Heading into the second half of 2024, it feels like it’s been a busy year for cybersecurity regulations and legislative initiatives—both new and revised.
This increased focus on cybersecurity regulations and legislation is partially due to it being an election year. As the election cycle kicks into overdrive, candidates roll out their plans for cybersecurity policy and legislative changes and incumbents take action on proposals that they want to see through before election day.
Political climate aside, data security is a hot topic, and it’s only getting hotter as AI gives malicious actors the tools they need to increase both the number and the severity of attacks on businesses and critical infrastructure providers. As a result, it’s no surprise that regulatory agencies and legislative bodies have ramped up efforts to mandate cybersecurity policies and protocols in both private and public sector industries.
To help you keep your business compliant, we did a roundup of 2024 regulatory updates and legislation that are either already active or are quickly approaching.
Regulatory Updates
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0
Effective date: January 2024
Summary: The NIST CSF 2.0 updates guidelines for how industry, government agencies, and other organizations manage cybersecurity risks, incorporating lessons learned from the past decade and emphasizing governance, supply chain security, and continuous improvement.
NIST SP 800-53 Rev.5
Effective date: December 2020 (Reaffirmed July 2024)
Summary: This revision of NIST Special Publication (SP) 800-53, the catalog of security and privacy controls for federal information systems and organizations, introduces controls for third-party risk, supply chain security, cyber resiliency, and secure systems design.
PCI DSS 4.0
Effective date: March 31, 2024
Summary: The latest version of the Payment Card Industry Data Security Standard (PCI DSS) includes 13 new requirements designed to improve payment data security, ensure secure software development, and enhance monitoring capabilities. The first set of new requirements went into effect on March 31, 2024; the remaining new requirements go into effect in 2025.
Federal Trade Commission (FTC) amended Safeguards Rule
Effective date: May 13, 2024
Summary: Non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, are required to report data breaches involving at least 500 consumers to the FTC within 30 days of discovery.
Securities and Exchange Commission (SEC) cybersecurity incident reporting rules
Effective date: June 15, 2024
Summary: Smaller reporting companies must report material cybersecurity incidents within four business days and submit annual disclosures on the companies’ cybersecurity risk management, strategy, and governance.
New Data Privacy Laws—Florida, Oregon, Texas
Effective date: July 1, 2024
Summary: The Florida Digital Bill of Rights (FDBR), Texas Data Privacy and Security Act (TDPSA), and Oregon Consumer Privacy Act (OCPA) introduce new data privacy regulations, mandating stricter data handling practices and giving consumers greater control over their personal information.
U.S. federal government zero trust goals
Effective date: September 30, 2024
Summary: Federal agencies must implement a zero trust architecture, which sets a standard for consistently applied access controls.
NIS2 directive
Effective date: October 17, 2024
Summary: The EU’s NIS2 Directive mandates enhanced cybersecurity measures for critical infrastructure, with fines for non-compliance reaching up to €10,000,000 or 2% of global revenue.
Digital Operational Resilience Act (DORA)
Effective date: January 2025
Summary: This EU regulation focuses on strengthening the digital operational resilience of financial institutions and critical information and communications technology (ICT) third-party service providers, ensuring they can withstand, respond to, and recover from all types of ICT-related disruptions.
Legislative Developments
Cybersecurity Information Sharing Act (CISA Law)
Effective date: Ongoing
Summary: Facilitates the sharing of cybersecurity threat information between private companies and the government, promoting collective defense and improving the overall cybersecurity posture of the nation.
Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
Effective date: Rulemaking expected 2024
Summary: Requires critical infrastructure entities to report significant cyber incidents and ransomware payments to federal authorities, helping to coordinate national response efforts and mitigate impacts.
With even more cybersecurity regulations on the horizon for 2025, achieving and maintaining compliance can feel like a never-ending battle. Logically’s team of cybersecurity specialists can help you stay in compliance with the latest regulations so you can stay focused on running your business.
Relevant Resources
- Resource: Security Assessment
- Webinar: Governance and Compliance – The Foundation of Reliable and Mature Cybersecurity
- Blog: How to Create a NIST-Compliant Cybersecurity Incident Playbook
- Blog: ZTNA Adoption: A Road Map for Organization Leaders
- Blog: 7 Ways to Apply Zero-Trust Principles Before Launching Microsoft 365 Copilot