Safeguard
Topic

Regulation

In-depth guides and analysis on regulation from the Safeguard engineering team.

20 articles

Regulation

EUCC: First Certificates Issued Six Weeks After Scheme Launch

ANSSI issued the first two EUCC certificates in April 2025, just six weeks after the European Common Criteria-based cybersecurity certification scheme entered into force on 27 February 2025.

Sep 8, 20257 min read
Regulation

DORA Subcontracting RTS: Inside Commission Delegated Regulation 2025/532

The DORA subcontracting RTS adopted on 24 March 2025 governs how ICT third-party providers may subcontract critical or important functions, in force from 22 July 2025.

Sep 2, 20256 min read
Regulation

DORA TLPT RTS: What the Threat-Led Penetration Testing Standard Requires

The Commission published the DORA TLPT RTS on 18 June 2025 with direct effect from 8 July 2025. Tests are mandated every three years, aligned to TIBER-EU methodology.

Aug 20, 20256 min read
Regulation

FTC Safeguards Rule: The 30-Day Notification Window in Effect

Since May 13, 2024, non-banking financial institutions must notify the FTC within 30 days of a notification event affecting 500 or more consumers.

Jun 10, 20257 min read
Regulation

FAR CUI Proposed Rule: An 8-Hour Clock and a Government-Wide Standard

The January 15, 2025 FAR CUI rule extends NIST SP 800-171 to every federal contractor and adds an 8-hour incident reporting clock for non-federal facilities.

Apr 8, 20256 min read
Regulation

EU Cyber Solidarity Act: Regulation 2025/38 in Force

Regulation (EU) 2025/38 entered into force on 4 February 2025, establishing an EU Cybersecurity Reserve, alert system of cross-border hubs, and ENISA-led incident review mechanism.

Mar 17, 20257 min read
Regulation

SEC Item 1.05 Year Two: 8-Ks, Sweeps, and the May 2024 Guidance

Between December 2023 and January 2025, 54 companies filed 55 cyber incident 8-Ks. The May 2024 SEC staff guidance bifurcated the practice into 1.05 versus 8.01 disclosures.

Mar 4, 20256 min read
Regulation

HIPAA Security Rule NPRM: Encryption, MFA, and the End of 'Addressable'

OCR's December 27, 2024 NPRM removes the addressable/required distinction and mandates encryption, MFA, semi-annual vulnerability scans, and annual penetration tests for ePHI.

Feb 25, 20256 min read
Regulation (Page 2) — Supply Chain Security Blog | Safeguard