Cybersecurity

On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it was voluntarily dismissing the case it brought against SolarWinds Corp. (“SolarWinds”) and its information security officer, Timothy Brown, regarding the company’s security practices and related statements in connection with the “Sunburst” cybersecurity incident. The SEC stated in a brief release that its decision to dismiss with prejudice the case against SolarWinds and Mr. Brown was “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”Continue Reading SEC Voluntarily Dismisses SolarWinds Litigation

As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill

Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to

Continue Reading How Will DoW Determine Which Level of CMMC Applies to My Agreement?

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.Continue Reading NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers

On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR. These guidelines may be of particular relevance for pharmaceutical, medical device, and other life sciences companies that conduct clinical research.Continue Reading New German Guidelines on GDPR Requirements for International Transfers of Health Data in Medical Research

The Cybersecurity Information Sharing Act of 2015 (“CISA 2015”), which provided protections for sharing cybersecurity threat information with the federal government and others, officially sunset on September 30, 2025 pursuant to the law’s original sunset date after efforts to re-authorize it did not succeed.  The law created a cybersecurity information

Continue Reading Cybersecurity Information Sharing Act of 2015 Allowed to Sunset

On September 29, California Governor Gavin Newsom (D) signed into law SB 53, the Transparency in Frontier Artificial Intelligence Act (“TFAIA”), establishing public safety regulations for developers of “frontier models,” or large foundation AI models trained using massive amounts of computing power.  TFAIA is the first frontier model safety

Continue Reading California Governor Signs Landmark AI Safety Legislation

On September 16, 2025, the European Commission launched a call for evidence to collect feedback and best practices on simplifying several key areas of the EU digital rulebook, ahead of its planned Digital Omnibus package. This initiative targets legislation related to data, cybersecurity, and artificial intelligence, aiming to reduce administrative burdens and compliance costs for businesses while preserving high standards of fairness, security, and privacy online.Continue Reading Commission Collects Feedback to Simplify Rules on Data, Cybersecurity and Artificial Intelligence in Upcoming Digital Omnibus

This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.

On September 10, 2025, DoD published the final version of the Cybersecurity Maturity Model Certification (“CMMC”) Defense Federal Acquisition Regulation Supplement (“DFARS”) Procurement Rule (“Procurement Rule” or “Rule”) in the Federal Register.  This Rule imposes the contractual requirements associated with the CMMC Program Rule that was published in final form in October 2024.  The Procurement Rule will become effective sixty days after publication, on November 10, 2025 and will be implemented in a phased approach.  Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced

The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.Continue Reading European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence Regulation