
    Regulatory Radar

    Track regulatory changes, framework updates, and compliance deadlines. Filtered to what matters for your organization.

69 regulations tracked | 22 frameworks covered | 19 upcoming deadlines | Update frequency: regular

    This page is for general informational and educational purposes only. It does not constitute legal, regulatory, or professional compliance advice. Details may be incomplete or outdated. Always verify compliance obligations with official sources and qualified legal counsel. See our Terms of Service.

    69 events found
Severity: Critical | Type: Deadline
    Aug 2, 2026

    (Projected) EU AI Act High-Risk System Obligations Apply

    The EU AI Act's full obligations for high-risk AI systems are projected to become enforceable. High-risk systems, defined in Annex III, include AI used in biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and the administration of justice. Providers of high-risk AI systems must implement conformity assessment procedures, maintain quality management systems, and ensure ongoing post-market monitoring.

Frameworks: EU AI Act | Industries: SaaS, Healthcare, FinTech
Severity: Critical | Type: Deadline
    Jun 1, 2026

    (Projected) CMMC Phase 2: All DoD Contracts Require Certification

    CMMC Phase 2 is projected to expand certification requirements to all DoD contracts involving CUI, requiring third-party C3PAO assessments for Level 2 certification. This phase represents the full operationalization of CMMC, where every defense contractor handling CUI must hold a valid certification from an accredited C3PAO, not merely a self-assessment. Phase 2 also introduces CMMC Level 3 (government-led assessment) requirements for contracts involving the most sensitive CUI categories. The exact start date is subject to the DFARS rulemaking timeline and may shift.

Frameworks: CMMC | Industries: Defense
Severity: Important | Type: New Regulation
    Jun 1, 2026

    (Projected) CISA Secure by Design Principles Expected in Federal Acquisition Requirements

    CISA is expected to formalize Secure by Design principles as requirements in federal acquisition regulations by mid-2026. Building on the voluntary pledge program that enrolled over 250 software manufacturers, the projected rule would require software vendors selling to federal agencies to attest compliance with Secure by Design principles, including elimination of default passwords, MFA by default, evidence of vulnerability management maturity, and published vulnerability disclosure policies. This aligns with the broader federal push toward software supply chain security following Executive Order 14028.

Frameworks: NIST CSF, SOC 2, HITRUST | Industries: SaaS, Defense, Healthcare
Severity: Critical | Type: Deadline
    Oct 31, 2025

    ISO 27001:2013 to 2022 Transition Deadline

    The three-year transition period for migrating from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 expires. After this date, all ISO 27001:2013 certifications are automatically invalid regardless of their stated expiry date, and organizations must hold a valid 2022 certification to claim ISO 27001 compliance. Certification bodies are prohibited from conducting surveillance audits against the 2013 edition after this deadline, and any organization that has not completed the transition will effectively lose its certification.

Frameworks: ISO 27001 | Industries: SaaS, Healthcare, FinTech, Defense
Severity: Important | Type: Deadline
    Oct 1, 2025

    Maryland Online Data Privacy Act Takes Effect

    The Maryland Online Data Privacy Act (MODPA) became effective, introducing one of the most restrictive state privacy laws in the United States. Unlike most other state privacy laws that allow opt-out rights for data sales and targeted advertising, Maryland's law prohibits the sale of sensitive personal data entirely and restricts the collection of personal data to what is reasonably necessary and proportionate to provide the requested service. The law also includes strong protections for minors' data and restricts targeted advertising directed at consumers under 18.

Frameworks: State Privacy | Industries: SaaS, FinTech, Healthcare
Severity: Important | Type: Deadline
    Jul 1, 2025

    Tennessee and Minnesota Privacy Laws Take Effect

    The Tennessee Information Protection Act (TIPA) took effect July 1, 2025, and the Minnesota Consumer Data Privacy Act became effective on July 31, 2025, adding two more states to the growing roster of comprehensive privacy jurisdictions. Tennessee's law follows the Virginia model and includes a notable affirmative defense provision for organizations that maintain and comply with a written privacy program conforming to NIST privacy framework standards. Minnesota's law includes broader protections and notably requires data protection assessments for certain processing activities.

Frameworks: State Privacy | Industries: SaaS, FinTech, Healthcare
Severity: Critical | Type: Deadline
    Mar 31, 2025

    PCI DSS v4.0 Future-Dated Requirements Now Mandatory

    All 51 future-dated requirements in PCI DSS v4.0 transitioned from best practice to mandatory, completing the full v4.0 implementation cycle. Key requirements now enforceable include targeted risk analysis for flexible control frequencies, automated detection and response to payment page script modifications, enhanced authentication for all access to the cardholder data environment, and inventory-based management of custom and third-party software. Assessors must now validate compliance with every v4.0 requirement without exception.

Frameworks: PCI DSS | Industries: FinTech, SaaS
Severity: Critical | Type: Framework Update
    Mar 31, 2025

    PCI DSS v4.0.1 Penetration Testing Requirements Now Mandatory

    PCI DSS v4.0.1 future-dated penetration testing requirements become mandatory, including Requirement 11.4.1 (documented internal pentest methodology) and Requirement 6.4.2 (automated technical solution for public-facing web applications).

Frameworks: PCI DSS | Industries: FinTech, SaaS, Healthcare
Severity: Critical | Type: Deadline
    Mar 1, 2025

    CMMC Phase 1 Implementation Begins

    CMMC Phase 1 implementation begins, marking the first time DoD contracts will include CMMC certification requirements in solicitations. During Phase 1, CMMC Level 1 (self-assessment) and Level 2 (self-assessment) requirements will appear in select new contracts and contract renewals. Phase 1 is intentionally limited in scope to allow the assessment ecosystem to scale, but it establishes the precedent and contractual mechanism for mandatory cybersecurity certification in defense procurement.

Frameworks: CMMC | Industries: Defense
Severity: Important | Type: Guidance
    Feb 10, 2025

    AICPA Reinforces Penetration Testing as SOC 2 Best Practice

    Updated AICPA guidance emphasizes penetration testing as a key control activity under CC7.1 (Detection and Monitoring) and CC7.2 (Response to Identified Security Incidents). While not explicitly mandated, auditors increasingly expect to see pentest evidence during SOC 2 Type II examinations.

Frameworks: SOC 2 | Industries: SaaS, FinTech, Healthcare
Severity: Critical | Type: Deadline
    Feb 2, 2025

    EU AI Act: Prohibited Practices Provisions Apply

    The EU AI Act's provisions on prohibited AI practices became enforceable, banning specific categories of AI systems deemed to pose an unacceptable risk to fundamental rights. Prohibited practices include AI systems that deploy subliminal or manipulative techniques, exploit vulnerabilities of specific groups, perform social scoring by public authorities, conduct certain forms of predictive policing, and use real-time remote biometric identification in public spaces (with narrow exceptions). General-purpose AI (GPAI) model provider obligations, including transparency and systemic risk assessments, also begin to apply.

Frameworks: EU AI Act | Industries: SaaS, Healthcare, FinTech
Severity: Important | Type: Guidance
    Jan 15, 2025

    CISA Known Exploited Vulnerabilities Catalog Exceeds 1,200 Entries

    The CISA KEV catalog continues to grow rapidly, with over 1,200 actively exploited vulnerabilities now listed. Federal agencies must remediate KEV entries within mandated timelines, and private sector organizations are strongly urged to prioritize these vulnerabilities in their testing programs.

Frameworks: NIST CSF, CMMC, SOC 2 | Industries: SaaS, Healthcare, FinTech, Defense
Severity: Critical | Type: New Regulation
    Jan 6, 2025

    HIPAA Security Rule NPRM Published in Federal Register

    HHS published the Notice of Proposed Rulemaking (NPRM) to modernize the HIPAA Security Rule, representing the first major update since the 2013 Omnibus Rule. The proposed changes eliminate the distinction between addressable and required implementation specifications, mandate encryption of ePHI at rest and in transit without exception, require multi-factor authentication, and establish 72-hour system restoration requirements. The NPRM also proposes annual security compliance audits and network segmentation for systems containing ePHI.

Frameworks: HIPAA | Industries: Healthcare
Severity: Critical | Type: Deadline
    Jan 1, 2025

    Five State Privacy Laws Take Effect: Iowa, Delaware, Nebraska, New Hampshire, New Jersey

    Privacy laws in Iowa, Delaware, Nebraska, and New Hampshire became effective on January 1, 2025, with New Jersey's law following on January 15, 2025, marking the largest single-month expansion of state privacy coverage in the United States. While these laws largely follow the Virginia/Connecticut model, there are notable variations: Delaware's law has a lower applicability threshold of 35,000 consumers, and New Jersey's law covers a broad range of personal data categories. With these additions, over half of US states now have or are implementing comprehensive privacy legislation.

Frameworks: State Privacy | Industries: SaaS, FinTech, Healthcare
Severity: Critical | Type: Deadline
    Dec 16, 2024

    CMMC 2.0 Final Rule Effective Date

    The CMMC 2.0 final rule (32 CFR Part 170) became effective, formally establishing CMMC as enforceable regulation for the defense industrial base. From this date forward, the Department of Defense has the regulatory authority to include CMMC certification requirements in defense contracts through DFARS clause updates. The effective date triggers the phased implementation timeline, with Phase 1 beginning in early 2025 and subsequent phases expanding the scope of contracts requiring certification over a multi-year period.

Frameworks: CMMC | Industries: Defense
Severity: Important | Type: New Regulation
    Nov 22, 2024

    CPPA Proposes Automated Decision-Making Technology Regulations

    The California Privacy Protection Agency issued proposed regulations governing automated decision-making technology (ADMT), including profiling, under the CCPA/CPRA framework. The proposed rules would require businesses to provide pre-use notices when ADMT is used for significant decisions, offer consumers the right to opt out of ADMT, and provide access to information about the logic involved. The regulations also propose requirements for impact assessments when deploying ADMT in certain contexts.

Frameworks: CCPA | Industries: SaaS, FinTech, Healthcare
Severity: Important | Type: Guidance
    Nov 20, 2024

    NIST Updates Technical Security Testing Guidance (SP 800-115 Rev 1)

    NIST publishes revised guidance on technical approaches for information security testing, including updated penetration testing methodologies, social engineering testing, and cloud-specific testing considerations.

Frameworks: NIST 800-53, NIST 800-171, NIST CSF, CMMC | Industries: Defense, SaaS, Healthcare
Severity: Critical | Type: New Regulation
    Oct 15, 2024

    CMMC 2.0 Final Rule Published

    The Department of Defense published the CMMC 2.0 final rule (32 CFR Part 170) in the Federal Register, completing the regulatory process that began with the December 2023 proposed rule. The final rule establishes the definitive certification requirements, assessment processes, and phased implementation timeline for the defense industrial base. Key provisions include the three certification levels, C3PAO assessment methodology, POA&M requirements (limited, conditional, with 180-day closeout), and affirmation requirements for senior officials of defense contractors.

Frameworks: CMMC | Industries: Defense
Severity: Important | Type: Guidance
    Sep 15, 2024

    (Trend Analysis) Cyber Insurance Market Mandates Baseline Security Controls for Policy Renewal

    This entry reflects an industry trend observation, not a single dated regulatory event. By late 2024, major cyber insurance carriers (including Coalition, Corvus, Beazley, and Chubb) had converged on a common set of baseline security controls required for policy issuance or renewal. These controls included: MFA on all remote access and privileged accounts, endpoint detection and response (EDR) on all endpoints, immutable and offsite backups tested quarterly, email authentication (DMARC at enforcement), privileged access management (PAM), and a documented incident response plan tested annually. Carriers reported that claims frequency dropped 30% among policyholders meeting all six controls, while organizations failing to meet these baselines faced premium increases of 50-200% or outright coverage denial.

Frameworks: NIST CSF, SOC 2, HITRUST, HIPAA | Industries: SaaS, Healthcare, FinTech
Severity: Critical | Type: Deadline
    Aug 1, 2024

    EU AI Act Enters Into Force

    The EU AI Act officially entered into force, starting the clock on its phased compliance deadlines. The first obligations, covering AI literacy requirements and prohibited AI practices, become applicable six months from entry into force. The regulation's full enforcement timeline extends to August 2027 for certain provisions, with high-risk system obligations applying from August 2026.

Frameworks: EU AI Act | Industries: SaaS, Healthcare, FinTech
Severity: Important | Type: Guidance
    Jul 26, 2024

    NIST AI RMF Generative AI Profile Published

    NIST published the Generative AI Profile (NIST AI 600-1), a companion resource to the AI RMF 1.0 that addresses risks unique to generative AI systems including large language models, image generators, and code synthesis tools. The profile identifies 12 risks specific to generative AI, including confabulation, data privacy in training corpora, information integrity, harmful content generation, and environmental impact. For each risk, the profile maps relevant AI RMF subcategories and provides suggested actions across the Govern, Map, Measure, and Manage functions.

Frameworks: NIST AI RMF | Industries: SaaS, Healthcare, FinTech
Severity: Critical | Type: Deadline
    Jul 1, 2024

    Oregon OCPA and Texas TDPSA Take Effect

    The Oregon Consumer Privacy Act (OCPA) and Texas Data Privacy and Security Act (TDPSA) became effective, continuing the expansion of state-level privacy regulation. Oregon's law is notable for having no revenue threshold, applying to any entity processing 100,000 Oregon consumers' data or 25,000 consumers' data when deriving 25% of revenue from data sales. Texas's TDPSA is significant due to the state's large population and economy, substantially expanding the number of consumers covered by comprehensive privacy laws.

Frameworks: State Privacy | Industries: SaaS, FinTech, Healthcare
Severity: Important | Type: Deadline
    Jun 15, 2024

    SEC Cybersecurity Rules Effective for Smaller Reporting Companies

    The SEC cybersecurity incident disclosure rules on Form 8-K became effective for smaller reporting companies, extending the four-business-day material incident reporting requirement to all SEC registrants. The six-month grace period provided to smaller filers has now expired. Annual cybersecurity governance disclosures on Form 10-K also apply beginning with fiscal years ending on or after June 15, 2024.

Frameworks: SEC | Industries: SaaS, FinTech
Severity: Important | Type: Framework Update
    Jun 11, 2024

    PCI DSS v4.0.1 Released with Clarifications

    The PCI Security Standards Council released PCI DSS v4.0.1 as a limited revision containing clarifications, corrections of typographical errors, and updated guidance for several requirements. No new requirements were added, but important clarifications were made to requirements around targeted risk analysis, multi-factor authentication applicability, and script integrity monitoring. The release addressed common implementation questions that emerged during the first year of v4.0 adoption.

Frameworks: PCI DSS | Industries: FinTech, SaaS
Severity: Informational | Type: Framework Update
    Jun 1, 2024

    Australian ISM June 2024 Update Released

    The Australian Signals Directorate (ASD) released the June 2024 update to the Information Security Manual (ISM), the foundational security control framework underpinning IRAP assessments for Australian government systems. This update includes revised guidance on cloud security, updated cryptographic requirements reflecting post-quantum preparedness considerations, and refined controls for cross-domain solutions. The ISM is updated quarterly, but this release included more substantial changes than typical quarterly revisions.

Frameworks: IRAP | Industries: SaaS, Defense
Severity: Important | Type: Framework Update
    May 20, 2024

    FedRAMP Announces Rev 5 Baseline Transition Timeline

    FedRAMP published its transition timeline for adopting NIST SP 800-53 Rev 5 baselines, replacing the Rev 4 baselines that had been in effect since the program's inception. The updated baselines incorporate new control families for supply chain risk management (SR) and personally identifiable information processing (PT), along with significant expansions to existing families. Cloud service providers with existing authorizations were given a defined window to update their System Security Plans and implement new controls.

Frameworks: FedRAMP, NIST 800-53 | Industries: SaaS, Defense
Severity: Important | Type: Guidance
    May 20, 2024

    CISA Known Exploited Vulnerabilities Catalog Surpasses 1,100 Entries

    CISA's Known Exploited Vulnerabilities (KEV) catalog, established in November 2021 via BOD 22-01, surpassed 1,100 entries by mid-2024. The catalog, which requires federal agencies to remediate listed vulnerabilities within defined timelines, had become a de facto standard for vulnerability prioritization across the private sector. CISA added enhanced metadata including ransomware campaign associations, affected product categories, and remediation notes. The catalog's adoption by SOC 2 auditors, HITRUST assessors, and cyber insurance underwriters as a minimum patching standard solidified its role beyond federal compliance.

Frameworks: NIST CSF, SOC 2, HITRUST, HIPAA | Industries: SaaS, Healthcare, FinTech, Defense
Severity: Critical | Type: Framework Update
    May 14, 2024

    NIST SP 800-171 Revision 3 Published

    NIST published SP 800-171 Revision 3, significantly restructuring the standard for protecting Controlled Unclassified Information (CUI) in non-federal systems. Rev 3 reorganizes requirements into 17 control families (aligned with SP 800-53 Rev 5), increases the total requirement count, introduces Organization-Defined Parameters (ODPs) that allow tailoring of specific thresholds, and removes the distinction between basic and derived requirements. The revision represents the most substantial change to 800-171 since its original publication.

Frameworks: NIST 800-171, CMMC | Industries: Defense
Severity: Informational | Type: Guidance
    Apr 15, 2024

    AICPA Issues SOC 2 Examination Guidance for AI Systems

    The AICPA released supplemental guidance for practitioners conducting SOC 2 examinations of organizations that develop or operate AI and machine learning systems. The guidance addresses how existing Trust Services Criteria apply to AI-specific risks including model governance, training data integrity, bias monitoring, and explainability. It provides illustrative controls and testing procedures mapped to the Security, Availability, Processing Integrity, Confidentiality, and Privacy categories.

Frameworks: SOC 2 | Industries: SaaS
Severity: Critical | Type: Deadline
    Mar 31, 2024

    PCI DSS v3.2.1 Officially Retired

    PCI DSS v3.2.1 was officially retired after a two-year transition period. All organizations subject to PCI DSS must now validate compliance exclusively against v4.0. Assessments initiated after this date using v3.2.1 are no longer accepted by acquiring banks or payment brands. Future-dated requirements in v4.0 remain best practices until March 31, 2025, when they become mandatory.

Frameworks: PCI DSS | Industries: FinTech, SaaS
Severity: Important | Type: Framework Update
    Mar 26, 2024

    HITRUST Announces AI Assurance Program for AI Risk Management

    HITRUST announced the development of its AI Assurance Program, designed to provide a certifiable framework for managing AI-related risks in regulated industries. The program builds on the existing HITRUST CSF assessment methodology and incorporates requirements from the NIST AI Risk Management Framework (AI RMF 1.0), the EU AI Act, and ISO/IEC 42001. HITRUST stated the program would offer tiered AI risk assessments aligned with the e1/i1/r2 model, enabling organizations to demonstrate AI governance maturity to customers, regulators, and business partners.

Frameworks: HITRUST, NIST CSF, HIPAA | Industries: Healthcare, SaaS, FinTech
Severity: Critical | Type: New Regulation
    Mar 13, 2024

    EU AI Act Adopted by European Parliament

    The European Parliament adopted the EU Artificial Intelligence Act, the world's first comprehensive legal framework for AI regulation. The regulation establishes a risk-based classification system with four tiers: unacceptable risk (banned), high risk (strict compliance obligations), limited risk (transparency requirements), and minimal risk (voluntary codes of conduct). The Act applies to providers, deployers, importers, and distributors of AI systems placed on the EU market or whose output is used within the EU.

Frameworks: EU AI Act | Industries: SaaS, Healthcare, FinTech
Severity: Critical | Type: Framework Update
    Feb 26, 2024

    NIST Cybersecurity Framework 2.0 Released

    NIST released version 2.0 of the Cybersecurity Framework, the first major revision since the framework's original publication in 2014. CSF 2.0 introduces a sixth core function, Govern, which elevates cybersecurity governance, risk management strategy, and supply chain risk management to a top-level concern alongside Identify, Protect, Detect, Respond, and Recover. The update also expands the framework's applicability beyond critical infrastructure to all organizations, adds extensive implementation examples, and introduces Community Profiles for sector-specific guidance.

Frameworks: NIST CSF | Industries: SaaS, Healthcare, FinTech, Defense
Severity: Important | Type: Enforcement
    Feb 22, 2024

    HHS OCR Settles with Pharmacy Chain for $1.65M Over HIPAA Violations

    HHS OCR reached a $1.65 million settlement with a national pharmacy chain following an investigation into HIPAA Security Rule violations. The investigation revealed systemic failures in risk analysis, access controls, and audit logging across multiple facilities. The corrective action plan requires the pharmacy to conduct an enterprise-wide risk analysis, develop a risk management plan, and submit to two years of OCR compliance monitoring.

Frameworks: HIPAA | Industries: Healthcare
Severity: Critical | Type: New Regulation
    Dec 26, 2023

    CMMC 2.0 Proposed Rule Published in Federal Register

    The Department of Defense published the CMMC 2.0 proposed rule (32 CFR Part 170) in the Federal Register, initiating a 60-day public comment period. The proposed rule formalized the three-tiered certification model: Level 1 (self-assessment, 15 practices), Level 2 (third-party assessment, 110 practices from NIST 800-171 Rev 2), and Level 3 (government-led assessment, 110+ practices from NIST 800-172). The rule established the C3PAO ecosystem, assessment methodology, and Plans of Action and Milestones (POA&M) closeout requirements.

Frameworks: CMMC, NIST 800-171 | Industries: Defense
Severity: Critical | Type: Deadline
    Dec 18, 2023

    SEC Cybersecurity Disclosure Rules Effective for Large Companies

    The SEC cybersecurity disclosure rules became effective for accelerated filers and large accelerated filers, requiring material incident reporting on Form 8-K and annual cybersecurity governance disclosures on Form 10-K. Companies with fiscal years ending on or after December 15, 2023 must include the new annual disclosures. The four-business-day incident disclosure requirement is now enforceable, with the SEC actively monitoring compliance.

Frameworks: SEC | Industries: SaaS, FinTech
Severity: Important | Type: Framework Update
    Dec 18, 2023

    ISO/IEC 42001:2023 Published -- AI Management Systems

    ISO published ISO/IEC 42001:2023, the world's first certifiable international standard for Artificial Intelligence Management Systems (AIMS). The standard provides a structured framework for organizations that develop, provide, or use AI systems to establish, implement, maintain, and continually improve a responsible AI management system. ISO 42001 follows the familiar ISO management system structure (Harmonized Structure) and addresses AI-specific concerns including bias, transparency, data governance, and human oversight, with Annex A providing a set of AI-specific controls and Annex B offering implementation guidance.

Frameworks: ISO 42001, NIST AI RMF | Industries: SaaS, Healthcare, FinTech
Severity: Important | Type: Framework Update
    Nov 1, 2023

    Australian Essential Eight Maturity Model Updated

    The Australian Cyber Security Centre (ACSC) released an updated Essential Eight Maturity Model, refining the maturity level definitions and tightening requirements across all eight mitigation strategies. Key changes include stricter patching timelines (48 hours for internet-facing services at Maturity Level 3), enhanced multi-factor authentication requirements, and more prescriptive application control configurations. The Essential Eight remains the baseline security standard referenced by IRAP assessments for Australian government cloud services.

Frameworks: IRAP | Industries: SaaS, Defense
Severity: Critical | Type: Enforcement
    Oct 30, 2023

    SEC Enforcement on SolarWinds: Precedent for CISO Accountability and Supply Chain Disclosures

    On October 30, 2023, the SEC filed a complaint against SolarWinds and its CISO in the aftermath of the 2020 SolarWinds Orion supply chain compromise (discovered December 2020), alleging they misled investors about the company's cybersecurity posture. While a federal judge dismissed several claims in July 2024, the surviving claims established that materially misleading cybersecurity disclosures in SEC filings could constitute securities fraud. The case set a precedent for personal CISO liability and reinforced the SEC's 2023 cybersecurity disclosure rules (effective December 2023) requiring registrants to disclose material cybersecurity incidents within four business days.

Frameworks: SOC 2, NIST CSF, HITRUST | Industries: SaaS, FinTech, Defense
Severity: Important | Type: Guidance
    Oct 25, 2023

    CISA Launches Secure by Design Initiative with Voluntary Pledge

    CISA formally launched its Secure by Design initiative, publishing joint guidance with international partners (including the UK NCSC, Australian ACSC, and Canadian CCCS) calling on software manufacturers to take ownership of customer security outcomes. The initiative introduced a voluntary Secure by Design Pledge for enterprise software manufacturers committing to seven goals: MFA by default, elimination of default passwords, reduction of entire classes of vulnerability, customer-applied patching, published vulnerability disclosure policies, transparent CVE reporting, and evidence of intrusion detection capability. By 2024, over 200 companies had signed the pledge.

Frameworks: NIST CSF, SOC 2, HITRUST | Industries: SaaS, Defense, Healthcare, FinTech
Severity: Critical | Type: Enforcement
    Sep 15, 2023

    TikTok Fined EUR 345 Million for Children's Privacy Violations

    The Irish DPC fined TikTok Technology Limited EUR 345 million for multiple GDPR violations related to the processing of children's personal data on the TikTok platform. Key findings included that child users' accounts were set to public by default, the paired accounts (Family Pairing) feature had verification weaknesses, and the platform's use of dark patterns nudged children toward less private settings. The decision also found transparency failures in how information was communicated to child users.

Frameworks: GDPR | Industries: SaaS
Severity: Critical | Type: New Regulation
    Jul 26, 2023

    SEC Adopts Cybersecurity Disclosure Rules

    The SEC adopted final rules requiring public companies to disclose material cybersecurity incidents within four business days on Form 8-K and to provide annual disclosures of cybersecurity risk management, strategy, and governance on Form 10-K. The rules apply to all SEC registrants and mandate that companies describe board oversight of cybersecurity risk, management's role in assessing and managing risk, and the processes used to identify and manage threats. This represented the most significant federal cybersecurity disclosure mandate for public companies to date.

Frameworks: SEC | Industries: SaaS, FinTech
Severity: Important | Type: New Regulation
    Jul 24, 2023

    FTC Health Breach Notification Rule Amendments Effective

    The FTC's amended Health Breach Notification Rule became effective, expanding the definition of personal health record (PHR) to cover health apps, fitness trackers, and other direct-to-consumer digital health tools not covered by HIPAA. The amendments clarify that unauthorized sharing of health data with third parties (not just traditional security breaches) constitutes a reportable breach. Entities must notify the FTC, affected individuals, and in some cases the media within 60 days of discovering a breach.

Frameworks: FTC | Industries: Healthcare, SaaS
Severity: Important | Type: Framework Update
    Jul 12, 2023

    HITRUST CSF v11.2 Released with Refined Assessment Model

    HITRUST released CSF v11.2, refining the e1/i1/r2 tiered assessment model introduced in v11. The update clarified scoring methodology for the i1 Implemented assessment, added new control specifications addressing cloud-native architectures and API security, and improved integration with the HITRUST Assurance Intelligence Engine for continuous monitoring. HITRUST also announced that the r2 assessment now incorporated threat-adaptive controls as standard, and that the e1 assessment pathway had been expanded to accommodate additional industry verticals beyond healthcare.

Frameworks: HITRUST, NIST CSF, HIPAA | Industries: Healthcare, SaaS, FinTech
Severity: Critical | Type: New Regulation
    Jul 10, 2023

    EU-US Data Privacy Framework Adequacy Decision Adopted

    The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), restoring a legal mechanism for transferring personal data from the EU to certified US organizations. The framework introduced new safeguards including binding limitations on US intelligence access to EU data, a Data Protection Review Court, and enhanced oversight mechanisms. US organizations must self-certify through the Department of Commerce to rely on the DPF as a transfer mechanism.

Frameworks: GDPR | Industries: SaaS, FinTech, Healthcare
Severity: Critical | Type: Deadline
    Jul 1, 2023

    CPRA Enforcement Begins by California Privacy Protection Agency

    The California Privacy Protection Agency (CPPA) began enforcement of the CPRA alongside the California Attorney General's existing CCPA enforcement authority. The CPPA has authority to conduct investigations, issue subpoenas, bring administrative enforcement actions, and impose fines of up to $2,500 per violation or $7,500 per intentional violation. The agency also assumed rulemaking responsibility for CCPA/CPRA regulations, with several rulemaking packages in progress.

Frameworks: CCPA | Industries: SaaS, FinTech
Severity: Critical | Type: Deadline
    Jul 1, 2023

    Colorado CPA and Connecticut CTDPA Take Effect

    The Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) both became effective, bringing the total number of active comprehensive state privacy laws to four alongside California and Virginia. Colorado's law is notable for requiring businesses to recognize universal opt-out mechanisms by July 2024, while Connecticut's CTDPA closely mirrors the Virginia model but adds protections around consent for processing of minors' data. Both laws grant consumers rights to access, correct, delete, and port their data.

Frameworks: State Privacy | Industries: SaaS, FinTech, Healthcare
Severity: Critical | Type: Guidance
    May 31, 2023

    MOVEit Transfer Mass Exploitation (CVE-2023-34362): Supply Chain Compliance Fallout

    The Cl0p ransomware group exploited a critical SQL injection zero-day (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file transfer application, compromising over 2,600 organizations and exposing data of approximately 90 million individuals. Victims included major healthcare systems, financial institutions, government agencies, and their downstream service providers. The attack targeted the file transfer infrastructure itself rather than individual organizations, making it one of the largest supply chain breaches in history.

    HIPAA, SOC 2, HITRUST, NIST CSF, Healthcare, FinTech, SaaS, Defense
    Critical | Enforcement
    May 22, 2023

    Meta Receives Record EUR 1.2 Billion GDPR Fine

    The Irish DPC imposed a record EUR 1.2 billion fine on Meta Platforms Ireland for transferring EU users' personal data to the United States without adequate safeguards following the Schrems II ruling. The decision also ordered Meta to suspend transatlantic data transfers and bring its processing operations into compliance within specified deadlines. This remains the largest GDPR fine ever imposed and was issued following an EDPB binding decision.

    GDPR, SaaS
    Informational | Framework Update
    Apr 1, 2023

    Japan ISMAP-LIU (Low Impact Use) Service Launched

    Japan's ISMAP (Information System Security Management and Assessment Program) expanded with the launch of ISMAP-LIU (Low Impact Use), a streamlined assessment track for cloud services handling less sensitive government data. ISMAP-LIU reduces the assessment burden for SaaS providers whose services are used for low-impact government workloads, while maintaining baseline security expectations. This creates a more accessible pathway for international cloud vendors seeking to serve Japan's government market without undergoing the full ISMAP assessment.

    ISMAP, SaaS
    Important | Enforcement
    Feb 2, 2023

    Banner Health Pays $1.25M HIPAA Settlement

    HHS OCR settled with Banner Health for $1.25 million following a 2016 cyberattack that compromised the electronic protected health information (ePHI) of approximately 2.81 million individuals. The investigation found that Banner Health failed to conduct an accurate and thorough risk analysis, lacked sufficient monitoring of health information system activity, and did not implement adequate authentication controls. The corrective action plan requires two years of OCR monitoring.

    HIPAA, Healthcare
    Important | Framework Update
    Jan 26, 2023

    NIST AI Risk Management Framework 1.0 Released

    NIST published the AI Risk Management Framework (AI RMF) 1.0, establishing a voluntary, rights-preserving framework for managing risks associated with artificial intelligence systems throughout their lifecycle. The framework is organized around four core functions (Govern, Map, Measure, and Manage), providing organizations with a structured approach to identifying, assessing, and mitigating AI-specific risks including bias, transparency, accountability, and safety. The AI RMF is designed to be technology-agnostic and sector-neutral, complementing existing risk management frameworks like the NIST Cybersecurity Framework.

    NIST AI RMF, SaaS, Healthcare, FinTech, Defense
    Important | Enforcement
    Jan 10, 2023

    FTC Orders Drizly CEO to Implement Security Program

    The FTC issued an order against Drizly and its CEO James Cory Rellas personally for security failures that exposed the personal data of approximately 2.5 million consumers. The order required Rellas to implement an information security program at any company where he serves as a majority owner or senior executive for the next ten years. This was a landmark action because it attached compliance obligations directly to an individual executive, not just the corporate entity.

    FTC, SaaS
    Critical | Deadline
    Jan 1, 2023

    California CPRA Amendments Take Effect

    The California Privacy Rights Act (CPRA) amendments to the CCPA became operative, significantly expanding consumer privacy rights and business obligations. Key additions include the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information, and new obligations around data minimization and purpose limitation. The CPRA also created the California Privacy Protection Agency (CPPA) as the first dedicated state privacy enforcement agency in the United States.

    CCPA, SaaS, FinTech, Healthcare
    Critical | Deadline
    Jan 1, 2023

    Virginia CDPA Becomes First Comprehensive State Privacy Law in Effect

    The Virginia Consumer Data Protection Act (CDPA) became the first comprehensive state privacy law outside California to take effect, establishing consumer rights including access, correction, deletion, portability, and the right to opt out of targeted advertising, sale of personal data, and profiling. The law applies to entities that control or process personal data of at least 100,000 Virginia residents, or 25,000 residents if deriving over 50% of gross revenue from data sales. Enforcement is exclusively through the Virginia Attorney General.

    State Privacy, SaaS, FinTech, Healthcare
    Critical | New Regulation
    Dec 23, 2022

    FedRAMP Authorization Act Signed Into Law

    The FedRAMP Authorization Act was signed into law as part of the FY2023 National Defense Authorization Act, codifying the Federal Risk and Authorization Management Program for the first time. The legislation established FedRAMP as the authoritative framework for federal cloud security assessments, mandated agency presumption of adequacy for existing FedRAMP authorizations, and required automated continuous monitoring. It formalized the program that had operated since 2011 under OMB memoranda alone.

    FedRAMP, SaaS, Defense
    Critical | Framework Update
    Oct 25, 2022

    ISO/IEC 27001:2022 Published

    ISO/IEC 27001:2022 was officially published, replacing the 2013 edition as the global standard for information security management systems (ISMS). The revision incorporates the restructured Annex A controls from ISO 27002:2022, updates clause language to align with the latest ISO Harmonized Structure, and adds explicit requirements for monitoring organizational context changes and stakeholder needs. A three-year transition period was established, requiring all certified organizations to migrate by October 31, 2025.

    ISO 27001, SaaS, Healthcare, FinTech, Defense
    Important | New Regulation
    Oct 3, 2022

    CISA Issues Binding Operational Directive 23-01: Vulnerability Scanning Requirements

    CISA published Binding Operational Directive (BOD) 23-01, 'Improving Asset Visibility and Vulnerability Detection on Federal Networks,' requiring federal civilian executive branch (FCEB) agencies to perform automated asset discovery every 7 days and vulnerability enumeration on all discovered assets every 14 days. Agencies were required to initiate automated asset discovery by April 3, 2023, and begin reporting vulnerability enumeration results to CISA's Continuous Diagnostics and Mitigation (CDM) dashboard. While directly binding only on federal agencies, the directive set a de facto industry benchmark for vulnerability management programs.

    NIST CSF, HITRUST, SOC 2, Defense, SaaS, Healthcare
    Critical | Enforcement
    Sep 5, 2022

    Instagram Fined EUR 405 Million Over Children's Data

    The Irish DPC fined Meta's Instagram EUR 405 million for violations related to the processing of children's personal data. The investigation focused on the public exposure of children's email addresses and phone numbers through Instagram's business account feature and the default public profile setting for minors. This was the second-largest GDPR fine at the time and the largest penalty specifically concerning children's data protection.

    GDPR, SaaS
    Important | New Regulation
    May 4, 2022

    Spain Royal Decree 311/2022 Updates ENS Framework

    Spain published Royal Decree 311/2022, replacing the previous Royal Decree 3/2010 that established the Esquema Nacional de Seguridad (ENS). The updated framework modernizes security requirements for Spain's public sector and any private organizations providing services to government entities. Key changes include alignment with EU NIS2 Directive principles, updated security profiles, new provisions for cloud services and supply chain security, and a 24-month transition period for existing certifications.

    ENS, SaaS, Defense
    Critical | Framework Update
    Mar 31, 2022

    PCI DSS v4.0 Released

    The PCI Security Standards Council published PCI DSS v4.0, the first major revision since v3.2.1 in 2018. The update introduced 64 new requirements, a customized approach for meeting security objectives, and expanded multi-factor authentication mandates. Organizations were given a two-year transition window to adopt the new standard, with v3.2.1 remaining valid until March 31, 2024.

    PCI DSS, FinTech, SaaS
    Important | Framework Update
    Feb 15, 2022

    ISO/IEC 27002:2022 Published with Restructured Controls

    ISO/IEC 27002:2022 replaced the 2013 edition with a completely restructured control set, consolidating 114 controls into 93 controls organized under four themes: Organizational, People, Physical, and Technological. The update introduced 11 new controls addressing cloud security, threat intelligence, ICT readiness for business continuity, and data masking, among others. This restructuring directly impacts Annex A of ISO 27001 and sets the foundation for the forthcoming 27001:2022 revision.

    ISO 27001, SaaS, Healthcare, FinTech, Defense
    Critical | Framework Update
    Jan 19, 2022

    HITRUST CSF v11 Released: Major Framework Restructuring

    HITRUST released CSF version 11, the most significant restructuring since the framework's inception. The update reduced the total control specification count from over 2,000 to approximately 500 by consolidating overlapping requirements and eliminating redundancy. HITRUST also introduced three distinct assessment types: e1 (Essentials, 1-year), i1 (Implemented, 1-year), and r2 (Risk-based, 2-year), replacing the single validated assessment model. The restructuring improved mappings to NIST CSF, HIPAA, and AICPA Trust Services Criteria.

    HITRUST, NIST CSF, HIPAA, SOC 2, Healthcare, SaaS
    Critical | Guidance
    Dec 9, 2021

    Log4Shell (CVE-2021-44228) Zero-Day Disclosed, Compliance Impact Across All Frameworks

    A critical remote code execution vulnerability in Apache Log4j 2 (versions 2.0-beta9 through 2.14.1) was publicly disclosed on December 9, 2021, receiving a CVSS score of 10.0. The flaw allowed unauthenticated remote code execution via crafted JNDI lookup strings in logged data. Due to Log4j's ubiquity in Java-based applications, the vulnerability affected hundreds of thousands of organizations worldwide, including healthcare systems, financial institutions, SaaS platforms, and defense contractors.

    HITRUST, NIST CSF, SOC 2, HIPAA, SaaS, Healthcare, FinTech, Defense
    Critical | Enforcement
    Sep 2, 2021

    WhatsApp Fined EUR 225 Million for Transparency Violations

    Ireland's Data Protection Commission (DPC) fined WhatsApp Ireland EUR 225 million for failing to provide transparent information to users and non-users about how their personal data was processed. The European Data Protection Board (EDPB) intervened with a binding decision that increased the fine significantly from the DPC's original draft. The ruling found deficiencies in WhatsApp's privacy notices under Articles 12, 13, and 14 of GDPR.

    GDPR, SaaS
    Critical | Enforcement
    Jul 16, 2021

    Amazon Receives Record EUR 746 Million GDPR Fine

    Luxembourg's CNPD issued a EUR 746 million fine against Amazon Europe Core for processing personal data in violation of GDPR's targeted advertising requirements. The investigation found that Amazon's advertising targeting system operated without valid consent from data subjects. At the time of issuance, this represented the largest GDPR fine ever imposed by a European data protection authority.

    GDPR, SaaS
    Important | Enforcement
    Jun 22, 2021

    FTC Settlement with Flo Health Over Health Data Sharing

    The FTC finalized its order against Flo Health for sharing sensitive health data from its period-tracking app with third-party analytics firms including Facebook and Google, despite explicit privacy promises to users. The settlement requires Flo to obtain independent reviews of its privacy practices and obtain user consent before sharing health information. This case marked a turning point in FTC enforcement around health app data sharing outside HIPAA's traditional scope.

    FTC, Healthcare, SaaS
    Important | Framework Update
    Jun 1, 2021

    HITRUST CSF v9.5 Released with Expanded Threat-Adaptive Controls

    HITRUST released CSF version 9.5, introducing threat-adaptive controls that dynamically adjust assessment requirements based on current threat intelligence. The update incorporated lessons from the SolarWinds supply chain attack and added controls for remote workforce security, reflecting the post-pandemic shift to hybrid work environments. The release also refined authoritative source mappings to NIST SP 800-53 Rev 5 and ISO 27001:2013 Annex A.

    HITRUST, NIST CSF, HIPAA, Healthcare, SaaS
    Informational | Guidance
    Dec 10, 2020

    NIST SP 800-53 Rev 5 Supplemental Guidance Updated

    NIST released Update 1 to SP 800-53 Revision 5, providing supplemental guidance that clarifies control implementation expectations across multiple control families. The update refines assessment procedures, adds implementation examples, and provides additional context for controls related to supply chain risk management (SR family) and privacy (PT family). While no new controls were added, the clarifications carry practical significance for organizations undergoing FedRAMP, FISMA, or CMMC assessments.

    NIST 800-53, Defense, FinTech, Healthcare