
Published: January 17, 2025
Our new bulletin, Cyber Threat Watch, has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.
Featured Cyber News — New Global Trends in Cybersecurity and Privacy Frameworks

In response to an increasingly complex digital landscape, governments and regulators worldwide have been introducing stricter cybersecurity and data governance rules, reflecting a global push for greater accountability, transparency, and resilience. Because many of these frameworks reach across borders, applying to any organization that handles the personal data of their residents or serves their markets, small businesses in the U.S. must stay informed to avoid compliance risk.
This bulletin highlights key regulations and laws enacted recently or set to take effect soon across major countries, so that businesses are equipped with the insights they need to prepare for these updates and meet compliance requirements.

Key Cybersecurity Regulations and Laws
United States:
Securities and Exchange Commission (SEC) Cybersecurity Disclosure Rules
- Effective Date: September 2023 (the rules took effect on September 5, 2023)
- Compliance Deadline: December 2023 for incident disclosure on Form 8-K; June 2024 for smaller reporting companies (SRCs)
- Overview: Publicly listed companies, including SRCs, must disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at discovery), and must describe their cybersecurity risk management, strategy, and governance in their annual reports. Small businesses classified as SRCs are subject to these disclosure requirements directly, while private vendors and service providers to public companies should expect heightened scrutiny, such as contractual incident-notification clauses and security questionnaires, because their customers need timely information to meet their own disclosure obligations.
Canada:
Digital Charter Implementation Act (Bill C-27)
- Effective Date: Not in force. The bill died on the order paper when Parliament was prorogued in January 2025 and would have to be reintroduced to proceed
- Compliance Deadline: None until the legislation is re-enacted
- Overview: This proposed legislation would replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) with a new Consumer Privacy Protection Act, create a Personal Information and Data Protection Tribunal, and enact the Artificial Intelligence and Data Act (AIDA) to govern high-impact artificial intelligence (AI) systems. It proposed stricter consent and data-handling rules and substantially higher penalties for non-compliance. U.S. businesses handling Canadian residents' personal data remain subject to PIPEDA in the meantime and should watch for the reform to be reintroduced.
European Union:
Network and Information Systems Directive II (NIS2 Directive)
- Effective Date: January 2023 (entered into force January 16, 2023)
- Compliance Deadline: October 2024 (member states were required to transpose the directive into national law by October 17, 2024; obligations apply through that national law, and transposition is still incomplete in a number of member states)
- Overview: NIS2 widens the scope of the original NIS Directive to more sectors and classifies covered organizations as essential or important entities. Those entities must implement cybersecurity risk-management measures covering, among other things, incident handling, business continuity, supply-chain security, vulnerability handling, and the use of multi-factor authentication and encryption where appropriate. Significant incidents follow a three-stage reporting scheme: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Small businesses are generally not covered directly (the directive applies mainly to medium-sized and larger entities in the listed sectors, with exceptions for certain critical providers such as DNS and trust service providers), but suppliers to covered entities will see these requirements flow down through contracts and due-diligence questionnaires.
Digital Operational Resilience Act (DORA)
- Effective Date: January 2023 (entered into force January 16, 2023)
- Compliance Deadline: January 2025 (applies from January 17, 2025)
- Overview: DORA requires banks, insurers, investment firms, and other EU financial entities to manage ICT risk, test their operational resilience (including threat-led penetration testing for larger firms), report major ICT-related incidents to their competent authority, and manage ICT third-party risk. Financial entities must maintain a register of information covering all contractual arrangements with information and communication technology (ICT) third-party providers and make it available to their supervisors, and those contracts must contain the minimum provisions DORA prescribes, such as service-level descriptions, audit and access rights, incident-support obligations, and exit strategies. ICT providers designated as critical come under direct oversight by the European Supervisory Authorities. Small businesses that provide ICT services to EU financial entities should expect contract amendments and due-diligence requests reflecting these requirements.
EU Artificial Intelligence (AI) Act
- Effective Date: August 2024 (entered into force August 1, 2024)
- Compliance Deadline: Phased. Bans on prohibited AI practices apply from February 2025, obligations for general-purpose AI models from August 2025, most remaining obligations (including those for high-risk systems listed in Annex III) from August 2026, and obligations for high-risk AI embedded in products covered by existing EU product-safety legislation from August 2027
- Overview: The EU AI Act classifies AI systems by risk (unacceptable, high, limited, and minimal) and places most of its obligations on providers and deployers of high-risk systems: risk management, data governance, technical documentation, logging, human oversight, and requirements for accuracy, robustness, and cybersecurity, together with transparency duties for systems such as chatbots and synthetic media. It applies extraterritorially, so developers and deployers outside the EU are covered when their systems are placed on the EU market or their output is used in the EU. Penalties reach up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, with lower tiers for other violations.
India:
Digital Personal Data Protection (DPDP) Act
- Effective Date: Enacted August 2023 (received assent August 11, 2023), but its provisions take effect only when notified by the central government, and as of this bulletin they are not yet in force
- Compliance Deadline: Not yet set. Draft Digital Personal Data Protection Rules were published for consultation in January 2025, and obligations are expected to be phased in once the rules are finalized
- Overview: The DPDP Act requires data fiduciaries to process personal data only with the individual's free, specific, informed, and unambiguous consent, or for defined legitimate uses; to give notice of the purpose of processing; to notify the Data Protection Board of India and affected individuals of personal data breaches; and to honour rights of access, correction, and erasure. It does not impose broad data localization: cross-border transfers are permitted except to countries the government restricts by notification. The Act applies to processing within India and to processing outside India connected with offering goods or services to individuals in India, so U.S. businesses serving Indian customers will be in scope. Penalties can reach INR 250 crore for failing to take reasonable security safeguards to prevent a breach.
Brazil:
International Data Transfer Regulation (Resolution CD/ANPD No. 19)
- Effective Date: August 2024 (published August 23, 2024)
- Compliance Deadline: August 2025 (12-month transition period for existing transfer contracts to adopt the ANPD's standard contractual clauses)
- Overview: This regulation implements the international data transfer provisions of the General Personal Data Protection Law (LGPD). Transfers may rely on an adequacy decision by the National Data Protection Authority (ANPD), on the ANPD's standard contractual clauses (SCCs) incorporated without modification into the transfer agreement, on specific contractual clauses approved by the ANPD, or on global corporate rules (Brazil's equivalent of binding corporate rules, or BCRs) for intra-group transfers. U.S. businesses receiving Brazilian customer data should inventory their transfer agreements and migrate them to the ANPD clauses within the transition period; the ANPD can enforce with warnings, fines of up to 2% of revenue in Brazil capped at BRL 50 million per infraction, and suspension of processing.
Australia:
Privacy Act 1988 (Privacy and Other Legislation Amendment Bill 2024)
- Effective Date: December 2024 (the Privacy and Other Legislation Amendment Act 2024 received Royal Assent on December 10, 2024)
- Compliance Deadline: Staggered. Most provisions commenced on assent; the statutory tort for serious invasions of privacy commences by June 2025 (six months after assent); the automated decision-making (ADM) transparency requirements commence December 2026 (24 months after assent)
- Overview: The amendments are the first tranche of Australia's Privacy Act reform. They introduce a statutory tort for serious invasions of privacy, a tiered civil penalty regime (adding mid-tier and low-tier penalties that are easier for the regulator to apply than the existing penalty for serious interferences with privacy), a requirement to disclose in privacy policies when computer programs make or substantially assist decisions that significantly affect individuals, a children's online privacy code, and a power for the Minister to make eligible data breach declarations that permit information sharing to reduce harm after a breach. They also clarify that the reasonable steps an entity must take to protect personal information include technical and organisational measures. U.S. businesses handling Australian customer data should review their security controls and privacy policies against the updated rules.
Conclusion: Key Takeaways for Small Businesses
As these new regulations and laws come into effect, businesses need to be aware of these global trends:
- Tighter Reporting Requirements: Incident reporting windows are shrinking (four business days under the SEC rules, 24 hours for the NIS2 early warning), and the trigger is usually the organization's own materiality or significance determination, so businesses need an incident-classification process that can make that call quickly and document it.
- Increased Penalties: Fines for non-compliance are rising, with several regimes tying maximum penalties to global or local revenue (for example, up to 7% of worldwide turnover under the EU AI Act and up to 2% of Brazilian revenue under the LGPD).
- Cross-Border Data Privacy: Businesses handling data across international borders must navigate a complex landscape of multiple data protection and privacy frameworks.
The NCSS encourages businesses to adopt comprehensive security practices and stay informed about evolving technology trends. We recommend you consider becoming an NCSS member to access a wide range of our services. For more information, visit our Small Business page.
References
https://www.sec.gov/files/33-11216-fact-sheet.pdf
https://nis2directive.eu/what-is-nis2/
https://www.digital-operational-resilience-act.com/
https://artificialintelligenceact.eu/the-act/
https://www.cookieyes.com/blog/india-digital-personal-data-protection-act-dpdpa/

About the NCSS
The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(c)(3) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to guides. The organization's goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.
The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.