Regulation
In-depth guides and analysis on regulation from the Safeguard engineering team.
20 articles
EUCC: First Certificates Issued Six Weeks After Scheme Launch
ANSSI issued the first two EUCC certificates in April 2025, just six weeks after the European Common Criteria-based cybersecurity certification scheme entered into force on 27 February 2025.
DORA Subcontracting RTS: Inside Commission Delegated Regulation 2025/532
The DORA subcontracting RTS adopted on 24 March 2025 governs how ICT third-party providers may subcontract critical or important functions, in force from 22 July 2025.
DORA TLPT RTS: What the Threat-Led Penetration Testing Standard Requires
The Commission published the DORA TLPT RTS on 18 June 2025 with direct effect from 8 July 2025. Tests are mandated every three years, aligned to TIBER-EU methodology.
FTC Safeguards Rule: The 30-Day Notification Window in Effect
Since May 13, 2024, non-banking financial institutions must notify the FTC within 30 days of a notification event affecting 500 or more consumers.
FAR CUI Proposed Rule: An 8-Hour Clock and a Government-Wide Standard
The January 15, 2025 FAR CUI rule extends NIST SP 800-171 to every federal contractor and adds an 8-hour incident reporting clock for non-federal facilities.
EU Cyber Solidarity Act: Regulation 2025/38 in Force
Regulation (EU) 2025/38 entered into force on 4 February 2025, establishing an EU Cybersecurity Reserve, alert system of cross-border hubs, and ENISA-led incident review mechanism.
SEC Item 1.05 Year Two: 8-Ks, Sweeps, and the May 2024 Guidance
Between December 2023 and January 2025, 54 companies filed 55 cyber incident 8-Ks. The May 2024 SEC staff guidance bifurcated the practice into 1.05 versus 8.01 disclosures.
HIPAA Security Rule NPRM: Encryption, MFA, and the End of 'Addressable'
OCR's December 27, 2024 NPRM removes the addressable/required distinction and mandates encryption, MFA, semi-annual vulnerability scans, and annual penetration tests for ePHI.