SIPA Cyber Regulations Watch

Welcome to the SIPA Cyber Regulations Watch

Brought to you by the SIPA Cyber Regulations Lab at Columbia University's School of International and Public Affairs, this twice-monthly newsletter offers a comprehensive review of everything related to cybersecurity and regulations: law firms' analyses, events, new academic research, international trends, and more! 

Click here to sign up for future issues!

Brought to you twice-monthly by Columbia University’s SIPA Cyber Program

Written by Eunice Lee and Gabriel Rodriguez Leva with Jason Healey 

27 May 2026

There was no newsletter last week, as it was graduation week. Congratulations to newsletter co-editor Gabriel for completing his MPA degree!

U.S. Regulators and Authorities

California’s record CCPA settlement makes data minimization a cyber-governance issue. Akin Gump notes that California has brought its largest CCPA (California Consumer Privacy Act) penalty to date, against General Motors, and its first enforcement action centered on data minimization, in a settlement that signals heightened scrutiny for connected-vehicle data such as precise geolocation and driving behavior.

  • The case shows that California regulators are no longer treating overcollection and secondary use as abstract privacy concerns, but as enforceable governance failures tied to how sensitive digital data is retained, shared, and monetized.
  • California’s Attorney General said the GM settlement is the state’s largest CCPA penalty so far at $12.75 million and the first case enforcing the CCPA’s data-minimization principle, which raises the compliance stakes for companies collecting high-volume behavioral or location data from connected products.
  • The complaint focused on the collection and sale of names, contact information, geolocation, and driving-behavior data to brokers, and the settlement imposes a five-year ban on selling driving data to consumer reporting agencies, showing that data-governance failures can now trigger product-level restrictions, not just fines.

What’s Happening in the World

ECB pushes euro area banks to prepare faster for AI-assisted cyberattacks. Reuters reports that ECB supervisory board member Frank Elderson has urged euro area banks to move quickly to prepare for cyberattacks enabled by Anthropic’s Mythos or similar models. He frames the lack of direct access to the tool not as a reason to wait, but as a reason to accelerate defensive preparation.

  • The regulatory angle is clear: Reuters says the ECB plans to question supervised banks about their preparedness, which turns AI-enabled cyber risk into an immediate supervisory expectation rather than a longer-term policy debate.
  • Elderson also extends the expectation to third parties, saying banks and the contractors they rely on need to fix even minor vulnerabilities more quickly, which links cyber supervision to vendor management and operational resilience.
  • The article suggests a growing regulatory concern about uneven access to frontier AI tools, with large U.S. banks and Japanese banks moving earlier than euro area institutions. That raises questions about supervisory convergence and competitive asymmetries in cyber preparedness.

Japan’s banking regulator creates a forum for AI-enabled cyber risk in finance. Reuters reports that Japan will launch a public-private working group to address cybersecurity risks to the financial system posed by Anthropic’s Mythos model. The group will bring together 36 entities, including banks, the Bank of Japan, regulators, and the Japanese units of Anthropic and OpenAI, showing an early supervisory push to coordinate around frontier-AI cyber risk in the financial sector.

  • The forum is explicitly regulatory in nature: Japan’s Financial Services Agency says it will discuss procedures when vulnerabilities are found, defensive measures, and contingency planning if threats cannot be fully contained.
  • The structure is also cross-border. Reuters says the group is being formed with inputs from the U.S. government and that Japan is considering information-sharing with U.S. and other overseas authorities, which points to a more internationalized model of cyber supervision.
  • For banks, the key regulatory signal is that access to advanced AI tools is no longer being treated as a purely private technical matter. It is becoming a matter of financial-system resilience and coordinated oversight.

EU Space Act could turn cybersecurity compliance into a market-access condition for space operators. Hogan Lovells explains that the EU Space Act proposal is moving through the legislative process with major institutional disagreements over how cybersecurity should be regulated, especially for non-EU operators serving the EU market.

  • The proposal is significant because it would create an EU-wide framework for authorization, resilience, and cyber obligations in space activities, with potentially extraterritorial effects for operators providing space-based data or services to EU customers. The main cyber-regulatory fault line is whether space operators should follow a dedicated sector-specific regime under the EU Space Act, as the Commission proposes, or instead be folded into the broader NIS2 framework, as the Parliament prefers and the Council partly supports.
  • Under the Commission’s version, operators could face extensive cyber obligations across the full mission lifecycle, including continuous risk assessments, cryptography, anomaly monitoring, penetration testing before launch and at regular intervals, supply-chain risk controls, and incident reporting within 12 or 24 hours depending on the incident.
  • The proposal also matters for market access because non-EU operators may need to prove compliance directly or through an equivalence decision, meaning cybersecurity rules could become a gatekeeping mechanism for accessing EU customers in the space and satellite-services market.

Expert Opinions

Companies move toward framework-based compliance across cyber and data rules. Dow Jones indicates that some companies are shifting away from trying to satisfy each cyber and data rule one by one and are instead building broader governance frameworks around common requirements.

  • The regulatory logic behind that approach is straightforward: overlapping cyber, data, and AI rules increasingly require the same underlying controls, so firms are trying to map compliance around shared governance baselines rather than siloed obligations.
  • That trend fits the broader direction of cyber regulation in areas like NIS2, where incident reporting, access governance, accountability, and management responsibility are becoming more integrated and more enforceable.
  • In practice, this pushes companies toward enterprise-wide compliance architectures that can absorb multiple rulebooks at once, especially where cyber, privacy, vendor oversight, and documentation requirements overlap.

Genetic-data AI training creates litigation and compliance risk. Crowell argues that the use of genetic data for AI training after acquisitions is creating a fast-growing litigation and regulatory risk, especially as more states adopt their own genetic privacy rules. Although framed as a life sciences and data-governance issue, the alert has clear cyber-regulatory implications because it centers on control over sensitive data, downstream use restrictions, and defensible governance programs.

  • Crowell emphasizes governance around AI data use controls, genetic data flows, and commercialization strategies, which shows that the compliance burden is moving beyond consent language and into operational data-governance design.
  • The alert also highlights the importance of vendor oversight and incident readiness, both of which sit squarely inside modern cyber compliance programs when highly sensitive health or genetic datasets are involved.
  • The broader regulatory implication is that organizations using sensitive datasets for AI development will increasingly need to prove not only lawful collection, but also secure governance, documented controls, and readiness for litigation or regulatory scrutiny.

News Briefs: Key Developments To Monitor

  • Trump administration pushes long-term renewal of key cyber data-sharing law: Nextgov/FCW reports that the White House is seeking a long-term reauthorization of the Cybersecurity Information Sharing Act of 2015, which expires in September 2026. The law enables liability-protected threat intelligence sharing between private firms and the federal government, and sits at the center of the administration's broader cyber defense strategy.

Fresh Insights

Cyber Incidents Slightly Above 2025: Board Cybersecurity periodically shares with us the most recent cybersecurity incident graph based on its cybersecurity incident tracker which covers SEC cybersecurity disclosures. No updates since our last newsletter. 

Ask us about sponsorship!

For more from the SIPA Cyber Program, click here.

Let SIPA Cyber know about related new analyses or upcoming events by emailing us at [email protected]

Past Newsletters