On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.
(Post: NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers)
October 2025
China Amends Cybersecurity Law and Incident Reporting Regime to Address AI and Infrastructure Risks
Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.
Commerce Department Solicits Feedback on AI Exports Program
The Commerce Department today published a Request for Information (RFI) inviting the public to submit comments on U.S. artificial intelligence exports. The RFI asks stakeholders to weigh in on aspects of the Department’s new “American AI Exports Program,” an initiative intended to “promot[e] the export of full-stack American AI technology…
State Greenhouse Gas Reporting Programs: New York’s Proposed Mandatory Reporting Program and California’s Existing Program
While the Environmental Protection Agency (“EPA”) is proposing to amend the federal Greenhouse Gas Reporting Program (“GHGRP”) to remove reporting requirements for nearly all sources, it remains important for companies to track developments and manage their compliance obligations with existing and emerging state GHG reporting programs. Several states, such as California, already have some form of mandatory GHG reporting in place. Others are introducing similar programs to take effect over the next several years.
In particular, New York is expected to finalize a rule establishing a Mandatory Greenhouse Gas Reporting Program. The state announced its proposal in spring 2025 and public comments closed on July 1. New York’s program appears to be similar to both the federal GHGRP (which EPA will likely roll back) and California’s Mandatory Reporting Regulation (“MRR”) and applies to companies with significant direct emissions from facilities located in New York state and fuels and electricity consumed within the state. This blog post provides an overview of New York’s proposed program and compares it with California’s MRR.
U.S. and UK Sanctions Target Russia’s Two Largest Oil Companies; EU Issues Significant New Russia and Belarus Sanctions Package
On October 22, 2025, the U.S. government imposed property-blocking sanctions on Russia’s two largest oil companies, Open Joint Stock Company Rosneft Oil Company (“Rosneft”) and Lukoil OAO (“Lukoil”), by designating these entities, as well as 34 Russia-based Rosneft and Lukoil subsidiaries, to the List of Specially Designated Nationals and Blocked…
New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research
On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.
Overhauling the GSA Schedule
On October 17, 2025, the General Services Administration (“GSA”) announced that it plans to issue a Mass Modification to GSA’s Multiple Award Schedule (“MAS” or “Schedule”) Solicitation[1] and Schedule contracts in November 2025 (“Refresh”). Periodically, GSA may issue a Mass Modification to Schedule contracts to uniformly impose changes to the contract terms applicable to all Schedule contract holders, often as a result of changes in applicable law, regulation, or policy. This approach also ensures that existing Schedule contracts have consistent terms, even though with the evergreen nature of the Solicitation those contracts have been entered into at different times and are at different stages of performance.
This Refresh (i.e., Refresh #30) will implement several significant changes with the goal to align the GSA Schedule with recent developments in the Revolutionary FAR Overhaul (“RFO”).[2] Although the full text of the Refresh is not yet available, GSA’s Refresh outline provides insight into the changes that are to come as GSA seeks to gain implementation experience with the RFO clauses, provisions, and ordering procedures through its Schedule contracts. Given GSA’s leadership of the RFO process, and this year’s Executive Order to consolidate domestic procurement of common goods and services in GSA to the extent permitted by law,[3] it is no surprise that it has acted quickly to revise its long-term government-wide contracting vehicle according to these recent developments.
Along with the Refresh announcement, GSA opened a 10-business-day comment window on buy.gsa.gov, which we expect will close on October 31, 2025. Schedule contractors will be expected to accept the Refresh no later than 90 days from its release, which is expected sometime in November. Below we discuss relevant background on the RFO process as it relates to the Schedule and anticipated changes to provisions and clauses in the Refresh. We will continue to watch for updates as GSA’s implementation of the RFO unfolds.
California Update: New Employment Laws and Compliance Obligations for 2026
California Governor Gavin Newsom has signed several Assembly Bills (AB) and Senate Bills (SB) that expand employee rights and increase workplace compliance obligations for employers. Here is a rundown on the key new laws. Unless otherwise specified, the laws take effect on January 1, 2026.
EU’s Fifth FDI Annual Report: Five trends in Europe’s screening activities
The figures are fresh off the press: the European Commission published its Fifth Annual Report on the screening of foreign direct investments (“FDI”) into the European Union (“EU”) just a few days ago.[1] Like the previous editions, the Fifth Annual Report offers a statistical overview of the EU FDI framework’s activities in the previous year (2024 for the Fifth Annual Report). Based on submissions from all 27 Member States, the report surveys both the performance of Member States’ national screening regimes and the functioning of the EU cooperation process for FDI. FDI screening has expanded its reach in the EU, from 14 Member States having active FDI screening tools in 2019,[2] to 24 today, with the remaining three Member States in the midst of enacting similar tools.[3] This post distils the five key trends that have emerged in the past year highlighted by the Fifth Annual Report.
Tax Exemption and Constitutional Vagueness – What Freedom Path Means for 501(c)(4) Organizations
The recent decision in Freedom Path, Inc. v. Internal Revenue Service addressed whether the IRS’s standards used to deny Freedom Path’s tax exemption as a 501(c)(4) organization were unconstitutionally vague. The United States District Court for the District of Columbia partially agreed with Freedom Path, acknowledging that the relevant guidance…