SIPA Cyber Regulations Watch
Welcome to the SIPA Cyber Regulations Watch
Brought to you by the SIPA Cyber Regulations Lab at Columbia University's School of International and Public Affairs, this twice-monthly newsletter offers a comprehensive review of everything related to cybersecurity and regulations: law firms' analyses, events, new academic research, international trends, and more!
Written by Eunice Lee and Gabriel Rodriguez Leva, with Jason Healey
10 March 2026
A New U.S. Cyber Strategy Anchors This Week’s Developments, Emphasizing Offensive Operations, AI, And Supply-Chain Resilience. Countries Across Europe And Asia Push New Cybersecurity Regulations.
All And More In This Week's Newsletter!
Top Story
Trump cyber strategy leans into offense, deregulation and emerging tech: The White House has released its long-awaited cyber strategy, paired with an executive order on cybercrime and fraud. Below is the SIPA analysis.
- The strategy links cyber resilience and regulation to industrial policy by emphasizing U.S.-made technology, harder supply chains, zero trust and post-quantum modernization for federal systems.
- Specifically on regulation, the strategy has two slightly different messages. In the introduction, the strategy says the administration “will remove burdensome, ineffective regulations so that our industry partners innovate quickly in emerging technologies.” Yet in the body of the strategy, although Pillar 2 is entirely about regulation, such cutting is not mentioned. Rather, the action is about promoting “common sense regulation” to “streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally.”
- The phrase about “cutting” seems more in line with previous administration statements around removing limitations regarding Artificial Intelligence (White House), while “streamlining” matches past comments on cybersecurity regulation by Sean Cairncross, the National Cyber Director (Bloomberg Law).
What's Happening in the World
EU auto rules pull vehicle cybersecurity into market-access compliance: Dark Reading reports that the EU’s Euro 7 framework will require automakers selling new vehicles in Europe to address cybersecurity alongside emissions and environmental standards. That marks an important shift as cyber controls become embedded in product-regulation regimes rather than siloed in standalone security laws.
- The rules call for secure transmission of emissions and battery-durability data, showing how cybersecurity is now tied directly to the integrity of connected-vehicle compliance data.
- Manufacturers will need security certificates covering risk assessment, threat mitigation and secure software development throughout the product lifecycle.
Poland finalises NIS2 cybersecurity law; foreign subsidiaries must self‑assess within a month: VisaHQ reports that Poland has completed transposition of the EU’s NIS2 Directive by amending its National Cybersecurity System Act, with the new law set to take effect after a one‑month waiting period, starting in late March 2026.
- Companies meeting sector or size thresholds must classify themselves as “essential” or “important” and implement expanded governance, incident-reporting, and supply-chain cybersecurity controls.
- Firms are required to complete a self-assessment within a month to determine their classification, a critical first step before full compliance obligations take effect.
- NIS2 imposes local liability on Polish subsidiaries and, in some cases, individual managers, and requires at least one manager to be reachable 24/7 to coordinate with the national CSIRT, ensuring operational readiness and effective incident response.
Cyber Security and Resilience Bill progresses through UK Parliament: Mondaq reports that the UK government is advancing legislation to strengthen cybersecurity oversight across critical sectors, expanding existing Network and Information Systems (NIS) regulations to improve resilience and accountability.
- The Bill broadens the scope of regulated entities, including managed service providers, data centres, and critical suppliers, requiring them to meet stronger cybersecurity standards.
- It tightens incident‑reporting requirements, mandating rapid (e.g., 24‑hour) notifications and detailed follow-ups, while giving regulators enhanced enforcement powers.
- The legislation introduces higher penalties for non‑compliance and empowers the Secretary of State to update regulations in response to emerging cyber threats, signaling a more robust UK cyber regulatory regime.
Indonesia moves to ban social media for children under 16: The Record reports that Indonesia will bar children under 16 from holding accounts on major social platforms from the end of March, framing the move as a response to mounting digital harms. Although presented as a child-safety measure, it also shows how governments are increasingly regulating platforms through a cyber-risk lens that includes scams, harmful algorithms and online abuse.
- The regulation explicitly links platform access to cyberbullying, scams and exposure to harmful content, broadening the policy definition of cyber risk beyond technical intrusion.
- Indonesia becomes the first non-Western country to adopt this kind of social-media age restriction, adding momentum to a fast-globalizing debate over platform governance.
- The measure reinforces a trend toward treating platform design and algorithmic amplification as security and resilience issues, not just content-moderation problems.
South Africa advances a sector-based AI policy with security safeguards: Baker McKenzie reports that South Africa’s draft National AI Policy has entered the Cabinet approval process and is expected to go out for public consultation in March. The government is opting for a sector-specific model, but SIPA notes that the cyber relevance is already clear: security, privacy, misinformation, deepfakes and accountability are all built into the proposed governance framework.
- One of the policy’s core pillars is “responsible AI governance,” which expressly identifies safety, security and privacy risks, including data misuse, cyber threats and deepfakes.
- The sector-based approach means cyber obligations may emerge unevenly across industries such as telecoms, finance and public administration, depending on risk profile.
Vietnam’s new e-commerce law tightens controls on cross-border platforms: Baker McKenzie reports that Vietnam’s new Law on E-Commerce will take effect on 1 July 2026, applying extraterritorially to both domestic and foreign platforms serving Vietnamese users. The law is framed as digital-economy regulation, but it has clear cyber implications through its focus on data security, local accountability and platform cooperation with enforcement.
- The law expands the definition of regulated e-commerce platforms broadly enough to potentially capture social networks, SaaS services and other digital intermediaries involved in transactions.
- Offshore operators may need a local authorized entity or subsidiary, which would handle legal procedures, content removal, complaints and cooperation with investigations.
- SIPA Analysis: The framework also explicitly reaches hosting, data centers, payments and electronic contract authentication, showing how cybersecurity-relevant infrastructure is being pulled into e-commerce compliance.
South Korea considers tougher governance, reporting and sanctions for cyber incidents: Hogan Lovells reports that South Korea is considering amendments to both the Network Act and PIPA that would significantly tighten cyber governance and breach response. The direction of travel is toward board-level accountability, faster disclosure and stronger penalties.
- Proposed changes would expand the CISO’s role, require large ISPs to create information-security committees and impose tighter certification and annual review requirements.
- The draft would require ISPs to notify users within 24 hours of discovering a breach involving personal information, while also broadening what counts as a notifiable data breach.
- Penalties could rise sharply, including daily corrective-action fines and, in some cases, revenue-based sanctions of up to 10%, giving the regime a much stronger enforcement edge.
US Regulators and Authorities
GSA’s CMMC‑like rules raise concerns in industry: Federal News Network reports that the U.S. General Services Administration (GSA) issued updated cybersecurity requirements for contractors handling Controlled Unclassified Information (CUI) in an “IT security procedural guide,” which has drawn pushback from industry observers who say it could create a patchwork of conflicting contractor obligations.
- The GSA released new cybersecurity requirements for contractors handling Controlled Unclassified Information (CUI), drawing on the DoD’s CMMC framework but tailored to GSA’s mission and risk profile.
- Under the guidance, contractors are required to undergo independent assessments of their cybersecurity controls based on NIST SP 800‑171 Revision 3, establishing a formal compliance process for safeguarding sensitive government data.
- Because the GSA rules differ from DoD standards, contractors working with multiple federal agencies may face fragmented regulatory obligations, higher compliance costs, and increased operational complexity in meeting overlapping cybersecurity requirements.
Defense Production Act threat raises cyber-policy stakes in Pentagon-AI clash: Bloomberg reports that the Pentagon’s dispute with Anthropic centers on possible use of the Defense Production Act, a Cold War-era law, alongside threats to label the company a supply-chain risk. The episode shows how national security authorities could be used to pressure AI providers over model access, safeguards and defense use cases.
- Treating a domestic AI company as a “supply-chain risk” would stretch a concept usually associated with foreign or adversarial technology dependencies, potentially widening the cyber-regulatory toolkit.
- SIPA Analysis: The key cyber issue is not just procurement. It is whether the government can use its powers to coerce technology companies into following its own preferences, such as overriding or reshaping private AI safety guardrails tied to surveillance and military applications.
Google pushes Supreme Court to curb geofence warrants: The Record reports that Google has asked the U.S. Supreme Court to rule geofence warrants unconstitutional, arguing that reverse-search warrants sweep in the location data of large numbers of innocent users.
- Google says geofence warrants are structurally overbroad because they identify everyone in a place and time window first, then narrow later, reversing the usual particularized-search logic.
- The dispute matters beyond Google because it goes to whether cloud-stored location history should receive Fourth Amendment protection as the modern equivalent of “papers and effects.”
What's Happening on the Hill
House committee revives cybersecurity support for rural utilities: CyberScoop reports that the House Energy and Commerce Committee has advanced bipartisan legislation to reauthorize and fund the Department of Energy’s rural and municipal utility cybersecurity program. The measure reflects growing concern that smaller energy operators remain a soft spot in U.S. critical infrastructure security.
- The bill would extend a program that provides federal grants and technical assistance to rural utilities and cooperatives that often lack mature cyber teams or tooling.
- Lawmakers are framing rural electric utilities as a systemic weak link, meaning cyber underinvestment at the local level can create broader grid reliability and national-security risk.
- The proposal would authorize $250 million over five years, with funding aimed partly at modern cybersecurity technologies and better information-sharing across the energy sector.
Bipartisan bill would extend cybersecurity regulations on food nutrition programs: Brooklyn Daily Eagle reports that a bipartisan bill introduced in the U.S. House would improve and bolster cybersecurity and digital service regulations for government food assistance programs. The legislation responds to widespread thefts of SNAP and EBT benefits through vulnerabilities in electronic benefit cards and aims to tighten protections against fraud and theft.
- The bill was introduced by Congressmember Dan Goldman and supported by State Senator Jessica Scarcella‑Spanton and Congressmember Nicole Malliotakis, to address theft from electronic benefit transfer systems.
- Related bills include a state-level effort requiring chip technology in SNAP cards, reflecting a broader push to modernize security standards.
- If enacted, the federal bill would strengthen the regulatory framework governing SNAP payment card technology and interoperability, increasing defenses against fraud while seeking to protect billions in federal nutrition assistance funds for vulnerable families.
Expert Analysis
European Cybersecurity Regulations in 2026 and Beyond: Sitsi shares an in‑depth expert report that outlines how the European Union’s most ambitious cybersecurity regulatory program is unfolding in 2026, consolidating multiple major laws into a unified compliance framework with global implications.
- The EU has launched an expansive cybersecurity regulatory agenda that brings together NIS2, the Cyber Resilience Act (CRA), revised Cybersecurity Act proposals, and other digital regulations (AI Act, eIDAS 2.0) into a consolidated legal regime, signaling a shift from fragmented policy to strategic harmonisation across the bloc.
- Centralised enforcement and reporting are key themes: the European Union Agency for Cybersecurity (ENISA) is being positioned as the hub for incident notification, certification coordination, and vulnerability handling, tightening regulatory oversight and reducing national fragmentation on cybersecurity compliance.
- For global businesses and compliance teams, this marks a fundamental change: simplified cross‑border obligations but stricter compliance expectations across infrastructure, product, and service security, requiring updated governance processes and risk‑based regulatory readiness.
Fresh Insights
Cyber Incidents Slowly Rising But Still Far Behind Previous Years: With only one reported incident filed for 2026 to date, we present the most recent cybersecurity incident trends. SEC cyber incident disclosures flattened out last year compared to the two previous years. Check out our visual graph, based on data from the cybersecurity incident tracker from Board Cybersecurity.
