The remaining fragmentation and barriers to implementation mean that organisations will have to continue navigating complex and overlapping regulations for some time to come.

This matters because responsibility – and, in some cases, liability – is being placed firmly on senior leaders. As a result, it is critical that organisations’ C-suite have the information they need to make, justify, and defend decisions about their cyber strategy.

Drawing on engagement with cyber security policymakers around the world, NCC Group recently released the second edition of their Global Cyber Policy Radar.

The report provides a unique insight into the key regulatory changes and policy developments organisations need to be aware of for the remainder of 2024, with a spotlight on data privacy. Amid ever-evolving cyber rules, it also offers a roadmap for navigating the complex cyber regulatory landscape, helping today’s Chief Information Security Officers (CISOs) stay on top of what’s happening – and what it means for their security programmes and organisational resilience.

View or download the Global Cyber Policy Radar in full. It also includes a Compliance Framework to help CISOs navigate their cyber regulatory landscape, and support better-aligned and future-proof security investment decisions.

Governments are also cracking down on the use of offensive cyber tools, some of which are used in legitimate cyber security work such as red teaming, penetration testing and vulnerability assessments. Poorly crafted rules may affect CISOs’ ability to access these tools, impeding their ability to conduct effective security testing.

It’s therefore critical that the cyber security industry engages in the making of these rules from the outset.

With the forthcoming Cyber Security and Resilience Bill (CSRB) in the UK, the evolution of US sectoral regulations such as the Federal Financial Institutions Examination Council (FFIEC)’s recent guidelines on IT examination, and the Digital Operational Resilience Act (DORA) in Europe – to name but a few – regulators and governments are also moving to ensure that organisations have robust measures in place to protect software assets.

This includes more requirements for managing the risks associated with third-party software providers.

Spotlight on Data Privacy

Through a new NCC Group analysis of data privacy fines that have been issued by global regulators, the Global Cyber Policy Radar also reveals the increasing complexity of the data privacy landscape. NCC Group analysed data collated by OneTrust to show:

  • There have been over 2,700 fines related to data privacy totalling €6.6 billion since 2020.
  • Of the penalties levied to date, only 14 fines have been issued in the UK and 72 in the US, while Spain has racked up over 840.
  • Ireland has emerged as the de facto European regulator for multinational technology firms, levying 20 fines accounting for over a third of total worldwide penalties (around €2.5 billion).

According to the EU’s Report on the General Data Protection Regulation, supervisory authorities seem to have different priorities and tactics. For example:

  • The public sector is the biggest area of global enforcement, although this rarely results in financial penalties.
  • Social media, tech and e-commerce don’t even fall in the top 10 for enforcement activity, but when they are targeted, the fines are significant.

While GDPR has become the de facto standard across many countries, these differences in national and sectoral enforcement – alongside an evolving political landscape and regulators’ increasing focus on what online safety and the widespread adoption of AI mean for data privacy – are creating an increasingly complex compliance landscape.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.