European Commission Proposes New Cybersecurity Package

Plus CISA and international partners release new joint guidance to help organizations mitigate cyber risk in industrial networks.

Good morning! Here’s what’s up.

Clips ✂️

European Commission proposes revised Cybersecurity Act to boost EU cyber resilience, secure ICT supply chains

The European Commission proposed a new cybersecurity package to bolster the EU’s cybersecurity resilience and capabilities in the face of growing cyber threats. The package includes a proposal for a revised Cybersecurity Act, which enhances the security of the EU’s ICT (information and communication technologies) supply chains. It ensures that products reaching EU citizens are cyber-secure by design through a simpler certification process. It also facilitates compliance with existing EU cybersecurity rules and reinforces the EU Agency for Cybersecurity (ENISA) in supporting Member States and the EU in managing cybersecurity threats.

The package introduces measures to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU, complementing the single-entry point for incident reporting proposed in the Digital Omnibus.

Immediately applicable after approval by the European Parliament and the Council of the EU, the Cybersecurity Act will enter into force alongside proposed amendments to the NIS2 Directive, which will also be presented for approval. Once adopted, Member States will have one year to transpose the Directive into national law and notify the Commission of the relevant texts.

by Industrial Cyber

CISA and International Partners Highlight Nation-State Cyber Risks in Industrial Networks

The Cybersecurity and Infrastructure Security Agency (CISA), UK’s National Cyber Security Centre, FBI, and international partners have released Secure Connectivity Principles for Operational Technology. This joint guidance, led by NCSC-UK, helps organizations mitigate exposed and insecure connectivity and protect networks from highly capable and opportunistic cyber threat actors, including nation state-sponsored actors.

Operational technology (OT) network environments are increasingly interconnected, delivering benefits like real-time analytics, remote monitoring and predictive maintenance. However, this connectivity also heightens the risk of cyber intrusions that could cause physical harm, environmental damage, or disrupt essential services. This guide offers owners and operators a framework with clear goals for designing secure connectivity into their environments.

“This guide underscores CISA’s unwavering commitment to working hand-in-hand with U.S. and international partners to provide timely, actionable cybersecurity guidance. By providing OT organizations with practical steps to design, secure, and manage connectivity in OT environments, we help defend critical infrastructure against malicious and state-sponsored cyber threats,” said CISA Executive Assistant Director for Cybersecurity Nick Andersen.

by Homeland Security Today

Congressional appropriators move to extend information-sharing law, fund CISA

Congressional appropriators announced funding legislation this week that extends an expiring cyber threat information-sharing law and provides $2.6 billion for the Cybersecurity and Infrastructure Security Agency (CISA), including money for election security and directives on staffing levels.

The latest so-called “minibus” package of several spending bills to keep the government funded past a Jan. 30 deadline would extend the Cybersecurity and Information Sharing Act of 2015 through the end of the current fiscal year, Sept. 30. Industry and the Trump administration have been seeking a 10-year extension of a law that provides legal protections for sharing cyber threat data between companies and the government, but a deal on Capitol Hill has proven elusive.

The package, announced Tuesday, also would extend the expiring State and Local Cybersecurity Grants Program through the end of fiscal 2026. Both laws temporarily expired during the government shutdown before being included in broader government funding legislation that extended them through Jan. 30. The House Homeland Security Committee has approved legislation on a long-term extension of the grants program, but the Senate hasn’t taken any action on it.

by CyberScoop

CEOs and CISOs differ on AI’s security value and risks

Axis Capital’s report paints a picture of boardroom friction, as CISOs and CEOs express different views about the role of AI in their organizations.

Roughly two-thirds of CEOs trust AI tools to help them make cybersecurity decisions, according to the report, compared with 59% of CISOs. And while CEOs are more worried than CISOs about the potential for data leakage associated with AI (29% versus 17%), CISOs are more concerned than CEOs about the more complicated problem of shadow AI (27% versus 17%). U.S. CEOs were also more likely than their CISO counterparts to believe that their organization could respond to an AI-powered cyberattack faster than their peers.

At the same time, American CEOs were more concerned than their CISO counterparts about AI-powered cyberattacks.

Axis Capital’s report is based on surveys of 138 U.S. CEOs, 112 U.S. CISOs, 123 U.K. CEOs and 127 U.K. CISOs, all at companies with at least 250 employees.

by Cybersecurity Dive

The fractured global rulebook for data, cyber, and AI

Perhaps the most significant divergence in the current data regulatory environment is between the United States and the European Union (EU). Since returning to office, the Trump administration has touted an innovation-first model, pursuing an agenda of deregulation aimed at removing barriers and boosting investment in U.S.-based AI companies. The administration also released the "American AI Action Plan" and revoked an AI safety-related executive order issued by the Biden administration.

Meanwhile, the EU is charting a course in the direction of both regulatory coherence and simplification. As the EU AI Act moves into the implementation phase, Brussels has begun to acknowledge the potential detrimental impact of over-extensive legislation on innovation and economic competitiveness. As a result, the EU is now exploring initiatives to reduce administrative burdens and streamline compliance obligations. This requires a careful balance between enforcement of the current digital rulebook, including the EU AI Act, the General Data Protection Regulation, the Digital Services Act and the proposed Digital Fairness Act, and pursuing new efforts to simplify this framework for businesses.

Adding to this picture is the United Kingdom's (UK) emergence as a distinct "third pillar." By rejecting a comprehensive EU-style AI bill in favor of a "pro-innovation" middle-of-the-road approach, the UK is attempting to attract investment (see the recent announcement of billions in pledges from U.S. tech) while empowering existing regulators including financial (Financial Conduct Authority), data (Information Commissioner's Office), communications (Ofcom) and competition (Competition and Markets Authority) to navigate new challenges posed by AI. For financial services companies operating in the UK, this offers a flexible middle ground, but requires a compliance strategy mindful of cross-regulatory UK strategies as well as complementary and conflicting U.S. and EU regulations.

by TRRI News

👉 Article by Beth George, Theresa Ehlen and Rachael Annear of Freshfields.

How Businesses Can Prepare for Post-Quantum Cybersecurity Threats

Quantum computing introduces a step-change in computational power that threatens today’s digital security foundations. Once a large-scale quantum machine is available, it can break widely used encryption methods that underpin everything from financial transactions to secure corporate communications.

Most businesses are unprepared for this change, leaving them vulnerable to quantum attacks that are no longer just theoretical or far into the future. Bain research shows that executives already anticipate this threat: About 71% expect quantum-enabled attacks within five years, and almost a third believe it could be as soon as three. Nearly 65% of business, IT, and cybersecurity leaders realize that quantum computing will have a strong adverse effect on cybersecurity risk.

by Bain & Company
