Security and Notification Act]] amends the [[Gramm-Leach-Bliley Act]] to require disclosure of security breaches by financial institutions. Congressmen have also proposed "expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card."{{ref|schmitt}} Congress has proposed cybersecurity regulations similar to California's Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers "ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals."{{ref|epic}}
In addition to requiring companies to improve cybersecurity, Congress is also considering bills that criminalize cyberattacks. The Securely Protect Yourself Against Cyber Trespass Act ([[SPY ACT]]) was a bill of this type. It was a phishing and [[spyware]] bill that passed the [[US House of Representatives]] on May 23, 2005, but died in the [[US Senate]].<ref name=":5">{{cite web|url=https://www.govtrack.us/congress/bills/109/hr29|title=Securely Protect Yourself Against Cyber Trespass Act (2005; 109th Congress H.R. 29) – GovTrack.us|work=GovTrack.us}}</ref> The bill "makes unlawful the unauthorized usage of a computer to take control of it, modify its setting, collect or induce the owner to disclose [[personally identifiable information]], install unsolicited software, and tamper with security, anti-spyware, or [[anti-virus software]]."{{ref|epic}}
On May 12, 2011, US president [[Barack Obama]] proposed a package of [https://obamawhitehouse.archives.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal cybersecurity legislative reforms] to improve the security of US persons, the federal government, and critical infrastructure. A year of public debate and Congress hearings followed, resulting in the House of Representative passing an [https://techcrunch.com/2012/04/26/u-s-house-passes-cispa-248-to-168/%20 information sharing bill] and the Senate developing a [http://www.upi.com/Top_News/US/2012/07/26/Cybersecurity-bill-wins-key-Senate-vote/UPI-57801343345113/ compromise bill] seeking to balance national security, privacy, and business interests.
In July 2012, the Cybersecurity Act of 2012 was proposed by Senators [[Joseph Lieberman]] and [[Susan Collins (politician)|Susan Collins]].{{ref|Rizzo}} The bill would have required creating voluntary "[[best practice]] standards" for protection of key infrastructure from cyber attacks, which businesses would be encouraged to adopt through incentives such as liability protection.{{ref|Rosenzweig}} The bill was put to a vote in the Senate but failed to pass.{{ref|OKeefe}} Obama had voiced his support for the Act in a ''Wall Street Journal'' op-ed,{{ref|Fitzpatrick}} and it also received support from officials in the military and national security including [[John O. Brennan]], the chief counterterrorism adviser to the White House.{{ref|OKeefe}}{{ref|Rizzo}} According to ''The Washington Post'', experts said that the failure to pass the act may leave the United States "vulnerable to widespread hacking or a serious cyberattack."{{ref|OKeefe}} The act was opposed by Republican senators like [[John McCain]], who was concerned that the act would introduce regulations that would not be effective and could be a "burden" for businesses.{{ref|Sasso}} After the Senate vote, Republican Senator [[Kay Bailey Hutchison]] stated that the opposition to the bill was not a partisan issue but that the bill did not take the right approach to cybersecurity.{{ref|Vijayan}} The Senate vote was not strictly along partisan lines, as six Democrats voted against it, and five Republicans voted for it.{{ref|Franzen}} Critics of the bill included the [[US Chamber of Commerce]],{{ref|Fitzpatrick2}} advocacy groups like the [[American Civil Liberties Union]] and the [[Electronic Frontier Foundation]],{{ref|Franzen}} and cybersecurity expert Jody Westby and [[The Heritage Foundation]], both of whom argued that although the government must act on cybersecurity, the bill was flawed in its approach and represented "too intrusive a federal role."{{ref|Rosenzweig}}
In February 2013, Obama proposed the Executive Order Improving Critical Infrastructure Cybersecurity. It represents the latest iteration of policy but is not considered to be law as it has not been addressed by Congress yet. It seeks to improve existing public-private partnerships by enhancing timeliness of information flow between DHS and critical infrastructure companies. It directs federal agencies to share cyber threat intelligence warnings to any private sector entity identified as a target. It also tasks DHS with improving the process to expedite security clearance processes for applicable public and private sector entities to enable the federal government to share this information at the appropriate sensitive and classified levels. It directs the development of a framework to reduce cyber risks, incorporating current industry best practices and voluntary standards. Lastly, it tasks the federal agencies involved with incorporating privacy and civil liberties protections in line with Fair Information Practice Principles.<ref>{{cite web|url=https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity|via=[[NARA|National Archives]]|work=[[whitehouse.gov]]|title=Executive Order – Improving Critical Infrastructure Cybersecurity|date=12 February 2013}}</ref>
In January 2015, Obama announced a new cybersecurity legislative proposal. The proposal was made in an effort to prepare the US against the expanding number of cyber crimes. In the proposal, Obama outlined three main efforts to work towards a more secure cyberspace for the US. The first main effort emphasized the importance of enabling cybersecurity information sharing. To that end, the proposal encouraged information sharing between the government and the private sector. That would allow the government to know what main cyber threats private firms are facing and would then allow the government to provide liability protection to those firms that shared their information. Furthermore, that would give the government a better idea of what the US needs to be protected against. Another main effort emphasized in this proposal was to modernize the law enforcement authorities to make them better equipped to deal with cyber crimes by giving them the tools they need in order to do so. It would also update classifications of cyber crimes and their consequences. One way this would be done would be by making the overseas sale of financial information a crime. Another goal of the effort is to make cyber crimes prosecutable. The last major effort of the legislative proposal was to require businesses to report data breaches to consumers if their personal information had been compromised. By requiring companies to do so, consumers are made aware of when they are in danger of identity theft.<ref>{{Cite news|url=https://obamawhitehouse.archives.gov/the-press-office/2015/01/13/securing-cyberspace-president-obama-announces-new-cybersecurity-legislat|title=SECURING CYBERSPACE – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts|date=2015-01-13|access-date=2017-08-06|via=[[NARA|National Archives]]|work=[[whitehouse.gov]]|language=en}}</ref>
In February 2016, Obama developed a Cybersecurity National Security Action Plan (CNAP). The plan was made to create long-term actions and strategies in an effort to protect the US against cyber threats. The focus of the plan was to inform the public about the growing threat of cyber crimes, improve cybersecurity protections, protect the personal information of Americans, and inform Americans on how to control their digital security. One of the highlights of this plan is the creation of a "Commission on Enhancing National Cybersecurity." The goal is to create a Commission consisting of a diverse group of thinkers whose perspectives can contribute to recommendations on how to create stronger cybersecurity for the public and private sectors. The second highlight of the plan is to change Government IT so that a more secure IT can be put in place. The third highlight of the plan is to give Americans knowledge on how they can secure their online accounts and avoid theft of their personal information through [[multi-factor authentication]]. The fourth highlight of the plan is to invest 35% more money in cybersecurity than was invested in 2016.<ref>{{Cite news|url=https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan|title=FACT SHEET: Cybersecurity National Action Plan|date=2016-02-09|access-date=2017-08-06|via=[[NARA|National Archives]]|work=[[whitehouse.gov]]|language=en}}</ref>
=== Recent federal and sectoral developments (2023-2025) ===
In July 2023, the [[United States Securities and Exchange Commission|SEC]] adopted rules that require public companies to report “material” cybersecurity incidents on Form 8-K and to describe risk management and governance practices in periodic reports; the incident disclosure is due four business days after a registrant determines materiality. Most registrants began complying in December 2023.<ref>{{cite web |date=26 July 2023|title=SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure|url=https://www.sec.gov/newsroom/press-releases/2023-139|access-date=25 October 2025|publisher=U.S. Securities and Exchange Commission}}</ref><ref>{{cite web |date=26 July 2023|title=Public Company Cybersecurity Disclosures, Final Rules (Fact Sheet)|url=https://www.sec.gov/files/33-11216-fact-sheet.pdf|access-date=25 October 2025|publisher=U.S. Securities and Exchange Commission}}</ref>
At the state level, the New York Department of Financial Services amended its cybersecurity regulation (23 NYCRR Part 500) with a second set of changes that became effective on 1 November 2023. The amendments expand requirements for governance and incident handling, and introduce heightened obligations for larger “Class A” firms.<ref>{{cite web |date=1 November 2023|title=Cybersecurity Resource Center|url=https://www.dfs.ny.gov/industry_guidance/cybersecurity|access-date=25 October 2025|publisher=New York State Department of Financial Services}}</ref>
The [[Federal Trade Commission]] amended the Safeguards Rule to add a breach-notification obligation for certain non-bank financial institutions. The requirement is now in effect and calls for notification to the FTC as soon as practicable and no later than 30 days after discovery when an incident involves the information of at least 500 consumers.<ref>{{cite press release |title=FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches|date=27 October 2023|publisher=Federal Trade Commission|url=https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches|access-date=25 October 2025}}</ref><ref>{{cite web |date=14 May 2024|title=Safeguards Rule notification requirement now in effect|url=https://www.ftc.gov/business-guidance/blog/2024/05/safeguards-rule-notification-requirement-now-effect|access-date=25 October 2025|website=FTC Business Blog}}</ref>
In health care, the [[Health Insurance Portability and Accountability Act|HIPAA]] Security Rule has been the subject of a modernization proposal. The U.S. Department of Health and Human Services released a [[notice of proposed rulemaking]] in late 2024 with publication in the [[Federal Register]] on 6 January 2025, seeking updates to strengthen requirements for safeguarding electronic protected health information.<ref>{{cite web |date=27 December 2024|title=HIPAA Security Rule — NPRM Fact Sheet|url=https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html|access-date=25 October 2025|publisher=U.S. Department of Health and Human Services}}</ref><ref>{{cite web |date=6 January 2025|title=HIPAA Security Rule to Strengthen the Cybersecurity of ePHI (Proposed Rule)|url=https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information|access-date=25 October 2025|website=Federal Register}}</ref>
Following the 2021 Colonial Pipeline incident, the [[Transportation Security Administration]] issued and later revised pipeline cybersecurity Security Directives. A redacted version of SD Pipeline-2021-02E was posted in July 2024, and the agency maintains a page listing current security directives for pipelines and other modes.<ref>{{cite web |date=27 July 2024|title=Security Directive Pipeline-2021-02E (redacted)|url=https://www.tsa.gov/sites/default/files/tsa-security-directive-pipeline-2021-02e-and-memo-508c.pdf|access-date=25 October 2025|publisher=Transportation Security Administration}}</ref><ref>{{cite web |date=2024|title=Security Directives and Emergency Amendments|url=https://www.tsa.gov/sd-and-ea|access-date=25 October 2025|publisher=Transportation Security Administration}}</ref>
===Other government efforts===
In addition to regulation, the federal government has tried to improve cybersecurity by allocating more resources to research and collaborating with the private sector to write standards. In 2003, the President's [[National Strategy to Secure Cyberspace]] made the [[Department of Homeland Security]] (DHS) responsible for security recommendations and researching national solutions. The plan calls for cooperative efforts between government and industry "to create an emergency response system to cyber-attacks and to reduce the nation's vulnerability to such threats."{{ref|lemos}} In 2004, the US Congress allocated $4.7 billion toward cybersecurity and achieving many of the goals stated in the President's National Strategy to Secure Cyberspace.{{ref|heiman}} Some industry security experts state that the President's National Strategy to Secure Cyberspace is a good first step but is insufficient.{{ref|lemos}} The President's National Strategy states that the purpose is to provide a framework for the owners of computer systems to improve their security rather than the government taking over and solving the problem.{{ref|whitehouse}} However, companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the discovered security solutions.
In the United States, the [[US Congress]] is trying to make information more transparent after the Cyber Security Act of 2012, which would have created voluntary standards for protecting vital infrastructure, failed to pass through the Senate.<ref name="FT Cyber">{{cite news|url=http://www.ft.com/intl/cms/s/0/5adfe5cc-c938-11e2-9d2a-00144feab7de.html#axzz2W2Vy3xSG|title=Secrecy hampers battle for web|date=7 June 2013|access-date=12 June 2013|newspaper=Financial Times}}</ref> In February 2013, the [[White House]] issued an executive order, titled "Improving Critical Infrastructure Cybersecurity," which allows the [[Federal government of the United States#Executive branch|executive branch]] to share information about threats with more companies and individuals.<ref name="FT Cyber" /><ref>{{cite web|title=Executive Order – Improving Critical Infrastructure Cybersecurity|url=https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity|work=The White House|date=12 February 2013|publisher=Office of the Press Secretary|access-date=12 June 2013}}</ref> In April 2013, the House of Representatives passed the [[Cyber Intelligence Sharing and Protection Act]] (CISPA), which calls for protecting against lawsuits aimed at companies that disclose breach information.<ref name="FT Cyber" /> The [[Obama administration]] said that it might veto the bill.<ref name="FT Cyber" />
==India==
In the light of the 2015 hacking of the website of Antrix Corporation, the commercial arm of the [[Indian Space Agency]], and of the government's Digital India programme, a cyberlaw expert and advocate at the [[Supreme Court of India]], [[Pavan Duggal]], identified "a dedicated cyber security legislation as a key requirement for India. It is not sufficient to merely put cyber security as a part of the IT Act. We have to see cyber security not only from the sectoral perspective, but also from the national perspective."<ref>{{cite web|url=http://computer.financialexpress.com/magazine/dedicated-legislation-for-cyber-security-is-needed-pavan-duggal/13378/|title=Dedicated legislation for Cyber Security is needed: Pavan Duggal – Express Computer|date=31 August 2015|work=Express Computer}}</ref>
India's cyber-security framework is built primarily on the Information Technology Act, 2000 (IT Act) and its 2008 amendments, which give legal recognition to electronic records and digital signatures and create offenses for unauthorized access, data tampering and certain forms of online content. The Act also designates the Indian Computer Emergency Response Team (CERT-In) as the national agency for incident response under section 70B, with functions that include collecting and analyzing incident information, issuing advisories and coordinating technical response.<ref>{{cite web|title=The Information Technology Act, 2000|website=WIPO Lex|publisher=World Intellectual Property Organization|url=https://www.wipo.int/wipolex/en/legislation/details/23164|access-date=29 November 2025}}</ref><ref>{{cite web|title=Reforming Cyber Law: The IT Act’s Move Towards Decriminalization|website=AZB & Partners|date=19 May 2023|url=https://www.azbpartners.com/bank/reforming-cyber-law-the-it-acts-move-towards-decriminalization/|access-date=29 November 2025}}</ref>
Under the IT Act, a series of rules and notifications provide more detailed obligations. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 place due diligence requirements on “intermediaries” such as social media and messaging services, including provisions on content takedown and, for certain categories of content, traceability of the originator.<ref>{{cite web|title=The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021|url=https://prsindia.org/|website=PRS Legislative Research|publisher=PRS Legislative Research|access-date=29 November 2025}}</ref>
In April 2022, CERT-In issued binding directions under section 70B that require service providers, intermediaries, data centers, virtual asset service providers and virtual private network (VPN) providers to report specified cyber incidents to the agency within six hours of detection and to retain certain system logs for 180 days. The directions also call for maintaining accurate subscriber or customer information that can be furnished to authorities on request.<ref>{{cite web|title=Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents|url=https://www.cert-in.org.in/|website=Indian Computer Emergency Response Team (CERT-In)|publisher=Ministry of Electronics and Information Technology, Government of India|date=28 April 2022|access-date=29 November 2025}}</ref>
== China ==
China has developed a comprehensive framework of laws and regulations that govern cyber security, data and personal information. The core instruments are the Cybersecurity Law, which entered into force in 2017, the Data Security Law, effective in 2021, and the Personal Information Protection Law (PIPL), effective in November 2021. Together they regulate network operators, “critical information infrastructure operators”, the classification and protection of data, and the processing of personal information, with an explicit emphasis on national security and public interest.<ref name=":6">{{Cite web|title=Translation: Cybersecurity Law of the People’s Republic of China (Effective June 1, 2017)|url=http://newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/|website=New America|access-date=2025-11-29|language=en|first=Rogier|last=Creemers|first2=Paul|last2=Triolo|first3=Graham|last3=Webster}}</ref>
The Cybersecurity Law requires operators of critical information infrastructure to adopt technical and organizational security measures, undergo security reviews for certain network products and services, and, in many cases, store personal information and “important data” generated within mainland China on domestic servers unless a security assessment is passed for cross-border transfers.<ref name=":6" /> The Data Security Law introduces a layered system for classifying and protecting data, including the concept of “important data”, and links data handling obligations to potential risks for national security, the public interest and individual rights.<ref name=":6" />
The Personal Information Protection Law sets out principles for lawful, fair and transparent processing of personal information, defines the rights of individuals over their data, and establishes duties for personal information handlers that are similar to those imposed on data controllers in other jurisdictions. It has extraterritorial effect in certain situations where organizations outside China handle the personal information of individuals in China for providing products or services or for analyzing their behavior, and it imposes additional requirements such as security assessments, standard contracts or certification for transferring personal information abroad.<ref>{{Cite news|title=Personal Information Protection Law|url=https://www.chinalawtranslate.com/en/Personal-Information-Protection-Law/|work=China Law Translate|date=2021-08-20|access-date=2025-11-29|archive-url=http://web.archive.org/web/20250818191430/https://www.chinalawtranslate.com/en/Personal-Information-Protection-Law/|archive-date=2025-08-18|language=en-US|first=China Law|last=Translate}}</ref>
Detailed rules issued by the Cyberspace Administration of China, including the Measures for Security Assessment of Cross Border Data Transfers that took effect in 2022, further specify when data exporters must apply for an official security assessment, for example when exporting important data or large volumes of personal information. Business groups and legal commentators have highlighted the compliance burden and uncertainty created by overlapping definitions and approval procedures, especially for multinational companies that need to move operational or research data out of China.<ref>{{Cite web|title=CAC Issues Guidelines For Data Export Security Assessment|url=https://www.mondaq.com/china/security/1230658/cac-issues-guidelines-for-data-export-security-assessment|website=www.mondaq.com|access-date=2025-11-29|language=en}}</ref><ref>{{cite web|title=BSA Comments in Response to the Office of the U.S. Trade Representative’s Request for Comments on the 2022 Special 301 Review|url=https://downloads.regulations.gov/USTR-2022-0016-0039/attachment_1.pdf|website=Regulations.gov|publisher=BSA {{!}} The Software Alliance|date=2022|format=PDF|access-date=29 November 2025}}</ref><ref>{{cite web|title=BSA Submission for the 2025 National Trade Estimate Report on Foreign Trade Barriers|url=https://www.bsa.org/files/policy-filings/10172024bsa2025ntesubmission.pdf|website=BSA.org|publisher=BSA {{!}} The Software Alliance|date=17 October 2024|format=PDF|access-date=29 November 2025}}</ref>
These data transfer rules have also affected international scientific cooperation. In 2025 several major European public research funders announced pauses or changes to co-funded programs with Chinese partners, citing concerns that China’s data protection regime, particularly under the Data Security Law, makes it difficult to share research data across borders while remaining compliant.<ref>{{Cite news|title=China’s data protection rules prompt pause from major European research funders|url=https://www.reuters.com/sustainability/society-equity/chinas-data-protection-rules-prompt-pause-major-european-research-funders-2025-04-25/|work=Reuters|access-date=2025-11-29|archive-url=http://web.archive.org/web/20250425073109/https://www.reuters.com/sustainability/society-equity/chinas-data-protection-rules-prompt-pause-major-european-research-funders-2025-04-25/|archive-date=2025-04-25|language=en-US}}</ref>
==European Union==
Cybersecurity standards have become prominent because businesses now run most of their operations over the internet, and networked operations carry risks that regulators have sought to address through comprehensive rules. Existing cybersecurity regulations cover different aspects of business operations and vary by the region or country in which a business operates; because countries differ in society, infrastructure and values, a single overarching cybersecurity standard is not optimal for reducing risk. While US standards provide a basis for operations, the [[European Union]] has created regulation tailored to businesses operating within the EU. In light of [[Brexit]], it is also relevant how the [[United Kingdom|UK]] has chosen to adhere to such regulation.
Three major pillars of EU cybersecurity law are the Cybersecurity Act (which defines the mandate of ENISA), the NIS Directive (since replaced by the NIS 2 Directive) and the GDPR. They form part of the [[Digital Single Market]] strategy.
Regarding standards, the Cybersecurity Act / ENISA Regulation does not refer directly to standards. Nevertheless, ENISA recognises on its website that "EU’s cybersecurity strategy underscores support for greater standardisation via the European standardisation organisations (CEN, CENELEC and ETSI) as well as ISO.<ref>{{cite web |url=https://www.enisa.europa.eu/topics/standards |website=ENISA website |title=Standards |date=4 April 2024 }}</ref>"
ISO/IEC standards, as well as European Standards from CEN, CENELEC and ETSI, can be used on a voluntary basis to support the requirements of EU legislation. An updated list of ISO/IEC and CEN/CENELEC standards on the topic of cybersecurity is available from the free, publicly accessible website Genorma.com.<ref>{{cite web |title=List of Cybersecurity Standards |url=https://genorma.com/en/topic/show/135 |website=GENORMA.COM}}</ref>
===ENISA===
The [[European Union Agency for Cybersecurity]] (ENISA) was originally set up by Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 to raise the level of network and information security (NIS) across the EU. Regulation (EU) No 526/2013<ref>{{Cite web|url=http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:JOL_2013_165_R_0041_01&qid=1397226946093&from=EN|title=L_2013165EN.01004101.xml|website=eur-lex.europa.eu|access-date=2017-03-08}}</ref> replaced the original regulation in 2013; ENISA's current, permanent mandate derives from the Cybersecurity Act, Regulation (EU) 2019/881. ENISA works with all EU member states to provide a range of services, focused on three areas:
* recommendations to member states on the course of action for security breaches;
* policy-making and implementation support for all member states of the EU;
* direct, hands-on support for operational teams in the EU.<ref>{{Cite web|url=https://www.enisa.europa.eu/about-enisa|title=About ENISA — ENISA|website=www.enisa.europa.eu|language=en|access-date=2017-03-08}}</ref>
ENISA is made up of a management board supported by the executive director and the Permanent Stakeholders Group. Most operations, however, are run by the heads of its various departments.<ref>{{Cite web|url=https://www.enisa.europa.eu/about-enisa/structure-organization|title=Structure and Organisation — ENISA|website=www.enisa.europa.eu|language=en|access-date=2017-03-08}}</ref>
ENISA has released various publications that cover all major issues on cybersecurity. ENISA's past and current initiatives include the EU Cloud Strategy, Open Standards in Information Communications Technology, a Cyber Security Strategy of the EU and a Cyber Security Coordination Group. ENISA also works in collaboration with existing international standard organizations like the [[ISO]] and the [[ITU]].<ref>{{Cite book |last=Purser|first=Steve|editor-last=Hathaway |editor-first=Melissa E.|year=2014|chapter=Standards for Cyber Security|series=Nato Science for Peace and Security Series - D: Information and Communication Security|chapter-url=https://www.enisa.europa.eu/publications/articles/standards-for-cyber-security|publisher=IOS Press|volume=35|title=Best Practices in Computer Network Defense: Incident Detection and Response|issue=Best Practices in Computer Network Defense: Incident Detection and Response|doi=10.3233/978-1-61499-372-8-97|isbn=978-1-61499-372-8}}</ref>
===NIS Directive===
On 6 July 2016, the European Parliament and the Council adopted the '''Directive on Security of Network and Information Systems''' (the '''NIS Directive''').<ref>{{Cite web|url=http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC|title= Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union|website=EUR Lex|date= 19 July 2016|language=en|access-date=2018-04-26}}</ref>
The [[EU directive|directive]] entered into force in August 2016, and all member states of the European Union were given 21 months to transpose its requirements into national law.<ref>{{Cite news|url=https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive|title=The Directive on security of network and information systems (NIS Directive)|work=Digital Single Market|access-date=2017-03-12}}</ref> The aim of the NIS Directive is to raise the overall level of cybersecurity in the EU. The directive principally affects [[digital service provider]]s (DSPs) and '''operators of essential services''' (OESs). An operator of essential services is an entity that provides a service essential for critical societal or economic activities, depends on network and information systems to provide it, and would suffer significant disruption to that service if a security incident occurred. Both DSPs and OESs must report significant [[security incident]]s to the competent authority or the national [[Computer Security Incident Response Team]] (CSIRT).<ref>{{Cite web|url=https://www.theregister.co.uk/2016/01/07/the_network_and_information_security_directive_who_is_in_and_who_is_out/|title=The Network and Information Security Directive – who is in and who is out?|website=[[The Register]]|date=7 January 2016|access-date=2017-03-12}}</ref> DSPs are subject to a lighter regime than operators of essential services, but DSPs that are not established in the EU yet offer services there are still covered. Even where DSPs and OESs outsource the operation of their information systems to third parties, the NIS Directive still holds them accountable for security incidents.<ref>{{Cite news|url=http://www.dataprotectionreport.com/2016/07/nis-directive-published-eu-member-states-have-just-under-two-years-to-implement/|title=NIS Directive Published: EU Member States Have Just Under Two Years to Implement – Data Protection Report|date=2016-07-21|work=Data Protection Report|access-date=2017-03-12|language=en-US}}</ref>
Member states are required to adopt a national strategy on the security of network and information systems and to designate CSIRTs, [[National Competent Authorities]] (NCAs) and [[Single Points of Contact]] (SPOCs). These bodies are responsible for handling cybersecurity incidents in a way that minimises their impact, and member states are encouraged to share cybersecurity information with one another.<ref>{{Cite web|url=https://www2.deloitte.com/lu/en/pages/risk/articles/agreement-new-eu-network-information-security-directive.html|title=Agreement reached on EU Network and Information Security (NIS) Directive {{!}} Deloitte Luxembourg {{!}} Technology {{!}} Insight|website=Deloitte Luxembourg|language=en|access-date=2017-03-12|archive-date=2018-03-02|archive-url=https://web.archive.org/web/20180302044752/https://www2.deloitte.com/lu/en/pages/risk/articles/agreement-new-eu-network-information-security-directive.html|url-status=dead}}</ref>
The security requirements include technical and organisational measures that manage the risks posed to network and information systems in a preventive manner. Both DSPs and OESs must provide information that allows an in-depth assessment of their information systems and security policies.<ref name=":0">{{Cite web|url=https://www.out-law.com/en/articles/2017/january/network-and-information-security-directive-will-be-implemented-in-the-uk-despite-brexit-vote-government-confirms/|title=Network and Information Security Directive will be implemented in the UK despite Brexit vote, government confirms|website=www.out-law.com|language=en|access-date=2017-03-12}}</ref> All significant incidents must be notified to the CSIRTs. Whether an incident is significant is determined by the number of users affected, the duration of the incident and its geographical spread.<ref name=":0" />
===EU Cybersecurity Act===
The Cybersecurity Act (Regulation (EU) 2019/881) gave ENISA a permanent mandate and established a European cybersecurity certification framework for ICT products, services and processes. Certification under the framework is voluntary unless other EU or national law requires it, and [[European Union Agency for Cybersecurity|ENISA]] has a key role in preparing candidate certification schemes and in setting up and maintaining the framework.<ref>{{Cite web |title=The EU Cybersecurity Act|url=https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-act|access-date=2019-12-06|website=|language=en}}</ref>
===EU General Data Protection Regulation (GDPR)===
{{main|General Data Protection Regulation}}
The EU [[General Data Protection Regulation]] (GDPR) was adopted on 14 April 2016 and has applied since 25 May 2018, after a two-year transition period.<ref>{{Cite web|url=http://www.eugdpr.org|title=Home Page of EU GDPR|website=EU GDPR Portal|language=en-GB|access-date=2017-03-12}}</ref> The GDPR aims to bring a single standard for data protection to all EU member states. One of its changes concerns territorial scope: it applies to entities established in the EU and to entities outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Regardless of where the processing takes place, an entity that processes the personal data of individuals in the EU in these circumstances is subject to the GDPR.<ref name=":1">{{Cite web|url=http://www.eugdpr.org/key-changes.html|title=Key Changes with the General Data Protection Regulation|website=EU GDPR Portal|language=en-GB|access-date=2017-03-12}}</ref>
Fines are also much more stringent under the GDPR and can reach €20 million or 4% of an entity's worldwide annual turnover, whichever is higher.<ref name=":1" /> In addition, a personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be notified to the supervisory authority within 72 hours of the controller becoming aware of it, and the affected individuals must be informed without undue delay where the risk is high.
The European Data Protection Board (EDPB), made up of the national supervisory authorities and the European Data Protection Supervisor, is responsible for the consistent application of the GDPR across the EU; day-to-day enforcement lies with the national supervisory authorities.
Consent plays a major role in the GDPR. Where processing relies on consent, companies must make it as easy for individuals to withdraw their consent as it was to give it.<ref name=":2">{{Cite web|url=https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/|title=Overview of the General Data Protection Regulation (GDPR)|date=2017-03-03|website=ico.org.uk|language=en|access-date=2017-03-12}}</ref>
Individuals can also request the restriction of processing, in which case a company may continue to store their data but not otherwise process it, a clear differentiation from erasure. Transfers of personal data outside the EU are permitted only where the destination benefits from an adequacy decision, where appropriate safeguards such as standard contractual clauses are in place, or where a derogation such as the individual's explicit consent applies.<ref name=":2" />
=== NIS 2 Directive ===
{{main|NIS2 Directive}}
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive), which amends Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repeals Directive (EU) 2016/1148 (the NIS Directive),<ref>{{Citation |title=Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union |date=2016-07-06 |work=[[Official Journal of the European Union]] |volume=194 |url=http://data.europa.eu/eli/dir/2016/1148/oj/eng |access-date=2025-10-27 |language=en}}</ref> entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. The new Directive extends the range of entities required to take measures to increase their cybersecurity capabilities, and harmonises the EU approach to incident notification, security requirements, supervisory measures and information sharing.<ref>{{cite web | url=https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32022L2555 | title=NIS2 Directive | website=eur-lex.europa.eu | access-date= 27 March 2023}}</ref> The [[National Cyber Security Bill 2024 (Ireland)|National Cyber Security Bill 2024]] will transpose NIS 2 into Irish law once enacted.<ref>{{cite web |title=Technology Law Landscape in 2025 |url=https://www.mhc.ie/latest/insights/technology-law-in-2025 |website=Mason Hayes Curran |access-date=12 December 2024 |language=en}}</ref>
==== Background ====
Against the backdrop of increasing dependence on digital technologies, the [[COVID-19 pandemic]] highlighted how vulnerable digitised societies can be to unexpected risks.<ref>{{Cite web |title=Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) - FAQs {{!}} Shaping Europe’s digital future |url=https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs |access-date=2025-10-27 |website=digital-strategy.ec.europa.eu |language=en}}</ref> In light of this evidence, the [[European Commission]] reviewed the existing NIS (Network and Information Security) Directive and identified the following critical points:
* insufficient cyber resilience of companies operating in the EU;
* inconsistent resilience across [[Member state of the European Union|Member States]] and sectors;
* insufficient shared understanding of the main threats and challenges among Member States;
* lack of a joint crisis response.
Following several rounds of consultation, the final NIS 2 Directive<ref>{{Citation |title=Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) |date=2022-12-14 |work=OJ L |volume=333 |pages=80–152 |url=http://data.europa.eu/eli/dir/2022/2555/oj/eng |access-date=2025-10-27 |language=en}}</ref> was adopted by the European Parliament and the Council on 14 December 2022.
==== Content ====
The directive requires the [[Member state of the European Union|member states of the European Union]] to adopt a national cybersecurity strategy. Furthermore, national [[computer security incident response team]]s (CSIRTs) must be designated to handle risks and incidents, and a [[Point of contact|single point of contact]] (SPoC) is intended to ensure secure cross-border cooperation between the authorities of the Member States.
The NIS 2 Directive imposes stricter requirements on national authorities than the previous NIS Directive: stricter supervisory measures, stricter enforcement requirements and a harmonised sanction regime across all Member States.
==== Expansion of scope ====
Unlike, for example, the ordinance issued in 2016 under the German {{Interlanguage link|BSI Act (Germany)|lt=BSI Act|de|BSI-Gesetz}} to protect [[Critical infrastructure|critical infrastructures]] (''BSI-KritisV''),<ref>{{Cite web |title=BSI-KritisV - Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz |trans-title=BSI-KritisV – Ordinance on the Determination of Critical Infrastructures under the BSI Act |url=https://www.gesetze-im-internet.de/bsi-kritisv/BJNR095800016.html |access-date=2025-10-27 |website=Bundesamt für Justiz |language=de}}</ref> the NIS 2 Directive does not cover culture and media, {{Interlanguage link|Local public transport|lt=local public transport|de|Öffentlicher Personennahverkehr}} or the wholesale of medicines, but it adds new sectors such as space, top-level domain registrars and trust service providers.<ref>{{Cite web |title=NIS2 requirements: A complete guide to compliance & implementation |url=https://www.dataguard.com/nis2/requirements/ |access-date=2025-10-27 |website=DataGuard |language=en}}</ref> The increase in the number of entities covered is mainly because the supply thresholds known from the BSI-KritisV no longer apply; instead, entities are brought into scope primarily by size, with a distinction between so-called ''essential entities'' and ''important entities'' based on headcount or turnover. As before, ''critical entities'' also remain a category.<ref>{{Cite web |last=Weissmann |first=Paul |title=EU NIS2 and RCE directives for Critical Infrastructures |url=https://www.openkritis.de/eu/eu-nis-2-rce-directive.html |access-date=2025-10-27 |website=OpenKRITIS |language=en}}</ref>
=== The Digital Operational Resilience Act (DORA) ===
{{main|Digital Operational Resilience Act}}
DORA creates a regulatory framework for digital operational resilience under which financial entities must ensure they can withstand, respond to and recover from all types of [[Information and communications technology|ICT]]-related disruptions and threats. These requirements are uniform across all EU member states. The regulation has applied since 17 January 2025 to in-scope financial entities and their ICT third-party service providers.<ref>{{cite web |title=Digital Operational Resilience Act (DORA) |url=https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en |website=eiopa.europa.eu/ |access-date=27 March 2024}}</ref>
=== Cyber Resilience Act ===
{{main|Cyber Resilience Act}}
The [[Cyber Resilience Act]] (Regulation (EU) 2024/2847) sets horizontal cybersecurity requirements for products with digital elements, covering their design, development and vulnerability handling throughout the support period. It was adopted on 23 October 2024 and entered into force on 10 December 2024. Application is staged, as set out in Article 71: the provisions on notified conformity assessment bodies apply from 11 June 2026, manufacturers' obligations to report actively exploited vulnerabilities and severe incidents from 11 September 2026, and the regulation as a whole from 11 December 2027.<ref>{{cite web |date=23 October 2024|title=Regulation (EU) 2024/2847 (Cyber Resilience Act)|url=https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng|access-date=25 October 2025|publisher=EUR-Lex}}</ref> The law was first announced by the Commission President in 2021 and proposed in September 2022 to address the patchy security of connected devices.<ref>{{Cite web |last=Bertuzzi|first=Luca|date=2021-09-16|title=EU chief announces cybersecurity law for connected devices|url=https://www.euractiv.com/section/cybersecurity/news/eu-chief-announces-cybersecurity-law-for-connected-devices/|access-date=2023-01-30|website=www.euractiv.com|language=en-GB}}</ref><ref>{{Cite news |date=2022-11-09|title=Why a clear cyber policy is critical for companies|url=https://www.ft.com/content/0bb6df09-7d77-4605-aac3-89443ed65a18|access-date=2023-01-30|work=Financial Times}}</ref><ref>{{Cite web |date=2022-09-15|title=EU pitches cyber law to fix patchy Internet of Things|url=https://www.politico.eu/article/new-cyber-act-to-raise-safety-standards-across-the-bloc/|access-date=2023-01-30|website=POLITICO|language=en-US}}</ref>
===Individual EU Countries===
====Republic of Ireland====
{{main|Criminal Justice (Offences Relating to Information Systems) Act 2017}}
The Criminal Justice (Offences Relating to Information Systems) Act 2017 was enacted in May 2017 to consolidate Irish law on computer crime.<ref name=lawsociety-gazette>{{Cite web |url=https://www.lawsociety.ie/gazette/in-depth/away-in-a-hack |title=Away in a hack |date=2019-04-15 |access-date=2024-02-19 |website=[[Law Society of Ireland]]|last=Reidy|first=Diane}}</ref><ref name=iclg>{{Cite web |url=https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/ireland |title=iclg.com > Practice Areas > Cybersecurity > Ireland |access-date=2024-02-20 |website=iclg.com |last1=Finlay |first1=Adam |last2=Hughes |first2=Ruth}}</ref>
== United Kingdom ==
The Product Security and Telecommunications Infrastructure (PSTI) regime introduced mandatory security requirements for consumer "connectable" products in the UK. It came into force on 29 April 2024 and includes measures such as banning default or easily guessable passwords, publishing a point of contact for vulnerability reporting, and providing transparency about the minimum period for which security updates will be supplied.<ref>{{cite web |title=Regulations: consumer connectable product security (PSTI)|url=https://www.gov.uk/guidance/regulations-consumer-connectable-product-security|publisher=UK Government|date=17 March 2025|access-date=25 October 2025}}</ref><ref>{{cite web |title=The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023|url=https://www.legislation.gov.uk/ukdsi/2023/9780348249767|publisher=legislation.gov.uk|date=2023|access-date=25 October 2025}}</ref>
== Frameworks and standards ==
Outside binding law, the [[NIST Cybersecurity Framework]] was updated to version 2.0 in February 2024. The update added a new Govern function that emphasises governance and supply-chain risk and is intended to inform how organisations implement the other functions.<ref>{{cite web |title=NIST Releases Version 2.0 of Landmark Cybersecurity Framework|url=https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework|publisher=NIST|date=26 February 2024|access-date=25 October 2025}}</ref><ref>{{cite web |title=The NIST Cybersecurity Framework (CSF) 2.0|url=https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf|publisher=NIST|date=26 February 2024|access-date=25 October 2025}}</ref>
==Reactions==
While experts agree that cybersecurity improvements are necessary, there is disagreement about whether the solution is more government regulation or more private-sector innovation.
===Support===
Many government officials and cybersecurity experts believe that the private sector has failed to solve the cybersecurity problem and that regulation is needed. [[Richard A. Clarke|Richard Clarke]] states that "industry only responds when you threaten regulation. If industry does not respond [to the threat], you have to follow through."{{ref|free2innovate}} He believes that software companies must be forced to produce more secure programs.{{ref|pbs}} [[Bruce Schneier]] also supports regulation that encourages software companies to write more secure code through economic incentives.{{ref|free2innovate}} US Representative [[Rick Boucher]] ([[United States Democratic Party|D–]][[Virginia|VA]]) proposes improving cybersecurity by making software companies liable for security flaws in their code.{{ref|menn}} In addition to improving software security, Clarke believes that certain industries, such as utilities and ISPs, require regulation.{{ref|free2innovate}}
===Opposition===
On the other hand, many private-sector executives and lobbyists believe that more regulation will restrict their ability to improve cybersecurity. Harris Miller, a [[lobbyist]] and president of the [[Information Technology Association of America]], believes that regulation inhibits innovation.{{ref|free2innovate}} Rick White, former corporate attorney and president and [[CEO]] of the lobby group TechNet, also opposes more regulation. He states that "the private-sector must continue to be able to innovate and adapt in response to new attack methods in cyber space, and toward that end, we commend President Bush and the Congress for exercising regulatory restraint."{{ref|free2innovate}}
Another reason many private-sector executives oppose regulation is that it is costly and involves government oversight in private enterprise. Firms are just as concerned about regulation reducing profits as they are about regulation limiting their flexibility to solve the cybersecurity problem efficiently.
With regard to the CRA specifically, prominent free and [[Open source|open-source]] software organisations, including the [[Eclipse Foundation]], the [[Internet Society]] and the [[Python Software Foundation]], expressed concern about the breadth of the proposal's impact. They argued that the draft regulation had consequences its text did not acknowledge, which in their view would fundamentally damage the open-source ecosystem, and proposed changes that would allow open-source software to be distributed in the EU without being regulated in the same manner as commercial software.<ref>{{cite web |last1=Milinkovich |first1=Mike |title=Cyber Resilience Act: Good Intentions and Unintended Consequences |url=https://blogs.eclipse.org/post/mike-milinkovich/cyber-resilience-act-good-intentions-and-unintended-consequences |website=Eclipse Foundation Blog |publisher=Eclipse Foundation Executive Director |access-date=11 April 2023}}</ref><ref>{{cite web |last1=Kolkman |first1=Olaf |title=The EU's Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem |url=https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/ |website=The Internet Society |date=24 October 2022 |publisher=The Internet Society Principal - Internet Technology, Policy, and Advocacy |access-date=11 April 2023}}</ref><ref>{{cite web |last1=Nicholson |first1=Deb |title=The EU's Proposed CRA Law May Have Unintended Consequences for the Python Ecosystem |url=https://pyfound.blogspot.com/2023/04/the-eus-proposed-cra-law-may-have.html |website=Python Software Foundation Blog |date=11 April 2023 |publisher=Python Software Foundation |access-date=11 April 2023}}</ref><ref>{{cite web |last1=Milinkovic |first1=Mike |title=European Cyber Resiliency Act: Potential Impact on the Eclipse Foundation |url=https://eclipse-foundation.blog/2023/01/15/european-cyber-resiliency-act-potential-impact-on-the-eclipse-foundation/ |website=Eclipse Foundation Blog |date=16 January 2023 |access-date=11 April 2023}}</ref> The final text adopted in 2024 partly addressed these concerns by excluding free and open-source software that is not supplied in the course of a commercial activity and by creating a light-touch "open-source software steward" role for foundations and similar bodies that support such software.
==See also==
* [[CERT Coordination Center]]
* [[Cyber security standards]]
* [[Cybersecurity Information Sharing Act]]
* [[Cyber Security and Resilience Bill]] – proposed UK regulation
* [[Default password]]
* [[Information assurance]]
* [[List of data breaches]]
* [[Medical device hijack]]
* [[National Cyber Security Division]]
* [[National Strategy to Secure Cyberspace]]
* [[Presidential directive]]
* [[Proactive cyber defence]]
* [[United States Computer Emergency Readiness Team]]
* [[United States Department of Homeland Security]]
==Notes==
#{{note|privacyrights}} "[https://web.archive.org/web/20100613183200/http://www.privacyrights.org/ar/ChronDataBreaches.htm A chronology of data breaches reported since the ChoicePoint incident]." (2005). Retrieved October 13, 2005.
#{{note|epic}} "[http://www.epic.org/privacy/bill_track.html Electronic privacy information center bill track: Tracking privacy, speech and civil liberties in the 109th congress]." (2005). Retrieved October 23, 2005.
#{{note|howstuffworks}} "[http://www.howstuffworks.com/virus.htm How computer viruses work]." (2005). Retrieved October 10, 2005.
#{{note|whitehouse}} "[http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf The National Strategy to Secure Cyberspace] {{Webarchive|url=https://web.archive.org/web/20120227090522/http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf |date=2012-02-27 }}." (2003). Retrieved December 14, 2005.
#{{note|privacy}} "[https://web.archive.org/web/20051210162540/http://www.privacy.ca.gov/code/cc1798.291798.82.htm Notice of security breach – civil code sections 1798.29 and 1798.82 – 1798.84]." (2003). Retrieved October 23, 2005.
#{{note|pbs}} "[https://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html Richard Clarke interview]." (2003). Retrieved December 4, 2005.
#{{note|gordon}} Gordon, L. A., Loeb, M. P., Lucyshyn, W. & Richardson, R. (2005). "[http://www.usdoj.gov/criminal/cybercrime/FBI2005.pdf 2005 CSI/FBI computer crime and security survey]." Retrieved October 10, 2005.
#{{note|heiman}} Heiman, B. J. (2003). [http://www.klgates.com/files/Publication/b107a7ae-1e01-404e-830d-5f4a20eebd1b/Presentation/PublicationAttachment/dbb0ff0d-33fd-4808-b338-60b3345450f6/CybersecurityRegisHere.pdf Cybersecurity regulation is here]. [[RSA Conference|RSA security conference]], Washington, D.C. Retrieved October 17, 2005.
#{{note|kirby}} Kirby, C. (2003, December 4). "[http://www.sfgate.com/business/article/Forum-focuses-on-cyber-security-2510105.php Forum focuses on cybersecurity]". San Francisco Chronicle.
#{{note|lemos}} Lemos, R. (2003). "[https://web.archive.org/web/20080302205503/http://news.zdnet.com/2100-1009_22-984697.html Bush unveils final cybersecurity plan]." Retrieved December 4, 2005.
#{{note|menn}} Menn, J. (2002, January 14). "[https://www.latimes.com/archives/la-xpm-2002-jan-14-fi-micro14-story.html Security flaws may be pitfall for Microsoft]". Los Angeles Times, pp. C1.
#{{note|rasmussen}} Rasmussen, M., & Brown, A. (2004). "[https://web.archive.org/web/20081121222303/http://www.forrester.com/Research/Document/0,7211,35913,00.html California Law Establishes Duty of Care for Information Security]." Retrieved October 31, 2005.
#{{note|schmitt}} Schmitt, E., Charron, C., Anderson, E., & Joseph, J. (2004). "[https://web.archive.org/web/20081121222303/http://www.forrester.com/Research/Document/0,7211,35913,00.html What Proposed Data Laws Will Mean for Marketers]." Retrieved October 31, 2005.
#{{note|Rizzo}} Jennifer Rizzo. (August 2, 2012) "[https://web.archive.org/web/20130203174242/http://articles.cnn.com/2012-08-02/politics/politics_cybersecurity-act_1_cybersecurity-bill-homeland-security-cyberattacks Cybersecurity bill fails in Senate]." Accessed August 29, 2012.
#{{note|Rosenzweig}} Paul Rosenzweig. (July 23, 2012) "{{unfit|1=[https://web.archive.org/web/20120924233608/http://www.heritage.org/research/reports/2012/07/cybersecurity-act-of-2012-revised-cyber-bill-still-has-problems Cybersecurity Act of 2012: Revised Cyber Bill Still Has Problems]}}." The Heritage Foundation. Accessed August 20, 2012.
#{{note|OKeefe}} Ed O'Keefe & Ellen Nakashima. (August 2, 2012) "[https://www.washingtonpost.com/world/national-security/cybersecurity-bill-fails-in-senate/2012/08/02/gJQADNOOSX_story.html Cybersecurity bill fails in Senate]." The Washington Post. Accessed August 20, 2012.
#{{note|Fitzpatrick}} Alex Fitzpatrick. (July 20, 2012) "[http://mashable.com/2012/07/20/cybersecurity-obama/ Obama Gives Thumbs-Up to New Cybersecurity Bill]." Mashable. Accessed August 29, 2012.
#{{note|Sasso}} Brendan Sasso. (August 4, 2012) "[https://thehill.com/policy/technology/121791-after-defeat-of-senate-cybersecurity-bill-obama-weighs-executive-order-option/ After defeat of Senate cybersecurity bill, Obama weighs executive-order option]". The Hill. Accessed August 20, 2012.
#{{note|Vijayan}} Jaikumar Vijayan. (August 16, 2012) "[http://www.computerworld.com/s/article/9230341/No_partisan_fight_over_cybersecurity_bill_GOP_senator_says?taxonomyId=70 No partisan fight over cybersecurity bill, GOP senator says]". Computerworld. Accessed August 29, 2012.
#{{note|Franzen}} Carl Franzen. (August 2, 2012) "[https://web.archive.org/web/20130513032101/http://idealab.talkingpointsmemo.com/2012/08/as-cybersecurity-bill-fails-in-senate-advocates-rejoice.php As Cybersecurity Bill Fails In Senate, Privacy Advocates Rejoice]". TPM. Accessed August 29, 2012.
#{{note|Fitzpatrick2}} Alex Fitzpatrick. (August 2, 2012) "[http://mashable.com/2012/08/02/cybersecurity-bill-fails/ Cybersecurity Bill Stalls in the Senate]". Mashable. Accessed August 29, 2012.
#{{note|Westby}} Jody Westby (August 13, 2012) "[https://www.forbes.com/sites/jodywestby/2012/08/13/congress-needs-to-go-back-to-school-on-cyber-legislation/ Congress Needs to Go Back To School on Cyber Legislation]". Forbes. Accessed August 20, 2012.
==References==
{{reflist|30em}}
{{DEFAULTSORT:Cyber-Security Regulation}}
[[Category:Government in the United States]]
[[Category:Computer security procedures]]
[[Category:Cyberwarfare]]
[[Category:Politics and technology]]
[[Category:Data laws]]
[[Category:Computer law]]