Protection of Critical Infrastructure via LIPA and ICTS
On 3 June 2026, the three European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, together the ESAs)...more
On March 31, 2026, the Federal Communications Commission (FCC) published revisions to its FAQs on Recent Updates to FCC Covered List Regarding Routers Produced in Foreign Countries, providing additional context and...more
On 8 January 2026, Iranian authorities implemented a nationwide internet blackout that resulted in connectivity to the global internet declining by approximately 98% within 84 hours. This blackout did not occur in isolation,...more
On 19 March 2026, EU Advocate General Ćapeta issued her opinion in Elisa Eesti (C-354/24), confirming that Estonian measures requiring mobile operators to remove non-EU 5G equipment from their networks, while grounded in...more
The European Commission has launched a public consultation on the draft revised General Block Exemption Regulation (GBER). All interested parties may submit comments until 23 April 2026. The GBER is a cornerstone of EU State...more
The U.S. Department of Justice’s (DOJ’s) April 2024 rule imposing new requirements concerning the accessibility of web content and services, which applies to all colleges and universities accepting federal funds, will be...more
The European Banking Authority (EBA) has published a follow‑up report to its 2022 peer review on information and communication technology (ICT) risk assessment under the Supervisory Review and Evaluation Process (SREP). The...more
On 20 January 2026, the European Commission proposed a comprehensive new cybersecurity package with the aim of strengthening the European Union’s cybersecurity resilience and capabilities, in response to growing cyber and...more
Conceptually, you think of IoT devices, but the CRA has a far broader scope of application. In this article we examine one of the tricky nuances – distinguishing between a digital product and SaaS under the CRA. The EU’s...more
On January 20, 2026, the EU Commission unveiled a new Cybersecurity Package (the "Package") designed to reinforce the EU's cyber resilience in response to an increasingly complex and sophisticated threat environment....more
On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and...more
The European Commission (Commission) published a proposal for a new Digital Networks Act (DNA), and a revised Cybersecurity Act, aiming to reshape the EU regulatory framework for digital connectivity, telecoms, and...more
On January 20 2026, the European Commission announced its new cybersecurity package which aims to strengthen the EU’s cybersecurity resilience in response to an evolving threat landscape....more
BaFin published its yearly update on its report regarding Risks in BaFin’s Focus, accompanied by a press release. The report identifies the following six top risks for financial institutions, arising from: (i) significant...more
Certain large scale ICT companies (known as critical ICT third party providers, "CTPPs") which provide critical cloud storage, technology and data services to banks and other financial institutions play an increasingly...more
On 20 January 2026, the European Commission published another comprehensive proposal (The Cybersecurity Act 2) to revise the European Union’s cybersecurity legal framework. Main areas of focus are (again) significant reforms...more
The EU Cyber Resilience Act (“CRA”) establishes mandatory cybersecurity requirements for most hardware and software products made available on the EU market. While the CRA's date of full application (11 December 2027) is...more
The European Supervisory Authorities (ESAs) and the UK’s Bank of England, Prudential Regulation Authority and Financial Conduct Authority (together, the UK Regulators) have signed a Memorandum of Understanding (MoU) to...more
On December 5, 2025, the federal government registered amendments to the Accessible Canada Regulations made under the Accessible Canada Act (ACA). These amendments (the Digital Technologies Accessibility Regulations), which...more
The German Financial Supervisory Authority ("BaFin") has issued non-binding guidance ("Guidance") clarifying how financial institutions should manage Information and Communication Technology ("ICT") risks arising from...more
Germany’s Act implementing the NIS2 Directive ((EU) 2022/2055) is finally a reality. Well over a year after expiry of the Directive’s deadline for Member State implementation (see our EU-wide NIS2 implementation tracker and...more
The European Insurance and Occupational Pensions Authority (EIOPA) has published a Q&A under the Digital Operational Resilience Act (DORA) on the interpretation of Article 13 of Commission Delegated Regulation (EU) 2024/1774...more
The European Supervisory Authorities, referred to as ESAs (comprising the European Banking Authority, European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) have published...more
The European Supervisory Authorities (ESAs) have now published their list of designated critical ICT third-party providers (CTPP) but what does this mean for the regulated firms that contract with these third parties? Will it...more
On 18 November 2025, the European Supervisory Authorities (ESAs) published the first list of designated critical information and communication technology (ICT) third party service providers (CTPPs) under the EU Digital...more